IAM Best Practices

6,574 views
6,446 views

Published on

AWS Identity and Access Management (IAM) enables you to manage who can do what in your AWS environment. In this session you will learn how to leverage IAM to control access to your AWS environment. We will cover best practices on how to create access policies, manage security credentials (i.e., access keys, password, Multi Factor Authentication devices, etc.), how to set up least privilege, minimizing the use of your root account, and more.

Published in: Technology
0 Comments
11 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
6,574
On SlideShare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
Downloads
297
Comments
0
Likes
11
Embeds 0
No embeds

No notes for slide

IAM Best Practices

  1. 1. Max RamsayTop 10 IAM best practicesPrincipal Security Solutions Architect
  2. 2. What we will be covering today• Quick overview of IAM• Top 10 IAM best practices to secure your AWS environment• Demos galore 
  3. 3. AWS Identity and Access Management (IAM)enables you to control who can do what in your AWS account• Users, Groups, Roles, Permissions• Control…- Centralized- Fine-grained - APIs, resources and AWS Management Console• Security…- Secure by default- Multiple users, individual security credentials and permissions
  4. 4. Top 10 IAM best practices1. Users2. Groups3. Permissions4. Passwords5. MFA6. Roles7. Sharing8. Rotation9. Conditions10. Root
  5. 5. 1. UsersCreate individual users
  6. 6. 1. Create individual usersBenefits• Unique credentials• Individual credential rotation• Individual permissionsHow to steps• Identify which IAM users you wantto create • Use the IAM Console, CLI or API to:- Create user- Assign credentials- Assign permissions
  7. 7. 1. Create individual users
  8. 8. 2. GroupsManage permissions with groups
  9. 9. 2. Manage permissions with groupsBenefits• Easier to assign the samepermissions to multiple users• Simpler to re-assign permissionsbased on change in responsibilities• Only one change to updatepermissions for multiple usersHow to steps• Map permissions to a specificbusiness function• Assign users to that function• Manage groups in the Groupsection of the IAM Console
  10. 10. 2. Manage permissions with groups
  11. 11. 3. PermissionsGrant least privilege
  12. 12. 3. Grant least privilegeBenefits• More granular control• Less chance of people makingmistakes• Easier to relax than to tighten upHow to steps• Identify what permissions arerequired• Password/Access keys?• Avoid assigning *:* policy• Use policy templates
  13. 13. 3. Grant least privilege
  14. 14. 4. PasswordsConfigure a strong password policy
  15. 15. 4. Enforce a strong password policyBenefits• Ensures your users and your dataare protectedHow to steps• What is your company’s passwordpolicy?• You can configure- Minimum password length- Require any combination of:• One uppercase letter• One lowercase letter• One number• One non-alphanumeric character
  16. 16. 4. Configure a strong password policy
  17. 17. 5. MFAEnable MFA for privileged users
  18. 18. 5. Enable Multi-Factor Authentication for privilegedusersBenefits• Supplements username andpassword to require a one-time codeduring authenticationHow to steps• Choose type of MFA- Virtual MFA- Hardware• Use IAM Console to assign MFAdevice
  19. 19. Multi-Factor Authentication devices
  20. 20. 5. Enable MFA for privileged users
  21. 21. 6. RolesUse IAM roles for EC2 instances
  22. 22. 6. Use IAM roles for EC2 instancesBenefits• Easy to manage access keys onEC2 instances• Automatic key rotation• Assign least privilege to theapplication• AWS SDKs fully integratedHow to steps• Create a role• Launch instances with the role• If not using SDKs, sign all requeststo AWS services with the roles’temporary credentials
  23. 23. 6. Use IAM roles for EC2 instances
  24. 24. 7. SharingUse IAM roles to share access
  25. 25. 7. Use IAM roles to share accessBenefits• No need to share security credentials• Easy to break sharing relationship• Use cases- Cross-account access- Intra-account delegation- FederationHow to steps• Create a role- Specify who you trust- Describe what the role can do• Share the name of the role
  26. 26. prod@example.comAcct ID: 111122223333ddb-role{ "Statement": [{"Action": ["dynamodb:GetItem","dynamodb:BatchGetItem","dynamodb:Query","dynamodb:Scan","dynamodb:DescribeTable","dynamodb:ListTables"],"Effect": "Allow","Resource": "*"}]}dev@example.comAcct ID: 123456789012Authenticate withJeff access keysGet temporarysecurity credentialsfor ddb-roleCall AWS APIsusing temporarysecurity credentialsof ddb-role{ "Statement": [{"Effect": "Allow","Action": "sts:AssumeRole","Resource":"arn:aws:iam::111122223333:role/ddb-role"}]}{ "Statement": [{"Effect":"Allow","Principal":{"AWS":"123456789012"},"Action":"sts:AssumeRole"}]}Cross Account Access – How does it workddb-role trusts IAM users from the AWS accountdev@example.com (123456789012)Permissions assigned to Jeff granting him permissionto assume ddb-role in account BIAM user: JeffPermissions assignedto ddb-roleSTS
  27. 27. 7. Use IAM roles to share access
  28. 28. 8. RotationRotate security credentials regularly
  29. 29. 8. Rotate security credentials regularlyBenefits• Normal best practiceHow to steps• Grant IAM user permission torotate credentials• Password change in IAM console• IAM roles for EC2 automaticallyrotates credentials
  30. 30. Enabling credential rotation for IAM users(enable password rotation sample policy)Password{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "iam:ChangePassword","Resource":"arn:aws:iam::123456789012:user/max”"arn:aws:iam::123456789012:user/${aws:username}”}]}
  31. 31. Enabling credential rotation for IAM users(enable access key rotation sample policy)Access Keys{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["iam:*AccessKey*","iam:*SigningCertificate*"],"Resource":"arn:aws:iam::123456789012:user/max”"arn:aws:iam::123456789012:user/${aws:username}”}]}Steps to rotate access keys
  32. 32. 8. Rotate security credentials regularly
  33. 33. 9. ConditionsRestrict privileged access further with conditions
  34. 34. 9. Restrict privileged access further with conditionsBenefits• Additional granularity when definingpermissions• Can be enabled for any AWS serviceAPI• Minimizes accidentally performingprivileged actionsHow to steps• Use conditions where applicable• Two types of conditions- AWS common- Service specific
  35. 35. Restrict privileged access further with conditions{ "Statement":[{"Effect":"Deny","Action":["ec2:TerminateInstances"],"Resource":["*"],"Condition":{"Null":{"aws:MultiFactorAuthAge":"true"}}}]}Enables a user to terminate EC2 instances only if the user hasauthenticated with their MFA device.MFA{"Statement":[{"Effect":"Allow","Action":"iam:*AccessKey*","Resource”:"arn:aws:iam::123456789012:user/*","Condition":{"Bool":{“aws:SecureTransport":"true"},}}]}Enables a user to manage access keys for all IAM users only if the useris coming over SSL.“SSL”{"Statement":[{"Effect":"Allow","Action":["ec2:TerminateInstances“],"Resource":["*“],"Condition":{"IpAddress":{"aws:SourceIP":"192.168.176.0/24"}}}]}Enables a user to terminate EC2 instances only if the user is accessing EC2 from the192.168.176.0/24 address range.SourceIP
  36. 36. 9. Restrict privileged access further with conditions
  37. 37. 10. RootReduce/remove use of root
  38. 38. 10. Reduce/remove use of rootBenefits• Reduce potential for misuse ofcredentialsHow to steps• Security Credentials Page- Delete access keys- Activate a MFA device• Ensure you have set a “strong”password
  39. 39. 10. Reduce/remove use of root
  40. 40. Top 10 IAM best practices1. Users – Create individual users2. Groups – Manage permissions with groups3. Permissions – Grant least privilege4. Password – Configure a strong password policy5. MFA – Enable MFA for privileged users6. Roles – Use IAM roles for EC2 instances7. Sharing – Use IAM roles to share access8. Rotate – Rotate security credentials regularly9. Conditions – Restrict privileged access further with conditions10. Root – Reduce/remove use of root
  41. 41. Top 10 IAM best practices1. Users – Create individual users2. Groups – Manage permissions with groups3. Permissions – Grant least privilege4. Password – Configure a strong password policy5. MFA – Enable MFA for privileged users6. Roles – Use IAM roles for EC2 instances7. Sharing – Use IAM roles to share access8. Rotate – Rotate security credentials regularly9. Conditions – Restrict privileged access further with conditions0. Root – Reduce/remove use of root
  42. 42. Related Content• Learn more from the IAM detail page– http://aws.amazon.com/iam• AWS forum where the IAM team hangs out– https://forums.aws.amazon.com/forum.jspa?forumID=76• Documentation– http://aws.amazon.com/documentation/iam/• Twitter- Follow the IAM team @AWSIdentity
  43. 43. Thank You!!!awsmax@amazon.com

×