SEC303 Top 10 AWS Identity and Access Management Best Practices - AWS re:Invent 2012

Transcript

  • 1. © 2012 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 5. 1. Users – Create individual users
  • 6. Benefits / How to steps
    • Unique credentials
    • Individual credential rotation
    • Individual permissions
  • 8. 2. Groups – Manage permissions with groups
  • 9. Benefits / How to steps
    • Easier to assign the same permissions to multiple users
    • Simpler to re-assign permissions based on a change in responsibilities
    • Only one change to update permissions for multiple users
  • 11. 3. Permissions – Grant least privilege
  • 12. Benefits / How to steps
    • More granular control
    • Less chance of people making mistakes
    • Easier to relax than to tighten up
  • 14. 4. Passwords – Configure a strong password policy
  • 15. Benefits / How to steps
    • Ensures your users and your data are protected
  • 17. 5. MFA – Enable MFA for privileged users
  • 18. Benefits / How to steps
    • Supplements username and password to require a one-time code during authentication
  • 21. 6. Roles – Use IAM roles for EC2 instances
  • 22. Benefits / How to steps
    • Easy to manage access keys on EC2 instances
    • Automatic key rotation
    • Assign least privilege to the application
    • AWS SDKs fully integrated
  • 24. 7. Sharing – Use IAM roles to share access
  • 25. Benefits / How to steps
    • No need to share security credentials
    • Easy to break the sharing relationship
    • Use cases
  • 26. Cross-account sharing with an IAM role
    Account dev@example.com (Acct ID: 123456789012) contains the IAM user Jeff. Account prod@example.com (Acct ID: 111122223333) contains the role ddb-role.
    Permissions assigned to ddb-role (read-only DynamoDB access):
      { "Statement": [ {
          "Effect": "Allow",
          "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:DescribeTable", "dynamodb:ListTables" ],
          "Resource": "*"
      } ] }
    Trust policy of ddb-role (ddb-role trusts IAM users from the AWS account dev@example.com, 123456789012):
      { "Statement": [ {
          "Effect": "Allow",
          "Principal": { "AWS": "123456789012" },
          "Action": "sts:AssumeRole"
      } ] }
    Permissions assigned to Jeff, granting him permission to assume ddb-role in the prod account (111122223333):
      { "Statement": [ {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::111122223333:role/ddb-role"
      } ] }
    Flow: (1) Jeff authenticates with STS using his own access keys; (2) STS returns temporary security credentials for ddb-role; (3) Jeff calls AWS APIs using the temporary security credentials of ddb-role. Both sides must agree: the trust policy admits the account, and Jeff's own policy allows sts:AssumeRole on that role.
  • 28. 8. Rotation – Rotate security credentials regularly
  • 29. Benefits / How to steps
  • 30. Password (enable password rotation sample policy)
      { "Statement": [ {
          "Effect": "Allow",
          "Action": "iam:ChangePassword",
          "Resource": "arn:aws:iam::123456789012:user/anders"
      } ] }
    Enforcing a password policy will automatically enable IAM users to manage their password.
  • 31. Access Keys (enable access key rotation sample policy) – Steps to rotate access keys
      { "Statement": [ {
          "Effect": "Allow",
          "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys", "iam:UpdateAccessKey" ],
          "Resource": "arn:aws:iam::123456789012:user/anders"
      } ] }
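The rotation the policy above permits, written out as an added example (it is not code from the slides or from AWS): create the second key, hand it to the application, deactivate the old key, confirm nothing broke, then delete it. The boto3 IAM client method names and response shapes (list_access_keys, create_access_key, update_access_key, delete_access_key) are real; FakeIAM is a constructed in-memory stand-in so the block runs offline, and with boto3 available you would pass boto3.client("iam") in its place under credentials for a user carrying the slide's policy.

```python
"""Access-key rotation driven through the boto3 IAM client API (added example)."""
import itertools

MAX_KEYS_PER_USER = 2  # IAM allows at most two access keys per user


class FakeIAM:
    """Constructed stand-in for boto3.client('iam'); same method names and shapes."""

    def __init__(self):
        self._keys = {}  # UserName -> [{"AccessKeyId": ..., "Status": ...}]
        self._seq = itertools.count(1)

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(UserName=UserName, **k) for k in self._keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        keys = self._keys.setdefault(UserName, [])
        if len(keys) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: %s already has %d access keys" % (UserName, len(keys)))
        key = {"AccessKeyId": "AKIAFAKE%012d" % next(self._seq), "Status": "Active"}
        keys.append(key)
        return {"AccessKey": dict(UserName=UserName, SecretAccessKey="fake-secret-" + key["AccessKeyId"], **key)}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._find(UserName, AccessKeyId)["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self._keys[UserName].remove(self._find(UserName, AccessKeyId))

    def _find(self, user, key_id):
        for k in self._keys.get(user, []):
            if k["AccessKeyId"] == key_id:
                return k
        raise KeyError("NoSuchEntity: " + key_id)


def rotate(iam, user, deploy, verify):
    """Move `user` from its existing key(s) onto one fresh key; return the new AccessKeyId.

    deploy(key_id, secret) pushes the new credential to the application and
    verify() reports whether the application still works. Old keys are set
    Inactive before they are deleted: a dependency that was missed can be
    repaired by re-activating the key, whereas a deleted key is gone.
    """
    old = [k["AccessKeyId"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]]
    if len(old) >= MAX_KEYS_PER_USER:
        raise RuntimeError("%s already has %d keys; remove a stale one before rotating" % (user, len(old)))

    new = iam.create_access_key(UserName=user)["AccessKey"]
    deploy(new["AccessKeyId"], new["SecretAccessKey"])
    if not verify():
        # Nothing depends on the new key yet, so discarding it is safe.
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("application does not work with the new key; old key untouched")

    for key_id in old:
        iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
        if not verify():
            iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Active")
            raise RuntimeError("something still uses %s; re-activated it" % key_id)
        iam.delete_access_key(UserName=user, AccessKeyId=key_id)
    return new["AccessKeyId"]


def demo():
    """Rotate the constructed user 'anders' once and report which keys remain."""
    iam = FakeIAM()
    iam.create_access_key(UserName="anders")  # the key being rotated out
    app = {}  # stands in for wherever the application keeps its credential
    new_id = rotate(iam, "anders", deploy=lambda k, s: app.update(key=k, secret=s),
                    verify=lambda: "key" in app)
    left = [(k["AccessKeyId"], k["Status"]) for k in iam.list_access_keys(UserName="anders")["AccessKeyMetadata"]]
    return new_id, left


if __name__ == "__main__":
    print(demo())
```

The two-key limit is what forces the order: with both slots in use, rotation cannot even start, which is why a stale second key left behind by an earlier rotation has to be cleaned up first.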
  • 33. 9. Conditions – Restrict privileged access further with conditions
  • 34. Benefits / How to steps
    • Additional granularity when defining permissions
    • Can be enabled for any AWS service API
    • Minimizes accidentally performing privileged actions
  • 35. Condition examples
    MFA: denies TerminateInstances unless the request was authenticated with an MFA device. This is a Deny statement, so on its own it grants nothing; it restricts an Allow granted elsewhere, which is how the slide's reading ("enables a user to terminate EC2 instances only if the user has authenticated with their MFA device") comes about.
      { "Statement": [ {
          "Effect": "Deny",
          "Action": [ "ec2:TerminateInstances" ],
          "Resource": [ "*" ],
          "Condition": { "Null": { "aws:MultiFactorAuthAge": "true" } }
      } ] }
    SSL: enables a user to manage access keys for all IAM users only if the user is coming over SSL.
      { "Statement": [ {
          "Effect": "Allow",
          "Action": "iam:*AccessKey*",
          "Resource": "arn:aws:iam::123456789012:user/*",
          "Condition": { "Bool": { "aws:SecureTransport": "true" } }
      } ] }
    SourceIP: enables a user to terminate EC2 instances only if the user is accessing EC2 from the 192.168.176.0/24 address range.
      { "Statement": [ {
          "Effect": "Allow",
          "Action": [ "ec2:TerminateInstances" ],
          "Resource": [ "*" ],
          "Condition": { "IpAddress": { "aws:SourceIp": "192.168.176.0/24" } }
      } ] }
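An offline model of how IAM evaluates the slide-35 condition policies and the slide-26 cross-account policies, added here as an example; it is not AWS code and not material from the slides. It reproduces the rules those policies depend on (implicit deny, an explicit Deny beating any Allow, wildcard action and resource matching, the Null, Bool and IpAddress operators, and the two-sided check behind cross-account AssumeRole). Assumptions: Jeff's user ARN is taken to be arn:aws:iam::123456789012:user/Jeff, and a plain EC2 Allow policy (EC2_ALLOW, constructed) is paired with the slide's MFA Deny so the MFA case has something to restrict. For real policies use the IAM policy simulator; this model covers only the operators the slide uses.

```python
"""Teaching model of IAM policy evaluation for the slide's policies (added example)."""
import fnmatch
import ipaddress

# Slide 35 policies. EC2_ALLOW is constructed: the MFA Deny needs an Allow to restrict.
MFA_DENY = {"Statement": [{"Effect": "Deny", "Action": ["ec2:TerminateInstances"],
            "Resource": ["*"], "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}}]}
SSL_ONLY_KEYS = {"Statement": [{"Effect": "Allow", "Action": "iam:*AccessKey*",
                 "Resource": "arn:aws:iam::123456789012:user/*",
                 "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}
SOURCE_IP_TERMINATE = {"Statement": [{"Effect": "Allow", "Action": ["ec2:TerminateInstances"],
                       "Resource": ["*"],
                       "Condition": {"IpAddress": {"aws:SourceIp": "192.168.176.0/24"}}}]}
EC2_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

# Slide 26 policies. JEFF's ARN is an assumption (user Jeff in account 123456789012).
DDB_ROLE_ARN = "arn:aws:iam::111122223333:role/ddb-role"
JEFF = "arn:aws:iam::123456789012:user/Jeff"
DDB_ROLE_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "123456789012"},
                  "Action": "sts:AssumeRole"}]}
JEFF_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": DDB_ROLE_ARN}]}
DDB_ROLE_PERMS = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan",
    "dynamodb:DescribeTable", "dynamodb:ListTables"]}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    # Action and resource matching is case-insensitive with * and ? wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_ok(condition, ctx):
    """Every operator block, and every key inside it, must pass (AND semantics)."""
    for op, clauses in condition.items():
        for key, expected in clauses.items():
            present = key in ctx
            if op == "Null":
                # "true": the key must be absent from the request; "false": it must be present.
                if present == (expected == "true"):
                    return False
            elif op == "Bool":
                if not present or str(ctx[key]).lower() != expected.lower():
                    return False
            elif op == "IpAddress":
                nets = [ipaddress.ip_network(n) for n in _as_list(expected)]
                if not present or not any(ipaddress.ip_address(ctx[key]) in n for n in nets):
                    return False
            else:
                raise ValueError("operator not modelled: " + op)
    return True


def evaluate(policies, action, resource, ctx=None):
    """Return 'Allow' or 'Deny' for one request across all attached policies."""
    ctx = ctx or {}
    decision = "Deny"  # implicit deny until some statement allows the request
    for policy in policies:
        for st in policy["Statement"]:
            if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
                continue
            if not _condition_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides every allow
            decision = "Allow"
    return decision


def _principal_ok(principal, caller_arn):
    # A bare account ID or the account's :root ARN trusts the whole account
    # (the caller's own policy must still allow it); any other ARN must match exactly.
    caller_acct = caller_arn.split(":")[4]
    for p in _as_list(principal.get("AWS", [])):
        if p in (caller_acct, "arn:aws:iam::%s:root" % caller_acct, caller_arn):
            return True
    return False


def can_assume_role(trust_policy, caller_policies, caller_arn, role_arn, ctx=None):
    """Cross-account AssumeRole needs the role's trust policy AND the caller's own policy."""
    ctx = ctx or {}
    trusted = any(st["Effect"] == "Allow" and _matches(st["Action"], "sts:AssumeRole")
                  and _principal_ok(st["Principal"], caller_arn)
                  and _condition_ok(st.get("Condition", {}), ctx)
                  for st in trust_policy["Statement"])
    return trusted and evaluate(caller_policies, "sts:AssumeRole", role_arn, ctx) == "Allow"


if __name__ == "__main__":
    print("terminate without MFA:", evaluate([EC2_ALLOW, MFA_DENY], "ec2:TerminateInstances", "*"))
    print("Jeff can assume ddb-role:", can_assume_role(DDB_ROLE_TRUST, [JEFF_POLICY], JEFF, DDB_ROLE_ARN))
```

Two things the model makes visible that the slide only states: the MFA policy is a Deny, so removing EC2_ALLOW leaves the user unable to terminate anything with or without MFA, and ddb-role's read-only action list means an assumed Jeff can Query but not PutItem, which is the least-privilege point of slide 12 applied to a shared role.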
  • 36. 10. Root – Reduce/remove use of root
  • 37. Benefits / How to steps
  • 39. Summary
    1. Users – Create individual users
    2. Groups – Manage permissions with groups
    3. Permissions – Grant least privilege
    4. Password – Configure a strong password policy
    5. MFA – Enable MFA for privileged users
    6. Roles – Use IAM roles for EC2 instances
    7. Sharing – Use IAM roles to share access
    8. Rotate – Rotate security credentials regularly
    9. Conditions – Restrict privileged access further with conditions
    10. Root – Reduce/remove use of root
  • 40. Related sessions
      Code    Session                                               Time
      SEC101  A Guided Tour of AWS Identity and Access Management   Wednesday 11/28 2.05pm
      SEC302  Delegating Access to Your AWS Environment             Wednesday 11/28 3.25pm
      SEC303  TOP 10 IAM Best Practices                             Thursday 11/29 3pm
    • Learn more from our detail page http://aws.amazon.com/iam
    • AWS forum where we hang out https://forums.aws.amazon.com/forum.jspa?forumID=76
    • Documentation http://aws.amazon.com/documentation/iam/
    • Twitter - Follow us @AWSIdentity - #reinvent
  • 42. We are sincerely eager to hear your feedback on this presentation and on re:Invent. Please fill out an evaluation form when you have a chance.