SEC303 Top 10 AWS Identity and Access Management Best Practices - AWS re:Invent 2012
Presentation Transcript

  • © 2012 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 1. Users – Create individual users
  • Benefits / How to steps
    • Unique credentials
    • Individual credential rotation
    • Individual permissions
  • 2. Groups – Manage permissions with groups
  • Benefits / How to steps
    • Easier to assign the same permissions to multiple users
    • Simpler to re-assign permissions based on a change in responsibilities
    • Only one change needed to update permissions for multiple users
  • 3. Permissions – Grant least privilege
  • Benefits / How to steps
    • More granular control
    • Less chance of people making mistakes
    • Easier to relax permissions later than to tighten them up
  • 4. Passwords – Configure a strong password policy
  • Benefits / How to steps
    • Ensures your users and your data are protected
  • 5. MFA – Enable MFA for privileged users
  • Benefits / How to steps
    • Supplements username and password by requiring a one-time code during authentication
  • 6. Roles – Use IAM roles for EC2 instances
  • Benefits / How to steps
    • Easy to manage access keys on EC2 instances
    • Automatic key rotation
    • Assign least privilege to the application
    • AWS SDKs fully integrated
  • 7. Sharing – Use IAM roles to share access
  • Benefits / How to steps
    • No need to share long-term security credentials
    • Easy to break the sharing relationship
    • Use cases
  • Example: sharing DynamoDB read access across two accounts
    Account dev@example.com (Acct ID: 123456789012) holds IAM user Jeff. Account prod@example.com (Acct ID: 111122223333) holds ddb-role.
    Flow: Jeff authenticates with STS using his own access keys → STS returns temporary security credentials for ddb-role → Jeff calls AWS APIs using the temporary security credentials of ddb-role.
    Permissions assigned to ddb-role:
      { "Statement": [ {
          "Effect": "Allow",
          "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
                      "dynamodb:Scan", "dynamodb:DescribeTable", "dynamodb:ListTables" ],
          "Resource": "*" } ] }
    Permissions assigned to Jeff, granting him permission to assume ddb-role in account B:
      { "Statement": [ {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::111122223333:role/ddb-role" } ] }
    Trust policy on ddb-role (ddb-role trusts IAM users from the AWS account dev@example.com, 123456789012):
      { "Statement": [ {
          "Effect": "Allow",
          "Principal": { "AWS": "123456789012" },
          "Action": "sts:AssumeRole" } ] }
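The point of the slide is that cross-account access needs both halves: the caller's own permissions must allow sts:AssumeRole on the role ARN, and the role's trust policy must name the caller's account. The following is an added example, not code from the AWS deck: it encodes the three policies above as Python and checks both halves with a simplified model of IAM's evaluation (wildcard matching, explicit Deny wins), then shows how the role owner breaks the sharing relationship by editing only the trust policy. The function names and the revoke step are this example's own; no STS call is made.

```python
"""Cross-account role sharing modelled as the two policy halves (added example)."""
from fnmatch import fnmatchcase

ACCOUNT_DEV = "123456789012"    # dev@example.com: owns IAM user Jeff
ACCOUNT_PROD = "111122223333"   # prod@example.com: owns ddb-role
DDB_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_PROD}:role/ddb-role"

# 1. Permissions attached to ddb-role: what the temporary credentials may do.
DDB_ROLE_PERMISSIONS = {"Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
               "dynamodb:Scan", "dynamodb:DescribeTable", "dynamodb:ListTables"],
    "Resource": "*"}]}

# 2. Permissions attached to Jeff: he may call sts:AssumeRole on that one role only.
JEFF_PERMISSIONS = {"Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": DDB_ROLE_ARN}]}

# 3. Trust policy on ddb-role: principals from the dev account may assume it.
DDB_ROLE_TRUST = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ACCOUNT_DEV}, "Action": "sts:AssumeRole"}]}


def _list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    principal = statement.get("Principal", {})
    if isinstance(principal, str):          # "Principal": "*"
        return [principal]
    return _list(principal.get("AWS", []))


def caller_may_assume(policies, role_arn):
    """Caller-account half: an Allow for sts:AssumeRole on the role ARN, no explicit Deny."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not any(fnmatchcase("sts:assumerole", a.lower()) for a in _list(st["Action"])):
                continue
            if not any(fnmatchcase(role_arn, r) for r in _list(st.get("Resource", "*"))):
                continue
            if st["Effect"] == "Deny":
                return False                # explicit Deny overrides any Allow
            allowed = True
    return allowed


def role_trusts(trust_policy, caller_account):
    """Role-account half: the trust policy must allow sts:AssumeRole to the caller's account."""
    root_arn = f"arn:aws:iam::{caller_account}:root"
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(a.lower() == "sts:assumerole" for a in _list(st["Action"])):
            continue
        if any(p in (caller_account, root_arn, "*") for p in _aws_principals(st)):
            return True
    return False


def can_assume(policies, role_arn, trust_policy, caller_account):
    """Both halves must agree; neither account can grant the access on its own."""
    return caller_may_assume(policies, role_arn) and role_trusts(trust_policy, caller_account)


def revoke_trust(trust_policy, account):
    """Break the sharing relationship from the role owner's side: drop the principal.
    Nothing in the caller's account needs to change for access to stop."""
    root_arn = f"arn:aws:iam::{account}:root"
    statements = []
    for st in trust_policy["Statement"]:
        remaining = [p for p in _aws_principals(st) if p not in (account, root_arn)]
        if remaining:
            statements.append({**st, "Principal": {"AWS": remaining}})
    return {"Statement": statements}
```

Note that the role's own permissions (DDB_ROLE_PERMISSIONS) never enter the assume-role decision; they only bound what the temporary credentials can do once issued.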
  • 8. Rotation – Rotate security credentials regularly
  • Benefits / How to steps
  • Password (enable password rotation sample policy). Setting an account password policy that allows users to change their own password enables this for all IAM users; the per-user policy below grants the same ability explicitly:
      { "Statement": [ {
          "Effect": "Allow",
          "Action": "iam:ChangePassword",
          "Resource": "arn:aws:iam::123456789012:user/anders" } ] }
  • Access Keys (enable access key rotation sample policy). Steps to rotate access keys:
      { "Statement": [ {
          "Effect": "Allow",
          "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey",
                      "iam:ListAccessKeys", "iam:UpdateAccessKey" ],
          "Resource": "arn:aws:iam::123456789012:user/anders" } ] }
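The four actions in that policy are exactly the ones a safe rotation needs, and their order matters: create the second key, deploy it, deactivate (not delete) the old key, verify, and only then delete. The following is an added example, not code from the AWS deck; SimulatedIam is an in-memory stand-in for the IAM API that keeps its real constraints (at most two access keys per user, Inactive keys are rejected, an Inactive key can be reactivated), the App and StaleApp classes are constructed for the demonstration, and the key IDs and secrets are generated locally.

```python
"""Access-key rotation sequenced through the four IAM actions (added example)."""
import secrets


class SimulatedIam:
    MAX_KEYS = 2                      # IAM allows at most two access keys per user

    def __init__(self):
        self._keys = {}               # user -> {AccessKeyId: {"Status", "Secret"}}

    def create_access_key(self, user):
        keys = self._keys.setdefault(user, {})
        if len(keys) >= self.MAX_KEYS:
            raise RuntimeError("LimitExceeded: delete or rotate an existing key first")
        key_id = "AKIA" + secrets.token_hex(8).upper()
        keys[key_id] = {"Status": "Active", "Secret": secrets.token_urlsafe(30)}
        return {"AccessKeyId": key_id, "SecretAccessKey": keys[key_id]["Secret"]}

    def list_access_keys(self, user):
        return [{"AccessKeyId": k, "Status": v["Status"]}
                for k, v in self._keys.get(user, {}).items()]

    def update_access_key(self, user, key_id, status):
        self._keys[user][key_id]["Status"] = status          # "Active" or "Inactive"

    def delete_access_key(self, user, key_id):
        del self._keys[user][key_id]

    def authenticate(self, key_id, secret):
        """What a signed API request checks: key exists, secret matches, status Active."""
        for keys in self._keys.values():
            entry = keys.get(key_id)
            if entry is not None:
                return entry["Secret"] == secret and entry["Status"] == "Active"
        return False


class App:
    """Consumer of the credentials; deploy() is how a new key reaches it."""

    def __init__(self, iam, creds):
        self.iam, self.creds = iam, creds

    def deploy(self, creds):
        self.creds = creds

    def works(self):
        return self.iam.authenticate(self.creds["AccessKeyId"], self.creds["SecretAccessKey"])


class StaleApp(App):
    """Failure mode: the new key was pushed but the app never reloaded its config."""

    def deploy(self, creds):
        pass


def rotate_access_key(iam, user, app):
    """Create -> deploy -> deactivate old -> verify -> delete old, with rollback."""
    current = iam.list_access_keys(user)
    if len(current) != 1:
        raise RuntimeError("expected exactly one key; finish or clean up a previous rotation")
    old_id = current[0]["AccessKeyId"]

    new = iam.create_access_key(user)                   # both keys valid from here
    app.deploy(new)
    iam.update_access_key(user, old_id, "Inactive")    # reversible, unlike delete
    if not app.works():
        iam.update_access_key(user, old_id, "Active")  # roll back: restore old key
        iam.delete_access_key(user, new["AccessKeyId"])
        raise RuntimeError("application failed with the new key; old key restored")
    iam.delete_access_key(user, old_id)                 # only now is the old key gone
    return new["AccessKeyId"]
```

Deactivating before deleting is the step people skip; it is what makes the rollback branch possible when a consumer of the old key was missed.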
  • 9. Conditions – Restrict privileged access further with conditions
  • Benefits / How to steps
    • Additional granularity when defining permissions
    • Can be enabled for any AWS service API
    • Minimizes accidentally performing privileged actions
  • Condition examples
    MFA: used together with an Allow for ec2:TerminateInstances, this explicit Deny blocks termination unless the user has authenticated with their MFA device (aws:MultiFactorAuthAge is absent, i.e. Null, when the session was not MFA-authenticated).
      { "Statement": [ {
          "Effect": "Deny",
          "Action": [ "ec2:TerminateInstances" ],
          "Resource": [ "*" ],
          "Condition": { "Null": { "aws:MultiFactorAuthAge": "true" } } } ] }
    SSL: enables a user to manage access keys for all IAM users in the account only if the request comes over SSL.
      { "Statement": [ {
          "Effect": "Allow",
          "Action": "iam:*AccessKey*",
          "Resource": "arn:aws:iam::123456789012:user/*",
          "Condition": { "Bool": { "aws:SecureTransport": "true" } } } ] }
    SourceIP: enables a user to terminate EC2 instances only if the request originates from the 192.168.176.0/24 address range.
      { "Statement": [ {
          "Effect": "Allow",
          "Action": [ "ec2:TerminateInstances" ],
          "Resource": [ "*" ],
          "Condition": { "IpAddress": { "aws:SourceIp": "192.168.176.0/24" } } } ] }
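The three policies above behave differently under the same request depending on what the request context carries, which is easy to get wrong with a Null operator in particular. The following is an added example, not code from the AWS deck: a small evaluator for the subset of IAM policy evaluation these slides rely on (explicit Deny wins, then any matching Allow, otherwise implicit deny; the Null, Bool and IpAddress operators; wildcard action and resource matching), run over the slide's policies with constructed request contexts. The instance ARN and context values are made up for the demonstration; the condition-key semantics follow the IAM policy language.

```python
"""Minimal IAM condition evaluator for the MFA, SSL and SourceIP examples (added example)."""
import ipaddress
from fnmatch import fnmatchcase

MFA_DENY = {"Statement": [{
    "Effect": "Deny", "Action": ["ec2:TerminateInstances"], "Resource": ["*"],
    "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}}]}

SSL_ALLOW = {"Statement": [{
    "Effect": "Allow", "Action": "iam:*AccessKey*",
    "Resource": "arn:aws:iam::123456789012:user/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}

SOURCE_IP_ALLOW = {"Statement": [{
    "Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": ["*"],
    "Condition": {"IpAddress": {"aws:SourceIp": "192.168.176.0/24"}}}]}

# The Deny above only means something next to an Allow; this one stands in for it.
TERMINATE_ALLOW = {"Statement": [{
    "Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"}]}


def _list(value):
    return value if isinstance(value, list) else [value]


def _context_get(context, key):
    """Condition keys are case-insensitive (aws:SourceIp == aws:SourceIP)."""
    for name, value in context.items():
        if name.lower() == key.lower():
            return value
    return None


def condition_holds(condition, context):
    """All operator/key pairs in a Condition block must hold (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = _context_get(context, key)
            if operator == "Null":
                # "true": the key must be absent from the request; "false": must be present
                want_absent = str(expected).lower() == "true"
                if (actual is None) != want_absent:
                    return False
            elif actual is None:
                return False            # every other operator fails on a missing key
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "IpAddress":
                networks = [ipaddress.ip_network(n, strict=False) for n in _list(expected)]
                if not any(ipaddress.ip_address(actual) in net for net in networks):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def evaluate(policies, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request across all policies."""
    decision = "ImplicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            if not any(fnmatchcase(action.lower(), a.lower()) for a in _list(st["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _list(st["Resource"])):
                continue
            if not condition_holds(st.get("Condition", {}), context):
                continue
            if st["Effect"] == "Deny":
                return "Deny"           # explicit Deny always wins
            decision = "Allow"
    return decision
```

The MFA case is the one to study: with an empty context the Deny fires and the Allow is overridden, while a context that carries aws:MultiFactorAuthAge (any value) makes the Null condition false, the Deny drops out, and the plain Allow decides.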
  • 10. Root – Reduce/remove use of root
  • Benefits / How to steps
  • Summary
    1. Users – Create individual users
    2. Groups – Manage permissions with groups
    3. Permissions – Grant least privilege
    4. Password – Configure a strong password policy
    5. MFA – Enable MFA for privileged users
    6. Roles – Use IAM roles for EC2 instances
    7. Sharing – Use IAM roles to share access
    8. Rotate – Rotate security credentials regularly
    9. Conditions – Restrict privileged access further with conditions
    10. Root – Reduce/remove use of root
  • Related sessions
    • SEC101 A Guided Tour of AWS Identity and Access Management – Wednesday 11/28, 2.05pm
    • SEC302 Delegating Access to Your AWS Environment – Wednesday 11/28, 3.25pm
    • SEC303 Top 10 IAM Best Practices – Thursday 11/29, 3pm
    • Learn more from our detail page: http://aws.amazon.com/iam
    • AWS forum where we hang out: https://forums.aws.amazon.com/forum.jspa?forumID=76
    • Documentation: http://aws.amazon.com/documentation/iam/
    • Twitter: follow us @AWSIdentity, #reinvent
  • We are sincerely eager to hear your feedback on this presentation and on re:Invent. Please fill out an evaluation form when you have a chance.