SEC303 Top 10 AWS Identity and Access Management Best Practices - AWS re:Invent 2012
© 2012 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
1. Users – Create individual users

Benefits:
• Unique credentials
• Individual credential rotation
• Individual permissions

How to steps: (console screenshot)
2. Groups – Manage permissions with groups

Benefits:
• Easier to assign the same permissions to multiple users
• Simpler to re-assign permissions based on a change in responsibilities
• Only one change needed to update permissions for multiple users

How to steps: (console screenshot)
3. Permissions – Grant least privilege

Benefits:
• More granular control
• Less chance of people making mistakes
• Easier to relax than to tighten up

How to steps: (console screenshot)
4. Passwords – Configure a strong password policy

Benefits:
• Ensures your users and your data are protected

How to steps: (console screenshot)
5. MFA – Enable MFA for privileged users

Benefits:
• Supplements username and password by requiring a one-time code during authentication

How to steps: (console screenshot)
6. Roles – Use IAM roles for EC2 instances

Benefits:
• Easy to manage access keys on EC2 instances
• Automatic key rotation
• Assign least privilege to the application
• AWS SDKs fully integrated

How to steps: (console screenshot)
7. Sharing – Use IAM roles to share access

Benefits:
• No need to share security credentials
• Easy to break the sharing relationship
• Use cases

How to steps (cross-account example): account dev@example.com (Acct ID: 123456789012) holds IAM user Jeff; account prod@example.com (Acct ID: 111122223333) holds ddb-role.

1. Jeff authenticates with STS using his own access keys and asks to assume ddb-role.
2. STS returns temporary security credentials for ddb-role.
3. Jeff calls AWS APIs using the temporary security credentials of ddb-role.

Permissions assigned to ddb-role (in 111122223333):

    { "Statement": [{
        "Action": [
          "dynamodb:GetItem",
          "dynamodb:BatchGetItem",
          "dynamodb:Query",
          "dynamodb:Scan",
          "dynamodb:DescribeTable",
          "dynamodb:ListTables"
        ],
        "Effect": "Allow",
        "Resource": "*"
    }]}

Permissions assigned to Jeff (in 123456789012), granting him permission to assume ddb-role in account B (111122223333):

    { "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::111122223333:role/ddb-role"
    }]}

Trust policy of ddb-role: ddb-role trusts IAM users from the AWS account dev@example.com (123456789012):

    { "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "123456789012"},
        "Action": "sts:AssumeRole"
    }]}
8. Rotation – Rotate security credentials regularly

Password (enable password rotation sample policy):

    { "Statement": [{
        "Effect": "Allow",
        "Action": "iam:ChangePassword",
        "Resource": "arn:aws:iam::123456789012:user/anders"
    }]}

Enforcing a password policy will automatically enable IAM users to manage their password.

Access keys (enable access key rotation sample policy):

    { "Statement": [{
        "Effect": "Allow",
        "Action": [
          "iam:CreateAccessKey",
          "iam:DeleteAccessKey",
          "iam:ListAccessKeys",
          "iam:UpdateAccessKey"
        ],
        "Resource": "arn:aws:iam::123456789012:user/anders"
    }]}

Steps to rotate access keys: (console walkthrough, not captured in this extraction)
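The access-key policy above grants exactly the four IAM calls a rotation needs. The following Python is an added example, not code from the deck: it walks the rotation those calls permit for user anders (create a second key, deploy it, deactivate rather than delete the old key, verify the application, then delete), and rolls back by re-enabling the old key when verification fails. It uses boto3's IAM client method names and response shapes (list_access_keys, create_access_key, update_access_key, delete_access_key) against an in-memory FakeIamClient so it runs offline; the fake's behaviour and the deploy/app_works callbacks are assumptions made for illustration.

```python
"""Access-key rotation for one IAM user, the procedure the slide's sample policy
(CreateAccessKey / ListAccessKeys / UpdateAccessKey / DeleteAccessKey on
user/anders) exists to permit.

Added example, not from the original deck. rotate() works against any object
exposing boto3's IAM client calls list_access_keys, create_access_key,
update_access_key and delete_access_key; FakeIamClient is an offline stand-in
whose response shapes are assumed to mirror boto3's, so the flow can be run and
checked without an AWS account.
"""
import uuid
from datetime import datetime, timezone

USER = "anders"  # the user named in the slide's sample policy


class FakeIamClient:
    """In-memory IAM: enforces the real 2-keys-per-user limit, otherwise minimal."""
    def __init__(self):
        self.keys = {}  # user -> list of key dicts

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{k: v for k, v in key.items() if k != "SecretAccessKey"}
                                      for key in self.keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        if len(self.keys.get(UserName, [])) >= 2:
            raise RuntimeError("LimitExceeded: AccessKeysPerUser is 2")
        key = {"UserName": UserName, "AccessKeyId": "AKIA" + uuid.uuid4().hex[:16].upper(),
               "SecretAccessKey": uuid.uuid4().hex, "Status": "Active",
               "CreateDate": datetime.now(timezone.utc)}
        self.keys.setdefault(UserName, []).append(key)
        return {"AccessKey": dict(key)}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self._find(UserName, AccessKeyId)["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName].remove(self._find(UserName, AccessKeyId))

    def _find(self, user, key_id):
        for key in self.keys.get(user, []):
            if key["AccessKeyId"] == key_id:
                return key
        raise KeyError(f"NoSuchEntity: {key_id}")


def key_is_active(iam, user, key_id):
    """What 'the application still works' reduces to here: the key it uses is Active."""
    return any(k["AccessKeyId"] == key_id and k["Status"] == "Active"
               for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"])


def rotate(iam, user, deploy, app_works):
    """Create new key -> deploy it -> deactivate old -> verify -> delete old.
    Deactivating before deleting keeps the old key recoverable if verification fails;
    on failure the old key is re-enabled and the new one is left in place for a retry."""
    existing = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(existing) != 1:
        raise RuntimeError(f"{user} has {len(existing)} keys; need exactly one to rotate")
    old_id = existing[0]["AccessKeyId"]
    new_key = iam.create_access_key(UserName=user)["AccessKey"]
    deploy(new_key)                                  # hand the new id/secret to the app
    iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")
    if not app_works():
        iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Active")
        raise RuntimeError("application failed with the new key; old key re-enabled")
    iam.delete_access_key(UserName=user, AccessKeyId=old_id)
    return new_key["AccessKeyId"]


def demo(deploy_works=True):
    """Runs rotate() on the fake. Returns (new_key_id_or_None, {key_id: status})."""
    iam = FakeIamClient()
    first = iam.create_access_key(UserName=USER)["AccessKey"]["AccessKeyId"]
    in_use = {"id": first}                           # stands in for the app's config

    def deploy(new_key):
        if deploy_works:
            in_use["id"] = new_key["AccessKeyId"]   # a broken deploy leaves the old key in use

    try:
        new_id = rotate(iam, USER, deploy, lambda: key_is_active(iam, USER, in_use["id"]))
    except RuntimeError:
        new_id = None
    statuses = {k["AccessKeyId"]: k["Status"]
                for k in iam.list_access_keys(UserName=USER)["AccessKeyMetadata"]}
    return new_id, statuses


if __name__ == "__main__":
    print("clean rotation:", demo())
    print("failed deploy:", demo(deploy_works=False))
```

Against real AWS, replace FakeIamClient with boto3.client("iam") and make app_works perform a real call with the new credentials; the deactivate-verify-delete ordering is the point, since a deleted key cannot be restored.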
9. Conditions – Restrict privileged access further with conditions

Benefits:
• Additional granularity when defining permissions
• Can be enabled for any AWS service API
• Minimizes accidentally performing privileged actions

MFA

    { "Statement": [{
        "Effect": "Deny",
        "Action": ["ec2:TerminateInstances"],
        "Resource": ["*"],
        "Condition": {
          "Null": {"aws:MultiFactorAuthAge": "true"}
        }
    }]}

Denies ec2:TerminateInstances whenever the request carries no MFA context (aws:MultiFactorAuthAge is null). Combined with a policy that allows the action, the user can terminate EC2 instances only if they have authenticated with their MFA device.

SSL

    { "Statement": [{
        "Effect": "Allow",
        "Action": "iam:*AccessKey*",
        "Resource": "arn:aws:iam::123456789012:user/*",
        "Condition": {
          "Bool": {"aws:SecureTransport": "true"}
        }
    }]}

Enables a user to manage access keys for all IAM users in the account only if the request comes over SSL.

SourceIP

    { "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:TerminateInstances"],
        "Resource": ["*"],
        "Condition": {
          "IpAddress": {"aws:SourceIp": "192.168.176.0/24"}
        }
    }]}

Enables a user to terminate EC2 instances only if the user is accessing EC2 from the 192.168.176.0/24 address range.
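To see how these policies actually decide a request, and how the cross-account role sharing in slide 7 chains the caller's sts:AssumeRole permission, the role's trust policy and the role's own permissions, here is an added Python example (not code from the deck). It carries the deck's policy documents verbatim and evaluates them with a deliberately small subset of IAM's logic: an explicit Deny wins, otherwise a matching Allow allows, otherwise implicit deny; only the Null, Bool and IpAddress operators and '*' wildcards are implemented. TERMINATE_ALLOW is an assumed companion policy the MFA Deny is meant to be paired with; it does not appear on the slides. This is not the real IAM engine.

```python
"""Evaluates the deck's sample policies: the cross-account ddb-role sharing flow
(slide 7) and the MFA, SSL and source-IP conditions (slide 9).

Added example, not code from the original deck. It implements only the subset of
IAM evaluation the slides need (an explicit Deny wins; otherwise a matching
Allow allows, else implicit deny; operators Null, Bool and IpAddress; '*' and
'?' wildcards in Action and Resource) and is not the real IAM engine.
TERMINATE_ALLOW is an assumed companion policy that is not on the slides.
"""
import fnmatch
import ipaddress

# Slide 7: ddb-role lives in prod@example.com (111122223333); dev@example.com is 123456789012
DDB_ROLE_ARN = "arn:aws:iam::111122223333:role/ddb-role"
DDB_ROLE_PERMISSIONS = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
    "dynamodb:Scan", "dynamodb:DescribeTable", "dynamodb:ListTables"]}]}
DDB_ROLE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                 "Principal": {"AWS": "123456789012"}}]}
JEFF_PERMISSIONS = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                   "Resource": DDB_ROLE_ARN}]}

# Slide 9
MFA_POLICY = {"Statement": [{"Effect": "Deny", "Action": ["ec2:TerminateInstances"],
    "Resource": ["*"], "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}}]}
SSL_POLICY = {"Statement": [{"Effect": "Allow", "Action": "iam:*AccessKey*",
    "Resource": "arn:aws:iam::123456789012:user/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}
SOURCE_IP_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["ec2:TerminateInstances"],
    "Resource": ["*"], "Condition": {"IpAddress": {"aws:SourceIp": "192.168.176.0/24"}}}]}
TERMINATE_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "ec2:TerminateInstances",
                                  "Resource": "*"}]}  # assumed companion to MFA_POLICY


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(pattern, value):
    # IAM wildcards '*' and '?'; action and resource names compared case-insensitively
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_holds(condition, ctx):
    """ctx maps lowercased request-context keys to values; a missing key is 'not present'."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            if operator == "Null":  # "true": key must be absent; "false": key must be present
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != expected.lower():
                    return False
            elif operator == "IpAddress":
                nets = [ipaddress.ip_network(n) for n in _as_list(expected)]
                if actual is None or not any(ipaddress.ip_address(actual) in n for n in nets):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policies, action, resource, ctx=None):
    """'Allow' or 'Deny' for one request across a set of policies."""
    ctx = {k.lower(): v for k, v in (ctx or {}).items()}
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if (any(_match(p, action) for p in _as_list(st["Action"]))
                    and any(_match(p, resource) for p in _as_list(st["Resource"]))
                    and _condition_holds(st.get("Condition", {}), ctx)):
                if st["Effect"] == "Deny":
                    return "Deny"  # explicit Deny wins regardless of any Allow
                allowed = True
    return "Allow" if allowed else "Deny"


def assume_role(caller_account, caller_policies, role_arn, role_trust, role_permissions):
    """STS AssumeRole as slide 7 draws it: the caller needs sts:AssumeRole on the role ARN
    and the role's trust policy must name the caller's account. Returns the policy set
    that governs calls made with the temporary credentials, or None if refused."""
    if evaluate(caller_policies, "sts:AssumeRole", role_arn) != "Allow":
        return None
    trusted = any(st["Effect"] == "Allow"
                  and any(_match(p, "sts:AssumeRole") for p in _as_list(st["Action"]))
                  and caller_account in _as_list(st.get("Principal", {}).get("AWS", []))
                  for st in role_trust["Statement"])
    return [role_permissions] if trusted else None


if __name__ == "__main__":
    creds = assume_role("123456789012", [JEFF_PERMISSIONS], DDB_ROLE_ARN, DDB_ROLE_TRUST, DDB_ROLE_PERMISSIONS)
    print("Jeff via ddb-role, dynamodb:Query:", evaluate(creds, "dynamodb:Query", "*"))
    print("terminate, no MFA:", evaluate([MFA_POLICY, TERMINATE_ALLOW], "ec2:TerminateInstances", "*"))
    print("terminate, MFA:", evaluate([MFA_POLICY, TERMINATE_ALLOW], "ec2:TerminateInstances", "*",
                                      {"aws:MultiFactorAuthAge": "120"}))
```

Two things the evaluator makes visible that the slides only imply: the MFA policy by itself grants nothing (it is a Deny, so TERMINATE_ALLOW or an equivalent must exist for the action to ever succeed), and the cross-account flow needs both halves, since a caller with sts:AssumeRole but from an account the trust policy does not name is refused, as is a trusted account whose user lacks the sts:AssumeRole permission.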
10. Root – Reduce/remove use of root

How to steps: (console screenshot)
Summary

1. Users – Create individual users
2. Groups – Manage permissions with groups
3. Permissions – Grant least privilege
4. Password – Configure a strong password policy
5. MFA – Enable MFA for privileged users
6. Roles – Use IAM roles for EC2 instances
7. Sharing – Use IAM roles to share access
8. Rotate – Rotate security credentials regularly
9. Conditions – Restrict privileged access further with conditions
10. Root – Reduce/remove use of root
Code    Session                                              Time
SEC101  A Guided Tour of AWS Identity and Access Management  Wednesday 11/28 2.05pm
SEC302  Delegating Access to Your AWS Environment            Wednesday 11/28 3.25pm
SEC303  TOP 10 IAM Best Practices                            Thursday 11/29 3pm

• Learn more from our detail page: http://aws.amazon.com/iam
• AWS forum where we hang out: https://forums.aws.amazon.com/forum.jspa?forumID=76
• Documentation: http://aws.amazon.com/documentation/iam/
• Twitter: follow us @AWSIdentity, #reinvent
We are sincerely eager to hear your feedback on this presentation and on re:Invent. Please fill out an evaluation form when you have a chance.
