SEC301: Top 10 IAM best practices
Anders Samuelsson, AWS Identity and Access
November 13, 2013

© 2013 Amazon.com, Inc. an...
What we will cover today
• Quick overview of AWS Identity and Acces
Management (IAM)
• Top 10 IAM best practices to secure...
AWS Identity and Access Management (IAM)
IAM enables you to control who can do what in your
AWS account
• Users, Groups, R...
Top 10 IAM best practices
Top 10 IAM best practices
1. Users
2. Groups
3. Permissions
4. Passwords
5. MFA
6. Roles
7. Sharing
8. Rotation
9. Conditi...
1. Users
Create individual users
1. Create individual users
Benefits

How to steps

• Unique credentials
• Individual credential rotation
• Individual perm...
1. Create individual users
2. Groups
Manage permissions with groups
2. Manage permissions with groups
Benefits

How to steps

• Easier to assign the same
permissions to multiple users
• Simp...
2. Manage permissions with groups
3. Permissions
Grant least privilege
3. Grant least privilege
Benefits

How to steps

• More granular control
• Less chance of people
making mistakes
• Easier ...
3. Grant least privilege
4. Passwords
Configure a strong password policy
4. Enforce a strong password policy

Benefits

How to steps

• Ensures your users and
your data are protected

• What is y...
4. Configure a strong password policy
5. MFA
Enable multi-factor authentication for privileged users
5. Enable Multi-Factor Authentication for
privileged users
Benefits

How to steps

• Supplements user name and
password to...
5. Enable MFA for privileged users
6. Roles
Use IAM roles for Amazon EC2 instances
6. Use IAM roles for Amazon EC2 instances
Benefits

How to steps

• Easy to manage access keys
on EC2 instances
• Automati...
6. Use IAM roles for EC2 instances
7. Sharing
Use IAM roles to share access
7. Use IAM roles to share access
Benefits
• No need to share security
credentials
• Easy to break sharing
relationship
• U...
Cross-account access – How does it work?
prod@example.com

dev@example.com
Acct ID: 123456789012

Acct ID: 111122223333
Au...
7. Use IAM roles to share access
8. Rotation
Rotate security credentials regularly
8. Rotate security credentials regularly
Benefits

How to steps

• Normal best practice

• Grant IAM user permission to
ro...
Enabling credential rotation for IAM users
(enable password rotation sample policy)
Password
{ "Version":"2012-10-17",
"St...
Enabling credential rotation for IAM users
(enable access key rotation sample policy)
Access Keys
{ "Version":"2012-10-17"...
8. Rotate security credentials regularly
9. Conditions
Restrict privileged access further with conditions
9. Restrict privileged access further with conditions

Benefits

How to steps

• Additional granularity
when defining perm...
Restrict privileged access further with conditions
{

MFA

{

"Statement":[{
"Effect":"Deny",
"Action":["ec2:TerminateInst...
9. Restrict privileged access further with conditions
10. Root
Reduce or remove use of root
10. Reduce or remove use of root
Benefits
• Reduce potential for misuse
of credentials

How to steps
• Security Credential...
10. Reduce or remove use of root
Top 10 IAM best practices
1. Users – Create individual users
2. Groups – Manage permissions with groups
3. Permissions – G...
Top 10 IAM best practices
1.
2.
3.
4.
5.
6.
7.
8.
9.
0.

Users – Create individual users
Groups – Manage permissions with ...
Additional resources
•
•
•
•
•

IAM detail page: http://aws.amazon.com/iam
AWS forum: https://forums.aws.amazon.com/forum....
All IAM related sessions at re:Invent
ID

Title

Time, Room

CPN205

Securing Your Amazon EC2 Environment with AWS IAM
Rol...
Please give us your feedback on this
presentation

SEC301
As a thank you, we will select prize
winners daily for completed...
Upcoming SlideShare
Loading in...5
×

Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS re:Invent 2013

3,542

Published on

Learn about best practices on how to secure your AWS environment with AWS Identity and Access Management (IAM). We will discuss how you best create access policies; manage security credentials (i.e., access keys, password, multi factor authentication (MFA) devices etc); how to set up least privilege; minimizing the use of your root account etc.

Published in: Technology
0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,542
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
150
Comments
0
Likes
5
Embeds 0
No embeds

No notes for slide

Transcript of "Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS re:Invent 2013"

  1. 1. SEC301: Top 10 IAM best practices Anders Samuelsson, AWS Identity and Access November 13, 2013 © 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  2. 2. What we will cover today • Quick overview of AWS Identity and Acces Management (IAM) • Top 10 IAM best practices to secure your AWS environment (with a lot of demos)
  3. 3. AWS Identity and Access Management (IAM) IAM enables you to control who can do what in your AWS account • Users, Groups, Roles, Permissions • Control… – Centralized – Fine-grained - APIs, resources and AWS Management Console • Security… – Secure by default – Multiple users, individual security credentials and permissions
  4. 4. Top 10 IAM best practices
  5. 5. Top 10 IAM best practices 1. Users 2. Groups 3. Permissions 4. Passwords 5. MFA 6. Roles 7. Sharing 8. Rotation 9. Conditions 10.Root
  6. 6. 1. Users Create individual users
  7. 7. 1. Create individual users Benefits How to steps • Unique credentials • Individual credential rotation • Individual permissions • Identify which IAM users you want to create  • Use the IAM Console, CLI or API to: - Create user - Assign credentials - Assign permissions
  8. 8. 1. Create individual users
  9. 9. 2. Groups Manage permissions with groups
  10. 10. 2. Manage permissions with groups Benefits How to steps • Easier to assign the same permissions to multiple users • Simpler to re-assign permissions based on change in responsibilities • Only one change to update permissions for multiple users • Map permissions to a specific business function • Assign users to that function • Manage groups in the Group section of the IAM Console
  11. 11. 2. Manage permissions with groups
  12. 12. 3. Permissions Grant least privilege
  13. 13. 3. Grant least privilege Benefits How to steps • More granular control • Less chance of people making mistakes • Easier to relax than to tighten up • Identify what permissions are required • Password/Access keys? • Avoid assigning *:* policy • Use policy templates
  14. 14. 3. Grant least privilege
  15. 15. 4. Passwords Configure a strong password policy
  16. 16. 4. Enforce a strong password policy Benefits How to steps • Ensures your users and your data are protected • What is your company’s password policy? • You can configure - Minimum password length - Require any combination of: • • • • One uppercase letter One lowercase letter One number One non-alphanumeric character
  17. 17. 4. Configure a strong password policy
  18. 18. 5. MFA Enable multi-factor authentication for privileged users
  19. 19. 5. Enable Multi-Factor Authentication for privileged users Benefits How to steps • Supplements user name and password to require a onetime code during authentication • Choose type of MFA - Virtual MFA - Hardware • Use IAM Console to assign MFA device
  20. 20. 5. Enable MFA for privileged users
  21. 21. 6. Roles Use IAM roles for Amazon EC2 instances
  22. 22. 6. Use IAM roles for Amazon EC2 instances Benefits How to steps • Easy to manage access keys on EC2 instances • Automatic key rotation • Assign least privilege to the application • AWS SDKs fully integrated • Create a role • Launch instances with the role • If not using SDKs, sign all requests to AWS services with the roles’ temporary credentials
  23. 23. 6. Use IAM roles for EC2 instances
  24. 24. 7. Sharing Use IAM roles to share access
  25. 25. 7. Use IAM roles to share access Benefits • No need to share security credentials • Easy to break sharing relationship • Use cases - Cross-account access - Intra-account delegation - Federation How to steps • Create a role - Specify who you trust - Describe what the role can do • Share the name of the role
  26. 26. Cross-account access – How does it work? prod@example.com dev@example.com Acct ID: 123456789012 Acct ID: 111122223333 Authenticate with Jeff access keys STS ddb-role IAM user: Jeff Get temporary security credentials for ddb-role Permissions assigned to Jeff granting him permission to assume ddb-role in account B Call AWS APIs { "Statement": [ using temporary { security credentials "Effect": "Allow", of ddb-role "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} Permissions assigned to ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*" }]} { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} ddb-role trusts IAM users from the AWS account dev@example.com (123456789012)
  27. 27. 7. Use IAM roles to share access
  28. 28. 8. Rotation Rotate security credentials regularly
  29. 29. 8. Rotate security credentials regularly Benefits How to steps • Normal best practice • Grant IAM user permission to rotate credentials • Change password in IAM console • IAM roles for EC2 automatically rotate credentials
  30. 30. Enabling credential rotation for IAM users (enable password rotation sample policy) Password { "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "iam:ChangePassword", "Resource": "arn:aws:iam::123456789012:user/${aws:username}" } ]} Enforcing a password policy will automatically enable IAM users to manage their passwords
  31. 31. Enabling credential rotation for IAM users (enable access key rotation sample policy) Access Keys { "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys", "iam:UpdateAccessKey"], "Resource": "arn:aws:iam::123456789012: user/${aws:username}" } ]} Steps to rotate access keys
  32. 32. 8. Rotate security credentials regularly
  33. 33. 9. Conditions Restrict privileged access further with conditions
  34. 34. 9. Restrict privileged access further with conditions Benefits How to steps • Additional granularity when defining permissions • Can be enabled for any AWS service API • Minimizes chances of accidentally performing privileged actions • Use conditions where applicable • Two types of conditions - AWS common - Service-specific
  35. 35. Restrict privileged access further with conditions { MFA { "Statement":[{ "Effect":"Deny", "Action":["ec2:TerminateInstances"], "Resource":["*"], "Condition":{ "Null":{"aws:MultiFactorAuthAge":"true"} }}]} "Statement":[{ "Effect":"Allow", "Action":"iam:*AccessKey*", "Resource”:"arn:aws:iam::123456789012:user/*", "Condition":{ "Bool":{“aws:SecureTransport":"true"}, }}]} Enables a user to terminate EC2 instances only if the user has authenticated with their MFA device. SSL Enables a user to manage access keys for all IAM users only if the user is coming over SSL. { SourceIP "Statement":[{ "Effect":"Allow", "Action":["ec2:TerminateInstances“], "Resource":["*“], "Condition":{ "IpAddress":{"aws:SourceIP":"192.168.176.0/24"} }}]} Enables a user to terminate EC2 instances only if the user is accessing EC2 from the 192.168.176.0/24 address range.
  36. 36. 9. Restrict privileged access further with conditions
  37. 37. 10. Root Reduce or remove use of root
  38. 38. 10. Reduce or remove use of root Benefits • Reduce potential for misuse of credentials How to steps • Security Credentials Page - Delete access keys - Activate a MFA device • Ensure you have set a “strong” password
  39. 39. 10. Reduce or remove use of root
  40. 40. Top 10 IAM best practices 1. Users – Create individual users 2. Groups – Manage permissions with groups 3. Permissions – Grant least privilege 4. Password – Configure a strong password policy 5. MFA – Enable MFA for privileged users 6. Roles – Use IAM roles for EC2 instances 7. Sharing – Use IAM roles to share access 8. Rotate – Rotate security credentials regularly 9. Conditions – Restrict privileged access further with conditions 10.Root – Reduce or remove use of root
  41. 41. Top 10 IAM best practices 1. 2. 3. 4. 5. 6. 7. 8. 9. 0. Users – Create individual users Groups – Manage permissions with groups Permissions – Grant least privilege Password – Configure a strong password policy MFA – Enable MFA for privileged users Roles – Use IAM roles for EC2 instances Sharing – Use IAM roles to share access Rotate – Rotate security credentials regularly Conditions – Restrict privileged access further with conditions Root – Reduce or remove use of root
  42. 42. Additional resources • • • • • IAM detail page: http://aws.amazon.com/iam AWS forum: https://forums.aws.amazon.com/forum.jspa?forumID=76 Documentation: http://aws.amazon.com/documentation/iam/ AWS Security Blog: http://blogs.aws.amazon.com/security Twitter: @AWSIdentity
  43. 43. All IAM related sessions at re:Invent ID Title Time, Room CPN205 Securing Your Amazon EC2 Environment with AWS IAM Roles and Resource-Based Permissions Wed 11/13 11am, Delfino 4003 SEC201 Access Control for the Cloud: AWS Identity and Access Management (IAM) Wed 11/13 1.30pm, Marcello 4406 SEC301 TOP 10 IAM Best Practices Wed 11/13 3pm, Marcello 4503 SEC302 Mastering Access Control Policies Wed 11/13 4.15pm, Venetian A SEC303 Delegating Access to Your AWS Environment Thu 11/14 11am, Venetian A GA23 Come talk security with AWS Thu 11/14 4pm, Toscana 3605
  44. 44. Please give us your feedback on this presentation SEC301 As a thank you, we will select prize winners daily for completed surveys!
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×