Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

AWS re:Invent 2016: Workshop: Adhere to the Principle of Least Privilege by Using AWS Identity and Access Management (IAM) and Amazon Virtual Private Cloud (VPC) (SEC302)

1,089 views

Published on

AWS IAM and Amazon VPC offer powerful tools that help you adhere to the principle of least privilege in your resource permissions and network security settings. This workshop will start with the fundamentals of IAM and VPC security techniques and will give you hands-on experience in writing, testing, applying, troubleshooting, and auditing progressively more tightly scoped IAM policies. You will also get experience building and monitoring VPC security groups that grant only the access required to perform tasks.

Published in: Technology

AWS re:Invent 2016: Workshop: Adhere to the Principle of Least Privilege by Using AWS Identity and Access Management (IAM) and Amazon Virtual Private Cloud (VPC) (SEC302)

  1. 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. November 29, 2016 SEC302 Workshop: Adhering to Least-Privilege Principles Becky Weiss, Senior Principal Engineer, AWS
  2. 2. virtual private cloud S3 bucket DynamoDB table SQS queue Amazon Kinesis stream Application Load Balancer Amazon Redshift cluster RDS databaseEC2 instances ECS tasks
  3. 3. Principle of Least Privilege: Definition “In information security, computer science, and other fields, the principle of least privilege requires that in a particular abstraction layer of a computing environment, every module must be able to access only the information and resources that are necessary for its legitimate purpose.” (Wikipedia)
  4. 4. Identity and Access Management (IAM) IAM policy Temporary credentials IAM role
  5. 5. Virtual Private Cloud (VPC) security group security group
  6. 6. Auditing, Monitoring and Troubleshooting AWS CloudTrail Amazon CloudWatch Events and CloudWatch Logs AWS Lambda
  7. 7. What to Expect from the Session Hands-on practice working with IAM and Amazon VPC • Techniques for scoping access and connectivity: allowing exactly what you need. • Techniques for debugging, auditing, and alarming.
  8. 8. Prerequisites You will get the most out of this session if you: • Have some experience with AWS • Have an AWS account with a working, installed AWS CLI • Know how to SSH to a Linux host • Have some basic programming experience (examples will be in JavaScript)
  9. 9. Handouts Handouts zip file: https://s3.amazonaws.com/awsiammedia/public/sample/Le astPrivilegeWorkshopreInvent/SEC302_handouts.zip Download and unzip it on your machine
  10. 10. Getting set up
  11. 11. Meet your neighbors! Look to your left, look to your right… Introduce yourself! You’ll be working with your neighbor later in this workshop.
  12. 12. Setup Steps AWS CLI CloudTrail Credentials and keys CloudFormation setup template
  13. 13. Setup: AWS Command Line Interface
  14. 14. Installing the CLI OS-specific instructions: http://docs.aws.amazon.com/cli/latest/userguide/installing.h tml Test it: C:Usersbecky>aws --version aws-cli/1.10.65 Python/2.7.9 Windows/7 botocore/1.4.55
  15. 15. Configuring the CLI http://docs.aws.amazon.com/cli/latest/userguide/cli-chap- getting-started.html Note: We will be using the us-west-2 region (Oregon) for this workshop.
  16. 16. Setup Steps AWS CLI CloudTrail Credentials and keys CloudFormation setup template
  17. 17. Setup: CloudTrail
  18. 18. Always run CloudTrail
  19. 19. And we’ll come back later
  20. 20. Setup Steps AWS CLI CloudTrail Credentials and keys CloudFormation setup template
  21. 21. Setup: IAM Users, Credentials, SSH Keys
  22. 22. I actually could have shown you these, since I later deleted the user. BUT: These are long-term security credentials. Don’t share or post them anywhere.
  23. 23. Configuring an IAM User Profile in the CLI C:Usersbecky>aws configure --profile sec302demo AWS Access Key ID [None]: AKIA************* AWS Secret Access Key [None]: *************************** Default region name [None]: us-west-2 Default output format [None]: json Use the credentials you were given.
  24. 24. Use the CLI as Sec302DemoUser C:Usersbecky>aws ec2 describe-vpcs --profile sec302demo An error occurred (UnauthorizedOperation) when calling the DescribeVpcs operation: You are not authorized to perform this operation.
  25. 25. Give the new user some permissions
  26. 26. Handy filter Attach it IAM managed policies: Predefined sets of commonly-used policies. You can also write your own (and we will)
  27. 27. Test Access > aws ec2 describe-vpcs --profile sec302demo { "Vpcs": [ { "VpcId": "vpc-c6a649a1", "InstanceTenancy": "default", "State": "available", "DhcpOptionsId": "dopt-e4650b80", "CidrBlock": "172.31.0.0/16", "IsDefault": true } ] }
  28. 28. Create an EC2 Key Pair For SSH Access If you already have an SSH key: aws ec2 import-key-pair ` --profile sec302demo ` --key-name Sec302DemoSSH ` --public-key-material file://c:tempSec302DemoPub.t xt To create a new SSH key: aws ec2 create-key-pair ` --profile sec302demo ` --key-name Sec302DemoSSH And save the KeyMaterial from the response
  29. 29. Setup Steps AWS CLI CloudTrail Credentials and keys CloudFormation setup template
  30. 30. Setup: CloudFormation Template
  31. 31. CloudFormation Stack Setup
  32. 32. CloudFormation Stack Setup Handout: sec302_setup_template.json
  33. 33. CloudFormation Stack Setup Your email address A name for the stack Your SSH key name Your IP address
  34. 34. The VPC You Just Created virtual private cloud VPC subnet us-west-2b VPC subnet us-west-2a VPC subnet us-west-2c 0.0.0.0/0
  35. 35. The Application You Just Launched virtual private cloud VPC subnet us-west-2b VPC subnet us-west-2a VPC subnet us-west-2c 0.0.0.0/0
  36. 36. Looking at your VPC
  37. 37. Your VPC Has Flow Logs Enabled Logs will be delivered to this CloudWatch Logs group.
  38. 38. Optional: Subscribe to SNS Topic
  39. 39. Setup Steps AWS CLI CloudTrail Credentials and keys CloudFormation setup template
  40. 40. Setup: Test SSH Access
  41. 41. Launch an EC2 Instance virtual private cloud VPC subnet us-west-2b VPC subnet us-west-2a VPC subnet us-west-2c 0.0.0.0/0 SSH security group
  42. 42. Use the SSH Security Group
  43. 43. Cheat sheet: Launch an EC2 instance Handout: run_instances_cheat_sheet.txt > aws ec2 run-instances --profile sec302demo >> --image-id ami-7172b611 >> --instance-type t2.nano >> --subnet-id $YOUR_SUBNET_ID >> --security-group-ids $YOUR_SECURITY_GROUP_ID >> --key-name Sec302DemoSSH Resources created by the SEC302 CloudFormation stack
  44. 44. Verify SSH Access Test your ssh access, e.g.: putty.exe -i c:tempSec302DemoPriv.ppk ec2- user@52.24.192.187 You can now terminate this EC2 instance. We won’t need it again.
  45. 45. All done setting up Let’s get started
  46. 46. Introduction to IAM Roles Beyond simple credentials
  47. 47. Granting Permissions, the Wrong Way EC2 instance DynamoDB table
  48. 48. Granting Permissions, the Right Way EC2 instance IAM role DynamoDB table
  49. 49. Granting Permissions, the Right Way AWS Lambda function DynamoDB table
  50. 50. Granting Permissions, the Right Way Other AWS accounts DynamoDB table
  51. 51. Hands-On with IAM Roles We’ll create an IAM role with some very specific privileges
  52. 52. Create an IAM Role for an EC2 Instance
  53. 53. Create an IAM Role for an EC2 Instance Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
  54. 54. This will allow Amazon EC2 to launch EC2 instances into this IAM role. Create an IAM Role for an EC2 Instance Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
  55. 55. Policy for the IAM Role: S3 Read-Only Access Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
  56. 56. Anatomy of an IAM Role ARN for referring to it later For use by EC2 Right now, permits all ReadOnly operations in S3. (We’ll make this more restrictive later.) Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
  57. 57. Launch an EC2 instance Launching with IAM role: This EC2 Instance will have S3 ReadOnly permissions Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
  58. 58. Attempt Actions From the EC2 Instance SSH to your EC2 instance, and from there, try some actions: # Tell the CLI your default region aws configure set default.region us-west-2 # This should work aws s3 ls # This should fail aws s3 mb s3://this-will-fail # This should fail aws ec2 describe-instances
  59. 59. Where Are the Credentials? There are credentials, but: • They are completely hands-off: You don’t touch them. • They are temporary and will expire; IAM will automatically rotate them To see them: curl http://169.254.169.254/latest/meta- data/iam/security-credentials/Sec302EC2Role; echo EC2 Instance Metadata Service Your role name
  60. 60. Making IAM Policy More Restrictive Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
  61. 61. Making IAM Policy More Restrictive Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
  62. 62. Making IAM Policy More Restrictive: Choosing Specific Actions Only the s3.GetObject action is allowed Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
  63. 63. Making IAM Policy More Restrictive: Choosing Specific Actions “*” means permission to s3.GetObject on all S3 objects Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
  64. 64. Making IAM Policy More Restrictive: Delete the Old Policy Detach this managed policy: We’re going to write our own
  65. 65. Making IAM Policy More Restrictive: Choosing Specific Actions Our policy so far: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1474248983000", "Effect": "Allow", "Action": [ "s3:GetObject“ ], "Resource": [ "*" ] } ] } Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
  66. 66. Attempt Actions From the EC2 Instance SSH to your EC2 instance, and from there, try some actions: # This should fail aws s3 ls # This should work: It is s3.GetObject aws s3 cp s3://awsiammedia/public/sample/LeastPrivilegeWorkshopr eInvent/SEC302_handouts.zip . Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
  67. 67. Making IAM Policy More Restrictive: IAM Resource-Level Policies Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
  68. 68. Making IAM Policy More Restrictive: IAM Resource-Level Policies In English: s3.ListBucket is allowed, only on the specified bucket, only when the prefix matches the given pattern. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Condition" : { "StringLike": { "s3:prefix": "AWSLogs/111122223333/CloudTrail/*" } }, "Resource": [ "arn:aws:s3:::your-cloudtrail-bucket-name-here" ] } ] } Catchup handout: ec2_instance_in_iam_role_policy_update_template.json Use your own bucket name Use your own account ID
  69. 69. Testing the ListBuckets Policy SSH to your EC2 instance and try it: [ec2-user@ip-10-0-2-49 ~]$ aws s3 ls s3://$YOUR_CLOUDTRAIL_BUCKET/AWSLogs/$YOUR_ACCOUNT_ID/CloudTrai l/us-west-2/2016/11/29/ 2016-11-29 16:28:41 1213 778340376510_CloudTrail_us-west- 2_20161001T1625Z_k5gzl4muOxohMXeM.json.gz 2016-11-29 16:38:33 2311 778340376510_CloudTrail_us-west- 2_20161001T1630Z_50SqQyuABVqP5igQ.json.gz 2016-11-29 16:33:22 1881 778340376510_CloudTrail_us-west- 2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz … Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
  70. 70. Making IAM Policy More Restrictive: IAM Resource-Level Policies In English: s3.GetObject is allowed, only on objects matching the given pattern. Add this statement to your policy, inside Statement[]: { "Effect": "Allow", "Action": [ "s3:GetObject“ ], "Resource": [ "arn:aws:s3:::<YOUR_CLOUDTRAIL_BUCKET>/AWSLogs/<YOUR_ACCOUNT_ID>/CloudTrail/*" ] } Catchup handout: ec2_instance_in_iam_role_policy_update_template.json Use your own bucket name and account ID
  71. 71. Testing the GetObject Policy [ec2-user@ip-10-0-2-49 ~]$ aws s3 cp s3://becky-20161001- cloudtrail/AWSLogs/778340376510/CloudTrail/us-west- 2/2016/10/01/778340376510_CloudTrail_us-west- 2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz . download: s3://becky-20161001- cloudtrail/AWSLogs/778340376510/CloudTrail/us-west- 2/2016/10/01/778340376510_CloudTrail_us-west- 2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz to ./778340376510_CloudTrail_us-west- 2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz Take a minute to unzip this and look at its contents: # gunzip $CLOUD_TRAIL_FILE.gz # sudo yum -y install jq # jq .Records[0] $CLOUD_TRAIL_FILE Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
  72. 72. Reference: AWS Services That Work With IAM Bookmark this page: http://docs.aws.amazon.com/IAM/latest/UserGuide/referen ce_aws-services-that-work-with-iam.html This has pointers to how you can use IAM with each AWS service.
  73. 73. Terminate the EC2 Instance You Launched We will not need it anymore
  74. 74. Testing IAM Roles Assuming IAM roles
  75. 75. Create an IAM Role: “Sec302RoleTestMe”
  76. 76. Grant access to your partner’s account (or your own, if no partner) Catchup CloudFormation template handout: iam_role_cross_account_template.json
  77. 77. Permissions for the IAM Role Choose a managed policy in the creation wizard Or write your own (inline policies). For example: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances" ], "Resource": [ "*" ] } ] } Catchup CloudFormation template handout: iam_role_cross_account_template.json
  78. 78. Note the IAM Role ARN Catchup CloudFormation template handout: iam_role_cross_account_template.json
  79. 79. Assuming Your Partner’s IAM Role > aws sts assume-role --profile sec302demo ` --role-arn arn:aws:iam::111122223333:role/Sec302RoleTestMe ` --role-session-name MyTestSession An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::410436118402:user/sec302demo is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::778340376510:role/Sec302RoleTestMe Oops! What did we miss? Your partner’s account
  80. 80. Policy Needed By Sec302DemoUser { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": ["arn:aws:iam::<YOUR_PARTNERS_ACCOUNT_ID>:role/Sec302RoleTestMe"] } ] } Catchup CloudFormation template handout: sts_assume_role_policy_template.json
  81. 81. Assuming the IAM Role C:Usersbecky>aws sts assume-role --profile sec302demo --role-arn arn:aws:iam:: 778340376510:role/Sec302RoleTestMe --role-session-name MyTestSession { "AssumedRoleUser": { "AssumedRoleId": "AROAJCO64ENYICVBJQRWM:MyTestSession", "Arn": "arn:aws:sts::778340376510:assumed-role/Sec302RoleTestMe/MyTestSe ssion" }, "Credentials": { "SecretAccessKey": “****", "SessionToken": “*****************", "Expiration": "2016-09-21T16:57:03Z", "AccessKeyId": "ASIA***********" } } Temporary credentials: I could have shown them. They have expired and are useless
  82. 82. Use the Temporary Credentials > aws configure --profile sec302assumed AWS Access Key ID [None]: ***** AWS Secret Access Key [None]:************* Default region name [None]: us-west-2 Default output format [None]: json > aws configure set aws_session_token *************************** --profile sec302assumed
  83. 83. Try the Temporary Credentials # Should succeed aws ec2 describe-instances --profile sec302assumed # Should fail aws dynamodb list-tables --profile sec302assumed
  84. 84. More on Permissions for IAM Roles Permissions for IAM roles should be minimal. Example yellow flags: • iam:AssumeRole / iam:PassRole -- If needed, be specific about the IAM role that this IAM role can assume • iam:PutRolePolicy -- Usually only for highly privileged principals !
  85. 85. Going Further: IAM Resource-Based Policies Useful for cross-account access Supported on some AWS resources, e.g. S3 buckets Attach policy to the resource itself: Analogous to access control lists &&
  86. 86. Auditing API Call Events Using CloudWatch Events + AWS Lambda to audit resource access
  87. 87. CloudWatch Events & AWS Lambda CloudWatch Events: AWS API calls via CloudTrail AWS LambdaCloudTrail
  88. 88. Lambda Function for CloudWatch Events Created by the SEC302 CloudFormation stack
  89. 89. Lambda Function for CloudWatch Events
  90. 90. Setting Up the CloudWatch Events Rule
  91. 91. Setting Up the CloudWatch Events Rule
  92. 92. Setting Up the CloudWatch Events Rule AWS API call via CloudTrail We will see EC2 API calls The SEC302 CloudFormation stack created this. Catchup CloudFormation handout: cloudwatch_events_aws_api_rule_template.json
  93. 93. Try it: Make EC2 API calls Make some that succeed Make some that fail Get your partner to make some that fail, while assuming your IAM role
  94. 94. Find Lambda Logs in CloudWatch Logs
  95. 95. Events Delivered to Your Lambda Function { … "detail": { "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "AROAJCO64ENYICVBJQRWM:MyTestSession", "arn": "arn:aws:sts::410436118402:assumed- role/Sec302RoleTestMe/MyTestSession", … "eventTime": "2016-09-21T17:03:13Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateVpc", "awsRegion": "us-west-2", "errorCode": "Client.UnauthorizedOperation", "errorMessage": "You are not authorized to perform this operation.", "requestParameters": { "cidrBlock": "192.168.0.0/16" }, … Someone tried and failed to use CreateVpc while assuming this role
  96. 96. You Can Do a Lot With These Events Plenty of details there, including: • Principal that attempted the call • API method and request parameters • Result: Success or error (with detail) • Response All of this is also in CloudTrail in S3 But Lambda functions can take actions: Ideas?
  97. 97. Sidebar: IAM Role for the Lambda Function
  98. 98. Sidebar: IAM Role for the Lambda Function Managed policy “AWSLambdaBasicExecutionRole”: Permits writing output to CloudWatch Logs
  99. 99. Sidebar: IAM Role for the Lambda Function Inline policy “LambdaPublishToSNSTopic”: Permits publishing to your SNS topic
  100. 100. Sidebar: IAM Role for the Lambda Function
  101. 101. Sidebar: IAM Role for the Lambda Function Indicates that AWS Lambda can assume this IAM role { "Role": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ] }, … } AWS Lambda is allowed to assume this role
  102. 102. Activity: React to AWS API Events
  103. 103. Your Turn: Modify the Function Code Try modifying the AWS Lambda function to do something more interesting! For example code that publishes to an SNS topic, see handout: lambda_function_with_publish_to_sns.js
  104. 104. Another Idea: Using CloudTrail to Audit Permissions Least-privilege best practice: Audit IAM roles and users against actual usage in CloudTrail Does anyone have permissions that have gone unused?
  105. 105. VPC Security Groups Privilege of Least Principle for Connectivity
  106. 106. Security Groups in a VPC virtual private cloud 0.0.0.0/0
  107. 107. The Application We Are Running virtual private cloud VPC subnet us-west-2b VPC subnet us-west-2a VPC subnet us-west-2c 0.0.0.0/0 SSH Security Group ALB Security Group Backend Security Group ALLOW
  108. 108. Backend Security Group Port 8080
  109. 109. ALB Security Group: Ingress
  110. 110. ALB Security Group: Egress Port 8080
  111. 111. What You Are Running virtual private cloud VPC subnet us-west-2b VPC subnet us-west-2a VPC subnet us-west-2c 0.0.0.0/0 ALB Security Group Backend Security Group
  112. 112. Routing for Least-Privilege in a VPC virtual private cloud VPC subnet us-west-2b VPC subnet us-west-2a VPC subnet us-west-2c 0.0.0.0/0
  113. 113. Routing for Least-Privilege in a VPC virtual private cloud VPC subnet us-west-2b VPC subnet us-west-2a VPC subnet us-west-2c 0.0.0.0/0 VPC subnet us-west-2b VPC subnet us-west-2a VPC subnet us-west-2c Access to S3 via VPC Endpoints Private subnets
  114. 114. VPC Flow Logs Troubleshooting, Auditing, Monitoring, Analysis
  115. 115. VPC Flow Logs Are in CloudWatch Logs
  116. 116. VPC Flow Logs Are in CloudWatch Logs Each ENI has its own stream
  117. 117. CloudWatch Logs Trigger for AWS Lambda VPC Flow Logs in CloudWatch Logs AWS Lambda
  118. 118. Trigger a Lambda Function for VPC Flow Logs
  119. 119. Trigger a Lambda Function for VPC Flow Logs
  120. 120. Trigger a Lambda Function for VPC Flow Logs
  121. 121. Trigger a Lambda Function for VPC Flow Logs
  122. 122. Trigger a Lambda Function for VPC Flow Logs Give it a name Can leave blank Your VPC Flow Log
  123. 123. VPC Flow Logs in CloudWatch Logs Each ENI has its own stream
  124. 124. Inspecting VPC Flow Logs 10.0.0.117 = Me10.0.1.239 = ALB Port 8080 = Backend port ACCEPT
  125. 125. Inspecting VPC Flow Logs Who’s this? # dig +short -x 109.236.86.32 internetpolice.co. REJECT UDP Port 53 = DNS
  126. 126. VPC Flow Logs in Lambda 2016-09-24T21:53:46.264Z 5e20015f-82a1-11e6-b2ab-735d6b306893 { "messageType": "DATA_MESSAGE", "owner": "280328680831", "logGroup": "VPCFlowLogs", "logStream": "eni-18027f46-all", "subscriptionFilters": [ "myTrigger" ], "logEvents": [ { "id": "32888099581059259498575118542779913238350648463663169536", "timestamp": 1474753390000, "message": "2 280328680831 eni-18027f46 10.0.2.92 10.0.2.98 8080 32906 6 5 650 1474753390 1474753446 ACCEPT OK" }, … Available after 10 mins
  127. 127. Expected and Unexpected REJECT Packets virtual private cloud 0.0.0.0/0 From Internet
  128. 128. Lambda Function for Unexpected REJECTs Your turn: Do something interesting with VPC Flow Logs! Idea: Try writing a Lambda function that notifies your SNS topic when within-VPC traffic gets REJECTed. The code in your Lambda function already unzips and pretty-prints the messages.
  129. 129. Lambda Function for Unexpected REJECTs Handout: vpc_flow_logs_rejects.js Simple Lambda function for notifying an SNS topic whenever a packet sent within the VPC gets rejected.
  130. 130. Wrap-up
  131. 131. Remember To Delete Resources You Created
  132. 132. virtual private cloud
  133. 133. Remember to complete your evaluations!
  134. 134. Related Sessions More About IAM: • SAC317 - IAM Best Practices to Live By • SEC311 - How to Automate Policy Validation More About VPC: • NET201 - Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options • SEC401 - Automated Formal Reasoning About AWS Systems
  135. 135. Thank you!

×