Taking IAM protection to the
next level with Dome9
Is it possible that one of your AWS users or team members will have their
credentials compromised sometime in the future?
What if this compromised account belongs to a privileged user?
What is this session about?
IAM best practices and core principles that will allow you to prepare in advance for
Why IAM? Why this session?
30 years of isolated IT islands are converging now into a software defined data
AWS IAM policy governs that converged IT and becomes the single most critical
security policy in your organization.
Roy Feintuch @royfein
30 years fiddling with SW, 15 professionally,
10 in security systems, 5 in cloud sec
CTO / Co-founder of Dome9 Security
An AWS Advanced Technology partner with
Security Competency focusing on Network
Security and IAM protection
To our user...
In a software defined world a compromised privileged user
account can mean:
Data theft - cloning databases, S3 buckets, files
DNS hijacking - redirecting traffic to rogue sites
Deleting / encrypting data, infrastructure, encryption
Managing users - preventing legit admins from
accessing their environments, adding new accounts
Our user is already fatally compromised, but you don't have to be. Let's take a trip
back in our time machine to see what we could have done differently...
2 main courses of actions
1. Preventative actions
2. Detection and containment measures
We need them both!
Preventative Measures (1)
• Create and use IAM users instead of your root account
• Enable multi-factor authentication (MFA) for all users
• Configure a strong password policy
• Rotate security credentials regularly
• Remove unused security credentials that are not needed
Preventative Measures (2)
• Use IAM roles to share access:
• For EC2 instances (and other AWS services)
• For multi-account / federated access scenarios
• For 3rd party service providers
• Manage permissions with groups
Detection & Containment
• Enable AWS CloudTrail to get logs of API calls
• Grant least privilege
• Restrict privileged access further with policy conditions
• Use multiple AWS accounts to segregate between dev/test/prod and
between different sub-systems with different security requirements
Still, something is missing...
Adversaries constantly target our users
One of our users will eventually make mistake
Someone will break in
A new breed of solution is needed
Meet Dome9 IAM Safe
Dome9 IAM Safe is an AWS IAM Dynamic Authorization solution, providing
protection and detection against malicious cloud control plane attacks and
unintentional privileged user errors.
Added layer of IAM protection
Prevents accidental or malicious invocation of risky
“Just In time” authorization
Out of band authorization via mobile application
Multiple AWS accounts & regions
Containing the Blast Radius
Because IAM Safe users work at a
lesser privilege day-to-day, the
results of stolen credentials &
compromises are limited to non-
IAM Safe ensures that the riskiest
AWS operations (as deemed by you)
cannot be executed without Dome9
IAM Safe multi-factor authorization.
Not all workloads are equal!
Leverage the power of AWS
IAM policy language to
define specific actions and
add conditions based on
sensitivity, tags, etc...
IAM is critical for AWS Security
Apply AWS best practices
Utilize the breadth of AWS partners ecosystem to take your posture to the next
The moment of the breach is too late - take ownership regarding your future and
start preparing now!