Building a well-engaged and secure AWS account access management - FND207-R - AWS re:Inforce 2019

Building a well-managed and secure AWS account access management for enterprise customers and AWS partners is essential for managing a large number of AWS accounts. In this session, we review new features, best practices, and the risks involved when architecting organizational units. We also cover how to build dynamic access structures.



  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Building a well-engaged and secure AWS account access management. Marcus Fritsche, Global Solutions Architect, Amazon Web Services. FND207
  3. AWS account: security, access, and resource boundary; API limits/throttling; billing separation.
  4. Account models: from one account to thousands of accounts. Your accounts.
  5. Why one account isn't enough: billing; many teams, different access; security/compliance controls; business process isolation (apps, SaaS).
  6. Goals for a multi-account environment: guardrails, not blockers; auditable; flexible; automated; scalable; self-service.
  7. Account access and security considerations, baseline requirements: lock, enable, federate, define and map, establish, identify.
  8. What AWS accounts do we need for our secure, compliant multi-account environment? Organizations account, Security, Shared services, Billing-admin, Log archive, Network, Dev, Pre-prod/QA, Prod, Sandbox, Other.
  9. AWS Organizations master: service control policies; consolidated billing; volume discount; minimal resources; limited access (e.g., restrict the Organizations role). Network path: no connection to the data center.
  10. Core accounts (OU): foundational building blocks; once per organization; have their own development life cycle (dev/QA/prod).
  11. Log archive account: Amazon S3 bucket (versioned, restricted, MFA delete); CloudTrail logs; security logs; single source of truth; limited access and alarm on user login.
  12. Security account: optional data center connectivity; security tools and audit; GuardDuty master, Firewall Manager; cross-account read/write automated tooling; limited access.
  13. Shared services account: connected to the DC; DNS; LDAP/Active Directory; shared services VPC; deployment tools; golden AMIs; pipeline; scanning infrastructure (inactive instances, improper tags, snapshot life cycle); monitoring; limited access (IT-Ops).
  14. Network account: networking services; AWS Direct Connect (DX); AWS DX Gateway; TGW, shared VPC; AWS Client VPN; limited access; managed by the network team.
  15. Developer sandbox (OU and SBX accounts): no connection to the DC; innovation space; fixed spending limit; autonomous experimentation.
  16. Team/group accounts (OU): based on the level of isolation needed; match your development life cycle; think small.
  17. Dev (stage of SDLC): develop and iterate quickly; collaboration space.
  18. Pre-prod: connected to the data center; production-like; staging; testing automated deployment.
  19. Prod: connected to the data center; production applications; promoted from pre-prod; limited access (RO-only?); automated deployments.
  20. Team shared services: grows organically; shared to the team; product-specific common services; data lake; common tooling; common services.
  21. Multi-account approach. Orgs: account management. Log archive: security logs. Security: security tools, AWS Config rules. Shared services: directory, limit monitoring. Network: DX. Dev sandbox: experiments, learning. Dev: development. Pre-prod: staging. Prod: production. Team shared services: team services, data lake, common Amazon Cognito, etc.
  22. AWS Landing Zone structure, basic. Organizations account: account provisioning, account access (SSO). Shared services account: Active Directory, log analytics. Log archive: security logs. Security account: audit/break-glass.
  23. AWS Landing Zone structure, with add-ons. Organizations account: account provisioning, account access (SSO), Parameter Store. Shared services account: Active Directory, log analytics. Log archive: security logs. Security account: audit/break-glass.
  24. The AWS Landing Zone pipeline. Stages: Source; Validate/Build/Test; Deploy core account structure and policies; Deploy core resources; Deploy Service Catalog portfolio/products; Deploy baseline resources; Launch AVM for core accounts. Components: Landing Zone configuration ZIP file, AWS Landing Zone master configuration, AWS CodeBuild, AWS Organizations, Organizations/SCP state machine, state machine trigger Lambda, core StackSet, AWS account baseline StackSets, StackSet state machine, AWS Service Catalog, Service Catalog state machine, Launch AVM state machine.
  25. Organizations (cross-account access): core accounts (AWS Organizations master, Security, Shared services, Network, Log archive), developer accounts, team/group accounts (Dev, Pre-prod, Prod, Team shared services).
  26. AWS Organizations (no cross-account access): log archive, security, backups, PCI.
  27. The AWS Landing Zone solution: an easy-to-deploy solution that automates the setup of new AWS multi-account environments; based on AWS best practices and recommendations; initial security and governance controls; baseline accounts and account vending machine; automated deployment.
  29. The AWS Landing Zone solution • Automate the creation of an AWS Landing Zone (best practice blueprints), account factory, and AWS Single Sign-On (SSO) • Enable curated guardrails => ongoing policy enforcement • Dashboard for continuous visibility => visual summaries of your AWS environment
  30. The AWS Landing Zone solution: the dashboard for oversight.
  32. Access management: authorization with IAM policies and service control policies (SCPs).
  33. AWS Organizations (enable all features mode): the same structure as a single AWS account, applied across core accounts, developer accounts, and team/group accounts.
  34. IAM and AWS Organizations. IAM policies: manage ARNs; start from DENIED; assigned to roles and groups. SCPs (service control policies): manage APIs; start from ALLOWED; assigned to OUs and AWS accounts; not for root credentials, AWS Support, Amazon CloudFront, Alexa, etc.
  35. IAM and SC policies. IAM policy: choose a service; define actions for the service; apply resources for actions; specify conditions for actions; effect: Deny or Allow. SCP: choose a service; define actions for the service; apply resource = "*".
  36. IAM policies • JSON-formatted set of instructions which define permissions • Contain a statement (permissions) that specifies: which actions a principal can perform; which resources can be accessed
      {
        "Statement": [{
          "Effect": "effect",
          "Principal": "principal",    (who)
          "Action": "action",          (what)
          "Resource": "arn",           (where)
          "Condition": {               (if)
            "condition": { "key": "value" }
          }
        }]
      }
  37. IAM policy: resource and conditions • Resources and services are defined uniquely by an Amazon Resource Name (ARN) • Contain a statement (permissions) that specifies: which actions a principal can perform; which resources can be accessed
      arn:aws:service:region:account:resource…
  38. IAM policies and SCPs: IAM policies (group, user, role, service user) ∩ Organizations SCP (account, OU) = effective right (intersection).
  39. SCPs and IAM, policies to protect: the SCP allows S3:* and EC2:*, the IAM permissions allow SQS:* and EC2:*; the effective permission is the overlap of the two (EC2:*).
  40. Permissions boundaries for IAM entities (user or role): set the maximum permissions that an identity-based policy can grant to an IAM entity. The entity can perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
  41. Organizations SCPs: Organizations SCP ∩ permissions boundary ∩ identity-based policy = effective permission (Venn diagram).
  42. Resource-based policies: resource-based policy, permissions boundary, identity-based policy, effective permission (Venn diagram).
  43. Session policies: session policy ∩ permissions boundary ∩ identity-based policy = effective permission (Venn diagram).
  44. IAM policies: evaluation logic (flow chart).
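Slides 38 to 44 describe the effective permission as the intersection of the Organizations SCP, the permissions boundary, the identity-based policy and the session policy, with an explicit Deny in any layer winning. The following toy evaluator is an added example for this page, not AWS code and not part of the deck; it models only those layers (resource-based policies, the management account, root and service-linked roles are not modelled, and each entry in `scps` is assumed to stand for the merged SCP of one OU level, all of which must allow the call). The policy documents are constructed to match the S3/EC2 versus SQS/EC2 overlap on slide 39 and the CloudTrail guardrail mentioned on slide 49.

```python
"""Toy model of the IAM evaluation logic described on the slides:
effective permission = SCP ∩ permissions boundary ∩ identity policy ∩ session policy,
and an explicit Deny in any layer wins. Constructed example, not AWS code.
Simplifications: no resource-based policies, no management-account/root/
service-linked-role exceptions; each element of `scps` is the merged SCP of one
OU level on the account's path, and every level must allow the call."""
import re
from typing import Iterable, Optional


def _match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character.
    Action names are case-insensitive, so the comparison ignores case."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def evaluate_policy(policy: dict, action: str, resource: str) -> str:
    """Evaluate one policy document for one API call.
    Returns 'Deny' (explicit deny), 'Allow', or 'Implicit' (no statement matched)."""
    outcome = "Implicit"
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(_match(a, action) for a in actions) and any(_match(r, resource) for r in resources):
            if stmt.get("Effect") == "Deny":
                return "Deny"  # an explicit deny short-circuits the whole document
            outcome = "Allow"
    return outcome


def _layer_allows(policies: Iterable[dict], action: str, resource: str) -> bool:
    """A layer allows the call when no document denies it and at least one allows it.
    An empty layer is an implicit deny."""
    verdicts = [evaluate_policy(p, action, resource) for p in policies]
    return "Deny" not in verdicts and "Allow" in verdicts


def is_allowed(action: str, resource: str, identity_policies: list,
               scps: Iterable[dict] = (), boundary: Optional[dict] = None,
               session_policy: Optional[dict] = None) -> bool:
    """Intersection of the layers: every applicable layer must allow the call."""
    # SCP layer: every OU level must allow. A new organization starts from
    # FullAWSAccess, so no SCPs at all means nothing is restricted here.
    if not all(_layer_allows([scp], action, resource) for scp in scps):
        return False
    # Permissions boundary: caps what the identity-based policies may grant.
    if boundary is not None and not _layer_allows([boundary], action, resource):
        return False
    # Session policy (e.g. passed on AssumeRole): narrows the session further.
    if session_policy is not None and not _layer_allows([session_policy], action, resource):
        return False
    # Identity-based policies start from implicit deny: something must grant it.
    return _layer_allows(identity_policies, action, resource)


# Constructed sample documents (assumptions for this example, not the deck's policies).
SCP_TEAM_OU = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"},
        # guardrail in the spirit of slide 49: foundational logging stays untouchable
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
    ]
}
IDENTITY_DEVELOPER = {
    "Statement": [{"Effect": "Allow", "Action": ["sqs:*", "ec2:*"], "Resource": "*"}]
}
IDENTITY_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
BOUNDARY_EC2_READ = {
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]
}
SESSION_SQS_ONLY = {"Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}

if __name__ == "__main__":
    cases = [
        ("developer, SCP: ec2:RunInstances",
         is_allowed("ec2:RunInstances", "*", [IDENTITY_DEVELOPER], scps=[SCP_TEAM_OU])),
        ("developer, SCP: s3:GetObject (identity lacks S3)",
         is_allowed("s3:GetObject", "arn:aws:s3:::example-bucket/key",
                    [IDENTITY_DEVELOPER], scps=[SCP_TEAM_OU])),
        ("developer, SCP: sqs:SendMessage (SCP lacks SQS)",
         is_allowed("sqs:SendMessage", "*", [IDENTITY_DEVELOPER], scps=[SCP_TEAM_OU])),
        ("admin, SCP: cloudtrail:StopLogging (explicit deny wins)",
         is_allowed("cloudtrail:StopLogging", "*", [IDENTITY_ADMIN], scps=[SCP_TEAM_OU])),
        ("admin with boundary: ec2:RunInstances",
         is_allowed("ec2:RunInstances", "*", [IDENTITY_ADMIN], scps=[SCP_TEAM_OU],
                    boundary=BOUNDARY_EC2_READ)),
    ]
    for label, verdict in cases:
        print(f"{'ALLOW' if verdict else 'DENY ':5}  {label}")
```

Running it prints the overlap from slide 39 (only EC2 survives both the SCP and the developer's identity policy) and shows why the deck calls SCPs "policies to protect": an administrator's `*` grant cannot override the SCP's explicit Deny on CloudTrail.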
  45. Access best practice • Restrict root and master account access • Monitor activities as root and in the Organizations master • Use consolidated user management/SAML • Use the principle of "least privilege" (role-based access) • Assign SCPs to OUs and test with dedicated OUs • Avoid "whitelisting" and "blacklisting"
  46. Fun part: AWS Well-Architected Tool review
  48. Workshop details & steps: https://chilp.it/f546818 https://mf-aws.s3.amazonaws.com/events/Reinforca2019-WorkshopFND.htm http://mf-aws.s3.amazonaws.com/events/Workshop-Guide2019062b.pdf Your AWS Support Team: • Shahab Mohsen smohsen@amazon.com • Sirirat Kongdee siriratk@amazon.com • Kevin Dobbins kdobbin@amazon.nl • Jonathan Jenkyn jjenkyn@amazon.co.uk • Sean Leviseur slevise@amazon.com • Pablo Salazar pablosal@amazon.com • Marcus Fritsche mafritsc@amazon.de
  49. Whiteboard session: useful service control and IAM policies • SCP: no access to foundational setup services (CloudTrail, DX, etc.) • IAM identity: full admin; IAM user admin; IAM role admin; server admin, only if Tag = "CostCode22" • Permissions boundary • Resource permission
  51. Next steps – action required • Build your AWS account segmentation strategy • Set up AWS Landing Zone/Control Tower • Search train your policy ninja • Iterate on SCPs and IAM policies—automated using scripts! • Use AWS security audits and WARs to check and challenge! ? What did I say that you should not forget?
  52. Next steps – action required • Build your AWS account segmentation strategy • Set up AWS Landing Zone/Control Tower • Search train your policy ninja • Iterate on SCPs and IAM policies—automated using scripts! • Use AWS security audits and WARs to check and challenge! • Enable CloudTrail, AWS Config, GuardDuty
  53. Thank you! Marcus Fritsche mafritsc@amazon.de
