In Depth: AWS IAM and VPC

5,135 views

Published on

Presentation from AWS Worldwide Public Sector team's conference Building and Securing Applications in the Cloud (http://aws.amazon.com/campaigns/building-securing-applications-cloud/).

Published in: Technology, Business

In Depth: AWS IAM and VPC

  1. 1. The Solution
  2. 2. In Depth: AWS Identity & AccessManagement and Virtual Private Cloud Mark Ryland Chief Solutions Architect AWS Worldwide Public Sector
  3. 3. Deep Dive in Two Key Security Technologies Identity & Access Management  Overview  Core concepts: users, groups, roles, policies, etc.  Demos: multi-factor authentication; S3 and access control policies; Roles for Instances, MFA API protection EC2 Virtual Private Cloud  EC2 classic networking review  Virtual Private Cloud in-depth  Demos: network control via security groups; ELB in VPC; public and private connectivity to VPC to instances
  4. 4. AWS Identity & Access Management (IAM)• Each account has root identity plus Users, Groups, Roles • Account-level: password complexity policies• Unique security credentials for each user • Login/password (optional) • Access / secret keys (for APIs) (optional) • (V)MFA devices (optional)• Policies control access to AWS APIs• Deeper integration into some Services • S3: policies on objects and buckets • Simple DB: domains• AWS Management Console supports IAM user log on• Not for Operating Systems or Applications • use LDAP, Active Directory/ADFS, etc...
  5. 5. Identity & Access: Relevant Layers IAM is for AWS service endpoints: AWS APIs plus console/CLI Apps or databases Operating system and app/DB identity running on OSes systems often distinct  OS: e.g., Active Directory, etc.  Apps/DBs: e.g., Drupal user Identity/access for OSes database; application-level running in EC2 (or elsewhere) federation, etc. IAM federation, however, allows for AWS integration with other identity IAM: for AWS APIs, systems services, infrastructure Roles for Instances provides EC2 guest OS to AWS service integration
  6. 6. Security Token Service (STS) Temporary security credentials containing  Identity (native or federated) for authentication  Access Policy to control permissions  Configurable Expiration (1 – 36 hours) Supports  AWS Identities (root and IAM Users)  Federated Identities (authenticated outside IAM) Scales to millions of users  No need to create an IAM identity for every user Use Cases  Roles for Instances  Identity Federation to AWS APIs  Mobile and browser-based applications  Consumer applications with unlimited users  MFA-based API protection policies
  7. 7. Integration Option 1: Identity Syncing
  8. 8. Integration Option 2: Identity Federation
  9. 9. AWS Multi-Factor Authentication Requires more than username and password (or access key and secret key for API calls) Works with master account, IAM Users Integrated into  AWS Management Console  Billing pages on the AWS Portal  New: arbitrary API protection! Virtual MFA as well via OATH standard  IETF RFC 6238 A recommended opt-in security feature!
  10. 10. IAM Policies: Core Concepts Single IAM policy language applies everywhere  Principals: users, groups, and roles  Actions: service-specific verbs  Resources: set of named / addressable AWS objects • Amazon Resource Names (ARNs) (including relative names)  Conditions: context and environment • E.g., time, transport, source ARN, source IP, UserAgent, Referrer Policies can be written/stored relative to identities, or relative to resources  http://docs.amazonwebservices.com/IAM/latest/UserGuide/PermissionsOverview.html  Full processing details in case where multiple policies apply: http://docs.amazonwebservices.com/IAM/latest/UserGuide/AccessPolicyLanguage_ EvaluationLogic.html
  11. 11. Example Policy{ "Statement": [ { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*“, "Condition": {} //e.g., time, transport, source ARN, source IP, UserAgent, Referrer }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject", "s3:PutObject“ ], "Resource": "arn:aws:s3:::policy-test", "Resource": "arn:aws:s3:::policy-test/*“, "Condition": {} } ]}
  12. 12. Roles for Instances Temporary (STS) credentials pushed securely to EC2 instance via metadata service Automatically rotated every N minutes (configurable) Normally, AWS SDKs to the work for you  Example of using new STS model of auth in REST call: https://sdb.amazonaws.com/ ?Action=GetAttributes &AWSAccessKeyId=Access Key ID provided by AWS Security Token Service &DomainName=MyDomain &ItemName=MyItem &SignatureVersion=2 &SignatureMethod=HmacSHA256 &Timestamp=2010-01-25T15%3A03%3A07-07%3A00 &Version=2009-04-15 &Signature=Signature calculated using the SecretKeyId provided by AWS STS &SecurityToken=Security Token Value
  13. 13. IAM Demos Create user, assign to group Add virtual MFA for interactive sessions  And APIs with new MFA-protected API feature Create S3-related policy Login as new user, try S3 operations Start instance in IAM role  Instance has access to protected resource  SSH into instance, view identity metadata
  14. 14. Deep Dive in Two Key Security Technologies Identity & Access Management  Overview  Core concepts: users, groups, roles, policies, etc.  Demos: multi-factor authentication; S3 and access control policies; Roles for Instances, MFA API protection EC2 Virtual Private Cloud  EC2 classic networking review  Virtual Private Cloud in-depth  Demos: network control via security groups; ELB in VPC; public and private connectivity to VPC to instances
  15. 15. EC2 Standard Networking Every instance has private/internal and public/external IPs  True 1:1 NAT (no port translation)  “Split-brained” DNS  Addresses can change on start/stop, other state transitions Security groups control ingress Elastic IPs: fixed public IP addresses  Must be reassigned on instance restart
  16. 16. Internet EC2 instances dynamically assigned private IP addresses from the one large internal / private IP address range 10.134.2.3 10.1.2.3 10.218.5.17 10.27.45.16 10.243.3.5 10.8.55.5 10.141.9.810.99.42.97 10.155.6.7 10.16.22.33 10.131.7.28 10.6.78.201 Availability Zone 1a Availability Zone 1b Customer 1 Customer 2 Customer 3
  17. 17. 23.20.151.66 23.20.146.1 23.20.103.11 23.19.11.5 72.43.22.45 72.43.2.77 Internet 72.43.22.5 23.20.148.59 72.44.32.9 72.44.21.7 23.19.10.51 72.43.1.7 EC2 instances dynamically assigned public IP addresses on border network from Amazon’s public IP address blocks 10.134.2.3 10.1.2.3 10.218.5.17 10.27.45.16 10.243.3.5 10.8.55.5 10.141.9.810.99.42.97 10.155.6.7 10.16.22.33 10.131.7.28 10.6.78.201 Availability Zone 1a Availability Zone 1b Customer 1 Customer 2 Customer 3
  18. 18. Introducing AWS Virtual Private Cloud User-defined virtual IP networking for EC2 Private or mixed private/public addressing and ingress/egress Re-use of proven and well-understood networking concepts and technologies
  19. 19. VPC Capabilities in a Nutshell User-defined address space up to /16  Completely disjoint from all other tenant networks Up to 20* user-defined subnets up to /16 User-defined:  Virtual routing, DHCP servers, and NAT instances  Internet gateways, private, customer gateways, and VPN tunnels Private IPs are stable once assigned Elastic Network Interfaces (virtual NICs) Not automatically connected to Internet
  20. 20. Enhanced Security Capabilities Network topology, routing, subnet ACLs Security group enhancements  Egress control; dynamic (re)assignment; multiple SGs; richer protocol support Multiple network interfaces per instance  Multiple IP addresses per interface allow, e.g., multiple SSL terminations per instance Completely private networking via VPN Support for dedicated instances
  21. 21. Common Use Cases Mixing public and private resources  E.g., web-facing hosts with DMZ subnets, control plane subnets Workloads expecting fixed IPs and/or multiple NICs and/or multiple IP addresses AWS cloud as private extension of on-premises network  Accessible from on-premises hosts  No change to addressing  No change to Internet threat/risk posture
  22. 22. Internet www.aws-wwps.com webserver2.aws-wwps.com EIP: 107.21.19.137 webserver3.aws-wwps.comwebserver1.aws-wwps.com EIP: 107.21.19.141 EIP: 107.21.19.136 Internet Gateway (IGW + EIPs = direct Internet access) VPC Subnets VPC Subnets VPC Subnets Webserver1 Webserver3 10.1.100.101/24 Webserver2 10.1.102.101/24 10.1.101.101/24 AD/DNS server 10.1.0.20/24 AD/DNS server 10.1.1.20/24 Availability Zone 1a Availability Zone 1b Availability Zone 1b Virtual Private Gateway VPN Connection Customer Gateway VPC Customer Customer Data Center
  23. 23. Networking Demos Ping instances from inside / outside VPC Change security group content and examine behavior  Ping / web server access  Egress control (web browser) Drop public IPs, switch to accessing VPC from (virtual) “on premises” network
  24. 24. Simulation of “on-premises” VPC access via Sophos Security Gateway (ASG) EC2 virtual appliance and Sophos Remote Ethernet (RED) device VPC Subnets VPC Subnets 10.1.100.101 10.1.101.101 10.1.0.20 10.1.1.20 Availability Zone 1a Availability Zone 1b Virtual Private Gateway VPN Connection Customer Gateway EIP: 107.22.190.219 Private CIDR: 10.3.0.0/24 SSG running in EC2 REDTry it! Join my VPC now usingSSID: aws_inside_my_vpc Renaissance Hotel
  25. 25. Thank you!

×