Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Permission Boundary Round: AWS Security Week at the San Francisco Loft

1,170 views

Published on

Permission Boundary Round: Security Week at the San Francisco Loft

Learn how to use permission boundaries to truly delegate administration in AWS. This new feature can be challenging to understand so we'll do a good intro and then dive into an in-depth hands-on exercise to help you master it.

Level: 300
Speaker: Greg McConnel - Sr. Solutions Architect, AWS

  • Be the first to comment

Permission Boundary Round: AWS Security Week at the San Francisco Loft

  1. 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Greg McConnel Identity Round Robin Workshop Permission Boundaries Solutions Architect Amazon Web Services (AWS) AWS Pop-up Loft
  2. 2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark • Intro • Permission boundary basics • Policy categories • Permission boundary mechanism • Resource restrictions • Q & A • Workshop • Final Q & A Agenda
  3. 3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Mechanism to delegate the permission to create users and roles while preventing privilege escalation or unnecessarily broad permissions. What are permission boundaries?
  4. 4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark • Developers that need to create roles for Lambda functions • Application owners that need to create roles for EC2 instances • Admins that need to be able to create users for particular use cases • Any others? Use cases
  5. 5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Two viewpoints – the problem Tatyana Juan Juan, I need to create policies and roles for Lambda Uh, ok, but then we can’t regulate what permissions you grant Hi Tatyana, grabbing coffee? Tatyana Juan
  6. 6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Two viewpoints – old solution 1 So… what if you could request the creation of policies and roles … That would slow us down Juan Juan Tatyana Tatyana
  7. 7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Two viewpoints – old solution 2 Alright, then what if, hear me out, we pre- created policies and roles You won’t be able to cover every scenario… Also we’re out of coffee Tatyana Tatyana Juan Juan
  8. 8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Permission boundary basics
  9. 9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Before • Certain IAM policy actions (e.g. PutUserPolicy, AttachRolePolicy) are essentially full admin-like permissions. • Doing any form of self-service permissions management was non-trivial. IAM Delegated Administration Now • Administrator can grant full admin- like permissions, but specify a “permissions boundary.” • Allow developers to create principals for their applications and attach policies, but only within the boundary. Before and After Permission Boundaries
  10. 10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Permission Boundaries – mechanism Admins create delegated admins with permissions such that users and roles created must have a permission boundary Delegated admins create users and roles that have permission boundaries attached Admins Delegated admins “Bound” IAM users and roles Create delegated admins Create “bound” user & roles Permission boundary restricts the users and roles Delegated admins attach the IAM roles to resources (or use the IAM user) Restricted resources Resource permissions restricted Effective permissions of resources like Lambda functions are limited by permission boundary
  11. 11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark A condition "Condition": {"StringEquals": {"iam:PermissionsBoundary": "arn:aws:iam::ACCOUNT_ID:policy/permissionboundary" } }
  12. 12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark A condition applied to principal creation actions (users and roles) "Effect": "Allow", "Action": ["iam:CreateRole"], "Resource": ["arn:aws:iam::ACCOUNT_ID:role/path/"], "Condition": {"StringEquals": {"iam:PermissionsBoundary": "arn:aws:iam::ACCOUNT_ID:policy/permissionboundary" } }
  13. 13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark IAM Delegated Administration – User side # Step 1: Create role $ aws iam create-role –role-name roleforlambda –assume-role-policy-document file://Role_Trust_Policy_Text.json –permissions-boundary arn:aws:iam::<ACCOUNT_NUMBER>:policy/department_a/boundary_1 # Step 2: Create policy No change # Step 3: Attach policy No change Developer creates a role for a Lambda function Mechanism
  14. 14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Two viewpoints – the new solution Tatyana Juan I can create roles now, I just need to attach an additional policy. Developers can now create roles but I can prevent them from escalating their permissions or creating roles that are too permissive.
  15. 15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Policy categories
  16. 16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Policy permission categories Permission boundaries Organization SCPs IAM user and role permission boundaries Permission policies Identity-based policies Resource- based policies Access controls lists (ACLs) Policy permission categories
  17. 17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Policy permission categories Policy permission categories Permission boundaries Organization SCPs IAM user and role permission boundaries Permission policies Identity-based policies Resource- based policies Access controls lists (ACLs)
  18. 18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark But, it’s just an IAM policy right? IAM roleIAM policies Identity-based policy slot Identity-based policy Permission boundary Permission boundary slot
  19. 19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark But, it’s just an IAM policy right? Identity-based policy slot Permission boundary slot
  20. 20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Permission boundary mechanism
  21. 21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Policy permission categories Permission boundaries attached to users and roles Permission policies attached to users and roles Policy permission categories Permission boundaries Organization SCPs IAM user and role permission boundaries Permission policies Identity-based policies Resource- based policies Access controls lists (ACLs)
  22. 22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark 1. Authenticate the principal 2. Determine which policies apply to the request 3. Evaluate the different policy types that apply which affect the order in which they are evaluated. 4. Allow or Deny the request Everything after authentication
  23. 23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Effective Permissions - intersection Resulting permission Permission boundary Permission policy Defined by the admin Defined by the developer
  24. 24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Effective permissions – mechanism Permission policy Explicit deny API Request
  25. 25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Effective permissions – mechanism Permission policy Explicit deny API Request Permission boundary Resulting permission
  26. 26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Effective permissions – mechanism Permission policy Explicit deny API Request Permission boundary Implicit deny Explicit deny Allow Implicit deny Allow
  27. 27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Effective permissions – allow example Permission policy Explicit deny API Request Permission boundary Allow Allow Request allowed
  28. 28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Effective permissions – scenario 1 Permission PolicyPermission Boundary Request: s3:GetObject / bucket name: example1 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream”, "logs:PutLogEvents” ], "Resource": "arn:aws:logs:*:*:*" } } { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "s3:*" ], "Resource": "*" } ] }
  29. 29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Effective permissions – mechanism Permission policy Explicit deny API Request: s3:getobject Permission boundary Allow Request Denied Implicit deny
  30. 30. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Effective permissions – scenario 1 Permission PolicyPermission Boundary Request: s3:GetObject / bucket name: example1 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream”, "logs:PutLogEvents” ], "Resource": "arn:aws:logs:*:*:*" }, { "Effect": "Allow", "Action": ["s3:GetObject"], "Resource”:"arn:aws:s3:::example1/*" } } { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "s3:*" ], "Resource": "*" } ] }
  31. 31. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Effective permissions – mechanism Permission policy Explicit deny API Request: s3:getobject Permission boundary Allow Request allowed Allow
  32. 32. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Effective permissions – scenario 1 Permission PolicyPermission Boundary Request: s3:GetObject / bucket name: example1 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream”, "logs:PutLogEvents” ], "Resource": "arn:aws:logs:*:*:*" }, { "Effect": "Allow", "Action": ["s3:GetObject"], "Resource”:"arn:aws:s3:::example1/*" } } { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Resource": "*" } ] }
  33. 33. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Effective permissions – mechanism Permission policy Explicit deny API Request: s3:getobject Permission boundary Implicit deny Request denied Allow
  34. 34. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Effective permissions – mechanism Permission policy Explicit deny API Request Permission boundary SCPs Assume Role Policy Identity- based policy ACL Resource- based policy
  35. 35. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Resource Restrictions Goal: carve out a space for the delegated admins to be able to modify resources without impacting other resources. https://docs.aws.amazon.com/general/latest/gr/aws-arns-and- namespaces.html#arns-paths https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.ht ml#identifiers-arns
  36. 36. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Resource Restrictions • We are granting admin-like permissions (create and delete policies and roles) • Permission boundary is one part of the delegation • The other part is restricting the policies and roles they can impact then they could "Effect": "Allow", "Action": [ "iam:CreatePolicy", "iam:DeletePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion" ], "Resource": ”*”
  37. 37. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Resource Restrictions Resource restriction using paths: arn:aws:iam::123456789012:role/department1/* Example role: arn:aws:iam::123456789012:role/department1/role1 Resource restriction using names: arn:aws:iam::123456789012:policy/development-users* Example policy: arn:aws:iam::123456789012:policy/development-users- policy1
  38. 38. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Resource Restrictions - policies "Effect": "Allow", "Action": [ "iam:CreatePolicy", "iam:DeletePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion" ], "Resource": "*" • Examine permissions assigned to a delegated admin to create policies • If there is not a resource restriction then the delegated admins could modify any customer managed policies "Effect": "Allow", "Action": [ "iam:CreatePolicy", "iam:DeletePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion" ], "Resource": "arn:aws:iam::ACCOUNT_ID:policy/path/name*" vs
  39. 39. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Resource Restrictions - roles "Effect": "Allow", "Action": [ "iam:UpdateRole", "iam:DeleteRole” ], "Resource": "*" • Just like with policies we want to carve out a safe space for roles. • Permission boundaries play a part here, but not all actions support the condition • In addition different teams could be using the same permission boundaries "Effect": "Allow", "Action": [ "iam:UpdateRole", "iam:DeleteRole” ], "Resource": "arn:aws:iam::ACCOUNT_ID:role/path/name*" vs
  40. 40. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Presentation Q & A
  41. 41. Presentation Q & A • How does a permission boundary differ from a standard IAM policy? • What would happen if we delegated permissions without resource restrictions? • The scenario where you have user in an account that need to be able to create IAM polices, roles and Lambda functions is common. How was this situation handled before permission boundaries came along?
  42. 42. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark • Intro • Permission boundary basics • Policy categories • Permission boundary mechanism • Resource restrictions • Q & A • Workshop • Final Q & A Agenda reminder
  43. 43. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Workshop Overview
  44. 44. Workshop The round is broken down into a BUILD and VERIFY phase. BUILD (60 min): First each team will carry out the activities involved in the BUILD phase. VERIFY (30 min): Each team will carry out the VERIFY activities as if they were part of the web admin team.
  45. 45. Workshop AWS Cloud AWS Region Amazon S3 bucket IAM roles Web Admins Application Admins IAM policies Lambda Functions IAM roles IAM policies Lambda Functions Amazon S3 bucket Lambda Functions Amazon S3 bucket Workshop
  46. 46. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Workshop
  47. 47. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark Final Q & A
  48. 48. Final Q & A • What is the fundamental mechanism of permission boundaries? • There are two ways of doing resource restrictions (naming and pathing.) Which option allows you to create policies using both the AWS Console and CLI? • Is there an advantage to using one over the other? • Why do we not allow the web admins to attach any role to the Lambda functions?
  49. 49. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark End of day survey https://tinyurl.com/yb6naz8f @2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved

×