
(SEC303) Mastering Access Control Policies | AWS re:Invent 2014


If you have ever wondered how best to scope down permissions in your account, this in-depth look at the AWS Access Control Policy language is for you. We start with the basics of the policy language and how to create policies for users and groups. We look at how to use policy variables to simplify policy management. Finally, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket, allowing an IAM user to manage their own credentials and passwords, and more.



  1. Demo
  2. Amazon S3 Read-Only Access Template (example of an IAM user/group/role access policy):

     {
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["s3:Get*", "s3:List*"],
           "Resource": "*"
         }
       ]
     }
  3. Anatomy of a policy statement (Effect, Principal, Action, Resource, Condition):

     {
       "Statement": [
         {
           "Effect": "effect",
           "Principal": "principal",
           "Action": "action",
           "Resource": "arn",
           "Condition": {
             "condition": {
               "key": "value"
             }
           }
         }
       ]
     }

     Example 1: Effect: Allow; Principal: 123456789012:user/bob; Action: s3:*; Resource: jeff_bucket/*; Condition: Referer = example.com
     Example 2: Effect: Deny; Principal: 123456789012:user/brad; Action: s3:DeleteBucket; Resource: jeff_bucket; Condition: Referer = example.com
  4. Principal element (replace 123456789012 with your account number):

     <!-- Everyone (anonymous users) -->
     "Principal": {"AWS": "*"}
     <!-- Specific account or accounts -->
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}
     "Principal": {"AWS": "123456789012"}
     <!-- Individual IAM user -->
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/username"}
     <!-- Federated user (using web identity federation) -->
     "Principal": {"Federated": "www.amazon.com"}
     "Principal": {"Federated": "graph.facebook.com"}
     "Principal": {"Federated": "accounts.google.com"}
     <!-- Specific role -->
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/rolename"}
     <!-- Specific service -->
     "Principal": {"Service": "ec2.amazonaws.com"}
  5. Action element:

     <!-- EC2 action -->
     "Action": "ec2:StartInstances"
     <!-- IAM action -->
     "Action": "iam:ChangePassword"
     <!-- S3 action -->
     "Action": "s3:GetObject"
     <!-- Specify multiple values for the Action element -->
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"]
     <!-- Use wildcards (* or ?) as part of the action name. This would cover Create/Delete/List/Update -->
     "Action": "iam:*AccessKey*"
  6. Notice the difference?

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "NotAction": "iam:*",
           "Resource": "*"
         }
       ]
     }

     or

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": "*",
           "Resource": "*"
         },
         {
           "Effect": "Deny",
           "Action": "iam:*",
           "Resource": "*"
         }
       ]
     }

     The first policy is not a Deny: a user could still have a separate policy that grants iam:*. If you want to prevent the user from ever being able to call IAM APIs, use an explicit deny, as in the second policy.
  7. Even more strict: grants only what you want while ensuring you're always denying what you don't want granted.

     Instead of

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "NotAction": "iam:*",
           "Resource": "*"
         }
       ]
     }

     use

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "NotAction": "iam:*",
           "Resource": "*"
         },
         {
           "Effect": "Deny",
           "Action": "iam:*",
           "Resource": "*"
         }
       ]
     }
  8. Resource element:

     <!-- S3 bucket -->
     "Resource": "arn:aws:s3:::my_corporate_bucket/*"
     <!-- SQS queue -->
     "Resource": "arn:aws:sqs:us-west-2:123456789012:queue1"
     <!-- Multiple DynamoDB tables -->
     "Resource": ["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
                  "arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
     <!-- All EC2 instances for an account in a region -->
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
  9. Resource-based policy (Principal is required here):

     {
       "Statement": {
         "Sid": "Queue1_SendMessage",
         "Effect": "Allow",
         "Principal": {"AWS": "111122223333"},
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1"
       }
     }
  10. Condition element. Conditions within a statement are ANDed; the values listed for one key are ORed:

      Condition 1: Key1: Value1A OR Value1B OR Value1C
                   AND
                   Key2: Value2A OR Value2B
      AND
      Condition 2: Key3: Value3A
  11. Condition example:

      "Condition": {
        "DateGreaterThan": {"aws:CurrentTime": "2014-11-13T12:00:00Z"},
        "DateLessThan": {"aws:CurrentTime": "2014-11-13T15:00:00Z"},
        "IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}
      }

      Allows a user to access a resource under the following conditions (the three conditions are ANDed; the two IP ranges are ORed):
      • The time is after 12:00 p.m. on 11/13/2014
      • The time is before 3:00 p.m. on 11/13/2014
      • The request comes from an IP address in the 192.0.2.0/24 or 203.0.113.0/24 range
  12. Grants a user access to a home directory in Amazon S3 that can be accessed programmatically:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::myBucket"],
            "Condition": {"StringLike": {"s3:prefix": ["home/${aws:userid}/*"]}}
          },
          {
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": [
              "arn:aws:s3:::myBucket/home/${aws:userid}",
              "arn:aws:s3:::myBucket/home/${aws:userid}/*"
            ]
          }
        ]
      }

      Notes: Version is required; the variable ${aws:userid} is used both in the condition and in the resource ARNs.
  13. Giving a user a home directory from the Amazon S3 console:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowGroupToSeeBucketListInTheManagementConsole",
            "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::*"]
          },
          {
            "Sid": "AllowRootLevelListingOfThisBucketAndHomePrefix",
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::myBucket"],
            "Condition": {"StringEquals": {"s3:prefix": ["", "home/"], "s3:delimiter": ["/"]}}
          },
          {
            "Sid": "AllowListBucketofASpecificUserPrefix",
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::myBucket"],
            "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}
          },
          {
            "Sid": "AllowUserFullAccesstoJustSpecificUserPrefix",
            "Action": ["s3:*"],
            "Effect": "Allow",
            "Resource": [
              "arn:aws:s3:::myBucket/home/${aws:username}",
              "arn:aws:s3:::myBucket/home/${aws:username}/*"
            ]
          }
        ]
      }

      Notes: the first statement is necessary to access the Amazon S3 console; the third allows listing all objects in the user's folder and its subfolders; the fourth allows modifying objects in the folder and its subfolders.
  14. Demo
  15. Allow a user to view their own IAM details:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "ViewListOfAllUsers",
            "Action": ["iam:ListUsers"],
            "Effect": "Allow",
            "Resource": ["arn:aws:iam::123456789012:user/*"]
          },
          {
            "Sid": "AllowUserToSeeListOfOwnStuff",
            "Action": ["iam:GetUser", "iam:GetLoginProfile", "iam:ListGroupsForUser", "iam:ListAccessKeys"],
            "Effect": "Allow",
            "Resource": ["arn:aws:iam::123456789012:user/${aws:username}"]
          }
        ]
      }

      • Underneath the covers, the IAM console calls these APIs
      • Keep in mind the user will be able to view limited details about all users
      • The IAM user will not be able to modify the other IAM users' settings
      • Alternatively, use the CLI
  16. Allow a user to manage their own access keys and signing certificates:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": ["iam:*AccessKey*", "iam:*SigningCertificate*"],
            "Effect": "Allow",
            "Resource": ["arn:aws:iam::123456789012:user/${aws:username}"]
          }
        ]
      }
  17. Allow a user to manage their own virtual MFA device:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::123456789012:mfa/${aws:username}"
          },
          {
            "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice"],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
          },
          {
            "Action": ["iam:ListVirtualMFADevices"],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::123456789012:mfa/*"
          }
        ]
      }
  18. Demo
  19. Tell me there is a better way.

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["ec2:TerminateInstances"],
            "Resource": "*"
          }
        ]
      }

  20. Scoped to a single instance:

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-abc12345"
          }
        ]
      }

  21. Scoped to all instances of the account in a region:

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
          }
        ]
      }

  22. Scoped by resource tag:

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {
              "StringEquals": {"ec2:ResourceTag/department": "dev"}
            }
          }
        ]
      }
  23. Supports many different resource types, including:
      • Customer gateway
      • DHCP options set
      • Image
      • Instance
      • Instance profile
      • Internet gateway
      • Key pair
      • Network ACL
      • Network interface
      • Placement group
      • Route table
      • Security group
      • Snapshot
      • Subnet
      • Volume
      • VPC
      • VPC peering connection
  24. Type of resource and actions (accurate as of 11/13/2014; note: this is only a subset of all possible Amazon EC2 actions):

      Type of resource          Actions
      EC2 instances             RebootInstances, RunInstances, StartInstances, StopInstances, TerminateInstances
      Customer gateway          DeleteCustomerGateway
      DHCP options sets         DeleteDhcpOptions
      Internet gateways         DeleteInternetGateway
      Network ACLs              DeleteNetworkAcl, DeleteNetworkAclEntry
      Route tables              DeleteRoute, DeleteRouteTable
      Security groups           AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, DeleteSecurityGroup, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress
      Volumes                   AttachVolume, DeleteVolume, DetachVolume
      VPC peering connections   AcceptVpcPeeringConnection, CreateVpcPeeringConnection, DeleteVpcPeeringConnection, RejectVpcPeeringConnection
  25. Demo
  26. Limit a user to their own instances:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "THISALLOWSEC2READACCESS",
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*",
                       "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics",
                       "cloudwatch:Describe*", "autoscaling:Describe*"],
            "Resource": "*"
          },
          {
            "Sid": "THISLIMITSACCESSTOOWNINSTANCES",
            "Effect": "Allow",
            "Action": ["ec2:RebootInstances", "ec2:StartInstances",
                       "ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "${aws:username}"}}
          }
        ]
      }

      Notes: Version is required here because we're using variables; the first statement allows seeing everything from the Amazon EC2 console; the instance actions are only allowed if the tag condition is true, and a variable is used for the Owner tag.
  27. Ready for a quiz?
  28. Why doesn't this work?

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "SorryThisIsNotGoingToWorkAsExpected",
            "Effect": "Allow",
            "Action": ["ec2:*"],
            "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
          }
        ]
      }

      Problem: Not all Amazon EC2 actions support resource-level permissions.
  29. Solution: Change the resource to *

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Thiswillwork",
            "Effect": "Allow",
            "Action": ["ec2:*"],
            "Resource": "*"
          }
        ]
      }

  30. Why doesn't this work?

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "ThisWillNotWork",
            "Effect": "Allow",
            "Action": [
              "ec2:RunInstances", "ec2:TerminateInstances",
              "ec2:StopInstances", "ec2:StartInstances",
              "ec2:Describe*"
            ],
            "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
          }
        ]
      }

      Problem: None of the ec2:Describe* actions support resource-level permissions.
  31. Solution: Put ec2:Describe* into a separate block.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "TheseActionsDontSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*"
          },
          {
            "Sid": "TheseActionsSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
              "ec2:RunInstances", "ec2:TerminateInstances",
              "ec2:StopInstances", "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
          }
        ]
      }

  32. So will this work now? No.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "TheseActionsDontSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*"
          },
          {
            "Sid": "TheseActionsSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
              "ec2:RunInstances", "ec2:TerminateInstances",
              "ec2:StopInstances", "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
          }
        ]
      }

  33. To run an EC2 instance, you also need access to an Amazon EC2 key pair, a security group, an EBS volume, and an AMI:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "TheseActionsDontSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*"
          },
          {
            "Sid": "ThisActionSupportsResourceLevelPermissions",
            "Effect": "Allow",
            "Action": ["ec2:RunInstances"],
            "Resource": [
              "arn:aws:ec2:us-east-1:accountid:instance/*",
              "arn:aws:ec2:us-east-1:accountid:key-pair/*",
              "arn:aws:ec2:us-east-1:accountid:security-group/*",
              "arn:aws:ec2:us-east-1:accountid:volume/*",
              "arn:aws:ec2:us-east-1::image/ami-*"
            ]
          },
          {
            "Sid": "TheseActionsSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
              "ec2:TerminateInstances",
              "ec2:StopInstances",
              "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
          }
        ]
      }
  34. Policy evaluation logic:

      1. Decision starts at Deny
      2. Evaluate all applicable policies
      3. Is there an explicit deny? Yes: final decision = "deny" (explicit deny)
      4. No: Is there an Allow? Yes: final decision = "allow"
      5. No: final decision = "deny" (default deny)

      • AWS retrieves all policies associated with the user and resource
      • Only policies that match the action & conditions are evaluated
      • If a policy statement has a deny, it trumps all other policy statements
      • Access is granted if there is an explicit allow and no deny
      • By default, an implicit (default) deny is returned
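The following Python is an added example, not code from the slides or from AWS: it models the evaluation order of slide 34 together with the wildcard matching, NotAction, policy variables and String* conditions from slides 5, 6, 10 and 12, so the NotAction-versus-explicit-deny pitfall can be checked offline. The request context dictionary, the three policies at the bottom (constructed from slide 6) and the restriction to the StringEquals/StringLike operators are assumptions of this model, not the full IAM condition set.

```python
import fnmatch
import re
def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])
def _subst(s, ctx):
    # Expand policy variables such as ${aws:username} from the request context (slide 12).
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), s)
def _match(pattern, value):
    # IAM wildcards: * matches any run of characters, ? exactly one (slide 5);
    # case folding is a simplification, since real resource ARNs are case-sensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _cond_ok(cond, ctx):
    # Operators and keys are ANDed; the values listed for one key are ORed (slide 10).
    for op, keys in cond.items():
        for key, wanted in keys.items():
            have, vals = ctx.get(key), [_subst(w, ctx) for w in _as_list(wanted)]
            if op == "StringEquals":
                ok = have in vals
            elif op == "StringLike":
                ok = have is not None and any(_match(v, have) for v in vals)
            else:  # assumption: only the two String* operators are modelled here
                raise ValueError("operator not modelled: " + op)
            if not ok:
                return False
    return True

def _applies(stmt, action, resource, ctx):
    acts, nacts = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
    if acts and not any(_match(a, action) for a in acts):
        return False
    if nacts and any(_match(a, action) for a in nacts):  # NotAction = all but these
        return False
    res = [_subst(r, ctx) for r in _as_list(stmt.get("Resource", "*"))]
    return any(_match(r, resource) for r in res) and _cond_ok(stmt.get("Condition", {}), ctx)

def evaluate(policies, action, resource, ctx):
    """Slide 34: start at deny, an explicit deny trumps, allow needs a matching Allow."""
    allowed = False
    for pol in policies:
        for s in _as_list(pol["Statement"]):
            if _applies(s, action, resource, ctx):
                if s["Effect"] == "Deny":
                    return "explicit deny"
                allowed = True
    return "allow" if allowed else "implicit deny"

# Constructed policies reproducing slide 6: NotAction alone does not block iam:*.
NOT_IAM = {"Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}
DENY_IAM = {"Statement": [{"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
GRANT_IAM = {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
```

Evaluating `iam:CreateUser` against `[NOT_IAM, GRANT_IAM]` yields "allow", while adding `DENY_IAM` yields "explicit deny", which is exactly the difference slides 6 and 7 warn about.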
  35. Resources:
      http://aws.amazon.com/documentation/iam/
      http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html
      Demystifying EC2 Resource-Level Permissions
      Granting Users Permission to Work in the Amazon EC2 Console
      http://aws.amazon.com/iam
      https://forums.aws.amazon.com/forum.jspa?forumID=76
