(SEC305) IAM Best Practices | AWS re:Invent 2014

Ever wondered how to help secure your AWS environment? This session explains a series of best practices that help you do just that with AWS Identity and Access Management (IAM). We discuss how to create great access policies; manage security credentials (access keys, password, multi-factor authentication (MFA) devices, etc.); how to set up least privilege; how to minimize the use of your root account, and much, much more.


  1. November 12, 2014 | Las Vegas, NV
  2. Oops, looks like a 0-based code error
  3. 0. Users: Create individual users
  4. Benefits / How to get started
  5. 1. Permissions: Grant least privilege
  6. Benefits / How to get started. IMPORTANT NOTE: Permissions do not apply to root!
  7. 2. Groups: Manage permissions with groups
  8. Benefits / How to get started
  9. 3. Conditions: Restrict privileged access further with conditions
  10. Benefits / How to get started
  11. Four sample condition policies.

      MFA: enables a user to terminate EC2 instances only if the user has authenticated with their MFA device.

      ```json
      {
        "Statement": [{
          "Effect": "Allow",
          "Action": ["ec2:TerminateInstances"],
          "Resource": ["*"],
          "Condition": {
            "Null": {"aws:MultiFactorAuthAge": "false"}
          }
        }]
      }
      ```

      SSL: enables a user to manage access keys for all IAM users only if the user is coming over SSL.

      ```json
      {
        "Statement": [{
          "Effect": "Allow",
          "Action": "iam:*AccessKey*",
          "Resource": "arn:aws:iam::123456789012:user/*",
          "Condition": {
            "Bool": {"aws:SecureTransport": "true"}
          }
        }]
      }
      ```

      SourceIP: enables a user to terminate EC2 instances only if the user is accessing Amazon EC2 from the 192.168.176.0/24 address range.

      ```json
      {
        "Statement": [{
          "Effect": "Allow",
          "Action": ["ec2:TerminateInstances"],
          "Resource": ["*"],
          "Condition": {
            "IpAddress": {"aws:SourceIP": "192.168.176.0/24"}
          }
        }]
      }
      ```

      Tags: enables a user to terminate EC2 instances only if the instance is tagged with "Environment=Dev".

      ```json
      {
        "Statement": [{
          "Effect": "Allow",
          "Action": "ec2:TerminateInstances",
          "Resource": "*",
          "Condition": {
            "StringEquals": {"ec2:ResourceTag/Environment": "Dev"}
          }
        }]
      }
      ```
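As an added example (not from the deck), the following Python evaluator applies the four condition operators used on slide 11 (Null, Bool, IpAddress, StringEquals) to a request context. The embedded MFA and SourceIP policies are the slide's own; the decision logic is a simplified model of IAM's default-deny, explicit-deny-wins evaluation, and the resource ARN used when running it is constructed.

```python
import fnmatch
import ipaddress

def _condition_holds(operator, args, ctx):
    """Evaluate one condition operator block against a request context (keys lower-cased)."""
    for key, want in args.items():
        have = ctx.get(key.lower())
        if operator == "Null":
            # "true" requires the context key to be absent, "false" requires it to be present
            if (have is None) != (want == "true"):
                return False
        elif operator == "Bool":
            if have is None or str(have).lower() != want.lower():
                return False
        elif operator == "IpAddress":
            if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif operator == "StringEquals":
            if have != want:
                return False
        else:
            raise ValueError(f"unsupported condition operator: {operator}")
    return True

def _matches(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource, ctx):
    """Simplified IAM decision: default deny, an explicit Deny beats any matching Allow."""
    ctx = {k.lower(): v for k, v in ctx.items()}  # condition keys are case-insensitive
    allowed = False
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not all(_condition_holds(op, args, ctx) for op, args in st.get("Condition", {}).items()):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Two of the slide's policies, embedded here so the evaluator can be run offline
MFA_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["ec2:TerminateInstances"],
              "Resource": ["*"], "Condition": {"Null": {"aws:MultiFactorAuthAge": "false"}}}]}
IP_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["ec2:TerminateInstances"],
             "Resource": ["*"], "Condition": {"IpAddress": {"aws:SourceIP": "192.168.176.0/24"}}}]}
```

Note that a missing context key makes every operator except Null "true" fail, which is why the MFA policy denies a session that never presented an MFA device.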
  12. 4. Auditing: Enable AWS CloudTrail to get logs of API calls
  13. 4. Enable AWS CloudTrail to get logs of API calls
      Benefits
      • Visibility into your user activity by recording AWS API calls to an Amazon S3 bucket
      How to get started
      • Set up an Amazon S3 bucket
      • Enable AWS CloudTrail
      • Ensure the services you want are integrated with AWS CloudTrail
  14. Manage Users and Permissions
  15. 5. Passwords: Configure a strong password policy
  16. Benefits / How to get started. IMPORTANT NOTE: Password policy does not apply to root!
  17. 6. Rotation: Rotate (or delete) security credentials regularly
  18. Benefits / How to get started
  19. Password (enable password rotation sample policy). Enforcing a password policy will automatically enable IAM users to manage their passwords. Note the use of a policy variable.

      ```json
      {
        "Version": "2012-10-17",
        "Statement": [{
          "Effect": "Allow",
          "Action": "iam:ChangePassword",
          "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
        }]
      }
      ```
  20. Access Keys (enable access key rotation sample policy).

      ```json
      {
        "Version": "2012-10-17",
        "Statement": [{
          "Effect": "Allow",
          "Action": [
            "iam:CreateAccessKey",
            "iam:DeleteAccessKey",
            "iam:ListAccessKeys",
            "iam:UpdateAccessKey"
          ],
          "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
        }]
      }
      ```
  21. Steps to rotate access keys (same access key rotation sample policy as slide 20):
      1. While the first set of credentials is still active, create a second set of credentials, which will also be active by default.
      2. Update all applications to use the new credentials.
      3. Change the state of the first set of credentials to Inactive.
      4. Using only the new credentials, confirm that your applications are working well.
      5. Delete the first set of credentials.
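An added example, not from the deck: the five-step rotation on slide 21 driven through a boto3-style IAM client. The FakeIam class is a constructed stand-in (it assumes the same call shapes as boto3's IAM client) so the procedure can be run offline, and it enforces the two-keys-per-user limit that makes step 1 fail when an old second key was never cleaned up.

```python
class FakeIam:
    """Constructed stand-in for a boto3 IAM client (assumption: same call shapes as boto3)."""
    def __init__(self, key_id):
        self.keys = {key_id: "Active"}  # AccessKeyId -> Status
        self.created = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s} for k, s in self.keys.items()]}

    def create_access_key(self, UserName):
        if len(self.keys) >= 2:  # IAM limit: at most two access keys per user
            raise RuntimeError("LimitExceeded: user already has two access keys")
        self.created += 1
        key_id = f"AKIACONSTRUCTED{self.created:04d}"
        self.keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "constructed-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def rotate_access_key(iam, username, deploy, verify):
    """Five-step rotation from the slide. deploy(key_id, secret) pushes the new pair to every
    application; verify() returns True once the applications work. Returns the new key id."""
    keys = iam.list_access_keys(UserName=username)["AccessKeyMetadata"]
    if len(keys) != 1:  # a leftover second key would make step 1 fail against the two-key limit
        raise RuntimeError(f"expected exactly one access key for {username}, found {len(keys)}")
    old_id = keys[0]["AccessKeyId"]
    # Step 1: create the second key while the first is still active
    new = iam.create_access_key(UserName=username)["AccessKey"]
    new_id = new["AccessKeyId"]
    # Step 2: update all applications to use the new credentials
    deploy(new_id, new["SecretAccessKey"])
    # Step 3: mark the first key Inactive (not deleted) so the change can still be reverted
    iam.update_access_key(UserName=username, AccessKeyId=old_id, Status="Inactive")
    # Step 4: confirm the applications work using only the new credentials; roll back if not
    if not verify():
        iam.update_access_key(UserName=username, AccessKeyId=old_id, Status="Active")
        iam.delete_access_key(UserName=username, AccessKeyId=new_id)
        raise RuntimeError("applications failed with the new key; old key reactivated")
    # Step 5: delete the first key
    iam.delete_access_key(UserName=username, AccessKeyId=old_id)
    return new_id
```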
  22. 7. MFA: Enable multi-factor authentication for privileged users
  23. Benefits / How to get started
  24. 8. Sharing: Use IAM roles to share access
  25. Benefits / How to get started. ExternalID. IMPORTANT NOTE: Never share credentials.
  26. Cross-account access with ddb-role.
      prod@example.com (Acct ID: 111122223333) owns ddb-role. Permissions assigned to ddb-role:

      ```json
      {
        "Statement": [{
          "Action": [
            "dynamodb:GetItem",
            "dynamodb:BatchGetItem",
            "dynamodb:Query",
            "dynamodb:Scan",
            "dynamodb:DescribeTable",
            "dynamodb:ListTables"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }]
      }
      ```

      dev@example.com (Acct ID: 123456789012) owns IAM user Jeff. Flow: authenticate with Jeff's access keys; get temporary security credentials for ddb-role from STS; call AWS APIs using the temporary security credentials of ddb-role.

      Permissions assigned to Jeff, granting him permission to assume ddb-role in account B:

      ```json
      {
        "Statement": [{
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::111122223333:role/ddb-role"
        }]
      }
      ```

      Trust policy of ddb-role (ddb-role trusts IAM users from the AWS account dev@example.com, 123456789012):

      ```json
      {
        "Statement": [{
          "Effect": "Allow",
          "Principal": {"AWS": "123456789012"},
          "Action": "sts:AssumeRole"
        }]
      }
      ```

      External access: users log in with Login with Amazon, Google, Facebook, OpenID Connect or SAML and authenticate to STS with their tokens.
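Added example, not from the deck: a small model of the two checks behind the cross-account flow on slide 26, where both Jeff's identity policy and ddb-role's trust policy must allow sts:AssumeRole. The two policies are the slide's; the principal matching and the sts:ExternalId handling (the slide's ExternalID) are simplified assumptions, and the user ARN and external-id value are constructed.

```python
import fnmatch

ROLE_ARN = "arn:aws:iam::111122223333:role/ddb-role"
JEFF_ARN = "arn:aws:iam::123456789012:user/Jeff"  # constructed ARN for the slide's user Jeff

# Jeff's identity policy in dev@example.com (123456789012), as on the slide
JEFF_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
# ddb-role's trust policy in prod@example.com (111122223333), as on the slide
TRUST_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "123456789012"},
                               "Action": "sts:AssumeRole"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(principal, caller_account, caller_arn):
    # A bare account id (or its :root ARN) trusts every identity in that account that the
    # account's own policies permit; a user ARN trusts exactly that user (assumption: simplified)
    for p in _as_list(principal.get("AWS", [])):
        if p in (caller_account, f"arn:aws:iam::{caller_account}:root", caller_arn):
            return True
    return False

def can_assume(caller_account, caller_arn, caller_policy, role_arn, trust_policy, external_id=None):
    """AssumeRole succeeds only when the caller's policy AND the role's trust policy both allow it."""
    caller_ok = any(
        st["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(st["Action"])
        and any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(st["Resource"]))
        for st in caller_policy["Statement"])
    if not caller_ok:
        return False
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        if not _principal_matches(st.get("Principal", {}), caller_account, caller_arn):
            continue
        # The slide's ExternalID: a trust policy may require the caller to present an agreed
        # sts:ExternalId value, which keeps a third party from being used as a confused deputy
        want = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if want is not None and external_id != want:
            continue
        return True
    return False
```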
  27. 9. Roles: Use IAM roles for Amazon EC2 instances
  28. Benefits / How to get started
  29. Manage Credentials
  30. 10. Root: Reduce or remove use of root
  31. Benefits / How to get started
  32. 0. Users, 1. Permissions, 2. Groups, 3. Conditions, 4. Auditing
  33. 0. Users, 1. Permissions, 2. Groups, 3. Conditions, 4. Auditing
  34. 5. Passwords, 6. Rotation, 7. MFA, 8. Sharing, 9. Roles
  35. 10. Root
  36. http://aws.amazon.com/iam
      https://forums.aws.amazon.com/forum.jspa?forumID=76
      http://aws.amazon.com/documentation/iam/
      http://blogs.aws.amazon.com/security
      http://aws.amazon.com/cloudtrail/
      @AWSIdentity
  37. Related sessions:

      | Session | When | Where |
      | --- | --- | --- |
      | SEC302 – Delegating Access to your AWS Environment | Wednesday 11/12, 2.15pm | Palazzo J |
      | SEC304 – Bring Your Own Identities – Federating Access to your AWS Environment | Wednesday 11/12, 4.30pm | Palazzo J |
      | SEC303 – Mastering Access Control Policies | Thursday 11/13, 3.15pm | Palazzo J |
      | SEC306 – Turn on CloudTrail. Log API Activity in your AWS account | Thursday 11/13, 3.15pm | Lando 4305 |
      | MBL401 – Social Logins for Mobile Apps with Amazon Cognito | Thursday 11/13, 3.15pm | Palazzo B |
  38. Please give us your feedback on this session. Complete session evaluations and earn re:Invent swag. http://bit.ly/awsevals
