
Module 3: Security, Identity and Access Management - AWSome Day Online Conference APAC


This module will cover:

Data Center Security
AWS Identity and Access Management (IAM) concepts, including users, groups, roles and policies



  1. Module 3: Security, Identity, and Access Management
  2. AWS Shared Responsibility Model
     AWS Foundation Services: Compute, Storage, Database, Networking
     AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
     AWS is responsible for the security OF the cloud
     © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  3. AWS Shared Responsibility Model
     AWS Foundation Services: Compute, Storage, Database, Networking
     AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
     Customers: Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection; Platform, Applications, Identity, and Access Management; Operating System, Network, and Firewall Configuration; Customer Applications & Content
     Customers are responsible for security IN the cloud
     AWS is responsible for the security OF the cloud
  4. Physical Security
     • 24/7 trained security staff
     • AWS data centers in nondescript and undisclosed facilities
     • Two-factor authentication for authorized staff
     • Authorization for data center access
  5. Hardware, Software, and Network
     • Automated change-control process
     • Bastion servers that record all access attempts
     • Firewall and other boundary devices
     • AWS monitoring tools
  6. Certifications and Accreditations
     ISO 9001, ISO 27001, ISO 27017, ISO 27018, IRAP (Australia), MLPS Level 3 (China), MTCS Tier 3 Certification (Singapore) and more …
  7. VPC Secure Transmission
     • SSL Endpoints: use secure endpoints to establish secure communication sessions (HTTPS).
     • Security Groups (Instance Firewalls): use security groups to configure firewall rules for instances.
     • Network Control: use public and private subnets, NAT, and VPN support in your virtual private cloud to create low-level networking constraints for resource access.
  8. Security Groups
     • Security Groups (Instance Firewalls): use security groups to configure firewall rules for instances.
     • SSL Endpoints: use secure endpoints to establish secure communication sessions (HTTPS).
     • Network Control: use public and private subnets, NAT, and VPN support in your virtual private cloud to create low-level networking constraints for resource access.
  9. AWS Multi-Tier Security Groups (diagram)
     Internet → Web Tier security group (www servers) → Application Tier security group (app servers) → Database Tier security group (db servers)
     Tiers communicate over api; the Corporate Admin Network reaches instances over ssh/rdp; all other ports are blocked.
  10. AWS Identity and Access Management (IAM)
     1. Manage AWS IAM users and their access
     2. Manage AWS IAM roles and their permissions
     3. Manage federated users and their permissions
  11. AWS IAM Authentication
     • Authentication: AWS Management Console
     • User Name and Password (IAM User)
  12. AWS IAM Authentication
     • Authentication: AWS CLI or SDK API (Java, Python, .NET)
     • Access Key and Secret Key (IAM User)
       Access Key ID: AKIAIOSFODNN7EXAMPLE
       Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  13. AWS IAM User Management - Groups (diagram)
     AWS Account: DevOps Group (User C, User D); TestDev Group (User A, User B)
  14. AWS IAM Authorization
     • Policies:
       • Are JSON documents that describe permissions.
       • Are assigned to users, groups or roles (IAM User, IAM Group, IAM Roles).
  15. AWS IAM Policy Elements (IAM Policy)
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Stmt1453690971587",
            "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": "54.64.34.65/32"}}
          },
          {
            "Sid": "Stmt1453690998327",
            "Action": ["s3:GetObject*"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::example_bucket/*"
          }
        ]
      }
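As an added example that is not part of the deck, the evaluator below shows how the elements of the policy on this slide (Action, Resource, Effect and the aws:SourceIp condition) decide a request. The policy dictionary is a constructed copy of the slide's JSON; the evaluator models a single identity policy with only the IpAddress condition operator, while real requests also involve resource policies, permission boundaries and SCPs.

```python
import fnmatch
import ipaddress
# Constructed policy in the shape of the slide's example (not AWS's own code).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1453690971587", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
         "Condition": {"IpAddress": {"aws:SourceIp": "54.64.34.65/32"}}},
        {"Sid": "Stmt1453690998327", "Effect": "Allow",
         "Action": ["s3:GetObject*"], "Resource": "arn:aws:s3:::example_bucket/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM's '*' and '?' wildcards behave like shell globs; fnmatchcase is
    # case-sensitive, so callers lower-case actions (IAM ignores their case).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(condition, context):
    # Only the IpAddress operator from the slide is modelled; a request that
    # carries no aws:SourceIp fails the condition, as it does in IAM.
    for key, cidrs in condition.get("IpAddress", {}).items():
        source = context.get(key)
        if source is None:
            return False
        if not any(ipaddress.ip_address(source) in ipaddress.ip_network(c)
                   for c in _as_list(cidrs)):
            return False
    return True

def is_allowed(policy, action, resource, context=None):
    """One identity policy, simplified: explicit Deny wins, then any matching
    Allow grants, and everything else is denied by default."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = True
    return allowed
```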
  16. AWS IAM Policy Assignment (1) (diagram)
     IAM Policy assigned to an IAM User and to an IAM Group
  17. AWS IAM Policy Assignment (2) (diagram)
     IAM Policy assigned to an IAM User, an IAM Group and IAM Roles
  18. AWS IAM Roles
     • An IAM role uses a policy.
     • An IAM role has no associated credentials.
     • IAM users, applications, and services may assume IAM roles.
  19. AWS IAM Policy Assignment (diagram)
     IAM Policy assigned to an IAM User, an IAM Group and IAM Roles; the roles are assumed by an IAM User and by AWS Resources
  20. Example: Application Access to AWS Resources
     • Python application hosted on an Amazon EC2 Instance needs to interact with Amazon S3.
     • AWS credentials are required:
       • Option 1: Store AWS Credentials on the Amazon EC2 instance.
  21. Example: Application Access to AWS Resources
     • Python application hosted on an Amazon EC2 Instance needs to interact with Amazon S3.
     • AWS credentials are required:
       • Option 1: Store AWS Credentials on the Amazon EC2 instance.
       • Option 2: Securely distribute AWS credentials to AWS Services and Applications (IAM Roles).
  22. AWS IAM Roles - Instance Profiles (diagram, step 1): Amazon EC2, Amazon S3
     1. Create Instance
  23. AWS IAM Roles - Instance Profiles (diagram, step 2): Amazon EC2 (App), Amazon S3
     1. Create Instance
     2. Select IAM Role
  24. AWS IAM Roles - Instance Profiles (diagram, step 3): Amazon EC2 (App), EC2 MetaData Service, Amazon S3
     1. Create Instance
     2. Select IAM Role
     3. EC2 MetaData Service: http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename
  25. AWS IAM Roles - Instance Profiles (diagram, step 4): Amazon EC2 (App), EC2 MetaData Service, Amazon S3
     1. Create Instance
     2. Select IAM Role
     3. EC2 MetaData Service: http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename
     4. Application interacts with S3
  26. Temporary Security Credentials (AWS STS)
     Use Cases:
     • Cross account access
     • Federation
     • Mobile Users
     • Key rotation for Amazon EC2-based apps
     Temporary Security Credentials (Session): Access Key ID, Secret Access Key, Session Token, Expiration (15 minutes to 36 hours)
  27. Application Authentication (diagram)
     AWS IAM: supported; Application: No Support; OS: No Support
  28. AWS IAM Best Practices
     • Delete AWS account (root) access keys.
     • Create individual IAM users.
     • Use groups to assign permissions to IAM users.
     • Grant least privilege.
     • Configure a strong password policy.
     • Enable MFA for privileged users.
  29. AWS IAM Best Practices (cont.)
     • Use roles for applications that run on Amazon EC2 instances.
     • Delegate by using roles instead of by sharing credentials.
     • Rotate credentials regularly.
     • Remove unnecessary users and credentials.
     • Use policy conditions for extra security.
     • Monitor activity in your AWS account.
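Added example, not AWS's own code: a check of several of the practices on slides 28 and 29 (root access keys, MFA, credential rotation, unused users) run against an IAM credential report. The CSV is a constructed sample that uses the report's column names; a real report comes from the IAM GetCredentialReport API and carries more columns, and the 90-day rotation threshold is an assumed policy.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample using the column names of the IAM credential report
# (a real report has more columns; only the ones read below are shown).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2016-01-10T09:15:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2017-05-20T10:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2016-09-01T08:30:00+00:00,true,2016-02-14T11:00:00+00:00
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,false,N/A,false,N/A
"""
SAMPLE_NOW = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)  # "today" for the sample

def _parse_ts(value):
    # Placeholders such as N/A or no_information mean there is no date to check.
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, finding) pairs for the best-practice checks on slides 28 and 29."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        active_keys = [row[f"access_key_{n}_last_rotated"] for n in (1, 2)
                       if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>":
            if active_keys:
                findings.append((user, "root access keys exist; delete them"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for rotated in active_keys:
            ts = _parse_ts(rotated)
            if ts and now - ts > timedelta(days=max_key_age_days):
                findings.append((user, f"access key not rotated for {(now - ts).days} days"))
        if row["password_enabled"] != "true" and not active_keys:
            findings.append((user, "no credentials at all; remove the unused user"))
    return findings

def audit_sample():
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)
```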
  30. DEMO TIME
  31. New to AWS
     • Introductory labs and videos can help you ramp up: Start learning
     • Take a Class: build technical skills and learn best practices from an accredited instructor: Find a class
     • AWS Certification: validate knowledge and show expertise with industry recognized certifications: Get Certified
     • Online Labs: take an online Self-Paced Lab to get hands-on practice with AWS services: Start practicing
     Learn more: aws.amazon.com/training
  32. Thank You for Attending AWSome Day Online Conference
     We hope you found it interesting! A kind reminder to complete the survey. Let us know what you thought of today's event and how we can improve the event experience for you in the future.
     aws-apac-marketing@amazon.com
     twitter.com/AWSCloud
     facebook.com/AmazonWebServices
     youtube.com/user/AmazonWebServices
     slideshare.net/AmazonWebServices
     twitch.tv/aws