1. Innovating IAM Protection for AWS
Protecting your IAM users and roles is mission #1 for security professionals and DevOps alike. The challenge becomes more complex when adding multiple AWS accounts, many users, and a growing list of local and cross-account roles. By utilising an innovative IAM protection solution, you can successfully defend your AWS cloud from new threats in the software defined data center realm. In this 30 min session you will learn:
- How to identify and map out potential IAM risk factors and attack vectors.
- How to prevent potentially irreversible and dangerous activities over your AWS accounts directly from your mobile device.
- How to ultimately defend your AWS investment from compromised credentials and malicious insiders that can wreak havoc on your business.
2. Quick poll
Is it possible that one of your AWS users or team members will have their credentials compromised sometime in the future?
What if this compromised account belongs to a privileged user?
3. What is this session about?
IAM best practices and core principles that will allow you to prepare in advance for extreme scenarios
4. Why IAM? Why this session?
30 years of isolated IT islands are converging now into a software defined data center.
AWS IAM policy governs that converged IT and becomes the single most critical security policy in your organization.
5. About me
Adam Neale
Product Manager at Dome9 and COO at EB2BCOM
Over 20 years of IT sales and consulting experience working for companies such as Novell, Quest, Cisco, and Citrix.
Dome9 is an AWS Advanced Technology partner with AWS Security Competency focusing on Network Security and IAM protection
6. To our user...
In a software defined world a compromised privileged user account can mean:
Data theft - cloning databases, S3 buckets, files
DNS hijacking - redirecting traffic to rogue sites
Deleting / encrypting data, infrastructure, encryption keys, backups
Managing users - preventing legit admins from accessing their environments, adding new accounts
7. Our user is already fatally compromised, but you don't have to be. Let's take a trip back in our time machine to see what we could have done differently...
8. 2 main courses of action
1. Preventative actions
2. Detection and containment measures
We need them both!
9. Preventative Measures (1)
• Create and use IAM users instead of your root account
• Enable multi-factor authentication (MFA) for all users
• Configure a strong password policy
• Rotate security credentials regularly
• Remove security credentials that are no longer needed
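The first four preventative measures can be checked mechanically from the IAM credential report (`aws iam get-credential-report` returns the same CSV, base64-encoded). The script below is an added example, not code from the presentation or from Dome9; the report rows are constructed, trimmed to the columns the checks need (the real report has more, including `password_next_rotation` and the `access_key_2_*` columns), and the 90-day thresholds and the fixed "today" are assumptions chosen so the output is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the layout of the IAM credential report (columns trimmed).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T08:00:00+00:00,not_supported,2024-03-01T09:12:00+00:00,not_supported,false,true,2019-01-10T08:00:00+00:00,2023-11-02T10:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,2022-05-01T12:00:00+00:00,true,2024-03-02T07:30:00+00:00,2024-02-20T12:00:00+00:00,true,true,2024-01-15T12:00:00+00:00,2024-03-02T07:30:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2021-02-01T12:00:00+00:00,true,2023-06-01T07:30:00+00:00,2021-02-01T12:00:00+00:00,false,true,2021-02-01T12:00:00+00:00,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2023-09-01T12:00:00+00:00,false,not_supported,not_supported,false,true,2023-09-01T12:00:00+00:00,2024-03-01T00:00:00+00:00
"""

NOW = datetime(2024, 3, 3, tzinfo=timezone.utc)  # fixed "today" (assumption) so results are reproducible
MAX_KEY_AGE = timedelta(days=90)                  # rotation threshold (assumption)
MAX_IDLE = timedelta(days=90)                     # "unused" threshold (assumption)


def _ts(value):
    """Parse an ISO timestamp from the report; N/A / not_supported / no_information become None."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding) tuples for the preventative checks: root usage, MFA, rotation, unused credentials."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root should not be used day to day: no access keys, and MFA on the console login.
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root account without MFA"))
        if is_root and row["access_key_1_active"] == "true":
            findings.append((user, "root account has an active access key"))
        # Every IAM user with a console password needs MFA.
        if not is_root and row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # Access keys: rotate regularly, remove the ones nobody uses.
        if row["access_key_1_active"] == "true":
            rotated = _ts(row["access_key_1_last_rotated"])
            last_used = _ts(row["access_key_1_last_used_date"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key older than {MAX_KEY_AGE.days} days"))
            if last_used is None or now - last_used > MAX_IDLE:
                findings.append((user, "access key unused, candidate for removal"))
        # Console passwords that nobody has used for a long time are also candidates for removal.
        if row["password_enabled"] == "true":
            pw_used = _ts(row["password_last_used"])
            if pw_used is None or now - pw_used > MAX_IDLE:
                findings.append((user, "console password unused, candidate for removal"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:15} {finding}")
```

Run against the real report, `svc-deploy` shows the typical service-account pattern: no console password, so no MFA finding, but a key that has passed its rotation threshold while still being used, which is exactly the credential the rotation bullet is about.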
10. Preventative Measures (2)
• Use IAM roles to share access:
  • For EC2 instances (and other AWS services)
  • For multi-account / federated access scenarios
  • For 3rd party service providers
• Manage permissions with groups
11. Detection & Containment
• Enable AWS CloudTrail to get logs of API calls
• Grant least privilege
• Restrict privileged access further with policy conditions
• Use multiple AWS accounts to segregate between dev/test/prod and between different sub-systems with different security requirements
12. Still, something is missing...
Adversaries constantly target our users
One of our users will eventually make a mistake
Someone will break in
A new breed of solution is needed
13. Meet Dome9 IAM Safe
Dome9 IAM Safe is an AWS IAM Dynamic Authorization solution, providing protection and detection against malicious cloud control plane attacks and unintentional privileged user errors.
14. IAM Safe
Added layer of IAM protection
Prevents accidental or malicious invocation of risky actions
“Just In time” authorization
Out of band authorization via mobile application
Multiple AWS accounts & regions
SaaS delivered
16. Containing the Blast Radius
Because IAM Safe users work at a lesser privilege day-to-day, the results of stolen credentials & compromises are limited to non-catastrophic actions.
IAM Safe ensures that the riskiest AWS operations (as deemed by you) cannot be executed without Dome9 IAM Safe multi-factor authorization.
Not all workloads are equal!
Leverage the power of AWS IAM policy language to define specific actions and add conditions based on sensitivity, tags, etc...
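Whether or not a product like IAM Safe sits in front of it, the "riskiest operations need a second factor" idea and the "restrict privileged access further with policy conditions" bullet from the Detection & Containment slide are both expressed in plain IAM policy language. The block below is an added example, not Dome9's policy or AWS's evaluation engine: it builds a Deny guardrail using the real condition keys `aws:MultiFactorAuthPresent` (with `BoolIfExists`, so requests made with long-term access keys, which carry no MFA key at all, are also denied) and `aws:ResourceTag/Environment`, then includes a deliberately small matcher that models only the three operators this policy uses, so you can see which statement would block a given call. The action list, the tag name and value are assumptions.

```python
import fnmatch
import json

# Risky control-plane actions drawn from the impact list on the "To our user" slide (assumed list).
RISKY_ACTIONS = [
    "route53:ChangeResourceRecordSets",
    "kms:ScheduleKeyDeletion",
    "kms:DisableKey",
    "rds:DeleteDBInstance",
    "s3:DeleteBucket",
    "iam:CreateUser",
    "iam:AttachUserPolicy",
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
]


def build_guardrail_policy(risky_actions, prod_tag_key="Environment", prod_tag_value="prod"):
    """Deny policy: risky actions require an MFA-authenticated session; destroying tagged prod resources is denied outright."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyRiskyActionsWithoutMFA",
                "Effect": "Deny",
                "Action": sorted(risky_actions),
                "Resource": "*",
                # BoolIfExists: if the key is absent (long-term access key), the condition still matches
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            },
            {
                "Sid": "DenyDestroyingTaggedProdResources",
                "Effect": "Deny",
                "Action": ["ec2:TerminateInstances", "rds:DeleteDBInstance"],
                "Resource": "*",
                "Condition": {"StringEquals": {f"aws:ResourceTag/{prod_tag_key}": prod_tag_value}},
            },
        ],
    }


def _condition_matches(operator, key, expected, context):
    """Model of the three operators used above. `context` holds only the condition keys present on the request."""
    present = key in context
    if operator == "BoolIfExists":
        return True if not present else str(context[key]).lower() == expected.lower()
    if operator == "Bool":
        return present and str(context[key]).lower() == expected.lower()
    if operator == "StringEquals":
        return present and context[key] == expected
    raise ValueError(f"operator {operator} not modelled in this example")


def denying_statements(policy, action, context):
    """Sids of the Deny statements whose Action pattern and Condition block both match this request."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # IAM action names are case-insensitive and may contain wildcards
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in actions):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, k, v, context)
               for op, pairs in conditions.items() for k, v in pairs.items()):
            sids.append(stmt["Sid"])
    return sids


if __name__ == "__main__":
    policy = build_guardrail_policy(RISKY_ACTIONS)
    print(json.dumps(policy, indent=2))
    # A key deletion attempted with a plain access key: no MFA key in the context at all
    print(denying_statements(policy, "kms:ScheduleKeyDeletion", {}))
```

Attach the generated document as a customer-managed policy on the groups that hold privileged users, or as an SCP at the organization level so it also covers the separate dev/test/prod accounts. The matcher is an illustration of how the conditions combine; it is not a substitute for testing the real policy with the IAM policy simulator before rollout.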
17. Summary
IAM is critical for AWS Security
Apply AWS best practices
Utilize the breadth of the AWS partner ecosystem to take your posture to the next level
The moment of the breach is too late - take ownership of your future and start preparing now!