IAM Best Practices

7,457 views

Published on

AWS Identity and Access Management (IAM) enables you to manage who can do what in your AWS environment. In this session you will learn how to leverage IAM to control access to your AWS environment. We will cover best practices on how to create access policies, manage security credentials (i.e., access keys, password, Multi Factor Authentication devices, etc.), how to set up least privilege, minimizing the use of your root account, and more.

Published in: Technology

IAM Best Practices

  1. Top 10 IAM best practices
     Max Ramsay, Principal Security Solutions Architect
  2. What we will be covering today
     • Quick overview of IAM
     • Top 10 IAM best practices to secure your AWS environment
     • Demos galore
  3. AWS Identity and Access Management (IAM) enables you to control who can do what in your AWS account
     • Users, Groups, Roles, Permissions
     • Control…
       - Centralized
       - Fine-grained: APIs, resources and AWS Management Console
     • Security…
       - Secure by default
       - Multiple users, individual security credentials and permissions
  4. Top 10 IAM best practices
     1. Users
     2. Groups
     3. Permissions
     4. Passwords
     5. MFA
     6. Roles
     7. Sharing
     8. Rotation
     9. Conditions
     10. Root
  5. 1. Users: Create individual users
  6. 1. Create individual users
     Benefits
     • Unique credentials
     • Individual credential rotation
     • Individual permissions
     How-to steps
     • Identify which IAM users you want to create
     • Use the IAM Console, CLI or API to:
       - Create user
       - Assign credentials
       - Assign permissions
  7. 1. Create individual users
  8. 2. Groups: Manage permissions with groups
  9. 2. Manage permissions with groups
     Benefits
     • Easier to assign the same permissions to multiple users
     • Simpler to re-assign permissions based on a change in responsibilities
     • Only one change to update permissions for multiple users
     How-to steps
     • Map permissions to a specific business function
     • Assign users to that function
     • Manage groups in the Groups section of the IAM Console
  10. 2. Manage permissions with groups
  11. 3. Permissions: Grant least privilege
  12. 3. Grant least privilege
     Benefits
     • More granular control
     • Less chance of people making mistakes
     • Easier to relax than to tighten up
     How-to steps
     • Identify what permissions are required
     • Password/Access keys?
     • Avoid assigning a *:* policy
     • Use policy templates
  13. 3. Grant least privilege
  14. 4. Passwords: Configure a strong password policy
  15. 4. Enforce a strong password policy
     Benefits
     • Ensures your users and your data are protected
     How-to steps
     • What is your company’s password policy?
     • You can configure
       - Minimum password length
       - Require any combination of:
         • One uppercase letter
         • One lowercase letter
         • One number
         • One non-alphanumeric character
  16. 4. Configure a strong password policy
  17. 5. MFA: Enable MFA for privileged users
  18. 5. Enable Multi-Factor Authentication for privileged users
     Benefits
     • Supplements username and password to require a one-time code during authentication
     How-to steps
     • Choose type of MFA
       - Virtual MFA
       - Hardware
     • Use IAM Console to assign MFA device
  19. Multi-Factor Authentication devices
  20. 5. Enable MFA for privileged users
  21. 6. Roles: Use IAM roles for EC2 instances
  22. 6. Use IAM roles for EC2 instances
     Benefits
     • Easy to manage access keys on EC2 instances
     • Automatic key rotation
     • Assign least privilege to the application
     • AWS SDKs fully integrated
     How-to steps
     • Create a role
     • Launch instances with the role
     • If not using SDKs, sign all requests to AWS services with the role’s temporary credentials
  23. 6. Use IAM roles for EC2 instances
  24. 7. Sharing: Use IAM roles to share access
  25. 7. Use IAM roles to share access
     Benefits
     • No need to share security credentials
     • Easy to break sharing relationship
     • Use cases
       - Cross-account access
       - Intra-account delegation
       - Federation
     How-to steps
     • Create a role
       - Specify who you trust
       - Describe what the role can do
     • Share the name of the role
  26. Cross Account Access – How does it work
     Account dev@example.com (Acct ID: 123456789012), IAM user: Jeff
     Permissions assigned to Jeff, granting him permission to assume ddb-role in account B:
       { "Statement": [{"Effect": "Allow","Action": "sts:AssumeRole","Resource":"arn:aws:iam::111122223333:role/ddb-role"}]}
     Account prod@example.com (Acct ID: 111122223333), ddb-role
     Permissions assigned to ddb-role:
       { "Statement": [{"Action": ["dynamodb:GetItem","dynamodb:BatchGetItem","dynamodb:Query","dynamodb:Scan","dynamodb:DescribeTable","dynamodb:ListTables"],"Effect": "Allow","Resource": "*"}]}
     ddb-role trusts IAM users from the AWS account dev@example.com (123456789012):
       { "Statement": [{"Effect":"Allow","Principal":{"AWS":"123456789012"},"Action":"sts:AssumeRole"}]}
     Flow: Jeff authenticates with his access keys, gets temporary security credentials for ddb-role from STS, then calls AWS APIs using the temporary security credentials of ddb-role.
  27. 7. Use IAM roles to share access
  28. 8. Rotation: Rotate security credentials regularly
  29. 8. Rotate security credentials regularly
     Benefits
     • Normal best practice
     How-to steps
     • Grant IAM user permission to rotate credentials
     • Password change in IAM console
     • IAM roles for EC2 automatically rotate credentials
  30. Enabling credential rotation for IAM users (enable password rotation sample policy)
     Password
       {"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "iam:ChangePassword","Resource": "arn:aws:iam::123456789012:user/${aws:username}"}]}
     The slide shows the Resource first as the literal user ARN arn:aws:iam::123456789012:user/max and then with the ${aws:username} policy variable, which scopes the same policy to whichever user it is attached to.
  31. Enabling credential rotation for IAM users (enable access key rotation sample policy)
     Access Keys
       {"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["iam:*AccessKey*","iam:*SigningCertificate*"],"Resource": "arn:aws:iam::123456789012:user/${aws:username}"}]}
     As above, the Resource is shown as arn:aws:iam::123456789012:user/max and then as arn:aws:iam::123456789012:user/${aws:username}.
     Steps to rotate access keys
  32. 8. Rotate security credentials regularly
  33. 9. Conditions: Restrict privileged access further with conditions
  34. 9. Restrict privileged access further with conditions
     Benefits
     • Additional granularity when defining permissions
     • Can be enabled for any AWS service API
     • Minimizes accidentally performing privileged actions
     How-to steps
     • Use conditions where applicable
     • Two types of conditions
       - AWS common
       - Service specific
  35. Restrict privileged access further with conditions
     MFA
       { "Statement":[{"Effect":"Deny","Action":["ec2:TerminateInstances"],"Resource":["*"],"Condition":{"Null":{"aws:MultiFactorAuthAge":"true"}}}]}
     Enables a user to terminate EC2 instances only if the user has authenticated with their MFA device.
     "SSL"
       {"Statement":[{"Effect":"Allow","Action":"iam:*AccessKey*","Resource":"arn:aws:iam::123456789012:user/*","Condition":{"Bool":{"aws:SecureTransport":"true"}}}]}
     Enables a user to manage access keys for all IAM users only if the user is coming over SSL.
     SourceIP
       {"Statement":[{"Effect":"Allow","Action":["ec2:TerminateInstances"],"Resource":["*"],"Condition":{"IpAddress":{"aws:SourceIp":"192.168.176.0/24"}}}]}
     Enables a user to terminate EC2 instances only if the user is accessing EC2 from the 192.168.176.0/24 address range.
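As an added example (not from the slides or from AWS), the following Python evaluator applies the policies of slide 26 (cross-account access) and slide 35 (conditions) to sample requests, so the effect of each statement can be checked offline. It implements only the subset of IAM semantics those policies use: the * wildcard in Action and Resource, Principal matching for the trust policy, the Null, Bool and IpAddress operators, and explicit Deny beating Allow. ALLOW_TERMINATE is an assumed extra policy, because the MFA statement is a Deny and grants nothing on its own; the condition key is written in its documented form aws:SourceIp.

```python
from fnmatch import fnmatchcase
import ipaddress

_as_list = lambda v: v if isinstance(v, list) else [v]  # IAM accepts a string or a list

def _condition_met(cond, ctx):  # ctx: condition key -> request value; keys absent from the request are missing
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Null":  # want == "true" means the key must be absent (e.g. no MFA in the session)
                if (have is None) != (want == "true"):
                    return False
            elif op == "Bool":
                if have is None or str(have).lower() != want.lower():
                    return False
            elif op == "IpAddress":
                if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                    return False
            else:
                raise ValueError("unsupported condition operator: " + op)
    return True

def evaluate(policies, action, resource, ctx, principal=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'; an explicit Deny overrides any Allow."""
    decision = "ImplicitDeny"
    for pol in policies:
        for st in pol["Statement"]:
            if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*"))):
                continue
            trusted = st.get("Principal")  # only a role's trust policy names a Principal
            if trusted is not None and principal not in _as_list(trusted["AWS"]):
                continue
            if not _condition_met(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

# Policies from the slides; ALLOW_TERMINATE is assumed (a Deny alone grants nothing).
ALLOW_TERMINATE = {"Statement": [{"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"}]}
MFA_DENY = {"Statement": [{"Effect": "Deny", "Action": ["ec2:TerminateInstances"], "Resource": ["*"],
                           "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}}]}
SOURCE_IP_ALLOW = {"Statement": [{"Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": ["*"],
                                  "Condition": {"IpAddress": {"aws:SourceIp": "192.168.176.0/24"}}}]}
DDB_ROLE_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "123456789012"}, "Action": "sts:AssumeRole"}]}
JEFF_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Resource": "arn:aws:iam::111122223333:role/ddb-role"}]}
```

Cross-account access succeeds only when both sides allow it: Jeff's own policy must allow sts:AssumeRole on the role ARN, and ddb-role's trust policy must name his account as Principal.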
  36. 9. Restrict privileged access further with conditions
  37. 10. Root: Reduce/remove use of root
  38. 10. Reduce/remove use of root
     Benefits
     • Reduce potential for misuse of credentials
     How-to steps
     • Security Credentials Page
       - Delete access keys
       - Activate a MFA device
     • Ensure you have set a “strong” password
  39. 10. Reduce/remove use of root
  40. Top 10 IAM best practices
     1. Users – Create individual users
     2. Groups – Manage permissions with groups
     3. Permissions – Grant least privilege
     4. Password – Configure a strong password policy
     5. MFA – Enable MFA for privileged users
     6. Roles – Use IAM roles for EC2 instances
     7. Sharing – Use IAM roles to share access
     8. Rotate – Rotate security credentials regularly
     9. Conditions – Restrict privileged access further with conditions
     10. Root – Reduce/remove use of root
  42. Related Content
     • Learn more from the IAM detail page – http://aws.amazon.com/iam
     • AWS forum where the IAM team hangs out – https://forums.aws.amazon.com/forum.jspa?forumID=76
     • Documentation – http://aws.amazon.com/documentation/iam/
     • Twitter – Follow the IAM team @AWSIdentity
  43. Thank You!!! awsmax@amazon.com