2019 | Scale Permissions Management with Attribute-based Access Control | Identiverse | Day 4, June 28

As organizations grow, they onboard employees to their workforce and resources to their workloads. Using attribute-based access control (ABAC), customers can achieve fine-grained access control without hindering progress. This session walks through the strategy for implementing ABAC in your organization and actionable best practices. The detailed demonstrations using Amazon Web Services (AWS) will help you determine if and how ABAC enables you to simplify and scale your permissions management mechanisms.



  1. Scale permissions management with attribute-based access control. Brigid Johnson, Senior Manager, AWS Identity.
  2. About who you are listening to: ~5-year Amazonian; product management for AWS Identity, building AWS products that help customers set the right access controls using data (check out IAM access advisor!). Avid horseback rider; meet Pickles!
  3. The next 40 minutes:
     • Permissions review
     • Introducing attribute-based access control (ABAC)
     • Applying ABAC in your organization
     • ABAC best practices
  4. Permissions review, to make sure we all start on the same page.
  5. Purpose of permissions as developers build. Goal: business to innovate, agility to move fast, developer freedom. Ensure: prevent dangerous actions, accountability for security posture, cost-effective solutions.
  6. Specify who can access what: workforce users (e.g. developers) and applications, permissions, and resources across AWS accounts.
  7. Two parts to permissions. Enforcement: for each request the service or application evaluates the permissions you defined to allow or deny access. Specification: define which entities are allowed to perform which actions on specific resources and under which conditions.
  8. Role-based access control (RBAC): developers, permissions, resources.
  9. Benefits of RBAC: grant permissions by assigning a collection of roles; create a role for each unique permission combination; add permission for each new resource; determine access by auditing each role.
  10. Introducing ABAC: use attributes to scale permissions management.
  11. Attribute-based access control: use attributes to create general permission rules that scale with your organization.
  12. A little bit about attributes. Attributes are a key, or a key and value pair, either pre-defined by a provider or custom. Examples: UserID = ziggy, Team = Unicorns, Project = Pickles; Project = Pickles, Env = Development, CreatedBy = ziggy.
  13. A scalable permissions model based on attributes: developer attributes, resource attributes, permission rules.
  14. Benefits of ABAC:
     • Permissions scale with innovation
     • Teams move fast as permissions automatically apply
     • Granular permissions without a permission update for every item
     • Audit attributes to determine access
  15. Examples of attribute-based permissions: grant developers read and write access to their project resources; require developers to assign their project to new resources; grant developers read access to resources common to their team; manage only the resources I own.
  16. Applying ABAC in your organization.
  17. Steps to implement ABAC.
  18. Demonstration setup: Team Pickles and Team Bubbles, using AWS Secrets Manager (easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle).
  19. Demo step: create identities with access control attributes. Required resource attributes: project, costcenter.
  20. Demo step: require attributes for new resources. Required resource attributes: project, costcenter. Tag keys shown: project, costcenter, stage, createdBy, application.
  21. Permission policy to require attributes on new secrets (© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.):

     ```json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["secretsmanager:CreateSecret"],
           "Resource": "*",
           "Condition": {
             "StringEquals": {
               "aws:RequestTag/project": "${aws:PrincipalTag/project}",
               "aws:RequestTag/costcenter": "${aws:PrincipalTag/costcenter}"
             },
             "ForAllValues:StringEquals": {
               "aws:TagKeys": ["project", "createdBy", "costcenter", "application"]
             }
           }
         }
       ]
     }
     ```

     Annotations: the ForAllValues:StringEquals block allows the new secret to carry only these tag keys, nothing else; the StringEquals block requires the project and costcenter tags to be present and to equal the caller's own principal tag values.
  22. Demo step: set permissions based on attributes (permission rules).
  23-25. Permission policy to manage secrets using tags. The deck shows one statement per slide; the three are assembled here into the single policy they belong to:

     ```json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "secretsmanager:GetResourcePolicy",
             "secretsmanager:GetSecretValue",
             "secretsmanager:DescribeSecret",
             "secretsmanager:RestoreSecret",
             "secretsmanager:PutSecretValue",
             "secretsmanager:UpdateSecretVersionStage",
             "secretsmanager:DeleteSecret",
             "secretsmanager:RotateSecret",
             "secretsmanager:CancelRotateSecret",
             "secretsmanager:ListSecretVersionIds",
             "secretsmanager:UpdateSecret"
           ],
           "Resource": "*",
           "Condition": {
             "StringEquals": {
               "secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"
             }
           }
         },
         {
           "Effect": "Allow",
           "Action": ["secretsmanager:TagResource"],
           "Resource": "*",
           "Condition": {
             "StringEquals": {
               "secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"
             },
             "ForAllValues:StringEquals": {
               "aws:TagKeys": ["project", "createdBy", "application", "costcenter"]
             },
             "StringEqualsIfExists": {
               "aws:RequestTag/project": ["${aws:PrincipalTag/project}"],
               "aws:RequestTag/costcenter": ["${aws:PrincipalTag/costcenter}"]
             }
           }
         },
         {
           "Effect": "Allow",
           "Action": ["secretsmanager:UntagResource"],
           "Resource": "*",
           "Condition": {
             "StringEquals": {
               "secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"
             },
             "ForAllValues:StringEquals": {
               "aws:TagKeys": ["application"]
             }
           }
         }
       ]
     }
     ```

     Annotations. Slide 23 (first statement): only manage secrets whose project tag matches the caller's project tag. Slide 24 (second statement): only tag secrets of your own project, only with these tag keys, and if a project or costcenter tag is supplied in the request it must equal the caller's own value. Slide 25 (third statement): only change tags on secrets of your project, and only the application tag may be removed.
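To trace how the condition blocks on slides 21 and 24 decide a request, here is a toy evaluator added to this transcript (not AWS code and not the presenter's). It models only StringEquals, StringEqualsIfExists, ForAllValues:StringEquals and ${aws:PrincipalTag/...} substitution; the principal tags (Pickles, 1234) and the request contexts are constructed for the demonstration.

```python
import re
# Added example, not AWS code: a toy evaluator for only the condition operators
# the deck's policies use. Real IAM has many more operators and an explicit-deny pass.
_VAR = re.compile(r"\$\{([^}]+)\}")
_MISSING = object()

def resolve(value, ctx):
    """Expand ${aws:PrincipalTag/...} variables; an unset variable can never match."""
    if any(name not in ctx for name in _VAR.findall(value)):
        return _MISSING
    return _VAR.sub(lambda m: ctx[m.group(1)], value)

def _as_list(v):
    return v if isinstance(v, list) else [v]

def condition_allows(condition, ctx):
    """Operator blocks and keys are ANDed; the values listed under one key are ORed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = {resolve(e, ctx) for e in _as_list(expected)} - {_MISSING}
            if key not in ctx:
                # ...IfExists and ForAllValues treat an absent key as satisfied;
                # plain StringEquals does not, which is what makes a tag mandatory.
                if operator.endswith("IfExists") or operator.startswith("ForAllValues"):
                    continue
                return False
            actual = set(_as_list(ctx[key]))
            if operator.startswith("ForAllValues"):
                if not actual <= wanted:
                    return False  # a request tag key outside the approved subset
            elif not actual & wanted:
                return False
    return True

# Condition block from the deck's slide 21 (secretsmanager:CreateSecret).
CREATE_SECRET = {
    "StringEquals": {
        "aws:RequestTag/project": "${aws:PrincipalTag/project}",
        "aws:RequestTag/costcenter": "${aws:PrincipalTag/costcenter}"},
    "ForAllValues:StringEquals": {
        "aws:TagKeys": ["project", "createdBy", "costcenter", "application"]},
}

def create_secret_allowed(tags, principal=("Pickles", "1234")):
    """Constructed request: the caller's principal tags plus the tags on the new secret."""
    ctx = {"aws:PrincipalTag/project": principal[0],
           "aws:PrincipalTag/costcenter": principal[1],
           "aws:TagKeys": list(tags)}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in tags.items()})
    return condition_allows(CREATE_SECRET, ctx)
```

Running create_secret_allowed with an untagged request, a request carrying a stage tag, or a request naming another team's project all return False; only a request tagged with the caller's own project and costcenter (plus optional createdBy or application tags) returns True.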
  26. Applying ABAC in AWS: 5-step demo.
  27. ABAC best practices to take back with you.
  28-29. Five ABAC best practices to take back with you:
     1. Reserve a subset of attributes used for access control
     2. Only approved entities can set or modify attributes
     3. Tag everything during creation so that permissions apply immediately
     4. Rely on attributes to grant permissions to manage resources
     5. Periodically audit to ensure that resources are tagged appropriately
  30. Additional resources about ABAC:
     • Service-specific permissions documentation: a central location of services, actions, resource-level permissions, and conditions supported across AWS. Actions, Resources, and Condition Keys for AWS Services: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
     • Become a policy master in 60 minutes or less: a review of IAM policy techniques and demonstrations of how to use them, including different examples for ABAC. Video: https://youtu.be/YQsK4MtsELU
     • Working backward: From IAM policies and principal tags to standardized names and tags for your AWS resources: an AWS Security Blog post about implementing ABAC.
     • @AWSIdentity
