ABAC
Jasper Riane D Mendoza
August 20, 2020
Outline
● IAM Overview
● Definition of IAM terms
● ABAC
● Quick Demo
● Common IAM Usage Patterns (based on experience)
● Define metrics to measure scalability
● Scenarios
● Conclusion
IAM
[Diagram: Principals → IAM → AWS Resources]
Securely control individual and group access to AWS Resources
Definition of IAM terms
Principals - Entity that initiates actions or requests against resources
Action/Operation - Actions or operations that a principal wants to perform against resources
Resources - The AWS resource object upon which the actions or operations are performed
Identity - Users, Groups or Roles
Policy - Object in JSON format that is associated with an identity or resource to define permissions
Attribute - Tags that you assign to Identities and Resources that are used to manage access
ABAC
[Diagram: tagged Identities and Resources, evaluated by a Policy]
Common IAM Usage Patterns (based on experience)
● No IAM Standards being established
○ Policies are attached directly to IAM Users or Resources
○ There are multiple admins assigned per team to handle IAM needs
○ Policies are attached ad hoc
○ Discretionary Access Control (DAC)
● A Single Team or Person implements all IAM Needs but still no IAM standards being established
○ Only a single team has admin permissions
○ No clear standards have been established with regards to IAM
○ Policies are either attached directly to users, groups or roles or Resources
○ Mandatory Access Control (MAC)
● A Single Team or Person implements all IAM Needs and there are established IAM standards
○ IAM Users are grouped into relevant groups
○ Roles are created based on specific access patterns
○ Policies are attached either to groups or roles or Resources
○ Role-Based Access Control (RBAC)
Using Metrics
● Creating/Modifying a policy: 1 point
● Creating/Modifying a role: 1 point
Scenario - 1 Team, 1 Project
[Diagram: RBAC and ABAC setups side by side, with effort points per component]
RBAC (3 points worth of effort)
● Engineering Users
● Engineering-Project1 Resources
● Engineering-Project1 Policy: 1 point
● Engineering-Project1 Role: 1 point
● Engineering-Project1 Assume Role Policy: 1 point
ABAC (3 points worth of effort)
● Engineering Users
● Engineering-Project1 Resources
● Same-Team-And-Project Policy: 1 point
● Engineering-Project1 Role: 1 point
● Same-Team-And-Project Assume Role Policy: 1 point
Scenario - 1 Team, 2 Projects (RBAC)
[Diagram: per-project policies and roles, with effort points per component]
6 points worth of effort
● Engineering Project1 Users
● Engineering Project2 Users
● Engineering-Project1 Resources
● Engineering-Project2 Resources
● Engineering-Project1 Policy: 1 point
● Engineering-Project1 Role: 1 point
● Engineering-Project1 Assume Role Policy: 1 point
● Engineering-Project2 Policy: 1 point
● Engineering-Project2 Role: 1 point
● Engineering-Project2 Assume Role Policy: 1 point
Scenario - 1 Team, 2 Projects (ABAC)
[Diagram: one shared policy and one shared assume role policy across both projects, with effort points per component]
4 points worth of effort
● Engineering Project1 Users
● Engineering Project2 Users
● Engineering-Project1 Resources
● Engineering-Project2 Resources
● Engineering-Project1 Role: 1 point
● Engineering-Project2 Role: 1 point
● Same-Team-And-Project Policy: 1 point
● Same-Team-And-Project Assume Role Policy: 1 point
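As an added example (not from the deck), here is the Same-Team-And-Project policy from the ABAC scenarios written the way the AWS ABAC tutorial does it, with a toy evaluator that shows why one policy serves both projects. The tag keys Team and Project, the S3 actions, and the evaluator itself are assumptions.

```python
import re

# Constructed example of the deck's "Same-Team-And-Project" permission policy:
# each aws:ResourceTag/<key> must equal the caller's aws:PrincipalTag/<key>.
# Tag keys and the S3 actions are assumptions, not taken from the deck.
SAME_TEAM_AND_PROJECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SameTeamAndProject",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:ResourceTag/Team": "${aws:PrincipalTag/Team}",
            "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}",
        }},
    }],
}

PRINCIPAL_TAG_VAR = re.compile(r"^\$\{aws:PrincipalTag/([^}]+)\}$")


def condition_matches(condition, principal_tags, resource_tags):
    """Toy evaluator for the StringEquals / aws:ResourceTag comparisons above.
    A tag missing on either side makes the condition false (as in IAM), so
    untagged resources or principals fall through to the implicit deny."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            return False
        resource_key = key[len("aws:ResourceTag/"):]
        match = PRINCIPAL_TAG_VAR.match(expected)
        wanted = principal_tags.get(match.group(1)) if match else expected
        if wanted is None or resource_tags.get(resource_key) != wanted:
            return False
    return True


def is_allowed(policy, action, principal_tags, resource_tags):
    """Allow only if an Allow statement names the action and its condition holds."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Allow" and action in actions
                and condition_matches(stmt.get("Condition", {}), principal_tags, resource_tags)):
            return True
    return False  # no matching Allow: IAM's implicit deny
```

Adding a third project then means tagging its users and resources, not writing a third policy.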
Conclusion
[Diagram: tagged Identities and Resources, evaluated by a Policy]
Sources
https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-162.pdf
https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html
https://www.youtube.com/watch?v=Iq_hDc385t4
https://www.slideshare.net/AmazonWebServices/scale-permissions-management-in-aws-with-attributebased-access-control-sdd350r-aws-reinforce-2019
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html#tutorial_abac_step2

ABAC in AWS

Editor's Notes

  • #4 Importance of security is underrated, based on experience. It is usually an afterthought, with no planning or assessment effort to ensure the IAM architecture is scalable and manageable. Securely control individual and group access to AWS Resources.
  • #5 Principal - The person or application that used an entity (user or role) to send the request. Information about the principal includes the policies that are associated with the entity that the principal used to sign in. Action/Operation - The actions or operations that the principal wants to perform. This can be an action in the AWS Management Console, or an operation in the AWS CLI or AWS API. Resource - The AWS resource object upon which the actions or operations are performed. Identity - User, Group or Role. Principals can be identified as either a User (login via console, or access keys via CLI or API) or a Role (assume role; temporary access keys are provided by STS), and Users can be assigned to Groups. Policy - Defines permissions that will either allow or deny an action on specific resources (JSON format) and can be attached to Identities or Resources. Attributes - Tags that you assign to Identities and Resources that can be used by permission policies to evaluate access.