SlideShare a Scribd company logo

AWS IAM and security

Download as PPTX, PDF
Erik Paulsson
Erik Paulsson

AWS security with Identity and Access Management. From the basics to advanced uses of federated access to multiple AWS accounts.

Technology
1 of 22
Identity and Access Management Erik Paulsson https://www.linkedin.com/in/erikpaulsson
Agenda / Topics • Basics o What is IAM? o What to do right after creating an AWS account o What are the main components of IAM? • What not to do o Don’t be that person / company… • Intermediate o Least privilege access permissions o How to manage / distribute AWS creds o How to write code that auto-discovers AWS creds o AWS Services that support IAM and at what level • Advanced o Temporary credentials / Avoiding long-lived creds o AWS account federation / SSO
What is AWS IAM? • Identity and Access Management is an AWS service that enables you to provide fine grained access control to: o Interact with AWS services on behalf of your AWS account o Interact with AWS resources created in your AWS account • The main components are: o IAM Users o IAM Groups o IAM Roles o IAM Polices
IAM Users • Can have username / password to login to the AWS Console • Can have AWS credentials for making API calls to interact with AWS services • New IAM users have no permissions to do anything, implicit deny all. Permissions must be explicitly granted. • An IAM user doesn't necessarily have to represent an actual person. An IAM user is really just an identity with associated permission. o An IAM User with only AWS creds can be created so the creds can be used by an application to make API calls into AWS.
IAM Groups • A collection of IAM Users • You assign permissions to the IAM Group, all IAM Users in the Group inherit those permissions. o Implicit deny of permissions applies to IAM Groups as well
IAM Roles / Instance Profiles • IAM Roles define permissions much like an IAM User o IAM Roles do NOT have: • Username/password like an IAM User can • AWS creds that can be retrieved like an IAM User creds • The permissions of an IAM Role can be granted / assigned to an EC2 instance o An Instance Profile is just a “container” for one or more IAM Roles o An Instance Profile is what you actually assign to an EC2 instance • IAM Roles and Instance Profiles provide enhanced security because these structures provide temporary AWS creds o These temporary creds are made available by the EC2 meta-data service • … More on IAM Roles later
IAM Policies • When you create an IAM Group, User, or Role in your AWS account, you associate an IAM policy with it, which specifies the permissions that you want to grant. • IAM Polices are JSON formatted documents that define AWS permissions • Working with IAM Policies
Security firsts for new AWS accounts • For AWS root account: o Store username/password somewhere safe and secure o Setup multi-factor authentication • Create IAM User(s) with "least privileges" necessary o Least privilege = only the permissions necessary to accomplish needed tasks • After IAM Users have been created never use root account again o An IAM User with root permissions can be created • If IAM Users have username/password for AWS console login then they should also have multi factor authentication (MFA) enabled o https://aws.amazon.com/iam/details/mfa/ • If you don’t want some users having access to billing o Control access to AWS account billing through IAM • IAM controls “the keys to the (AWS) kingdom” o Only highly privileged users should have permissions to perform IAM actions
Getting AWS credentials onto EC2 instances • Always use an IAM Role / Instance Profile • Never ever..... ever o Self manage credentials for EC2 instances (environment variables, etc) o Put AWS credentials into source code or config files • Don't make yourself or company a victim like these guys: o Key slurping bots crawl github, use creds to run EC2 instances for bitcoin mining • http://www.theregister.co.uk/2015/01/06/dev_blunder_shows_github_ crawling_with_keyslurping_bots o Companies have gone out of business because they were careless with their AWS creds • CodeSpaces had EVERYTHING deleted o http://arstechnica.com/security/2014/06/aws-console-breach- leads-to-demise-of-service-with-proven-backup-plan/
…continued Getting creds onto EC2 instances • Use IAM Instance Profile assigned to EC2 instance • An Instance Profile is created from an IAM Role • The instance profile must be assigned to an EC2 instance when it is launched • AWS credentials retrieved through the EC2 metadata service o curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<instance- profile-name> • These temporary credentials never have to be shared or managed by developers • These temporary AWS credentials are automatically rotated so instance always has valid credentials • http://docs.aws.amazon.com/IAM/latest/UserGuide/roles- usingrole-instanceprofile.html • http://docs.aws.amazon.com/IAM/latest/UserGuide/roles- usingrole-ec2instance.html
How can code use Instance Profile creds? • All AWS SDKs have a built in way to auto-discover AWS credentials on EC2 instances o Simplifies code by not having to explicitly set AWS credentials • SDKs for all languages can automatically check standard locations for AWS credentials to use: o Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY (legacy, not recommended anymore) o Credentials file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI (great for applications/scripts being run outside of AWS) o Instance Profile Credentials - delivered through the Amazon EC2 metadata service (best practice for getting AWS creds onto EC2 instances) • Example - Java SDK docs which document AWS creds auto-discovery: o http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws /services/s3/AmazonS3Client.html - AmazonS3Client()
Local development • If you are running scripts or an application locally that needs to call AWS APIs then store AWS creds in the AWS “credentials” file: o http://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and- Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs • Allows you to define multiple sets of credentials each identified by a profile name • A “default” profile name can be defined so a profile doesn’t have to be specified in your code/script • AWS CLI (command line interface) o http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting- started.html#cli-multiple-profiles o aws s3 cp ./awesome.tgz s3://mybucket/path/to/awesome/files/ (uses default profile defined in ~/.aws/credentials file) o aws s3 cp ./awesome.tgz s3://mybucket/path/to/awesome/files/ --profile user2 (uses user2 profile defined in ~/.aws/credentials file)
IAM least privilege rights • "Anything" with AWS access should have the minimal rights it needs to accomplish its specific actions • "Anything" with AWS access refers to the following: o IAM Users or Groups o IAM Roles / Instance Profiles • IAM Roles can be assumed by end users • Instance Profiles can be assigned to EC2 instances o Your applications or scripts (which use IAM Role or User creds) • Example: if an application only needs read access to files in S3, then create an IAM Role with only “GetObject” rights on S3.
S3 IAM Policies • Granting access to an S3 bucket (Simple) • Granting access to specific “folders” in S3 bucket • S3 Actions { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::test"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": ["arn:aws:s3:::test/*"] } ] }
Amazon Resource Names (ARNs) • ARNs are unique identifiers for AWS resources. • Format of an ARN: o arn:partition:service:region:account-id:resource o arn:partition:service:region:account-id:resourcetype/resource o arn:partition:service:region:account-id:resourcetype:resource • Details of ARNs for each AWS Service o http://docs.aws.amazon.com/general/latest/gr/aws-arns-and- namespaces.html
Elements of an IAM Policy • Main elements of an IAM Policy o Version o Statement • Main element of the policy • Contains an array of statements • Each statement defines whether permissions are allowed or denied for certain service actions against particular resources. These are defined by the values of the following elements in each statement: o Effect – Allow or Deny o Action – array of service actions o Resource – array of ARNs that actions can occur on o Principal – identifies who/what is allowed/denied access • Details on IAM Policy elements o http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_e lements.html
Advanced uses of IAM Roles • IAM Roles can be “assumed” by: o IAM Users in the either the same or different AWS account o AWS services (EC2 instances or even another IAM Role) o External users authenticated outside of AWS (Federation) • IAM Roles provide enhanced security: o Temporary credentials • If credentials do get compromised they won’t be valid for long • “Long-lived” credentials are bad… mmmmmkkk o Users can be logged into AWS console without username/password o Temporary credentials + Least privilege permissions!!!
AWS Federation • My real world scenario o Many AWS accounts o Many users needing access to 1 or many AWS accounts o Management of many of the “same” IAM Users and Groups across many AWS accounts • Equals… o Maintenance nightmare o Potential for security lapses when employee leaves company • What AWS accounts did the employee have access to? • Have to delete IAM User from each AWS account • Most mid to large companies have a central Identity Provider o Active Directory o Federation could also use social login providers
…continued AWS Federation • We took a web application that uses SSO via SAML to authenticate with our corp AD o Runs in AWS on EC2 instance with Instance Profile that has rights to “assume” Roles o The IAM Roles that can be “assumed” can exist in any AWS account as long as a trust relationship is created. o IAM Roles are kept track of in the application DB o For each user of this web application 0 or more IAM Roles can be mapped to a user o The application can then retrieve temporary credentials from a Role on behalf of a user of the web application • AWS creds can be returned to user for local use • AWS console access can be granted based on permissions of the IAM Role • Simplified solution o Delete all IAM Users across all AWS accounts o Replace all IAM Groups with IAM Roles in each AWS account o One set of users (web application users) that can be granted access to any IAM Role from any AWS account. o Enhances security • If a user leaves the company they are removed from corporate AD, no longer have access to web application and therefore no more access to any AWS accounts • TEMPORARY AWS creds (only last 1 hour, AWS allowed max… for now) • Creating a URL that Enables Federated Access to the AWS Management Console o Java example code
AWS Console Federated Username • Federated Login/Identifier uses the name of the IAM Role that was used plus a specified identifier. • It is cutoff in this image • AutomationFederationRoles-AutomationAdmins-1VGJS9PG5J8JO/erik.paulsson
AWS Federation Local dev with temp creds • It is a pain for developers and cloud admins to work locally when AWS creds expire o Every hour have to: • Retrieve new AWS creds from web application • Copy/paste into local AWS credentials file • Solution o Wrote small GUI tool • Local thick client since it needs to write to file system • User authenticates to same web application using SSO still • Tool retrieves new credentials on hourly schedule from web application REST APIs • Writes these AWS credentials to local AWS credentials file o Tool allows users to retrieve creds for 0 or more of the IAM Roles they are allowed to use o A credentials profile name can be assigned to each o Used NW.js to build client (formerly known as “node-webkit”) • Single code base • Compiles to self executable for all platforms (Linux, Mac, Win) • No run-time dependencies (JRE, python, etc) o Just download and run
Other Links • Advanced Assume Role using “policy” parameter: o http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.h tml • IDC White Paper: You can be more secure in the cloud than in your own data center • AWS in Plain English o https://www.expeditedssl.com/aws-in-plain-english

Recommended

Aws IAM
Aws IAMAws IAM
Aws IAMChamali Liyanage
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAMAmazon Web Services
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM IntroductionAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Amazon Cognito
Amazon CognitoAmazon Cognito
Amazon CognitoAmazon Web Services
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best PracticesAmazon Web Services
 
AWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionAWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionErnest Chiang
 

Recommended

Aws IAM
Aws IAMAws IAM
Aws IAMChamali Liyanage
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAMAmazon Web Services
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM IntroductionAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Amazon Cognito
Amazon CognitoAmazon Cognito
Amazon CognitoAmazon Web Services
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best PracticesAmazon Web Services
 
AWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionAWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionErnest Chiang
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Amazon Web Services
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best PracticesAmazon Web Services
 
Deep Dive on Amazon EC2 Systems Manager
Deep Dive on Amazon EC2 Systems ManagerDeep Dive on Amazon EC2 Systems Manager
Deep Dive on Amazon EC2 Systems ManagerAmazon Web Services
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM IntroductionAmazon Web Services
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAMKnoldus Inc.
 
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인Amazon Web Services Korea
 
AWS Simple Storage Service (s3)
AWS Simple Storage Service (s3) AWS Simple Storage Service (s3)
AWS Simple Storage Service (s3) zekeLabs Technologies
 
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Web Services
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAmazon Web Services
 
Become an AWS IAM Policy Ninja
Become an AWS IAM Policy NinjaBecome an AWS IAM Policy Ninja
Become an AWS IAM Policy NinjaAmazon Web Services
 
AWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro TipsAWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro TipsShiva Narayanaswamy
 
Amazon CloudWatch Tutorial | AWS Certification | Cloud Monitoring Tools | AWS...
Amazon CloudWatch Tutorial | AWS Certification | Cloud Monitoring Tools | AWS...Amazon CloudWatch Tutorial | AWS Certification | Cloud Monitoring Tools | AWS...
Amazon CloudWatch Tutorial | AWS Certification | Cloud Monitoring Tools | AWS...Edureka!
 
IAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsIAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsBryant Poush
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control TowerCloudHesive
 
(SEC318) AWS CloudTrail Deep Dive
(SEC318) AWS CloudTrail Deep Dive(SEC318) AWS CloudTrail Deep Dive
(SEC318) AWS CloudTrail Deep DiveAmazon Web Services
 
AWS KMS를 활용하여 안전한 AWS 환경을 구축하기 위한 전략::임기성::AWS Summit Seoul 2018
AWS KMS를 활용하여 안전한 AWS 환경을 구축하기 위한 전략::임기성::AWS Summit Seoul 2018AWS KMS를 활용하여 안전한 AWS 환경을 구축하기 위한 전략::임기성::AWS Summit Seoul 2018
AWS KMS를 활용하여 안전한 AWS 환경을 구축하기 위한 전략::임기성::AWS Summit Seoul 2018Amazon Web Services Korea
 
ABCs of AWS: S3
ABCs of AWS: S3ABCs of AWS: S3
ABCs of AWS: S3Mark Cohen
 
Introduction of AWS KMS
Introduction of AWS KMSIntroduction of AWS KMS
Introduction of AWS KMSRicardo Schmidt
 
Introduction to Amazon Elastic File System (EFS)
Introduction to Amazon Elastic File System (EFS)Introduction to Amazon Elastic File System (EFS)
Introduction to Amazon Elastic File System (EFS)Amazon Web Services
 
Iam presentation
Iam presentationIam presentation
Iam presentationAWS UG PK
 
AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview Amazon Web Services
 
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...Amazon Web Services
 

More Related Content

What's hot

Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Amazon Web Services
 
Deep Dive on Amazon EC2 Systems Manager
Deep Dive on Amazon EC2 Systems ManagerDeep Dive on Amazon EC2 Systems Manager
Deep Dive on Amazon EC2 Systems ManagerAmazon Web Services
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAMKnoldus Inc.
 
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인Amazon Web Services Korea
 
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Web Services
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAmazon Web Services
 
AWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro TipsAWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro TipsShiva Narayanaswamy
 
Amazon CloudWatch Tutorial | AWS Certification | Cloud Monitoring Tools | AWS...
Amazon CloudWatch Tutorial | AWS Certification | Cloud Monitoring Tools | AWS...Amazon CloudWatch Tutorial | AWS Certification | Cloud Monitoring Tools | AWS...
Amazon CloudWatch Tutorial | AWS Certification | Cloud Monitoring Tools | AWS...Edureka!
 
IAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsIAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsBryant Poush
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control TowerCloudHesive
 
(SEC318) AWS CloudTrail Deep Dive
(SEC318) AWS CloudTrail Deep Dive(SEC318) AWS CloudTrail Deep Dive
(SEC318) AWS CloudTrail Deep DiveAmazon Web Services
 
AWS KMS를 활용하여 안전한 AWS 환경을 구축하기 위한 전략::임기성::AWS Summit Seoul 2018
AWS KMS를 활용하여 안전한 AWS 환경을 구축하기 위한 전략::임기성::AWS Summit Seoul 2018AWS KMS를 활용하여 안전한 AWS 환경을 구축하기 위한 전략::임기성::AWS Summit Seoul 2018
AWS KMS를 활용하여 안전한 AWS 환경을 구축하기 위한 전략::임기성::AWS Summit Seoul 2018Amazon Web Services Korea
 
ABCs of AWS: S3
ABCs of AWS: S3ABCs of AWS: S3
ABCs of AWS: S3Mark Cohen
 
Introduction to Amazon Elastic File System (EFS)
Introduction to Amazon Elastic File System (EFS)Introduction to Amazon Elastic File System (EFS)
Introduction to Amazon Elastic File System (EFS)Amazon Web Services
 
Iam presentation
Iam presentationIam presentation
Iam presentationAWS UG PK
 

What's hot (20)

Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
Deep Dive on Amazon EC2 Systems Manager
Deep Dive on Amazon EC2 Systems ManagerDeep Dive on Amazon EC2 Systems Manager
Deep Dive on Amazon EC2 Systems Manager
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM Introduction
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAM
 
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
 
AWS Simple Storage Service (s3)
AWS Simple Storage Service (s3) AWS Simple Storage Service (s3)
AWS Simple Storage Service (s3)
 
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
Become an AWS IAM Policy Ninja
Become an AWS IAM Policy NinjaBecome an AWS IAM Policy Ninja
Become an AWS IAM Policy Ninja
 
AWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro TipsAWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro Tips
 
Amazon CloudWatch Tutorial | AWS Certification | Cloud Monitoring Tools | AWS...
Amazon CloudWatch Tutorial | AWS Certification | Cloud Monitoring Tools | AWS...Amazon CloudWatch Tutorial | AWS Certification | Cloud Monitoring Tools | AWS...
Amazon CloudWatch Tutorial | AWS Certification | Cloud Monitoring Tools | AWS...
 
IAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsIAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with Conditions
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control Tower
 
(SEC318) AWS CloudTrail Deep Dive
(SEC318) AWS CloudTrail Deep Dive(SEC318) AWS CloudTrail Deep Dive
(SEC318) AWS CloudTrail Deep Dive
 
AWS KMS를 활용하여 안전한 AWS 환경을 구축하기 위한 전략::임기성::AWS Summit Seoul 2018
AWS KMS를 활용하여 안전한 AWS 환경을 구축하기 위한 전략::임기성::AWS Summit Seoul 2018AWS KMS를 활용하여 안전한 AWS 환경을 구축하기 위한 전략::임기성::AWS Summit Seoul 2018
AWS KMS를 활용하여 안전한 AWS 환경을 구축하기 위한 전략::임기성::AWS Summit Seoul 2018
 
ABCs of AWS: S3
ABCs of AWS: S3ABCs of AWS: S3
ABCs of AWS: S3
 
Introduction of AWS KMS
Introduction of AWS KMSIntroduction of AWS KMS
Introduction of AWS KMS
 
Introduction to Amazon Elastic File System (EFS)
Introduction to Amazon Elastic File System (EFS)Introduction to Amazon Elastic File System (EFS)
Introduction to Amazon Elastic File System (EFS)
 
Iam presentation
Iam presentationIam presentation
Iam presentation
 

Similar to AWS IAM and security

AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview Amazon Web Services
 
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...Amazon Web Services
 
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013Amazon Web Services
 
Security Best Practices - Hebrew Webinar
Security Best Practices - Hebrew WebinarSecurity Best Practices - Hebrew Webinar
Security Best Practices - Hebrew WebinarAmazon Web Services
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended PracticesAmazon Web Services
 
SID201 Overview of AWS Identity, Directory, and Access Services
SID201 Overview of AWS Identity, Directory, and Access Services SID201 Overview of AWS Identity, Directory, and Access Services
SID201 Overview of AWS Identity, Directory, and Access ServicesAmazon Web Services
 
Diving into Common AWS Misconfigurations
Diving into Common AWS MisconfigurationsDiving into Common AWS Misconfigurations
Diving into Common AWS MisconfigurationsNikhil Sahoo
 
AWS deployment and management Services
AWS deployment and management ServicesAWS deployment and management Services
AWS deployment and management ServicesNagesh Ramamoorthy
 
(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live By(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live ByAmazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityLalitMohanSharma8
 
AWS-IAM-intro-2016-08-03.pptx
AWS-IAM-intro-2016-08-03.pptxAWS-IAM-intro-2016-08-03.pptx
AWS-IAM-intro-2016-08-03.pptxBima Ariateja
 
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014Amazon Web Services
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended PracticesAmazon Web Services
 
Simple Security for Startups
Simple Security for StartupsSimple Security for Startups
Simple Security for StartupsMark Bate
 
Simple Security for Startups
Simple Security for StartupsSimple Security for Startups
Simple Security for StartupsAWS Germany
 
Controlling Access to your Resources
Controlling Access to your ResourcesControlling Access to your Resources
Controlling Access to your ResourcesAmazon Web Services
 

Similar to AWS IAM and security (20)

AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview
 
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
 
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
 
Security Best Practices - Hebrew Webinar
Security Best Practices - Hebrew WebinarSecurity Best Practices - Hebrew Webinar
Security Best Practices - Hebrew Webinar
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended Practices
 
AWS core services
AWS core servicesAWS core services
AWS core services
 
SID201 Overview of AWS Identity, Directory, and Access Services
SID201 Overview of AWS Identity, Directory, and Access Services SID201 Overview of AWS Identity, Directory, and Access Services
SID201 Overview of AWS Identity, Directory, and Access Services
 
Diving into Common AWS Misconfigurations
Diving into Common AWS MisconfigurationsDiving into Common AWS Misconfigurations
Diving into Common AWS Misconfigurations
 
AWS deployment and management Services
AWS deployment and management ServicesAWS deployment and management Services
AWS deployment and management Services
 
(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live By(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live By
 
IAM Recommended Practices
IAM Recommended PracticesIAM Recommended Practices
IAM Recommended Practices
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
AWS Intro
AWS IntroAWS Intro
AWS Intro
 
AWS-IAM-intro-2016-08-03.pptx
AWS-IAM-intro-2016-08-03.pptxAWS-IAM-intro-2016-08-03.pptx
AWS-IAM-intro-2016-08-03.pptx
 
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended Practices
 
Demystifying identity on AWS
Demystifying identity on AWSDemystifying identity on AWS
Demystifying identity on AWS
 
Simple Security for Startups
Simple Security for StartupsSimple Security for Startups
Simple Security for Startups
 
Simple Security for Startups
Simple Security for StartupsSimple Security for Startups
Simple Security for Startups
 
Controlling Access to your Resources
Controlling Access to your ResourcesControlling Access to your Resources
Controlling Access to your Resources
 

Recently uploaded

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Recently uploaded (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

AWS IAM and security

  • 2. Agenda / Topics • Basics o What is IAM? o What to do right after creating an AWS account o What are the main components of IAM? • What not to do o Don’t be that person / company… • Intermediate o Least privilege access permissions o How to manage / distribute AWS creds o How to write code that auto-discovers AWS creds o AWS Services that support IAM and at what level • Advanced o Temporary credentials / Avoiding long-lived creds o AWS account federation / SSO
  • 3. What is AWS IAM? • Identity and Access Management is an AWS service that enables you to provide fine grained access control to: o Interact with AWS services on behalf of your AWS account o Interact with AWS resources created in your AWS account • The main components are: o IAM Users o IAM Groups o IAM Roles o IAM Polices
  • 4. IAM Users • Can have username / password to login to the AWS Console • Can have AWS credentials for making API calls to interact with AWS services • New IAM users have no permissions to do anything, implicit deny all. Permissions must be explicitly granted. • An IAM user doesn't necessarily have to represent an actual person. An IAM user is really just an identity with associated permission. o An IAM User with only AWS creds can be created so the creds can be used by an application to make API calls into AWS.
  • 5. IAM Groups • A collection of IAM Users • You assign permissions to the IAM Group, all IAM Users in the Group inherit those permissions. o Implicit deny of permissions applies to IAM Groups as well
  • 6. IAM Roles / Instance Profiles • IAM Roles define permissions much like an IAM User o IAM Roles do NOT have: • Username/password like an IAM User can • AWS creds that can be retrieved like an IAM User creds • The permissions of an IAM Role can be granted / assigned to an EC2 instance o An Instance Profile is just a “container” for one or more IAM Roles o An Instance Profile is what you actually assign to an EC2 instance • IAM Roles and Instance Profiles provide enhanced security because these structures provide temporary AWS creds o These temporary creds are made available by the EC2 meta-data service • … More on IAM Roles later
  • 7. IAM Policies • When you create an IAM Group, User, or Role in your AWS account, you associate an IAM policy with it, which specifies the permissions that you want to grant. • IAM Polices are JSON formatted documents that define AWS permissions • Working with IAM Policies
  • 8. Security firsts for new AWS accounts • For AWS root account: o Store username/password somewhere safe and secure o Setup multi-factor authentication • Create IAM User(s) with "least privileges" necessary o Least privilege = only the permissions necessary to accomplish needed tasks • After IAM Users have been created never use root account again o An IAM User with root permissions can be created • If IAM Users have username/password for AWS console login then they should also have multi factor authentication (MFA) enabled o https://aws.amazon.com/iam/details/mfa/ • If you don’t want some users having access to billing o Control access to AWS account billing through IAM • IAM controls “the keys to the (AWS) kingdom” o Only highly privileged users should have permissions to perform IAM actions
  • 9. Getting AWS credentials onto EC2 instances • Always use an IAM Role / Instance Profile • Never ever..... ever o Self manage credentials for EC2 instances (environment variables, etc) o Put AWS credentials into source code or config files • Don't make yourself or company a victim like these guys: o Key slurping bots crawl github, use creds to run EC2 instances for bitcoin mining • http://www.theregister.co.uk/2015/01/06/dev_blunder_shows_github_ crawling_with_keyslurping_bots o Companies have gone out of business because they were careless with their AWS creds • CodeSpaces had EVERYTHING deleted o http://arstechnica.com/security/2014/06/aws-console-breach- leads-to-demise-of-service-with-proven-backup-plan/
  • 10. …continued Getting creds onto EC2 instances • Use IAM Instance Profile assigned to EC2 instance • An Instance Profile is created from an IAM Role • The instance profile must be assigned to an EC2 instance when it is launched • AWS credentials retrieved through the EC2 metadata service o curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<instance- profile-name> • These temporary credentials never have to be shared or managed by developers • These temporary AWS credentials are automatically rotated so instance always has valid credentials • http://docs.aws.amazon.com/IAM/latest/UserGuide/roles- usingrole-instanceprofile.html • http://docs.aws.amazon.com/IAM/latest/UserGuide/roles- usingrole-ec2instance.html
  • 11. How can code use Instance Profile creds? • All AWS SDKs have a built in way to auto-discover AWS credentials on EC2 instances o Simplifies code by not having to explicitly set AWS credentials • SDKs for all languages can automatically check standard locations for AWS credentials to use: o Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY (legacy, not recommended anymore) o Credentials file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI (great for applications/scripts being run outside of AWS) o Instance Profile Credentials - delivered through the Amazon EC2 metadata service (best practice for getting AWS creds onto EC2 instances) • Example - Java SDK docs which document AWS creds auto-discovery: o http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws /services/s3/AmazonS3Client.html - AmazonS3Client()
  • 12. Local development • If you are running scripts or an application locally that needs to call AWS APIs then store AWS creds in the AWS “credentials” file: o http://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and- Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs • Allows you to define multiple sets of credentials each identified by a profile name • A “default” profile name can be defined so a profile doesn’t have to be specified in your code/script • AWS CLI (command line interface) o http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting- started.html#cli-multiple-profiles o aws s3 cp ./awesome.tgz s3://mybucket/path/to/awesome/files/ (uses default profile defined in ~/.aws/credentials file) o aws s3 cp ./awesome.tgz s3://mybucket/path/to/awesome/files/ --profile user2 (uses user2 profile defined in ~/.aws/credentials file)
  • 13. IAM least privilege rights • "Anything" with AWS access should have the minimal rights it needs to accomplish its specific actions • "Anything" with AWS access refers to the following: o IAM Users or Groups o IAM Roles / Instance Profiles • IAM Roles can be assumed by end users • Instance Profiles can be assigned to EC2 instances o Your applications or scripts (which use IAM Role or User creds) • Example: if an application only needs read access to files in S3, then create an IAM Role with only “GetObject” rights on S3.
  • 14. S3 IAM Policies • Granting access to an S3 bucket (Simple) • Granting access to specific “folders” in S3 bucket • S3 Actions { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::test"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": ["arn:aws:s3:::test/*"] } ] }
  • 15. Amazon Resource Names (ARNs) • ARNs are unique identifiers for AWS resources. • Format of an ARN: o arn:partition:service:region:account-id:resource o arn:partition:service:region:account-id:resourcetype/resource o arn:partition:service:region:account-id:resourcetype:resource • Details of ARNs for each AWS Service o http://docs.aws.amazon.com/general/latest/gr/aws-arns-and- namespaces.html
  • 16. Elements of an IAM Policy • Main elements of an IAM Policy o Version o Statement • Main element of the policy • Contains an array of statements • Each statement defines whether permissions are allowed or denied for certain service actions against particular resources. These are defined by the values of the following elements in each statement: o Effect – Allow or Deny o Action – array of service actions o Resource – array of ARNs that actions can occur on o Principal – identifies who/what is allowed/denied access • Details on IAM Policy elements o http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_e lements.html
  • 17. Advanced uses of IAM Roles • IAM Roles can be “assumed” by: o IAM Users in the either the same or different AWS account o AWS services (EC2 instances or even another IAM Role) o External users authenticated outside of AWS (Federation) • IAM Roles provide enhanced security: o Temporary credentials • If credentials do get compromised they won’t be valid for long • “Long-lived” credentials are bad… mmmmmkkk o Users can be logged into AWS console without username/password o Temporary credentials + Least privilege permissions!!!
  • 18. AWS Federation • My real world scenario o Many AWS accounts o Many users needing access to 1 or many AWS accounts o Management of many of the “same” IAM Users and Groups across many AWS accounts • Equals… o Maintenance nightmare o Potential for security lapses when employee leaves company • What AWS accounts did the employee have access to? • Have to delete IAM User from each AWS account • Most mid to large companies have a central Identity Provider o Active Directory o Federation could also use social login providers
  • 19. …continued AWS Federation • We took a web application that uses SSO via SAML to authenticate with our corp AD o Runs in AWS on EC2 instance with Instance Profile that has rights to “assume” Roles o The IAM Roles that can be “assumed” can exist in any AWS account as long as a trust relationship is created. o IAM Roles are kept track of in the application DB o For each user of this web application 0 or more IAM Roles can be mapped to a user o The application can then retrieve temporary credentials from a Role on behalf of a user of the web application • AWS creds can be returned to user for local use • AWS console access can be granted based on permissions of the IAM Role • Simplified solution o Delete all IAM Users across all AWS accounts o Replace all IAM Groups with IAM Roles in each AWS account o One set of users (web application users) that can be granted access to any IAM Role from any AWS account. o Enhances security • If a user leaves the company they are removed from corporate AD, no longer have access to web application and therefore no more access to any AWS accounts • TEMPORARY AWS creds (only last 1 hour, AWS allowed max… for now) • Creating a URL that Enables Federated Access to the AWS Management Console o Java example code
  • 20. AWS Console Federated Username • Federated Login/Identifier uses the name of the IAM Role that was used plus a specified identifier. • It is cutoff in this image • AutomationFederationRoles-AutomationAdmins-1VGJS9PG5J8JO/erik.paulsson
  • 21. AWS Federation Local dev with temp creds • It is a pain for developers and cloud admins to work locally when AWS creds expire o Every hour have to: • Retrieve new AWS creds from web application • Copy/paste into local AWS credentials file • Solution o Wrote small GUI tool • Local thick client since it needs to write to file system • User authenticates to same web application using SSO still • Tool retrieves new credentials on hourly schedule from web application REST APIs • Writes these AWS credentials to local AWS credentials file o Tool allows users to retrieve creds for 0 or more of the IAM Roles they are allowed to use o A credentials profile name can be assigned to each o Used NW.js to build client (formerly known as “node-webkit”) • Single code base • Compiles to self executable for all platforms (Linux, Mac, Win) • No run-time dependencies (JRE, python, etc) o Just download and run
  • 22. Other Links • Advanced Assume Role using “policy” parameter: o http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.h tml • IDC White Paper: You can be more secure in the cloud than in your own data center • AWS in Plain English o https://www.expeditedssl.com/aws-in-plain-english

Editor's Notes

  1. This