TIB Academy Offers best AWS training in bangalore. this tutorial contains the following aspects, security mind map identity and access management IAM policies

2.  VPC (Virtual Private Cloud)
 Build a most commonly used network architecture with a
CloudFormation Template
 Entire Data Centre Networking Infrastructure in <20min

3.  AWS Organizations
 Architecting Governance and Security with multi-account strategy
 Immutable Architecture
 Security Control Policies: BL / WL

4. Master Account InfoSec Account
{"Version":"2012-10-
17","Statement":[{"Effect":"Allow","Action":"*","R
esource":"*"}]}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": “arn:aws:iam::111111111111:root"
},
"Action": "sts:AssumeRole"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1499879069000",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
“arn:aws:iam::222222222222:role/OrganizationAccountAccess
Role-InfoSec"
]
}
]
}
Trusting AccountTrusted Account
InfoSec Admin Group
1111-1111-1111 2222-2222-2222
OrganizationAccountAccessRole-InfoSec
Access Policy
Trust PolicyInline Policy Attached to a Group

5. https://cloudonaut.io

6.  Enables us to control who can do what in our AWS account
 Secure (deny) by default
 Global service

7.  https://alias.signin.aws.amazon.com/console
( redirected to a regional sign-in endpoint such as https://us-east-
2.signin.aws.amazon.com, resulting in a regional CloudTrail log entry
in the user's region's log )
 https://alias.signin.aws.amazon.com/console/s3
( AWS redirects you to the global sign-in endpoint at
https://signin.aws.amazon.com, resulting in a global CloudTrail log
entry )
 https://alias.signin.aws.amazon.com/console/ec2?region=ca-
central-1
(results in a CloudTrail log event in that region)

10.  Create individual users
 Grant least privilege
 Manage permissions with groups
 Restrict privileged access further with conditions
 Enable AWS CloudTrail to get logs of API calls
 Configure a strong password policy
 Rotate security credentials regularly.
 Enable MFA for privileged users
 Use IAM roles to share access
 Use IAM roles for Amazon EC2 instances
 Reduce or remove use of root
https://www.slideshare.net/AmazonWebServices/sec302-iam-best-practices-to-live-by

11.  A policy is a document that contains one or more permissions.
 Each permission describes actions that are allowed or not allowed
 Written in JSON
 User Based or Resource Based
 Managed Policies and Inline Policies
 Managed Policies:
 AWS managed policies
 Customer managed policies
 Managed Policies feature:
 Reusability
 Central change management
 Versioning and rolling back
 Delegating permissions management
 Automatic updates for AWS managed policies
 Inline Policies feature:
 Embedded into user/group/role
 Strict one to one relationship between a policy and the principal entity that
it’s attached
 What happens to a inline policy when we delete a principal entity that it’s
attached to?

12. Requests that are made by the AWS account root user are allowed for resources in that account.
IAM user in an account that is in an organization can use the intersection of the permissions allowed by
both Organizations SCPs and by the IAM permission policies

13.  Attached to a User, Group, or Role
 Policies DO NOT specify a Principal (User/Group/Role); it is implied

14.  Attached to a resource such as S3 Bucket or DynamoDB Table
 Policies DO specify a Principal (User/Group/Role)
 Policy describes what access is assigned to the principal

15.  Allows us to treat resources as a unit (i.e. project
 Allows us to autmatically enforce permissions when new resources are
created
 Supported services: EC2,VPC, EBS, RDS, SWS, Data Pipeline

16. Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to specify a resource unambiguously across all of AWS,
such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.
The following is the common Amazon Resource Name (ARN) format to identify any resources in AWS.
arn:partition:service:region:namespace:relative-id
General formats for ARNs; the specific components and values used depend on the AWS service.
arn:partition:service:region:account-id:resource
arn:partition:service:region:account-id:resourcetype/resource
arn:partition:service:region:account-id:resourcetype:resource
 <!-- Elastic Beanstalk application version -->
 arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
 <!-- IAM user name —>
 arn:aws:iam::123456789012:user/David

 <!-- Amazon RDS instance used for tagging -->
 arn:aws:rds:eu-west-1:123456789012:db:mysql-db

 <!-- Object in an Amazon S3 bucket -->
 arn:aws:s3:::my_corporate_bucket/exampleobject.png

 Paths in ARNs
 arn:aws:iam::123456789012:user/Development/product_1234/*
 "Resource":"arn:aws:iam::123456789012:user/*"
 "Resource":"arn:aws:iam::123456789012:group/*"

 http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-rds

17.  arn:aws:s3:::bucket_name
 arn:aws:s3:::bucket_name/key_name
 arn:aws:s3:::examplebucket/developers/design_info.doc
 arn:aws:s3:::examplebucket/*
 arn:aws:s3:::example?bucket/*
 arn:aws:s3:::bucket_name/developers/${aws:username}/

18. AWS assigns two unique IDs to each AWS account:
 An AWS account ID (123456789012)
 A canonical user ID - an obfuscated form of the AWS account ID
(79a59df900b949665d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2b
e)

19.  You cannot use a wildcard to specify all users in the Principal element in
a resource-based policy or a role trust policy.
 You cannot use groups as principals in any policy.
 You can use wildcard characters (* and ?) within any ARN segment
 You can specify user/* to mean all users or group/* to mean all groups

20.  Effect - Required - specifies statements result is “Allow” or “Deny
 Principal - Required for Resource Policies only
 Action - Required - An AWS Service “Action” that statement applies to
 Resource - Required - An AWS object (ARN) that statement applies to.
 Condition - Optional

21.  Version policy element defines the version of the policy language
 Statement policy element is the main element for a policy
 Sid (Statement ID)
 Notprincipal (Effect: Allow with Notprincipal allows access to
anonymous (unauthenticated) uses; try not to use Notprincipal)
 Notaction

22. {
"Version": "2012-10-17",
"Statement": [
{
"Effect": “Allow or Deny",
"Action": “some API action:*”,
“Resource": “some resource",
"Condition": {
“Key”: “Value”
}
}
]
}

23. {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
“Resource": "*",
"Condition": {
"StringEquals": { "ec2:ResourceTag/Project" : "Blue"
}
}
}
]
}

24. {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": “arn:aws:ec2:*:123456789012:instance/*",
"Condition": {
"StringNotLikeIfExists": {
"ec2:InstanceType": [
"t2.*"
]
}
}
}
]
}

25. {
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
}
]
}

26. {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<BUCKET-NAME>",
"Condition": {"StringLike": {"s3:prefix": [
"",
"home/",
"home/${aws:username}/*"
]}}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::<BUCKET-NAME>/home/${aws:username}",
"arn:aws:s3:::<BUCKET-NAME>/home/${aws:username}/*"
]
}
]
}

27.  Log into your account -> Click User Name in navigation bar of the console
 Click Security Credentials
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:GetAccountPasswordPolicy",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:ChangePassword",
"Resource": "arn:aws:iam::account-id-without-
hyphens:user/${aws:username}"
}
]
}

28. {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::BUCKET-NAME",
"Condition": {"StringLike": {"s3:prefix": [
"",
"home/",
"home/${aws:username}/"
]}}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::BUCKET-NAME/home/${aws:username}",
"arn:aws:s3:::BUCKET-NAME/home/${aws:username}/*"
]
}
]
}

29. {
"Version": "2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":["ec2:RunInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:Describe*"],
"Resource":"*"
},
{
"Effect":"Deny",
"NotAction":["ec2:RunInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:Describe*"],
"Resource":"*"
}
]
}

30.  Write a policy granting minimal set of permissions
 Let default ‘Deny’ prevent access to everything else
 Create a test user
 Attach the policy to the test user
 Make API / CLI calls as the test user with Dry Run option
 Confirm that policy works as intended
 If errors out, use AWS STS Encoded Authorization Message API to
decode the error
 Tweak the policy
 Iterate

31.  An AWS identity with permission policies that determine what the
identity can and cannot do in AWS.
 Temporary privilege escalation
 Enable users to perform a task that they normally would not be able
to do (kind of like ‘sudo’ command)
 A user can only assume one Role at a time
 Roles can be passed to EC2 Instances
 Credentials passed through a role have pre-set expiration times

32.  Reduced the surface area of attack
 Temporary authentication credentials
 Auditable activity
 Automatically generated authentication credentials
 Limited privilege

33.  Any process or user running on the EC2 instance with access to the
instance metadata can access the credentials
 Instances with Role need to implement their own access control
measures if users will be logging into the instances
 Ask yourself: Do users need to log into the instances?

34.  After you create a role and grant your user permissions to switch to it,
you must provide the user with the role name and the account ID
number or account alias that contains the role. You can make things
easier for your users by sending them a link that is preconfigured with
the account ID and role name.
 You can see the role link on the final page of the Create Role wizard
or in the Role Summary page for any cross-account enabled role.
https://signin.aws.amazon.com/switchrole?account=YourAccountIDor
AliasHere&roleName=pathIfAny/YourRoleNameHere

35.  http://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-
integration.html
 http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_ev
aluation-logic.html
 http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html
 http://docs.aws.amazon.com/cli/latest/userguide/generate-cli-
skeleton.html
 http://docs.aws.amazon.com/sdk-for-javascript/v2/developer-
guide/working-with-json.html
 http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_ele
ments.html