Identity and Access Management: The First Step in AWS Security

Pop-up Loft
Identity and Access Management:
the First Step in AWS Security
Greg McConnel,
Solutions Architect
@2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved

What to Expect from the Session
We will look at:
• What is IAM?
• IAM Concepts – to help you get started
• Common use cases – cover the building blocks
• Demos – “Show and Tell”

AWS Identity and Access Management (IAM)
• Enables you to control who can do what in your AWS account
• IAM uses access control concepts that you are already familiar with
Roles
AWS Services
and
Resources
Users Permissions
(IAM Policies)
Groups

AWS Identity and Access Management (IAM)
• AAA
– Authentication
– Authorization
– Accounting/Audit (via other services)
• Control
– Centralized
– Fine-grained - APIs, resources, and AWS Management Console
• Security
– Secure (deny) by default
– Multiple users, individual security credentials and permissions

Live Demo
• Start with brand new AWS account
• Root Account best practices review
• Questions
• When, if ever, would you need the Root Account?
• How should you and other users access AWS?
• Is there a way to restrict Root Account permissions?
Demo
Time

IAM Users
What
• Used by person or service to interact with AWS
• Name and unique set of credentials
̶ Console password
̶ Access Key (access key ID and secret key) – used to sign requests
̶ MFA device
̶ Hardware: Gemalto Token
̶ Virtual: Authy, Amazon, Google, etc & SMS in preview now
When
• Enable user or programmatic access to AWS resources and services
̶ E.g. New employee requires access to Amazon EC2 and Amazon S3
̶ E.g. Application stores data in Amazon DynamoDB

IAM Users
Why (Benefits)
• Unique set of credentials
• Individual permissions
• Granular control
• Easy to revoke access
Do
• Create IAM user for yourself
• Create individual IAM users for others
Don’t
• Distribute your AWS root credentials
• Use your root account user
• Share your IAM user credentials

IAM Users and Permissions
• No permissions by default
• Permissions specify which AWS resources and what actions allowed
• Assign permissions individually to each user (or use Groups)
̶ Rob (UX Designer) > access to Amazon S3
̶ Samantha (Database Administrator) > access to select Amazon EC2, Amazon
RDS, Amazon DynamoDB, AWS Lambda, and AWS Data Pipeline APIs
• Use IAM Policies to assign permissions

IAM Policies
• Contain a statement (permissions) which specify a combination of :
• Who
• What actions
• Which AWS resources
• When
• Where
• How
Rob
Can GET/PUT objects in S3
Bucket = “*”
Until Dec 31, 2017
From IP range 123.456.789.012
If using MFA

IAM Policies
JSON-formatted documents
Example of an Amazon S3 Read-Only Access Template
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3ReadOnlyPolicy",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "*"
}
]
}
Attach policy to a user, group, or role (identity-
based permissions)
Example of
identity-based permission
Example of
resource-based permission
Rob
Can Read,
Write, List
On Resource :
icon-designs
icon-designs
Rob: Read,
Write, List
Samantha: List
Zoe: Read, List
Attach policy to select resources e.g. Amazon
S3 buckets (resource-based permissions)

IAM Policies
Two types of identity-based policies in IAM
• Managed policies (newer way)
• Can be attached to multiple users, groups, and roles
• AWS managed policies (created and managed by AWS)
• Customer managed policies (created and managed by you)
o Up to 5K per policy
o Up to 5 versions
• You can limit who can attach managed policies
• Inline policies (the older way)
• You create and embed directly in a single user, group, or role
• Variable policy size (2K per user, 5K per group, 10K per role)

Live Demo
• Create IAM user Greg
• Assign password
• Enable MFA
• Grant administrative permissions to Amazon S3
̶ Replace with a less permissive customer managed policy
• Questions
• How should you and other users access AWS?
• Is there a way to restrict Root Account permissions?
• Is there a better option then adding policies to each user?
Demo
Time

IAM Groups
What
• Collection of IAM users
• Specify and manage permissions for multiple
users, centrally
• e.g. group for all UX Designers
• A group can contain many users, and a user
can belong to multiple groups
When
• Easily manage permissions for multiple users
AWS Account
IAM Group:
Administrators
Akshay
Andrea
Arvind
IAM Group:
UX Designers
Greg
Rachel
IAM Group:
DevOps
Akshay
Andrew
Lin
Zoe
Example of managing permission using groups

IAM Groups
Why (Benefits)
• Reduces user management
complexity
• Reassign permissions based on
change in responsibility
• Update permissions for multiple
users
• Reduce chance of accidental
excessive access
Do
• Create groups that relate to job
functions
• Attach policies to groups
• Use managed policies to logically
manage permissions
• Manage group membership to assign
permissions

Live Demo
• Create a new IAM group called UXDesigners
• Assign permissions to the IAM group
• Create IAM user Rachel
• Add Rob and Rachel to the IAM group
• Questions
• Can a group be used as the principal for a resource based
permission or trust policy?
• How can I grant permissions without a user or a group?
Demo
Time

IAM Roles
What
• “Container” of permissions; not uniquely associated with one person or
application
• Assume the role to get the permissions
• Temporary access keys are created and provided dynamically
When
• Cross-account access
• Access within an account
• e.g. access for application running on Amazon EC2
• [Federation] Access to identities defined outside AWS
• e.g. access for identities maintained in your corporate IdP

Use IAM roles to share access
Why (Benefits)
• No need to share security credentials
• No need to store long-term credentials
• No need to create IAM accounts
• Securely and easily control access

prod@example.com
Acct ID: 111122223333
ddb-role
{ "Statement": [
{ "Action":
[
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:ListTables"
],
"Effect": "Allow",
"Resource": "*“
}]}
dev@example.com
Acct ID: 123456789012
Authenticate with
Greg’s access keys
Get temporary
security credentials
for ddb-role
Call AWS APIs using
temporary security
credentials
of ddb-role
{ "Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource":
"arn:aws:iam::111122223333:role/ddb-role"
}]}
{ "Statement": [
{
"Effect":"Allow",
"Principal":{"AWS":"123456789012"},
"Action":"sts:AssumeRole"
}]}
ddb-role trusts IAM users from the AWS account
dev@example.com (123456789012)
Permissions assigned to
Greg granting him
permission to assume ddb-
role in account B
IAM user: Greg
Permissions assigned to ddb-role
STS
Use IAM roles for cross-account access

Use IAM roles for Amazon EC2 instances
Why (Benefits)
• No hard coded access keys to
manage
• Automatic key rotation
• AWS SDKs/CLI fully integrated
Do
• Use roles instead of long term
credentials
• Assign least privilege to the
application

• Use Switch Role between accounts
• Run CLI from EC2 instance with a role Demo
Time

AWS IAM federation: A progression of options
Cross-
account
trust
AWS
Directory
Service
Security
Assertion
Markup
Language
(SAML)
Custom
identity
broker
Involvement
Control

Federation rationale
Before:
After:
Result:

Before:
After:
Result:
Unique credentials
Users

Before:
After:
Result:
Unique credentials
Single sign-on
Users

Before:
After:
Result:
Unique credentials
Single sign-on
Long-lived keys
Users Security

Before:
After:
Result:
Unique credentials
Single sign-on
Long-lived keys
Short-term tokens
Users Security

Before:
After:
Result:
Unique credentials
Single sign-on
Long-lived keys
Short-term tokens
One-off
Users Security Compliance

Before:
After:
Result:
Unique credentials
Single sign-on
Long-lived keys
Short-term tokens
One-off
Naturally aligned
Users Security Compliance

AWS federation with SAML
Why (Benefits)
• Single Sign On
• Administer AWS using AD
• Established provision/de-provision process for AD users extended to AWS
• Eliminates need for IAM users and groups
• Console and API/CLI

Directory
Group
definitions
AWS account
Providers,
roles, and
policies
AWA via AD Administration

Directory
Group
definitions
AWS account
Providers,
roles, and
policies
Smooth user experience
AWS
SDKs
AWS
CLI
AWA via AD Administration

SAML Federation Demo
Demo
Time
• https://aws.amazon.com/blogs/security/how-to-set-up-sso-to-the-aws-management-console-for-
multiple-accounts-by-using-ad-fs-and-saml-2-0/
• https://aws.amazon.com/blogs/security/saml-identity-federation-follow-up-questions-materials-guides-
and-templates-from-an-aws-reinvent-2016-workshop-sec306/
• https://aws.amazon.com/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-
0-and-ad-fs/

Extra Credit! (stickers!)
Demo
Time

Side bar
Access Advisor: shows the service
permissions granted to a user and when
those services were last accessed. You can
use this information to revise your policies.
Credential Reports: generate and download a
credential report that lists all IAM users in your account
and the status of their various credentials, including
passwords, access keys, and MFA devices. For
passwords and access keys, the credential report
shows how recently the password or access key has
been used.
Example of retrieving Credential Report
Example Access Advisor report for an IAM user

Pop-up Loft
Questions?

Pop-up Loft
https://aws.amazon.com/security
https://aws.amazon.com/documentation/iam
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Identity and Access Management:
the First Step in AWS Security

Identity and Access Management: The First Step in AWS Security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Identity and Access Management: The First Step in AWS Security

Similar to Identity and Access Management: The First Step in AWS Security (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Identity and Access Management: The First Step in AWS Security