© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AtlSecCon ‘22
Enforcing access control in depth with AWS
Jeff Lombardo
Sr. Solution Architect, Security Specialist
April 2022
Jeff Lombardo
Senior Solution Architect / Security Specialist at AWS
Joined AWS in September 2020
Previously 15 years of expertise in Identity and Access Management,
Application Security, and Data Protection
My motto: Give me a redirect URI and I will SSO the world
Agenda
• Defining Access Control in Depth: what are we trying to solve? What are the key principles?
• AWS Access Control capabilities: are they specific? What are the advantages?
• Example with a 3-tier application: how can we apply AWS capabilities to improve security?
• Starting to build securely on AWS: multiple resources to help you learn more
Why is Access Control in Depth key?
Any Security event includes an Access Control issue
Key principles of Access Control in Depth
Traceability: disambiguate requests by sharing the initial requestor's identity and entitlements with all tiers, so that every tier can answer:
• Who,
• When,
• What,
• How,
• from Where,
• for Which result
Least Privilege: ensure that no tier has more permissions than are necessary for each request.
Explicit Controls: encompass context and history in the access control logic to catch modern threats and events, for example:
• Is this really User C connecting at 10 PM from Antarctica?
• Is the batch server talking to the database server still a trusted flow?
AWS Access Control
capabilities
The classic method
[Diagram, built up over four slides: AWS Cloud > AWS account 111122223333 > Region W and Region X, each hosting Amazon EC2, Amazon S3 and Amazon Redshift. AWS IAM inside the account holds User(s), Group(s), Role(s), Credential(s) and Permissions.]
Important points
AWS IAM roles
• Assumed by IAM or federated users, applications, or AWS services such as Amazon EC2 instances
• Benefits
▪ Security: no sharing of long-term secrets; a role session only ever holds temporary credentials
▪ Control: revoke access at any time
AWS IAM policies
• Groups of permission statements in JSON format
• Each statement defines:
▪ A Principal, in the form of an Amazon Resource Name (ARN). Only resource-based policies (a bucket policy, a role trust policy) carry a Principal element; an identity-based policy attached to a user, group or role has none, because the attached identity is the principal
▪ An Effect (Allow or Deny)
▪ The Actions concerned
▪ The Resources concerned
▪ Optionally, fine-grained Conditions
Example (a bucket policy: the Principal is the root of account 111111111111, and the Allow only applies when the caller authenticated with MFA)
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::mybucket",
      "arn:aws:s3:::mybucket/*"
    ],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
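The statement elements above are exactly what a least-privilege review walks through: principal, action, resource, condition. As an added example (not code from the deck), the script below parses a policy of that shape and applies the kind of checks the deck later attributes to IAM Access Analyzer: wildcard principals, actions and resources, principals outside the accounts you trust, and Allow statements with no Condition. The sample policy is constructed for this example: statement "1" is the bucket policy from the slide, statement "2" is a deliberately over-permissive statement added so that the checks have something to flag; the trusted-account set is an assumption you supply.

```python
import json

# Constructed sample for this example: statement "1" is the bucket policy from
# the slide above; statement "2" is added here, deliberately over-permissive,
# so the checks below have something to flag.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]},
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
""")


def as_list(value):
    """Principal, Action and Resource may each be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals(statement):
    """Flatten the Principal element to a list of identifiers.
    "Principal": "*" and {"AWS": "*"} both grant anonymous access."""
    p = statement.get("Principal")
    if p is None:            # identity-based policies carry no Principal
        return []
    if isinstance(p, str):
        return [p]
    out = []
    for value in p.values():
        out.extend(as_list(value))
    return out


def account_of(arn):
    """Account ID field of an ARN (arn:partition:service:region:account:...)."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 5 else ""


def lint_statement(statement, trusted_accounts):
    """Return findings for one statement; Deny statements never widen access."""
    findings = []
    if statement.get("Effect") != "Allow":
        return findings
    sid = statement.get("Sid", "<no Sid>")
    for p in principals(statement):
        if p == "*":
            findings.append(f"{sid}: wildcard principal (anonymous access)")
        elif p.startswith("arn:") and account_of(p) not in trusted_accounts:
            findings.append(f"{sid}: principal outside zone of trust: {p}")
    for action in as_list(statement.get("Action")):
        if action == "*" or action.endswith(":*"):
            findings.append(f"{sid}: wildcard action {action}")
    if "NotAction" in statement:
        findings.append(f"{sid}: Allow with NotAction grants everything else")
    for resource in as_list(statement.get("Resource")):
        if resource == "*":
            findings.append(f"{sid}: wildcard resource")
    if not statement.get("Condition"):
        findings.append(f"{sid}: no Condition (e.g. aws:MultiFactorAuthPresent)")
    return findings


def lint_policy(policy, trusted_accounts):
    """Lint every statement; trusted_accounts is the set of account IDs inside your zone of trust."""
    findings = []
    for statement in as_list(policy.get("Statement")):
        findings.extend(lint_statement(statement, trusted_accounts))
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY, {"111111111111"}):
        print(finding)
```

Run against the deck's own statement with account 111111111111 trusted, the only finding is the wildcard action "s3:*" (the MFA condition narrows who, not what); statement "2" is flagged twice, for the anonymous principal and for having no Condition at all. This is a structural check only: it does not evaluate the policy, so a wildcard that is narrowed by a Deny elsewhere still shows up and has to be judged by a human.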
The classic method
[Diagram: the classic method as above, with AWS IAM Access Analyzer, AWS CloudTrail and Amazon GuardDuty added alongside the account.]
Gaining visibility
AWS CloudTrail: track user activity and API usage to enable governance, compliance, and operational and risk auditing of your AWS account.
AWS IAM Access Analyzer: analyze all the IAM permissions to identify any overly permissive access and any access from outside your zone of trust.
Amazon GuardDuty: intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads.
Let’s compare the methods
How to authenticate               | Classic method
A principal through the UI        | Users and credentials defined in AWS IAM
A principal through the SDK       | Compute instance role only, or long-term security credentials
A principal through the CLI / API | User-based long-term security credentials
The federated method
[Diagram, built up over two slides: the enterprise IAM capabilities (User(s), Group(s), Credential(s)) move to an Enterprise Identity Server in the corporate data center, registered as IdP(s) in AWS IAM; AWS IAM in account 111122223333 now holds only Role(s) and Permissions for the Amazon EC2, Amazon S3 and Amazon Redshift resources in Region W and Region X, with AWS IAM Access Analyzer, AWS CloudTrail and Amazon GuardDuty alongside.]
Let’s compare the methods
How to authenticate               | Classic method                                                | Federated method
A principal through the UI        | Users and credentials defined in AWS IAM                      | Enterprise-defined users and credentials
A principal through the SDK       | Compute instance role only, or long-term security credentials | Compute instance role, or user-based temporary security credentials
A principal through the CLI / API | User-based long-term security credentials                     | User-based long-term security credentials
The multi-accounts method
[Diagram, built up over four slides: a second workload account 555555555555 (Regions W, X, Y and Z) sits next to account 111122223333; both are governed by AWS Organizations from the management account 444455556666 (Root) through Organizational unit(s); a dedicated Security account 7777888899990000 runs AWS IAM Access Analyzer, AWS CloudTrail and Amazon GuardDuty; the Enterprise Identity Server in the corporate data center feeds AWS Single Sign-On (IdP, User(s), Group(s)), which issues temporary security credentials into each account through PermissionSets mapped to IAM Role(s) and Permissions.]
Let’s compare the methods
How to authenticate               | Classic method                                                | Federated method                                                    | Multi-accounts method
A principal through the UI        | Users and credentials defined in AWS IAM                      | Enterprise-defined users and credentials                            | Enterprise-defined users and credentials
A principal through the SDK       | Compute instance role only, or long-term security credentials | Compute instance role, or user-based temporary security credentials | Compute instance role, or user-based temporary security credentials
A principal through the CLI / API | User-based long-term security credentials                     | User-based long-term security credentials                           | User-based temporary security credentials
Example with
a 3-tier application
Let’s take a simple example
[Diagram: User A, User B and User C reach a Web Server that queries Amazon Redshift in AWS account 111122223333, whose AWS IAM holds Role(s) and Permissions. Users are authenticated by the Enterprise Identity Server in the corporate data center through AWS SSO; the organization is managed from account 444455556666 (Root) with AWS Organizations; the Security account 7777888899990000 runs AWS IAM Access Analyzer, AWS CloudTrail and Amazon GuardDuty.]
Enforcing key principles
[Diagram, built up over five slides with steps labelled A to I: User A presents credentials to the Enterprise Identity Server (backed by the enterprise user accounts, groups and permissions) and receives a SAML token for the AWS SSO IdP; the matching Permission Set yields a temporary security credential scoped by AWS IAM roles and policies; the Amazon EC2 workload (application code with a JDBC driver) uses that credential to obtain a temporary DB credential from Amazon Redshift, where groups and permissions map the user to virtual tables; data flows back to User A. The initial requestor's identity is carried through every hop, and no long-term secret is shared between tiers.]
Controlling key principles enforcement
Traceability (AWS CloudTrail)
• Authenticated through a trusted IdP
• Authorized AssumeRole for the federated subject
• Authorized DB credential creation for the federated subject
• Access to data through the DB user
Least Privilege (AWS IAM Access Analyzer)
• Identification of *-based principals, conditions, and/or resources
• Identification of never-used permissions
• Identification of external trust relationships
Explicit Controls (Amazon GuardDuty)
• Evaluation of traffic against IoCs (indicators of compromise)
• Evaluation of current operations against ML-generated baselines
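The traceability bullets above describe a chain of CloudTrail events: a federation event issues a role session, that session (possibly after further role chaining) asks Amazon Redshift for a temporary DB credential, and the DB user it asks for should be the federated subject who started the chain. As an added example (not code from the deck), the script below walks constructed CloudTrail-style records, resolves every GetClusterCredentials call back to its initial requestor, and flags calls whose origin cannot be traced to an IdP-authenticated subject or whose requested DB user differs from that subject. The records are constructed and simplified: only the fields read here are present, field names follow the CloudTrail record format, and all values (accounts, ARNs, addresses, user names) are invented.

```python
# Constructed, simplified CloudTrail records for this example: only the fields
# read below are present, field names follow the CloudTrail record format, and
# every value (accounts, ARNs, addresses, names) is invented.
SAMPLE_TRAIL = [
    {   # User A is authenticated by the trusted IdP and federated into AWS
        "eventTime": "2022-04-20T22:01:05Z", "sourceIPAddress": "203.0.113.10",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
        "userIdentity": {"type": "SAMLUser", "userName": "usera@example.com",
                         "identityProvider": "https://idp.example.com/saml"},
        "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/WebUserRole",
                              "roleSessionName": "usera@example.com"},
        "responseElements": {"assumedRoleUser": {"arn":
            "arn:aws:sts::111122223333:assumed-role/WebUserRole/usera@example.com"}},
    },
    {   # The web tier, acting for User A, assumes the data-access role (second hop)
        "eventTime": "2022-04-20T22:01:07Z", "sourceIPAddress": "10.0.1.25",
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole", "arn":
            "arn:aws:sts::111122223333:assumed-role/WebUserRole/usera@example.com"},
        "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/DataAccessRole",
                              "roleSessionName": "usera@example.com"},
        "responseElements": {"assumedRoleUser": {"arn":
            "arn:aws:sts::111122223333:assumed-role/DataAccessRole/usera@example.com"}},
    },
    {   # That session requests a temporary DB credential for User A's own DB user
        "eventTime": "2022-04-20T22:01:09Z", "sourceIPAddress": "10.0.1.25",
        "eventSource": "redshift.amazonaws.com", "eventName": "GetClusterCredentials",
        "userIdentity": {"type": "AssumedRole", "arn":
            "arn:aws:sts::111122223333:assumed-role/DataAccessRole/usera@example.com"},
        "requestParameters": {"clusterIdentifier": "analytics", "dbUser": "usera@example.com"},
    },
    {   # An instance-role session with no federated origin asks for a shared admin DB user
        "eventTime": "2022-04-20T22:05:41Z", "sourceIPAddress": "10.0.1.25",
        "eventSource": "redshift.amazonaws.com", "eventName": "GetClusterCredentials",
        "userIdentity": {"type": "AssumedRole", "arn":
            "arn:aws:sts::111122223333:assumed-role/WebServerInstanceRole/i-0abc123def456"},
        "requestParameters": {"clusterIdentifier": "analytics", "dbUser": "admin"},
    },
]

STS_ISSUE_EVENTS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"}


def build_session_index(records):
    """Map each role-session ARN that STS issued to the record that issued it."""
    index = {}
    for rec in records:
        if rec["eventSource"] == "sts.amazonaws.com" and rec["eventName"] in STS_ISSUE_EVENTS:
            index[rec["responseElements"]["assumedRoleUser"]["arn"]] = rec
    return index


def origin_of(session_arn, index, depth=0):
    """Walk the AssumeRole chain back to the initial requestor.

    Returns (kind, name, hops). kind is "federated" when the chain starts at an
    IdP-authenticated subject, "iam" for an IAM user, and "unknown" when the
    trail holds no record of how the session was created."""
    rec = index.get(session_arn)
    if rec is None or depth > 8:          # no issuing event, or an implausibly long chain
        return ("unknown", session_arn, depth)
    ident = rec["userIdentity"]
    if ident["type"] in ("SAMLUser", "WebIdentityUser"):
        return ("federated", ident["userName"], depth + 1)
    if ident["type"] == "AssumedRole":    # role chaining: keep walking
        return origin_of(ident["arn"], index, depth + 1)
    return ("iam", ident.get("userName", ident.get("arn", "?")), depth + 1)


def audit_db_credentials(records):
    """For every GetClusterCredentials call, resolve who really asked for it and
    check that the requested DB user is that federated subject (the deck's
    "authorized DB credential creation for federated subject" control)."""
    index = build_session_index(records)
    results = []
    for rec in records:
        if rec["eventSource"] != "redshift.amazonaws.com" or rec["eventName"] != "GetClusterCredentials":
            continue
        session = rec["userIdentity"]["arn"]
        kind, subject, hops = origin_of(session, index)
        db_user = rec["requestParameters"]["dbUser"]
        results.append({
            "when": rec["eventTime"], "from": rec["sourceIPAddress"],    # when / from where
            "session": session, "origin": subject, "origin_kind": kind,  # who, and through what
            "db_user": db_user, "hops": hops,                            # what
            "ok": kind == "federated" and db_user == subject,
        })
    return results


if __name__ == "__main__":
    for r in audit_db_credentials(SAMPLE_TRAIL):
        print("OK  " if r["ok"] else "FLAG", r["when"], r["origin"], "->", r["db_user"], "from", r["from"])
```

On the sample trail the first credential request resolves, two hops back, to the SAML subject usera@example.com and matches the requested DB user, so it passes; the second comes from an instance-role session that no federation event in the trail explains and asks for a shared "admin" DB user, so it is flagged. Real trails need two refinements this example leaves out: join sessions on the access key ID as well as the session ARN, because a role session name can be reused, and treat a "federated" origin as trusted only when userIdentity.identityProvider is one of your own IdPs.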
Q&A
Let’s pause for a second
Starting to build on AWS
Get on-demand convenience with Digital Training
Get started at aws.training
• Cost-effective: over 500 free training courses
• Flexible: search by role, domain, specific services, and level of expertise
• Convenient: access all AWS Classroom Training courses virtually to bring the learning experience to you, anytime, anywhere
re:Invent 2021 recap
https://www.youtube.com/watch?v=4J8REvs7zaY
https://www.youtube.com/watch?v=pKPiPplJNak
Security Workshops
Get started at awssecworkshops.com
Thank you!
Please don’t forget to fill in the survey for this session:
https://eventbox.dev/survey/0C095J8

Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
