© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AtlSecCon ‘22
Enforcing access control in depth with AWS
Jeff Lombardo
Sr. Solution Architect, Security Specialist
April 2022
Jeff Lombardo
Senior Solution Architect / Security Specialist at AWS
Joined AWS in September 2020
Previously 15 years of expertise in Identity and Access Management,
Application Security, and Data Protection
My motto: Give me a redirect URI and I will SSO the world
Agenda
Defining Access Control in Depth: What are we trying to solve? What are the key principles?
AWS Access Control capabilities: Are they specific? What are the advantages?
Example with a 3-tier application: How can we apply AWS capabilities for improving security?
Starting to build securely on AWS: Multiple resources to help you learn more
Why is Access Control in Depth key?
Any Security event includes an Access Control issue
Key principles of Access Control in Depth

Traceability
Disambiguate requests by having the initial requestor's identity and entitlements shared with all tiers:
• Who,
• When,
• What,
• How,
• from where,
• for which result

Least Privilege
Ensure that no tier has more permissions than are necessary for each request.

Explicit Controls
Encompass context and history in the access control logic to catch modern threats and events:
• Is this really User C connecting at 10 PM from Antarctica?
• Is the batch server talking to the Database server still a trusted flow?
AWS Access Control capabilities
The classic method
[Diagram, built up over four slides: in the AWS Cloud, AWS account 111122223333 hosts Amazon EC2, Amazon S3 and Amazon Redshift resources spread across Region W and Region X. AWS IAM inside the account holds the User(s), Group(s), Role(s), Credential(s) and Permissions that govern access to them.]
Important points

AWS IAM Roles
• Assumed by IAM/federated users, applications, or AWS services like Amazon EC2 instances
• Benefits
  ▪ Security: no sharing of secrets
  ▪ Control: revoke access anytime

AWS IAM policies
• Groups of permission statements in JSON format
• Each statement defines:
  ▪ A Principal (in resource-based policies such as the bucket policy below), in the form of an Amazon Resource Name (ARN)
  ▪ An effect (Allow or Deny)
  ▪ The Actions concerned
  ▪ The Resources concerned
  ▪ Optionally, some fine-grained Conditions
Example

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::mybucket",
      "arn:aws:s3:::mybucket/*"
    ],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
The classic method
[Diagram: the same AWS account 111122223333 (AWS IAM with User(s), Group(s), Role(s), Credential(s) and Permissions; Amazon EC2, Amazon S3 and Amazon Redshift in Region W and Region X), now monitored by AWS IAM Access Analyzer, AWS CloudTrail and Amazon GuardDuty.]
Gaining visibility

AWS CloudTrail: Track user activity and API usage to enable governance, compliance, and operational and risk auditing of your AWS account.

AWS IAM Access Analyzer: Analyze all the IAM permissions to identify any overly permissive access and any access granted from outside your zone of trust.

Amazon GuardDuty: Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads.
Let’s compare the methods

How to authenticate               | Classic method
A principal through the UI        | Users and credentials defined in AWS IAM
A principal through the SDK       | User-based long-term security credentials
A principal through the CLI / API | Compute instance role only, or long-term security credentials
The federated method
[Diagram, built up over two slides: the Enterprise IAM capabilities in the corporate data center (an Enterprise Identity Server with its own User(s), Group(s) and Credential(s)) are registered as IdP(s) in AWS IAM for AWS account 111122223333. On the first slide AWS IAM still holds its own User(s), Group(s) and Credential(s) alongside Role(s) and Permissions; on the second only Role(s), Permissions and the IdP(s) remain, and users keep their enterprise credentials. Amazon EC2, Amazon S3 and Amazon Redshift in Region W and Region X are monitored by AWS IAM Access Analyzer, AWS CloudTrail and Amazon GuardDuty.]
Let’s compare the methods

How to authenticate               | Classic method                                                  | Federated method
A principal through the UI        | Users and credentials defined in AWS IAM                        | Enterprise-defined users and credentials
A principal through the SDK       | User-based long-term security credentials                       | Compute instance role or user-based temporary security credentials
A principal through the CLI / API | Compute instance role only, or long-term security credentials   | User-based long-term security credentials
The multi-accounts method
[Diagram, built up over four slides: a second workload account, AWS account 555555555555 (Region W and Region X, later Region Y and Region Z), joins AWS account 111122223333 under AWS Organizations, with a root account 444455556666 and Organizational unit(s). A dedicated security account, AWS account 7777888899990000, hosts AWS IAM Access Analyzer, AWS CloudTrail and Amazon GuardDuty. The Enterprise Identity Server in the corporate data center remains the IdP for the Role(s) and Permissions held in each account's AWS IAM. On the final slide AWS Single Sign-On sits in front of the IdP's User(s) and Group(s); its PermissionSets map onto the IAM Role(s) in each account and deliver temporary security credentials.]
Let’s compare the methods

How to authenticate               | Classic method                                                  | Federated method                                                    | Multi-accounts method
A principal through the UI        | Users and credentials defined in AWS IAM                        | Enterprise-defined users and credentials                            | Enterprise-defined users and credentials
A principal through the SDK       | User-based long-term security credentials                       | Compute instance role or user-based temporary security credentials  | Compute instance role or user-based temporary security credentials
A principal through the CLI / API | Compute instance role only, or long-term security credentials   | User-based long-term security credentials                           | User-based temporary security credentials
Example with a 3-tier application
Let’s take a simple example
[Diagram: User A, User B and User C reach a Web Server in AWS account 111122223333 that queries Amazon Redshift. Their identities come from the Enterprise Identity Server in the corporate data center through AWS SSO under AWS Organizations (root account 444455556666); AWS IAM Role(s) and Permissions live in the workload account, and AWS IAM Access Analyzer, AWS CloudTrail and Amazon GuardDuty in the security account 7777888899990000.]
Enforcing key principles
[Diagram, built up over five slides: the Enterprise Identity Server (enterprise user accounts, groups and permissions) federates into AWS SSO (IdP, Permission Set), which maps onto AWS IAM roles and policies; the Amazon EC2 workload runs application code with a JDBC driver against Amazon Redshift (groups and permissions, virtual tables). Steps A to I trace one request by User A through the tiers: User A's credentials are presented to the Enterprise Identity Server and yield a SAML token (A to C); the SAML token is exchanged for a temporary security credential (D to E); that credential is used to obtain a temporary DB credential (F to G); and the temporary DB credential returns the data (H to I).]
Controlling key principles enforcement

Traceability (AWS CloudTrail)
• Authenticated through a trusted IdP
• Authorized AssumeRole for the federated subject
• Authorized DB credential creation for the federated subject
• Access to data through the DB user

Least Privilege (AWS IAM Access Analyzer)
• Identification of *-based principals, conditions, and/or resources
• Identification of never-used permissions
• Identification of external trust relationships

Explicit Controls (Amazon GuardDuty)
• Evaluation of traffic against IoCs
• Evaluation of current operations against ML-generated baselines
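As an added example (my code, not from the talk and not an AWS tool), a small Python linter that applies the Least Privilege checks listed above to the slide-13 bucket policy, to a constructed wide-open policy, and to a constructed permission-set policy for the temporary DB credential step of the 3-tier example. The redshift:GetClusterCredentials pattern that ties the DbUser to the caller's aws:userid via ${redshift:DbUser} follows the AWS documentation; the region, cluster, database name and role id in it are placeholders.

```python
"""Lint IAM policy statements for the least-privilege findings the talk lists:
'*'-based principals, actions or resources, Allow statements with no Condition,
and trust granted to principals outside your own account."""
import json

OWN_ACCOUNT = "111122223333"  # the workload account on the talk's diagrams

# The talk's slide-13 bucket policy, as given (stray typographic quote fixed).
SLIDE13_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]},
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
""")

# Constructed: the kind of statement Access Analyzer exists to catch.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OpenToTheWorld", "Effect": "Allow",
                   "Principal": "*", "Action": "*", "Resource": "*"}],
}

# Constructed: a permission-set policy for steps F to G of the 3-tier example.
# The federated subject may mint a temporary Redshift DB credential only for a
# DbUser equal to its own role-session name, so the DB user stays traceable to
# the SSO identity. Region, cluster, database and role id are placeholders.
REDSHIFT_TEMP_DB_CREDS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TempDbCredentialAsSelf",
        "Effect": "Allow",
        "Action": "redshift:GetClusterCredentials",
        "Resource": [
            "arn:aws:redshift:ca-central-1:111122223333:dbuser:analytics/${redshift:DbUser}",
            "arn:aws:redshift:ca-central-1:111122223333:dbname:analytics/reports",
        ],
        "Condition": {"StringEquals": {"aws:userid": "AROAEXAMPLEROLEID:${redshift:DbUser}"}},
    }],
}


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element ('*' or an AWS/Service/Federated map) to strings."""
    principal = stmt.get("Principal")
    if principal is None:
        return []  # identity-based policy: the principal is whoever it is attached to
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def _arn_account(arn):
    """Account id field of an ARN ('' if the string is not a full ARN)."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else ""


def lint_policy(policy, own_account=OWN_ACCOUNT):
    """Return (Sid, finding) pairs for every Allow statement; Deny only narrows access."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for principal in _principals(stmt):
            if principal == "*":
                findings.append((sid, "wildcard principal"))
            elif _arn_account(principal) not in ("", own_account):
                findings.append((sid, f"external trust: account {_arn_account(principal)}"))
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((sid, "wildcard resource"))
        if "Condition" not in stmt:
            findings.append((sid, "no Condition narrows this Allow"))
    return findings


if __name__ == "__main__":
    for name, policy in [("slide 13", SLIDE13_BUCKET_POLICY), ("open", OPEN_POLICY),
                         ("redshift", REDSHIFT_TEMP_DB_CREDS_POLICY)]:
        print(name, lint_policy(policy) or "no findings")
```

Note that the slide-13 policy itself gets two findings from the workload account's point of view: it trusts a different account (111111111111) and grants s3:*, even though the MFA condition narrows it.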
Q&A
Let’s pause for a second

Starting to build on AWS
Get on-demand convenience with Digital Training
Get started at aws.training
• Cost-effective: over 500 free training courses
• Flexible: search by role, domain, specific services, and level of expertise
• Convenient: access all AWS Classroom Training courses virtually to bring the learning experience to you; anytime, anywhere
Re:Invent 2021 recap
https://www.youtube.com/watch?v=4J8REvs7zaY
https://www.youtube.com/watch?v=pKPiPplJNak
Security Workshops
Get started at awssecworkshops.com
Thank you!
Please, don’t forget to fill in the survey for this session:
https://eventbox.dev/survey/0C095J8

IdentityNorth Montreal - Furture Proof your Digital Identity strategy
Jean-François LOMBARDO
 
CPA - Introduction to Digital Identity - rev20171102
CPA - Introduction to Digital Identity - rev20171102CPA - Introduction to Digital Identity - rev20171102
CPA - Introduction to Digital Identity - rev20171102
Jean-François LOMBARDO
 
KuppingerCole CIWUSA17 - Chaining Identity Blocks to boost your UX and KYC st...
KuppingerCole CIWUSA17 - Chaining Identity Blocks to boost your UX and KYC st...KuppingerCole CIWUSA17 - Chaining Identity Blocks to boost your UX and KYC st...
KuppingerCole CIWUSA17 - Chaining Identity Blocks to boost your UX and KYC st...
Jean-François LOMBARDO
 
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...
Jean-François LOMBARDO
 
Synposium gia quebec setting the new course for digital identity- en rev 20...
Synposium gia quebec   setting the new course for digital identity- en rev 20...Synposium gia quebec   setting the new course for digital identity- en rev 20...
Synposium gia quebec setting the new course for digital identity- en rev 20...
Jean-François LOMBARDO
 

More from Jean-François LOMBARDO (12)

2023 Identiverse - Enforcing consent conformance in your authorization logic ...
2023 Identiverse - Enforcing consent conformance in your authorization logic ...2023 Identiverse - Enforcing consent conformance in your authorization logic ...
2023 Identiverse - Enforcing consent conformance in your authorization logic ...
 
AWS Canada Security Week 2024 - Définir et mettre en oeuvre votre stratégie d...
AWS Canada Security Week 2024 - Définir et mettre en oeuvre votre stratégie d...AWS Canada Security Week 2024 - Définir et mettre en oeuvre votre stratégie d...
AWS Canada Security Week 2024 - Définir et mettre en oeuvre votre stratégie d...
 
SEC301 - New AWS security services for container threat detection - final.pdf
SEC301 - New AWS security services for container threat detection - final.pdfSEC301 - New AWS security services for container threat detection - final.pdf
SEC301 - New AWS security services for container threat detection - final.pdf
 
Amazon EKS - security best practices - 2022
Amazon EKS - security best practices - 2022 Amazon EKS - security best practices - 2022
Amazon EKS - security best practices - 2022
 
Yul identity in depth identity enforcement with jwap - 20200609
Yul identity   in depth identity enforcement with jwap - 20200609Yul identity   in depth identity enforcement with jwap - 20200609
Yul identity in depth identity enforcement with jwap - 20200609
 
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
Eic munich-2019-ripple effect of gdpr in na- cx pa-rev20190430
 
Identiverse 2019-navigating nist sp-800-63-3 -x a-ls cheat sheets-rev20190624
Identiverse 2019-navigating nist sp-800-63-3 -x a-ls cheat sheets-rev20190624Identiverse 2019-navigating nist sp-800-63-3 -x a-ls cheat sheets-rev20190624
Identiverse 2019-navigating nist sp-800-63-3 -x a-ls cheat sheets-rev20190624
 
IdentityNorth Montreal - Furture Proof your Digital Identity strategy
IdentityNorth Montreal - Furture Proof your Digital Identity strategyIdentityNorth Montreal - Furture Proof your Digital Identity strategy
IdentityNorth Montreal - Furture Proof your Digital Identity strategy
 
CPA - Introduction to Digital Identity - rev20171102
CPA - Introduction to Digital Identity - rev20171102CPA - Introduction to Digital Identity - rev20171102
CPA - Introduction to Digital Identity - rev20171102
 
KuppingerCole CIWUSA17 - Chaining Identity Blocks to boost your UX and KYC st...
KuppingerCole CIWUSA17 - Chaining Identity Blocks to boost your UX and KYC st...KuppingerCole CIWUSA17 - Chaining Identity Blocks to boost your UX and KYC st...
KuppingerCole CIWUSA17 - Chaining Identity Blocks to boost your UX and KYC st...
 
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...
 
Synposium gia quebec setting the new course for digital identity- en rev 20...
Synposium gia quebec   setting the new course for digital identity- en rev 20...Synposium gia quebec   setting the new course for digital identity- en rev 20...
Synposium gia quebec setting the new course for digital identity- en rev 20...
 

Recently uploaded

Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 

Recently uploaded (20)

Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 

Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf

  • 7. AWS Access Control capabilities
  • 8–11. The classic method (diagram, built up over four slides). Caption: Amazon EC2, Amazon S3, Amazon Redshift. The resources live in AWS account 111122223333 and are spread across Region W and Region X; AWS IAM in that account holds the User(s), Group(s), Role(s), Credential(s) and Permissions.
  • 12. Important points
    AWS IAM Roles
    • Assumed by IAM or federated users, by applications, or by AWS services such as Amazon EC2 instances
    • Benefits
      • Security: a role hands out temporary credentials, so no long-term secret is shared
      • Control: access can be revoked at any time by changing the role's trust or permissions policy
    AWS IAM policies
    • Groups of permission statements in JSON format
    • Each statement defines:
      ▪ A Principal, expressed as an Amazon Resource Name (ARN). Only resource-based policies (a bucket policy, for example) carry one; identity-based policies attached to users, groups or roles never name a Principal
      ▪ An Effect (Allow or Deny)
      ▪ The Actions concerned
      ▪ The Resources concerned, also as ARNs
      ▪ Optionally some fine-grained Conditions
  • 13. Example (a bucket policy, since it names a Principal). The closing quote after "mybucket/*" on the original slide is a typographic quote, which makes the JSON invalid; it is a plain quote here.
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Sid": "1",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]},
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::mybucket",
          "arn:aws:s3:::mybucket/*"
        ],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
      }]
    }
    Note that the MFA condition gates the Allow but does not narrow it: s3:* on the bucket and every object in it is still granted to every principal of account 111111111111 that has a matching identity policy.
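The statement anatomy from slide 12 can be checked mechanically. The following is an added example, not code from the talk: it parses the slide 13 bucket policy (with the quote typo fixed) and reports the traits a reviewer, or IAM Access Analyzer, looks at first: wildcard actions, wildcard resources, a public or account-wide principal, and whether a Condition (here the MFA check) gates the Allow. The tighter variant is an assumed alternative for contrast, not something the slide proposes.

```python
"""Walk an IAM policy statement by statement and report least-privilege traits.

Added example, not code from the original slides. The first policy is the
slide 13 bucket policy verbatim (quote typo fixed); TIGHTER_POLICY is an
assumed narrower equivalent used only for comparison.
"""
import json
from typing import Any

SLIDE_13_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]},
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
""")

# Assumed narrower equivalent: two read actions instead of s3:*, same MFA gate.
TIGHTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "1",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def _as_list(value: Any) -> list:
    """Most IAM fields accept either one string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principals(statement: dict) -> list:
    """Flatten Principal/NotPrincipal: "*" or {"AWS": [...], "Service": [...], ...}."""
    principal = statement.get("Principal", statement.get("NotPrincipal"))
    if principal is None:
        return []
    if principal == "*":
        return ["*"]
    found = []
    for entries in principal.values():
        found.extend(_as_list(entries))
    return found


def requires_mfa(statement: dict) -> bool:
    """True only for the strict form used on the slide: Bool/aws:MultiFactorAuthPresent.

    With "Bool" a request that carries no MFA key at all fails the condition;
    "BoolIfExists" would let such requests through, so it is not accepted here.
    """
    flag = statement.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return str(flag).lower() == "true"


def analyse_statement(statement: dict) -> dict:
    """Report the traits of one statement that matter for least privilege."""
    actions = _as_list(statement.get("Action", statement.get("NotAction")))
    resources = _as_list(statement.get("Resource", statement.get("NotResource")))
    principals = _principals(statement)
    conditions = statement.get("Condition", {})
    return {
        "sid": statement.get("Sid"),
        "effect": statement.get("Effect"),
        # Only resource-based policies carry a Principal; identity policies never do.
        "is_resource_policy": "Principal" in statement or "NotPrincipal" in statement,
        "wildcard_actions": [a for a in actions if a == "*" or a.endswith(":*")],
        "wildcard_resources": [r for r in resources if r == "*"],
        "public_principal": "*" in principals,
        # ":root" delegates to every principal the other account's own IAM allows.
        "account_wide_principals": [p for p in principals if p.endswith(":root")],
        "condition_keys": sorted({k for block in conditions.values() for k in block}),
        "requires_mfa": requires_mfa(statement),
    }


def analyse_policy(policy: dict) -> list:
    """Findings for every statement of a policy document."""
    return [analyse_statement(s) for s in _as_list(policy.get("Statement"))]


if __name__ == "__main__":
    for name, policy in (("slide 13", SLIDE_13_POLICY), ("tighter", TIGHTER_POLICY)):
        for finding in analyse_policy(policy):
            print(name, json.dumps(finding, indent=2))
```

Run as-is the script prints one finding per statement; the slide 13 statement comes back with `wildcard_actions == ["s3:*"]` and an account-wide principal, which is exactly the "* based" finding slide 32 attributes to Access Analyzer.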
  • 14. The classic method, with visibility services added to the account: AWS IAM Access Analyzer, AWS CloudTrail and Amazon GuardDuty (otherwise the same diagram as slides 8–11).
  • 15. Gaining visibility
    AWS IAM Access Analyzer: analyze all the IAM permissions to identify any overly permissive access and any access from outside your zone of trust.
    AWS CloudTrail: track user activity and API usage to enable governance, compliance, and operational and risk auditing of your AWS account.
    Amazon GuardDuty: intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads.
  • 16. Let's compare the methods: how to authenticate with the classic method
    A principal through the UI: users and credentials defined in AWS IAM
    A principal through the SDK: user-based long-term security credentials
    A principal through the CLI / API: compute instance role only, or long-term security credentials
  • 17–18. The federated method (diagram, two slides). The Enterprise Identity Server in the corporate data center now owns the User(s), Group(s) and Credential(s); it is registered in AWS IAM as an IdP, and AWS IAM keeps only the Role(s) and Permissions that federated users assume. Resources, Regions and the visibility services are as on slide 14.
  • 19. Let's compare the methods: the federated method adds a second column
    A principal through the UI: enterprise-defined users and credentials
    A principal through the SDK: compute instance role or user-based temporary security credentials
    A principal through the CLI / API: user-based long-term security credentials
  • 20–23. The multi-accounts method (diagram, built up over four slides). A second workload account 555555555555 (also in Region W and Region X) is added; AWS Organizations in the Root account 444455556666 groups the accounts into Organizational unit(s); a dedicated Security account 7777888899990000 hosts AWS IAM Access Analyzer, AWS CloudTrail and Amazon GuardDuty, with Region Y and Region Z also in play; finally AWS Single Sign-On (since renamed AWS IAM Identity Center) acts as the IdP for the whole organization, mapping the enterprise User(s) and Group(s) to PermissionSets that are materialized as roles and temporary security credentials in each account.
  • 24. Let's compare the methods: the full table
    A principal through the UI
      Classic method: users and credentials defined in AWS IAM
      Federated method: enterprise-defined users and credentials
      Multi-accounts method: enterprise-defined users and credentials
    A principal through the SDK
      Classic method: user-based long-term security credentials
      Federated method: compute instance role or user-based temporary security credentials
      Multi-accounts method: compute instance role or user-based temporary security credentials
    A principal through the CLI / API
      Classic method: compute instance role only, or long-term security credentials
      Federated method: user-based long-term security credentials
      Multi-accounts method: user-based temporary security credentials
  • 25. Example with a 3-tier application
  • 26. Let's take a simple example (diagram). User A, User B and User C reach a Web Server that talks to Amazon Redshift, both in AWS account 111122223333. Identities come from the Enterprise Identity Server in the corporate data center through AWS SSO; AWS Organizations lives in the Root account 444455556666; the Security account 7777888899990000 runs AWS IAM Access Analyzer, AWS CloudTrail and Amazon GuardDuty; AWS IAM in the workload account holds the Role(s) and Permissions.
  • 27–31. Enforcing key principles (flow diagram, built up over five slides, steps labelled A to I). Components, left to right: User A; the Enterprise Identity Server with the Enterprise User accounts and their Groups and permissions; AWS SSO acting as IdP with a Permission Set; AWS IAM with its Roles and policies; an Amazon EC2 workload running application code with the JDBC driver; Amazon Redshift with its own Groups and permissions, exposing virtual tables whose cells are marked X for what User A may see. The artifacts exchanged at each build step are: Credential(s) and a SAML token (A–C), the SAML token and a Temporary security credential (D–E), the Temp. security credential and a Temp. DB credential (F–G), the Temp. DB credential and finally the Data (H–I).
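Steps F–G above are where the workload turns its temporary AWS credential into a temporary database credential. The following is an added example of that exchange, not the speaker's code. It assumes the workload runs under a role that was assumed through SAML/AWS SSO, so the role session name is the enterprise user (user.a@example.com here), and it uses placeholder cluster, database and DB group names. The STS and Redshift clients are passed in, so the logic runs offline against the constructed fakes at the bottom; on the instance you would pass `boto3.client("sts")` and `boto3.client("redshift")` instead.

```python
"""Obtain a short-lived Amazon Redshift database credential bound to the
federated user behind the request, as the EC2 workload on slides 27-31 does.

Added example, not the speaker's code. Assumes the role session name is the
federated user; cluster/database/group names are placeholders.
"""
from datetime import datetime, timedelta, timezone

MIN_DURATION = 900   # GetClusterCredentials accepts DurationSeconds 900..3600
MAX_DURATION = 3600


def federated_subject(caller_identity: dict) -> str:
    """Session name of an assumed-role identity (sts GetCallerIdentity output).

    The ARN looks like arn:aws:sts::111122223333:assumed-role/<role>/<session>.
    Anything else (an IAM user, the account root) is refused: the database
    tier must only ever see requests that carry a federated subject.
    """
    arn = caller_identity["Arn"]
    resource = arn.split(":", 5)[5]
    kind, _, rest = resource.partition("/")
    if kind != "assumed-role" or "/" not in rest:
        raise ValueError(f"not an assumed-role session: {arn}")
    return rest.split("/", 1)[1]


def temp_db_credentials(sts, redshift, cluster_id: str, db_name: str,
                        db_groups, duration: int = MIN_DURATION) -> dict:
    """Exchange the caller's temporary AWS credential for a temporary DB credential.

    DbUser is forced to the federated subject (traceability) and AutoCreate is
    off, so only a database user that was explicitly provisioned can log in
    (explicit control). The credential lives for `duration` seconds, by default
    the shortest value the API allows (least privilege in time).
    """
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError(f"DurationSeconds must be {MIN_DURATION}..{MAX_DURATION}")
    db_user = federated_subject(sts.get_caller_identity())
    resp = redshift.get_cluster_credentials(
        ClusterIdentifier=cluster_id,
        DbName=db_name,
        DbUser=db_user,
        DbGroups=list(db_groups),
        AutoCreate=False,
        DurationSeconds=duration,
    )
    # Redshift prefixes the returned user name with "IAM:".
    return {"user": resp["DbUser"], "password": resp["DbPassword"],
            "expires": resp["Expiration"], "subject": db_user}


# ---- constructed fakes so the example runs without AWS access ----
class FakeSTS:
    """Mimics a role session that AWS SSO opened for User A."""
    def get_caller_identity(self):
        return {"UserId": "AROAEXAMPLEID:user.a@example.com",
                "Account": "111122223333",
                "Arn": "arn:aws:sts::111122223333:assumed-role/WebServerRole/user.a@example.com"}


class FakeRedshift:
    """Records the request and answers the way GetClusterCredentials does."""
    def __init__(self):
        self.calls = []

    def get_cluster_credentials(self, **params):
        self.calls.append(params)
        return {"DbUser": "IAM:" + params["DbUser"],
                "DbPassword": "constructed-temporary-password",
                "Expiration": datetime.now(timezone.utc)
                + timedelta(seconds=params["DurationSeconds"])}


if __name__ == "__main__":
    # On the workload: boto3.client("sts"), boto3.client("redshift").
    cred = temp_db_credentials(FakeSTS(), FakeRedshift(),
                               "analytics-cluster", "sales", ["readers"])
    print(cred["user"], "valid until", cred["expires"].isoformat())
```

The IAM policy on the workload role should make the same binding server-side, by restricting `redshift:GetClusterCredentials` to a `dbuser` resource ARN whose user name matches the session (the `redshift:DbUser` condition key), so that the application cannot ask for someone else's database user even if its code is changed. The Amazon Redshift JDBC driver can perform this exchange itself when given a `jdbc:redshift:iam://` URL, which is the path the slides' "application code with JDBC driver" takes.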
  • 32. Controlling key principles enforcement
    Traceability, with AWS CloudTrail:
    • Authenticated through a trusted IdP
    • Authorized AssumeRole for the federated subject
    • Authorized DB credential creation for the federated subject
    • Access to data through the DB user
    Least Privilege, with AWS IAM Access Analyzer:
    • Identification of *-based principals, conditions, and/or resources
    • Identification of never-used permissions
    • Identification of external trust relationships
    Explicit Controls, with Amazon GuardDuty:
    • Evaluation of traffic against IoCs
    • Evaluation of current operations against ML-generated baselines
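The Traceability column is a chain that can be rebuilt from CloudTrail. The following is an added example, not code from the talk: it takes a few constructed CloudTrail records (field names as CloudTrail emits them for AssumeRoleWithSAML and GetClusterCredentials; the values are made up) and checks, for every database credential request, that the role session was opened through the trusted IdP and that the requested DB user is that federated subject. A request with no federated origin, or for a DB user other than the subject, is a break in the chain worth alerting on.

```python
"""Reconstruct the traceability chain of slide 32 from CloudTrail events.

Added example, not code from the slides. All events below are constructed;
only the field names follow CloudTrail's record format.
"""
import json

SAML_LOGIN = {
    "eventTime": "2022-04-28T14:02:11Z",
    "eventSource": "sts.amazonaws.com",
    "eventName": "AssumeRoleWithSAML",
    "userIdentity": {"type": "SAMLUser",
                     "principalId": "EnterpriseIdP:user.a@example.com",
                     "userName": "user.a@example.com"},
    "requestParameters": {
        "roleArn": "arn:aws:iam::111122223333:role/WebServerRole",
        "principalArn": "arn:aws:iam::111122223333:saml-provider/EnterpriseIdP"},
    "responseElements": {"assumedRoleUser": {
        "assumedRoleId": "AROAEXAMPLEID:user.a@example.com",
        "arn": "arn:aws:sts::111122223333:assumed-role/WebServerRole/user.a@example.com"}},
}

USER_A_SESSION = "arn:aws:sts::111122223333:assumed-role/WebServerRole/user.a@example.com"
INSTANCE_SESSION = "arn:aws:sts::111122223333:assumed-role/BatchRole/i-0123456789abcdef0"


def _db_cred_event(time, principal_id, session_arn, db_user):
    """Build a constructed redshift GetClusterCredentials record."""
    return {
        "eventTime": time,
        "eventSource": "redshift.amazonaws.com",
        "eventName": "GetClusterCredentials",
        "userIdentity": {"type": "AssumedRole", "principalId": principal_id,
                         "arn": session_arn},
        "requestParameters": {"clusterIdentifier": "analytics-cluster", "dbName": "sales",
                              "dbUser": db_user, "autoCreate": False,
                              "durationSeconds": 900},
    }


SAMPLE_EVENTS = [
    SAML_LOGIN,
    # User A's own session asks for User A's DB user: the intended flow.
    _db_cred_event("2022-04-28T14:02:40Z", "AROAEXAMPLEID:user.a@example.com",
                   USER_A_SESSION, "user.a@example.com"),
    # Same session asks for a different DB user.
    _db_cred_event("2022-04-28T14:05:02Z", "AROAEXAMPLEID:user.a@example.com",
                   USER_A_SESSION, "admin"),
    # A session that never went through the IdP (an instance role) asks for one.
    _db_cred_event("2022-04-28T14:06:30Z", "AROAOTHERID:i-0123456789abcdef0",
                   INSTANCE_SESSION, "batch"),
]


def federated_sessions(events):
    """Map assumed-role principalId -> federated user, from AssumeRoleWithSAML records."""
    sessions = {}
    for ev in events:
        if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] == "AssumeRoleWithSAML":
            role_id = ev["responseElements"]["assumedRoleUser"]["assumedRoleId"]
            sessions[role_id] = ev["userIdentity"]["userName"]
    return sessions


def trace_db_credential_requests(events):
    """Classify every GetClusterCredentials call against its federated origin."""
    sessions = federated_sessions(events)
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventSource"] != "redshift.amazonaws.com" or ev["eventName"] != "GetClusterCredentials":
            continue
        principal_id = ev["userIdentity"]["principalId"]
        db_user = ev["requestParameters"]["dbUser"]
        subject = sessions.get(principal_id)
        if subject is None:
            status = "no-federated-origin"   # session never went through the trusted IdP
        elif db_user != subject:
            status = "db-user-mismatch"      # a credential that is not the subject's own
        elif ev["requestParameters"].get("autoCreate"):
            status = "auto-create"           # a DB user nobody provisioned explicitly
        else:
            status = "traced"
        findings.append({"time": ev["eventTime"], "principal_id": principal_id,
                         "subject": subject, "db_user": db_user, "status": status})
    return findings


if __name__ == "__main__":
    for finding in trace_db_credential_requests(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Two limits to keep in mind before turning this into a detection: the session lookup is keyed on the assumed-role principalId, which repeats when the same user re-opens the same role, so production logic should also bound the match by the session's validity window; and the AssumeRoleWithSAML record is written in the account that owns the role, so the lookup needs the organization-wide trail from the Security account rather than a single account's log.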
  • 33. Q&A: let's pause for a second
  • 34. Starting to build on AWS
  • 35. Get on-demand convenience with Digital Training. Get started at aws.training
    • Cost-effective: over 500 free training courses
    • Flexible: search by role, domain, specific services, and level of expertise
    • Convenient: access all AWS Classroom Training courses virtually to bring the learning experience to you, anytime, anywhere
  • 36. re:Invent 2021 recap
    https://www.youtube.com/watch?v=4J8REvs7zaY
    https://www.youtube.com/watch?v=pKPiPplJNak
  • 37. Security Workshops. Get started at awssecworkshops.com
  • 38. Thank you! Please don't forget to fill in the survey for this session: https://eventbox.dev/survey/0C095J8