© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Joy Chatterjee
October 9th, 2017
Becoming an AWS Policy Ninja
Introduction
Follow on to “60 mins or less”
What to expect from the session
• A deeper understanding of the AWS policy language.
• Knowledge of how to better control access to AWS resources.
• Using policy summaries to avoid common mistakes
  • Typos
  • Permission errors
• Example policy library
Your first day as an IAM administrator
• Scenario: A user at your company needs list and read access to only one S3 bucket.
You create this policy
{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Action": ["s3:Get*", "s3:List*"],
    "Resource": "arn:aws:s3:::HumanResources"
  }
  ]
}
Access Levels
Categorize actions across every service

Access Level | Description | Example
List | Actions that allow you to see a list of resources | s3:ListBucket, s3:ListAllMyBuckets
Read | Actions that allow you to read the content in resources | s3:GetObject, s3:GetBucketTagging
Write | Actions that allow you to create, delete, or modify resources | s3:PutObject, s3:DeleteBucket
Permissions management | Actions that allow you to grant or modify permissions to resources | s3:PutBucketPolicy
The policy language
• Provides authorization
• Two parts:
– Specification: Defining access policies
– Enforcement: Evaluating policies
Policy specification basics
{
"Statement":[{
"Effect":"effect",
"Principal":"principal",
"Action":"action",
"Resource":"arn",
"Condition":{
"condition":{
"key":"value" }
}
}
]
}
Policies are JSON-formatted documents. They contain a statement (permissions) that specifies:
• Which actions a principal can perform
• Which resources can be accessed
Actions must have an applicable resource or condition for the statement to evaluate to true.
You can have multiple statements, and each statement is comprised of PARC: Principal, Action, Resource, Condition.
Policy specification basics
Resource-based policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS":
["arn:aws:iam::111122223333:user/Alice",
"arn:aws:iam::111122223333:root"]
},
"Action": "s3:*",
"Resource": ["arn:aws:s3:::my_bucket",
"arn:aws:s3:::my_bucket/*"]
}
]
}
IAM policy
{
"Version": "2012-10-17",
"Statement":[{
"Effect": "Allow",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::my_bucket",
"arn:aws:s3:::my_bucket/*"]
}
]
}
Effect
• By default any user or role is denied access to actions and resources in the account.
• That means everything is implicitly denied by default.
• Every policy requires an Effect, which is either Deny or Allow.
Principal – Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role the policy is attached to)
<!-- Everyone (anonymous users) -->
"Principal":{"AWS":"*"}
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root"}
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":{"AWS":"arn:aws:iam::123456789012:user/username"}
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"accounts.google.com"}
<!-- Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
<!-- Specific service -->
"Principal":{"Service":"ec2.amazonaws.com"}
Replace 123456789012 with your account number.
Action – Examples
• Describes the type of access that should be allowed or denied
• You can find actions in the docs or use the policy editor to get a drop-down list
• Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
<!-- Amazon S3 action -->
"Action":"s3:GetObject"
<!-- Specify multiple values for the Action element -->
"Action":["sqs:SendMessage","sqs:ReceiveMessage"]
<!-- Wildcards (* or ?) in the action name. Below covers create/delete/list/update -->
"Action":"iam:*AccessKey*"
"Action":"s3:Get*"
Understanding NotAction
• Lets you specify an exception to a list of actions
• Could result in shorter policies than using Action and excluding many actions
• Example: Let's say you want to allow everything but IAM APIs
Is there a difference?
{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "NotAction": ["iam:*",
                  "organizations:*"],
    "Resource": "*"
  }
  ]
}
or
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  },
  {
    "Effect": "Deny",
    "Action": ["iam:*",
               "organizations:*"],
    "Resource": "*"
  }
  ]
}
The NotAction version is not a Deny. A user could still have a separate policy that grants iam:*.
If you want to prevent the user from ever being able to call IAM APIs, use an explicit Deny.
Resource – Examples
• The object or objects being requested
• Statements must include either a Resource or a NotResource element
<!-- S3 bucket and object -->
"Resource":"arn:aws:s3:::my_corporate_bucket"
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<!-- All S3 buckets, except this one -->
"NotResource":"arn:aws:s3:::security_logging_bucket"
<!-- Amazon SQS queue -->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
<!-- Multiple Amazon DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
            "arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
<!-- All EC2 instances for an account in a region -->
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
Replace 123456789012 with your account number.
Condition
• This is the only element of a policy that is optional
• Conditions are an IAM best practice and add extra security
• Context keys
  • Global
  • Service specific
• Operators
• Values
Condition example
What if you wanted to restrict access to a time frame and IP address range?
"Condition" : {
  "DateGreaterThan" : {"aws:CurrentTime" : "2017-01-01T11:00:00Z"},
  "DateLessThan": {"aws:CurrentTime" : "2017-12-31T15:00:00Z"},
  "IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
• Allows a user to access a resource under the following conditions:
  • The time is after 11:00 A.M. on 01/01/2017 AND
  • The time is before 3:00 P.M. on 12/31/2017 AND
  • The request comes from an IP address in the 192.0.2.0/24 OR 203.0.113.0/24 range
• All of these conditions must be met in order for the statement to evaluate to TRUE.
Take advantage of the IfExists conditional operator
• Many condition keys only exist for certain resource types.
• If you test for a nonexistent key, your policy will fail to evaluate (in other words, access denied).
• You can add IfExists at the end of any condition operator except the Null condition (for example, StringLikeIfExists).
• Allows you to create policies that "don't care" if the key is not present.
Serious Ninja-foo
Policy enforcement
1. Decision starts at Deny
2. Evaluate all applicable policies
3. Is there an explicit Deny?
   Yes → Final decision = "Deny" (explicit Deny)
   No → go to step 4
4. Is there an Allow?
   Yes → Final decision = "Allow"
   No → go to step 5
5. Final decision = "Deny" (default Deny)
• AWS retrieves all policies associated with the user and resource.
• Only policies that match the action and conditions are evaluated.
• If a policy statement has a Deny, it trumps all other policy statements.
• Access is granted if there is an explicit Allow and no Deny.
• By default, an implicit (default) Deny is returned.
Policy variables
• Predefined variables based on service request context
  • Global keys (aws:SourceIP, aws:MultiFactorAuthPresent, etc.)
  • Principal-specific keys (aws:username, aws:userid, aws:PrincipalType)
  • Provider-specific keys (graph.facebook.com:id, www.amazon.com:user_id)
  • SAML keys (saml:cn, saml:edupersonassurance)
  • See documentation for service-specific variables
• Benefits
  • Simplify policy management
  • Reduce the need for hard-coded, user-specific policies
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::myBucket"],
"Condition":
{"StringLike":
{"s3:prefix":["home/${aws:username}/*"]}
}
},
{
"Effect":"Allow",
"Action":["s3:*"],
"Resource": ["arn:aws:s3:::myBucket/home/${aws:username}",
"arn:aws:s3:::myBucket/home/${aws:username}/*"]
}
]
}
The anatomy of a policy with variables
Grants a user access to a home directory in S3 that can be accessed programmatically.
• Version is required
• Variable in conditions
• Variable in resource ARNs
The tools in your tool box
Demos
Policy Summaries
• Understand permissions
• Database Administrator
• Permissions Errors
• S3 example
• Finding all the actions for an access level
• Unrecognized services, actions or resource types
Thank you
These slides not included
Conditions
• Optional criteria that must evaluate to true for the policy to evaluate as true (ex: restrict to an IP address range)
• Can contain multiple conditions
• Condition keys can contain multiple values
• If a single condition includes multiple values for one key, the condition is evaluated using logical OR
• Multiple conditions (or multiple keys in a single condition): the conditions are evaluated using logical AND
Condition element (evaluation diagram):
Condition 1:
  Key1: Value1A OR Value1B OR Value1C
  AND
  Key2: Value2A OR Value2B
AND
Condition 2:
  Key3: Value3A
Enough already… Let's look at some examples: S3, IAM, EC2
AWS Organizations
Policy-based management for multiple AWS accounts.
• Control AWS service use across accounts
• Consolidate billing
• Automate AWS account creation
How is Organizations different from IAM?
• Create groups of AWS accounts with AWS Organizations.
• Use Organizations to attach Service Control Policies to those groups to centrally control AWS service use.
• Principals in the AWS accounts can only use the AWS services allowed by both the SCP and the AWS IAM policies attached to them.
Service Control Policies (SCPs)
• Enable you to control which AWS service APIs are accessible
  - Define the list of APIs that are allowed – whitelisting
  - Define the list of APIs that must be blocked – blacklisting
• Cannot be overridden by a local administrator
• Resultant permission on an IAM user/role is the intersection between the SCP and the assigned IAM permissions
• Necessary but not sufficient
• IAM policy simulator is SCP aware
Blacklisting example
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  },
  {
    "Effect": "Deny",
    "Action": "redshift:*",
    "Resource": "*"
  }
  ]
}
Whitelisting example
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:RunInstances",
      "ec2:DescribeInstances",
      "ec2:DescribeImages",
      "ec2:DescribeKeyPairs",
      "ec2:DescribeVpcs",
      "ec2:DescribeSubnets",
      "ec2:DescribeSecurityGroups"
    ],
    "Resource": "*"
  }
  ]
}
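To tie together the enforcement flow, the NotAction-versus-explicit-Deny question, the condition AND/OR and IfExists rules, policy variables and the SCP intersection, here is a toy evaluator written for this page (an added example, not AWS code or a slide from the talk). It supports only the StringEquals, StringLike and IpAddress operators, and every policy and request context in it is constructed from the slides' examples.

```python
"""Toy IAM policy evaluator (an added example, not AWS code).

Implements the slides' decision flow (start at Deny, explicit Deny wins, Allow grants,
else default Deny), Action/NotAction and Resource wildcards, ${aws:username} variables,
Condition semantics (AND across keys, OR across values, ...IfExists) and SCP intersection.
"""
import fnmatch
import ipaddress

# Condition operators this toy supports (real IAM has many more).
_OPS = {
    "StringEquals": lambda v, p: v == p,
    "StringLike": lambda v, p: fnmatch.fnmatchcase(v, p),
    "IpAddress": lambda v, p: ipaddress.ip_address(v) in ipaddress.ip_network(p, strict=False),
}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _subst(value, ctx):
    # Expand ${key} policy variables (e.g. ${aws:username}) from the request context.
    for k, v in ctx.items():
        value = value.replace("${" + k + "}", str(v))
    return value

def _match_any(patterns, value, ctx):
    # IAM wildcards: * matches any run of characters, ? matches exactly one.
    return any(fnmatch.fnmatchcase(value, _subst(p, ctx)) for p in _as_list(patterns))

def _condition_ok(cond, ctx):
    # Every operator/key pair must hold (AND); within one key any value may match (OR).
    for op, keys in cond.items():
        if_exists = op.endswith("IfExists")
        fn = _OPS[op[:-len("IfExists")]] if if_exists else _OPS[op]
        for key, patterns in keys.items():
            if key not in ctx:
                if if_exists:
                    continue      # absent key is ignored only with ...IfExists
                return False      # absent key otherwise fails the whole condition
            if not any(fn(str(ctx[key]), _subst(p, ctx)) for p in _as_list(patterns)):
                return False
    return True

def _applies(stmt, action, resource, ctx):
    # A statement applies only if action, resource and condition all match.
    if "Action" in stmt and not _match_any(stmt["Action"], action, ctx):
        return False
    if "NotAction" in stmt and _match_any(stmt["NotAction"], action, ctx):
        return False
    if "Resource" in stmt and not _match_any(stmt["Resource"], resource, ctx):
        return False
    if "NotResource" in stmt and _match_any(stmt["NotResource"], resource, ctx):
        return False
    return _condition_ok(stmt.get("Condition", {}), ctx)

def evaluate(policies, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request against a list of policies."""
    decision = "Deny"                     # 1. decision starts at Deny
    for pol in policies:                  # 2. evaluate all applicable policies
        for stmt in _as_list(pol["Statement"]):
            if not _applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":  # 3. an explicit Deny trumps everything
                return "Deny"
            decision = "Allow"            # 4. an Allow grants unless a Deny turns up
    return decision                       # 5. nothing matched: default Deny

def is_allowed(identity_policies, action, resource, ctx, scps=None):
    """SCP and IAM permissions intersect: both must evaluate to Allow."""
    if scps and evaluate(scps, action, resource, ctx) != "Allow":
        return False
    return evaluate(identity_policies, action, resource, ctx) == "Allow"

# Constructed policies mirroring the slides.
NOT_ACTION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]}
EXPLICIT_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["iam:*", "organizations:*"], "Resource": "*"}]}
SEPARATE_IAM_GRANT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
HOME_DIR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::myBucket"],
     "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]},
                   "IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}},
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::myBucket/home/${aws:username}",
                  "arn:aws:s3:::myBucket/home/${aws:username}/*"]}]}
HOME_DIR_IFEXISTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::myBucket",
     "Condition": {"StringLikeIfExists": {"s3:prefix": "home/${aws:username}/*"}}}]}
BLACKLIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "redshift:*", "Resource": "*"}]}

if __name__ == "__main__":
    ctx = {"aws:username": "alice", "aws:SourceIp": "192.0.2.10", "s3:prefix": "home/alice/"}
    # NotAction is not a Deny: a separate iam:* grant still wins; an explicit Deny cannot be overridden.
    print(evaluate([NOT_ACTION, SEPARATE_IAM_GRANT], "iam:CreateUser", "*", ctx))     # Allow
    print(evaluate([EXPLICIT_DENY, SEPARATE_IAM_GRANT], "iam:CreateUser", "*", ctx))  # Deny
```

Running it shows the difference the slide asks about: the NotAction policy plus a separate iam:* grant evaluates to Allow, while the explicit Deny version stays Deny regardless of other grants, and `is_allowed` denies redshift calls under the blacklisting SCP even for an otherwise unrestricted IAM policy.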
Intros & Expectations
Verbalize → Author → Validate, Simulate, Debug → Deploy → Continuously Monitor → Iterate
Since JSON is a known sedative…
(C) Copyright Jean-Remy Duboc and licensed for reuse under
the Creative Commons Attribution-Generic 2.0 License
Mental Models · Mechanisms · Live Demos
Intros & Expectations
[Chart: Level of Effort (0 to 12) versus Number of Policies written (0 to 4)]
There is a learning curve… So cut yourself some slack
Mental Model #1
On premises… The Network was the old King
In the Cloud… IAM is the new King
Mental Model #1: IAM is the new King (or Queen)
IAM is your Sword
Mental Model #2: IAM & Organizations
Organizations is your Hammer

 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Policy Ninja

  • 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
    Joy Chatterjee
    October 9th, 2017
    Becoming an AWS Policy Ninja
  • 2. Introduction
    Follow on to “60 mins or less”
  • 3. What to expect from the session
    • A deeper understanding of the AWS policy language.
    • Knowledge of how to better control access to AWS resources.
    • Using policy summaries to avoid common mistakes
      • Typos
      • Permission errors
    • Example policy library
  • 4. Your first day as an IAM administrator
    • Scenario: A user at your company needs list and read access to only one S3 bucket.
    You create this policy:
    {
      "Version": "2012-10-17",
      "Statement": [ {
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*"],
        "Resource": "arn:aws:s3:::HumanResources"
      } ]
    }
  • 5. Access Levels
    Categorize actions across every service

    Access Level           | Description                                                         | Example
    List                   | Actions that allow you to see a list of resources                   | s3:ListBucket, s3:ListAllMyBuckets
    Read                   | Actions that allow you to read the content in resources             | s3:GetObject, s3:GetBucketTagging
    Write                  | Actions that allow you to create, delete, or modify resources       | s3:PutObject, s3:DeleteBucket
    Permissions management | Actions that allow you to grant or modify permissions to resources  | s3:PutBucketPolicy
  • 6.
  • 7. The policy language
    • Provides authorization
    • Two parts:
      – Specification: Defining access policies
      – Enforcement: Evaluating policies
  • 8. Policy specification basics
    {
      "Statement": [{
        "Effect": "effect",
        "Principal": "principal",
        "Action": "action",
        "Resource": "arn",
        "Condition": {
          "condition": {
            "key": "value"
          }
        }
      }]
    }
    Policies are JSON-formatted documents. They contain a statement (permissions) that specifies:
    • Which actions a principal can perform
    • Which resources can be accessed
    Actions must have an applicable resource or condition for the statement to evaluate to true.
    You can have multiple statements, and each statement is comprised of PARC: Principal, Action, Resource, Condition.
  • 9. Policy specification basics
    Resource-based policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": ["arn:aws:iam::111122223333:user/Alice",
                    "arn:aws:iam::111122223333:root"]
          },
          "Action": "s3:*",
          "Resource": ["arn:aws:s3:::my_bucket", "arn:aws:s3:::my_bucket/*"]
        }
      ]
    }
    IAM policy:
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my_bucket", "arn:aws:s3:::my_bucket/*"]
      }]
    }
  • 10. Effect
    • By default any user or role is denied access to actions and resources in the account.
    • That means everything is implicitly denied by default.
    • Every policy requires Effect:
      • Deny
      • Allow
  • 11. Principal – Examples
    • An entity that is allowed or denied access to a resource
    • Indicated by an Amazon Resource Name (ARN)
    • With IAM policies, the principal element is implicit (i.e., the user, group, or role the policy is attached to)
    <!-- Everyone (anonymous users) -->
    "Principal": {"AWS": "*"}
    <!-- Specific account or accounts -->
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"}
    "Principal": {"AWS": "123456789012"}
    <!-- Individual IAM user -->
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/username"}
    <!-- Federated user (using web identity federation) -->
    "Principal": {"Federated": "accounts.google.com"}
    <!-- Specific role -->
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/rolename"}
    <!-- Specific service -->
    "Principal": {"Service": "ec2.amazonaws.com"}
    (Replace 123456789012 with your account number.)
  • 12. Action – Examples
    • Describes the type of access that should be allowed or denied
    • You can find actions in the docs or use the policy editor to get a drop-down list
    • Statements must include either an Action or a NotAction element
    <!-- EC2 action -->
    "Action": "ec2:StartInstances"
    <!-- IAM action -->
    "Action": "iam:ChangePassword"
    <!-- Amazon S3 action -->
    "Action": "s3:GetObject"
    <!-- Specify multiple values for the Action element -->
    "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"]
    <!-- Wildcards (* or ?) in the action name. The first line below covers create/delete/list/update of access keys -->
    "Action": "iam:*AccessKey*"
    "Action": "s3:Get*"
  • 13. Understanding NotAction
    • Lets you specify an exception to a list of actions
    • Could result in shorter policies than using Action and excluding many actions
    • Example: Let’s say you want to allow everything but IAM APIs
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "NotAction": ["iam:*", "organizations:*"],
          "Resource": "*"
        }
      ]
    }
    or
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      }, {
        "Effect": "Deny",
        "Action": ["iam:*", "organizations:*"],
        "Resource": "*"
      }]
    }
    Is there a difference?
  • 14. Understanding NotAction
    Same two policies as on slide 13, with the answer: the NotAction policy is not a Deny. A user could still have a separate policy that grants iam:*. If you want to prevent the user from ever being able to call IAM APIs, use an explicit Deny.
  • 15. Resource – Examples
    • The object or objects being requested
    • Statements must include either a Resource or a NotResource element
    <!-- S3 bucket and object -->
    "Resource": "arn:aws:s3:::my_corporate_bucket"
    "Resource": "arn:aws:s3:::my_corporate_bucket/*"
    <!-- All S3 buckets, except this one -->
    "NotResource": "arn:aws:s3:::security_logging_bucket"
    <!-- Amazon SQS queue -->
    "Resource": "arn:aws:sqs:us-west-2:123456789012:queue1"
    <!-- Multiple Amazon DynamoDB tables -->
    "Resource": ["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
                 "arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
    <!-- All EC2 instances for an account in a region -->
    "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
    (Replace 123456789012 with your account number.)
  • 16. Condition
    • This is the only element of a policy that is optional
    • Using conditions is an IAM best practice and adds extra security
    • Context keys
      • Global
      • Service specific
    • Operators
    • Values
  • 17. Condition example
    What if you wanted to restrict access to a time frame and an IP address range?
    "Condition": {
      "DateGreaterThan": {"aws:CurrentTime": "2017-01-01T11:00:00Z"},
      "DateLessThan": {"aws:CurrentTime": "2017-12-31T15:00:00Z"},
      "IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}
    }
    • Allows a user to access a resource under the following conditions:
      • The time is after 11:00 A.M. on 01/01/2017 AND
      • The time is before 3:00 P.M. on 12/31/2017 AND
      • The request comes from an IP address in the 192.0.2.0/24 OR the 203.0.113.0/24 range
    • All of these conditions must be met in order for the statement to evaluate to TRUE.
  • 18. Take advantage of the IfExists conditional operator
    • Many condition keys only exist for certain resource types.
    • If you test for a nonexistent key, your policy will fail to evaluate (in other words, access denied).
    • You can add IfExists at the end of any condition operator except the Null condition (for example, StringLikeIfExists).
    • Allows you to create policies that “don’t care” if the key is not present.
    Serious Ninja-foo
  • 19. Policy enforcement
    1. Decision starts at Deny
    2. Evaluate all applicable policies
    3. Is there an explicit Deny? Yes -> Final decision = “Deny” (explicit Deny)
    4. No -> Is there an Allow? Yes -> Final decision = “Allow”
    5. No -> Final decision = “Deny” (default Deny)
    • AWS retrieves all policies associated with the user and resource.
    • Only policies that match the action and conditions are evaluated.
    • If a policy statement has a Deny, it trumps all other policy statements.
    • Access is granted if there is an explicit Allow and no Deny.
    • By default, an implicit (default) Deny is returned.
  • 20. Policy variables
    • Predefined variables based on service request context
      • Global keys (aws:SourceIp, aws:MultiFactorAuthPresent, etc.)
      • Principal-specific keys (aws:username, aws:userid, aws:PrincipalType)
      • Provider-specific keys (graph.facebook.com:id, www.amazon.com:user_id)
      • SAML keys (saml:cn, saml:edupersonassurance)
      • See documentation for service-specific variables
    • Benefits
      • Simplify policy management
      • Reduce the need for hard-coded, user-specific policies
  • 21. The anatomy of a policy with variables
    Grants a user access to a home directory in S3 that can be accessed programmatically.
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": ["arn:aws:s3:::myBucket"],
        "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}
      }, {
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": ["arn:aws:s3:::myBucket/home/${aws:username}",
                     "arn:aws:s3:::myBucket/home/${aws:username}/*"]
      }]
    }
    Callouts: Version is required; the variable appears in the condition (s3:prefix) and in the resource ARNs.
  • 22. The tools in your toolbox
    Demos
  • 23. Policy Summaries
    • Understand permissions
      • Database Administrator
    • Permissions Errors
      • S3 example
    • Finding all the actions for an access level
    • Unrecognized services, actions or resource types
  • 25. These slides not included
  • 26. Conditions
    • Optional criteria that must evaluate to true for the policy to evaluate as true (ex: restrict to an IP address range)
    • Can contain multiple conditions
    • Condition keys can contain multiple values
    • If a single condition includes multiple values for one key, the condition is evaluated using logical OR
    • Multiple conditions (or multiple keys in a single condition): the conditions are evaluated using logical AND
    Diagram (Condition element):
      Condition 1: Key1: Value1A OR Value1B OR Value1C
                   AND Key2: Value2A OR Value2B
      AND
      Condition 2: Key3: Value3A
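To make the AND/OR rules of slide 26, the time-window-plus-IP condition of slide 17 and the IfExists behaviour of slide 18 concrete, here is a small condition evaluator. It is an added example, not code from the talk or from AWS; it models only the handful of operators the deck shows (StringEquals, StringLike, IpAddress, DateGreaterThan, DateLessThan), and the request context values and the user name "alice" are constructed.

```python
from datetime import datetime
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

def _when(value):
    """Parse the ISO 8601 timestamps used by aws:CurrentTime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

# Operator name -> test(context_value, policy_value). Only the operators used
# on the slides; negated operators (StringNotEquals etc.) are not modelled.
OPERATORS = {
    "StringEquals": lambda c, v: c == v,
    "StringLike": lambda c, v: fnmatchcase(c, v),
    "IpAddress": lambda c, v: ip_address(c) in ip_network(v, strict=False),
    "DateGreaterThan": lambda c, v: _when(c) > _when(v),
    "DateLessThan": lambda c, v: _when(c) < _when(v),
}

def condition_matches(condition, context):
    """Evaluate a Condition block against a request context (dict of
    condition key -> value). Values under one key are ORed, keys and
    operators are ANDed (slide 26); a missing key fails the condition
    unless the operator carries the IfExists suffix (slide 18)."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        test = OPERATORS[base]
        for key, values in keys.items():
            if key not in context:
                if if_exists:
                    continue  # "don't care" when the key is absent
                return False  # nonexistent key: condition fails, access denied
            if isinstance(values, str):
                values = [values]
            if not any(test(context[key], v) for v in values):  # OR across values
                return False  # AND across keys: one miss fails the whole block
    return True

def substitute(template, context):
    """Expand ${key} policy variables (slide 21) from the request context."""
    for key, value in context.items():
        template = template.replace("${" + key + "}", value)
    return template

# Slide 17's condition: inside the time window AND from either CIDR range
SLIDE_17 = {
    "DateGreaterThan": {"aws:CurrentTime": "2017-01-01T11:00:00Z"},
    "DateLessThan": {"aws:CurrentTime": "2017-12-31T15:00:00Z"},
    "IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]},
}
# Slide 21's s3:prefix condition with the variable expanded for a constructed user
HOME_PREFIX = {"StringLike": {"s3:prefix": [substitute("home/${aws:username}/*", {"aws:username": "alice"})]}}

if __name__ == "__main__":
    # Constructed request context: inside the window, from the second CIDR range
    ctx = {"aws:CurrentTime": "2017-06-01T12:00:00Z", "aws:SourceIp": "203.0.113.7"}
    print(condition_matches(SLIDE_17, ctx))  # True
    print(condition_matches(SLIDE_17, {**ctx, "aws:SourceIp": "198.51.100.1"}))  # False
    print(condition_matches(HOME_PREFIX, {"s3:prefix": "home/alice/reports"}))  # True
```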
  • 27. Enough already… Let’s look at some examples
    S3, IAM, EC2
  • 28. AWS Organizations
    Policy-based management for multiple AWS accounts.
    • Control AWS service use across accounts
    • Consolidate billing
    • Automate AWS account creation
  • 29. How is Organizations different from IAM?
    • Create groups of AWS accounts with AWS Organizations.
    • Use Organizations to attach Service Control Policies to those groups to centrally control AWS service use.
    • Principals in the AWS accounts can only use the AWS services allowed by both the SCP and the AWS IAM policies attached to them.
  • 30. Service Control Policies (SCPs)
    • Enables you to control which AWS service APIs are accessible
      - Define the list of APIs that are allowed – whitelisting
      - Define the list of APIs that must be blocked – blacklisting
    • Cannot be overridden by a local administrator
    • Resultant permission on an IAM user/role is the intersection between the SCP and the assigned IAM permissions
    • Necessary but not sufficient
    • IAM policy simulator is SCP aware
  • 31. Blacklisting example
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      }, {
        "Effect": "Deny",
        "Action": "redshift:*",
        "Resource": "*"
      }]
    }
    Whitelisting example
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "ec2:RunInstances",
          "ec2:DescribeInstances",
          "ec2:DescribeImages",
          "ec2:DescribeKeyPairs",
          "ec2:DescribeVpcs",
          "ec2:DescribeSubnets",
          "ec2:DescribeSecurityGroups"
        ],
        "Resource": "*"
      }]
    }
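The enforcement flow of slide 19, the NotAction-versus-explicit-Deny question of slide 14 and the SCP intersection of slides 30 and 31 can all be checked with one small policy evaluator. This is an added example, not code from the talk or an AWS tool: it models only Effect, Action/NotAction and Resource/NotResource (Principal and Condition are ignored), and the policies below are the deck's own examples plus a constructed iam:* allow policy.

```python
from fnmatch import fnmatchcase

def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') against one or more patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def _applies(stmt, action, resource):
    """Does this statement cover the requested action and resource?"""
    if "Action" in stmt:
        if not _matches(stmt["Action"], action):
            return False
    elif "NotAction" in stmt:
        if _matches(stmt["NotAction"], action):
            return False  # the action is in the exception list (slide 13)
    else:
        return False  # a statement needs Action or NotAction (slide 12)
    if "Resource" in stmt:
        return _matches(stmt["Resource"], resource)
    return not _matches(stmt.get("NotResource", []), resource)  # slide 15

def evaluate(policies, action, resource):
    """Slide 19: start at Deny, explicit Deny wins, otherwise Allow if any Allow."""
    decision = "Deny"  # 1. decision starts at Deny
    for policy in policies:  # 2. evaluate all applicable statements
        for stmt in policy["Statement"]:
            if not _applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # 3. explicit Deny trumps everything else
            decision = "Allow"  # 4. an Allow was found
    return decision  # 5. default (implicit) Deny if nothing allowed

def effective(scps, iam_policies, action, resource):
    """Slide 30: the SCP is necessary but not sufficient; both must allow."""
    if evaluate(scps, action, resource) != "Allow":
        return "Deny"
    return evaluate(iam_policies, action, resource)

# Slides 13/14: "everything but IAM" written two ways
NOT_ACTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]}
EXPLICIT_DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["iam:*", "organizations:*"], "Resource": "*"}]}
# Constructed: a separate policy granting iam:* (the case slide 14 warns about)
SEPARATE_IAM_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
# Slide 31 blacklisting SCP: everything except Redshift
REDSHIFT_BLACKLIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "redshift:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(evaluate([NOT_ACTION_POLICY, SEPARATE_IAM_ALLOW], "iam:CreateUser", "*"))  # Allow
    print(evaluate([EXPLICIT_DENY_POLICY, SEPARATE_IAM_ALLOW], "iam:CreateUser", "*"))  # Deny
    print(effective([REDSHIFT_BLACKLIST_SCP], [SEPARATE_IAM_ALLOW], "redshift:CreateCluster", "*"))  # Deny
```

The first two calls answer slide 14's "is there a difference?": the NotAction policy alone denies iam:CreateUser, but a second policy granting iam:* reopens it, whereas the explicit Deny still wins.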
  • 32. Intros & Expectations
    Verbalize, Author, Validate / Simulate / Debug, Deploy, Continuously Monitor, Iterate
    Since JSON is a known sedative… Mental Models, Mechanisms, Live Demos
    (Image (C) Copyright Jean-Remy Duboc, licensed for reuse under the Creative Commons Attribution-Generic 2.0 License)
  • 33. Intros & Expectations
    [Chart: Level of Effort vs. Number of Policies written]
    There is a learning curve… So cut yourself some slack
  • 34. Mental Model #1
    On premises… The Network was the old King
  • 35. Mental Model #1
    In the Cloud… IAM is the new King
  • 36. Mental Model #1: IAM is the new King (or Queen)
  • 37. Mental Model #2: IAM & Organizations
    IAM is your Sword; Organizations is your Hammer