© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Scale permissions management in AWS with
attribute-based access control
Brigid Johnson
Senior Manager, AWS Identity
AWS
SDD350-R, AWS re:Inforce 2019
Agenda
Permissions review
Introducing attribute-based access control (ABAC) in AWS
Applying ABAC in your organization
ABAC best practices
Purpose of permissions in your organization
Goal:
Business to innovate
Agility to move fast
Give builders freedom
Ensure:
Prevent dangerous actions
Accountable security posture
Cost-effective solutions
Specify who can access what
Diagram: workforce users, the permissions granted to them, and the resources those permissions cover, spread across several AWS accounts
Two parts to permissions
AWS’s job: Enforcement
For each request, the service or application evaluates the
permissions that you defined to allow or deny access
Your job: Specification
Define which entities are allowed to perform which actions on
specific resources and under which conditions
Role-based access control (RBAC)
Diagram: workforce users mapped to roles (permissions), each role mapped to the specific resources it covers
Benefits of RBAC with AWS
Grant users specific permissions by assigning a collection of roles
Create a distinct role for each unique permission combination
Update permissions by adding access for each new resource
Determine access by auditing specific role permissions
Attribute-Based Access Control
Use attributes to create general permissions rules that scale with your organization
A little bit about attributes
Attributes are a key, or a key and value pair. They are pre-defined by a provider or they are custom. In AWS they are tags: principal tags on users and roles, and resource tags on the resources those principals work with.
Examples on a user: UserID = AlienFriend, Team = Unicorns, Project = Pickles
Examples on a resource: Project = Pickles, Env = Development, CreatedBy = AlienFriend
The same key (Project) present on both sides is what a policy compares to decide whether the user may act on the resource.
A scalable permissions model based on attributes
Diagram: workforce users carrying attributes, permissions rules written in terms of those attributes, and resources tagged with matching attributes
Benefits of ABAC
Permissions scale with innovation, enabling developers to build
Teams move fast, as permissions automatically apply based on attributes
Granular permissions are possible without requiring a permissions update for every new user or resource
Audit attributes are available to determine access
Examples of attribute-based permissions
Grant developers read and write access to their project resources
Require developers to assign their project to new resources
Grant developers read access to resources that are common to their
team
Manage only the resources that I own
Steps to applying ABAC in your organization
Demonstration setup
Two teams: Team Pickles and Team Bubbles
Resource type: AWS Secrets Manager secrets. Secrets Manager lets you rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle.
Demo step 1: Identities with access control attributes
Each team's identities carry the required resource attributes as principal tags, project and costcenter, with one set of values per team. These principal tags supply the ${aws:PrincipalTag/...} values that the policies in the following steps compare against.
Demo step 2: Require attributes for new resources
Tag keys in use on secrets: project, costcenter, stage, createdBy, application
Required resource attributes (must be present on every new secret):
• project
• costcenter
Permission policy to require attributes on new secrets

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:CreateSecret"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/project": "${aws:PrincipalTag/project}",
          "aws:RequestTag/costcenter": "${aws:PrincipalTag/costcenter}"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["project", "createdBy", "costcenter", "application"]
        }
      }
    }
  ]
}

StringEquals on aws:RequestTag/project and aws:RequestTag/costcenter: the request must carry both tags, and each value must equal the same-named tag on the calling principal (the ${aws:PrincipalTag/...} variables). A request with no tags fails here, because StringEquals does not match when the key is absent from the request context.
ForAllValues:StringEquals on aws:TagKeys: every tag key in the request must be one of the four listed keys, so nothing else can be attached at creation. On its own this operator would also match a request with no tags at all (an empty set satisfies ForAllValues), which is why the StringEquals block above, not this one, is what makes the tags mandatory.
The slide spells this key "createdby" here and "createdBy" on the other slides; tag keys are case-sensitive and StringEquals compares case-sensitively, so pick one spelling and use it in every statement (createdBy is used here).
Demo step 3: Set permissions based on attributes (permissions rules)
Permission policy to manage secrets using tags (a statement in the same policy document)

{
  "Effect": "Allow",
  "Action": [
    "secretsmanager:GetResourcePolicy",
    "secretsmanager:GetSecretValue",
    "secretsmanager:DescribeSecret",
    "secretsmanager:RestoreSecret",
    "secretsmanager:PutSecretValue",
    "secretsmanager:UpdateSecretVersionStage",
    "secretsmanager:DeleteSecret",
    "secretsmanager:RotateSecret",
    "secretsmanager:CancelRotateSecret",
    "secretsmanager:ListSecretVersionIds",
    "secretsmanager:UpdateSecret"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"
    }
  }
}

Only manage secrets whose project tag equals the caller's project tag. The Resource element stays "*": the tag condition, not the ARN, scopes the statement, which is what lets it cover secrets that do not exist yet. A secret with no project tag matches nobody's principal tag, so a developer holding only this policy can neither read nor delete it.
Permission policy to manage secrets using tags (continued: adding tags)

{
  "Effect": "Allow",
  "Action": ["secretsmanager:TagResource"],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"
    },
    "ForAllValues:StringEquals": {
      "aws:TagKeys": ["project", "createdBy", "application", "costcenter"]
    },
    "StringEqualsIfExists": {
      "aws:RequestTag/project": ["${aws:PrincipalTag/project}"],
      "aws:RequestTag/costcenter": ["${aws:PrincipalTag/costcenter}"]
    }
  }
}

Only tag secrets that already belong to your project (secretsmanager:ResourceTag/project).
Only these four keys may appear in the tagging request (aws:TagKeys); any of them may be used.
If the request sets project or costcenter, the values must equal the caller's own tags (StringEqualsIfExists). The ...IfExists form is deliberate: a TagResource call that only adds, say, application has no aws:RequestTag/project in its context and must still be allowed. Taken together, the three conditions mean a developer cannot re-tag a secret into another project or cost center.
Permission policy to manage secrets using tags (continued: removing tags)

{
  "Effect": "Allow",
  "Action": ["secretsmanager:UntagResource"],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"
    },
    "ForAllValues:StringEquals": {
      "aws:TagKeys": ["application"]
    }
  }
}

Only remove tags from secrets in your own project, and only the application tag. The access-control attributes project and costcenter are deliberately absent from the key list, so developers cannot strip them: an untag request naming project fails the ForAllValues check.
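The four statements above can be checked offline with a small evaluator. This is an added example, not code from the deck or from AWS: it models only the three condition operators the policy uses (StringEquals, StringEqualsIfExists, ForAllValues:StringEquals) plus ${aws:PrincipalTag/...} variables, and it exercises the behaviours that decide whether the policy is correct: StringEquals failing on an absent key, ForAllValues being satisfied by an empty key set, and ...IfExists passing when the key is absent. The action list of the second statement is abridged, and the principal tags and request tags are constructed sample values.

```python
"""Offline evaluator for the condition operators used in the deck's Secrets Manager
policy: StringEquals, StringEqualsIfExists and ForAllValues:StringEquals, with
${aws:PrincipalTag/...} policy variables. Assumes no explicit Deny statements apply."""
import re

PRINCIPAL_TAG = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")

# The deck's four statements as one document (second statement's action list abridged).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["secretsmanager:CreateSecret"], "Resource": "*",
     "Condition": {
         "StringEquals": {"aws:RequestTag/project": "${aws:PrincipalTag/project}",
                          "aws:RequestTag/costcenter": "${aws:PrincipalTag/costcenter}"},
         "ForAllValues:StringEquals": {
             "aws:TagKeys": ["project", "createdBy", "costcenter", "application"]}}},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret",
                "secretsmanager:PutSecretValue", "secretsmanager:DeleteSecret"],
     "Condition": {"StringEquals": {
         "secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"}}},
    {"Effect": "Allow", "Action": ["secretsmanager:TagResource"], "Resource": "*",
     "Condition": {
         "StringEquals": {"secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"},
         "ForAllValues:StringEquals": {
             "aws:TagKeys": ["project", "createdBy", "application", "costcenter"]},
         "StringEqualsIfExists": {"aws:RequestTag/project": ["${aws:PrincipalTag/project}"],
                                  "aws:RequestTag/costcenter": ["${aws:PrincipalTag/costcenter}"]}}},
    {"Effect": "Allow", "Action": ["secretsmanager:UntagResource"], "Resource": "*",
     "Condition": {
         "StringEquals": {"secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"},
         "ForAllValues:StringEquals": {"aws:TagKeys": ["application"]}}},
]}


def resolve(value, principal_tags):
    """Expand ${aws:PrincipalTag/key}. A principal without that tag leaves the
    variable unresolved, and AWS then treats the condition as not matching."""
    m = PRINCIPAL_TAG.fullmatch(value)
    return value if m is None else principal_tags.get(m.group(1))


def _equals_any(actual, expected, principal_tags):
    expected = expected if isinstance(expected, list) else [expected]
    return actual in {resolve(e, principal_tags) for e in expected} - {None}


def condition_matches(condition, ctx, principal_tags):
    """All operator blocks, and all keys inside each block, must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "StringEquals":                 # absent key -> no match
                ok = key in ctx and _equals_any(ctx[key], expected, principal_tags)
            elif operator == "StringEqualsIfExists":       # absent key -> match
                ok = key not in ctx or _equals_any(ctx[key], expected, principal_tags)
            elif operator == "ForAllValues:StringEquals":  # empty set -> match
                ok = all(_equals_any(v, expected, principal_tags) for v in ctx.get(key, []))
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def request_context(request_tags=None, resource_tags=None, tag_keys=None):
    """Context keys IAM populates for a Secrets Manager call: aws:RequestTag/* and
    aws:TagKeys from the tags in the request, secretsmanager:ResourceTag/* from the
    tags already on the secret. UntagResource carries only the keys being removed."""
    ctx = {f"aws:RequestTag/{k}": v for k, v in (request_tags or {}).items()}
    ctx.update({f"secretsmanager:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()})
    keys = list(request_tags or {}) if tag_keys is None else tag_keys
    if keys:
        ctx["aws:TagKeys"] = keys
    return ctx


def is_allowed(action, ctx, principal_tags, policy=POLICY):
    return any(s["Effect"] == "Allow" and action in s["Action"]
               and condition_matches(s.get("Condition", {}), ctx, principal_tags)
               for s in policy["Statement"])


if __name__ == "__main__":
    dev = {"project": "Pickles", "costcenter": "123"}  # constructed principal tags
    good = {"project": "Pickles", "costcenter": "123", "application": "web"}
    print(is_allowed("secretsmanager:CreateSecret", request_context(good), dev))  # True
    print(is_allowed("secretsmanager:CreateSecret", request_context({}), dev))    # False: no tags
    print(is_allowed("secretsmanager:UntagResource", request_context(
        resource_tags={"project": "Pickles"}, tag_keys=["project"]), dev))        # False: reserved key
```

This evaluator ignores explicit Deny statements, permissions boundaries, SCPs and resource policies, so it is a reading aid for the operator semantics, not a replacement for the IAM policy simulator; for an authoritative answer, run the same context keys through SimulateCustomPolicy.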
Demo step 4: Create new resources and demonstrate permissions
Five ABAC best practices to take back with you
1. Reserve a subset of attributes used for access control (in the demo: project and costcenter)
2. Only approved entities can set or modify attributes (in the demo, developers' UntagResource permission covers only the application key, so the access-control tags cannot be stripped by the people governed by them)
3. Tag everything during creation so that permissions apply immediately (the CreateSecret statement enforces this with its aws:RequestTag conditions)
4. Rely on attributes to grant permissions to manage resources
5. Periodically audit to ensure that resources are tagged appropriately
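A tag-compliance audit for best practice 5, added here as an example and not part of the deck: it walks a list shaped like the SecretList entries that Secrets Manager's ListSecrets returns and reports secrets missing a required access-control tag, carrying a key outside the approved set (including keys that differ from an approved key only by case, which the policies' StringEquals checks treat as a different key), or carrying a project value that is not a known team. The secret list is constructed sample data and the set of known project values is an assumption taken from the two demo teams; to run it for real, feed the pages from boto3's list_secrets paginator into audit_secrets().

```python
"""Tag-compliance audit for Secrets Manager secrets (best practice 5). Runs over a
constructed list shaped like the SecretList entries that ListSecrets returns, so it
works offline; pass real list_secrets() pages into audit_secrets() to use it."""

REQUIRED_KEYS = {"project", "costcenter"}                              # access-control attributes
APPROVED_KEYS = REQUIRED_KEYS | {"createdBy", "application", "stage"}  # the deck's key set
KNOWN_VALUES = {"project": {"Pickles", "Bubbles"}}                     # assumption: the demo teams

SAMPLE_SECRET_LIST = [  # constructed, in the shape of ListSecrets -> SecretList
    {"Name": "pickles/db", "Tags": [{"Key": "project", "Value": "Pickles"},
                                    {"Key": "costcenter", "Value": "123"}]},
    {"Name": "bubbles/api", "Tags": [{"Key": "project", "Value": "Bubbles"}]},
    {"Name": "legacy/key", "Tags": []},
    {"Name": "pickles/cache", "Tags": [{"Key": "Project", "Value": "Pickles"},
                                       {"Key": "costcenter", "Value": "123"},
                                       {"Key": "owner", "Value": "alice"}]},
    {"Name": "bubbles/queue", "Tags": [{"Key": "project", "Value": "Unicorns"},
                                       {"Key": "costcenter", "Value": "9"}]},
]


def audit_secret(secret):
    """Return the findings for one secret; an empty list means it is compliant."""
    tags = {t["Key"]: t["Value"] for t in secret.get("Tags", [])}
    findings = []
    missing = REQUIRED_KEYS - tags.keys()
    if missing:
        findings.append("missing required tag(s): " + ", ".join(sorted(missing)))
    for key in tags:
        if key in APPROVED_KEYS:
            continue
        # A key differing from an approved one only by case is almost always a typo,
        # and the policies' case-sensitive StringEquals checks will not honour it.
        twin = next((a for a in APPROVED_KEYS if a.lower() == key.lower()), None)
        findings.append(f"unapproved key '{key}'" + (f" (case differs from '{twin}')" if twin else ""))
    for key, allowed in KNOWN_VALUES.items():
        if key in tags and tags[key] not in allowed:
            findings.append(f"unknown {key} value '{tags[key]}'")
    return findings


def audit_secrets(secret_list):
    """Map secret name -> findings, for every secret that has at least one finding."""
    report = {}
    for secret in secret_list:
        findings = audit_secret(secret)
        if findings:
            report[secret["Name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_secrets(SAMPLE_SECRET_LIST).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Secrets that show up as missing project are exactly the ones the tag-scoped statements above will never grant to anyone, so this report doubles as a list of resources that have silently fallen outside the ABAC model.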
Additional resources
Service-specific permissions documentation
A central location of services, actions, resource-level permissions, and conditions supported across AWS
Actions, Resources, and Condition Keys for AWS Services:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
Become a policy master in 60 minutes or less
A review of IAM policy techniques and demonstrations of how to use them; it includes different examples for ABAC
Video link: https://youtu.be/YQsK4MtsELU
Working backward: From IAM policies and principal tags to standardized names and tags for your AWS resources
A blog post about implementing ABAC: AWS Security Blog post
@AWSIdentity
Thank you!

 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Scale permissions management in AWS with attribute-based access control - SDD350-R - AWS re:Inforce 2019

  • 1. Scale permissions management in AWS with attribute-based access control. Brigid Johnson, Senior Manager, AWS Identity, AWS. SDD350-R
  • 2. Agenda: permissions review; introducing attribute-based access control (ABAC) in AWS; applying ABAC in your organization; ABAC best practices
  • 4. Purpose of permissions in your organization. Goal: business to innovate, agility to move fast, give builders freedom. Ensure: prevent dangerous actions, accountable security posture, cost-effective solutions.
  • 5. Specify who can access what: workforce users, permissions, resources (spread across several AWS accounts)
  • 6. Two parts to permissions. AWS's job, enforcement: for each request, the service or application evaluates the permissions that you defined to allow or deny access. Your job, specification: define which entities are allowed to perform which actions on specific resources and under which conditions.
  • 7. Role-based access control (RBAC): workforce users, permissions, resources
  • 8. Benefits of RBAC with AWS: grant users specific permissions by assigning a collection of roles; create a distinct role for each unique permission combination; update permissions by adding access for each new resource; determine access by auditing specific role permissions
  • 10. Attribute-based access control: use attributes to create general permissions rules that scale with your organization
  • 11. A little bit about attributes. Attributes are a key, or a key and value pair. They are pre-defined by a provider or they are custom. Examples: UserID = AlienFriend, Team = Unicorns, Project = Pickles; Project = Pickles, Env = Development, CreatedBy = AlienFriend
  • 12. A scalable permissions model based on attributes: workforce users, permissions, resources
  • 13. Benefits of ABAC: permissions scale with innovation, enabling developers to build; teams move fast, as permissions automatically apply based on attributes; granular permissions are possible without requiring a permissions update for every new user or resource; audit attributes are available to determine access
  • 14. Examples of attribute-based permissions: grant developers read and write access to their project resources; require developers to assign their project to new resources; grant developers read access to resources that are common to their team; manage only the resources that I own
  • 16. Steps to applying ABAC in your organization
  • 17. Demonstration setup: Team Pickles, Team Bubbles, AWS Secrets Manager (easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle)
  • 18. Demo steps: identities with access control attributes. Both teams' identities carry the project and costcenter attributes. Required resource attributes: project, costcenter.
  • 19. Demo steps: require attributes for new resources. Tag keys in play: project, costcenter, stage, createdBy, application. Required resource attributes: project, costcenter.
  • 20. Permission policy to require attributes on new secrets:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:CreateSecret"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/project": "${aws:PrincipalTag/project}",
              "aws:RequestTag/costcenter": "${aws:PrincipalTag/costcenter}"
            },
            "ForAllValues:StringEquals": {
              "aws:TagKeys": [
                "project",
                "createdBy",
                "costcenter",
                "application"
              ]
            }
          }
        }
      ]
    }

    Callouts on the slide: the StringEquals block requires the project and costcenter tags and requires them to carry the caller's own values; the aws:TagKeys block allows a new secret to be tagged with these keys, but nothing else. The slide spells the third key both "createdby" (here) and "createdBy" (slides 19 and 23); it is written createdBy here so the key set matches the TagResource policy on slide 23. Note that ForAllValues on its own is satisfied by a request with no tags at all, so the StringEquals block is what makes the two attributes mandatory.
  • 21. Demo steps: set permissions based on attributes (permissions rules)
  • 22. Permission policy to manage secrets using tags (first statement; the TagResource and UntagResource statements follow on slides 23 and 24):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetResourcePolicy",
            "secretsmanager:GetSecretValue",
            "secretsmanager:DescribeSecret",
            "secretsmanager:RestoreSecret",
            "secretsmanager:PutSecretValue",
            "secretsmanager:UpdateSecretVersionStage",
            "secretsmanager:DeleteSecret",
            "secretsmanager:RotateSecret",
            "secretsmanager:CancelRotateSecret",
            "secretsmanager:ListSecretVersionIds",
            "secretsmanager:UpdateSecret"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"
            }
          }
        }
      ]
    }

    Callout on the slide: only manage resources with these tags, i.e. secrets whose project tag equals the caller's project attribute.
  • 23. Permission policy to manage secrets using tags (TagResource statement):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["secretsmanager:TagResource"],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"
            },
            "ForAllValues:StringEquals": {
              "aws:TagKeys": ["project", "createdBy", "application", "costcenter"]
            },
            "StringEqualsIfExists": {
              "aws:RequestTag/project": ["${aws:PrincipalTag/project}"],
              "aws:RequestTag/costcenter": ["${aws:PrincipalTag/costcenter}"]
            }
          }
        }
      ]
    }

    Callouts on the slide: only tag resources with these tags (the ResourceTag check limits the action to your own project's secrets); tag with only these keys (aws:TagKeys); for project and costcenter, you may specify only these values. StringEqualsIfExists lets a call that does not touch project or costcenter proceed, while a call that does set them must keep the caller's own values, so a secret cannot be re-tagged into another team.
  • 24. Permission policy to manage secrets using tags (UntagResource statement):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:UntagResource"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"
            },
            "ForAllValues:StringEquals": {
              "aws:TagKeys": [
                "application"
              ]
            }
          }
        }
      ]
    }

    Callout on the slide: only change tags of your project. Because aws:TagKeys is restricted to application, the project, costcenter and createdBy tags that the other statements key on cannot be removed by the developers this policy is attached to.
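The three condition operators used on slides 20, 23 and 24 (StringEquals with ${aws:PrincipalTag/...} variables, ForAllValues:StringEquals on aws:TagKeys, and StringEqualsIfExists) behave differently when a key is absent, which is what makes the CreateSecret and UntagResource policies work. The following toy evaluator is an added example, not AWS's policy engine or code from the talk: it models just those operators and the context keys the slides use, replays slide 20's policy against a set of constructed CreateSecret requests for a constructed Team Pickles principal, and checks slide 24's UntagResource statement the same way.

```python
"""Toy evaluator for the IAM condition operators on slides 20, 23 and 24.
Added illustration only: not AWS's evaluator. It models StringEquals,
StringEqualsIfExists and ForAllValues:StringEquals plus ${aws:PrincipalTag/..}
policy variables, which is all these policies need."""
import re


def _lookup(ctx, key):
    """Condition key names are case-insensitive; values are compared as-is."""
    for k, v in ctx.items():
        if k.lower() == key.lower():
            return v
    return None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _resolve(pattern, ctx):
    """Expand ${key} policy variables; an unresolvable variable means no match."""
    missing = False

    def sub(m):
        nonlocal missing
        v = _lookup(ctx, m.group(1))
        if v is None or isinstance(v, list):
            missing = True
            return ""
        return v

    out = re.sub(r"\$\{([^}]+)\}", sub, pattern)
    return None if missing else out


def string_equals(ctx, key, allowed):
    actual = _lookup(ctx, key)
    if actual is None or isinstance(actual, list):
        return False  # an absent key never satisfies StringEquals
    return any(_resolve(a, ctx) == actual for a in _as_list(allowed))


def string_equals_if_exists(ctx, key, allowed):
    if _lookup(ctx, key) is None:
        return True  # ...IfExists: an absent key is treated as a match
    return string_equals(ctx, key, allowed)


def for_all_values_string_equals(ctx, key, allowed):
    """Every value of a multivalued key must be in the allowed set. An absent or
    empty set matches, so slide 20 also needs StringEquals on aws:RequestTag."""
    actual = _lookup(ctx, key)
    values = [] if actual is None else _as_list(actual)
    permitted = {r for r in (_resolve(a, ctx) for a in _as_list(allowed)) if r is not None}
    return all(v in permitted for v in values)


OPERATORS = {
    "StringEquals": string_equals,
    "StringEqualsIfExists": string_equals_if_exists,
    "ForAllValues:StringEquals": for_all_values_string_equals,
}


def is_allowed(policy, action, ctx):
    """True if an Allow statement names the action and all of its conditions hold."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        if all(OPERATORS[op](ctx, key, allowed)
               for op, block in stmt.get("Condition", {}).items()
               for key, allowed in block.items()):
            return True
    return False


# Slide 20 policy (tag key written createdBy, as on slides 19 and 23).
CREATE_SECRET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["secretsmanager:CreateSecret"], "Resource": "*",
    "Condition": {
        "StringEquals": {"aws:RequestTag/project": "${aws:PrincipalTag/project}",
                         "aws:RequestTag/costcenter": "${aws:PrincipalTag/costcenter}"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["project", "createdBy", "costcenter", "application"]},
    }}]}

# Slide 24 statement: only the application tag may be removed, only on your own project's secrets.
UNTAG_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["secretsmanager:UntagResource"], "Resource": "*",
    "Condition": {
        "StringEquals": {"secretsmanager:ResourceTag/project": "${aws:PrincipalTag/project}"},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["application"]},
    }}]}

# Constructed principal: a Team Pickles developer carrying the two access-control attributes.
PRINCIPAL = {"aws:PrincipalTag/project": "Pickles", "aws:PrincipalTag/costcenter": "1234"}


def create_request(tags):
    """Request context CreateSecret presents for a call that applies these tags."""
    ctx = {**PRINCIPAL, **{f"aws:RequestTag/{k}": v for k, v in tags.items()}}
    ctx["aws:TagKeys"] = list(tags)
    return ctx


def demo():
    """Constructed CreateSecret requests mapped to whether slide 20's policy allows them."""
    cases = {
        "matching project and costcenter": {"project": "Pickles", "costcenter": "1234"},
        "plus an allowed extra key": {"project": "Pickles", "costcenter": "1234", "application": "web"},
        "another team's project": {"project": "Bubbles", "costcenter": "1234"},
        "costcenter missing": {"project": "Pickles"},
        "key outside the reserved set": {"project": "Pickles", "costcenter": "1234", "owner": "alice"},
        "no tags at all": {},
    }
    return {name: is_allowed(CREATE_SECRET_POLICY, "secretsmanager:CreateSecret", create_request(tags))
            for name, tags in cases.items()}


def untag_allowed(resource_project, keys_to_remove):
    """Does slide 24's statement let the Pickles principal strip these keys from a secret?"""
    ctx = {**PRINCIPAL, "secretsmanager:ResourceTag/project": resource_project,
           "aws:TagKeys": keys_to_remove}
    return is_allowed(UNTAG_POLICY, "secretsmanager:UntagResource", ctx)
```

Running demo() allows only the first two requests; the requests that name another team's project, omit costcenter, add a key outside the reserved set, or carry no tags at all are all denied. untag_allowed("Pickles", ["application"]) is the one untag that succeeds: removing project, or touching a Bubbles secret, is refused, which is what keeps the project attribute trustworthy for the slide-22 statement.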
  • 25. Demo steps: create new resources and demonstrate permissions
  • 27. Five ABAC best practices to take back with you: 1. Reserve a subset of attributes used for access control. 2. Only approved entities can set or modify attributes.
  • 28. Five ABAC best practices to take back with you (continued): 3. Tag everything during creation so that permissions apply immediately. 4. Rely on attributes to grant permissions to manage resources. 5. Periodically audit to ensure that resources are tagged appropriately.
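Best practice 5 is only useful if the audit checks the same attributes the policies key on. The following checker is an added example, not code from the talk or from AWS: it walks a constructed inventory shaped like Secrets Manager ListSecrets entries (a Name plus a Tags list of Key/Value pairs) and reports secrets missing the required project and costcenter tags, carrying empty values, or tagged with a project that no team owns. The required and reserved key sets are taken from the slide-20 policy; the set of known projects (Pickles and Bubbles, from the demo setup) is a constructed stand-in for whatever directory feeds your principal tags.

```python
"""Tag audit for ABAC best practice 5. Added example, not AWS code. Input records
are shaped like Secrets Manager ListSecrets entries: {"Name": ..., "Tags": [{"Key":
..., "Value": ...}, ...]}."""

REQUIRED = {"project", "costcenter"}                              # required by the slide-20 policy
RESERVED = {"project", "costcenter", "createdBy", "application"}  # keys reserved for access control (best practice 1)
KNOWN_PROJECTS = {"Pickles", "Bubbles"}                           # constructed: the demo's two teams


def audit_secret(secret):
    """Return the findings for one secret; an empty list means it is compliant."""
    tags = {t["Key"]: t["Value"] for t in secret.get("Tags", [])}
    findings = [f"missing required tag {key}" for key in sorted(REQUIRED - tags.keys())]
    for key in sorted(REQUIRED & tags.keys()):
        if not tags[key].strip():
            findings.append(f"required tag {key} is empty")
    project = tags.get("project")
    if project and project not in KNOWN_PROJECTS:
        # No principal carries this project attribute, so under the slide-22
        # statement nobody can manage the secret: it is orphaned, not protected.
        findings.append(f"project={project!r} matches no team; no principal can manage this secret")
    unmanaged = sorted(tags.keys() - RESERVED)
    if unmanaged:
        findings.append(f"non-access-control tags present: {', '.join(unmanaged)}")
    return findings


def audit(secrets):
    """Map each non-compliant secret name to its list of findings."""
    return {s["Name"]: f for s in secrets if (f := audit_secret(s))}


# Constructed sample inventory covering the cases the audit should catch.
SAMPLE_SECRETS = [
    {"Name": "pickles/db-password", "Tags": [
        {"Key": "project", "Value": "Pickles"},
        {"Key": "costcenter", "Value": "1234"},
        {"Key": "createdBy", "Value": "AlienFriend"}]},
    {"Name": "bubbles/api-key", "Tags": [{"Key": "project", "Value": "Bubbles"}]},
    {"Name": "legacy/untagged", "Tags": []},
    {"Name": "typo/orphan", "Tags": [
        {"Key": "project", "Value": "Pickels"},
        {"Key": "costcenter", "Value": ""}]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SECRETS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

To run this against a real account, replace SAMPLE_SECRETS with the SecretList entries returned by the list_secrets paginator of a boto3 Secrets Manager client; the record shape is the same. The orphan check is the one most teams forget: a misspelled project value is not just untidy, it is a secret nobody's ABAC policy can reach.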
  • 29. Additional resources. Service-specific permissions documentation: a central location of services, actions, resource-level permissions, and conditions supported across AWS, "Actions, Resources, and Condition Keys for AWS Services": https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html. "Become a policy master in 60 minutes or less": a review of IAM policy techniques and demonstrations of how to use them, including several ABAC examples, video: https://youtu.be/YQsK4MtsELU. "Working backward: From IAM policies and principal tags to standardized names and tags for your AWS resources": an AWS Security Blog post about implementing ABAC. @AWSIdentity
  • 30. Thank you!