
Become an IAM Policy Ninja


We take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket or to launch an Amazon EC2 instance of a specific type.


  1. Becoming an IAM Policy Ninja. Greg McConnel, Solutions Architect. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. What to expect from the session: knowledge of how to better control access to AWS resources; a deeper understanding of the AWS policy language; tips for avoiding common mistakes.
  3. Your first day as an IAM administrator. Scenario: a user at your company has overly permissive Amazon EC2 privileges. He keeps launching unnecessarily large instance types in a bunch of different regions. Goal: create a new policy that allows him to launch EC2 instances, but only specific types (t2.* and m4.*) and only in specific regions (us-west-2 and us-east-1).
  4. Different types of policies/permissions:
     - Identity-based permissions: attached to an IAM user, group or role.
     - Resource-based permissions: attached to the resource itself (role trust policies, Amazon SNS, Amazon SQS, Amazon Glacier, Amazon S3, AWS KMS).
     - Resource-level permissions: scoping a statement to particular ARNs, "Resource": "arn:aws:s3:::bucket" versus "Resource": "*".
     - Tag-based permissions: "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "${aws:username}"}}
  5. Different types of policies/permissions. Best resource to sort all this out: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html (or Google "IAM services work"). Specifically for EC2: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html
  6. Different types of identity-based policies:
     - Inline policies (the older way): you create and embed them directly in a single user, group, or role; the size limit depends on the entity (2K per user, 5K per group, 10K per role).
     - Managed policies (the newer way): can be attached to multiple users, groups, and roles. AWS managed policies are created and managed by AWS; customer managed policies are created and managed by you. Up to 5K per policy and up to 5 versions, and you can limit who is allowed to attach managed policies.
  7. Protection from mistakes (demo). Policy: deny deletion of DynamoDB tables for all users; allow deletion of tables whose names start with the word "score" only via a role that requires MFA and an external ID. Delete through switch role in the console, then delete through the CLI. An alternative option is to require MFA on the user and group for deletes. https://aws.amazon.com/blogs/database/preventing-accidental-table-deletion-in-dynamodb/
  8. The policy language
  9. The policy language defines Who can do What to Which and When. Two parts: specification (defining access policies) and enforcement (evaluating policies).
  10-12. Policy specification basics. Policies are JSON-formatted documents: one overall JSON block containing a Statement (the permissions); Statement can be an array, so one policy can carry multiple statement blocks. Each statement specifies Who can perform the action (Principal), What actions can be performed (Action), Which resources the actions are applied to (Resource) and When the action can be performed (Condition):
     {
       "Version": "2012-10-17",
       "Statement": [{
         "Effect": "Allow",
         "Principal": {"AWS": "999999999999"},
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::bucket",
         "Condition": {"condition": {"key": "value"}}
       }]
     }
     (The Condition block is a placeholder; a real one names a condition operator such as StringEquals and a condition key.)
  13. Action (WHAT): describes what you can and cannot do. You can find actions in the docs or use the policy editor to get a drop-down list. Statements must include either an Action or a NotAction element. Examples:
     "Action": "ec2:StartInstances"                          (EC2 action)
     "Action": "iam:ChangePassword"                          (IAM action)
     "Action": "s3:GetObject"                                (Amazon S3 action)
     "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"]     (multiple values for the Action element)
     "Action": "iam:*AccessKey*"                             (wildcards * or ? in the action name; this one covers create/delete/list/update of access keys)
  14. Understanding NotAction: lets you specify an exception to a list of actions, and can give a shorter policy than using Action and excluding many actions. Example: you want to allow everything but IAM APIs.
     {
       "Version": "2012-10-17",
       "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]
     }
     or
     {
       "Version": "2012-10-17",
       "Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"},
         {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}
       ]
     }
     Is there a difference? Yes. NotAction is not a Deny: the first policy simply does not grant iam:*, so a user could still get iam:* from a separate policy. If you want to prevent the user from ever being able to call IAM APIs, use an explicit Deny as in the second policy.
  15. You can use Not for Resources and Principals too (NotResource, NotPrincipal).
  16. Resource (WHICH): which objects are impacted by the permission. Statements must include either a Resource or a NotResource element. ARN formats:
     arn:aws:service:region:account-id:resource
     arn:aws:service:region:account-id:resourcetype/resource
     arn:aws:service:region:account-id:resourcetype:resource
     Examples (replace 123456789012 with your account number):
     "Resource": "arn:aws:s3:::my_corporate_bucket"                               (S3 bucket)
     "NotResource": "arn:aws:s3:::security_logging_bucket"                        (all S3 buckets except this one)
     "Resource": "arn:aws:sqs:us-west-2:123456789012:queue1"                      (Amazon SQS queue)
     "Resource": ["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
                  "arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"] (multiple Amazon DynamoDB tables)
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"                  (all EC2 instances for an account in a region)
  17. Condition (WHEN): when the permission gets applied. What if you wanted to restrict access to a time frame and an IP address range?
     "Condition": {
       "DateGreaterThan": {"aws:CurrentTime": "2017-01-01T11:00:00Z"},
       "DateLessThan": {"aws:CurrentTime": "2017-12-31T15:00:00Z"},
       "IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}
     }
     This allows a user to access a resource only when the time is after 11:00 A.M. UTC on 01/01/2017 AND before 3:00 P.M. UTC on 12/31/2017 AND the request comes from an IP address in the 192.0.2.0/24 OR 203.0.113.0/24 range. Separate condition operators (and separate keys) are ANDed; the values listed for one key are ORed. All of these conditions must be met for the statement to evaluate to TRUE.
  18. Take advantage of the IfExists condition operator. Many condition keys only exist for certain resource types. If you test for a key that is not present in the request, the condition evaluates to false and the statement does not apply (in other words, access denied). You can add IfExists to the end of any condition operator except the Null condition (for example, StringLikeIfExists). This lets you write policies that "don't care" when the key is not present.
  19-20. Principal (WHO): an entity that is allowed or denied access to a resource, indicated by an Amazon Resource Name (ARN). In IAM (identity-based) policies the Principal element is implicit: it is the user, group, or role the policy is attached to. Examples (replace 123456789012 with your account number):
     "Principal": {"AWS": "*"}                                          (everyone, including anonymous users)
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}             (a specific account)
     "Principal": {"AWS": "123456789012"}                               (the same account, short form)
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/username"}    (individual IAM user)
     "Principal": {"Federated": "accounts.google.com"}                  (federated user, using web identity federation)
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/rolename"}    (specific role)
     "Principal": {"Service": "ec2.amazonaws.com"}                      (specific service)
  21. Mixing things up (group demo). A role with no permissions (it is also very insecure and is just for demo purposes; don't try this at home). Assume the role, then read out the phrase in the file "readme" in bucket nyloftdemo. Account ID: 536768756927. Role name: nyloftdemo. Bucket name: nyloftdemo. File: readme.
  22. Policy Variables
  23-24. The anatomy of a policy with variables. This grants a user access to a home directory in S3 that can be accessed programmatically. Version is required; the variable ${aws:username} appears both in a condition value and in the resource ARNs:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["s3:ListBucket"],
           "Resource": ["arn:aws:s3:::myBucket"],
           "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}
         },
         {
           "Effect": "Allow",
           "Action": ["s3:*"],
           "Resource": [
             "arn:aws:s3:::myBucket/home/${aws:username}",
             "arn:aws:s3:::myBucket/home/${aws:username}/*"
           ]
         }
       ]
     }
  25. Mixing things up (group demo). What is the phrase? Question: where does the permission to view the bucket and open the file come from?
  26. Policy enforcement
  27. Policy enforcement. Remember that policies can come from multiple places: IAM users, roles and groups; AWS resources (Amazon S3, Amazon SQS, Amazon SNS and Amazon Glacier); and policies passed through federated user calls. The evaluation logic is well defined: all requests are denied by default, an explicit Deny trumps any Allow, and permissions are the union of all applicable policies.
  28. Policy enforcement, step by step: (1) the decision starts at Deny; (2) evaluate all applicable policies; (3) is there an explicit Deny? If yes, the final decision is Deny (explicit Deny); (4) if not, is there an Allow? If yes, the final decision is Allow; (5) if not, the final decision is Deny (default Deny). AWS retrieves all policies associated with the user and the resource; only policies that match the action and conditions are evaluated; if any policy statement has a Deny, it trumps all other policy statements; access is granted if there is an explicit Allow and no Deny; otherwise an implicit (default) Deny is returned.
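The decision procedure of slides 27-28, the AND/OR condition semantics of slide 17, the IfExists behaviour of slide 18 and the ${aws:username} substitution of slide 23 can all be exercised in one small evaluator. The Python below is an added example written for this page, not AWS's evaluator and not code from the talk; it models only the condition operators the slides use, the policies are copied from slides 14, 23 and 40, and MFA_DELETE_GUARD is my rendering of slide 7's "require MFA for deletes" alternative in the documented BoolIfExists form. Request contexts and ARNs in it are constructed.

```python
import ipaddress
import json
import re
from datetime import datetime

# Toy model of the IAM evaluation logic on slides 27-28 (start at Deny, evaluate
# every applicable statement, explicit Deny beats Allow, default Deny otherwise),
# the condition semantics of slides 17-18 (operators and keys are ANDed, the
# values for one key are ORed, "...IfExists" treats a missing key as a match)
# and the ${aws:username} substitution of slide 23. Added for this page; it is
# not AWS's evaluator and supports only the operators the slides use.

_VAR = re.compile(r"\$\{([A-Za-z0-9:_-]+)\}")

def _expand(text, context):
    # Policy variables such as ${aws:username} are filled in from the request context.
    return _VAR.sub(lambda m: str(context.get(m.group(1), m.group(0))), text)

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: only * and ? are special (unlike fnmatch, no [] classes).
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def _operator_holds(operator, policy_values, request_value):
    # One operator on one key holds if ANY listed value matches (values are ORed).
    if operator == "StringEquals":
        return request_value in policy_values
    if operator == "StringLike":
        return any(_glob(v, request_value) for v in policy_values)
    if operator == "Bool":
        return any(v.lower() == str(request_value).lower() for v in policy_values)
    if operator == "IpAddress":
        return any(ipaddress.ip_address(request_value) in ipaddress.ip_network(v) for v in policy_values)
    if operator == "DateGreaterThan":
        return any(_ts(request_value) > _ts(v) for v in policy_values)
    if operator == "DateLessThan":
        return any(_ts(request_value) < _ts(v) for v in policy_values)
    raise ValueError("operator not modelled here: " + operator)

def conditions_hold(condition, context):
    """Slide 17: every operator and every key must hold (they are ANDed)."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, values in keys.items():
            if key not in context:
                if if_exists:
                    continue        # slide 18: IfExists "doesn't care" about a missing key
                return False        # without IfExists a missing key fails the condition
            if not _operator_holds(base, [_expand(v, context) for v in _as_list(values)], context[key]):
                return False
    return True

def _statement_applies(st, action, resource, context):
    # Action/NotAction names are case-insensitive; Resource/NotResource ARNs are not.
    if "Action" in st:
        if not any(_glob(a, action, True) for a in _as_list(st["Action"])):
            return False
    elif any(_glob(a, action, True) for a in _as_list(st["NotAction"])):
        return False
    if "Resource" in st:
        if not any(_glob(_expand(r, context), resource) for r in _as_list(st["Resource"])):
            return False
    elif any(_glob(_expand(r, context), resource) for r in _as_list(st["NotResource"])):
        return False
    return conditions_hold(st.get("Condition", {}), context)

def evaluate(policies, action, resource, context):
    """Slide 28: returns 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"                            # 1. the decision starts at Deny
    for policy in policies:                              # 2. evaluate all applicable policies
        for st in policy["Statement"]:
            if not _statement_applies(st, action, resource, context):
                continue
            if st["Effect"] == "Deny":
                return "ExplicitDeny"                    # 3. an explicit Deny trumps everything
            decision = "Allow"                           # 4. an Allow stands unless a Deny turns up
    return decision                                      # 5. nothing allowed: default Deny

# Policies copied from slides 14, 23 and 40, plus MFA_DELETE_GUARD, my rendering of
# slide 7's "require MFA for deletes" alternative in the documented BoolIfExists form.
NOT_IAM = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}')
DENY_IAM = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}, {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}')
GRANT_IAM = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}')
HOME_DIR = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::myBucket"], "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}}, {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::myBucket/home/${aws:username}", "arn:aws:s3:::myBucket/home/${aws:username}/*"]}]}')
EC2_DEMO = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["ec2:RebootInstances", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"], "Condition": {"StringLikeIfExists": {"ec2:Region": ["us-east-1", "us-west-2"], "ec2:InstanceType": ["t2.*", "m4.*"]}}, "Resource": "*"}]}')
MFA_DELETE_GUARD = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*", "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}')

if __name__ == "__main__":
    alice = {"aws:username": "alice"}                                      # constructed request context
    keypair = "arn:aws:ec2:us-west-2:123456789012:key-pair/work"           # constructed ARN
    print(evaluate([NOT_IAM, GRANT_IAM], "iam:CreateUser", "*", alice))    # Allow: NotAction is not a Deny
    print(evaluate([DENY_IAM, GRANT_IAM], "iam:CreateUser", "*", alice))   # ExplicitDeny
    print(evaluate([EC2_DEMO], "ec2:RunInstances", keypair, {"ec2:Region": "us-west-2"}))  # Allow, thanks to IfExists
```

Two things worth trying with it: feed EC2_DEMO a key-pair ARN with no ec2:InstanceType key (as in the decoded message on slide 36) with and without the IfExists suffix, and stack GRANT_IAM on top of NOT_IAM versus DENY_IAM to see why slide 14 says NotAction is not a Deny.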
  29. Testing and debugging. Authoring: Policy Editor and Policy Generator. Testing: Policy Simulator. Debugging: the encoded authorization message (for EC2).
  30. Authoring: the Policy Generator at https://awspolicygen.s3.amazonaws.com/policygen.html, the IAM console, or the "copy from an existing example" method.
  31. Authoring with the Policy Editor. Policy validation checks JSON errors and policy grammar errors. Policy formatting is available on demand or as auto-formatting.
  32. Testing: the Policy Simulator, and the CLI dry-run option.
  33. Debugging
  34. Controlling access to EC2 (demo)
  35. Decoding the EC2 authorization message. It carries additional information about the authorization status of a request. The decoded message includes: whether the request was denied due to an explicit deny or the absence of an explicit allow; the principal who made the request; the requested action; the requested resource; and the values of the condition keys in the context of the user's request. The message is encoded because the details of the authorization status can constitute privileged information. In the console it appears as "Launch Failed. You are not authorized to perform this operation. Encoded authorization failure message:" followed by an opaque string, which on the slide reads:
     -VfI1U7UrRUcnnquJI- _e0M8S92blCJyHwP7WFGG6ywdmofrR4VTe9i_ypEEZtD1jmgBQwTbpZX8 v6rB3e2h_- EqsrvbjwKJ4ibYFYNmuMWU2ErOTOHHHQzwxlRxFpdP43IUP8zt6HT6b9t uWXaCgaJeG3kZdcO6VRqjx_zr4gc9v51W1OVCU- g94xuhPohfH9kCapGL82wamnjyfPDXCnWS26lKPx90FwZf9ALab5z2OKrzv q5YMY7- VgNPDfNxHCPZgFRaoVwZYBDJsiR4HQKHJxUE0KfroAPaTPzGajTWeKN 5OCRwogOrW8J5Q9XA2dQH3W8yTz9EHqo-nv8jRp- EAzAUMaq28q92SfENj_gDCZ7KnJ217Ec-Ne-RLao_bmHNB7819Y_H- WhFV3mXQAe76v5Dy6so9qx0- x9RBy_sekHPjiMZ7z9QVIDQs0N3bUgBrGVCsbG5XxTb7oSI29JjpHmrr2Y OG- YJPHfeYsaoUget3jXYPRH8REX0MZv5I3OFrGVXk2nr2af3OIralo5gqFOIUA YaEBT0z0SMnxq9oZKKonvEMA
  36. Steps to decode: use the decode-authorization-message command, aws sts decode-authorization-message --encoded-message <message>. The decoded request context looks like:
     "action": "ec2:RunInstances",
     "resource": "arn:aws:ec2:us-west-2:185106362262:key-pair/work-aws-account-pdx",
     "conditions": {"items": [{"key": "ec2:Region", "values": {"items": [{"value": "us-west-2"}]}}]}
     Note that the resource being authorized here is the key pair, and the only condition key in the context is ec2:Region; there is no ec2:InstanceType for a key pair, which is exactly the case IfExists (slide 18) is for. Great reference: https://iam.cloudonaut.io/reference/ec2.html
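Reading the decoded message by eye gets tedious because the CLI wraps the JSON in a JSON string and nests every list under "items". The helper below is an added example written for this page (not part of the talk or of the AWS CLI): it parses the output of aws sts decode-authorization-message, reports whether the denial was explicit or implicit, and flattens the condition keys so you can see which keys a policy tests for were absent from the request. The sample output is constructed, modelled on the fragment on slide 36, with the documentation account 123456789012 and a made-up principal in place of the slide's.

```python
import json
import sys

# Constructed sample of what "aws sts decode-authorization-message" returns.
# DecodedMessage is itself a JSON string, so it has to be decoded twice. The
# field layout follows the real API; the principal, account and ids are made up.
SAMPLE_CLI_OUTPUT = json.dumps({"DecodedMessage": json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {"id": "AIDAEXAMPLEID", "name": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-west-2:123456789012:key-pair/work-aws-account-pdx",
        "conditions": {"items": [
            {"key": "ec2:Region", "values": {"items": [{"value": "us-west-2"}]}},
        ]},
    },
})})


def flatten_conditions(conditions):
    """Turn {"items": [{"key": k, "values": {"items": [{"value": v}]}}]} into {k: [v, ...]}."""
    return {c["key"]: [v["value"] for v in c.get("values", {}).get("items", [])]
            for c in conditions.get("items", [])}


def summarize(cli_output):
    """Parse the raw CLI JSON and return the facts a policy author needs."""
    decoded = json.loads(json.loads(cli_output)["DecodedMessage"])
    ctx = decoded.get("context", {})
    if decoded.get("allowed"):
        reason = "allowed"
    elif decoded.get("explicitDeny"):
        reason = "explicit deny"                      # a Deny statement matched
    else:
        reason = "no matching allow (implicit deny)"  # slide 28's default Deny
    return {
        "reason": reason,
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "conditions": flatten_conditions(ctx.get("conditions", {})),
        "matched_statements": len(decoded.get("matchedStatements", {}).get("items", [])),
    }


def missing_keys(summary, expected):
    """Condition keys a policy tests for that were not in this request's context."""
    return sorted(k for k in expected if k not in summary["conditions"])


if __name__ == "__main__":
    raw = SAMPLE_CLI_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    s = summarize(raw)
    print(json.dumps(s, indent=2))
    print("keys the demo policy tests but this request lacks:",
          missing_keys(s, ["ec2:Region", "ec2:InstanceType"]))
```

Pipe the real CLI output in, for example aws sts decode-authorization-message --encoded-message "$MSG" | python3 decode_summary.py (decode_summary.py is whatever you name this file); the caller needs the sts:DecodeAuthorizationMessage permission. For the sample above the report is an implicit deny on the key-pair resource with only ec2:Region in context, so a policy that tests ec2:InstanceType with a plain StringLike can never match this part of a RunInstances call.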
  37. Demo: controlling access to EC2. Goal: create a policy that allows users to control EC2 instances, but only launch instances of specific types and only in two specific regions. We'll examine how to create a managed policy, enable users to access the EC2 console, and use policy conditions to limit the users to the specified types and regions.
  38-39. Demo: controlling access to EC2. The AWS managed policy AmazonEC2ReadOnlyAccess allows access to the EC2 console:
     {
       "Version": "2012-10-17",
       "Statement": [
         {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
         {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
         {"Effect": "Allow", "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*"], "Resource": "*"},
         {"Effect": "Allow", "Action": "autoscaling:Describe*", "Resource": "*"}
       ]
     }
  40-41. Demo: controlling access to EC2. The customer managed policy for the scenario. The slide's annotations: basic policy hygiene; the basic control actions for EC2; and the use of IfExists, which makes sure the policy works the way you expect it to.
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "ec2:RebootInstances",
             "ec2:RunInstances",
             "ec2:StartInstances",
             "ec2:StopInstances",
             "ec2:TerminateInstances"
           ],
           "Condition": {
             "StringLikeIfExists": {
               "ec2:Region": ["us-east-1", "us-west-2"],
               "ec2:InstanceType": ["t2.*", "m4.*"]
             }
           },
           "Resource": "*"
         }
       ]
     }
  42. IAM Policy Ninja. Disclaimer: not really. This is not a real certification, but thank you for staying until the end.
  43. Additional resources. Documentation: http://aws.amazon.com/documentation/iam/ and http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-apipermissions.html. AWS Security Blog (blogs.aws.amazon.com/security): http://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions and http://blogs.aws.amazon.com/security/post/Tx29ZC3VE9SQGQM/Granting-Users-Permission-to-Work-in-the-Amazon-EC2-Console. Also http://aws.amazon.com/iam, the forum at https://forums.aws.amazon.com/forum.jspa?forumID=76, and Twitter: @AWSIdentity.
  44. Questions?
