SlideShare uma empresa Scribd logo
1 de 35
Baixar para ler offline
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
IAM Best Practices to Live By
Ran Tessler, AWS Solutions Architect
November 2015
AWS Identity and Access Management (IAM)
Enables you to control who can do what in your AWS account
Users, groups, roles, and permissions
Control
– Centralized
– Fine-grained - APIs, resources, and AWS Management Console
Security
– Secure (deny) by default
– Multiple users, individual security credentials and permissions
What to expect from this session
We will look at:
• Best practices – To help you get started
• Versus – When to use one technology over another
• Demos – “Show and tell”
IAM Best Practices
• Basic user and permission management
• Credential management
• Delegation
Basic user and permission management
0. Create individual users Benefits
• Unique credentials
• Individual credential rotation
• Individual permissions
Basic user and permission management
0. Create individual users
1. Grant least privilege
Benefits
• Less chance of people making
mistakes
• Easier to relax than tighten up
• More granular control
Basic user and permission management
0. Create individual users
1. Grant least privilege
2. Manage permissions with groups
Benefits
• Easier to assign the same
permissions to multiple users
• Simpler to reassign permissions
based on change in
responsibilities
• Only one change to update
permissions for multiple users
Basic user and permission management
0. Create individual users
1. Grant least privilege
2. Manage permissions with groups
3. Restrict privileged access further with conditions
Benefits
• Additional granularity when
defining permissions
• Can be enabled for any AWS
service API
• Minimizes chances of
accidentally performing
privileged actions
Basic user and permission management
0. Create individual users
1. Grant least privilege
2. Manage permissions with groups
3. Restrict privileged access further with conditions
4. Enable AWS CloudTrail to get logs of API calls
Benefits
• Visibility into your user activity by
recording AWS API calls to an
Amazon S3 bucket
Credential management
5. Configure a strong password policy Benefits
• Ensures your users and your
data are protected
Credential management
5. Configure a strong password policy
6. Rotate security credentials regularly
Benefits
• Normal best practice
Credential management
5. Configure a strong password policy
6. Rotate security credentials regularly
7. Enable MFA for privileged users
Benefits
• Supplements user name and
password to require a one-time
code during authentication
Delegation
8. Use IAM roles to share access Benefits
• No need to share security
credentials
• No need to store long-term
credentials
• Use cases
- Cross-account access
- Intra-account delegation
- Federation
Delegation
8. Use IAM roles to share access
9. Use IAM roles for Amazon EC2 instances
Benefits
• Easy to manage access keys on
EC2 instances
• Automatic key rotation
• Assign least privilege to the
application
• AWS SDKs fully integrated
• AWS CLI fully integrated
Delegation
8. Use IAM roles to share access
9. Use IAM roles for Amazon EC2 instances
10. Reduce or remove use of root
Benefits
• Reduce potential for misuse of
credentials
Versus – When should I use…?
Controlling Access to your Resources
IAM users vs. federated users
• Depends on where you want to manage your users
– On-premises → Federated users (IAM roles)
– In your AWS account → IAM users
• Other important use cases
– Delegating access to your account → Federated users (IAM roles)
– Mobile application access → Should always be federated access
IMPORTANT: Never share security credentials.
prod@example.com
Acct ID: 111122223333
ddb-role
{ "Statement": [
{ "Action":
[
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:ListTables"
],
"Effect": "Allow",
"Resource": "*“
}]}
dev@example.com
Acct ID: 123456789012
Authenticate with
Ran’s access keys
Get temporary
security credentials
for ddb-role
Call AWS APIs
using temporary
security credentials
of ddb-role
{ "Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource":
"arn:aws:iam::111122223333:role/ddb-role"
}]}
{ "Statement": [
{
"Effect":"Allow",
"Principal":{"AWS":"123456789012"},
"Action":"sts:AssumeRole"
}]}
How does federated access work?
ddb-role trusts IAM users from the AWS account
dev@example.com (123456789012)
Permissions assigned
to Ran granting him
permission to assume
ddb-role in account B
IAM user: Ran
Permissions assigned to ddb-role
STS
Controlling Access to your Resources
AWS access keys vs. passwords
• Depends on how your users will access AWS
– Console → Password
– API, CLI, SDK → Access keys
• In either case make sure to rotate credentials regularly
– Use Credential Report to audit credential rotation.
– Configure password policy.
– Configure policy to allow access key rotation.
Enabling credential rotation for IAM users
(Enable access key rotation sample policy)
Access keys
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"],
"Resource":
"arn:aws:iam::123456789012:
user/${aws:username}"
}]}
1. While the first set of credentials is still
active, create a second set of credentials,
which will also be active by default.
2. Update all applications to use the new
credentials.
3. Change the state of the first set of
credentials to Inactive.
4. Using only the new credentials, confirm
that your applications are working well.
5. Delete the first set of credentials.
Steps to rotate access keys
Controlling Access to your Resources
Inline policies vs. managed policies
• Use inline policies when you need to:
– Enforce a strict one-to-one relationship between policy and principal.
– Avoid the wrong policy being attached to a principal.
– Ensure the policy is deleted when deleting the principal.
• Use managed policies when you need:
– Reusability.
– Central change management.
– Versioning and rollback.
– Delegation of permissions management.
– Automatic updates for AWS managed policies.
– Larger policy size.
Controlling Access to your Resources
Groups vs. managed policies
• Provide similar benefits
– Can be used to assign the same permission to many users.
– Central location to manage permissions.
– Policy updates affect multiple users.
• Use groups when you need to
– Logically group and manage IAM users .
• Use managed policies when you need to
– Assign the same policy to users, groups, and roles.
Combine the power of groups AND managed policies
• Use groups to organize your users into logical clusters.
• Attach managed policies to those groups with the permissions those groups
need.
• Pro tip: Create managed policies based on logically separated permissions
such as AWS service or project, and attach managed policies mix-and-
match style to your groups.
Controlling Access to your Resources
How does tag-based access control work?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Project" : "Blue"
}
}
}
]
}
Permissions assigned to Bob granting him permission to
perform any EC2 action on resources tagged with
Project=Blue
IAM user: Bob
i-a1234b12
Project=Blue
i-a4321b12
Project=Blue
Project=Blue
i-a4321b12
Project=Green
Resource-specific policy vs. tag-based access control
• Use resource-specific policy when you need to:
• Control access to a specific resource.
• Control access to most AWS service resources.
• Use tag-based access control when you need to:
• Treat resources as a unit, such as a project.
• Automatically enforce permissions when new resources are created.
NOTE: The following services currently support tag-based access control:
Amazon EC2, Amazon VPC, Amazon EBS, Amazon RDS, Amazon Simple
Workflow Service, and AWS Data Pipeline
Controlling Access to your Resources
One AWS account vs. multiple AWS accounts?
Use a single AWS account when you:
• Want simpler control of who does what in your AWS environment.
• Have no need to isolate projects/products/teams.
• Have no need for breaking up the cost.
Use multiple AWS accounts when you:
• Need full isolation between projects/teams/environments.
• Want to isolate recovery data and/or auditing data (e.g., writing your
CloudTrail logs to a different account).
• Need a single bill, but want to break out the cost and usage.
Cross-account access with IAM roles
External identity
provider
acme@example.com
Acct ID: 123456789012
dev@example.com
Acct ID: 123456123456
proj2@example.com
Acct ID: 111222333444
proj1@example.com
Acct ID: 112233445566
IAM user: Alice
IAM user: Bob
What did we cover?
1. Top 11 best practices.
2. IAM users vs. federated users.
3. Access keys vs. passwords.
4. Inline policies vs. managed policies.
5. Groups vs. managed policies.
6. Resource-specific policy vs. tag-based access control.
7. One AWS account vs. multiple AWS accounts.
Thank you!

Mais conteúdo relacionado

Mais procurados

Building end-to-end IT Lifecycle Mgmt & Workflows with AWS Service Catalog - ...
Building end-to-end IT Lifecycle Mgmt & Workflows with AWS Service Catalog - ...Building end-to-end IT Lifecycle Mgmt & Workflows with AWS Service Catalog - ...
Building end-to-end IT Lifecycle Mgmt & Workflows with AWS Service Catalog - ...Amazon Web Services
 
Cloud Migration 과 Modernization 을 위한 30가지 아이디어-박기흥, AWS Migrations Specialist...
Cloud Migration 과 Modernization 을 위한 30가지 아이디어-박기흥, AWS Migrations Specialist...Cloud Migration 과 Modernization 을 위한 30가지 아이디어-박기흥, AWS Migrations Specialist...
Cloud Migration 과 Modernization 을 위한 30가지 아이디어-박기흥, AWS Migrations Specialist...Amazon Web Services Korea
 
Tagging Best Practices for Cloud Governance
Tagging Best Practices for Cloud GovernanceTagging Best Practices for Cloud Governance
Tagging Best Practices for Cloud GovernanceRightScale
 
Active Directory Proposal
Active Directory ProposalActive Directory Proposal
Active Directory ProposalMJ Ferdous
 
ITIL Service Transition
ITIL Service TransitionITIL Service Transition
ITIL Service TransitionMarvin Sirait
 
Analyzing Data Streams in Real Time with Amazon Kinesis: PNNL's Serverless Da...
Analyzing Data Streams in Real Time with Amazon Kinesis: PNNL's Serverless Da...Analyzing Data Streams in Real Time with Amazon Kinesis: PNNL's Serverless Da...
Analyzing Data Streams in Real Time with Amazon Kinesis: PNNL's Serverless Da...Amazon Web Services
 
Migrating Monoliths to Microservices -- M3
Migrating Monoliths to Microservices -- M3Migrating Monoliths to Microservices -- M3
Migrating Monoliths to Microservices -- M3Asir Selvasingh
 
Aws organizations
Aws organizationsAws organizations
Aws organizationsOlaf Conijn
 
Building a well-engaged and secure AWS account access management - FND207-R ...
 Building a well-engaged and secure AWS account access management - FND207-R ... Building a well-engaged and secure AWS account access management - FND207-R ...
Building a well-engaged and secure AWS account access management - FND207-R ...Amazon Web Services
 
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)Amazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
IT Service Management Tutorial | What Is ITSM? | ITIL Foundation Training | S...
IT Service Management Tutorial | What Is ITSM? | ITIL Foundation Training | S...IT Service Management Tutorial | What Is ITSM? | ITIL Foundation Training | S...
IT Service Management Tutorial | What Is ITSM? | ITIL Foundation Training | S...Simplilearn
 
Identity & Access Management for Securing DevOps
Identity & Access Management for Securing DevOpsIdentity & Access Management for Securing DevOps
Identity & Access Management for Securing DevOpsEryk Budi Pratama
 
Desktop as a Service DaaS in India by BSNL SIS
Desktop as a Service DaaS in India by BSNL SISDesktop as a Service DaaS in India by BSNL SIS
Desktop as a Service DaaS in India by BSNL SISSATYAVEER PAL
 

Mais procurados (20)

Building end-to-end IT Lifecycle Mgmt & Workflows with AWS Service Catalog - ...
Building end-to-end IT Lifecycle Mgmt & Workflows with AWS Service Catalog - ...Building end-to-end IT Lifecycle Mgmt & Workflows with AWS Service Catalog - ...
Building end-to-end IT Lifecycle Mgmt & Workflows with AWS Service Catalog - ...
 
Serverless Microservices
Serverless MicroservicesServerless Microservices
Serverless Microservices
 
Monitoring and Alerting
Monitoring and AlertingMonitoring and Alerting
Monitoring and Alerting
 
Becoming an IAM Policy Ninja
Becoming an IAM Policy NinjaBecoming an IAM Policy Ninja
Becoming an IAM Policy Ninja
 
Cloud Migration 과 Modernization 을 위한 30가지 아이디어-박기흥, AWS Migrations Specialist...
Cloud Migration 과 Modernization 을 위한 30가지 아이디어-박기흥, AWS Migrations Specialist...Cloud Migration 과 Modernization 을 위한 30가지 아이디어-박기흥, AWS Migrations Specialist...
Cloud Migration 과 Modernization 을 위한 30가지 아이디어-박기흥, AWS Migrations Specialist...
 
Tagging Best Practices for Cloud Governance
Tagging Best Practices for Cloud GovernanceTagging Best Practices for Cloud Governance
Tagging Best Practices for Cloud Governance
 
AWS Route53
AWS Route53AWS Route53
AWS Route53
 
Active Directory Proposal
Active Directory ProposalActive Directory Proposal
Active Directory Proposal
 
ITIL Service Transition
ITIL Service TransitionITIL Service Transition
ITIL Service Transition
 
Analyzing Data Streams in Real Time with Amazon Kinesis: PNNL's Serverless Da...
Analyzing Data Streams in Real Time with Amazon Kinesis: PNNL's Serverless Da...Analyzing Data Streams in Real Time with Amazon Kinesis: PNNL's Serverless Da...
Analyzing Data Streams in Real Time with Amazon Kinesis: PNNL's Serverless Da...
 
Migrating Monoliths to Microservices -- M3
Migrating Monoliths to Microservices -- M3Migrating Monoliths to Microservices -- M3
Migrating Monoliths to Microservices -- M3
 
AWS WAF
AWS WAFAWS WAF
AWS WAF
 
Aws organizations
Aws organizationsAws organizations
Aws organizations
 
Building a well-engaged and secure AWS account access management - FND207-R ...
 Building a well-engaged and secure AWS account access management - FND207-R ... Building a well-engaged and secure AWS account access management - FND207-R ...
Building a well-engaged and secure AWS account access management - FND207-R ...
 
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
IT Service Management Tutorial | What Is ITSM? | ITIL Foundation Training | S...
IT Service Management Tutorial | What Is ITSM? | ITIL Foundation Training | S...IT Service Management Tutorial | What Is ITSM? | ITIL Foundation Training | S...
IT Service Management Tutorial | What Is ITSM? | ITIL Foundation Training | S...
 
Identity & Access Management for Securing DevOps
Identity & Access Management for Securing DevOpsIdentity & Access Management for Securing DevOps
Identity & Access Management for Securing DevOps
 
AWS Cost Optimisation Solutions
AWS Cost Optimisation SolutionsAWS Cost Optimisation Solutions
AWS Cost Optimisation Solutions
 
Desktop as a Service DaaS in India by BSNL SIS
Desktop as a Service DaaS in India by BSNL SISDesktop as a Service DaaS in India by BSNL SIS
Desktop as a Service DaaS in India by BSNL SIS
 

Semelhante a Controlling Access to your Resources

IAM Best Practices to Live By - Pop-up Loft Tel Aviv
IAM Best Practices to Live By - Pop-up Loft Tel AvivIAM Best Practices to Live By - Pop-up Loft Tel Aviv
IAM Best Practices to Live By - Pop-up Loft Tel AvivAmazon Web Services
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended PracticesAmazon Web Services
 
Aws iam best practices to live by
Aws iam best practices to live byAws iam best practices to live by
Aws iam best practices to live byJohn Varghese
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended PracticesAmazon Web Services
 
(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live By(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live ByAmazon Web Services
 
Aws security best practices
Aws security best practicesAws security best practices
Aws security best practicesSundeep Roxx
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best PracticesAmazon Web Services
 
Introduction to IAM + Best Practices
Introduction to IAM + Best PracticesIntroduction to IAM + Best Practices
Introduction to IAM + Best PracticesAmazon Web Services
 
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)Amazon Web Services
 
Identify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS SecurityIdentify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Advanced security best practices - Masterclass - Pop-up Loft Tel Aviv
Advanced security best practices - Masterclass - Pop-up Loft Tel AvivAdvanced security best practices - Masterclass - Pop-up Loft Tel Aviv
Advanced security best practices - Masterclass - Pop-up Loft Tel AvivAmazon Web Services
 
Advanced Security Masterclass - Tel Aviv Loft
Advanced Security Masterclass - Tel Aviv LoftAdvanced Security Masterclass - Tel Aviv Loft
Advanced Security Masterclass - Tel Aviv LoftIan Massingham
 
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...Amazon Web Services
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAMKnoldus Inc.
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 

Semelhante a Controlling Access to your Resources (20)

IAM Best Practices to Live By - Pop-up Loft Tel Aviv
IAM Best Practices to Live By - Pop-up Loft Tel AvivIAM Best Practices to Live By - Pop-up Loft Tel Aviv
IAM Best Practices to Live By - Pop-up Loft Tel Aviv
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended Practices
 
Aws iam best practices to live by
Aws iam best practices to live byAws iam best practices to live by
Aws iam best practices to live by
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended Practices
 
IAM Recommended Practices
IAM Recommended PracticesIAM Recommended Practices
IAM Recommended Practices
 
(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live By(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live By
 
Aws security best practices
Aws security best practicesAws security best practices
Aws security best practices
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best Practices
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best Practices
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best Practices
 
Introduction to IAM + Best Practices
Introduction to IAM + Best PracticesIntroduction to IAM + Best Practices
Introduction to IAM + Best Practices
 
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
 
Identify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS SecurityIdentify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS Security
 
Advanced security best practices - Masterclass - Pop-up Loft Tel Aviv
Advanced security best practices - Masterclass - Pop-up Loft Tel AvivAdvanced security best practices - Masterclass - Pop-up Loft Tel Aviv
Advanced security best practices - Masterclass - Pop-up Loft Tel Aviv
 
Advanced Security Masterclass - Tel Aviv Loft
Advanced Security Masterclass - Tel Aviv LoftAdvanced Security Masterclass - Tel Aviv Loft
Advanced Security Masterclass - Tel Aviv Loft
 
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM Introduction
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAM
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM Introduction
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 

Mais de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Mais de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Último

Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 

Último (20)

Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 

Controlling Access to your Resources

  • 1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. IAM Best Practices to Live By Ran Tessler, AWS Solutions Architect November 2015
  • 2. AWS Identity and Access Management (IAM) Enables you to control who can do what in your AWS account Users, groups, roles, and permissions Control – Centralized – Fine-grained - APIs, resources, and AWS Management Console Security – Secure (deny) by default – Multiple users, individual security credentials and permissions
  • 3. What to expect from this session We will look at: • Best practices – To help you get started • Versus – When to use one technology over another • Demos – “Show and tell”
  • 4. IAM Best Practices • Basic user and permission management • Credential management • Delegation
  • 5. Basic user and permission management 0. Create individual users Benefits • Unique credentials • Individual credential rotation • Individual permissions
  • 6. Basic user and permission management 0. Create individual users 1. Grant least privilege Benefits • Less chance of people making mistakes • Easier to relax than tighten up • More granular control
  • 7. Basic user and permission management 0. Create individual users 1. Grant least privilege 2. Manage permissions with groups Benefits • Easier to assign the same permissions to multiple users • Simpler to reassign permissions based on change in responsibilities • Only one change to update permissions for multiple users
  • 8. Basic user and permission management 0. Create individual users 1. Grant least privilege 2. Manage permissions with groups 3. Restrict privileged access further with conditions Benefits • Additional granularity when defining permissions • Can be enabled for any AWS service API • Minimizes chances of accidentally performing privileged actions
  • 9. Basic user and permission management 0. Create individual users 1. Grant least privilege 2. Manage permissions with groups 3. Restrict privileged access further with conditions 4. Enable AWS CloudTrail to get logs of API calls Benefits • Visibility into your user activity by recording AWS API calls to an Amazon S3 bucket
  • 10. Credential management 5. Configure a strong password policy Benefits • Ensures your users and your data are protected
  • 11. Credential management 5. Configure a strong password policy 6. Rotate security credentials regularly Benefits • Normal best practice
  • 12. Credential management 5. Configure a strong password policy 6. Rotate security credentials regularly 7. Enable MFA for privileged users Benefits • Supplements user name and password to require a one-time code during authentication
  • 13. Delegation 8. Use IAM roles to share access Benefits • No need to share security credentials • No need to store long-term credentials • Use cases - Cross-account access - Intra-account delegation - Federation
  • 14. Delegation 8. Use IAM roles to share access 9. Use IAM roles for Amazon EC2 instances Benefits • Easy to manage access keys on EC2 instances • Automatic key rotation • Assign least privilege to the application • AWS SDKs fully integrated • AWS CLI fully integrated
  • 15. Delegation 8. Use IAM roles to share access 9. Use IAM roles for Amazon EC2 instances 10. Reduce or remove use of root Benefits • Reduce potential for misuse of credentials
  • 16. Versus – When should I use…?
  • 18. IAM users vs. federated users • Depends on where you want to manage your users – On-premises → Federated users (IAM roles) – In your AWS account → IAM users • Other important use cases – Delegating access to your account → Federated users (IAM roles) – Mobile application access → Should always be federated access IMPORTANT: Never share security credentials.
  • 19. prod@example.com Acct ID: 111122223333 ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*“ }]} dev@example.com Acct ID: 123456789012 Authenticate with Ran’s access keys Get temporary security credentials for ddb-role Call AWS APIs using temporary security credentials of ddb-role { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} How does federated access work? ddb-role trusts IAM users from the AWS account dev@example.com (123456789012) Permissions assigned to Ran granting him permission to assume ddb-role in account B IAM user: Ran Permissions assigned to ddb-role STS
  • 21. AWS access keys vs. passwords • Depends on how your users will access AWS – Console → Password – API, CLI, SDK → Access keys • In either case make sure to rotate credentials regularly – Use Credential Report to audit credential rotation. – Configure password policy. – Configure policy to allow access key rotation.
  • 22. Enabling credential rotation for IAM users (Enable access key rotation sample policy) Access keys { "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys", "iam:UpdateAccessKey"], "Resource": "arn:aws:iam::123456789012: user/${aws:username}" }]} 1. While the first set of credentials is still active, create a second set of credentials, which will also be active by default. 2. Update all applications to use the new credentials. 3. Change the state of the first set of credentials to Inactive. 4. Using only the new credentials, confirm that your applications are working well. 5. Delete the first set of credentials. Steps to rotate access keys
  • 24. Inline policies vs. managed policies • Use inline policies when you need to: – Enforce a strict one-to-one relationship between policy and principal. – Avoid the wrong policy being attached to a principal. – Ensure the policy is deleted when deleting the principal. • Use managed policies when you need: – Reusability. – Central change management. – Versioning and rollback. – Delegation of permissions management. – Automatic updates for AWS managed policies. – Larger policy size.
  • 26. Groups vs. managed policies • Provide similar benefits – Can be used to assign the same permission to many users. – Central location to manage permissions. – Policy updates affect multiple users. • Use groups when you need to – Logically group and manage IAM users . • Use managed policies when you need to – Assign the same policy to users, groups, and roles.
  • 27. Combine the power of groups AND managed policies • Use groups to organize your users into logical clusters. • Attach managed policies to those groups with the permissions those groups need. • Pro tip: Create managed policies based on logically separated permissions such as AWS service or project, and attach managed policies mix-and- match style to your groups.
  • 29. How does tag-based access control work? { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Bob granting him permission to perform any EC2 action on resources tagged with Project=Blue IAM user: Bob i-a1234b12 Project=Blue i-a4321b12 Project=Blue Project=Blue i-a4321b12 Project=Green
  • 30. Resource-specific policy vs. tag-based access control • Use resource-specific policy when you need to: • Control access to a specific resource. • Control access to most AWS service resources. • Use tag-based access control when you need to: • Treat resources as a unit, such as a project. • Automatically enforce permissions when new resources are created. NOTE: The following services currently support tag-based access control: Amazon EC2, Amazon VPC, Amazon EBS, Amazon RDS, Amazon Simple Workflow Service, and AWS Data Pipeline
  • 32. One AWS account vs. multiple AWS accounts? Use a single AWS account when you: • Want simpler control of who does what in your AWS environment. • Have no need to isolate projects/products/teams. • Have no need for breaking up the cost. Use multiple AWS accounts when you: • Need full isolation between projects/teams/environments. • Want to isolate recovery data and/or auditing data (e.g., writing your CloudTrail logs to a different account). • Need a single bill, but want to break out the cost and usage.
  • 33. Cross-account access with IAM roles External identity provider acme@example.com Acct ID: 123456789012 dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566 IAM user: Alice IAM user: Bob
  • 34. What did we cover? 1. Top 11 best practices. 2. IAM users vs. federated users. 3. Access keys vs. passwords. 4. Inline policies vs. managed policies. 5. Groups vs. managed policies. 6. Resource-specific policy vs. tag-based access control. 7. One AWS account vs. multiple AWS accounts.