IAM is first in the Security CAF because in the cloud you first grant access and only then can you provision infrastructure (the opposite of on-prem). In this session we'll cover how to define fine-grained access to AWS resources via users, roles and groups; how to design privileged-user and multi-factor authentication mechanisms; and how to operate IAM at scale.
1. Identity and Access Management:
the First Step in AWS Security
Greg McConnel,
Solutions Architect
@2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved
2. What to Expect from the Session
We will look at:
• What is IAM?
• IAM Concepts – to help you get started
• Common use cases – cover the building blocks
• Demos – “Show and Tell”
3. AWS Identity and Access Management (IAM)
• Enables you to control who can do what in your AWS account
• IAM uses access control concepts that you are already familiar with
Diagram: Users, Groups and Roles are granted Permissions (IAM Policies) to AWS Services and Resources.
4. AWS Identity and Access Management (IAM)
• AAA
– Authentication
– Authorization
– Accounting/Audit (via other services)
• Control
– Centralized
– Fine-grained - APIs, resources, and AWS Management Console
• Security
– Secure (deny) by default
– Each user has individual security credentials and permissions
5. Questions
• When, if ever, would you need the Root Account?
• Is there a way to restrict Root Account permissions?
• How should you and other users access AWS?
6. IAM Users
What
• Used by a person or service to interact with AWS
• Name and unique set of credentials
– Console password
– Access Key (access key ID and secret key) – used to sign requests
– MFA device
o Hardware: Gemalto token
o Virtual: Authy, Amazon, Google, etc.; SMS MFA in preview now
When
• Enable user or programmatic access to AWS resources and services
– E.g. a new employee requires access to Amazon EC2 and Amazon S3
– E.g. an application stores data in Amazon DynamoDB
7. IAM Users
Why (Benefits)
• Unique set of credentials
• Individual permissions
• Granular control
• Easy to revoke access
Do
• Create IAM user for yourself
• Create individual IAM users for others
Don’t
• Distribute your AWS root credentials
• Use your root account user
• Share your IAM user credentials
8. IAM Users and Permissions
• No permissions by default
• Permissions specify which actions are allowed on which AWS resources
• Assign permissions individually to each user (or use Groups)
– Greg (UX Designer) > access to Amazon S3
– Samantha (Database Administrator) > access to select Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS Lambda, and AWS Data Pipeline APIs
• Use IAM Policies to assign permissions
9. IAM Policies
Two types of identity-based policies in IAM
• Managed policies (the newer way)
– Can be attached to multiple users, groups, and roles
– AWS managed policies (created and managed by AWS)
– Customer managed policies (created and managed by you)
o Up to 5K per policy
o Up to 5 versions
– You can limit who can attach managed policies
• Inline policies (the older way)
– You create and embed them directly in a single user, group, or role
– Variable policy size (2K per user, 5K per group, 10K per role)
10. Questions
• Why bother with IAM users when we have the Root Account?
• Is there a better option than adding policies to each IAM user?
11. IAM Groups
What
• Collection of IAM users
• Specify and manage permissions for multiple users, centrally
• e.g. a group for all UX Designers
• A group can contain many users, and a user can belong to multiple groups
When
• Easily manage permissions for multiple users
Example of managing permissions using groups (one AWS Account):
• IAM Group: Administrators – Akshay, Andrea, Arvind
• IAM Group: UX Designers – Greg, Rachel
• IAM Group: DevOps – Akshay, Andrew, Lin, Zoe
(Akshay belongs to two groups.)
12. IAM Groups
Why (Benefits)
• Reduces user management complexity
• Reassign permissions based on a change in responsibility
• Update permissions for multiple users at once
• Reduce the chance of accidental excessive access
Do
• Create groups that relate to job functions
• Attach policies to groups
• Use managed policies to logically manage permissions
• Manage group membership to assign permissions
13. Questions
• Can a group be used as the principal for a resource-based permission or trust policy?
• How can I grant permissions without a user or a group?
14. IAM Roles
What
• “Container” of permissions; not uniquely associated with one person or application
• Assume the role to get the permissions
• Temporary access keys are created and provided dynamically
When
• Cross-account access
• Access within an account
• e.g. access for application running on Amazon EC2
• [Federation] Access to identities defined outside AWS
• e.g. access for identities maintained in your corporate IdP
15. Use IAM roles to share access
Why (Benefits)
• No need to share security credentials
• No need to store long-term credentials
• No need to create IAM accounts
• Securely and easily control access
16. Use IAM roles for cross-account access
Account A: dev@example.com (Acct ID: 123456789012), IAM user: Greg
Account B: prod@example.com (Acct ID: 111122223333), role: ddb-role
Flow (via STS):
• Greg authenticates with his own access keys
• Greg gets temporary security credentials for ddb-role
• Greg calls AWS APIs using the temporary security credentials of ddb-role
Permissions assigned to Greg, granting him permission to assume ddb-role in account B:
{ "Statement": [
  {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111122223333:role/ddb-role"
  }]}
Trust policy of ddb-role (ddb-role trusts IAM users from the AWS account dev@example.com, 123456789012):
{ "Statement": [
  {
    "Effect": "Allow",
    "Principal": {"AWS": "123456789012"},
    "Action": "sts:AssumeRole"
  }]}
Permissions assigned to ddb-role:
{ "Statement": [
  {
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:BatchGetItem",
      "dynamodb:DescribeTable",
      "dynamodb:ListTables"
    ],
    "Effect": "Allow",
    "Resource": "*"
  }]}
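As an added example (not part of the original deck), the following Python walks the three policies of the cross-account slide offline and checks the whole chain: Greg's identity policy must allow sts:AssumeRole on the role ARN, the trust policy must name Greg's account, and only then does the role's own policy decide the DynamoDB call. It is a deliberately simplified evaluator (Effect/Action/Resource/Principal with wildcards and deny-overrides-allow); conditions, NotAction and resource policies are out of scope, and the policy documents and account IDs are the constructed ones from the slide.

```python
import fnmatch

# Constructed from the slide's example: ddb-role lives in the prod account
# (111122223333); Greg is an IAM user in the dev account (123456789012).
DDB_ROLE_ARN = "arn:aws:iam::111122223333:role/ddb-role"

# Permissions policy attached to ddb-role
DDB_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem",
               "dynamodb:DescribeTable", "dynamodb:ListTables"]}]}
# Identity policy attached to Greg: may assume ddb-role, nothing else
GREG_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Resource": DDB_ROLE_ARN}]}
# Trust policy on ddb-role: who may call sts:AssumeRole on it
DDB_ROLE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                 "Principal": {"AWS": "123456789012"}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # IAM wildcard matching ('*' and '?'); action names are case-insensitive
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def evaluate(policy, action, resource="*"):
    """Simplified IAM logic: implicit deny unless an Allow matches; a matching Deny always wins."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt.get("Resource", "*"), resource):
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            decision = "allow"
    return decision

def trusts(trust_policy, account_id):
    """True if the trust policy lets principals from account_id assume the role.
    A bare account ID in Principal.AWS is shorthand for that account's root ARN."""
    accepted = {account_id, f"arn:aws:iam::{account_id}:root"}
    return any(stmt["Effect"] == "Allow"
               and _matches(stmt["Action"], "sts:AssumeRole")
               and accepted & set(_as_list(stmt.get("Principal", {}).get("AWS", [])))
               for stmt in trust_policy["Statement"])

def can_call_via_role(api_action, caller_account="123456789012"):
    """Greg's policy AND the trust policy must allow AssumeRole; the role's policy then decides."""
    if evaluate(GREG_POLICY, "sts:AssumeRole", DDB_ROLE_ARN) != "allow":
        return False  # caller lacks sts:AssumeRole on this role ARN
    if not trusts(DDB_ROLE_TRUST, caller_account):
        return False  # the role does not trust the caller's account
    return evaluate(DDB_ROLE_POLICY, api_action) == "allow"
```

Either half of the handshake failing (a missing sts:AssumeRole grant or an untrusting role) yields a denial, which is why cross-account debugging should check both sides before looking at the role's permissions.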
17. Use IAM roles for Amazon EC2 instances
Why (Benefits)
• No hard-coded access keys to manage
• Automatic key rotation
• AWS SDKs/CLI fully integrated
Do
• Use roles instead of long-term credentials
• Assign least privilege to the application
18. Demo Time
• Use Switch Role between accounts
• Run the CLI from an EC2 instance with a role
• Questions
– How can I enable SSO to AWS for my users?
19. AWS federation with SAML
Why (Benefits)
• Single Sign On
• Administer AWS using AD
• Established provision/de-provision process for AD users extended to AWS
• Eliminates need for IAM users and groups
• Console and API/CLI
20. AWS federation with SAML
21. SAML Federation Demo
Demo Time
• https://aws.amazon.com/blogs/security/how-to-set-up-sso-to-the-aws-management-console-for-multiple-accounts-by-using-ad-fs-and-saml-2-0/
• https://aws.amazon.com/blogs/security/saml-identity-federation-follow-up-questions-materials-guides-and-templates-from-an-aws-reinvent-2016-workshop-sec306/
• https://aws.amazon.com/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/