SEC303 Top 10 AWS Identity and Access Management Best Practices - AWS re:Invent 2012
© 2012 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
1. Users: Create individual users
Benefits:
• Unique credentials
• Individual credential rotation
• Individual permissions
2. Groups: Manage permissions with groups
Benefits:
• Easier to assign the same permissions to multiple users
• Simpler to re-assign permissions based on a change in responsibilities
• Only one change to update permissions for multiple users
3. Permissions: Grant least privilege
Benefits:
• More granular control
• Less chance of people making mistakes
• Easier to relax than to tighten up
4. Passwords: Configure a strong password policy
Benefits:
• Ensures your users and your data are protected
5. MFA: Enable MFA for privileged users
Benefits:
• Supplements username and password to require a one-time code during authentication
6. Roles: Use IAM roles for EC2 instances
Benefits:
• Easy to manage access keys on EC2 instances
• Automatic key rotation
• Assign least privilege to the application
• AWS SDKs fully integrated
7. Sharing: Use IAM roles to share access
Benefits:
• No need to share security credentials
• Easy to break the sharing relationship
• Use cases
Cross-account access with ddb-role (diagram):

Account A: dev@example.com (Acct ID: 123456789012), IAM user: Jeff
Account B: prod@example.com (Acct ID: 111122223333), role: ddb-role

1. Jeff authenticates with his access keys.
2. Jeff calls STS to get temporary security credentials for ddb-role.
3. Jeff calls AWS APIs using the temporary security credentials of ddb-role.

Permissions assigned to Jeff, granting him permission to assume ddb-role in account B:
{ "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111122223333:role/ddb-role"
}]}

Permissions assigned to ddb-role:
{ "Statement": [{
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:BatchGetItem",
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:DescribeTable",
      "dynamodb:ListTables"
    ],
    "Effect": "Allow",
    "Resource": "*"
}]}

ddb-role trusts IAM users from the AWS account dev@example.com (123456789012):
{ "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "123456789012"},
    "Action": "sts:AssumeRole"
}]}
8. Rotation: Rotate security credentials regularly
Password (sample policy enabling password rotation)
Enforcing a password policy will automatically enable IAM users to manage their password.
{ "Statement": [{
    "Effect": "Allow",
    "Action": "iam:ChangePassword",
    "Resource": "arn:aws:iam::123456789012:user/anders"
}]}
Access Keys (sample policy enabling access key rotation; the slide's "Steps to rotate access keys" panel is not in the transcript)
{ "Statement": [{
    "Effect": "Allow",
    "Action": [
      "iam:CreateAccessKey",
      "iam:DeleteAccessKey",
      "iam:ListAccessKeys",
      "iam:UpdateAccessKey"
    ],
    "Resource": "arn:aws:iam::123456789012:user/anders"
}]}
9. Conditions: Restrict privileged access further with conditions
Benefits:
• Additional granularity when defining permissions
• Can be enabled for any AWS service API
• Minimizes accidentally performing privileged actions
MFA
{ "Statement":[{
    "Effect":"Deny",
    "Action":["ec2:TerminateInstances"],
    "Resource":["*"],
    "Condition":{
      "Null":{"aws:MultiFactorAuthAge":"true"}
    }
}]}
Enables a user to terminate EC2 instances only if the user has authenticated with their MFA device.

SSL
{ "Statement":[{
    "Effect":"Allow",
    "Action":"iam:*AccessKey*",
    "Resource":"arn:aws:iam::123456789012:user/*",
    "Condition":{
      "Bool":{"aws:SecureTransport":"true"}
    }
}]}
Enables a user to manage access keys for all IAM users only if the user is coming over SSL.

SourceIP
{ "Statement":[{
    "Effect":"Allow",
    "Action":["ec2:TerminateInstances"],
    "Resource":["*"],
    "Condition":{
      "IpAddress":{"aws:SourceIP":"192.168.176.0/24"}
    }
}]}
Enables a user to terminate EC2 instances only if the user is accessing EC2 from the 192.168.176.0/24 address range.
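Added example, not part of the deck: a small Python evaluator that applies the deck's own policies from the sharing slide (Jeff and ddb-role) and the three condition policies above, using IAM's default-deny / explicit-deny-wins logic. It shows that the MFA Deny statement only restricts an Allow granted elsewhere (here the SourceIP policy) and that cross-account AssumeRole needs both the caller's permission policy and the role's trust policy. Only the Null, Bool and IpAddress operators used on the slides are implemented; the request-context values are constructed.

```python
import fnmatch
import ipaddress
# Policies transcribed from the slides (account IDs are the deck's sample values).
MFA_DENY = {"Statement": [{"Effect": "Deny", "Action": ["ec2:TerminateInstances"], "Resource": ["*"],
            "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}}]}
SOURCE_IP = {"Statement": [{"Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": ["*"],
             "Condition": {"IpAddress": {"aws:SourceIP": "192.168.176.0/24"}}}]}
SSL_ONLY = {"Statement": [{"Effect": "Allow", "Action": "iam:*AccessKey*", "Resource":
            "arn:aws:iam::123456789012:user/*", "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}
JEFF_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
               "Resource": "arn:aws:iam::111122223333:role/ddb-role"}]}
DDB_ROLE_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "123456789012"},
                  "Action": "sts:AssumeRole"}]}

def _any_match(patterns, value):  # IAM wildcards '*' and '?', matched case-insensitively
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
def _conditions_hold(cond, ctx):
    # Only the three operators the slides use are implemented; every key must hold.
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Null":  # "true" means the key must be ABSENT from the request context
                ok = (have is None) == (want == "true")
            elif op == "Bool":
                ok = have is not None and str(have).lower() == want.lower()
            elif op == "IpAddress":
                ok = have is not None and ipaddress.ip_address(have) in ipaddress.ip_network(want)
            else:
                raise ValueError(f"unsupported condition operator {op}")
            if not ok:
                return False
    return True

def evaluate(policies, action, resource, ctx=None):
    """IAM decision logic: default Deny, a matching Allow allows, a matching Deny always wins."""
    ctx, decision = ctx or {}, "Deny"
    for st in (s for p in policies for s in p["Statement"]):
        if (_any_match(st["Action"], action) and _any_match(st["Resource"], resource)
                and _conditions_hold(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def assume_role_permitted(caller_policy, caller_account, role_arn, trust_policy):
    """Cross-account AssumeRole needs BOTH the caller's permission AND the role's trust policy."""
    caller_ok = evaluate([caller_policy], "sts:AssumeRole", role_arn) == "Allow"
    trusted = any(st["Effect"] == "Allow" and _any_match(st["Action"], "sts:AssumeRole")
                  and _any_match(st["Principal"]["AWS"], caller_account) for st in trust_policy["Statement"])
    return caller_ok and trusted
```

Real IAM also compares condition keys case-insensitively and supports many more operators; this evaluator only reproduces the decisions the slides describe.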
10. Root: Reduce/remove use of root
Summary
1. Users – Create individual users
2. Groups – Manage permissions with groups
3. Permissions – Grant least privilege
4. Password – Configure a strong password policy
5. MFA – Enable MFA for privileged users
6. Roles – Use IAM roles for EC2 instances
7. Sharing – Use IAM roles to share access
8. Rotate – Rotate security credentials regularly
9. Conditions – Restrict privileged access further with conditions
10. Root – Reduce/remove use of root
Related sessions
Code    Session                                                Time
SEC101  A Guided Tour of AWS Identity and Access Management    Wednesday 11/28 2.05pm
SEC302  Delegating Access to Your AWS Environment              Wednesday 11/28 3.25pm
SEC303  TOP 10 IAM Best Practices                              Thursday 11/29 3pm

• Learn more from our detail page: http://aws.amazon.com/iam
• AWS forum where we hang out: https://forums.aws.amazon.com/forum.jspa?forumID=76
• Documentation: http://aws.amazon.com/documentation/iam/
• Twitter
  - Follow us @AWSIdentity
  - #reinvent
We are sincerely eager to hear your feedback on this presentation and on re:Invent. Please fill out an evaluation form when you have a chance.