Identity and Access Management
Erik Paulsson
https://www.linkedin.com/in/erikpaulsson
Agenda / Topics
• Basics
o What is IAM?
o What to do right after creating an AWS account
o What are the main components of IAM?
• What not to do
o Don’t be that person / company…
• Intermediate
o Least privilege access permissions
o How to manage / distribute AWS creds
o How to write code that auto-discovers AWS creds
o AWS Services that support IAM and at what level
• Advanced
o Temporary credentials / Avoiding long-lived creds
o AWS account federation / SSO
What is AWS IAM?
• Identity and Access Management is an AWS service that enables you to provide fine-grained access control to:
o Interact with AWS services on behalf of your AWS account
o Interact with AWS resources created in your AWS account
• The main components are:
o IAM Users
o IAM Groups
o IAM Roles
o IAM Policies
IAM Users
• Can have a username / password to log in to the AWS Console
• Can have AWS credentials for making API calls to interact with AWS services
• New IAM users have no permissions to do anything (implicit deny all). Permissions must be explicitly granted.
• An IAM user doesn't necessarily have to represent an actual person. An IAM user is really just an identity with associated permissions.
o An IAM User with only AWS creds can be created so the creds can be used by an application to make API calls into AWS.
IAM Groups
• A collection of IAM Users
• You assign permissions to the IAM Group; all IAM Users in the Group inherit those permissions.
o Implicit deny of permissions applies to IAM Groups as well
IAM Roles / Instance Profiles
• IAM Roles define permissions much like an IAM User
o IAM Roles do NOT have:
• Username/password like an IAM User can
• AWS creds that can be retrieved like an IAM User's creds
• The permissions of an IAM Role can be granted / assigned to an EC2 instance
o An Instance Profile is just a “container” for one or more IAM Roles
o An Instance Profile is what you actually assign to an EC2 instance
• IAM Roles and Instance Profiles provide enhanced security because these structures provide temporary AWS creds
o These temporary creds are made available by the EC2 metadata service
• … More on IAM Roles later
IAM Policies
• When you create an IAM Group, User, or Role in your AWS account, you associate an IAM policy with it, which specifies the permissions that you want to grant.
• IAM Policies are JSON formatted documents that define AWS permissions
• Working with IAM Policies
Security firsts for new AWS accounts
• For AWS root account:
o Store username/password somewhere safe and secure
o Set up multi-factor authentication
• Create IAM User(s) with "least privileges" necessary
o Least privilege = only the permissions necessary to accomplish needed tasks
• After IAM Users have been created never use the root account again
o An IAM User with root permissions can be created
• If IAM Users have username/password for AWS console login then they should also have multi-factor authentication (MFA) enabled
o https://aws.amazon.com/iam/details/mfa/
• If you don’t want some users having access to billing
o Control access to AWS account billing through IAM
• IAM controls “the keys to the (AWS) kingdom”
o Only highly privileged users should have permissions to perform IAM actions
Getting AWS credentials onto EC2 instances
• Always use an IAM Role / Instance Profile
• Never ever..... ever
o Self manage credentials for EC2 instances (environment variables, etc)
o Put AWS credentials into source code or config files
• Don't make yourself or your company a victim like these guys:
o Key slurping bots crawl GitHub, use creds to run EC2 instances for bitcoin mining
• http://www.theregister.co.uk/2015/01/06/dev_blunder_shows_github_crawling_with_keyslurping_bots
o Companies have gone out of business because they were careless with their AWS creds
• CodeSpaces had EVERYTHING deleted
o http://arstechnica.com/security/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/
…continued
Getting creds onto EC2 instances
• Use IAM Instance Profile assigned to EC2 instance
• An Instance Profile is created from an IAM Role
• The instance profile must be assigned to an EC2 instance when it is launched
• AWS credentials retrieved through the EC2 metadata service
o curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<instance-profile-name>
• These temporary credentials never have to be shared or managed by developers
• These temporary AWS credentials are automatically rotated so the instance always has valid credentials
• http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-usingrole-instanceprofile.html
• http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-usingrole-ec2instance.html
How can code use Instance Profile creds?
• All AWS SDKs have a built-in way to auto-discover AWS credentials on EC2 instances
o Simplifies code by not having to explicitly set AWS credentials
• SDKs for all languages can automatically check standard locations for AWS credentials to use:
o Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY (legacy, not recommended anymore)
o Credentials file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI (great for applications/scripts being run outside of AWS)
o Instance Profile Credentials - delivered through the Amazon EC2 metadata service (best practice for getting AWS creds onto EC2 instances)
• Example - Java SDK docs which document AWS creds auto-discovery:
o http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/AmazonS3Client.html - AmazonS3Client()
Local development
• If you are running scripts or an application locally that needs to call AWS APIs then store AWS creds in the AWS “credentials” file:
o http://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and-Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs
• Allows you to define multiple sets of credentials, each identified by a profile name
• A “default” profile name can be defined so a profile doesn’t have to be specified in your code/script
• AWS CLI (command line interface)
o http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-multiple-profiles
o aws s3 cp ./awesome.tgz s3://mybucket/path/to/awesome/files/ (uses default profile defined in ~/.aws/credentials file)
o aws s3 cp ./awesome.tgz s3://mybucket/path/to/awesome/files/ --profile user2 (uses user2 profile defined in ~/.aws/credentials file)
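As an added example (not code from the deck), here is the credential lookup chain the two slides above describe, written in plain Python without the AWS SDK so it runs offline: environment variables, then a named profile in ~/.aws/credentials, then the EC2 metadata service, plus the expiry check a refresher needs for the temporary creds. The credentials file text, the metadata responses, the role name app-role and all key values are constructed samples, and fake_fetch stands in for the HTTP GET against 169.254.169.254.

```python
import configparser
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Mapping, Optional

# Path behind the deck's curl command; listing it returns the instance profile's role name.
IMDS_CREDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"


@dataclass
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None    # only temporary (role) creds carry a token
    expiration: Optional[datetime] = None  # only temporary creds expire
    source: str = ""                       # which step of the chain produced them


def parse_utc(timestamp: str) -> datetime:
    """Metadata timestamps look like 2015-03-31T20:09:26Z."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def from_environment(env: Mapping[str, str]) -> Optional[Credentials]:
    """Step 1: environment variables (the deck flags these as legacy).
    AWS_SECRET_ACCESS_KEY is the current variable name; AWS_SECRET_KEY is the older one."""
    key = env.get("AWS_ACCESS_KEY_ID")
    secret = env.get("AWS_SECRET_ACCESS_KEY") or env.get("AWS_SECRET_KEY")
    if not key or not secret:
        return None
    return Credentials(key, secret, env.get("AWS_SESSION_TOKEN"), None, "environment")


def from_credentials_file(text: str, profile: str = "default") -> Optional[Credentials]:
    """Step 2: the shared ~/.aws/credentials file (INI format, one section per profile)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if not cfg.has_section(profile):
        return None
    section = cfg[profile]
    if "aws_access_key_id" not in section or "aws_secret_access_key" not in section:
        return None
    return Credentials(section["aws_access_key_id"], section["aws_secret_access_key"],
                       section.get("aws_session_token"), None, "profile:" + profile)


def from_instance_metadata(fetch: Callable[[str], str]) -> Optional[Credentials]:
    """Step 3: EC2 instance metadata; fetch(url) returns the response body as text.
    The per-role document is JSON with AccessKeyId, SecretAccessKey, Token and Expiration."""
    try:
        role_name = fetch(IMDS_CREDS_URL).strip().splitlines()[0]
        doc = json.loads(fetch(IMDS_CREDS_URL + role_name))
    except (OSError, ValueError, IndexError):
        return None  # not on EC2, or no instance profile attached
    if doc.get("Code") != "Success":
        return None
    return Credentials(doc["AccessKeyId"], doc["SecretAccessKey"], doc["Token"],
                       parse_utc(doc["Expiration"]), "instance-profile:" + role_name)


def resolve_credentials(env: Mapping[str, str], credentials_file_text: str,
                        profile: str, fetch: Callable[[str], str]) -> Credentials:
    """Walk the chain in the order the deck lists it; the first provider that answers wins."""
    for provider in (lambda: from_environment(env),
                     lambda: from_credentials_file(credentials_file_text, profile),
                     lambda: from_instance_metadata(fetch)):
        creds = provider()
        if creds is not None:
            return creds
    raise RuntimeError("no AWS credentials in environment, credentials file or instance metadata")


def needs_refresh(creds: Credentials, now: datetime, margin: timedelta = timedelta(minutes=5)) -> bool:
    """Temporary creds are re-read from the metadata service shortly before they expire;
    static user keys have no expiration and never rotate by themselves."""
    return creds.expiration is not None and now + margin >= creds.expiration


# --- constructed sample inputs (not real keys) --------------------------------------------
SAMPLE_CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIADEFAULTEXAMPLE
aws_secret_access_key = DefaultSecretExample

[user2]
aws_access_key_id = AKIAUSER2EXAMPLE
aws_secret_access_key = User2SecretExample
"""

SAMPLE_IMDS = {
    IMDS_CREDS_URL: "app-role\n",
    IMDS_CREDS_URL + "app-role": json.dumps({
        "Code": "Success", "AccessKeyId": "ASIAROLEEXAMPLE",
        "SecretAccessKey": "RoleSecretExample", "Token": "RoleSessionTokenExample",
        "Expiration": "2015-03-31T20:09:26Z"}),
}


def fake_fetch(url: str) -> str:
    """Stand-in for an HTTP GET against the metadata service, answering from SAMPLE_IMDS."""
    if url not in SAMPLE_IMDS:
        raise OSError("no such metadata path: " + url)
    return SAMPLE_IMDS[url]
```

With an empty environment and no credentials file, resolve_credentials falls through to the metadata service, which is exactly what happens on an instance launched with an instance profile.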
IAM least privilege rights
• "Anything" with AWS access should have the minimal rights it needs to accomplish its specific actions
• "Anything" with AWS access refers to the following:
o IAM Users or Groups
o IAM Roles / Instance Profiles
• IAM Roles can be assumed by end users
• Instance Profiles can be assigned to EC2 instances
o Your applications or scripts (which use IAM Role or User creds)
• Example: if an application only needs read access to files in S3, then create an IAM Role with only “GetObject” rights on S3.
S3 IAM Policies
• Granting access to an S3 bucket (Simple)
• Granting access to specific “folders” in S3 bucket
• S3 Actions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::test"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::test/*"]
    }
  ]
}
Amazon Resource Names (ARNs)
• ARNs are unique identifiers for AWS resources.
• Format of an ARN:
o arn:partition:service:region:account-id:resource
o arn:partition:service:region:account-id:resourcetype/resource
o arn:partition:service:region:account-id:resourcetype:resource
• Details of ARNs for each AWS Service
o http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
Elements of an IAM Policy
• Main elements of an IAM Policy
o Version
o Statement
• Main element of the policy
• Contains an array of statements
• Each statement defines whether permissions are allowed or denied for certain service actions against particular resources. These are defined by the values of the following elements in each statement:
o Effect – Allow or Deny
o Action – array of service actions
o Resource – array of ARNs that actions can occur on
o Principal – identifies who/what is allowed/denied access
• Details on IAM Policy elements
o http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html
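An added example (not from the deck) that applies the policy evaluation rules above to the policy on the S3 IAM Policies slide and to the read-only variant the least-privilege slide calls for: implicit deny by default, a matching Allow grants, an explicit Deny always wins, and IAM's * and ? wildcards in Action and Resource. It models only the Effect, Action and Resource elements of an identity-based policy; Principal, Condition, NotAction and resource policies are out of scope. The NO_DELETE_POLICY guard rail and the reports/ prefix are constructed for the demonstration.

```python
import re
from typing import Any, Dict, List, Union

Policy = Dict[str, Any]


def _wildcard_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one.
    Action names compare case-insensitively; resource ARNs are case-sensitive."""
    pieces = [".".join(re.escape(seg) for seg in piece.split("?")) for piece in pattern.split("*")]
    regex = "^" + ".*".join(pieces) + "$"
    return re.match(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """Action and Resource may be written as a single string or as an array."""
    return [value] if isinstance(value, str) else list(value)


def evaluate(policy: Policy, action: str, resource: str) -> str:
    """Decide one request the way IAM evaluates an identity-based policy:
    implicit deny unless a statement allows, and an explicit Deny always wins."""
    statements = policy["Statement"]
    if isinstance(statements, dict):   # a single statement may be written without the array
        statements = [statements]
    decision = "Deny"                  # implicit deny: the deck's "no permissions to do anything"
    for stmt in statements:
        action_hit = any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wildcard_match(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"              # explicit Deny overrides any Allow in the policy
        decision = "Allow"
    return decision


def allowed_actions(policy: Policy, candidates: List[str], resource: str) -> List[str]:
    """Least-privilege review helper: which candidate actions does this policy grant on the resource?"""
    return [a for a in candidates if evaluate(policy, a, resource) == "Allow"]


# The policy from the deck's S3 slide: list the "test" bucket, read/write/delete objects in it.
DECK_S3_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::test"]},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::test/*"]},
    ],
}

# The least-privilege variant the deck asks for when an application only needs to read objects,
# narrowed further to one "folder" (key prefix) of the bucket.
READ_ONLY_S3_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": ["arn:aws:s3:::test/reports/*"]}],
}

# Constructed guard-rail policy: a broad Allow with an explicit Deny on deletes.
NO_DELETE_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::test/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::test/*"},
    ],
}

S3_ACTIONS = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:DeleteBucket"]

if __name__ == "__main__":
    # Object-level actions are checked against object ARNs, bucket-level ones against the bucket ARN.
    print(allowed_actions(DECK_S3_POLICY, S3_ACTIONS, "arn:aws:s3:::test/reports/2015.csv"))
    print(allowed_actions(DECK_S3_POLICY, S3_ACTIONS, "arn:aws:s3:::test"))
```

Note that s3:ListBucket is granted on the bucket ARN and the object actions on test/*, so a request for ListBucket against an object ARN (or GetObject against the bare bucket ARN) is denied even by the deck's policy.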
Advanced uses of IAM Roles
• IAM Roles can be “assumed” by:
o IAM Users in either the same or a different AWS account
o AWS services (EC2 instances or even another IAM Role)
o External users authenticated outside of AWS (Federation)
• IAM Roles provide enhanced security:
o Temporary credentials
• If credentials do get compromised they won’t be valid for long
• “Long-lived” credentials are bad… mmmmmkkk
o Users can be logged into the AWS console without username/password
o Temporary credentials + Least privilege permissions!!!
AWS Federation
• My real world scenario
o Many AWS accounts
o Many users needing access to 1 or many AWS accounts
o Management of many of the “same” IAM Users and Groups across many
AWS accounts
• Equals…
o Maintenance nightmare
o Potential for security lapses when employee leaves company
• What AWS accounts did the employee have access to?
• Have to delete IAM User from each AWS account
• Most mid to large companies have a central
Identity Provider
o Active Directory
o Federation could also use social login providers
…continued
AWS Federation
• We took a web application that uses SSO via SAML to authenticate with our corp AD
o Runs in AWS on an EC2 instance with an Instance Profile that has rights to “assume” Roles
o The IAM Roles that can be “assumed” can exist in any AWS account as long as a trust relationship is created.
o IAM Roles are kept track of in the application DB
o For each user of this web application 0 or more IAM Roles can be mapped to a user
o The application can then retrieve temporary credentials from a Role on behalf of a user of the web application
• AWS creds can be returned to the user for local use
• AWS console access can be granted based on permissions of the IAM Role
• Simplified solution
o Delete all IAM Users across all AWS accounts
o Replace all IAM Groups with IAM Roles in each AWS account
o One set of users (web application users) that can be granted access to any IAM Role from any AWS account.
o Enhances security
• If a user leaves the company they are removed from corporate AD, no longer have access to the web application and therefore no more access to any AWS accounts
• TEMPORARY AWS creds (only last 1 hour, AWS allowed max… for now)
• Creating a URL that Enables Federated Access to the AWS Management Console
o Java example code
AWS Console Federated Username
• Federated Login/Identifier uses the name of the IAM Role that was used plus a specified identifier.
• It is cut off in this image
• AutomationFederationRoles-AutomationAdmins-1VGJS9PG5J8JO/erik.paulsson
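An added example (not the deck's Java code) for the two federation slides above: building the console sign-in URL from AssumeRole temporary credentials through the signin.aws.amazon.com/federation endpoint, and deriving the RoleName/SessionName that the console displays from the AssumedRoleUser ARN that AssumeRole returns. The temporary credentials, the 123456789012 account ID, the issuer URL and fake_fetch are constructed; in practice step 1 is an unsigned HTTPS GET and the resulting login URL is handed to the user's browser.

```python
import json
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"


def session_json(temp_creds: Dict[str, str]) -> str:
    """The federation endpoint expects the AssumeRole credentials under these exact key names."""
    return json.dumps({
        "sessionId": temp_creds["AccessKeyId"],
        "sessionKey": temp_creds["SecretAccessKey"],
        "sessionToken": temp_creds["SessionToken"],
    })


def signin_token_url(temp_creds: Dict[str, str], session_duration: Optional[int] = None) -> str:
    """Step 1: exchange the temporary credentials for a short-lived sign-in token."""
    params = {"Action": "getSigninToken", "Session": session_json(temp_creds)}
    if session_duration is not None:
        params["SessionDuration"] = str(session_duration)  # seconds; honoured for AssumeRole creds
    return FEDERATION_ENDPOINT + "?" + urlencode(params)


def console_login_url(signin_token: str, issuer: str, destination: str = CONSOLE_URL) -> str:
    """Step 2: the URL given to the browser. Issuer is where the console sends the user when
    the session expires (the SSO web application, in the deck's setup)."""
    return FEDERATION_ENDPOINT + "?" + urlencode({
        "Action": "login", "Issuer": issuer, "Destination": destination, "SigninToken": signin_token,
    })


def build_console_url(temp_creds: Dict[str, str], issuer: str, fetch: Callable[[str], str],
                      destination: str = CONSOLE_URL) -> str:
    """Full flow; fetch(url) performs the HTTPS GET of step 1 and returns its JSON body."""
    token = json.loads(fetch(signin_token_url(temp_creds)))["SigninToken"]
    return console_login_url(token, issuer, destination)


def url_params(url: str) -> Dict[str, str]:
    """Decode a federation URL's query string (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def federated_display_name(assumed_role_arn: str) -> str:
    """What the console shows for a federated session: RoleName/RoleSessionName, taken from the
    AssumedRoleUser.Arn of the AssumeRole response (arn:aws:sts::<account>:assumed-role/<role>/<session>)."""
    parts = assumed_role_arn.split(":", 5)
    if len(parts) != 6:
        raise ValueError("not an ARN: " + assumed_role_arn)
    kind, _, name = parts[5].partition("/")
    if kind != "assumed-role" or "/" not in name:
        raise ValueError("not an assumed-role ARN: " + assumed_role_arn)
    return name


# Constructed sample with the shape STS AssumeRole returns under "Credentials" (not real keys).
SAMPLE_TEMP_CREDS = {
    "AccessKeyId": "ASIAEXAMPLEFEDERATED",
    "SecretAccessKey": "ExampleSecretKey",
    "SessionToken": "ExampleSessionToken",
}


def fake_fetch(url: str) -> str:
    """Stand-in for the HTTPS GET in step 1: checks the request shape, returns a constructed token."""
    params = url_params(url)
    if params["Action"] != "getSigninToken":
        raise ValueError("unexpected Action: " + params["Action"])
    if json.loads(params["Session"])["sessionId"] != SAMPLE_TEMP_CREDS["AccessKeyId"]:
        raise ValueError("Session does not carry the temporary credentials")
    return json.dumps({"SigninToken": "constructed-signin-token"})


if __name__ == "__main__":
    print(build_console_url(SAMPLE_TEMP_CREDS, "https://sso.example.com", fake_fetch))
    print(federated_display_name("arn:aws:sts::123456789012:assumed-role/"
                                 "AutomationFederationRoles-AutomationAdmins-1VGJS9PG5J8JO/erik.paulsson"))
```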
AWS Federation
Local dev with temp creds
• It is a pain for developers and cloud admins to work locally when AWS creds expire
o Every hour have to:
• Retrieve new AWS creds from web application
• Copy/paste into local AWS credentials file
• Solution
o Wrote small GUI tool
• Local thick client since it needs to write to the file system
• User still authenticates to the same web application using SSO
• Tool retrieves new credentials on an hourly schedule from the web application's REST APIs
• Writes these AWS credentials to the local AWS credentials file
o Tool allows users to retrieve creds for 0 or more of the IAM Roles they are allowed to use
o A credentials profile name can be assigned to each
o Used NW.js to build client (formerly known as “node-webkit”)
• Single code base
• Compiles to a self-contained executable for all platforms (Linux, Mac, Win)
• No run-time dependencies (JRE, python, etc)
o Just download and run
Other Links
• Advanced Assume Role using “policy” parameter:
o http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
• IDC White Paper: You can be more secure in the cloud than in your own data center
• AWS in Plain English
o https://www.expeditedssl.com/aws-in-plain-english
