(sec305) iam best practices | aws re:invent 2014
DESCRIPTION
Ever wondered how to help secure your AWS environment? This session explains a series of best practices that help you do just that with AWS Identity and Access Management (IAM). We discuss how to create great access policies; manage security credentials (access keys, password, multi-factor authentication (MFA) devices, etc.); how to set up least privilege; how to minimize the use of your root account, and much, much more.TRANSCRIPT
November 12, 2014 | Las Vegas, NV
Oops, looks
like a 0-based
code error
0. UsersCreate individual users
Benefits How to get started
1. PermissionsGrant least privilege
Benefits How to get started
IMPORTANT NOTE: Permissions do not apply to root!
2. GroupsManage permissions with groups
Benefits How to get started
3. ConditionsRestrict privileged access further with conditions
Benefits How to get started
{ "Statement":[{"Effect":"Allow","Action":["ec2:TerminateInstances"],"Resource":["*"],"Condition":{
"Null":{"aws:MultiFactorAuthAge":"false"}}
}]
}
Enables a user to terminate EC2 instances only
if the user has authenticated with their MFA
device.
MFA
{"Statement":[{ "Effect":"Allow", "Action":"iam:*AccessKey*","Resource”:"arn:aws:iam::123456789012:user/*", "Condition":{
"Bool":{"aws:SecureTransport":"true"}}
}]
}
Enables a user to manage access keys for all
IAM users only if the user is coming over SSL.
SS
L
{"Statement":[{ "Effect":"Allow", "Action":["ec2:TerminateInstances“],"Resource":["*“], "Condition":{
"IpAddress":{"aws:SourceIP":"192.168.176.0/24"}}
}]
}
Enables a user to terminate EC2 instances only if the
user is accessing Amazon EC2 from the 192.168.176.0/24
address range.
So
urc
eIP
{"Statement":[{"Effect": "Allow","Action":"ec2:TerminateInstances","Resource": "*","Condition":{
"StringEquals":{"ec2:ResourceTag/Environment":"Dev"}}
}]
}
Enables a user to terminate EC2 instances only if the
instance is tagged with “Environment=Dev”.Ta
gs
{ "Sid": "ThisBitGrantsAccessToResourcesForTerminateInstances", "Effect": "Allow", "Action":"ec2:TerminateInstances", "Resource": "*", "Condition": { "StringEquals": {"ec2:ResourceTag/Environment": "Dev"} } }{ "Sid": "ThisBitGrantsAccessToResourcesForTerminateInstances", "Effect": "Allow", "Action":"ec2:TerminateInstances", "Resource": "*", "Condition": { "StringEquals": {"ec2:ResourceTag/Environment": "Dev"} } }
{ "Sid": "ThisBitGrantsAccessToResourcesForTerminateInstances", "Effect": "Allow", "Action":"ec2:TerminateInstances", "Resource": "*", "Condition": { "StringEquals": {"ec2:ResourceTag/Environment": "Dev"} } }
4. AuditingEnable AWS CloudTrail to get logs of API calls
4. Enable AWS CloudTrail to get logs of API calls
Benefits
• Visibility into your user activity
by recording AWS API calls to
an Amazon S3 bucket
How to get started
• Set up an Amazon S3
bucket
• Enable AWS CloudTrail
Ensure the services you want are integrated with AWS CloudTrail
Manage Users and Permissions
5. PasswordsConfigure a strong password policy
Benefits How to get started
IMPORTANT NOTE: Password policy does not apply to root!
6. RotationRotate (or delete) security credentials regularly
Benefits How to get started
(enable password rotation sample policy)
Password{"Version":"2012-10-17","Statement": [{"Effect": "Allow","Action": "iam:ChangePassword","Resource":
"arn:aws:iam::123456789012:user/${aws:username}"}
]}
Enforcing a password policy will automatically enable
IAM users to manage their passwords
Note the use of
a policy
variable
(enable access key rotation sample policy)
Access Keys
{"Version":"2012-10-17","Statement": [{"Effect": "Allow","Action": [
"iam:CreateAccessKey","iam:DeleteAccessKey","iam:ListAccessKeys","iam:UpdateAccessKey"],
"Resource": "arn:aws:iam::123456789012:user/${aws:username}"
}]
}
(enable access key rotation sample policy)
Access Keys{"Version":"2012-10-17","Statement": [{"Effect": "Allow","Action": [
"iam:CreateAccessKey","iam:DeleteAccessKey","iam:ListAccessKeys","iam:UpdateAccessKey"],
"Resource": "arn:aws:iam::123456789012:
user/${aws:username}"}
]}
1. While the first set of credentials is still active, create a second set of credentials, which will also be active by default.
2. Update all applications to use the new credentials.
3. Change the state of the first set of credentials to Inactive.
4. Using only the new credentials, confirm that your applications are working well.
5. Delete the first set of credentials.
Steps to rotate access keys
7. MFAEnable multi-factor authentication for privileged users
Benefits How to get started
8. SharingUse IAM roles to share access
Benefits How to get started
ExternalID
IMPORTANT NOTE: Never share credentials.
[email protected] ID: 111122223333
ddb-role
{ "Statement": [{
"Action": ["dynamodb:GetItem","dynamodb:BatchGetItem","dynamodb:Query","dynamodb:Scan","dynamodb:DescribeTable","dynamodb:ListTables"
],"Effect": "Allow","Resource": "*"
}]}
[email protected] ID: 123456789012
Authenticate with
Jeff access keys
Get temporary
security credentials
for ddb-role
Call AWS APIs
using temporary
security credentials
of ddb-role
{ "Statement": [{"Effect": "Allow","Action": "sts:AssumeRole","Resource":
"arn:aws:iam::111122223333:role/ddb-role"}]}
{ "Statement": [{"Effect":"Allow","Principal":{"AWS":"123456789012"},"Action":"sts:AssumeRole"
}]}
ddb-role trusts IAM users from the AWS account
[email protected] (123456789012)
Permissions assigned to Jeff granting him permission
to assume ddb-role in account B
IAM user: Jeff
Permissions assigned
to ddb-role
STS
External access
User
Login With Amazon
Open ID Connect
SAML
Authenticate with
Users tokens
9. RolesUse IAM roles for Amazon EC2 instances
Benefits How to get started
Manage Credentials
10. Root Reduce or remove use of root
Benefits How to get started
0. Users
1. Permissions
2. Groups
3. Conditions
4. Auditing
0. Users
1. Permissions
2. Groups
3. Conditions
4. Auditing
5. Passwords
6. Rotation
7. MFA
8. Sharing
9. Roles
10.Root
http://aws.amazon.com/iam
https://forums.aws.amazon.com/forum.jspa?forumID=76
http://aws.amazon.com/documentation/iam/
http://blogs.aws.amazon.com/security
http://aws.amazon.com/cloudtrail/
@AWSIdentity
Session When Where
SEC302 – Delegating Access to your AWS
Environment
Wednesday 11/12, 2.15pm Palazzo J
SEC304 – Bring Your Own Identities – Federating
Access to your AWS Environment
Wednesday 11/12, 4.30pm Palazzo J
SEC303 – Mastering Access Control Policies Thursday 11/13, 3.15pm Palazzo J
SEC306 – Turn on CloudTrail. Log API Activity in
your AWS account
Thursday 11/13, 3.15pm Lando 4305
MBL401 – Social Logins for Mobile Apps with
Amazon Cognito
Thursday 11/13, 3.15pm Palazzo B
Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals