SlideShare a Scribd company logo

AWS IAM and security

Download as PPTX, PDF
••
Erik Paulsson, profile picture
Erik Paulsson

The document provides a comprehensive overview of Identity and Access Management (IAM) within AWS, detailing essential concepts such as IAM users, groups, roles, and policies. It emphasizes the importance of implementing least privilege access and avoiding common security pitfalls, particularly regarding the management of AWS credentials. Additionally, it discusses advanced IAM features like temporary credentials, account federation, and best practices for securing AWS resources and permissions.

Technology
1 of 22
Downloaded 449 times
1
2
Most read
3
4
Most read
5
Most read
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Identity and Access Management Erik Paulsson https://www.linkedin.com/in/erikpaulsson
Agenda / Topics • Basics o What is IAM? o What to do right after creating an AWS account o What are the main components of IAM? • What not to do o Don’t be that person / company… • Intermediate o Least privilege access permissions o How to manage / distribute AWS creds o How to write code that auto-discovers AWS creds o AWS Services that support IAM and at what level • Advanced o Temporary credentials / Avoiding long-lived creds o AWS account federation / SSO
What is AWS IAM? • Identity and Access Management is an AWS service that enables you to provide fine grained access control to: o Interact with AWS services on behalf of your AWS account o Interact with AWS resources created in your AWS account • The main components are: o IAM Users o IAM Groups o IAM Roles o IAM Polices
IAM Users • Can have username / password to login to the AWS Console • Can have AWS credentials for making API calls to interact with AWS services • New IAM users have no permissions to do anything, implicit deny all. Permissions must be explicitly granted. • An IAM user doesn't necessarily have to represent an actual person. An IAM user is really just an identity with associated permission. o An IAM User with only AWS creds can be created so the creds can be used by an application to make API calls into AWS.
IAM Groups • A collection of IAM Users • You assign permissions to the IAM Group, all IAM Users in the Group inherit those permissions. o Implicit deny of permissions applies to IAM Groups as well
IAM Roles / Instance Profiles • IAM Roles define permissions much like an IAM User o IAM Roles do NOT have: • Username/password like an IAM User can • AWS creds that can be retrieved like an IAM User creds • The permissions of an IAM Role can be granted / assigned to an EC2 instance o An Instance Profile is just a “container” for one or more IAM Roles o An Instance Profile is what you actually assign to an EC2 instance • IAM Roles and Instance Profiles provide enhanced security because these structures provide temporary AWS creds o These temporary creds are made available by the EC2 meta-data service • … More on IAM Roles later
IAM Policies • When you create an IAM Group, User, or Role in your AWS account, you associate an IAM policy with it, which specifies the permissions that you want to grant. • IAM Polices are JSON formatted documents that define AWS permissions • Working with IAM Policies
Security firsts for new AWS accounts • For AWS root account: o Store username/password somewhere safe and secure o Setup multi-factor authentication • Create IAM User(s) with "least privileges" necessary o Least privilege = only the permissions necessary to accomplish needed tasks • After IAM Users have been created never use root account again o An IAM User with root permissions can be created • If IAM Users have username/password for AWS console login then they should also have multi factor authentication (MFA) enabled o https://aws.amazon.com/iam/details/mfa/ • If you don’t want some users having access to billing o Control access to AWS account billing through IAM • IAM controls “the keys to the (AWS) kingdom” o Only highly privileged users should have permissions to perform IAM actions
Getting AWS credentials onto EC2 instances • Always use an IAM Role / Instance Profile • Never ever..... ever o Self manage credentials for EC2 instances (environment variables, etc) o Put AWS credentials into source code or config files • Don't make yourself or company a victim like these guys: o Key slurping bots crawl github, use creds to run EC2 instances for bitcoin mining • http://www.theregister.co.uk/2015/01/06/dev_blunder_shows_github_ crawling_with_keyslurping_bots o Companies have gone out of business because they were careless with their AWS creds • CodeSpaces had EVERYTHING deleted o http://arstechnica.com/security/2014/06/aws-console-breach- leads-to-demise-of-service-with-proven-backup-plan/
…continued Getting creds onto EC2 instances • Use IAM Instance Profile assigned to EC2 instance • An Instance Profile is created from an IAM Role • The instance profile must be assigned to an EC2 instance when it is launched • AWS credentials retrieved through the EC2 metadata service o curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<instance- profile-name> • These temporary credentials never have to be shared or managed by developers • These temporary AWS credentials are automatically rotated so instance always has valid credentials • http://docs.aws.amazon.com/IAM/latest/UserGuide/roles- usingrole-instanceprofile.html • http://docs.aws.amazon.com/IAM/latest/UserGuide/roles- usingrole-ec2instance.html
How can code use Instance Profile creds? • All AWS SDKs have a built in way to auto-discover AWS credentials on EC2 instances o Simplifies code by not having to explicitly set AWS credentials • SDKs for all languages can automatically check standard locations for AWS credentials to use: o Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY (legacy, not recommended anymore) o Credentials file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI (great for applications/scripts being run outside of AWS) o Instance Profile Credentials - delivered through the Amazon EC2 metadata service (best practice for getting AWS creds onto EC2 instances) • Example - Java SDK docs which document AWS creds auto-discovery: o http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws /services/s3/AmazonS3Client.html - AmazonS3Client()
Local development • If you are running scripts or an application locally that needs to call AWS APIs then store AWS creds in the AWS “credentials” file: o http://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and- Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs • Allows you to define multiple sets of credentials each identified by a profile name • A “default” profile name can be defined so a profile doesn’t have to be specified in your code/script • AWS CLI (command line interface) o http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting- started.html#cli-multiple-profiles o aws s3 cp ./awesome.tgz s3://mybucket/path/to/awesome/files/ (uses default profile defined in ~/.aws/credentials file) o aws s3 cp ./awesome.tgz s3://mybucket/path/to/awesome/files/ --profile user2 (uses user2 profile defined in ~/.aws/credentials file)
IAM least privilege rights • "Anything" with AWS access should have the minimal rights it needs to accomplish its specific actions • "Anything" with AWS access refers to the following: o IAM Users or Groups o IAM Roles / Instance Profiles • IAM Roles can be assumed by end users • Instance Profiles can be assigned to EC2 instances o Your applications or scripts (which use IAM Role or User creds) • Example: if an application only needs read access to files in S3, then create an IAM Role with only “GetObject” rights on S3.
S3 IAM Policies • Granting access to an S3 bucket (Simple) • Granting access to specific “folders” in S3 bucket • S3 Actions { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::test"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": ["arn:aws:s3:::test/*"] } ] }
Amazon Resource Names (ARNs) • ARNs are unique identifiers for AWS resources. • Format of an ARN: o arn:partition:service:region:account-id:resource o arn:partition:service:region:account-id:resourcetype/resource o arn:partition:service:region:account-id:resourcetype:resource • Details of ARNs for each AWS Service o http://docs.aws.amazon.com/general/latest/gr/aws-arns-and- namespaces.html
Elements of an IAM Policy • Main elements of an IAM Policy o Version o Statement • Main element of the policy • Contains an array of statements • Each statement defines whether permissions are allowed or denied for certain service actions against particular resources. These are defined by the values of the following elements in each statement: o Effect – Allow or Deny o Action – array of service actions o Resource – array of ARNs that actions can occur on o Principal – identifies who/what is allowed/denied access • Details on IAM Policy elements o http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_e lements.html
Advanced uses of IAM Roles • IAM Roles can be “assumed” by: o IAM Users in the either the same or different AWS account o AWS services (EC2 instances or even another IAM Role) o External users authenticated outside of AWS (Federation) • IAM Roles provide enhanced security: o Temporary credentials • If credentials do get compromised they won’t be valid for long • “Long-lived” credentials are bad… mmmmmkkk o Users can be logged into AWS console without username/password o Temporary credentials + Least privilege permissions!!!
AWS Federation • My real world scenario o Many AWS accounts o Many users needing access to 1 or many AWS accounts o Management of many of the “same” IAM Users and Groups across many AWS accounts • Equals… o Maintenance nightmare o Potential for security lapses when employee leaves company • What AWS accounts did the employee have access to? • Have to delete IAM User from each AWS account • Most mid to large companies have a central Identity Provider o Active Directory o Federation could also use social login providers
…continued AWS Federation • We took a web application that uses SSO via SAML to authenticate with our corp AD o Runs in AWS on EC2 instance with Instance Profile that has rights to “assume” Roles o The IAM Roles that can be “assumed” can exist in any AWS account as long as a trust relationship is created. o IAM Roles are kept track of in the application DB o For each user of this web application 0 or more IAM Roles can be mapped to a user o The application can then retrieve temporary credentials from a Role on behalf of a user of the web application • AWS creds can be returned to user for local use • AWS console access can be granted based on permissions of the IAM Role • Simplified solution o Delete all IAM Users across all AWS accounts o Replace all IAM Groups with IAM Roles in each AWS account o One set of users (web application users) that can be granted access to any IAM Role from any AWS account. o Enhances security • If a user leaves the company they are removed from corporate AD, no longer have access to web application and therefore no more access to any AWS accounts • TEMPORARY AWS creds (only last 1 hour, AWS allowed max… for now) • Creating a URL that Enables Federated Access to the AWS Management Console o Java example code
AWS Console Federated Username • Federated Login/Identifier uses the name of the IAM Role that was used plus a specified identifier. • It is cutoff in this image • AutomationFederationRoles-AutomationAdmins-1VGJS9PG5J8JO/erik.paulsson
AWS Federation Local dev with temp creds • It is a pain for developers and cloud admins to work locally when AWS creds expire o Every hour have to: • Retrieve new AWS creds from web application • Copy/paste into local AWS credentials file • Solution o Wrote small GUI tool • Local thick client since it needs to write to file system • User authenticates to same web application using SSO still • Tool retrieves new credentials on hourly schedule from web application REST APIs • Writes these AWS credentials to local AWS credentials file o Tool allows users to retrieve creds for 0 or more of the IAM Roles they are allowed to use o A credentials profile name can be assigned to each o Used NW.js to build client (formerly known as “node-webkit”) • Single code base • Compiles to self executable for all platforms (Linux, Mac, Win) • No run-time dependencies (JRE, python, etc) o Just download and run
Other Links • Advanced Assume Role using “policy” parameter: o http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.h tml • IDC White Paper: You can be more secure in the cloud than in your own data center • AWS in Plain English o https://www.expeditedssl.com/aws-in-plain-english

More Related Content

What's hot (20)

PPTX
Elastic Compute Cloud (EC2) on AWS Presentation
Knoldus Inc.
 
PPTX
AWS SQS SNS
Durgesh Vaishnav
 
PPTX
Aws ppt
RamyaG50
 
PPTX
What is AWS?
Martin Yan
 
PPTX
AWS VPC & Networking basic concepts
Abhinav Kumar
 
PDF
Iam presentation
AWS UG PK
 
PDF
Fundamentals of Cloud Computing & AWS
Bhuvaneswari Subramani
 
PPTX
Microsoft Azure Technical Overview
gjuljo
 
PPTX
AWS Cloud Watch
zekeLabs Technologies
 
PPTX
Aws VPC
Abhishek Amralkar
 
PPTX
Public cloud
Dr.Neeraj Kumar Pandey
 
PPTX
Introduction to Cloud Computing and AWS
Faisal Ahmed Farooqui
 
PPTX
Azure Storage
Mustafa
 
PDF
Introduction to Microsoft Azure Cloud
Dinesh Kumar Wickramasinghe
 
PDF
AWS Tutorial | AWS Certified Solutions Architect | Amazon AWS | AWS Training ...
Edureka!
 
PPT
Cloud computing
Aditya Dwivedi
 
PPTX
Cloud computing hybrid architecture
Abhijeet Singh
 
PPTX
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
Simplilearn
 
PPTX
Presentation on Databases in the Cloud
moshfiq
 
PPTX
Microsoft Azure - Introduction
Pranav Ainavolu
 
Elastic Compute Cloud (EC2) on AWS Presentation
Knoldus Inc.
 
AWS SQS SNS
Durgesh Vaishnav
 
Aws ppt
RamyaG50
 
What is AWS?
Martin Yan
 
AWS VPC & Networking basic concepts
Abhinav Kumar
 
Iam presentation
AWS UG PK
 
Fundamentals of Cloud Computing & AWS
Bhuvaneswari Subramani
 
Microsoft Azure Technical Overview
gjuljo
 
AWS Cloud Watch
zekeLabs Technologies
 
Aws VPC
Abhishek Amralkar
 
Public cloud
Dr.Neeraj Kumar Pandey
 
Introduction to Cloud Computing and AWS
Faisal Ahmed Farooqui
 
Azure Storage
Mustafa
 
Introduction to Microsoft Azure Cloud
Dinesh Kumar Wickramasinghe
 
AWS Tutorial | AWS Certified Solutions Architect | Amazon AWS | AWS Training ...
Edureka!
 
Cloud computing
Aditya Dwivedi
 
Cloud computing hybrid architecture
Abhijeet Singh
 
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
Simplilearn
 
Presentation on Databases in the Cloud
moshfiq
 
Microsoft Azure - Introduction
Pranav Ainavolu
 

Similar to AWS IAM and security (15)

PPTX
AWS core services
Nagesh Ramamoorthy
 
PDF
Diving into Common AWS Misconfigurations
Nikhil Sahoo
 
PPTX
AWS deployment and management Services
Nagesh Ramamoorthy
 
PDF
Introduction to AWS Security
LalitMohanSharma8
 
PPTX
AWS Intro
HernnCSaltiel
 
PPTX
AWS-IAM-intro-2016-08-03.pptx
Bima Ariateja
 
PDF
Demystifying identity on AWS
AWS User Group Bengaluru
 
PDF
Simple Security for Startups
AWS Germany
 
PDF
Simple Security for Startups
Mark Bate
 
PPTX
AWS Users Authentication
chandrasen Reddy
 
PPTX
AWS Account Security Checklist
Ninad Gupte
 
PDF
AWS Identity Access Management
Richard Harvey
 
PPTX
Aws iam best practices to live by
John Varghese
 
PPTX
AWS Identity and access management for users
StephenEfange3
 
PPTX
AWSM2C3.pptx
RahulDange13
 
AWS core services
Nagesh Ramamoorthy
 
Diving into Common AWS Misconfigurations
Nikhil Sahoo
 
AWS deployment and management Services
Nagesh Ramamoorthy
 
Introduction to AWS Security
LalitMohanSharma8
 
AWS Intro
HernnCSaltiel
 
AWS-IAM-intro-2016-08-03.pptx
Bima Ariateja
 
Demystifying identity on AWS
AWS User Group Bengaluru
 
Simple Security for Startups
AWS Germany
 
Simple Security for Startups
Mark Bate
 
AWS Users Authentication
chandrasen Reddy
 
AWS Account Security Checklist
Ninad Gupte
 
AWS Identity Access Management
Richard Harvey
 
Aws iam best practices to live by
John Varghese
 
AWS Identity and access management for users
StephenEfange3
 
AWSM2C3.pptx
RahulDange13
 
Ad

Recently uploaded (20)

PPTX
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
PPTX
Simple and concise overview about Quantum computing..pptx
mughal641
 
PDF
State-Dependent Conformal Perception Bounds for Neuro-Symbolic Verification
Ivan Ruchkin
 
PDF
GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdf
Luiz Carneiro
 
PPTX
Agentic AI in Healthcare Driving the Next Wave of Digital Transformation
danielle hunter
 
PDF
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
PDF
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
PDF
RAT Builders - How to Catch Them All [DeepSec 2024]
malmoeb
 
PDF
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
PDF
Per Axbom: The spectacular lies of maps
Nexer Digital
 
PDF
The Future of Artificial Intelligence (AI)
Mukul
 
PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
PDF
Researching The Best Chat SDK Providers in 2025
Ray Fields
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PDF
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
PPTX
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
PDF
NewMind AI Weekly Chronicles – July’25, Week III
NewMind AI
 
PDF
How ETL Control Logic Keeps Your Pipelines Safe and Reliable.pdf
Stryv Solutions Pvt. Ltd.
 
PDF
introduction to computer hardware and sofeware
chauhanshraddha2007
 
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
Simple and concise overview about Quantum computing..pptx
mughal641
 
State-Dependent Conformal Perception Bounds for Neuro-Symbolic Verification
Ivan Ruchkin
 
GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdf
Luiz Carneiro
 
Agentic AI in Healthcare Driving the Next Wave of Digital Transformation
danielle hunter
 
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
RAT Builders - How to Catch Them All [DeepSec 2024]
malmoeb
 
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
Per Axbom: The spectacular lies of maps
Nexer Digital
 
The Future of Artificial Intelligence (AI)
Mukul
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
Researching The Best Chat SDK Providers in 2025
Ray Fields
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
NewMind AI Weekly Chronicles – July’25, Week III
NewMind AI
 
How ETL Control Logic Keeps Your Pipelines Safe and Reliable.pdf
Stryv Solutions Pvt. Ltd.
 
introduction to computer hardware and sofeware
chauhanshraddha2007
 
Ad

AWS IAM and security

  • 2. Agenda / Topics • Basics o What is IAM? o What to do right after creating an AWS account o What are the main components of IAM? • What not to do o Don’t be that person / company… • Intermediate o Least privilege access permissions o How to manage / distribute AWS creds o How to write code that auto-discovers AWS creds o AWS Services that support IAM and at what level • Advanced o Temporary credentials / Avoiding long-lived creds o AWS account federation / SSO
  • 3. What is AWS IAM? • Identity and Access Management is an AWS service that enables you to provide fine grained access control to: o Interact with AWS services on behalf of your AWS account o Interact with AWS resources created in your AWS account • The main components are: o IAM Users o IAM Groups o IAM Roles o IAM Polices
  • 4. IAM Users • Can have username / password to login to the AWS Console • Can have AWS credentials for making API calls to interact with AWS services • New IAM users have no permissions to do anything, implicit deny all. Permissions must be explicitly granted. • An IAM user doesn't necessarily have to represent an actual person. An IAM user is really just an identity with associated permission. o An IAM User with only AWS creds can be created so the creds can be used by an application to make API calls into AWS.
  • 5. IAM Groups • A collection of IAM Users • You assign permissions to the IAM Group, all IAM Users in the Group inherit those permissions. o Implicit deny of permissions applies to IAM Groups as well
  • 6. IAM Roles / Instance Profiles • IAM Roles define permissions much like an IAM User o IAM Roles do NOT have: • Username/password like an IAM User can • AWS creds that can be retrieved like an IAM User creds • The permissions of an IAM Role can be granted / assigned to an EC2 instance o An Instance Profile is just a “container” for one or more IAM Roles o An Instance Profile is what you actually assign to an EC2 instance • IAM Roles and Instance Profiles provide enhanced security because these structures provide temporary AWS creds o These temporary creds are made available by the EC2 meta-data service • … More on IAM Roles later
  • 7. IAM Policies • When you create an IAM Group, User, or Role in your AWS account, you associate an IAM policy with it, which specifies the permissions that you want to grant. • IAM Polices are JSON formatted documents that define AWS permissions • Working with IAM Policies
  • 8. Security firsts for new AWS accounts • For AWS root account: o Store username/password somewhere safe and secure o Setup multi-factor authentication • Create IAM User(s) with "least privileges" necessary o Least privilege = only the permissions necessary to accomplish needed tasks • After IAM Users have been created never use root account again o An IAM User with root permissions can be created • If IAM Users have username/password for AWS console login then they should also have multi factor authentication (MFA) enabled o https://aws.amazon.com/iam/details/mfa/ • If you don’t want some users having access to billing o Control access to AWS account billing through IAM • IAM controls “the keys to the (AWS) kingdom” o Only highly privileged users should have permissions to perform IAM actions
  • 9. Getting AWS credentials onto EC2 instances • Always use an IAM Role / Instance Profile • Never ever..... ever o Self manage credentials for EC2 instances (environment variables, etc) o Put AWS credentials into source code or config files • Don't make yourself or company a victim like these guys: o Key slurping bots crawl github, use creds to run EC2 instances for bitcoin mining • http://www.theregister.co.uk/2015/01/06/dev_blunder_shows_github_ crawling_with_keyslurping_bots o Companies have gone out of business because they were careless with their AWS creds • CodeSpaces had EVERYTHING deleted o http://arstechnica.com/security/2014/06/aws-console-breach- leads-to-demise-of-service-with-proven-backup-plan/
  • 10. …continued Getting creds onto EC2 instances • Use IAM Instance Profile assigned to EC2 instance • An Instance Profile is created from an IAM Role • The instance profile must be assigned to an EC2 instance when it is launched • AWS credentials retrieved through the EC2 metadata service o curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<instance- profile-name> • These temporary credentials never have to be shared or managed by developers • These temporary AWS credentials are automatically rotated so instance always has valid credentials • http://docs.aws.amazon.com/IAM/latest/UserGuide/roles- usingrole-instanceprofile.html • http://docs.aws.amazon.com/IAM/latest/UserGuide/roles- usingrole-ec2instance.html
  • 11. How can code use Instance Profile creds? • All AWS SDKs have a built in way to auto-discover AWS credentials on EC2 instances o Simplifies code by not having to explicitly set AWS credentials • SDKs for all languages can automatically check standard locations for AWS credentials to use: o Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY (legacy, not recommended anymore) o Credentials file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI (great for applications/scripts being run outside of AWS) o Instance Profile Credentials - delivered through the Amazon EC2 metadata service (best practice for getting AWS creds onto EC2 instances) • Example - Java SDK docs which document AWS creds auto-discovery: o http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws /services/s3/AmazonS3Client.html - AmazonS3Client()
  • 12. Local development • If you are running scripts or an application locally that needs to call AWS APIs then store AWS creds in the AWS “credentials” file: o http://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and- Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs • Allows you to define multiple sets of credentials each identified by a profile name • A “default” profile name can be defined so a profile doesn’t have to be specified in your code/script • AWS CLI (command line interface) o http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting- started.html#cli-multiple-profiles o aws s3 cp ./awesome.tgz s3://mybucket/path/to/awesome/files/ (uses default profile defined in ~/.aws/credentials file) o aws s3 cp ./awesome.tgz s3://mybucket/path/to/awesome/files/ --profile user2 (uses user2 profile defined in ~/.aws/credentials file)
  • 13. IAM least privilege rights • "Anything" with AWS access should have the minimal rights it needs to accomplish its specific actions • "Anything" with AWS access refers to the following: o IAM Users or Groups o IAM Roles / Instance Profiles • IAM Roles can be assumed by end users • Instance Profiles can be assigned to EC2 instances o Your applications or scripts (which use IAM Role or User creds) • Example: if an application only needs read access to files in S3, then create an IAM Role with only “GetObject” rights on S3.
  • 14. S3 IAM Policies • Granting access to an S3 bucket (Simple) • Granting access to specific “folders” in S3 bucket • S3 Actions { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::test"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": ["arn:aws:s3:::test/*"] } ] }
  • 15. Amazon Resource Names (ARNs) • ARNs are unique identifiers for AWS resources. • Format of an ARN: o arn:partition:service:region:account-id:resource o arn:partition:service:region:account-id:resourcetype/resource o arn:partition:service:region:account-id:resourcetype:resource • Details of ARNs for each AWS Service o http://docs.aws.amazon.com/general/latest/gr/aws-arns-and- namespaces.html
  • 16. Elements of an IAM Policy • Main elements of an IAM Policy o Version o Statement • Main element of the policy • Contains an array of statements • Each statement defines whether permissions are allowed or denied for certain service actions against particular resources. These are defined by the values of the following elements in each statement: o Effect – Allow or Deny o Action – array of service actions o Resource – array of ARNs that actions can occur on o Principal – identifies who/what is allowed/denied access • Details on IAM Policy elements o http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_e lements.html
  • 17. Advanced uses of IAM Roles • IAM Roles can be “assumed” by: o IAM Users in the either the same or different AWS account o AWS services (EC2 instances or even another IAM Role) o External users authenticated outside of AWS (Federation) • IAM Roles provide enhanced security: o Temporary credentials • If credentials do get compromised they won’t be valid for long • “Long-lived” credentials are bad… mmmmmkkk o Users can be logged into AWS console without username/password o Temporary credentials + Least privilege permissions!!!
  • 18. AWS Federation • My real world scenario o Many AWS accounts o Many users needing access to 1 or many AWS accounts o Management of many of the “same” IAM Users and Groups across many AWS accounts • Equals… o Maintenance nightmare o Potential for security lapses when employee leaves company • What AWS accounts did the employee have access to? • Have to delete IAM User from each AWS account • Most mid to large companies have a central Identity Provider o Active Directory o Federation could also use social login providers
  • 19. …continued AWS Federation • We took a web application that uses SSO via SAML to authenticate with our corp AD o Runs in AWS on EC2 instance with Instance Profile that has rights to “assume” Roles o The IAM Roles that can be “assumed” can exist in any AWS account as long as a trust relationship is created. o IAM Roles are kept track of in the application DB o For each user of this web application 0 or more IAM Roles can be mapped to a user o The application can then retrieve temporary credentials from a Role on behalf of a user of the web application • AWS creds can be returned to user for local use • AWS console access can be granted based on permissions of the IAM Role • Simplified solution o Delete all IAM Users across all AWS accounts o Replace all IAM Groups with IAM Roles in each AWS account o One set of users (web application users) that can be granted access to any IAM Role from any AWS account. o Enhances security • If a user leaves the company they are removed from corporate AD, no longer have access to web application and therefore no more access to any AWS accounts • TEMPORARY AWS creds (only last 1 hour, AWS allowed max… for now) • Creating a URL that Enables Federated Access to the AWS Management Console o Java example code
  • 20. AWS Console Federated Username • Federated Login/Identifier uses the name of the IAM Role that was used plus a specified identifier. • It is cutoff in this image • AutomationFederationRoles-AutomationAdmins-1VGJS9PG5J8JO/erik.paulsson
  • 21. AWS Federation Local dev with temp creds • It is a pain for developers and cloud admins to work locally when AWS creds expire o Every hour have to: • Retrieve new AWS creds from web application • Copy/paste into local AWS credentials file • Solution o Wrote small GUI tool • Local thick client since it needs to write to file system • User authenticates to same web application using SSO still • Tool retrieves new credentials on hourly schedule from web application REST APIs • Writes these AWS credentials to local AWS credentials file o Tool allows users to retrieve creds for 0 or more of the IAM Roles they are allowed to use o A credentials profile name can be assigned to each o Used NW.js to build client (formerly known as “node-webkit”) • Single code base • Compiles to self executable for all platforms (Linux, Mac, Win) • No run-time dependencies (JRE, python, etc) o Just download and run
  • 22. Other Links • Advanced Assume Role using “policy” parameter: o http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.h tml • IDC White Paper: You can be more secure in the cloud than in your own data center • AWS in Plain English o https://www.expeditedssl.com/aws-in-plain-english

Editor's Notes