Become an AWS IAM Policy Ninja

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
Becoming an IAM Policy Ninja
Greg McConnel,
Solutions Architect

One Key Take Away
“You can use the following policy to deny an IAM user, role, or group access to SERVICE
findings. Users can't view findings or the details about findings, but they can access all other
SERVICE operations:”
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
”SERVICE:List######",
"SERVICE:Describe######",
"SERVICE:Get######"
],
"Resource": "*"
}
]
}

What to expect from the session
• Knowledge of how to better control access to AWS
resources.
• A deeper understanding of the AWS policy language.
• Useful Resources

Improved Support for Tags
Task: Admins must use certain tags when launching instances and can only stop, start, terminate
the instances with those tags. Also can’t modify tags of existing instances after launch (otherwise
people would go around the system.)
"Effect": "Allow",
"Action": ["ec2:RunInstances"],
"Resource": [
"arn:aws:ec2:us-west-2::image/*",
"arn:aws:ec2:us-west-2:570118607132:subnet/*",
"arn:aws:ec2:us-west-2:570118607132:network-interface/*",
"arn:aws:ec2:us-west-2:570118607132:security-group/*",
"arn:aws:ec2:us-west-2:570118607132:key-pair/*",
"arn:aws:ec2:us-west-2:570118607132:instance/*",
"arn:aws:ec2:us-west-2:570118607132:volume/*"],
"Condition":
{"StringEquals": {"aws:RequestTag/environment": "dev", "aws:RequestTag/costcenter": "01"},
"ForAllValues:StringEquals": {"aws:TagKeys": ["environment", "costcenter" ]}}},
Demo
https://aws.amazon.com/blogs/aws/new-tag-ec2-instances-ebs-volumes-on-creation/

Wait, this
doesn’t
work!?

Identity-based
Permissions
Different Types of Policies/Permissions
Resource-based
Permissions
Resource-level
Permissions
user group
role
Trust
Policies
(Roles)
Amazon
SNS Amazon
SQS
Amazon
Glacier Amazon
S3
“Resource”: “arn:aws:s3:::bucket”
vs
“Resource”: “*”
AWS KMS
Tag-based
Permissions
“Condition”: { “StringEquals”: {
“ec2:ResourceTag/Owner”:
“${aws:username}”}}

Identity-based
Permissions
Different Types of Policies/Permissions
Resource-based
Permissions
Trust Policies
(Roles)

{“The policy” : “language”}

JSON-formatted documents
• One overall JSON Block
• A statement can use an array to have
multiple “statement blocks”
Contain a statement (permissions)
that specifies:
• Who can perform the action
• What action can be performed
• Which resources is the action applied to
• When can the action be performed
Policy specification basics
Principal
Action
Resource
Condition

{
“Version”: “2012-10-17”
“Statement”:[{
“Effect”: “Allow”,
“Principal”: “{“AWS”: “999999999999”},
“Action": “s3:*”,
“Resource”: “arn:aws:s3:::bucket”,
“Condition”: {“condition”:{“key”: “value”}}
}
]
}
Who
What
Which
When

“Action": “s3:*”,
“Resource”: “arn:aws:s3:::bucket”,
“Condition”: {“condition”:{“key”: “value”}}
What
Which
When

Protection from mistakes
Policy:
• Deny delete of DynamoDB tables for all users
• Allow delete of DynamoDB tables that start with
the word “scores” via a role that requires MFA
• Delete through switch role in the console
• Or Use external ID - Delete through CLI
Demo
https://aws.amazon.com/blogs/database/preventing-accidental-table-deletion-in-
dynamodb/

Policy Hierarchy
Action (What) Resource (Which)
Condition
(When)

Policy Hierarchy
AcceptVpcPeeringConnection
AllocateAddress
AllocateHosts
AssignIpv6Addresses
AssignPrivateIpAddresses
AssociateAddress
AssociateDhcpOptions
AssociateIamInstanceProfile
AssociateRouteTable
AssociateSubnetCidrBlock
AssociateVpcCidrBlock
…
arn:aws:ec2:region:account:dhcp-
options/*
arn:aws:ec2:region:account:dhcp-
options/dhcp-options-id
arn:aws:ec2:region:account:instance/*
arn:aws:ec2:region:account:instance/i
nstance-id
arn:aws:ec2:region:account:instance/i
nstance-id
arn:aws:ec2:region:account:vpc-
peering-connection/*
…
ec2:AccepterVpc
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceType
ec2:PlacementGroup
…

Policy Hierarchy
RunInstances
arn:aws:ec2:region::image/*
arn:aws:ec2:region::image/im
age-id
ec2:ImageType
ec2:IsLaunchTemplateR
esource
ec2:LaunchTemplate
ec2:Owner
ec2:Public
ec2:Region
ec2:RootDeviceType
ec2:ResourceTag/tag-
key

Good Resources to Get Started
Best resource to sort all this out:
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
Or
Google "IAM service works” (aka AWS Services that work with IAM)
Specifically for EC2: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-
ec2.html

Back to: Improved Support for Tags
Does the Policy ”Hierarchy” help us here?
"Effect": "Allow",
"Resource": [
"Condition":
Demo
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html

Action (WHAT) – Examples
• Describes What you can and cannot do
• Statements must include either an Action or NotAction element

"Action":"ec2:StartInstances"

"Action":"iam:ChangePassword"
<!– Amazon S3 action -->
"Action":"s3:GetObject"

"Action":["sqs:SendMessage","sqs:ReceiveMessage"]
<-- Wildcards (* or ?) in the action name. Below covers create/delete/list/update-->
* represents any combination of characters / ? represents any single character
"Action":"iam:*AccessKey*“
Principal
Action
Resource
Condition

Understanding NotAction
• Lets you specify an exception to a list of actions
• Could result in shorter policies than using Action and exclude many actions
• Example: Let’s say you want to allow everything but IAM APIs
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "iam:*",
"Resource": "*"
}
]
}
or
This is not an explicit Deny. A user could still
have a separate policy that grants IAM:*
If you want to prevent the user from ever being
able to call IAM APIs, use an explicit Deny.
Is there a
difference?

Resource (WHICH) – Examples
• Which objects are impacted by the permission
• Statements must include either a Resource or a NotResource element
arn:aws:service:region:account-id:resource
arn:aws:service:region:account-id:resourcetype/resource
arn:aws:service:region:account-id:resourcetype:resource
<-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket"
<-- All S3 buckets, except this one -->
"NotResource":"arn:aws:s3:::security_logging_bucket"
<-- Amazon SQS queue-->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
<-- Multiple Amazon DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
"arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
<-- All EC2 instances for an account in a region -->
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
Principal
Action
Resource
Condition
Replace
with your
account
number

Condition (WHEN) example
Principal
Action
Resource
Condition• When does the permission get applied
"Condition": {
"<Condition Operator>": {
"<Condition Key>": "<Condition Value>"
}
}
"Condition": {
"<What's the comparison we're making?>": {
"<Key being passed in the request>": "<Value to compare against>"
}
}

Condition (WHEN) example
“Condition” : {
"DateGreaterThan" : {"aws:CurrentTime" : "2017-01-01T11:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2017-12-31T15:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
• Allows a user to access a resource under the following conditions:
• The time is after 11:00 A.M. on 01/01/2017 AND
• The time is before 3:00 P.M. on 12/31/2017 AND
• The request comes from an IP address in the 192.0.2.0 /24 OR 203.0.113.0 /24 range
• All of these conditions must be met in order for the statement to evaluate to TRUE.
AND
OR
What if you wanted to restrict access to a time frame and IP address range?
Principal
Action
Resource
Condition• When does the permission get applied
Question: What gets AND’d / what gets OR’d?

Take advantage of IfExists conditional operator
• Many condition keys only exist for certain resource types.
• If you test for a nonexistent key, your policy will fail to evaluate (in other words,
access denied).
• You can add IfExists at the end of any condition operator except the Null
condition (for example, StringLikeIfExists).
• Allows you to create policies that “don’t care” if the key is not present.

Back to: Improved Support for Tags
Would IfExists help here?
"Effect": "Allow",
"Resource": [
"Condition":
Demo

Principal (WHO) – Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN)
• With IAM policies, the principal element is implicit (i.e., the user, group, or role attached)

"Principal":{"AWS":"*“}

"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}

"Principal":{"AWS":"arn:aws:iam::123456789012:user/username“}

"Principal":{"Federated":"accounts.google.com"}

"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}

"Principal":{"Service":"ec2.amazonaws.com"}
Principal
Action
Resource
Condition
Replace
with your
account
number

Policy enforcement

Policy enforcement
• Policies can come from multiple places
• IAM users, groups and roles
• AWS resources (Amazon S3, Amazon SQS, Amazon SNS and
Amazon Glacier)
• Passed through federated user calls
• Well defined evaluation logic
• All requests denied by default
• Explicit Deny trumps Allow
• Permissions are the union of all policies

Policy enforcement
Final decision =“Deny”
(explicit Deny)
Yes
Final decision =“Allow”
Yes
No
Is there an
Allow?
4
Decision
starts at Deny
1
Evaluate all
applicable
policies
2
Is there an
explicit
Deny?
3
No
Final decision =“Deny”
(default Deny)
5
• AWS retrieves all policies associated
with the user and resource.
• Only policies that match the action,
resource and conditions are evaluated.

Authoring, Testing and Debugging

Evolution of My IAM Policy Authoring
Manual Copy
and Edit
Old Console
Editor
New Visual
Editor
What's next?

Authoring – New Visual Editor

Policy SimulatorTesting
CLI dry-run

Debugging
• Use the decode-authorization
command
– aws sts decode-authorization-message
–encoded-message
• If a user is not authorized to perform an
action that he or she has requested, the
request returns
a Client.UnauthorizedOperation
• Only certain AWS actions return an
encoded authorization message.
The message is encoded because the details of the
authorization status can constitute privileged
information.
Launch Failed
You are not authorized to perform this operation. Encoded authorization failure
message: -VfI1U7UrRUcnnquJI-
_e0M8S92blCJyHwP7WFGG6ywdmofrR4VTe9i_ypEEZtD1jmgBQwTbpZX8v6rB
3e2h_-
EqsrvbjwKJ4ibYFYNmuMWU2ErOTOHHHQzwxlRxFpdP43IUP8zt6HT6b9tuWXa
CgaJeG3kZdcO6VRqjx_zr4gc9v51W1OVCU-
g94xuhPohfH9kCapGL82wamnjyfPDXCnWS26lKPx90FwZf9ALab5z2OKrzvq5Y
MY7-
VgNPDfNxHCPZgFRaoVwZYBDJsiR4HQKHJxUE0KfroAPaTPzGajTWeKN5OC
RwogOrW8J5Q9XA2dQH3W8yTz9EHqo-nv8jRp-
EAzAUMaq28q92SfENj_gDCZ7KnJ217Ec-Ne-RLao_bmHNB7819Y_H-
WhFV3mXQAe76v5Dy6so9qx0-
x9RBy_sekHPjiMZ7z9QVIDQs0N3bUgBrGVCsbG5XxTb7oSI29JjpHmrr2YOG-
YJPHfeYsaoUget3jXYPRH8REX0MZv5I3OFrGVXk2nr2af3OIralo5gqFOIUAYaE
BT0z0SMnxq9oZKKonvEMA

Group Lab – With a Prize!
• Instructions URL:
loftlab.gregmcconnel.net/groupdemo.html
• Read out the phrase in the file “readme”
• Role: No permissions (also this is a very insecure
and is just for demo purposes – don’t try this at
home!)
• Using Role you can access the Bucket and then
open the file “readme”
• Read out the phrase in the file “readme”
• Account ID: 570118607132
• Role Name: loft-demo-mixed-permissions
• Bucket Name: aws-loft-group-demo
• File: readme
Group
Lab

Summary
• NotAction (and NotPrincipal and NotResource)
• New tagging capabilities (Search: EC2 tag instance blog)
• Many different types of Permissions
• Principle (Who) à Action (What) à Resource (Which) à Condition (When)
• IAM policy hierarchy and how that can impact policy processing
• IAM policy visual editor
• Come to me after the session if you find the phrase in the S3 readme object

Additional Resources
• AWS Services that work with IAM:
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-
iam.html
• Service Specific Actions and Condition Keys:
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actionsconditions.html
• Global Condition Keys:
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-
keys.html#AvailableKeys
• Condition Operators:
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AccessPolic
yLanguage_ConditionType
• Policy Variables:
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-
infotouse

Additional Resources
• Documentation
– http://aws.amazon.com/documentation/iam/
– http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-
apipermissions.html
• AWS Security Blog (blogs.aws.amazon.com/security)
– http://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-
EC2-Resource-Level-Permissions
– http://blogs.aws.amazon.com/security/post/Tx29ZC3VE9SQGQM/Granting-
Users-Permission-to-Work-in-the-Amazon-EC2-Console
• http://aws.amazon.com/iam
• https://forums.aws.amazon.com/forum.jspa?forumID=76
• Twitter: @AWSIdentity

Pop-up Loft
Questions?

Design Guide Lines
• Use Dots for List elements
– Alternate Dots and Dashes
• Font info
– Arial
– Color: White
– Content: In Arial
– Titles: Arial Bold
• Content should be Left aligned
– No Center aligned text
• Avoid Clipart

Become an AWS IAM Policy Ninja

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Become an AWS IAM Policy Ninja

Similar a Become an AWS IAM Policy Ninja (20)

Más de Amazon Web Services

Más de Amazon Web Services (20)

Become an AWS IAM Policy Ninja