Become an AWS IAM Policy Ninja
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
One Key Take Away
“You can use the following policy to deny an IAM user, role, or group access to SERVICE
findings. Users can't view findings or the details about findings, but they can access all other
SERVICE operations:”
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"SERVICE:List######",
"SERVICE:Describe######",
"SERVICE:Get######"
],
"Resource": "*"
}
]
}
Note the Effect: this is an Allow with NotAction, not a Deny. By itself it grants every other SERVICE operation and denies nothing, so any other policy attached to the same principal that allows the List, Describe or Get actions still wins. To actually block those actions you need an explicit Deny (see Understanding NotAction).
Improved Support for Tags
Task: Admins must apply specific tags when launching instances and can only stop, start and terminate instances that carry those tags. They must also be unable to modify the tags of an existing instance after launch, otherwise they could retag an instance to get around the restriction.
The statement under discussion (one statement covering every resource that RunInstances touches):
{
  "Effect": "Allow",
  "Action": ["ec2:RunInstances"],
  "Resource": [
    "arn:aws:ec2:us-west-2::image/*",
    "arn:aws:ec2:us-west-2:570118607132:subnet/*",
    "arn:aws:ec2:us-west-2:570118607132:network-interface/*",
    "arn:aws:ec2:us-west-2:570118607132:security-group/*",
    "arn:aws:ec2:us-west-2:570118607132:key-pair/*",
    "arn:aws:ec2:us-west-2:570118607132:instance/*",
    "arn:aws:ec2:us-west-2:570118607132:volume/*"],
  "Condition": {
    "StringEquals": {"aws:RequestTag/environment": "dev", "aws:RequestTag/costcenter": "01"},
    "ForAllValues:StringEquals": {"aws:TagKeys": ["environment", "costcenter"]}
  }
}
Demo
https://aws.amazon.com/blogs/aws/new-tag-ec2-instances-ebs-volumes-on-creation/
Back to: Improved Support for Tags
Does the policy evaluation "hierarchy" (explicit Deny, then Allow, then implicit Deny) help us here?
{
  "Effect": "Allow",
  "Action": ["ec2:RunInstances"],
  "Resource": [
    "arn:aws:ec2:us-west-2::image/*",
    "arn:aws:ec2:us-west-2:570118607132:instance/*",
    "arn:aws:ec2:us-west-2:570118607132:key-pair/*",
    "arn:aws:ec2:us-west-2:570118607132:network-interface/*",
    "arn:aws:ec2:us-west-2:570118607132:security-group/*",
    "arn:aws:ec2:us-west-2:570118607132:subnet/*",
    "arn:aws:ec2:us-west-2:570118607132:volume/*"],
  "Condition": {
    "StringEquals": {"aws:RequestTag/environment": "dev", "aws:RequestTag/costcenter": "01"},
    "ForAllValues:StringEquals": {"aws:TagKeys": ["environment", "costcenter"]}
  }
}
Demo
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html
Action (WHAT) – Examples
• Describes what you can and cannot do
• Statements must include either an Action or a NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
<!-- Amazon S3 action -->
"Action":"s3:GetObject"
<!-- Specify multiple values for the Action element -->
"Action":["sqs:SendMessage","sqs:ReceiveMessage"]
<!-- Wildcards (* or ?) in the action name: * matches any combination of characters, ? matches any single character. The pattern below covers the create/delete/list/update access-key actions, but it also matches any other current or future action whose name contains AccessKey, so wildcards in an Allow can grant more than you intended -->
"Action":"iam:*AccessKey*"
Understanding NotAction
• Lets you specify an exception to a list of actions: the statement applies to every action except those named
• Can give shorter policies than listing every permitted Action when you only want to exclude a few
• Example: let's say you want to allow everything but the IAM APIs. Is there a difference between these two policies?
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
}
]
}
or
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "iam:*",
"Resource": "*"
}
]
}
• Yes. The first policy is not an explicit Deny: it simply does not grant IAM actions. A user could still have a separate policy that grants iam:*, and that Allow would apply.
• If you want to prevent the user from ever being able to call IAM APIs, use an explicit Deny as in the second policy; an explicit Deny wins over any Allow from any other policy.
Resource (WHICH) – Examples
• Which objects are impacted by the permission
• Statements must include either a Resource or a NotResource element
• ARN formats (region is empty for global services such as IAM; both region and account-id are empty for S3 buckets):
arn:aws:service:region:account-id:resource
arn:aws:service:region:account-id:resourcetype/resource
arn:aws:service:region:account-id:resourcetype:resource
<!-- S3 bucket -->
"Resource":"arn:aws:s3:::my_corporate_bucket"
<!-- All S3 buckets, except this one -->
"NotResource":"arn:aws:s3:::security_logging_bucket"
<!-- Amazon SQS queue -->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
<!-- Multiple Amazon DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
"arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
<!-- All EC2 instances for an account in a region -->
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
(Replace 123456789012 with your account number.)
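An added example, not from the deck, that parses the three ARN shapes listed above into their fields. The helper names and the log-group ARN are this page's own constructions; the other sample ARNs and the placeholder account ID are the ones on the slide.

```python
"""Parse the three ARN shapes shown on the slide (added example, not from the deck)."""
from typing import NamedTuple, Optional


class Arn(NamedTuple):
    partition: str
    service: str
    region: str                    # empty for global services such as IAM and S3
    account: str                   # empty for S3 buckets and for public AMIs
    resource_type: Optional[str]   # None for the bare "resource" shape
    resource: str


def parse_arn(arn: str) -> Arn:
    # Split on at most five colons: the resource field may itself contain colons.
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or not parts[2]:
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, rest = parts
    if "/" in rest:
        # resourcetype/resource, e.g. table/books_table or instance/*
        # (for S3 object ARNs the slash separates bucket and key instead)
        rtype, rid = rest.split("/", 1)
    elif ":" in rest:
        # resourcetype:resource, e.g. the constructed log-group:my-group:* below
        rtype, rid = rest.split(":", 1)
    else:
        # bare resource, e.g. an S3 bucket name or an SQS queue name
        rtype, rid = None, rest
    return Arn(partition, service, region, account, rtype, rid)


def account_of(arn: str) -> Optional[str]:
    """Account that owns the resource, or None when the ARN carries none."""
    return parse_arn(arn).account or None


if __name__ == "__main__":
    for sample in ("arn:aws:s3:::my_corporate_bucket",
                   "arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
                   "arn:aws:logs:us-east-1:123456789012:log-group:my-group:*"):
        print(parse_arn(sample))
```

The empty fields matter when you write policies: an S3 bucket ARN tells you nothing about which account owns the bucket, so a Resource pattern such as `arn:aws:s3:::*` spans every bucket the principal can reach, not just the buckets in your own account.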
Condition (WHEN) example
• When does the permission get applied
• Question: what gets AND'd and what gets OR'd? What if you wanted to restrict access to both a time frame and an IP address range?
"Condition" : {
"DateGreaterThan" : {"aws:CurrentTime" : "2017-01-01T11:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2017-12-31T15:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
• Allows a user to access a resource under the following conditions:
– The time is after 11:00 UTC on 01/01/2017 AND
– The time is before 15:00 UTC on 12/31/2017 AND
– The request comes from an IP address in the 192.0.2.0/24 OR the 203.0.113.0/24 range
• All of these conditions must be met for the statement to match: separate operators and keys within one Condition block are AND'd, while multiple values listed for a single key are OR'd.
Take advantage of the IfExists condition operator
• Many condition keys only exist for certain resource types or request types.
• If you test for a key that is not present in the request context, the condition evaluates to false and the statement does not match; for an Allow statement that means access denied.
• You can add IfExists at the end of any condition operator except the Null condition (for example, StringLikeIfExists).
• Allows you to create policies that "don't care" if the key is not present: the test passes when the key is absent and is applied normally when it is present.
• Caveat: on an Allow statement that also means a request carrying none of the keys passes the condition, so IfExists cannot be used to enforce that something (such as a tag) is present; it only relaxes a check.
Back to: Improved Support for Tags
Would IfExists help here?
{
  "Effect": "Allow",
  "Action": ["ec2:RunInstances"],
  "Resource": [
    "arn:aws:ec2:us-west-2::image/*",
    "arn:aws:ec2:us-west-2:570118607132:subnet/*",
    "arn:aws:ec2:us-west-2:570118607132:network-interface/*",
    "arn:aws:ec2:us-west-2:570118607132:security-group/*",
    "arn:aws:ec2:us-west-2:570118607132:key-pair/*",
    "arn:aws:ec2:us-west-2:570118607132:instance/*",
    "arn:aws:ec2:us-west-2:570118607132:volume/*"],
  "Condition": {
    "StringEquals": {"aws:RequestTag/environment": "dev", "aws:RequestTag/costcenter": "01"},
    "ForAllValues:StringEquals": {"aws:TagKeys": ["environment", "costcenter"]}
  }
}
Demo
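The questions on the three tag slides and on the NotAction slide can be answered by running the policies through a small model of IAM evaluation. The following is an added example written for this page, not AWS code or the deck's demo. It models only Effect, Action/NotAction, Resource and the StringEquals operator (with the ForAllValues: prefix and the IfExists suffix), matches patterns with shell-style wildcards, and uses a placeholder account ID and constructed resource IDs. It shows why the single statement fails: RunInstances is authorised per resource, and the AMI, subnet, security group and key pair never carry aws:RequestTag keys, so StringEquals fails on them. Splitting the statement so that the tag condition covers only the instance and volume fixes the launch, whereas StringEqualsIfExists is the wrong fix because it also lets an untagged launch through. With a second policy granting iam:*, the NotAction policy allows iam:CreateUser while the explicit Deny policy blocks it.

```python
"""Toy model of IAM policy evaluation (added example, not AWS code). Only Effect,
Action/NotAction, Resource and the StringEquals operator family are modelled."""
from fnmatch import fnmatchcase

ACCT = "123456789012"  # placeholder account id

def _lst(v): return v if isinstance(v, list) else [v]

def _action_matches(stmt, action):
    if "Action" in stmt:
        return any(fnmatchcase(action, p) for p in _lst(stmt["Action"]))
    # NotAction: the statement applies to every action that is NOT listed
    return not any(fnmatchcase(action, p) for p in _lst(stmt["NotAction"]))

def _resource_matches(stmt, arn):
    return any(fnmatchcase(arn, p) for p in _lst(stmt.get("Resource", "*")))

def _condition_holds(cond, ctx):
    """ctx: condition keys present in the request for one resource. An absent key
    fails the test unless the operator has the IfExists suffix or the ForAllValues:
    prefix, which both treat absence as a match."""
    for op, tests in cond.items():
        set_op, _, base = op.rpartition(":")
        if_exists = base.endswith("IfExists")
        if (base[:-8] if if_exists else base) != "StringEquals":
            raise NotImplementedError(op)
        for key, wanted in tests.items():
            wanted = _lst(wanted)  # several policy values for one key are OR'd
            if key not in ctx:
                if if_exists or set_op == "ForAllValues":
                    continue
                return False
            have = _lst(ctx[key])
            if set_op == "ForAllValues":
                ok = all(h in wanted for h in have)
            else:  # single-valued key (ForAnyValue is not modelled)
                ok = have[0] in wanted
            if not ok:
                return False  # different operators and keys are AND'd
    return True

def evaluate(policies, action, arn, ctx=None):
    """Deny-overrides evaluation of one action on one resource."""
    verdict = "ImplicitDeny"
    for pol in policies:
        for stmt in pol["Statement"]:
            if not (_action_matches(stmt, action) and _resource_matches(stmt, arn)):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx or {}):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny beats any Allow
            verdict = "Allow"
    return verdict

def run_instances_verdicts(policies, request):
    """RunInstances is authorised per resource: every ARN must come back 'Allow'."""
    return {arn: evaluate(policies, "ec2:RunInstances", arn, ctx)
            for arn, ctx in request.items()}

def run_instances_request(tags):
    """Constructed request context: the requested tags land on the new instance
    and volume only; the AMI and subnet carry no aws:RequestTag/* or aws:TagKeys."""
    tag_ctx = {f"aws:RequestTag/{k}": v for k, v in tags.items()}
    if tags:
        tag_ctx["aws:TagKeys"] = list(tags)
    return {f"arn:aws:ec2:us-west-2:{ACCT}:instance/*": tag_ctx,
            f"arn:aws:ec2:us-west-2:{ACCT}:volume/*": tag_ctx,
            "arn:aws:ec2:us-west-2::image/ami-12345678": {},
            f"arn:aws:ec2:us-west-2:{ACCT}:subnet/subnet-12345678": {}}

def _arn(rtype): return f"arn:aws:ec2:us-west-2:{ACCT}:{rtype}/*"

TAGGED = [_arn("instance"), _arn("volume")]
UNTAGGED = ["arn:aws:ec2:us-west-2::image/*", _arn("subnet"), _arn("security-group"),
            _arn("key-pair"), _arn("network-interface")]
TAG_COND = {"StringEquals": {"aws:RequestTag/environment": "dev",
                             "aws:RequestTag/costcenter": "01"},
            "ForAllValues:StringEquals": {"aws:TagKeys": ["environment", "costcenter"]}}
# The slide's single statement: the tag condition applies to every resource.
ONE_STATEMENT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": TAGGED + UNTAGGED, "Condition": TAG_COND}]}
# The fix: condition only the resources that actually carry the tags.
SPLIT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": TAGGED,
     "Condition": TAG_COND},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": UNTAGGED}]}
# The non-fix: IfExists lets the untagged resources pass, and an untagged launch too.
IFEXISTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": TAGGED + UNTAGGED,
     "Condition": {"StringEqualsIfExists": TAG_COND["StringEquals"],
                   "ForAllValues:StringEquals": TAG_COND["ForAllValues:StringEquals"]}}]}
# The NotAction slide's two policies, plus a separate policy that grants iam:*.
ALLOW_ALL_BUT_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}
ALLOW_ALL_DENY_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
GRANTS_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
```

Calling `run_instances_verdicts([ONE_STATEMENT], run_instances_request({"environment": "dev", "costcenter": "01"}))` returns Allow for the instance and volume but ImplicitDeny for the AMI and subnet, so the launch fails; `[SPLIT]` returns Allow for all four; and `run_instances_verdicts([IFEXISTS], run_instances_request({}))` also returns Allow for all four, which is the over-grant. For the NotAction question, `evaluate([ALLOW_ALL_BUT_IAM, GRANTS_IAM], "iam:CreateUser", user_arn)` is Allow while `evaluate([ALLOW_ALL_DENY_IAM, GRANTS_IAM], ...)` is Deny. For real policies use the IAM policy simulator (`aws iam simulate-principal-policy`), which evaluates the actual condition keys each service supplies.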
Principal (WHO) – Examples
• An entity that is allowed or denied access to a resource
• Indicated by an Amazon Resource Name (ARN), an account ID, a federated identity provider, or an AWS service
• Used in resource-based policies (S3 bucket policies, SQS queue policies, role trust policies). In identity-based IAM policies the Principal element is implicit (the user, group, or role the policy is attached to) and cannot be specified
<!-- Everyone, including anonymous (unauthenticated) requests: in a resource-based policy this makes the resource public unless a Condition narrows it -->
"Principal":{"AWS":"*"}
<!-- Specific account or accounts (both forms mean the same thing) -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root" }
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":{"AWS":"arn:aws:iam::123456789012:user/username"}
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"accounts.google.com"}
<!-- Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
<!-- Specific service -->
"Principal":{"Service":"ec2.amazonaws.com"}
(Replace 123456789012 with your account number.)
Debugging
• Use the decode-authorization-message command:
– aws sts decode-authorization-message --encoded-message <message>
• If a user is not authorized to perform an action that he or she has requested, the EC2 request returns a Client.UnauthorizedOperation error carrying an encoded authorization message.
• Only certain AWS actions return an encoded authorization message.
• The message is encoded because the details of the authorization status can constitute privileged information. Decoding it requires the sts:DecodeAuthorizationMessage permission, which the user who received the error often does not have, so an administrator usually decodes it for them.
Example of the error as shown in the EC2 console:
Launch Failed
You are not authorized to perform this operation. Encoded authorization failure message: -VfI1U7UrRUcnnquJI-_e0M8S92blCJyHwP7WFGG6ywdmofrR4VTe9i_ypEEZtD1jmgBQwTbpZX8v6rB3e2h_-EqsrvbjwKJ4ibYFYNmuMWU2ErOTOHHHQzwxlRxFpdP43IUP8zt6HT6b9tuWXaCgaJeG3kZdcO6VRqjx_zr4gc9v51W1OVCU-g94xuhPohfH9kCapGL82wamnjyfPDXCnWS26lKPx90FwZf9ALab5z2OKrzvq5YMY7-VgNPDfNxHCPZgFRaoVwZYBDJsiR4HQKHJxUE0KfroAPaTPzGajTWeKN5OCRwogOrW8J5Q9XA2dQH3W8yTz9EHqo-nv8jRp-EAzAUMaq28q92SfENj_gDCZ7KnJ217Ec-Ne-RLao_bmHNB7819Y_H-WhFV3mXQAe76v5Dy6so9qx0-x9RBy_sekHPjiMZ7z9QVIDQs0N3bUgBrGVCsbG5XxTb7oSI29JjpHmrr2YOG-YJPHfeYsaoUget3jXYPRH8REX0MZv5I3OFrGVXk2nr2af3OIralo5gqFOIUAYaEBT0z0SMnxq9oZKKonvEMA
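The same workflow in boto3, as an added example that is not from the deck: pull the token out of the error text, decode it through STS, and reduce the decoded JSON to the fields you check first. The error string and the decoded document below are hand-constructed samples with a placeholder token (the field names allowed, explicitDeny, matchedStatements, failures and context are the documented ones); the function names are this page's own, and boto3 is only imported inside the one function that calls STS so the parsing runs offline.

```python
"""Decode an EC2 UnauthorizedOperation failure (added example, not from the deck)."""
import json
import re

_TOKEN = re.compile(r"Encoded authorization failure message:\s*([A-Za-z0-9_-]+)")


def extract_encoded_message(error_text):
    """Pull the opaque token out of the error string the API or console returns."""
    m = _TOKEN.search(error_text)
    if not m:
        raise ValueError("no encoded authorization message in error text")
    return m.group(1)


def decode_with_sts(encoded, session=None):
    """Call sts:DecodeAuthorizationMessage. The caller's identity needs that
    permission, which a freshly denied user usually lacks."""
    import boto3  # lazy import: the parsing helpers below work without boto3
    sts = (session or boto3).client("sts")
    return sts.decode_authorization_message(EncodedMessage=encoded)["DecodedMessage"]


def _items(v):
    # the decoded document wraps lists as {"items": [...]}; tolerate a bare list too
    return v.get("items", []) if isinstance(v, dict) else list(v or [])


def summarize(decoded_json):
    """Reduce the decoded JSON to what you look at first when debugging a Deny:
    which action on which resource was evaluated, whether an explicit Deny
    matched, and how many statements matched at all (zero means implicit deny)."""
    d = json.loads(decoded_json)
    ctx = d.get("context", {})
    return {"allowed": d.get("allowed"),
            "explicit_deny": d.get("explicitDeny"),
            "action": ctx.get("action"),
            "resource": ctx.get("resource"),
            "principal": ctx.get("principal", {}).get("arn"),
            "matched_statements": len(_items(d.get("matchedStatements"))),
            "failures": len(_items(d.get("failures")))}


# Constructed sample: a RunInstances failure like the one on the slide, with a
# placeholder token and a hand-written decoded document in the documented shape.
SAMPLE_ERROR = ("An error occurred (UnauthorizedOperation) when calling the RunInstances "
                "operation: You are not authorized to perform this operation. "
                "Encoded authorization failure message: AbC-dEf_0123xyz")
SAMPLE_DECODED = json.dumps({
    "allowed": False, "explicitDeny": False,
    "matchedStatements": {"items": []}, "failures": {"items": []},
    "context": {"principal": {"id": "AIDAEXAMPLE123",
                              "arn": "arn:aws:iam::123456789012:user/alice"},
                "action": "ec2:RunInstances",
                "resource": "arn:aws:ec2:us-west-2:123456789012:subnet/subnet-12345678",
                "conditions": {"items": []}}})

if __name__ == "__main__":
    token = extract_encoded_message(SAMPLE_ERROR)
    # offline demo; with credentials use summarize(decode_with_sts(token)) instead
    print(token, summarize(SAMPLE_DECODED))
```

A summary like the constructed one (allowed false, explicitDeny false, no matched statements, resource a subnet) is exactly what the single-statement tag policy earlier in the deck produces: nothing denied the subnet explicitly, but no statement allowed it either, because the RequestTag condition could never match on a resource that carries no tags.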
Group Lab – With a Prize!
• Instructions URL: loftlab.gregmcconnel.net/groupdemo.html
• Role: No permissions (this setup is also very insecure and is for demo purposes only; don't try this at home!)
• Using the role you can access the bucket and then open the file "readme"
• Read out the phrase in the file "readme"
• Account ID: 570118607132
• Role Name: loft-demo-mixed-permissions
• Bucket Name: aws-loft-group-demo
• File: readme
Additional Resources
• AWS Services that work with IAM: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
• Service Specific Actions and Condition Keys: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actionsconditions.html
• Global Condition Keys: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys
• Condition Operators: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AccessPolicyLanguage_ConditionType
• Policy Variables: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-infotouse
Additional Resources
• Documentation
– http://aws.amazon.com/documentation/iam/
– http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-apipermissions.html
• AWS Security Blog (blogs.aws.amazon.com/security)
– http://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions
– http://blogs.aws.amazon.com/security/post/Tx29ZC3VE9SQGQM/Granting-Users-Permission-to-Work-in-the-Amazon-EC2-Console
• http://aws.amazon.com/iam
• https://forums.aws.amazon.com/forum.jspa?forumID=76
• Twitter: @AWSIdentity