SlideShare una empresa de Scribd logo

AWS IAM Primer and Serverless Application Security

Amazon Web Services
Amazon Web Services

This document discusses identity and access management for serverless applications. It provides an overview of AWS Identity and Access Management (IAM) including IAM users, groups, roles, and policies. It also discusses Amazon Cognito for user management and the WildRydes serverless application workshop which involves restricting access to an S3 bucket and setting up user authentication with Cognito user pools.

1 de 31
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Pop-up Loft Identity Round Robin Workshop Serverless Round – Static Hosted Website Jesse Fuchs Security Solutions Architect Amazon Web Services
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved What to expect from this round • AWS IAM Primer • Using Cognito for Application User Management • WildRydes Serverless Application • Group Exercise – Build Phase • Group Exercise – Verify Phase • Review and Discussion
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Considerations for layers of principals Operating Systems • Identities: Developers, and/or Systems Engineers Applications • Identities: Application Users, Application Administrators Amazon Web Services • Identities: Developers, Solutions Architects, Testers, Software/Platform • Interaction of AWS Identities: • Provisioning/deprovisioning EC2 instances and EBS storage. • Configuring Elastic Load Balancers. • Accessing S3 Objects or data in DynamoDB. • Accessing data in DynamoDB. • Interacting with SQS queues. • Sending SNS notifications. Amazon Web Services • Identities: Developers, Solutions Architects, Testers, Software/Platform • Interaction of AWS Identities: • Provisioning/deprovisioning EC2 instances and EBS storage. • Configuring Elastic Load Balancers. • Accessing S3 Objects or data in DynamoDB. • Accessing data in DynamoDB. • Interacting with SQS queues. • Sending SNS notifications.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Considerations for layers of principals Operating Systems • Identities: Developers, and/or Systems Engineers Applications • Identities: Application Users, Application Administrators Amazon Web Services • Identities: Developers, Solutions Architects, Testers, Software/Platform • Interaction of AWS Identities: • Provisioning/deprovisioning EC2 instances and EBS storage. • Configuring Elastic Load Balancers. • Accessing S3 Objects or data in DynamoDB. • Accessing data in DynamoDB. • Interacting with SQS queues. • Sending SNS notifications.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS Principals • Access to specific services. • Access to console and/or APIs. • Access to Customer Support (Business and Enterprise). AWS Identity and Access Management (IAM) • Access to all subscribed services. • Access to billing. • Access to console and APIs. • Access to Customer Support. Account Owner ID (Root Account)
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS Identity and Access Management (IAM) IAM Users IAM Groups IAM Roles Policies Enables you to control who can do what in your AWS account
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Policy Types Identity-based policies Resource-based policies Access Control Lists
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Policy Types Policy permission categories Permission policies Identity-based policies Resource- based policies Access controls lists (ACLs) Principal (implicit) Action Resource Condition JSON-formatted documents Attached to a principal (or identity) Contains a statement (permissions) that specifies: • what actions that identity can perform, on which resources, and under what conditions.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Policy Types Policy permission categories Permission policies Identity-based policies Resource- based policies Access controls lists (ACLs) Principal Action Resource Condition JSON-formatted documents Attached to a resource Contains a statement (permissions) that specifies: • what actions a specified principal can perform on that resource under what conditions.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Policy Types Policy permission categories Permission policies Identity-based policies Resource- based policies Access controls lists (ACLs) Manage access to buckets and objects Contains a Grantee and Permissions
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Identity-Based Policy Example AWS IAM Identity-Based Policy AWS IAM User (Alice) "Version": "2012-10-17" "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::examplebucket/*" } ]
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Identity-Based Policy Example AWS IAM Identity-Based Policy AWS IAM User (Alice) "Version": "2012-10-17" "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::examplebucket/*”, "Condition": { "StringEquals": { "s3:ExistingObjectTag/classification": ”sensitive" } } ]
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Resource-Based Policy Example AWS IAM Resource-Based Policy Amazon S3 Bucket "Version": "2012-10-17" "Statement": [ { "Effect": "Allow", ”Principal": { "AWS" : "*" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::examplebucket/*” } ]
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Resource-Based Policy Example AWS IAM Resource-Based Policy Amazon S3 Bucket "Version": "2012-10-17" "Statement": [ { "Effect": "Allow", ”Principal": { "AWS" : "*" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::examplebucket/*”, "Condition" : { "IpAddress" : { "aws:SourceIp": "192.168.143.0/24" }, } } ]
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Policy Evaluation Logic Decision starts at Deny Evaluate all applicable policies Explicit Deny? • AWS retrieves all policies associated with the user and resource. • Only policies that match the action and conditions are evaluated. No Explicit Allow? • By default, an implicit (default) deny is returned. Final decision =“deny” (default deny) No Final decision =“allow” • Access is granted if there is an explicit allow and no deny. Yes Final decision =“deny” • If a policy statement has a deny, it trumps all other policy statements. Yes
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Policy Evaluation Logic ACL Identity-Based Policy Resource-Based Policy AWS IAM Resource-Based Policy Amazon S3 Bucket AWS IAM Identity-Based Policy AWS IAM User (Alice) Effect: Allow Action: s3:GetObject Resource: * Effect: Deny Principal: * Action: s3:GetObject Resource: * Resulting Permission X GetObject
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Considerations for layers of principals Operating Systems • Identities: Developers, and/or Systems Engineers Applications • Identities: Application Users, Application Administrators Amazon Web Services • Identities: Developers, Solutions Architects, Testers, Software/Platform • Interaction of AWS Identities: • Provisioning/deprovisioning EC2 instances and EBS storage. • Configuring Elastic Load Balancers. • Accessing S3 Objects or data in DynamoDB. • Accessing data in DynamoDB. • Interacting with SQS queues. • Sending SNS notifications.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Amazon Cognito Security & Access User Ownership Experience Customer Relationships Identity for your web and mobile apps
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Amazon Cognito Federation Web and Mobile Apps Amazon Cognito Developers focus on what is special about their app Cognito handles auth and identity Managed User Directory AWS Credentials Hosted-UI Standard Tokens Cognito User Pools Cognito Identity Pools
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application What does serverless mean? No Server Management Flexible Scaling No Idle Capacity $ High Availability
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application Building blocks for serverless applications AWS Lambda Amazon DynamoDB Amazon SNS Amazon API Gateway Amazon SQS Amazon Kinesis Amazon S3 Orchestration and State Management API Proxy and GraphQL Messaging and Queues Analytics Monitoring and Debugging Compute Storage Database AWS X-RayAWS Step Functions Amazon Cognito User Management and IdP AWS AppSync Amazon Athena AWS Lambda@Edge
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application • Build Phase – Complete the access controls • Verify Phase – Validate the new controls S3 Bucket Static Website CloudFront Distribution End User HTML CSS JS (OVER HTTPS) Cognito User Pool NO APPLICATION USER MANAGEMENT HTML CSS JS (OVER HTTP)
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application Build Phase - Task 1 S3 Bucket Static Website CloudFront Distribution End User HTML CSS JS (OVER HTTPS) X Reduce the attack surface of your origin
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application Build Phase - Task 2 End User Authentication Cognito User Pool Cognito Hosted-UI Setup application user management Self sign-up Password complexity Email verification
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application Build Phase (1 hour) 1. Click on Level 300 2. Click on Identity Round-Robin Workshop 3. Click on Serverless Round https://awssecworkshops.com
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application Verify Phase (15 Minutes) 1. Click on Verify Phase at the bottom left https://awssecworkshops.com
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application Architecture S3 Bucket Static Website CloudFront Distribution End User HTML CSS JS (OVER HTTPS) X Authentication Cognito User Pool Cognito Hosted-UI Self sign-up Password complexity Email verification
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Review and Discussion How did you restrict access to the S3 Bucket?
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Review and Discussion What response type did you put in your Hosted-UI URL?
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Review and Discussion Where are your JWT Tokens stored?
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Pop-up Loft Thank You!

Recomendados

Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF LoftAdding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF LoftAmazon Web Services
 
re:Invent Recap: Security Week at the SF Loft
re:Invent Recap: Security Week at the SF Loftre:Invent Recap: Security Week at the SF Loft
re:Invent Recap: Security Week at the SF LoftAmazon Web Services
 
Evolve Your Incident Response Process and Powers for AWS
Evolve Your Incident Response Process and Powers for AWS Evolve Your Incident Response Process and Powers for AWS
Evolve Your Incident Response Process and Powers for AWS Amazon Web Services
 
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Amazon Web Services
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Amazon Web Services
 
AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview Amazon Web Services
 
Design, Deploy, & Optimize SQL Server Workloads
Design, Deploy, & Optimize SQL Server Workloads Design, Deploy, & Optimize SQL Server Workloads
Design, Deploy, & Optimize SQL Server Workloads Amazon Web Services
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWSAmazon Web Services
 

Recomendados

Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF LoftAdding the Sec to Your DevOps Pipelines: AWS Security Week at the SF Loft
Adding the Sec to Your DevOps Pipelines: AWS Security Week at the SF LoftAmazon Web Services
 
re:Invent Recap: Security Week at the SF Loft
re:Invent Recap: Security Week at the SF Loftre:Invent Recap: Security Week at the SF Loft
re:Invent Recap: Security Week at the SF LoftAmazon Web Services
 
Evolve Your Incident Response Process and Powers for AWS
Evolve Your Incident Response Process and Powers for AWS Evolve Your Incident Response Process and Powers for AWS
Evolve Your Incident Response Process and Powers for AWS Amazon Web Services
 
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Amazon Web Services
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Amazon Web Services
 
AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview Amazon Web Services
 
Design, Deploy, & Optimize SQL Server Workloads
Design, Deploy, & Optimize SQL Server Workloads Design, Deploy, & Optimize SQL Server Workloads
Design, Deploy, & Optimize SQL Server Workloads Amazon Web Services
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWSAmazon Web Services
 
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Amazon Web Services
 
Landing Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsLanding Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsAmazon Web Services
 
Bridgewater's Model-Based Verification of AWS Security Controls
Bridgewater's Model-Based Verification of AWS Security Controls Bridgewater's Model-Based Verification of AWS Security Controls
Bridgewater's Model-Based Verification of AWS Security Controls Amazon Web Services
 
Enterprise Security
Enterprise SecurityEnterprise Security
Enterprise SecurityAmazon Web Services
 
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...Amazon Web Services
 
Achieving Continuous Compliance with CTP and AWS
Achieving Continuous Compliance with CTP and AWS Achieving Continuous Compliance with CTP and AWS
Achieving Continuous Compliance with CTP and AWS Amazon Web Services
 
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...Amazon Web Services
 
Deep Dive on Serverless Application Development
Deep Dive on Serverless Application DevelopmentDeep Dive on Serverless Application Development
Deep Dive on Serverless Application DevelopmentAmazon Web Services
 
Setting Up a Landing Zone
Setting Up a Landing ZoneSetting Up a Landing Zone
Setting Up a Landing ZoneAmazon Web Services
 
Set Up a CI/CD Pipeline for Deploying Containers Using the AWS Developer Tool...
Set Up a CI/CD Pipeline for Deploying Containers Using the AWS Developer Tool...Set Up a CI/CD Pipeline for Deploying Containers Using the AWS Developer Tool...
Set Up a CI/CD Pipeline for Deploying Containers Using the AWS Developer Tool...Amazon Web Services
 
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Amazon Web Services
 
Building a Hybrid Cloud Architecture Utilizing AWS Landing Zones
Building a Hybrid Cloud Architecture Utilizing AWS Landing ZonesBuilding a Hybrid Cloud Architecture Utilizing AWS Landing Zones
Building a Hybrid Cloud Architecture Utilizing AWS Landing ZonesTom Laszewski
 
01 aw some day_main track_aws basics
01 aw some day_main track_aws basics01 aw some day_main track_aws basics
01 aw some day_main track_aws basicsAmazon Web Services Germany GmbH
 
AWS Lambda use cases and best practices - Builders Day Israel
AWS Lambda use cases and best practices - Builders Day IsraelAWS Lambda use cases and best practices - Builders Day Israel
AWS Lambda use cases and best practices - Builders Day IsraelAmazon Web Services
 
Multi-Account Strategy and Security with Centrica Hive
Multi-Account Strategy and Security with Centrica HiveMulti-Account Strategy and Security with Centrica Hive
Multi-Account Strategy and Security with Centrica HiveAmazon Web Services
 
Deep Dive on AWS Single Sign-On - AWS Online Tech Talks
Deep Dive on AWS Single Sign-On - AWS Online Tech TalksDeep Dive on AWS Single Sign-On - AWS Online Tech Talks
Deep Dive on AWS Single Sign-On - AWS Online Tech TalksAmazon Web Services
 
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...Amazon Web Services
 
Module 1 - AWSome Day Online Conference Thailand
Module 1 - AWSome Day Online Conference Thailand Module 1 - AWSome Day Online Conference Thailand
Module 1 - AWSome Day Online Conference Thailand Amazon Web Services
 
Protect your applications from DDoS/BOT & Advanced Attacks
Protect your applications from DDoS/BOT & Advanced AttacksProtect your applications from DDoS/BOT & Advanced Attacks
Protect your applications from DDoS/BOT & Advanced AttacksAmazon Web Services
 
Federation & Access Management
Federation & Access ManagementFederation & Access Management
Federation & Access ManagementAmazon Web Services
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAMAmazon Web Services
 
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...Amazon Web Services
 

Más contenido relacionado

La actualidad más candente

Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Amazon Web Services
 
Landing Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsLanding Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsAmazon Web Services
 
Bridgewater's Model-Based Verification of AWS Security Controls
Bridgewater's Model-Based Verification of AWS Security Controls Bridgewater's Model-Based Verification of AWS Security Controls
Bridgewater's Model-Based Verification of AWS Security Controls Amazon Web Services
 
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...Amazon Web Services
 
Achieving Continuous Compliance with CTP and AWS
Achieving Continuous Compliance with CTP and AWS Achieving Continuous Compliance with CTP and AWS
Achieving Continuous Compliance with CTP and AWS Amazon Web Services
 
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...Amazon Web Services
 
Deep Dive on Serverless Application Development
Deep Dive on Serverless Application DevelopmentDeep Dive on Serverless Application Development
Deep Dive on Serverless Application DevelopmentAmazon Web Services
 
Set Up a CI/CD Pipeline for Deploying Containers Using the AWS Developer Tool...
Set Up a CI/CD Pipeline for Deploying Containers Using the AWS Developer Tool...Set Up a CI/CD Pipeline for Deploying Containers Using the AWS Developer Tool...
Set Up a CI/CD Pipeline for Deploying Containers Using the AWS Developer Tool...Amazon Web Services
 
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Amazon Web Services
 
Building a Hybrid Cloud Architecture Utilizing AWS Landing Zones
Building a Hybrid Cloud Architecture Utilizing AWS Landing ZonesBuilding a Hybrid Cloud Architecture Utilizing AWS Landing Zones
Building a Hybrid Cloud Architecture Utilizing AWS Landing ZonesTom Laszewski
 
AWS Lambda use cases and best practices - Builders Day Israel
AWS Lambda use cases and best practices - Builders Day IsraelAWS Lambda use cases and best practices - Builders Day Israel
AWS Lambda use cases and best practices - Builders Day IsraelAmazon Web Services
 
Multi-Account Strategy and Security with Centrica Hive
Multi-Account Strategy and Security with Centrica HiveMulti-Account Strategy and Security with Centrica Hive
Multi-Account Strategy and Security with Centrica HiveAmazon Web Services
 
Deep Dive on AWS Single Sign-On - AWS Online Tech Talks
Deep Dive on AWS Single Sign-On - AWS Online Tech TalksDeep Dive on AWS Single Sign-On - AWS Online Tech Talks
Deep Dive on AWS Single Sign-On - AWS Online Tech TalksAmazon Web Services
 
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...Amazon Web Services
 
Module 1 - AWSome Day Online Conference Thailand
Module 1 - AWSome Day Online Conference Thailand Module 1 - AWSome Day Online Conference Thailand
Module 1 - AWSome Day Online Conference Thailand Amazon Web Services
 
Protect your applications from DDoS/BOT & Advanced Attacks
Protect your applications from DDoS/BOT & Advanced AttacksProtect your applications from DDoS/BOT & Advanced Attacks
Protect your applications from DDoS/BOT & Advanced AttacksAmazon Web Services
 

La actualidad más candente (20)

Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
 
Landing Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS MigrationsLanding Zones - Creating a Foundation for Your AWS Migrations
Landing Zones - Creating a Foundation for Your AWS Migrations
 
Bridgewater's Model-Based Verification of AWS Security Controls
Bridgewater's Model-Based Verification of AWS Security Controls Bridgewater's Model-Based Verification of AWS Security Controls
Bridgewater's Model-Based Verification of AWS Security Controls
 
Enterprise Security
Enterprise SecurityEnterprise Security
Enterprise Security
 
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...
Module 3: Security, Architecting Best Practices, Pricing, Partner Solutions, ...
 
Achieving Continuous Compliance with CTP and AWS
Achieving Continuous Compliance with CTP and AWS Achieving Continuous Compliance with CTP and AWS
Achieving Continuous Compliance with CTP and AWS
 
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
 
Deep Dive on Serverless Application Development
Deep Dive on Serverless Application DevelopmentDeep Dive on Serverless Application Development
Deep Dive on Serverless Application Development
 
Setting Up a Landing Zone
Setting Up a Landing ZoneSetting Up a Landing Zone
Setting Up a Landing Zone
 
Set Up a CI/CD Pipeline for Deploying Containers Using the AWS Developer Tool...
Set Up a CI/CD Pipeline for Deploying Containers Using the AWS Developer Tool...Set Up a CI/CD Pipeline for Deploying Containers Using the AWS Developer Tool...
Set Up a CI/CD Pipeline for Deploying Containers Using the AWS Developer Tool...
 
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
 
Building a Hybrid Cloud Architecture Utilizing AWS Landing Zones
Building a Hybrid Cloud Architecture Utilizing AWS Landing ZonesBuilding a Hybrid Cloud Architecture Utilizing AWS Landing Zones
Building a Hybrid Cloud Architecture Utilizing AWS Landing Zones
 
01 aw some day_main track_aws basics
01 aw some day_main track_aws basics01 aw some day_main track_aws basics
01 aw some day_main track_aws basics
 
AWS Lambda use cases and best practices - Builders Day Israel
AWS Lambda use cases and best practices - Builders Day IsraelAWS Lambda use cases and best practices - Builders Day Israel
AWS Lambda use cases and best practices - Builders Day Israel
 
Multi-Account Strategy and Security with Centrica Hive
Multi-Account Strategy and Security with Centrica HiveMulti-Account Strategy and Security with Centrica Hive
Multi-Account Strategy and Security with Centrica Hive
 
Deep Dive on AWS Single Sign-On - AWS Online Tech Talks
Deep Dive on AWS Single Sign-On - AWS Online Tech TalksDeep Dive on AWS Single Sign-On - AWS Online Tech Talks
Deep Dive on AWS Single Sign-On - AWS Online Tech Talks
 
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
 
Module 1 - AWSome Day Online Conference Thailand
Module 1 - AWSome Day Online Conference Thailand Module 1 - AWSome Day Online Conference Thailand
Module 1 - AWSome Day Online Conference Thailand
 
Protect your applications from DDoS/BOT & Advanced Attacks
Protect your applications from DDoS/BOT & Advanced AttacksProtect your applications from DDoS/BOT & Advanced Attacks
Protect your applications from DDoS/BOT & Advanced Attacks
 
Federation & Access Management
Federation & Access ManagementFederation & Access Management
Federation & Access Management
 

Similar a AWS IAM Primer and Serverless Application Security

IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...Amazon Web Services
 
Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Amazon Web Services
 
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...Amazon Web Services
 
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018Amazon Web Services
 
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...Amazon Web Services
 
Module 3 - AWSome Day Online Conference 2018
Module 3 - AWSome Day Online Conference 2018Module 3 - AWSome Day Online Conference 2018
Module 3 - AWSome Day Online Conference 2018Amazon Web Services
 
Serverless Architectural Patterns
Serverless Architectural PatternsServerless Architectural Patterns
Serverless Architectural PatternsAmazon Web Services
 
Understanding the Critical Building Blocks of AWS Identity and Governance
Understanding the Critical Building Blocks of AWS Identity and GovernanceUnderstanding the Critical Building Blocks of AWS Identity and Governance
Understanding the Critical Building Blocks of AWS Identity and GovernanceAmazon Web Services
 
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Amazon Web Services
 
Security Automation using AWS Management Tools
Security Automation using AWS Management ToolsSecurity Automation using AWS Management Tools
Security Automation using AWS Management ToolsAmazon Web Services
 
Serverless Architectural Patterns and Best Practices (ARC305-R2) - AWS re:Inv...
Serverless Architectural Patterns and Best Practices (ARC305-R2) - AWS re:Inv...Serverless Architectural Patterns and Best Practices (ARC305-R2) - AWS re:Inv...
Serverless Architectural Patterns and Best Practices (ARC305-R2) - AWS re:Inv...Amazon Web Services
 
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Amazon Web Services
 
Building API-Driven Microservices with Amazon API Gateway - AWS Online Tech T...
Building API-Driven Microservices with Amazon API Gateway - AWS Online Tech T...Building API-Driven Microservices with Amazon API Gateway - AWS Online Tech T...
Building API-Driven Microservices with Amazon API Gateway - AWS Online Tech T...Amazon Web Services
 
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...Amazon Web Services
 
Serverless Architectural Patterns
Serverless Architectural PatternsServerless Architectural Patterns
Serverless Architectural PatternsAmazon Web Services
 
Serverless Architectural Patterns
Serverless Architectural PatternsServerless Architectural Patterns
Serverless Architectural PatternsAdrian Hornsby
 
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Amazon Web Services
 
Visualise and Voice-Enable Your Security
Visualise and Voice-Enable Your SecurityVisualise and Voice-Enable Your Security
Visualise and Voice-Enable Your SecurityAmazon Web Services
 
從業人員指南-如何像技術專家一樣守護您的雲端安全
從業人員指南-如何像技術專家一樣守護您的雲端安全從業人員指南-如何像技術專家一樣守護您的雲端安全
從業人員指南-如何像技術專家一樣守護您的雲端安全Amazon Web Services
 

Similar a AWS IAM Primer and Serverless Application Security (20)

Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
 
Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...
 
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
 
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
 
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...
 
Module 3 - AWSome Day Online Conference 2018
Module 3 - AWSome Day Online Conference 2018Module 3 - AWSome Day Online Conference 2018
Module 3 - AWSome Day Online Conference 2018
 
Serverless Architectural Patterns
Serverless Architectural PatternsServerless Architectural Patterns
Serverless Architectural Patterns
 
Understanding the Critical Building Blocks of AWS Identity and Governance
Understanding the Critical Building Blocks of AWS Identity and GovernanceUnderstanding the Critical Building Blocks of AWS Identity and Governance
Understanding the Critical Building Blocks of AWS Identity and Governance
 
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
 
Security Automation using AWS Management Tools
Security Automation using AWS Management ToolsSecurity Automation using AWS Management Tools
Security Automation using AWS Management Tools
 
Serverless Architectural Patterns and Best Practices (ARC305-R2) - AWS re:Inv...
Serverless Architectural Patterns and Best Practices (ARC305-R2) - AWS re:Inv...Serverless Architectural Patterns and Best Practices (ARC305-R2) - AWS re:Inv...
Serverless Architectural Patterns and Best Practices (ARC305-R2) - AWS re:Inv...
 
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
 
Building API-Driven Microservices with Amazon API Gateway - AWS Online Tech T...
Building API-Driven Microservices with Amazon API Gateway - AWS Online Tech T...Building API-Driven Microservices with Amazon API Gateway - AWS Online Tech T...
Building API-Driven Microservices with Amazon API Gateway - AWS Online Tech T...
 
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
 
Serverless Architectural Patterns
Serverless Architectural PatternsServerless Architectural Patterns
Serverless Architectural Patterns
 
Serverless Architectural Patterns
Serverless Architectural PatternsServerless Architectural Patterns
Serverless Architectural Patterns
 
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
 
Visualise and Voice-Enable Your Security
Visualise and Voice-Enable Your SecurityVisualise and Voice-Enable Your Security
Visualise and Voice-Enable Your Security
 
從業人員指南-如何像技術專家一樣守護您的雲端安全
從業人員指南-如何像技術專家一樣守護您的雲端安全從業人員指南-如何像技術專家一樣守護您的雲端安全
從業人員指南-如何像技術專家一樣守護您的雲端安全
 

Más de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Más de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

AWS IAM Primer and Serverless Application Security

  • 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Pop-up Loft Identity Round Robin Workshop Serverless Round – Static Hosted Website Jesse Fuchs Security Solutions Architect Amazon Web Services
  • 2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved What to expect from this round • AWS IAM Primer • Using Cognito for Application User Management • WildRydes Serverless Application • Group Exercise – Build Phase • Group Exercise – Verify Phase • Review and Discussion
  • 3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Considerations for layers of principals Operating Systems • Identities: Developers, and/or Systems Engineers Applications • Identities: Application Users, Application Administrators Amazon Web Services • Identities: Developers, Solutions Architects, Testers, Software/Platform • Interaction of AWS Identities: • Provisioning/deprovisioning EC2 instances and EBS storage. • Configuring Elastic Load Balancers. • Accessing S3 Objects or data in DynamoDB. • Accessing data in DynamoDB. • Interacting with SQS queues. • Sending SNS notifications. Amazon Web Services • Identities: Developers, Solutions Architects, Testers, Software/Platform • Interaction of AWS Identities: • Provisioning/deprovisioning EC2 instances and EBS storage. • Configuring Elastic Load Balancers. • Accessing S3 Objects or data in DynamoDB. • Accessing data in DynamoDB. • Interacting with SQS queues. • Sending SNS notifications.
  • 4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Considerations for layers of principals Operating Systems • Identities: Developers, and/or Systems Engineers Applications • Identities: Application Users, Application Administrators Amazon Web Services • Identities: Developers, Solutions Architects, Testers, Software/Platform • Interaction of AWS Identities: • Provisioning/deprovisioning EC2 instances and EBS storage. • Configuring Elastic Load Balancers. • Accessing S3 Objects or data in DynamoDB. • Accessing data in DynamoDB. • Interacting with SQS queues. • Sending SNS notifications.
  • 5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS Principals • Access to specific services. • Access to console and/or APIs. • Access to Customer Support (Business and Enterprise). AWS Identity and Access Management (IAM) • Access to all subscribed services. • Access to billing. • Access to console and APIs. • Access to Customer Support. Account Owner ID (Root Account)
  • 6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS Identity and Access Management (IAM) IAM Users IAM Groups IAM Roles Policies Enables you to control who can do what in your AWS account
  • 7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Policy Types Identity-based policies Resource-based policies Access Control Lists
  • 8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Policy Types Policy permission categories Permission policies Identity-based policies Resource- based policies Access controls lists (ACLs) Principal (implicit) Action Resource Condition JSON-formatted documents Attached to a principal (or identity) Contains a statement (permissions) that specifies: • what actions that identity can perform, on which resources, and under what conditions.
  • 9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Policy Types Policy permission categories Permission policies Identity-based policies Resource- based policies Access controls lists (ACLs) Principal Action Resource Condition JSON-formatted documents Attached to a resource Contains a statement (permissions) that specifies: • what actions a specified principal can perform on that resource under what conditions.
  • 10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Policy Types Policy permission categories Permission policies Identity-based policies Resource- based policies Access controls lists (ACLs) Manage access to buckets and objects Contains a Grantee and Permissions
  • 11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Identity-Based Policy Example AWS IAM Identity-Based Policy AWS IAM User (Alice) "Version": "2012-10-17" "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::examplebucket/*" } ]
  • 12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Identity-Based Policy Example AWS IAM Identity-Based Policy AWS IAM User (Alice) "Version": "2012-10-17" "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::examplebucket/*”, "Condition": { "StringEquals": { "s3:ExistingObjectTag/classification": ”sensitive" } } ]
  • 13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Resource-Based Policy Example AWS IAM Resource-Based Policy Amazon S3 Bucket "Version": "2012-10-17" "Statement": [ { "Effect": "Allow", ”Principal": { "AWS" : "*" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::examplebucket/*” } ]
  • 14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Resource-Based Policy Example AWS IAM Resource-Based Policy Amazon S3 Bucket "Version": "2012-10-17" "Statement": [ { "Effect": "Allow", ”Principal": { "AWS" : "*" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::examplebucket/*”, "Condition" : { "IpAddress" : { "aws:SourceIp": "192.168.143.0/24" }, } } ]
  • 15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Policy Evaluation Logic Decision starts at Deny Evaluate all applicable policies Explicit Deny? • AWS retrieves all policies associated with the user and resource. • Only policies that match the action and conditions are evaluated. No Explicit Allow? • By default, an implicit (default) deny is returned. Final decision =“deny” (default deny) No Final decision =“allow” • Access is granted if there is an explicit allow and no deny. Yes Final decision =“deny” • If a policy statement has a deny, it trumps all other policy statements. Yes
  • 16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved AWS IAM Policy Evaluation Logic ACL Identity-Based Policy Resource-Based Policy AWS IAM Resource-Based Policy Amazon S3 Bucket AWS IAM Identity-Based Policy AWS IAM User (Alice) Effect: Allow Action: s3:GetObject Resource: * Effect: Deny Principal: * Action: s3:GetObject Resource: * Resulting Permission X GetObject
  • 17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Considerations for layers of principals Operating Systems • Identities: Developers, and/or Systems Engineers Applications • Identities: Application Users, Application Administrators Amazon Web Services • Identities: Developers, Solutions Architects, Testers, Software/Platform • Interaction of AWS Identities: • Provisioning/deprovisioning EC2 instances and EBS storage. • Configuring Elastic Load Balancers. • Accessing S3 Objects or data in DynamoDB. • Accessing data in DynamoDB. • Interacting with SQS queues. • Sending SNS notifications.
  • 18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Amazon Cognito Security & Access User Ownership Experience Customer Relationships Identity for your web and mobile apps
  • 19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Amazon Cognito Federation Web and Mobile Apps Amazon Cognito Developers focus on what is special about their app Cognito handles auth and identity Managed User Directory AWS Credentials Hosted-UI Standard Tokens Cognito User Pools Cognito Identity Pools
  • 20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application What does serverless mean? No Server Management Flexible Scaling No Idle Capacity $ High Availability
  • 21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application Building blocks for serverless applications AWS Lambda Amazon DynamoDB Amazon SNS Amazon API Gateway Amazon SQS Amazon Kinesis Amazon S3 Orchestration and State Management API Proxy and GraphQL Messaging and Queues Analytics Monitoring and Debugging Compute Storage Database AWS X-RayAWS Step Functions Amazon Cognito User Management and IdP AWS AppSync Amazon Athena AWS Lambda@Edge
  • 22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application • Build Phase – Complete the access controls • Verify Phase – Validate the new controls S3 Bucket Static Website CloudFront Distribution End User HTML CSS JS (OVER HTTPS) Cognito User Pool NO APPLICATION USER MANAGEMENT HTML CSS JS (OVER HTTP)
  • 23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application Build Phase - Task 1 S3 Bucket Static Website CloudFront Distribution End User HTML CSS JS (OVER HTTPS) X Reduce the attack surface of your origin
  • 24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application Build Phase - Task 2 End User Authentication Cognito User Pool Cognito Hosted-UI Setup application user management Self sign-up Password complexity Email verification
  • 25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application Build Phase (1 hour) 1. Click on Level 300 2. Click on Identity Round-Robin Workshop 3. Click on Serverless Round https://awssecworkshops.com
  • 26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application Verify Phase (15 Minutes) 1. Click on Verify Phase at the bottom left https://awssecworkshops.com
  • 27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved WildRydes Serverless Application Architecture S3 Bucket Static Website CloudFront Distribution End User HTML CSS JS (OVER HTTPS) X Authentication Cognito User Pool Cognito Hosted-UI Self sign-up Password complexity Email verification
  • 28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Review and Discussion How did you restrict access to the S3 Bucket?
  • 29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Review and Discussion What response type did you put in your Hosted-UI URL?
  • 30. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Review and Discussion Where are your JWT Tokens stored?
  • 31. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved Pop-up Loft Thank You!