Ever wondered how to help secure your AWS environment? This session explains a series of best practices that help you do just that with AWS Identity and Access Management (IAM). We discuss how to create great access policies; manage security credentials (access keys, password, multi-factor authentication (MFA) devices, etc.); how to set up least privilege; how to minimize the use of your root account, and much, much more.
15. MFA
{
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:TerminateInstances"],
    "Resource": ["*"],
    "Condition": {
      "Null": {"aws:MultiFactorAuthAge": "false"}
    }
  }]
}
Enables a user to terminate EC2 instances only if the user has authenticated with their MFA device.
SSL
{
  "Statement": [{
    "Effect": "Allow",
    "Action": "iam:*AccessKey*",
    "Resource": "arn:aws:iam::123456789012:user/*",
    "Condition": {
      "Bool": {"aws:SecureTransport": "true"}
    }
  }]
}
Enables a user to manage access keys for all IAM users only if the user is coming over SSL.
SourceIP
{
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:TerminateInstances"],
    "Resource": ["*"],
    "Condition": {
      "IpAddress": {"aws:SourceIP": "192.168.176.0/24"}
    }
  }]
}
Enables a user to terminate EC2 instances only if the user is accessing Amazon EC2 from the 192.168.176.0/24 address range.
Tags
{
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:TerminateInstances",
    "Resource": "*",
    "Condition": {
      "StringEquals": {"ec2:ResourceTag/Environment": "Dev"}
    }
  }]
}
Enables a user to terminate EC2 instances only if the instance is tagged with "Environment=Dev".
{ "Sid": "ThisBitGrantsAccessToResourcesForTerminateInstances", "Effect": "Allow", "Action":"ec2:TerminateInstances", "Resource": "*", "Condition": { "StringEquals": {"ec2:ResourceTag/Environment":
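An added example, not from the slides, showing how the four conditions above gate a request: a small Python evaluator for the Null, Bool, IpAddress and StringEquals operators, run against the slide policies and constructed request contexts. It models only the condition semantics (Resource matching and the rest of IAM's evaluation logic are ignored).

```python
import fnmatch
import ipaddress

ACTION = "ec2:TerminateInstances"

# Statements copied from the slides (only the fields the evaluator reads).
MFA_POLICY = {"Effect": "Allow", "Action": [ACTION], "Resource": ["*"],
              "Condition": {"Null": {"aws:MultiFactorAuthAge": "false"}}}
SSL_POLICY = {"Effect": "Allow", "Action": "iam:*AccessKey*", "Resource": "*",
              "Condition": {"Bool": {"aws:SecureTransport": "true"}}}
IP_POLICY = {"Effect": "Allow", "Action": [ACTION], "Resource": ["*"],
             "Condition": {"IpAddress": {"aws:SourceIP": "192.168.176.0/24"}}}
TAG_POLICY = {"Effect": "Allow", "Action": ACTION, "Resource": "*",
              "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Dev"}}}


def condition_matches(operator, expected, actual):
    """Evaluate one condition operator against the value seen in the request."""
    if operator == "Null":
        # "Null": {key: "false"} requires the key to be PRESENT. IAM only sets
        # aws:MultiFactorAuthAge when the caller authenticated with MFA.
        return (actual is None) == (expected.lower() == "true")
    if actual is None:  # every other operator fails when the key is absent
        return False
    if operator == "Bool":
        return str(actual).lower() == expected.lower()
    if operator == "StringEquals":
        return actual == expected
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    raise ValueError(f"operator {operator} is not modelled here")


def statement_allows(statement, action, context):
    """True if this Allow statement grants `action` for the request `context`.
    Context keys match case-insensitively, as IAM does, so the slide's
    aws:SourceIP and a request's aws:SourceIp are the same key."""
    ctx = {k.lower(): v for k, v in context.items()}
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    if statement.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatch(action.lower(), p.lower()) for p in patterns):
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not condition_matches(operator, expected, ctx.get(key.lower())):
                return False
    return True
```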
17. 4. Enable AWS CloudTrail to get logs of API calls
Benefits
• Visibility into your user activity by recording AWS API calls to an Amazon S3 bucket
How to get started
• Set up an Amazon S3 bucket
• Enable AWS CloudTrail
Ensure the services you want are integrated with AWS CloudTrail.
23. (enable password rotation sample policy)
Password
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "iam:ChangePassword",
    "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
  }]
}
Enforcing a password policy will automatically enable IAM users to manage their passwords.
Note the use of a policy variable (${aws:username}).
25. (enable access key rotation sample policy)
Access Keys
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "iam:CreateAccessKey",
      "iam:DeleteAccessKey",
      "iam:ListAccessKeys",
      "iam:UpdateAccessKey"
    ],
    "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
  }]
}
Steps to rotate access keys
1. While the first set of credentials is still active, create a second set of credentials, which will also be active by default.
2. Update all applications to use the new credentials.
3. Change the state of the first set of credentials to Inactive.
4. Using only the new credentials, confirm that your applications are working well.
5. Delete the first set of credentials.
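The five rotation steps as one Python function, added here as an example and not the deck's own code. The `iam` argument can be boto3's IAM client (`boto3.client("iam")`), which exposes the four calls used; `FakeIam` is a constructed in-memory stand-in so the flow runs offline, and the rollback when the step 4 check fails is an addition beyond the slide's list.

```python
from dataclasses import dataclass, field


@dataclass
class FakeIam:
    """Constructed offline imitation of the four boto3 IAM calls used below."""
    keys: dict = field(default_factory=dict)  # AccessKeyId -> Status
    counter: int = 0

    def create_access_key(self, UserName):
        self.counter += 1
        key_id = f"AKIAEXAMPLE{self.counter:04d}"  # constructed id, not a real key
        self.keys[key_id] = "Active"               # new keys are Active by default
        return {"AccessKey": {"AccessKeyId": key_id,
                              "SecretAccessKey": "constructed-secret"}}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.items()]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def rotate_access_key(iam, user, old_key_id, deploy, healthy):
    """Rotate `old_key_id` for `user` following the slide's five steps.

    deploy(new_id, new_secret) pushes the credentials to the applications;
    healthy() reports whether they work using the new key alone.
    Returns the new key id. On a failed check the old key is re-enabled and
    the new one removed, so the user is never left with a broken key set."""
    new = iam.create_access_key(UserName=user)["AccessKey"]            # step 1
    deploy(new["AccessKeyId"], new["SecretAccessKey"])                 # step 2
    iam.update_access_key(UserName=user, AccessKeyId=old_key_id,
                          Status="Inactive")                           # step 3
    if not healthy():                                                  # step 4
        iam.update_access_key(UserName=user, AccessKeyId=old_key_id,
                              Status="Active")
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("applications failed on the new key; rolled back")
    iam.delete_access_key(UserName=user, AccessKeyId=old_key_id)       # step 5
    return new["AccessKeyId"]
```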
29. Benefits How to get started
ExternalID
IMPORTANT NOTE: Never share credentials.
30. prod@example.com, Acct ID: 111122223333
Permissions assigned to ddb-role:
{ "Statement": [{
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:BatchGetItem",
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:DescribeTable",
      "dynamodb:ListTables"
    ],
    "Effect": "Allow",
    "Resource": "*"
}]}
Trust relationship of ddb-role (ddb-role trusts IAM users from the AWS account dev@example.com (123456789012)):
{ "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "123456789012"},
    "Action": "sts:AssumeRole"
}]}
dev@example.com, Acct ID: 123456789012, IAM user: Jeff
Permissions assigned to Jeff granting him permission to assume ddb-role in account B:
{ "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111122223333:role/ddb-role"
}]}
Flow (via STS):
1. Authenticate with Jeff's access keys.
2. Get temporary security credentials for ddb-role.
3. Call AWS APIs using the temporary security credentials of ddb-role.
[Figure: External access. A user authenticates with tokens from Login With Amazon, Google, Facebook, OpenID Connect or SAML, then obtains credentials through STS.]
41. Related sessions (session, when, where)
SEC302 – Delegating Access to your AWS Environment: Wednesday 11/12, 2.15pm, Palazzo J
SEC304 – Bring Your Own Identities – Federating Access to your AWS Environment: Wednesday 11/12, 4.30pm, Palazzo J
SEC303 – Mastering Access Control Policies: Thursday 11/13, 3.15pm, Palazzo J
SEC306 – Turn on CloudTrail. Log API Activity in your AWS account: Thursday 11/13, 3.15pm, Lando 4305
MBL401 – Social Logins for Mobile Apps with Amazon Cognito: Thursday 11/13, 3.15pm, Palazzo B
42. Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals