Module 3: Security, Identity and Access Management - AWSome Day Online Conference APAC
3. AWS Shared Responsibility Model
Diagram: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).
AWS is responsible for the security OF the cloud.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
4. AWS Shared Responsibility Model
Customers are responsible for security IN the cloud:
• Customer Applications & Content
• Platform, Applications, Identity, and Access Management
• Operating System, Network, and Firewall Configuration
• Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
AWS is responsible for the security OF the cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
5. Physical Security
• 24/7 trained security staff
• AWS data centers in nondescript and undisclosed facilities
• Two-factor authentication for authorized staff
• Authorization for data center access
6. Hardware, Software, and Network
• Automated change-control process
• Bastion servers that record all access attempts
• Firewall and other boundary devices
• AWS monitoring tools
7. Certifications and Accreditations
ISO 9001, ISO 27001, ISO 27017, ISO 27018, IRAP (Australia), MLPS Level 3 (China), MTCS Tier 3 Certification (Singapore) and more …
8. SSL Endpoints
• SSL Endpoints (Secure Transmission): use secure endpoints to establish secure communication sessions (HTTPS).
• Security Groups (Instance Firewalls): use security groups to configure firewall rules for instances.
• VPC (Network Control): use public and private subnets, NAT, and VPN support in your virtual private cloud to create low-level networking constraints for resource access.
9. Security Groups
• Security Groups (Instance Firewalls): use security groups to configure firewall rules for instances.
10. AWS Multi-Tier Security Groups
Diagram: three tiers, each in its own security group. Internet → Web Tier security group (www servers) → Application Tier security group (app servers, reached over the api port) → Database Tier security group (db servers). The Corporate Admin Network reaches the instances over ssh/rdp. All other ports are blocked.
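The diagram's rule is that each tier accepts traffic only from the tier in front of it (by referencing that tier's security group rather than an IP range), that only the web tier is reachable from the Internet, and that ssh/rdp is open only to the corporate admin network. The following Python, an added example and not code from the slide deck, audits security groups against that model. The group IDs, ports and the 203.0.113.0/24 admin range are constructed; the input mirrors the shape of `aws ec2 describe-security-groups` output, and one deliberately wrong db-tier rule is planted so the audit has something to report.

```python
import ipaddress

# Constructed values: hypothetical group IDs and a documentation-range CIDR
# standing in for the corporate admin network.
CORPORATE_ADMIN_CIDR = "203.0.113.0/24"
ADMIN_PORTS = {22, 3389}  # ssh / rdp, allowed only from the admin network

# Tier model from the diagram: which source security groups each tier may
# accept, and which ports (if any) may be opened to CIDR ranges.
TIER_POLICY = {
    "sg-web": {"groups": set(), "cidr_ports": {443}},      # Internet-facing
    "sg-app": {"groups": {"sg-web"}, "cidr_ports": set()},  # api from web tier only
    "sg-db": {"groups": {"sg-app"}, "cidr_ports": set()},   # db from app tier only
}

# Constructed groups in the shape of `aws ec2 describe-security-groups` output,
# trimmed to the fields the audit reads. The last db-tier rule is a planted
# misconfiguration (database port open to the whole Internet).
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": CORPORATE_ADMIN_CIDR}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": CORPORATE_ADMIN_CIDR}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
]


def _ports(perm):
    """Port range of one permission entry; None means all protocols and ports."""
    if perm["IpProtocol"] == "-1":
        return None
    return range(perm["FromPort"], perm["ToPort"] + 1)


def audit_security_groups(groups, tier_policy, admin_cidr, admin_ports=ADMIN_PORTS):
    """Return one finding string per ingress rule that breaks the tier model."""
    findings = []
    admin_net = ipaddress.ip_network(admin_cidr)
    for sg in groups:
        gid = sg["GroupId"]
        allowed = tier_policy.get(gid)
        if allowed is None:
            findings.append(f"{gid}: not assigned to any tier")
            continue
        for perm in sg["IpPermissions"]:
            ports = _ports(perm)
            if ports is None:
                findings.append(f"{gid}: allows all protocols and ports")
                continue
            span = f"{ports.start}-{ports.stop - 1}"
            # Group-to-group rules: only the tier directly in front may connect.
            for pair in perm["UserIdGroupPairs"]:
                if pair["GroupId"] not in allowed["groups"]:
                    findings.append(f"{gid}: ingress from unexpected group {pair['GroupId']} on {span}")
            # CIDR rules: admin ports from inside the admin network, or the
            # tier's published ports (web tier 443); anything else is a finding.
            for rng in perm["IpRanges"]:
                net = ipaddress.ip_network(rng["CidrIp"])
                if all(p in admin_ports for p in ports) and net.subnet_of(admin_net):
                    continue
                if all(p in allowed["cidr_ports"] for p in ports):
                    continue
                findings.append(f"{gid}: CIDR {rng['CidrIp']} may reach ports {span}")
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SECURITY_GROUPS, TIER_POLICY, CORPORATE_ADMIN_CIDR):
        print(finding)
```

Run against the constructed input, the audit reports exactly the planted rule (`sg-db: CIDR 0.0.0.0/0 may reach ports 3306-3306`); feeding it real `describe-security-groups` JSON only requires mapping your group IDs into `TIER_POLICY`.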
11. AWS Identity and Access Management (IAM)
With AWS IAM you can:
1. Manage AWS IAM users and their access
2. Manage AWS IAM roles and their permissions
3. Manage federated users and their permissions
12. AWS IAM Authentication
• Authentication
  • AWS Management Console: user name and password (IAM user)
13. AWS IAM Authentication
• Authentication
  • AWS CLI or SDK API: access key and secret key (IAM user)
    Access Key ID: AKIAIOSFODNN7EXAMPLE
    Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  (Diagram: AWS CLI; AWS SDK & API for Java, Python, .NET)
14. AWS IAM User Management - Groups
Diagram: an AWS Account containing a DevOps Group and a TestDev Group, with User A, User B, User C and User D placed into the groups.
15. AWS IAM Authorization
Authorization
• Policies:
  • Are JSON documents that describe permissions.
  • Are assigned to users, groups, or roles.
(Diagram: IAM User, IAM Group, IAM Roles)
16. AWS IAM Policy Elements
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1453690971587",
      "Action": [
        "ec2:Describe*",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "54.64.34.65/32"
        }
      }
    },
    {
      "Sid": "Stmt1453690998327",
      "Action": [
        "s3:GetObject*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::example_bucket/*"
    }
  ]
}
(Caption: IAM Policy)
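To make the policy elements concrete, here is an added example (not AWS's evaluation engine and not code from the deck): a deliberately small evaluator that applies the slide's policy to a request. It implements the parts the policy uses, wildcard matching in `Action` (case-insensitive) and `Resource`, the `IpAddress` condition, default deny, and explicit deny winning over allow. It does not model `NotAction`/`NotResource`, permission boundaries, service control policies or resource-based policies, so it is for reasoning about a single identity policy only. The instance ARN and source IPs used to exercise it are constructed.

```python
import ipaddress
import re

# The policy from the slide, with straight quotes.
SLIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1453690971587",
            "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": "54.64.34.65/32"}},
        },
        {
            "Sid": "Stmt1453690998327",
            "Action": ["s3:GetObject*"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::example_bucket/*",
        },
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """Every operator/key pair must hold; a missing context key or an operator
    this evaluator does not know never holds (fail closed)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                         for cidr in _as_list(expected))
            elif operator == "StringEquals":
                ok = actual in _as_list(expected)
            else:
                ok = False
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    `context` carries condition keys such as 'aws:SourceIp'."""
    context = context or {}
    decision = "ImplicitDeny"  # nothing is allowed until a statement matches
    for stmt in policy["Statement"]:
        if not any(_glob_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    instance = "arn:aws:ec2:ap-northeast-1:123456789012:instance/i-0123456789abcdef0"  # constructed
    for ip in ("54.64.34.65", "198.51.100.7"):
        print(ip, evaluate(SLIDE_POLICY, "ec2:StartInstances", instance, {"aws:SourceIp": ip}))
    print(evaluate(SLIDE_POLICY, "s3:GetObject", "arn:aws:s3:::example_bucket/reports/q1.csv"))
```

The walk-through shows why the slide pairs `ec2:*` actions with a `Condition`: the same request is allowed from 54.64.34.65 and implicitly denied from any other address, while `s3:GetObject*` is allowed from anywhere but only inside `example_bucket`.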
17. AWS IAM Policy Assignment(1)
Diagram: an IAM Policy is assigned to an IAM User or to an IAM Group.
18. AWS IAM Policy Assignment(2)
Diagram: an IAM Policy is assigned to an IAM User, an IAM Group, or an IAM Role.
19. AWS IAM Roles
• An IAM role uses a policy.
• An IAM role has no associated credentials.
• IAM users, applications, and services may assume IAM roles.
(Icon: IAM Roles)
20. AWS IAM Policy Assignment
Diagram: an IAM Policy is assigned to an IAM User, an IAM Group, or an IAM Role; an IAM User assumes an IAM Role, and the assumed role is used to access AWS Resources.
21. Example: Application Access to AWS Resources
• Python application hosted on an Amazon EC2 Instance needs to interact with Amazon S3.
• AWS credentials are required:
  • Option 1: Store AWS Credentials on the Amazon EC2 instance.
(Icon: IAM Roles)
22. Example: Application Access to AWS Resources
• Python application hosted on an Amazon EC2 Instance needs to interact with Amazon S3.
• AWS credentials are required:
  • Option 1: Store AWS Credentials on the Amazon EC2 instance.
  • Option 2: Securely distribute AWS credentials to AWS Services and Applications.
(Icon: IAM Roles)
23. AWS IAM Roles - Instance Profiles
Diagram: Amazon EC2 and Amazon S3.
1. Create Instance
24. AWS IAM Roles - Instance Profiles
Diagram: Amazon EC2 (running the App) and Amazon S3.
1. Create Instance
2. Select IAM Role
25. AWS IAM Roles - Instance Profiles
Diagram: Amazon EC2 (running the App), the EC2 MetaData Service, and Amazon S3.
1. Create Instance
2. Select IAM Role
3. The App obtains the role's credentials from the EC2 MetaData Service:
   http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename
26. AWS IAM Roles - Instance Profiles
Diagram: Amazon EC2 (running the App), the EC2 MetaData Service, and Amazon S3.
1. Create Instance
2. Select IAM Role
3. The App obtains the role's credentials from the EC2 MetaData Service:
   http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename
4. Application interacts with S3
27. Temporary Security Credentials (AWS STS)
Use Cases
• Cross account access
• Federation
• Mobile Users
• Key rotation for Amazon EC2-based apps
Temporary Security Credentials (a session) consist of: Access Key ID, Secret Access Key, Session Token, and Expiration (15 minutes to 36 hours).
29. AWS IAM Best Practices
• Delete AWS account (root) access keys.
• Create individual IAM users.
• Use groups to assign permissions to IAM users.
• Grant least privilege.
• Configure a strong password policy.
• Enable MFA for privileged users.
30. AWS IAM Best Practices (cont.)
• Use roles for applications that run on Amazon EC2 instances.
• Delegate by using roles instead of by sharing credentials.
• Rotate credentials regularly.
• Remove unnecessary users and credentials.
• Use policy conditions for extra security.
• Monitor activity in your AWS account.
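Several of the practices on slides 29 and 30 (delete root access keys, enable MFA, rotate credentials, remove unused users and credentials) can be checked mechanically from the IAM credential report. The Python below is an added example, not code from the deck; it parses a report in the column layout that `aws iam get-credential-report` returns after base64 decoding and emits one finding per violated practice. The report rows, account id and the 90-day thresholds are constructed; `REPORT_DATE` stands in for "now" so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # "rotate credentials regularly"
MAX_IDLE = timedelta(days=90)      # "remove unnecessary users and credentials"

# Constructed report in the column layout of the IAM credential report.
# Account id, user names and dates are made up: root still has an access key
# and no MFA, alice is in good shape, bob is stale on every count.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2016-01-10T09:00:00+00:00,not_supported,2017-06-01T08:00:00+00:00,not_supported,not_supported,false,true,2016-01-10T09:05:00+00:00,2017-05-30T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-03-01T09:00:00+00:00,true,2017-06-10T08:00:00+00:00,2017-05-20T08:00:00+00:00,2017-08-18T08:00:00+00:00,true,true,2017-05-20T08:10:00+00:00,2017-06-10T07:00:00+00:00,ap-southeast-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2016-03-01T09:00:00+00:00,true,2016-11-02T08:00:00+00:00,2016-11-01T08:00:00+00:00,2017-01-30T08:00:00+00:00,false,true,2016-02-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
REPORT_DATE = datetime(2017, 6, 15, 12, 0, tzinfo=timezone.utc)  # constructed "now"


def _ts(value):
    """Cells hold an ISO 8601 timestamp or one of N/A, no_information, not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age=MAX_KEY_AGE, max_idle=MAX_IDLE):
    """Return one finding string per best-practice violation visible in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:  # "delete AWS account (root) access keys"
                findings.append(f"{user}: active root access key {n}")
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > max_key_age:
                findings.append(f"{user}: access key {n} not rotated for {(now - rotated).days} days")
            last_used = _ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None or now - last_used > max_idle:
                findings.append(f"{user}: access key {n} unused for more than {max_idle.days} days")
        # "enable MFA for privileged users": here root and every console user
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append(f"{user}: no MFA")
        # "remove unnecessary users": no sign-in or key use within the idle window
        if not is_root:
            touches = [t for t in (_ts(row["password_last_used"]),
                                   _ts(row["access_key_1_last_used_date"]),
                                   _ts(row["access_key_2_last_used_date"])) if t is not None]
            if not touches or now - max(touches) > max_idle:
                findings.append(f"{user}: no activity for more than {max_idle.days} days")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT, REPORT_DATE):
        print(finding)
```

On the constructed report this yields six findings: two for root (active access key, no MFA) and four for bob (key not rotated for 500 days, key never used, no MFA, no activity for more than 90 days); alice produces none. Scheduling such a check and feeding its output to the account's monitoring covers the last practice on the slide.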
31. DEMO TIME
32. New to AWS
• New to AWS: introductory labs and videos can help you ramp up. (Start learning)
• Take a Class: build technical skills and learn best practices from an accredited instructor. (Find a class)
• AWS Certification: validate knowledge and show expertise with industry recognized certifications. (Get Certified)
• Online Labs: take an online Self-Paced Lab to get hands-on practice with AWS services. (Start practicing)
Learn more: aws.amazon.com/training
33. Thank You for Attending AWSome Day Online Conference
We hope you found it interesting! A kind reminder to complete the survey.
Let us know what you thought of today’s event and how we can improve
the event experience for you in the future.
aws-apac-marketing@amazon.com
twitter.com/AWSCloud
facebook.com/AmazonWebServices
youtube.com/user/AmazonWebServices
slideshare.net/AmazonWebServices
twitch.tv/aws