(SEC305) IAM Best Practices | AWS re:Invent 2014

November 12, 2014 | Las Vegas, NV

Oops, looks

like a 0-based

code error

0. UsersCreate individual users

Benefits How to get started

1. PermissionsGrant least privilege

IMPORTANT NOTE: Permissions do not apply to root!

2. GroupsManage permissions with groups

3. ConditionsRestrict privileged access further with conditions

{ "Statement":[{"Effect":"Allow","Action":["ec2:TerminateInstances"],"Resource":["*"],"Condition":{

"Null":{"aws:MultiFactorAuthAge":"false"}}

Enables a user to terminate EC2 instances only

if the user has authenticated with their MFA

device.

{"Statement":[{ "Effect":"Allow", "Action":"iam:*AccessKey*","Resource”:"arn:aws:iam::123456789012:user/*", "Condition":{

"Bool":{"aws:SecureTransport":"true"}}

Enables a user to manage access keys for all

IAM users only if the user is coming over SSL.

{"Statement":[{ "Effect":"Allow", "Action":["ec2:TerminateInstances“],"Resource":["*“], "Condition":{

"IpAddress":{"aws:SourceIP":"192.168.176.0/24"}}

Enables a user to terminate EC2 instances only if the

user is accessing Amazon EC2 from the 192.168.176.0/24

address range.

{"Statement":[{"Effect": "Allow","Action":"ec2:TerminateInstances","Resource": "*","Condition":{

"StringEquals":{"ec2:ResourceTag/Environment":"Dev"}}

Enables a user to terminate EC2 instances only if the

instance is tagged with “Environment=Dev”.Ta

{ "Sid": "ThisBitGrantsAccessToResourcesForTerminateInstances", "Effect": "Allow", "Action":"ec2:TerminateInstances", "Resource": "*", "Condition": { "StringEquals": {"ec2:ResourceTag/Environment": "Dev"} } }{ "Sid": "ThisBitGrantsAccessToResourcesForTerminateInstances", "Effect": "Allow", "Action":"ec2:TerminateInstances", "Resource": "*", "Condition": { "StringEquals": {"ec2:ResourceTag/Environment": "Dev"} } }

{ "Sid": "ThisBitGrantsAccessToResourcesForTerminateInstances", "Effect": "Allow", "Action":"ec2:TerminateInstances", "Resource": "*", "Condition": { "StringEquals": {"ec2:ResourceTag/Environment": "Dev"} } }

4. AuditingEnable AWS CloudTrail to get logs of API calls

4. Enable AWS CloudTrail to get logs of API calls

Benefits

• Visibility into your user activity

by recording AWS API calls to

an Amazon S3 bucket

How to get started

• Set up an Amazon S3

bucket

• Enable AWS CloudTrail

Ensure the services you want are integrated with AWS CloudTrail

Manage Users and Permissions

5. PasswordsConfigure a strong password policy

IMPORTANT NOTE: Password policy does not apply to root!

6. RotationRotate (or delete) security credentials regularly

(enable password rotation sample policy)

Password{"Version":"2012-10-17","Statement": [{"Effect": "Allow","Action": "iam:ChangePassword","Resource":

"arn:aws:iam::123456789012:user/${aws:username}"}

Enforcing a password policy will automatically enable

IAM users to manage their passwords

Note the use of

a policy

variable

(enable access key rotation sample policy)

Access Keys

{"Version":"2012-10-17","Statement": [{"Effect": "Allow","Action": [

"iam:CreateAccessKey","iam:DeleteAccessKey","iam:ListAccessKeys","iam:UpdateAccessKey"],

"Resource": "arn:aws:iam::123456789012:user/${aws:username}"

(enable access key rotation sample policy)

Access Keys{"Version":"2012-10-17","Statement": [{"Effect": "Allow","Action": [

"iam:CreateAccessKey","iam:DeleteAccessKey","iam:ListAccessKeys","iam:UpdateAccessKey"],

"Resource": "arn:aws:iam::123456789012:

user/${aws:username}"}

1. While the first set of credentials is still active, create a second set of credentials, which will also be active by default.

2. Update all applications to use the new credentials.

3. Change the state of the first set of credentials to Inactive.

4. Using only the new credentials, confirm that your applications are working well.

5. Delete the first set of credentials.

Steps to rotate access keys

7. MFAEnable multi-factor authentication for privileged users

8. SharingUse IAM roles to share access

ExternalID

IMPORTANT NOTE: Never share credentials.

prod@example.comAcct ID: 111122223333

ddb-role

{ "Statement": [{

"Action": ["dynamodb:GetItem","dynamodb:BatchGetItem","dynamodb:Query","dynamodb:Scan","dynamodb:DescribeTable","dynamodb:ListTables"

],"Effect": "Allow","Resource": "*"

dev@example.comAcct ID: 123456789012

Authenticate with

Jeff access keys

Get temporary

security credentials

for ddb-role

Call AWS APIs

using temporary

security credentials

of ddb-role

{ "Statement": [{"Effect": "Allow","Action": "sts:AssumeRole","Resource":

"arn:aws:iam::111122223333:role/ddb-role"}]}

{ "Statement": [{"Effect":"Allow","Principal":{"AWS":"123456789012"},"Action":"sts:AssumeRole"

ddb-role trusts IAM users from the AWS account

dev@example.com (123456789012)

Permissions assigned to Jeff granting him permission

to assume ddb-role in account B

IAM user: Jeff

Permissions assigned

to ddb-role

External access

Login With Amazon

Google

Facebook

Open ID Connect

Authenticate with

Users tokens

9. RolesUse IAM roles for Amazon EC2 instances

Manage Credentials

10. Root Reduce or remove use of root

0. Users

1. Permissions

2. Groups

3. Conditions

4. Auditing

0. Users

1. Permissions

2. Groups

3. Conditions

4. Auditing

5. Passwords

6. Rotation

7. MFA

8. Sharing

9. Roles

10.Root

http://aws.amazon.com/iam

https://forums.aws.amazon.com/forum.jspa?forumID=76

http://aws.amazon.com/documentation/iam/

http://blogs.aws.amazon.com/security

http://aws.amazon.com/cloudtrail/

@AWSIdentity

Session When Where

SEC302 – Delegating Access to your AWS

Environment

Wednesday 11/12, 2.15pm Palazzo J

SEC304 – Bring Your Own Identities – Federating

Access to your AWS Environment

Wednesday 11/12, 4.30pm Palazzo J

SEC303 – Mastering Access Control Policies Thursday 11/13, 3.15pm Palazzo J

SEC306 – Turn on CloudTrail. Log API Activity in

your AWS account

Thursday 11/13, 3.15pm Lando 4305

MBL401 – Social Logins for Mobile Apps with

Amazon Cognito

Thursday 11/13, 3.15pm Palazzo B

Please give us your feedback on this session.

Complete session evaluations and earn re:Invent swag.

http://bit.ly/awsevals

(SEC305) IAM Best Practices | AWS re:Invent 2014

Technology

Transcript of (SEC305) IAM Best Practices | AWS re:Invent 2014

AWS re:Invent 2016: Workshop: Adhere to the Principle of Least Privilege by Using AWS Identity and Access Management (IAM) and Amazon Virtual Private Cloud (VPC) (SEC302)

Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Continuous Deployment @ AWS Re:Invent

Brian Limperopulos Programs Manager IAM. IAM Programs IAM Governing Members’ Meeting How IAM serves its Governing Membership: Receivable Protection Program.

Samsung SDS IAM & EMM SDS IAM & EM… · IAM & EMM application to authenticate with Samsung SDS IAM & EMM Mobile Authenticator—see “Using the Samsung SDS IAM & EMM application

The ROI of IAM - docs.bankinfosecurity.comdocs.bankinfosecurity.com/files/handbooks/IAM/IAM-eHandbook.pdf · IAM, of course, is a huge issue for financial institutions – not just

Iam Completo

Asset Management – the IAM · 2017. 11. 14. · IAM Qualifications – targets IAM Certificate: aimed at those new to Asset Management IAM Diploma: designed to help existing Asset

IAM Cahier7

IAM RoadSmart

INTERMOT - ADVANCED - MOTORS IAM SERIES H1 … · pag. 16 IAM rev. 01 HYDRAULIC MOTORS ITALY s.r.l. TECHNICAL DATA H1 MODEL IAM 80 H1 IAM 100 H1 IAM 150 H1 IAM 175 H1 IAM 195 H1 IAM

IAM Qualifications

IAM Certificate And IAM Diploma Syllabi Modules and Contents · SUMMARY This document deals with the detailed content of the IAM Certificate and IAM Diploma examinations, describing

AWS re:Invent Hackathon

AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)

(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less

AWS re:Invent 2013 Recap

Iam Brochure

AWS re:Invent 2017 re:View

(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014