Role-based Access Control on AWS
FINRA AWS Role Permissions Compliance System
Shijie Zhang
Copyright 2011 FINRA
AGENDA
■ How It Works
■ System Components
  Gold Source
  Amazon Web Services
  Developed Scripts
  Splunk
  AWS Compliance Dashboard
■ Demo
■ Summary
How It Works
(Diagram: input and output)
(Diagram: developed programs)
Two Use Cases of the Developed Programs:
Monthly full check: check the compliance status of all the roles in all environments
When changes to role permissions are detected: check the compliance status of the changed role
COMPONENTS – Gold Source
■ api_list.csv (columns: service, api, risk rating)
■ Second gold-source table (columns: service, api, Allow/Deny)
COMPONENTS – Amazon Web Services
COMPONENTS – Python Scripts
■ A simple example:
  Environment: Development
  Role name: priv_aws_cloudets_d
  Service: sqs
  API: RemovePermission
Part of policies in ETS-Core:
COMPONENTS – Splunk
■ Severity of Incidents
  Factor I: Environment (Development, QC, Production)
  e.g.: The noncompliance in Production is more severe than in Development
  Factor II: Noncompliant incident type (Type I, Type II)
  Type I: A role has been granted access to an API for which it should not have access
  Type II: A role has not been granted access to an API for which it should have access
  Severity of Type I noncompliance is higher than Type II noncompliance
  Factor III: API capabilities
  e.g.: S3:ListBucket, S3:CreateBucket
  Severity of S3:ListBucket noncompliance is higher than S3:CreateBucket
■ Initial Rating Scale
  HIGH: > 30
  MEDIUM: 26 to 30
  LOW: 0 to 26
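The Type I / Type II check and the rating scale above, as an added Python example (not FINRA's own scripts): the two gold-source tables and the role's granted (service, api) set are constructed samples, and because the deck lists the three severity factors but not the formula that combines them, the environment and type weights are an assumption.

```python
import csv
import io
from collections import namedtuple

# Constructed sample of api_list.csv (columns: service, api, risk rating).
API_LIST_CSV = """service,api,risk rating
s3,ListBucket,10
s3,CreateBucket,6
sqs,RemovePermission,8
"""
# Constructed sample of the gold-source table for one role (columns: service, api, Allow/Deny).
ROLE_EXPECTED_CSV = """service,api,Allow/Deny
s3,ListBucket,Deny
s3,CreateBucket,Allow
sqs,RemovePermission,Deny
"""
# Assumed weights: the deck names the three severity factors but not how they combine.
ENV_WEIGHT = {"Development": 1, "QC": 2, "Production": 3}
TYPE_WEIGHT = {"Type I": 3, "Type II": 1}

Incident = namedtuple("Incident", "role env service api incident_type score rating")

def rate(score):
    """Initial rating scale from the deck; 26 is in both MEDIUM and LOW, treated as MEDIUM here."""
    if score > 30:
        return "HIGH"
    return "MEDIUM" if score >= 26 else "LOW"

def check_role(role, env, granted, expected_csv=ROLE_EXPECTED_CSV, api_list_csv=API_LIST_CSV):
    """Compare the (service, api) pairs the role is actually granted in AWS with the gold source."""
    risk = {(r["service"], r["api"]): int(r["risk rating"])
            for r in csv.DictReader(io.StringIO(api_list_csv))}
    incidents = []
    for row in csv.DictReader(io.StringIO(expected_csv)):
        key = (row["service"], row["api"])
        should_allow, is_allowed = row["Allow/Deny"] == "Allow", key in granted
        if is_allowed and not should_allow:
            itype = "Type I"   # granted access it should not have
        elif should_allow and not is_allowed:
            itype = "Type II"  # missing access it should have
        else:
            continue           # compliant for this API
        score = ENV_WEIGHT[env] * TYPE_WEIGHT[itype] * risk.get(key, 1)
        incidents.append(Incident(role, env, key[0], key[1], itype, score, rate(score)))
    return incidents
```

Calling `check_role("priv_aws_cloudets_d", "Development", {("sqs", "RemovePermission"), ("s3", "ListBucket")})` reproduces the deck's sample role with an assumed granted set; the same grants in Production rate higher because of the environment factor.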
COMPONENTS – Dashboard
Summary
■ Accomplishments: built an AWS Role Permission Compliance System
■ Thanks to my boss, teammates and many other co-workers
■ Questions and Comments?