(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014
© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
November 13, 2014 | Las Vegas
SEC403
Building AWS Partner Applications Using IAM Roles
Bob Van Zant, Bracket Computing

Resources
• Code samples:
– https://github.com/bobveznat/sec403
• IAM policy helper:
– https://github.com/cloudtools/awacs

Use cases
• Cloud management platform
• Log analysis
• Cloud spend analysis
• Operating across more than one AWS account
• Generalized: AWS applications that access other AWS accounts

Anti-patterns
• Ask for access key ID and secret access key
• Asking users to trust you more than they should
– “Create an admin user and send us the creds”
• Eager IAM policies
– action: *

Requirements
• Act within another AWS account
• Take on a subset of permissions to act within AWS
• Cannot be required to persist secrets

AssumeRole API call
“Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. Typically, you use AssumeRole for cross-account access or federation.”
http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

DescribeInstances example
• Given account ID and region
• Print instance names and status
• Setup required:
– IAM role in customer account
– Role trust in customer account

To the console

AssumeRole Parameters

Easy ones
• Duration: validity period for creds, 900-3600 sec
– Go shorter with IAM policy variables
• RoleArn: The ARN of the role you’re assuming
• SerialNumber: For an MFA device
– Hardware serial number for Gemalto
– ARN for virtual: arn:aws:iam::<account id>:mfa/<iam user>
• TokenCode: Code from MFA device

Policy
• JSON string containing a valid IAM policy, up to 2048 bytes
• Use this to further restrict permissions by scoping down the policy
• Imagine a logical AND of the role’s policies with this new policy.
– i.e., it may only be used to restrict access of the role being assumed

To the console

RoleSessionName
• Between 2 and 32 characters long
• Fairly restrictive character set:
– ^[\w+=,.@-]{2,32}$
• Useful for auditing
• Shows up in AWS CloudTrail logs (i.e., name wisely)…
import boto  # boto 2, as in the deck's samples
sts_conn = boto.connect_sts()
role_arn = "arn:aws:iam::<account id>:role/<role name>"  # placeholder
session_name = "Hi-Mom"
sts_conn.assume_role(role_arn, session_name)
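The AssumeRole parameters from the preceding slides (RoleArn, RoleSessionName, Policy, DurationSeconds, plus the ExternalId covered later) put together in one call, as an added example that is not part of the deck or the sec403 repository. It uses the boto3 call signature rather than the boto 2 one shown above, validates the session name against the slide's regex before sending it, and builds a scoped-down session Policy for the DescribeInstances use case. The FakeSTS class, the account ID and the placeholder credentials are constructed so the flow runs offline; `describe_instance_names` is the only part that needs boto3 and network access.

```python
import json
import re

# RoleSessionName constraint from the deck: 2-32 characters from [\w+=,.@-].
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,32}$")
# AssumeRole's Policy parameter limit quoted in the deck.
MAX_POLICY_BYTES = 2048


def valid_session_name(name):
    """True if `name` is acceptable as RoleSessionName."""
    return SESSION_NAME_RE.match(name) is not None


def scoped_down_policy():
    """Session policy for AssumeRole's Policy parameter.

    STS intersects it with the role's own policies (the deck's "logical AND"),
    so it can only narrow access: even if the customer granted the role wider
    EC2 read rights, these credentials can only call DescribeInstances.
    """
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances"],
            "Resource": "*",
        }],
    }
    doc = json.dumps(policy, separators=(",", ":"))
    if len(doc.encode("utf-8")) > MAX_POLICY_BYTES:
        raise ValueError("session policy exceeds %d bytes" % MAX_POLICY_BYTES)
    return doc


def assume_customer_role(sts, role_arn, session_name, external_id, duration=900):
    """Call AssumeRole with the parameters the deck walks through and return
    the temporary credentials. `sts` is anything with boto3's
    STS.Client.assume_role signature: boto3.client("sts") or FakeSTS below."""
    if not valid_session_name(session_name):
        raise ValueError("RoleSessionName must match ^[\\w+=,.@-]{2,32}$")
    if not 900 <= duration <= 3600:
        raise ValueError("DurationSeconds outside the 900-3600 range used here")
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,   # lands in CloudTrail; name it for auditing
        ExternalId=external_id,         # pre-shared secret, see the ExternalId slides
        Policy=scoped_down_policy(),
        DurationSeconds=duration,
    )
    return resp["Credentials"]


def describe_instance_names(creds, region):
    """The DescribeInstances example: list (instance id, Name tag, state)
    in the customer's account using the temporary credentials. Needs boto3
    and network access, so it is not exercised offline."""
    import boto3  # imported here so the rest of the example runs without it
    ec2 = boto3.client(
        "ec2", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    rows = []
    for reservation in ec2.describe_instances()["Reservations"]:
        for inst in reservation["Instances"]:
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            rows.append((inst["InstanceId"], tags.get("Name", ""), inst["State"]["Name"]))
    return rows


class FakeSTS:
    """Constructed stand-in for the STS client so the example runs offline:
    records the AssumeRole request and returns placeholder credentials."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **params):
        self.calls.append(params)
        return {"Credentials": {
            "AccessKeyId": "ASIA-PLACEHOLDER",
            "SecretAccessKey": "secret-placeholder",
            "SessionToken": "token-placeholder",
        }}


def demo():
    """Run the flow against FakeSTS; returns the request STS saw and the creds."""
    sts = FakeSTS()
    creds = assume_customer_role(
        sts,
        role_arn="arn:aws:iam::111122223333:role/brkt-readonly",  # account id from the deck
        session_name="adm-hub-mani",
        external_id="external-id-placeholder",
    )
    return sts.calls[0], creds


if __name__ == "__main__":
    request, creds = demo()
    print(json.dumps(request, indent=2))
```

Against a real client, replace `FakeSTS()` with `boto3.client("sts")` and pass the returned credentials to `describe_instance_names`; the request that FakeSTS records is exactly what shows up under `requestParameters` in the CloudTrail events on the next slides.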

CloudTrail in your account
'requestParameters': {
    'durationSeconds': 2011,
    'roleArn': 'arn:…role/role-name',
    'roleSessionName': 'Hi-Mom'},

CloudTrail in customer account
'userIdentity': {
    'accessKeyId': 'ASIA…',
    'accountId': '111122223333',
    'arn': 'arn:…:assumed-role/ROLE-NAME/Hi-Mom'

Auditing Results
Time: 10/31/2014 13:05:19.000
RoleArn: arn:aws:iam::111111111111:role/brkt-readonly
RoleSessionName: adm-hub-mani
Who: arn:aws:sts::999999999999:assumed-role/prod-brkt-net-hub-web/i-30e01eda
Time: 10/31/2014 15:07:59.000
RoleArn: arn:aws:iam::111111111112:role/brkt-readonly
RoleSessionName: adm-hub-krishnan
Who: arn:aws:sts::999999999999:assumed-role/prod-brkt-net-hub-web/i-56e7e0b8

Auditing
_sourceCategory=AWS_EAGLE
| json "eventName",
  "requestParameters.durationSeconds",
  "requestParameters.roleArn",
  "requestParameters.roleSessionName",
  "userIdentity.arn"
| where eventName = "AssumeRole"
| where %"requestParameters.roleSessionName" matches "adm-*"
• Example Sumo Logic query
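The same audit as the Sumo Logic query above, done in Python so it can be run without a log platform, as an added example that is not part of the deck or the sec403 repository. It keeps AssumeRole events whose roleSessionName matches "adm-*" and reports the Time/RoleArn/RoleSessionName/Who fields from the "Auditing Results" slide. The records are constructed to look like CloudTrail events, one JSON object per line as a log shipper would emit them (real CloudTrail files wrap them in a Records array); the account IDs, role names and instance IDs are the ones shown on the slides.

```python
import json
from fnmatch import fnmatchcase


def _record(event_time, event_name, caller_arn, **request_params):
    """Build one constructed CloudTrail-shaped record (not a real event)."""
    return json.dumps({
        "eventTime": event_time,
        "eventName": event_name,
        "userIdentity": {"arn": caller_arn},
        "requestParameters": request_params,
    })


# Constructed callers: two hub web instances in the partner account.
HUB_A = "arn:aws:sts::999999999999:assumed-role/prod-brkt-net-hub-web/i-30e01eda"
HUB_B = "arn:aws:sts::999999999999:assumed-role/prod-brkt-net-hub-web/i-56e7e0b8"

SAMPLE_LOG = [
    _record("2014-10-31T13:05:19Z", "AssumeRole", HUB_A, durationSeconds=2011,
            roleArn="arn:aws:iam::111111111111:role/brkt-readonly",
            roleSessionName="adm-hub-mani"),
    # same hub, non-admin session name: background polling, filtered out
    _record("2014-10-31T14:00:00Z", "AssumeRole", HUB_A, durationSeconds=900,
            roleArn="arn:aws:iam::111111111111:role/brkt-readonly",
            roleSessionName="poll-hub"),
    # not an AssumeRole call at all: filtered out
    _record("2014-10-31T14:30:00Z", "DescribeInstances",
            "arn:aws:sts::111111111111:assumed-role/brkt-readonly/adm-hub-mani"),
    _record("2014-10-31T15:07:59Z", "AssumeRole", HUB_B, durationSeconds=2011,
            roleArn="arn:aws:iam::111111111112:role/brkt-readonly",
            roleSessionName="adm-hub-krishnan"),
    "not json at all",  # a corrupt line, to show the loop tolerates it
]


def dig(record, dotted):
    """Resolve a dotted path such as 'requestParameters.roleArn', the way the
    query's json operator does; None if any segment is missing."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def audit_assume_role(lines, session_glob="adm-*"):
    """Replay of the query: AssumeRole events whose roleSessionName matches
    the glob, reported with the fields from the Auditing Results slide."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed lines rather than abort the audit
        if dig(rec, "eventName") != "AssumeRole":
            continue
        name = dig(rec, "requestParameters.roleSessionName") or ""
        if not fnmatchcase(name, session_glob):
            continue
        hits.append({
            "Time": dig(rec, "eventTime"),
            "RoleArn": dig(rec, "requestParameters.roleArn"),
            "RoleSessionName": name,
            "Who": dig(rec, "userIdentity.arn"),
        })
    return hits


def format_report(hits):
    """Render hits in the layout of the Auditing Results slide."""
    lines = []
    for h in hits:
        for key in ("Time", "RoleArn", "RoleSessionName", "Who"):
            lines.append("%s: %s" % (key, h[key]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_assume_role(SAMPLE_LOG)))
```

The "Who" field is the partner-side caller, so it ties an operator's session name back to the specific hub instance that issued the AssumeRole; pairing this with the matching event in the customer's account (where the same session name appears in userIdentity.arn) gives a two-sided audit trail.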

ExternalId
• A pre-shared secret between you and your customer
• String from 2-1224 bytes long
• Used to prevent the “confused deputy” problem
“A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority.”
http://en.wikipedia.org/wiki/Confused_deputy_problem

Let’s confuse the deputy
• Assume a cloud management platform
• Customers bring their own AWS account

Getting confused

Confusion is imminent

Deputy confused
Image is in public domain. Obtained from http://commons.wikimedia.org/wiki/File:Don_Knotts_Jim_Nabors_Andy_Griffith_Show_1964.JPG

We’ve been owned
• Attacker has obtained a login to our platform
• Attacker has given a legitimate customer’s AWS ID (the victim’s) instead of his own
• Attacker can now use our platform to view and act within the victim’s AWS account.
• Oops.

What went wrong?
• We never verified that our user owned the AWS account in question
• AWS provides the External ID parameter, which lets us do that

Deputy not confused

Prevent that attack
• Customer brings 12-digit ID on signup
• You generate an external ID and hand to customer
• Customer sets up roles and trust, including the external ID you specified
• Attack mitigated
– Attacker can only leverage your platform to take over customer account if they have already compromised the customer account and can modify the trust policy
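The signup flow above and the trust policy it relies on, as an added example that is not part of the deck or the sec403 repository. The platform issues a fresh external ID per signup and always sends the one it issued, never one the user supplies; the customer's trust policy accepts the partner account only with that exact ID. `trust_allows` is a deliberately simplified offline model of how STS evaluates such a trust policy (principal match plus StringEquals on sts:ExternalId), covering only the policy shape this example produces, and `Platform` with its partner account ID 999999999999 (taken from the deck's audit slide) is constructed. The demo contrasts the mitigated setup with the "We've been owned" setup, where the condition is absent.

```python
import secrets


def new_external_id():
    """The pre-shared secret handed to the customer at signup. URL-safe so it
    pastes cleanly into a trust policy, and well inside the length limit the
    deck gives for ExternalId."""
    return secrets.token_urlsafe(32)


def customer_trust_policy(partner_account_id, external_id):
    """Trust policy the customer attaches to the role in their own account:
    only the partner account may assume it, and only when the caller presents
    the external ID this customer was given."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % partner_account_id},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_allows(trust_policy, caller_account_id, external_id):
    """Simplified offline model of STS evaluating the trust policy above.
    Not full IAM semantics: it handles Allow statements with an account-root
    principal and an optional StringEquals on sts:ExternalId, nothing else."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != "arn:aws:iam::%s:root" % caller_account_id:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        # No condition: any (or no) external ID passes. With a condition, the
        # value the platform sends must equal the one the customer configured.
        if wanted.get("sts:ExternalId", external_id) == external_id:
            return True
    return False


class Platform:
    """Constructed model of the partner platform's signup table: each user
    gets their own external ID, bound to the account ID they claimed."""
    PARTNER_ACCOUNT = "999999999999"  # partner account ID from the deck's audit slide

    def __init__(self):
        self.customers = {}

    def signup(self, username, aws_account_id):
        ext = new_external_id()
        self.customers[username] = (aws_account_id, ext)
        return ext  # shown once; the customer copies it into their trust policy

    def can_assume(self, username, trust_policy):
        """Would an AssumeRole made on behalf of `username` succeed against
        this trust policy? The platform sends the ID it issued to that user."""
        _, ext = self.customers[username]
        return trust_allows(trust_policy, self.PARTNER_ACCOUNT, ext)


def demo():
    platform = Platform()
    # Legitimate customer signs up and configures trust with the ID they got.
    victim_ext = platform.signup("victim", "111122223333")
    victim_trust = customer_trust_policy(Platform.PARTNER_ACCOUNT, victim_ext)
    # A second user signs up claiming the same account ID and receives a
    # different external ID, which the customer's trust policy does not accept.
    platform.signup("other-user", "111122223333")
    # The "We've been owned" setup: same trust policy without the condition.
    no_condition_trust = customer_trust_policy(Platform.PARTNER_ACCOUNT, victim_ext)
    del no_condition_trust["Statement"][0]["Condition"]
    return {
        "victim_ok": platform.can_assume("victim", victim_trust),
        "other_user_with_external_id": platform.can_assume("other-user", victim_trust),
        "other_user_without_external_id": platform.can_assume("other-user", no_condition_trust),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the external ID is never user-supplied input: it is generated server-side, stored against the signup, and sent unconditionally on every AssumeRole for that customer, so claiming someone else's account ID buys nothing unless the trust policy in that account is changed to include the new ID.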

Are you vulnerable?
• Do you allow customers to bring their own account?
• Are you using external ID as described here?
• If not, your customers are at risk.
• It’s your fault.

Complete example

Notch it up
• Let’s build our cloud management platform on AWS
• Use Amazon EC2 instance profiles to seed access
• Instance profile should reference an access policy that is again least privilege
• The more privileged an instance, the further from users/attackers it should be

Sample architecture
Harder to attack; allow increasing privilege

To the console