Upload File

introduction to aws iam

Download Introduction to AWS IAM

If you can't read please download the document

Upload: knoldus-software-llp

Post on 06-Apr-2017

740 views

Category:

Software


3 download

Report

TRANSCRIPT

Knolx

Introduction to AWS IAM

Abhishek GiriSoftware ConsultantKnoldus Software LLP

Agenda

What is IAM?

IAM as a service

IAM Best Practices

Elements of IAM policy

UseCase

Policy Simulator

What is IAM?

Identity and access management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.IAM enables you to securely control access to your application or product services and resources for your users.Using IAM, you can create and manage users and groups and use permissions to allow and deny their access to the resources.

AWS: IAM as a service

AWS Identity and Access ManagementAWS IAM roles are a web service that gives you secured "Control Access" to AWS services for your users. IAM policies specify which services/actions are allowed or denied. You attach policies to group, users, and roles, which are then subject to permissions that you define.With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access.Policies can be granted either from AWS API programmatically or the AWS management console.

IAM gives you following features :Shared access to your AWS account.

Granular permission.

Secure access to your AWS resources.

Identity Information.

Integrated with many AWS resources.

Free to use.

Types of Policies

Managed Policy - Standalone policies that you can attach to multiple users, groups, and roles in your AWS account. Managed policies apply only to identities (users, groups, and roles) - not resources.

Inline Policy - Policies that you create and manage, and that are embedded directly into a single user, group, or role. Resource-based policies are another form of inline policy.

IAM Groups

A collection of IAM users.

You assign permission to group, all IAM user in the inherit those permission.

IAM Users

Can have username/password to login to aws console.

Can have aws credentials for making API calls to interact with aws services.

New IAM user have no permission to do anything, permission must be explicilty granted.

IAM Roles / Instance profile

The permission of an IAM role can be granted/assigned to EC2 instance.

All AWS Sdk has buit-in way to auto discover AWS credentials on AWS EC2. -Credential file-Environmental variable-Instance profile

IAM Policies

When you create a IAM group,user you associate an IAM policy with it which specify the permission that you want to grant.

IAM policies are JSON formatted document that defines AWS permission.

Elements of policy

Version - Version specifies the current version of the policy language. It must specify it before the statement element. In this case, our version is "2012-10-17."

Statement - The Statement element is the main element of the policy. This element is required. The Statement element contains an array of individual statements. Each individual statement is a JSON block enclosed in braces { }.

Effect - The Effect element is required and specifies whether the statement will result in an allow or an explicit deny.

Action - The Action element describes the specific action or actions that will be allowed or denied. Each AWS service has its own set of actions that describe tasks that you can perform with that service.

Resource - The Resource element specifies the object or objects that the statement covers. Statements must include either a Resource or a NotResource element. You specify a resource using an ARN.

Principal The Principal element specifies the identity. It is use to specify the User,AWS account that is allowed or denied acces to a resource.

Sample JSON

{"Version": "2012-10-17","Statement": {"Effect": "Allow","Action": "s3:ListBucket","Resource": "arn:aws:s3:::example_bucket"}}

IAM Best Practices

Protect the root account.

Create the individual IAM user.

Create and use groups.

Set up a strong password policy.

Use multifator authentication.

Use Roles/Instance profiles.

Rotate credentials often.

Monitor IAM activity.

Protect the root account.

Root account in AWS has full access to any service.

By design it permission cannot be restricted.

Never create AWS credentials keys.

Create the individual IAM user.

Each user get his/her account.

Makes managing of users easy.

Makes defining policies of each user easy.

Create and use groups

Group allows you to logically define set of users.

Groups can define different set of policies.

Users can be part of multiple groups. They will inherit permission for both the groups.

Set up a strong password policy.

Users should have permission to manage their own passwords.

You can define a strong password policy that enforces things like minimum length, complexity, periodic rotation etc.

Use multifator authentication

In addition to using a username and password, IAM has an option setting up a second factor.

Use Roles/Instance profiles.

If you have an app/script that needs to make an API call to AWS, as far as possible avoid using static access keys.

Instead use Roles/Instance Profiles.

AWS automatically expires the credentials.

Rotate credentials often

Enforce all the keys and passwords to be changed often.

Passwords should be changed once in 90 days.

Keys could be rotated much more often.

All keys should have the permission to create another set of keys and delete the old ones.

Monitor IAM activity

AWS gives you logs for ALL IAM operations.

Typically this will be in Cloud Trail. Logs are sent to S3 bucket you define.

Use this information to keep a close watch on what's happening.

Setup alerts on interesting activities.

UseCase

CodeSquad

In the above diagram, each user has access to his/her object in the bucket.{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["s3:PutObject","s3:GetObject","s3:GetObjectVersion"],

"Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"}]

}Instead of attaching policies to each user, policies can be attached at the group level. After that, we can add users to that group. The following policy allows a set of Amazon S3 permissons in bucketName/${aws:username} folder. When the policy is evaluated, the policy is replaced by requested username.

Policy Simulator

https://policysim.aws.amazon.com/home/index.jsp?#

Reference Link

http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

Thank You


Architecting security & governance across your AWS environment Mark… · AWS IAM & SC Policies Developer Sandbox Dev Pre-Prod Team/GroupAccounts Security Core AWS Organizations Master

AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)

WHITE PAPER PURITY CLOUDSNAP - Pure Storage · Creating an IAM User and Attaching the IAM Policy to the User Log in to the AWS management console and navigate to IAM. Click on Add

AWS Key Management Service Best Practices · PDF file · 2017-04-20Amazon Web Services – AWS Key Management Service Best Practices Page 2 AWS KMS and IAM Policies You can use AWS

SUMMIT - Amazon Web Services Marketing... · • Introduction and use cases ... AWS Identity and Access Management (IAM) Authentication. Kubectl. 3) Authorizes AWS identity with RBAC

Cloudera’s Enterprise Data Hub on the AWS Cloud · PDF file · 2017-08-21Cloudera’s Enterprise Data Hub on the AWS Cloud ... AWS Identity and Access Management (IAM) ... (AWS)

Fanatical Support for AWS...Cloud Native Security AWS customers who want to improve their security posture by using native products like AWS Security Hub, Amazon GuardDuty and IAM

HOW TO MANAGE A MULTI AWS ACCOUNT INFRASTRUCTURE€¦ · - FreeIPA to AWS IAM sync tool (no SAML) - FreeIPA SSH Key User Management on instances - aws-mfa - Account / environment

Secure Amazon EC2 Environment with AWS IAM & Resource-Based Permissions (CPN205) | AWS re:Invent 2013

Introduction to IAM Architecture (v2)

NYKAA - tothenew.com · Used AWS Identity & Access Managment (IAM) for securely controlling access to AWS services Used Amazon CloudWatch to collect information,

AWS IAM and security

Windows on AWS - london-summit-slides …london-summit-slides-2017.s3.amazonaws.com/How AWS can help yo… · AWS IAM Amazon S3 AWS CloudTrail AWS Config Logging and monitoring platform

Masterless Puppet Using AWS S3 Buckets and IAM Roles

AWS 리소스 그룹€¦ · 수 없습니다. iam 사용자 만들기에 대한 자세한 내용은 iam 사용 설명서에서 iam 사용자 생성을 참조하십시 오. 태그는

AWS Security & Compliance - Matrix · AWS Security & Compliance CJ Moses ... AWS IAM Amazon VPC AWS Direct Connect AWS Storage Gateway AWS$Public$Sector $!!! LEAST!PRIVILEGE!PRINCIPLE!

1 MIIS IAM Nationwide Journey - MIIS & IAM. 2 Agenda 1.Introduction Original objectives Definition of terms 2.MIIS 3.IAM Introduction Definition Approach

AWS - IAM - Identity Access Management · AWS - IAM - Identity Access Management AWS - IAM - Identity Access Management Notes: permissions are stored with JSON language this is globally,

AWS Step Functions · IAM role ARN (Voy a proporcionar el ARN de una función de IAM existente) y especifique el ARN de la función de IAM. Note. AWS Step Functions Guía para

(SEC305) IAM Best Practices | AWS re:Invent 2014

Get started with Cloud Volumes ONTAP in the AWS C2S … · that they need to perform actions in the AWS Commercial Cloud Services environment. You need an IAM policy and IAM role

Migrating AWS Resources to a New Region - Amazon Web … ·  · 2016-02-16Amazon Web Services – Migrating AWS Resources to a New Region March 2013 ... AWS IAM and Security Considerations

LO_ · Web viewDescribe AWS Elastic Beanstalk. AWS CloudFormation Describe AWS CloudFormation. AWS Identity and Access Management (IAM) Describe AWS IAM. AWS Cross Cloud Service Feature

SAP on AWS Webinar - Sprinklr · PDF file · 2017-10-16SAP on AWS Webinar Deployment of SAP Solutions on AWS ... AWS AWS IAM CloudTrail AWS Quick Starts AWS Service Catalog ... Follows

AVIC - Ivativ · 2020-02-04 · introduce how to connect Amazon services (including Amazon Alexa, AWS Lambda, AWS IoT, AWS IAM) and use Alexa to control LED on iVativ. 1.1 AWS LED

Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS re:Invent 2013

20150109 - AWS BlackBelt - IAM (Korean)

IAM ESSENTIALS - Best devops training institute in · PDF file · 2017-03-06SYSTEMS PVT. IAM Initial Configuration: AWS Best practices: Guidelines that recommend settings, configurations

Amazon AWS Security Basics - Black · PDF fileAmazon AWS Security Basics Escalating privileges from EC2 ... •As an Amazon AWS architect/developer you use IAM to manage: •Users

Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

SonicWall Integration Guide: SonicOS and AWS · AWS Identity and Access Management (IAM) identities, creates, and manages Users and Groups from the IAM page in the AWS Management

AWS Identity and Access Management Using IAM · PDF fileThe iam/info document indicates a success b ut indicates "Message":"Instance Profile does not contain a role ... AWS Identity

Introduction to AWS Security - AWS Whitepaper · 01/07/2015  · Introduction to AWS Security AWS Whitepaper Abstract Introduction to AWS Security Publication date: January 2020 (Document

Agile and Keyless Cloud Security Response...ACM, AWS CloudTrail, AWS IAM, AWS IAM Access Analyzer, AWS Lambda, AWS Security Hub. • Platform: Platform independent Avoid credential

Yinlin Chen, Jim Tuttle, William A. Ingram Information ...AWS Lambda Amazon DynamoDB Amazon CloudFront Amazon Route 53 Amazon CloudWatch AWS CloudTrail AWS CloudFormation IAM Amazon