This document discusses various topics related to AWS Identity and Access Management (IAM), including:
1. An overview of IAM roles, policies, and the Security Token Service (STS), as well as a discussion on compliance and security.
2. Details about upcoming meetup topics on Virtual Private Cloud (VPC) networking and AWS Organizations.
3. Examples and explanations of IAM policies, roles, resource-based vs user-based policies, policy variables, Amazon Resource Names (ARNs), and other IAM concepts.
4. A demonstration of custom login URLs and switching roles in the AWS Management Console.
The document discusses AWS Security Token Service (STS), which enables users to request temporary security credentials. STS works with AWS Identity and Access Management (IAM) to provide credentials for IAM users or federated users authenticated outside of AWS. STS allows generating limited-privilege credentials for IAM users, federated users authenticated by an identity provider, and for delegating access to services that need to access AWS resources. The temporary credentials provided by STS can be used to make AWS API calls for the duration specified, providing a secure way to access AWS resources without long-term credentials.
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...Amazon Web Services
Learn about best practices on how to secure your AWS environment with AWS Identity and Access Management (IAM). We will discuss how you best create access policies; manage security credentials (i.e., access keys, password, multi factor authentication (MFA) devices etc); how to set up least privilege; minimizing the use of your root account etc.
by Joy Chatterjee, Sr. Technical Product Manager, AWS
We take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket or to launch an Amazon EC2 instance of a specific type. Level 300
This document provides an overview of AWS Identity and Access Management (IAM) and how it can be used to control access to AWS resources. IAM enables control of who can access AWS accounts and what actions they can perform by creating users, groups, and roles with permissions. The document discusses IAM concepts and common use cases, and includes demonstrations of creating IAM users and groups and assigning permissions through policies.
The document outlines 10 best practices for managing identity and access management (IAM) on AWS:
1. Create individual users instead of sharing credentials.
2. Configure a strong password policy and regularly rotate credentials.
3. Enable multi-factor authentication for privileged users.
4. Manage permissions with groups and grant least privilege.
5. Use IAM roles to allow cross-account access and provide access to EC2 instances and federated users.
6. Enable AWS CloudTrail logging to monitor API activity.
7. Reduce use of root credentials where possible.
The document provides explanations and examples for each best practice.
by Brigid Johnson, Product Management Manager, AWS
How to Use IAM Roles to Grant Access to AWS: Customers use IAM roles to delegate access to services, applications, accounts, and federated users using temporary credentials. We will start by defining use cases for IAM roles, tools to use IAM roles in your account, and techniques to manage role permissions. We will cover how customers can use roles to grant access to AWS. Using demonstrations, we will learn how to monitor roles across accounts, grant cross account access, and scope down permissions for a particular entity. This session will cover how to use roles for developers building applications on AWS and for administrators controlling and monitoring access. Level 300
This document discusses federated access to AWS resources using temporary security credentials. It describes how users in other AWS accounts or identity stores can be provided access to resources in an AWS account. Common use cases include delegating access to team members or third parties. The document outlines how federation works using sessions generated by AWS Security Token Service (STS). It provides examples of proxy-based and SAML-based federation using STS operations like GetFederationToken and AssumeRoleWithSAML. Web identity federation via AssumeRoleWithWebIdentity with external providers like Login with Amazon is also covered.
This session introduces the concepts of AWS Identity and Access Management (IAM) and walks through the tools and strategies you can use to control access to your AWS environment. We describe IAM users, groups, and roles and how to use them. We demonstrate how to create IAM users and roles, and grant them various types of permissions to access AWS APIs and resources.
IAM Deep Dive - Custom IAM Policies with ConditionsBryant Poush
This document provides an overview of using conditions with IAM policies to customize access. It begins with examples of basic IAM policy structures and progresses to using conditions to limit actions based on factors like region, instance type, volume type and size. The document demonstrates how to structure policies with condition blocks and test policies to ensure the intended access is allowed or denied.
The document outlines 10 best practices for managing identity and access management (IAM) on AWS: 1) Create individual users, 2) Configure a strong password policy, 3) Rotate security credentials regularly, 4) Enable multi-factor authentication for privileged users, 5) Manage permissions with groups, 6) Grant least privilege, 7) Use IAM roles to share access, 8) Use IAM roles for Amazon EC2 instances, 9) Enable AWS CloudTrail for auditing API calls, and 10) Reduce or remove use of the root account. The document provides explanations and examples for implementing each best practice.
by Apurv Awasthi, Sr. Technical Product Manager, AWS
This session introduces the concepts of AWS Identity and Access Management (IAM) and walks through the tools and strategies you can use to control access to your AWS environment. We describe IAM users, groups, and roles and how to use them. We demonstrate how to create IAM users and roles, and grant them various types of permissions to access AWS APIs and resources. We also cover the concept of trust relationships, and how you can use them to delegate access to your AWS resources. This session covers also covers IAM best practices that can help improve your security posture. We cover how to manage IAM users and roles, and their security credentials. We also explain ways for how you can securely manage you AWS access keys. Using common use cases, we demonstrate how to choose between using IAM users or IAM roles. Finally, we explore how to set permissions to grant least privilege access control in one or more of your AWS accounts. Level 100
Secure Amazon EC2 Environment with AWS IAM & Resource-Based Permissions (CPN2...Amazon Web Services
Customers with multiple AWS administrators need a way to control who can do what in their Amazon EC2 environment to ensure both security and availability. This session demonstrates how to secure your Amazon EC2 environment using IAM roles and resource-based permissions.
This document discusses federated access to AWS resources using temporary security credentials. It describes how federation works by allowing users in other AWS accounts or identity stores to access resources in your AWS account through the use of sessions. Common use cases for federation include delegating access to other AWS accounts or teams and federating with corporate directories. The document then demonstrates how to request and use sessions to access AWS through the console and CLI using SAML and web identity federation.
AWS Windsor User Group - June 7th 2018 - Amazon Web Services IAMBrandon Wells
Hi Everyone!
Here's the slide presentation from our last meeting (07/06/2018).
We did a 101 level overview of AWS Identity and Access Management. The goal was to enable you to create more secure AWS environments & architectures and provide you with IAM best practices.
Identity and access management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. IAM enables you to securely control access to your application or product services and resources for your users.
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...Amazon Web Services
Are you interested in learning how to control access to your AWS resources? Have you ever wondered how to best scope down permissions to achieve least privilege permissions access control? If your answer to these questions is "yes," this session is for you. We take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket or to launch an Amazon EC2 instance of a specific type.
(SEC303) Mastering Access Control Policies | AWS re:Invent 2014Amazon Web Services
If you have ever wondered how best to scope down permissions in your account, this in-depth look at the AWS Access Control Policy language is for you. We start with the basics of the policy language and how to create policies for users and groups. We look at how to use policy variables to simplify policy management. Finally, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket, allowing an IAM user to manage their own credentials and passwords, and more.
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
Identity and Access Management (IAM) is first step towards AWS cloud adoption because in the cloud, first you grant access and only then can you provision infrastructure (the opposite approach of on-premises). In this session, you will learn how to define fine-grained access to AWS resources via users, roles, and groups; design privileged user and multi-factor authentication mechanisms; and operate IAM at scale.
Level: 100
Speaker: Don Edwards - Sr. Technical Delivery Manager, AWS
SEC302 Delegating Access to Your AWS Environment - AWS re: Invent 2012Amazon Web Services
At times you may have a need to provide external entities access to resources within your AWS account. You may have users within your enterprise that want to access AWS resources without having to remember a new username and password. Alternatively, you may be creating a cloud-backed application that is used by millions of mobile users. Or you have multiple AWS accounts that you want to share resources across. Regardless of the scenario, AWS Identity and Access Management (IAM) provides a number of ways you can securely and flexibly provide delegated access to your AWS resources. Come learn how to best take advantage of these options in your AWS environment.
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsAmazon Web Services
Are you interested in becoming an expert in managing access to your AWS resources? Have you ever wondered how to best scope down permissions for least privilege access? Do you have multiple AWS accounts and need to know how to manage access to resources centrally? In this session, we take an in-depth look at AWS Identity and Access Management (IAM) and AWS Organizations. You will learn how to quickly create IAM policies to manage fine-grained access to your resources. Throughout the session, we will cover common use cases, such as how to grant a user access to an Amazon S3 bucket or permissions to launch an Amazon EC2 instance of a specific type. You will also learn how to create and use Service Control Policies (SCPs) through Organizations to manage AWS service use across all your accounts centrally.
This document provides an overview of becoming an expert at using IAM policies to control access to AWS resources. It discusses the key components of IAM policies including principals, actions, resources, and conditions. It also covers best practices for authoring, testing, and debugging policies. The document demonstrates how to create a policy that allows launching EC2 instances in specific regions and of specific types. It also shows how to decode the EC2 authorization message to help debug access issues.
The document provides an overview of mastering AWS Identity and Access Management (IAM) access control policies. It discusses policy basics like specifying actions, resources, principals, and conditions. It demonstrates example policies for allowing access to specific AWS services like EC2, S3, and Lambda. It also covers best practices for managing policies and provides demonstrations of policy configurations for common use cases in EC2.
This document provides an overview of data encryption options in AWS. It discusses encryption at rest using AWS Key Management Service (KMS) and bringing your own keys. KMS allows customers to centralize control of encryption keys while integrating with many AWS services. It provides assurances around key security and auditing of key usage. Alternatives like AWS CloudHSM and do-it-yourself key management are also presented. The document emphasizes starting with a threat model and using least privilege access controls to properly secure data.
TIB Academy Offers best AWS training in bangalore. this tutorial contains the following aspects,
security mind map
identity and access management
IAM policies
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsAmazon Web Services
Are you interested in becoming an expert in managing access to your AWS resources? Have you ever wondered how to best scope down permissions for least privilege access? Do you have multiple AWS accounts and need to know how to manage access to resources centrally? In this session, we take an in-depth look at AWS Identity and Access Management (IAM) and AWS Organizations. You will learn how to quickly create IAM policies to manage fine-grained access to your resources. Throughout the session, we will cover common use cases, such as how to grant a user access to an Amazon S3 bucket or permissions to launch an Amazon EC2 instance of a specific type. You will also learn how to create and use Service Control Policies (SCPs) through Organizations to manage AWS service use across all your accounts centrally.
We take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket or to launch an Amazon EC2 instance of a specific type.
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...Amazon Web Services
In this session, learn how Vanguard has matured their IAM controls and automation to support a micro-account strategy, providing further agility to developers while reducing blast radius and improving governance. You learn how Vanguard uses STS Federation at the OU level, builds common roles across all micro accounts, implements AWS Organizations SCPs, and uses different network control zones for admin vs. non-admin functions. Vanguard also shares how they are using AWS Lambda to block escalation of privilege.
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftAmazon Web Services
This document discusses identity and access management for serverless applications. It provides an overview of AWS Identity and Access Management (IAM) including IAM users, groups, roles, and policies. It also discusses Amazon Cognito for user management and the WildRydes serverless application workshop which involves restricting access to an S3 bucket and setting up user authentication with Cognito user pools.
This document discusses limiting Amazon EC2 instance types that a user can start. It provides an example policy that attempts to limit starting an EC2 instance except for t2.* instance types. The policy would be created as a managed policy and attached to an IAM user. Then the expected behavior is demonstrated.
Mastering Access Control Policies (SEC302) | AWS re:Invent 2013Amazon Web Services
This document provides an overview of mastering access control policies in AWS. It discusses goals of understanding how to secure AWS resources and learn the policy language. It then covers key aspects of identity and access management (IAM) including why IAM is important, how it provides granular control, and the anatomy of the policy language. Specific examples are given for policy elements like principal, action, resource, and conditions. It also demonstrates how to use policy variables and provides examples of locking down access to Amazon EC2 instances and DynamoDB tables.
SRV334-Making Things Right with AWS Config Rules and AWS LambdaAmazon Web Services
Custom rules created with AWS Config and AWS Lambda enables organizations to inspect, assess, and remediate changes to AWS resources. These tools provide the development speed and flexibility required for your team to quickly start and finish a job before it becomes an issue for your client. In this workshop, you practice using AWS Lambda to design and implement the AWS Config rules that you think an organization should have ready at a moment’s notice before their next client contacts them about an issue.
Managing security and ensuring cloud compliance for large scale applications with is complex and can be difficult to troubleshoot.
AWS Config Rules is a new set of cloud governance capabilities that allow IT Administrators to define guidelines for provisioning and configuring AWS resources and then continuously monitor compliance with those guidelines.
In this webinar, we will explain the benefits of AWS Config Rules, how it compares with other AWS security services, and walk through enabling AWS Config Rules on your account. We will explain the differences between pre-defined, AWS managed rules and guide you through the process of creating your own custom rule using AWS Lambda.
Learning Objectives:
Understand the basics of AWS Config Rules
Learn how to establish guidelines and monitor compliance using AWS Config Rules
Who Should Attend:
IT and System Administrators, Security Experts, Developers, Operators
This document discusses IAM access control policies for AWS resources. It begins with goals of understanding how to secure AWS resources using policies and learning tips for common policy tasks. The presentation then dives into details of the policy language, including the anatomy of a statement with the principal, action, resource, and condition elements. It provides examples of specifying principals, actions, resources, and conditions. It also covers policy variables and managing policies through the IAM console. The presentation concludes with demonstrations of EC2 and Lambda policies.
This session is focused on diving into the AWS IAM policy categories to understand the differences, learn how the policy evaluation logic works, and go over some best practices. We will then walk through how to use permission boundaries to truly delegate administration in AWS.
Providing more control around how to manage your AWS accounts with our newly launched service - AWS Organizations. In this session we'll look at aspects affecting your account management before and after AWS Organizations, how AWS Organizations can programmatically create and manage your AWS accounts and apply organisational controls with familiar policies across these accounts to meet your business needs. We'll also cover best practices and troubleshooting tips to get you started.
Speaker: Pierre Liddle, Solutions Architect, Amazon Web Services
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsAmazon Web Services
Are you interested in becoming an expert in managing access to your AWS resources? Have you ever wondered how to best scope down permissions for least privilege access? Do you have multiple AWS accounts and need to know how to manage access to resources centrally? In this session, we take an in-depth look at AWS Identity and Access Management (IAM) and AWS Organizations. You will learn how to quickly create IAM policies to manage fine-grained access to your resources. Throughout the session, we will cover common use cases, such as how to grant a user access to an Amazon S3 bucket or permissions to launch an Amazon EC2 instance of a specific type. You will also learn how to create and use Service Control Policies (SCPs) through Organizations to manage AWS service use across all your accounts centrally.
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or LessAmazon Web Services
This document provides a summary of an AWS session on becoming an IAM policy expert in 60 minutes or less. It covers key IAM policy concepts like principal, action, resource, and condition elements. Examples are given for each element to show how policies can be used to control access to AWS services like EC2, S3, and IAM. The session also demonstrates how to use policy variables and debug policies. Attendees would learn tips and tricks for common use cases through demos of limiting EC2 instance types and using conditions.
The document discusses security at scale on AWS. It covers several topics:
- AWS security controls including over 70 services, 7,710 audit artifacts and 3,030 audit requirements.
- How AWS handles security at scale through automation, ubiquitous logging and encryption, and rapid detection and response times of under 10 minutes on average.
- AWS services that can help with security including IAM, CloudTrail, GuardDuty, and AWS Config rules.
- Reference architectures that show how to scale infrastructure securely including using multiple availability zones and services like Route 53, S3, CloudFront, and Lambda.
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Amazon Web Services
The document provides best practices for managing security operations in AWS. It discusses key aspects of the AWS shared responsibility model including that AWS manages security of the cloud while customers are responsible for security in the cloud. It also covers identity and access management best practices such as creating individual users, granting least privilege, using groups to manage permissions, restricting privileged access with conditions, enabling auditing with CloudTrail, configuring strong password policies and rotating credentials regularly. The document provides an overview of key certification programs and compliance offerings from AWS.
Similar to Windsor AWS UG Deep dive IAM 2 - no json101 (20)
Ethics guidelines for trustworthy AI (HIGH-LEVEL EXPERT GROUP ON ARTIFICIAL I...prb404
On 8 April 2019, the High-Level Expert Group on AI presented Ethics Guidelines for Trustworthy Artificial Intelligence. This followed the publication of the guidelines' first draft in December 2018 on which more than 500 comments were received through an open consultation.
According to the Guidelines, trustworthy AI should be:
(1) lawful - respecting all applicable laws and regulations
(2) ethical - respecting ethical principles and values
(3) robust - both from a technical perspective while taking into account its social environment
Tama Tonga MFT T shirts Tama Tonga MFT T shirtsexgf28
Tama Tonga MFT T shirts
https://www.pinterest.com/youngtshirt/tama-tonga-mft-t-shirts/
Tama Tonga MFT T shirts,Tama Tonga MFT shirt,Tama Tonga MFT Sweatshirts,MFT T shirts Grabs yours today. tag and share who loves it.
2. Got Compliance?
• Does being compliant make us secure?
• If we are secure, are we compliant?
3. Next Meetup
• VPC (Virtual Private Cloud)
• Build a most commonly used network architecture with a CloudFormation
Template
• Entire Data Centre Networking Infrastructure in <20min
4. Refresher
• AWS Organizations
• Architecting Governance and Security with multi-account strategy
• Immutable Architecture
• Security Control Policies: BL / WL
7. AWS Identity and Access
Management
• Enables us to control who can do what in our AWS account
• Secure (deny) by default
• Global service
8. Custom Console Login URL
• https://alias.signin.aws.amazon.com/console
( redirected to a regional sign-in endpoint such as https://us-east-
2.signin.aws.amazon.com, resulting in a regional CloudTrail log entry in the
user's region's log )
• https://alias.signin.aws.amazon.com/console/s3
( AWS redirects you to the global sign-in endpoint at
https://signin.aws.amazon.com, resulting in a global CloudTrail log entry )
• https://alias.signin.aws.amazon.com/console/ec2?region=ca-central-1
(results in a CloudTrail log event in that region)
11. 10 Best IAM Practices
• Create individual users
• Grant least privilege
• Manage permissions with groups
• Restrict privileged access further with conditions
• Enable AWS CloudTrail to get logs of API calls
• Configure a strong password policy
• Rotate security credentials regularly.
• Enable MFA for privileged users
• Use IAM roles to share access
• Use IAM roles for Amazon EC2 instances
• Reduce or remove use of root
https://www.slideshare.net/AmazonWebServices/sec302-iam-best-practices-to-live-by
12. IAM Policies
• A policy is a document that contains one or more permissions.
• Each permission describes actions that are allowed or not allowed
• Written in JSON
• User Based or Resource Based
• Managed Policies and Inline Policies
• Managed Policies:
• AWS managed policies
• Customer managed policies
• Managed Policies feature:
• Reusability
• Central change management
• Versioning and rolling back
• Delegating permissions management
• Automatic updates for AWS managed policies
• Inline Policies feature:
• Embedded into user/group/role
• Strict one to one relationship between a policy and the principal entity that it’s attached
• What happens to a inline policy when we delete a principal entity that it’s attached to?
13. IAM Policy
Evaluation
Logic
Requests that are made by the AWS
account root user are allowed for
resources in that account.
IAM user in an account that is in an
organization can use the intersection
of the permissions allowed by both
Organizations SCPs and by the IAM
permission policies
14. User Based Policies
• Attached to a User, Group, or Role
• Policies DO NOT specify a Principal (User/Group/Role); it is implied
15. Resource Based Policies
• Attached to a resource such as S3 Bucket or DynamoDB Table
• Policies DO specify a Principal (User/Group/Role)
• Policy describes what access is assigned to the principal
16. Tag-based Access Control
• Allows us to treat resources as a unit (i.e. project
• Allows us to autmatically enforce permissions when new resources are created
• Supported services: EC2,VPC, EBS, RDS, SWS, Data Pipeline
17. Amazon Resource Names
Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM
policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.
The following is the common Amazon Resource Name (ARN) format to identify any resources in AWS.
arn:partition:service:region:namespace:relative-id
General formats for ARNs; the specific components and values used depend on the AWS service.
arn:partition:service:region:account-id:resource
arn:partition:service:region:account-id:resourcetype/resource
arn:partition:service:region:account-id:resourcetype:resource
• <!-- Elastic Beanstalk application version -->
• arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
• <!-- IAM user name —>
• arn:aws:iam::123456789012:user/David
•
• <!-- Amazon RDS instance used for tagging -->
• arn:aws:rds:eu-west-1:123456789012:db:mysql-db
•
• <!-- Object in an Amazon S3 bucket -->
• arn:aws:s3:::my_corporate_bucket/exampleobject.png
•
• Paths in ARNs
• arn:aws:iam::123456789012:user/Development/product_1234/*
• "Resource":"arn:aws:iam::123456789012:user/*"
• "Resource":"arn:aws:iam::123456789012:group/*"
•
• http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-rds
19. AWS Account Identifiers
AWS assigns two unique IDs to each AWS account:
• An AWS account ID (123456789012)
• A canonical user ID - an obfuscated form of the AWS account ID
(79a59df900b949665d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2b
e)
20. A Few Rules
• You cannot use a wildcard to specify all users in the Principal element in a
resource-based policy or a role trust policy.
• You cannot use groups as principals in any policy.
• You can use wildcard characters (* and ?) within any ARN segment
• You can specify user/* to mean all users or group/* to mean all groups
21. Policy Elements
• Effect - Required - specifies statements result is “Allow” or “Deny
• Principal - Required for Resource Policies only
• Action - Required - An AWS Service “Action” that statement applies to
• Resource - Required - An AWS object (ARN) that statement applies to.
• Condition - Optional
22. Policy Elements II
• Version policy element defines the version of the policy language
• Statement policy element is the main element for a policy
• Sid (Statement ID)
• Notprincipal (Effect: Allow with Notprincipal allows access to anonymous
(unauthenticated) uses; try not to use Notprincipal)
• Notaction
27. Allows IAM Users Access to Their S3
Home Directory, Programmatically and In
the Console
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<BUCKET-NAME>",
"Condition": {"StringLike": {"s3:prefix": [
"",
"home/",
"home/${aws:username}/*"
]}}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::<BUCKET-NAME>/home/${aws:username}",
"arn:aws:s3:::<BUCKET-NAME>/home/${aws:username}/*"
]
}
]
}
28. How IAM Users Change
Their Own Password
• Log into your account -> Click User Name in navigation bar of the console
• Click Security Credentials
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:GetAccountPasswordPolicy",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:ChangePassword",
"Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
}
]
}
31. How to apply what we learnt?
• Write a policy granting minimal set of permissions
• Let default ‘Deny’ prevent access to everything else
• Create a test user
• Attach the policy to the test user
• Make API / CLI calls as the test user with Dry Run option
• Confirm that policy works as intended
• If errors out, use AWS STS Encoded Authorization Message API to decode the
error
• Tweak the policy
• Iterate
32. IAM Role
• An AWS identity with permission policies that determine what the identity can
and cannot do in AWS.
• Temporary privilege escalation
• Enable users to perform a task that they normally would not be able to do (kind
of like ‘sudo’ command)
• A user can only assume one Role at a time
• Roles can be passed to EC2 Instances
• Credentials passed through a role have pre-set expiration times
33. Benefits of Using Roles
• Reduced the surface area of attack
• Temporary authentication credentials
• Auditable activity
• Automatically generated authentication credentials
• Limited privilege
34. When Launching EC2
Instances Into a Role…
• Any process or user running on the EC2 instance with access to the instance
metadata can access the credentials
• Instances with Role need to implement their own access control measures if
users will be logging into the instances
• Ask yourself: Do users need to log into the instances?
35. Switch Role Link
• After you create a role and grant your user permissions to switch to it, you must
provide the user with the role name and the account ID number or account
alias that contains the role. You can make things easier for your users by
sending them a link that is preconfigured with the account ID and role name.
• You can see the role link on the final page of the Create Role wizard or in the
Role Summary page for any cross-account enabled role.
https://signin.aws.amazon.com/switchrole?account=YourAccountIDorAlias
Here&roleName=pathIfAny/YourRoleNameHere
We’ll talk at AP level which equally applies to the actions in the console, CLI, or SDK. We’ll look at permissions needed for programmatic access and permissions required for the AWS console access.
Frequent anti-pattern is to create a user and then bake user’s credentials in application so that application can access them (for example, in a file, Windows registry etc). Credentials are stored in source repos and never rotated. Is there an easy way to avoid the madness of hard-coded credentials??
AWS Organizations service creates InfoSec Account and “OrganizationAccountAccessRole-InfoSec” role in the new SecInfo account.
Admin in Master Account grants a group permission to call “OrganizationAccountAccessRole-SecInfo” role
A user in Master Account requests access to the role
STS returns roles credentials
User switches role and becomes administrator in SecInfo Account
When you create a role for cross-account access, you establish trust from the account that owns the role and the resources (trusting account) to the account that contains the users (trusted account). To do this, you specify the trusted account number as the Principal in the role's trust policy. That allows potentially any user in the trusted account to assume the role. To complete the configuration, the administrator of the trusted account must give specific groups or users in that account permission to switch to the role.
IAM evaluates policies at run time
Also can use account ID instead of alias
Create a new account.
Record account # and role name.
Create an OU
Move newly created account into the new OU.
Create a new SCP and attach it to a new OU
Create a group.
Assign cloud_admin user to the group.
Create an inline policy that allows the user to assume the role
Demonstrate switching roles
Inline - embedded into user/group /role; deleted with user/group/role; strict one to one relationship between a policy and the principal entity that it's attached
Requests that are made by the AWS account root user are allowed for resources in that account.
IAM user in an account that is in an organization can use the intersection of the permissions allowed by both Organizations SCPs and by the IAM permission policies
Partition: aws (or aws-cn in China)
Service: s3
Don't specify region and namespace for S3 global service
Bucket-name or a bucket-name/object-key or wild card
ou can also use the Amazon S3 ListBuckets API to return the canonical user ID. For more information, see GET Service Response Elements in the Amazon Simple Storage Service API Reference.
We recommend that you set the Version element to 2012-10-17 for all policies.
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/myRole-S3-EC2
curl http://169.254.169.254/latest/meta-data/ <-must have slash
Run - launch
Start - starts stopped instance
Programmatically access home folder
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html
Programmatically and in the Console
a role does not have any credentials (password or access keys) associated with it. Instead, if a user is assigned to a role, access keys are created dynamically and provided to the user.
Note that you can switch roles only when you sign in as an IAM user. You cannot switch roles when you sign in as the AWS account root user.
• When you switch roles in the AWS Management Console, the console always uses your original credentials to authorize the switch. This applies whether you sign in as an IAM user, as a SAML-federated role, or as a web-identity federated role. For example, if you switch to RoleA, it uses your original user or federated role credentials to determine if you are allowed to assume RoleA. If you then try to switch to RoleB while you are using RoleA, it still uses your original user or federated role credentials to authorize your attempt to switch to RoleB, not the credentials for RoleA.
aws s3 ls
aws s3 ls s3://zoomzoom-sharedservices-testbucket --region ca-central-1
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/myRole-S3-EC2
curl http://169.254.169.254/latest/meta-data/ <-must have slash