Windsor AWS UG Deep dive IAM 2 - no json101

Deep Dive: IAM
IAM Roles & Policies, STS, CloudTrail

Got Compliance?
• Does being compliant make us secure?
• If we are secure, are we compliant?

Next Meetup
• VPC (Virtual Private Cloud)
• Build a most commonly used network architecture with a CloudFormation
Template
• Entire Data Centre Networking Infrastructure in <20min

Refresher
• AWS Organizations
• Architecting Governance and Security with multi-account strategy
• Immutable Architecture
• Security Control Policies: BL / WL

Switch Role
Master Account InfoSec Account
{"Version":"2012-10-
17","Statement":[{"Effect":"Allow","Action":"*","R
esource":"*"}]}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": “arn:aws:iam::111111111111:root"
},
"Action": "sts:AssumeRole"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1499879069000",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
“arn:aws:iam::222222222222:role/OrganizationAccountAccess
Role-InfoSec"
]
}
]
}
Trusting AccountTrusted Account
InfoSec Admin Group
1111-1111-1111 2222-2222-2222
OrganizationAccountAccessRole-InfoSec
Access Policy
Trust PolicyInline Policy Attached to a Group

AWS Security Mind Map
https://cloudonaut.io

AWS Identity and Access
Management
• Enables us to control who can do what in our AWS account
• Secure (deny) by default
• Global service

Custom Console Login URL
• https://alias.signin.aws.amazon.com/console
( redirected to a regional sign-in endpoint such as https://us-east-
2.signin.aws.amazon.com, resulting in a regional CloudTrail log entry in the
user's region's log )
• https://alias.signin.aws.amazon.com/console/s3
( AWS redirects you to the global sign-in endpoint at
https://signin.aws.amazon.com, resulting in a global CloudTrail log entry )
• https://alias.signin.aws.amazon.com/console/ec2?region=ca-central-1
(results in a CloudTrail log event in that region)

Demo: Custom Console
Login URL & Switch Role

No Cameras During
the Web Demo!!!

10 Best IAM Practices
• Create individual users
• Grant least privilege
• Manage permissions with groups
• Restrict privileged access further with conditions
• Enable AWS CloudTrail to get logs of API calls
• Configure a strong password policy
• Rotate security credentials regularly.
• Enable MFA for privileged users
• Use IAM roles to share access
• Use IAM roles for Amazon EC2 instances
• Reduce or remove use of root
https://www.slideshare.net/AmazonWebServices/sec302-iam-best-practices-to-live-by

IAM Policies
• A policy is a document that contains one or more permissions.
• Each permission describes actions that are allowed or not allowed
• Written in JSON
• User Based or Resource Based
• Managed Policies and Inline Policies
• Managed Policies:
• AWS managed policies
• Customer managed policies
• Managed Policies feature:
• Reusability
• Central change management
• Versioning and rolling back
• Delegating permissions management
• Automatic updates for AWS managed policies
• Inline Policies feature:
• Embedded into user/group/role
• Strict one to one relationship between a policy and the principal entity that it’s attached
• What happens to a inline policy when we delete a principal entity that it’s attached to?

IAM Policy
Evaluation
Logic
Requests that are made by the AWS
account root user are allowed for
resources in that account.
IAM user in an account that is in an
organization can use the intersection
of the permissions allowed by both
Organizations SCPs and by the IAM
permission policies

User Based Policies
• Attached to a User, Group, or Role
• Policies DO NOT specify a Principal (User/Group/Role); it is implied

Resource Based Policies
• Attached to a resource such as S3 Bucket or DynamoDB Table
• Policies DO specify a Principal (User/Group/Role)
• Policy describes what access is assigned to the principal

Tag-based Access Control
• Allows us to treat resources as a unit (i.e. project
• Allows us to autmatically enforce permissions when new resources are created
• Supported services: EC2,VPC, EBS, RDS, SWS, Data Pipeline

Amazon Resource Names
Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM
policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.
The following is the common Amazon Resource Name (ARN) format to identify any resources in AWS.
arn:partition:service:region:namespace:relative-id
General formats for ARNs; the specific components and values used depend on the AWS service.
arn:partition:service:region:account-id:resource
arn:partition:service:region:account-id:resourcetype/resource
arn:partition:service:region:account-id:resourcetype:resource
• 
• arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
• 
• arn:aws:rds:eu-west-1:123456789012:db:mysql-db
•
• 
• arn:aws:s3:::my_corporate_bucket/exampleobject.png
•
• Paths in ARNs
• arn:aws:iam::123456789012:user/Development/product_1234/*
• "Resource":"arn:aws:iam::123456789012:user/*"
• "Resource":"arn:aws:iam::123456789012:group/*"
•
• http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-rds

ARNs Cont.
• arn:aws:s3:::bucket_name
• arn:aws:s3:::bucket_name/key_name
• arn:aws:s3:::examplebucket/developers/design_info.doc
• arn:aws:s3:::examplebucket/*
• arn:aws:s3:::example?bucket/*
• arn:aws:s3:::bucket_name/developers/${aws:username}/

AWS Account Identifiers
AWS assigns two unique IDs to each AWS account:
• An AWS account ID (123456789012)
• A canonical user ID - an obfuscated form of the AWS account ID
(79a59df900b949665d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2b
e)

A Few Rules
• You cannot use a wildcard to specify all users in the Principal element in a
resource-based policy or a role trust policy.
• You cannot use groups as principals in any policy.
• You can use wildcard characters (* and ?) within any ARN segment
• You can specify user/* to mean all users or group/* to mean all groups

Policy Elements
• Effect - Required - specifies statements result is “Allow” or “Deny
• Principal - Required for Resource Policies only
• Action - Required - An AWS Service “Action” that statement applies to
• Resource - Required - An AWS object (ARN) that statement applies to.
• Condition - Optional

Policy Elements II
• Version policy element defines the version of the policy language
• Statement policy element is the main element for a policy
• Sid (Statement ID)
• Notprincipal (Effect: Allow with Notprincipal allows access to anonymous
(unauthenticated) uses; try not to use Notprincipal)
• Notaction

Basics
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": “Allow or Deny",
"Action": “some API action:*”,
“Resource": “some resource",
"Condition": {
“Key”: “Value”
}
}
]
}

Tag-based Access Control
Example
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
“Resource": "*",
"Condition": {
"StringEquals": { "ec2:ResourceTag/Project" : "Blue"
}
}
}
]
}

Allow Only T2 Instances
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": “arn:aws:ec2:*:123456789012:instance/*",
"Condition": {
"StringNotLikeIfExists": {
"ec2:InstanceType": [
"t2.*"
]
}
}
}
]
}

Policy Variables - Access
Home Folder Programatically
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
}
]
}

Allows IAM Users Access to Their S3
Home Directory, Programmatically and In
the Console
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<BUCKET-NAME>",
"Condition": {"StringLike": {"s3:prefix": [
"",
"home/",
"home/${aws:username}/*"
]}}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::<BUCKET-NAME>/home/${aws:username}",
"arn:aws:s3:::<BUCKET-NAME>/home/${aws:username}/*"
]
}
]
}

How IAM Users Change
Their Own Password
• Log into your account -> Click User Name in navigation bar of the console
• Click Security Credentials
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:GetAccountPasswordPolicy",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:ChangePassword",
"Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
}
]
}

Home Folders Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::BUCKET-NAME",
"Condition": {"StringLike": {"s3:prefix": [
"",
"home/",
"home/${aws:username}/"
]}}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::BUCKET-NAME/home/${aws:username}",
"arn:aws:s3:::BUCKET-NAME/home/${aws:username}/*"
]
}
]
}

Custom EC2 Policy
{
"Version": "2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":["ec2:RunInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:Describe*"],
"Resource":"*"
},
{
"Effect":"Deny",
"NotAction":["ec2:RunInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:Describe*"],
"Resource":"*"
}
]
}

How to apply what we learnt?
• Write a policy granting minimal set of permissions
• Let default ‘Deny’ prevent access to everything else
• Create a test user
• Attach the policy to the test user
• Make API / CLI calls as the test user with Dry Run option
• Confirm that policy works as intended
• If errors out, use AWS STS Encoded Authorization Message API to decode the
error
• Tweak the policy
• Iterate

IAM Role
• An AWS identity with permission policies that determine what the identity can
and cannot do in AWS.
• Temporary privilege escalation
• Enable users to perform a task that they normally would not be able to do (kind
of like ‘sudo’ command)
• A user can only assume one Role at a time
• Roles can be passed to EC2 Instances
• Credentials passed through a role have pre-set expiration times

Benefits of Using Roles
• Reduced the surface area of attack
• Temporary authentication credentials
• Auditable activity
• Automatically generated authentication credentials
• Limited privilege

When Launching EC2
Instances Into a Role…
• Any process or user running on the EC2 instance with access to the instance
metadata can access the credentials
• Instances with Role need to implement their own access control measures if
users will be logging into the instances
• Ask yourself: Do users need to log into the instances?

Switch Role Link
• After you create a role and grant your user permissions to switch to it, you must
provide the user with the role name and the account ID number or account
alias that contains the role. You can make things easier for your users by
sending them a link that is preconfigured with the account ID and role name.
• You can see the role link on the final page of the Create Role wizard or in the
Role Summary page for any cross-account enabled role.
https://signin.aws.amazon.com/switchrole?account=YourAccountIDorAlias
Here&roleName=pathIfAny/YourRoleNameHere

References
• http://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
• http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluati
on-logic.html
• http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-arn-format.html
• http://docs.aws.amazon.com/cli/latest/userguide/generate-cli-skeleton.html
• http://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/working-
with-json.html
• http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_element
s.html

Windsor AWS UG Deep dive IAM 2 - no json101

More Related Content

What's hot

What's hot (20)

Similar to Windsor AWS UG Deep dive IAM 2 - no json101

Similar to Windsor AWS UG Deep dive IAM 2 - no json101 (20)

Recently uploaded

Recently uploaded (20)

Windsor AWS UG Deep dive IAM 2 - no json101

Editor's Notes