AWS re:Invent 2016: Workshop: Adhere to the Principle of Least Privilege by Using AWS Identity and Access Management (IAM) and Amazon Virtual Private Cloud (VPC) (SEC302)

AWS IAM and Amazon VPC offer powerful tools that help you adhere to the principle of least privilege in your resource permissions and network security settings. This workshop will start with the fundamentals of IAM and VPC security techniques and will give you hands-on experience in writing, testing, applying, troubleshooting, and auditing progressively more tightly scoped IAM policies. You will also get experience building and monitoring VPC security groups that grant only the access required to perform tasks.


1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. November 29, 2016. SEC302 Workshop: Adhering to Least-Privilege Principles. Becky Weiss, Senior Principal Engineer, AWS
2. [Diagram: the kinds of resources the workshop scopes access to: virtual private cloud, S3 bucket, DynamoDB table, SQS queue, Amazon Kinesis stream, Application Load Balancer, Amazon Redshift cluster, RDS database, EC2 instances, ECS tasks]
3. Principle of Least Privilege: Definition. "In information security, computer science, and other fields, the principle of least privilege requires that in a particular abstraction layer of a computing environment, every module must be able to access only the information and resources that are necessary for its legitimate purpose." (Wikipedia)
4. Identity and Access Management (IAM) [Diagram: IAM policy, temporary credentials, IAM role]
5. Virtual Private Cloud (VPC) [Diagram: two security groups]
6. Auditing, Monitoring and Troubleshooting: AWS CloudTrail; Amazon CloudWatch Events and CloudWatch Logs; AWS Lambda
7. What to Expect from the Session. Hands-on practice working with IAM and Amazon VPC: • Techniques for scoping access and connectivity: allowing exactly what you need. • Techniques for debugging, auditing, and alarming.
8. Prerequisites. You will get the most out of this session if you: • Have some experience with AWS • Have an AWS account with a working, installed AWS CLI • Know how to SSH to a Linux host • Have some basic programming experience (examples will be in JavaScript)
9. Handouts. Handouts zip file: https://s3.amazonaws.com/awsiammedia/public/sample/LeastPrivilegeWorkshopreInvent/SEC302_handouts.zip Download and unzip it on your machine.
10. Getting set up
11. Meet your neighbors! Look to your left, look to your right… Introduce yourself! You'll be working with your neighbor later in this workshop.
12. Setup Steps: AWS CLI; CloudTrail; credentials and keys; CloudFormation setup template
13. Setup: AWS Command Line Interface
14. Installing the CLI. OS-specific instructions: http://docs.aws.amazon.com/cli/latest/userguide/installing.html Test it:
    C:\Users\becky>aws --version
    aws-cli/1.10.65 Python/2.7.9 Windows/7 botocore/1.4.55
15. Configuring the CLI: http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html Note: We will be using the us-west-2 region (Oregon) for this workshop.
16. Setup Steps: AWS CLI; CloudTrail; credentials and keys; CloudFormation setup template
17. Setup: CloudTrail
18. Always run CloudTrail
19. And we'll come back later
20. Setup Steps: AWS CLI; CloudTrail; credentials and keys; CloudFormation setup template
21. Setup: IAM Users, Credentials, SSH Keys
22. I actually could have shown you these, since I later deleted the user. BUT: These are long-term security credentials. Don't share or post them anywhere.
23. Configuring an IAM User Profile in the CLI. Use the credentials you were given:
    C:\Users\becky>aws configure --profile sec302demo
    AWS Access Key ID [None]: AKIA*************
    AWS Secret Access Key [None]: ***************************
    Default region name [None]: us-west-2
    Default output format [None]: json
24. Use the CLI as Sec302DemoUser:
    C:\Users\becky>aws ec2 describe-vpcs --profile sec302demo
    An error occurred (UnauthorizedOperation) when calling the DescribeVpcs operation: You are not authorized to perform this operation.
25. Give the new user some permissions
26. IAM managed policies: predefined sets of commonly-used policies. You can also write your own (and we will). [Console callouts: handy filter; attach it]
27. Test Access:
    > aws ec2 describe-vpcs --profile sec302demo
    { "Vpcs": [ { "VpcId": "vpc-c6a649a1", "InstanceTenancy": "default", "State": "available", "DhcpOptionsId": "dopt-e4650b80", "CidrBlock": "172.31.0.0/16", "IsDefault": true } ] }
28. Create an EC2 Key Pair For SSH Access. If you already have an SSH key:
    aws ec2 import-key-pair ` --profile sec302demo ` --key-name Sec302DemoSSH ` --public-key-material file://c:\temp\Sec302DemoPub.txt
    To create a new SSH key:
    aws ec2 create-key-pair ` --profile sec302demo ` --key-name Sec302DemoSSH
    And save the KeyMaterial from the response.
29. Setup Steps: AWS CLI; CloudTrail; credentials and keys; CloudFormation setup template
30. Setup: CloudFormation Template
31. CloudFormation Stack Setup
32. CloudFormation Stack Setup. Handout: sec302_setup_template.json
33. CloudFormation Stack Setup. Parameters: your email address; a name for the stack; your SSH key name; your IP address
34. The VPC You Just Created [Diagram: VPC with subnets in us-west-2a, us-west-2b and us-west-2c, and a route to 0.0.0.0/0]
35. The Application You Just Launched [Diagram: the same VPC with subnets in us-west-2a, us-west-2b and us-west-2c, and a route to 0.0.0.0/0]
36. Looking at your VPC
37. Your VPC Has Flow Logs Enabled. Logs will be delivered to this CloudWatch Logs group.
38. Optional: Subscribe to SNS Topic
39. Setup Steps: AWS CLI; CloudTrail; credentials and keys; CloudFormation setup template
40. Setup: Test SSH Access
41. Launch an EC2 Instance [Diagram: VPC with subnets in us-west-2a, us-west-2b and us-west-2c, a route to 0.0.0.0/0, and the SSH security group]
42. Use the SSH Security Group
43. Cheat sheet: Launch an EC2 instance. Handout: run_instances_cheat_sheet.txt
    > aws ec2 run-instances --profile sec302demo
    >> --image-id ami-7172b611
    >> --instance-type t2.nano
    >> --subnet-id $YOUR_SUBNET_ID
    >> --security-group-ids $YOUR_SECURITY_GROUP_ID
    >> --key-name Sec302DemoSSH
    ($YOUR_SUBNET_ID and $YOUR_SECURITY_GROUP_ID are resources created by the SEC302 CloudFormation stack.)
44. Verify SSH Access. Test your ssh access, e.g.:
    putty.exe -i c:\temp\Sec302DemoPriv.ppk ec2-user@52.24.192.187
    You can now terminate this EC2 instance. We won't need it again.
45. All done setting up. Let's get started.
46. Introduction to IAM Roles: beyond simple credentials
47. Granting Permissions, the Wrong Way [Diagram: EC2 instance → DynamoDB table, with no IAM role in between]
48. Granting Permissions, the Right Way [Diagram: EC2 instance → IAM role → DynamoDB table]
49. Granting Permissions, the Right Way [Diagram: AWS Lambda function → DynamoDB table]
50. Granting Permissions, the Right Way [Diagram: other AWS accounts → DynamoDB table]
51. Hands-On with IAM Roles. We'll create an IAM role with some very specific privileges.
52. Create an IAM Role for an EC2 Instance
53. Create an IAM Role for an EC2 Instance. Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
54. Create an IAM Role for an EC2 Instance. [Console callout: the Amazon EC2 role type] This will allow Amazon EC2 to launch EC2 instances into this IAM role. Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
55. Policy for the IAM Role: S3 Read-Only Access. Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
56. Anatomy of an IAM Role. [Console callouts: ARN for referring to it later; for use by EC2; right now, permits all ReadOnly operations in S3 (we'll make this more restrictive later).] Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
57. Launch an EC2 instance. Launching with IAM role: this EC2 instance will have S3 ReadOnly permissions. Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
58. Attempt Actions From the EC2 Instance. SSH to your EC2 instance, and from there, try some actions:
    # Tell the CLI your default region
    aws configure set default.region us-west-2
    # This should work
    aws s3 ls
    # This should fail
    aws s3 mb s3://this-will-fail
    # This should fail
    aws ec2 describe-instances
59. Where Are the Credentials? There are credentials, but: • They are completely hands-off: you don't touch them. • They are temporary and will expire; IAM will automatically rotate them. To see them, ask the EC2 Instance Metadata Service (Sec302EC2Role is your role name):
    curl http://169.254.169.254/latest/meta-data/iam/security-credentials/Sec302EC2Role; echo
60. Making IAM Policy More Restrictive. Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
61. Making IAM Policy More Restrictive. Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
62. Making IAM Policy More Restrictive: Choosing Specific Actions. Only the s3:GetObject action is allowed. Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
63. Making IAM Policy More Restrictive: Choosing Specific Actions. "*" means permission to s3:GetObject on all S3 objects. Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
64. Making IAM Policy More Restrictive: Delete the Old Policy. Detach this managed policy: we're going to write our own.
65. Making IAM Policy More Restrictive: Choosing Specific Actions. Our policy so far:
    { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1474248983000", "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "*" ] } ] }
    Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
66. Attempt Actions From the EC2 Instance. SSH to your EC2 instance, and from there, try some actions:
    # This should fail
    aws s3 ls
    # This should work: it is s3:GetObject
    aws s3 cp s3://awsiammedia/public/sample/LeastPrivilegeWorkshopreInvent/SEC302_handouts.zip .
    Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
67. Making IAM Policy More Restrictive: IAM Resource-Level Policies. Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
68. Making IAM Policy More Restrictive: IAM Resource-Level Policies. In English: s3:ListBucket is allowed, only on the specified bucket, only when the prefix matches the given pattern.
    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Condition" : { "StringLike": { "s3:prefix": "AWSLogs/111122223333/CloudTrail/*" } }, "Resource": [ "arn:aws:s3:::your-cloudtrail-bucket-name-here" ] } ] }
    Use your own bucket name and your own account ID. Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
69. Testing the ListBucket Policy. SSH to your EC2 instance and try it:
    [ec2-user@ip-10-0-2-49 ~]$ aws s3 ls s3://$YOUR_CLOUDTRAIL_BUCKET/AWSLogs/$YOUR_ACCOUNT_ID/CloudTrail/us-west-2/2016/11/29/
    2016-11-29 16:28:41 1213 778340376510_CloudTrail_us-west-2_20161001T1625Z_k5gzl4muOxohMXeM.json.gz
    2016-11-29 16:38:33 2311 778340376510_CloudTrail_us-west-2_20161001T1630Z_50SqQyuABVqP5igQ.json.gz
    2016-11-29 16:33:22 1881 778340376510_CloudTrail_us-west-2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz
    …
    Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
70. Making IAM Policy More Restrictive: IAM Resource-Level Policies. In English: s3:GetObject is allowed, only on objects matching the given pattern. Add this statement to your policy, inside Statement[]:
    { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::<YOUR_CLOUDTRAIL_BUCKET>/AWSLogs/<YOUR_ACCOUNT_ID>/CloudTrail/*" ] }
    Use your own bucket name and account ID. Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
71. Testing the GetObject Policy:
    [ec2-user@ip-10-0-2-49 ~]$ aws s3 cp s3://becky-20161001-cloudtrail/AWSLogs/778340376510/CloudTrail/us-west-2/2016/10/01/778340376510_CloudTrail_us-west-2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz .
    download: s3://becky-20161001-cloudtrail/AWSLogs/778340376510/CloudTrail/us-west-2/2016/10/01/778340376510_CloudTrail_us-west-2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz to ./778340376510_CloudTrail_us-west-2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz
    Take a minute to unzip this and look at its contents:
    # gunzip $CLOUD_TRAIL_FILE.gz
    # sudo yum -y install jq
    # jq .Records[0] $CLOUD_TRAIL_FILE
    Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
72. Reference: AWS Services That Work With IAM. Bookmark this page: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html This has pointers to how you can use IAM with each AWS service.
73. Terminate the EC2 Instance You Launched. We will not need it anymore.
74. Testing IAM Roles: assuming IAM roles
75. Create an IAM Role: "Sec302RoleTestMe"
76. Grant access to your partner's account (or your own, if no partner). Catchup CloudFormation template handout: iam_role_cross_account_template.json
77. Permissions for the IAM Role. Choose a managed policy in the creation wizard, or write your own (inline policies). For example:
    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances" ], "Resource": [ "*" ] } ] }
    Catchup CloudFormation template handout: iam_role_cross_account_template.json
78. Note the IAM Role ARN. Catchup CloudFormation template handout: iam_role_cross_account_template.json
79. Assuming Your Partner's IAM Role (111122223333 stands for your partner's account):
    > aws sts assume-role --profile sec302demo ` --role-arn arn:aws:iam::111122223333:role/Sec302RoleTestMe ` --role-session-name MyTestSession
    An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::410436118402:user/sec302demo is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::778340376510:role/Sec302RoleTestMe
    Oops! What did we miss?
80. Policy Needed By Sec302DemoUser:
    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": ["arn:aws:iam::<YOUR_PARTNERS_ACCOUNT_ID>:role/Sec302RoleTestMe"] } ] }
    Catchup CloudFormation template handout: sts_assume_role_policy_template.json
81. Assuming the IAM Role:
    C:\Users\becky>aws sts assume-role --profile sec302demo --role-arn arn:aws:iam::778340376510:role/Sec302RoleTestMe --role-session-name MyTestSession
    { "AssumedRoleUser": { "AssumedRoleId": "AROAJCO64ENYICVBJQRWM:MyTestSession", "Arn": "arn:aws:sts::778340376510:assumed-role/Sec302RoleTestMe/MyTestSession" }, "Credentials": { "SecretAccessKey": "****", "SessionToken": "*****************", "Expiration": "2016-09-21T16:57:03Z", "AccessKeyId": "ASIA***********" } }
    Temporary credentials: I could have shown them. They have expired and are useless.
82. Use the Temporary Credentials:
    > aws configure --profile sec302assumed
    AWS Access Key ID [None]: *****
    AWS Secret Access Key [None]: *************
    Default region name [None]: us-west-2
    Default output format [None]: json
    > aws configure set aws_session_token *************************** --profile sec302assumed
83. Try the Temporary Credentials:
    # Should succeed
    aws ec2 describe-instances --profile sec302assumed
    # Should fail
    aws dynamodb list-tables --profile sec302assumed
84. More on Permissions for IAM Roles. Permissions for IAM roles should be minimal. Example yellow flags: • sts:AssumeRole / iam:PassRole: if needed, be specific about which IAM role this IAM role can assume or pass • iam:PutRolePolicy: usually only for highly privileged principals
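The progressive tightening on slides 62 to 70 (one action, then one bucket, then one key prefix) and the two-sided check behind the AccessDenied on slide 79 can both be worked through offline with the evaluator below. It is an added example written for this page; it is not one of the SEC302 handouts and not the AWS authorization engine. It models only the subset of the policy language the deck uses (implicit deny, an explicit Deny wins, wildcard Action and Resource matching, StringLike/StringEquals conditions, and an account-root or ARN Principal in a role's trust policy) and assumes the workshop's cross-account case, where the caller's identity policy (slide 80) and the role's trust policy (slide 76) must both allow sts:AssumeRole. The bucket name, account IDs and object keys are the deck's placeholders plus constructed sample data.

```javascript
// Added example: a teaching model of IAM policy evaluation, not the AWS engine.

function wildcardToRegExp(pattern, caseInsensitive) {
  // IAM wildcards: "*" matches any run of characters, "?" matches one character.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", caseInsensitive ? "i" : "");
}

function anyMatch(patterns, value, caseInsensitive) {
  return [].concat(patterns).some((p) => wildcardToRegExp(p, caseInsensitive).test(value));
}

function conditionHolds(condition, context) {
  if (!condition) return true;
  for (const [operator, keys] of Object.entries(condition)) {
    for (const [key, wanted] of Object.entries(keys)) {
      const actual = context[key];
      if (actual === undefined) return false; // key absent from the request: condition fails
      if (operator === "StringLike") { if (!anyMatch(wanted, actual, false)) return false; }
      else if (operator === "StringEquals") { if (![].concat(wanted).includes(actual)) return false; }
      else throw new Error("unsupported condition operator: " + operator);
    }
  }
  return true;
}

// request = { action, resource, context }; returns "Allow" or "Deny" (implicit deny).
function evaluate(policy, request) {
  let allowed = false;
  for (const stmt of policy.Statement) {
    if (!anyMatch(stmt.Action, request.action, true)) continue;      // action names are case-insensitive
    if (!anyMatch(stmt.Resource, request.resource, false)) continue; // ARNs are case-sensitive
    if (!conditionHolds(stmt.Condition, request.context || {})) continue;
    if (stmt.Effect === "Deny") return "Deny";                       // explicit Deny always wins
    allowed = true;
  }
  return allowed ? "Allow" : "Deny";
}

// Does the role's trust policy (AssumeRolePolicyDocument) name this caller?
// "arn:aws:iam::ACCOUNT:root" delegates to everyone in that account, as on slide 76.
function principalTrusted(trustPolicy, callerArn) {
  const callerAccount = callerArn.split(":")[4];
  return trustPolicy.Statement.some((stmt) => {
    if (stmt.Effect !== "Allow" || !anyMatch(stmt.Action, "sts:AssumeRole", true)) return false;
    const principals = [].concat((stmt.Principal && stmt.Principal.AWS) || []);
    return principals.some((p) => p === "*" || p === callerArn ||
      p === callerAccount || p === `arn:aws:iam::${callerAccount}:root`);
  });
}

// Cross-account AssumeRole needs BOTH the caller's own grant and the role's trust policy.
function canAssumeRole({ callerArn, callerPolicy, roleArn, trustPolicy }) {
  const identityOk = evaluate(callerPolicy, { action: "sts:AssumeRole", resource: roleArn }) === "Allow";
  return identityOk && principalTrusted(trustPolicy, callerArn);
}

// ---- Constructed sample data using the deck's placeholder bucket and account IDs ----
const ACCOUNT = "111122223333";
const CT_BUCKET_ARN = "arn:aws:s3:::your-cloudtrail-bucket-name-here";
// Slide 65: GetObject on every object in every bucket.
const getObjectAnywhere = { Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["s3:GetObject"], Resource: ["*"] }] };
// Slides 68 and 70: ListBucket on one bucket under one prefix, GetObject under one key prefix.
const scopedToCloudTrail = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: ["s3:ListBucket"], Resource: [CT_BUCKET_ARN],
    Condition: { StringLike: { "s3:prefix": `AWSLogs/${ACCOUNT}/CloudTrail/*` } } },
  { Effect: "Allow", Action: ["s3:GetObject"],
    Resource: [`${CT_BUCKET_ARN}/AWSLogs/${ACCOUNT}/CloudTrail/*`] } ] };
const LOG_OBJECT = `${CT_BUCKET_ARN}/AWSLogs/${ACCOUNT}/CloudTrail/us-west-2/2016/11/29/x.json.gz`;
const HANDOUTS_OBJECT = "arn:aws:s3:::awsiammedia/public/sample/LeastPrivilegeWorkshopreInvent/SEC302_handouts.zip";

// Slides 76-80: your user (account 410436118402) assuming your partner's role (account 778340376510).
const callerArn = "arn:aws:iam::410436118402:user/sec302demo";
const partnerRoleArn = "arn:aws:iam::778340376510:role/Sec302RoleTestMe";
const trustPolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: "sts:AssumeRole", Principal: { AWS: "arn:aws:iam::410436118402:root" } } ] };
const userPolicyBefore = { Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["ec2:Describe*"], Resource: "*" }] };
const userPolicyAfter = { Version: "2012-10-17", Statement: [
  ...userPolicyBefore.Statement,
  { Effect: "Allow", Action: ["sts:AssumeRole"], Resource: [partnerRoleArn] } ] };

console.log("GetObject on handouts, policy '*':   ", evaluate(getObjectAnywhere, { action: "s3:GetObject", resource: HANDOUTS_OBJECT }));
console.log("GetObject on handouts, scoped policy:", evaluate(scopedToCloudTrail, { action: "s3:GetObject", resource: HANDOUTS_OBJECT }));
console.log("AssumeRole before slide 80's policy: ", canAssumeRole({ callerArn, callerPolicy: userPolicyBefore, roleArn: partnerRoleArn, trustPolicy }));
console.log("AssumeRole after slide 80's policy:  ", canAssumeRole({ callerArn, callerPolicy: userPolicyAfter, roleArn: partnerRoleArn, trustPolicy }));
```

Use this to reason about a policy you are reading, not to decide access: the authoritative answer comes from IAM itself, for example aws iam simulate-principal-policy, which also accounts for resource-based policies and everything else this model leaves out.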
85. Going Further: IAM Resource-Based Policies. Useful for cross-account access. Supported on some AWS resources, e.g. S3 buckets. Attach the policy to the resource itself: analogous to access control lists.
86. Auditing API Call Events: using CloudWatch Events + AWS Lambda to audit resource access
87. CloudWatch Events & AWS Lambda [Diagram: CloudTrail → CloudWatch Events ("AWS API calls via CloudTrail") → AWS Lambda]
88. Lambda Function for CloudWatch Events: created by the SEC302 CloudFormation stack
89. Lambda Function for CloudWatch Events
90. Setting Up the CloudWatch Events Rule
91. Setting Up the CloudWatch Events Rule
92. Setting Up the CloudWatch Events Rule. Event source: AWS API call via CloudTrail; we will see EC2 API calls. The SEC302 CloudFormation stack created this. Catchup CloudFormation handout: cloudwatch_events_aws_api_rule_template.json
93. Try it: Make EC2 API calls. Make some that succeed. Make some that fail. Get your partner to make some that fail, while assuming your IAM role.
94. Find Lambda Logs in CloudWatch Logs
95. Events Delivered to Your Lambda Function:
    { … "detail": { "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "AROAJCO64ENYICVBJQRWM:MyTestSession", "arn": "arn:aws:sts::410436118402:assumed-role/Sec302RoleTestMe/MyTestSession", … "eventTime": "2016-09-21T17:03:13Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateVpc", "awsRegion": "us-west-2", "errorCode": "Client.UnauthorizedOperation", "errorMessage": "You are not authorized to perform this operation.", "requestParameters": { "cidrBlock": "192.168.0.0/16" }, …
    Someone tried and failed to use CreateVpc while assuming this role.
96. You Can Do a Lot With These Events. Plenty of details there, including: • Principal that attempted the call • API method and request parameters • Result: success or error (with detail) • Response. All of this is also in CloudTrail in S3, but Lambda functions can take actions. Ideas?
97. Sidebar: IAM Role for the Lambda Function
98. Sidebar: IAM Role for the Lambda Function. Managed policy "AWSLambdaBasicExecutionRole": permits writing output to CloudWatch Logs.
99. Sidebar: IAM Role for the Lambda Function. Inline policy "LambdaPublishToSNSTopic": permits publishing to your SNS topic.
100. Sidebar: IAM Role for the Lambda Function
101. Sidebar: IAM Role for the Lambda Function. The trust policy indicates that AWS Lambda can assume this IAM role:
    { "Role": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" } } ] }, … }
102. Activity: React to AWS API Events
103. Your Turn: Modify the Function Code. Try modifying the AWS Lambda function to do something more interesting! For example code that publishes to an SNS topic, see handout: lambda_function_with_publish_to_sns.js
104. Another Idea: Using CloudTrail to Audit Permissions. Least-privilege best practice: audit IAM roles and users against actual usage in CloudTrail. Does anyone have permissions that have gone unused?
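One answer to the "Ideas?" on slide 96, and a first cut at the audit suggested on slide 104, as an added example written for this page rather than the handout Lambda function: the triage logic for the "AWS API call via CloudTrail" rule is kept pure so it runs offline, the Lambda entry point uses the Node callback convention of the time, and `publish` is an injected stand-in for SNS publish (an assumption, so the block needs no AWS SDK). The read-only heuristic and the events at the bottom are constructed; the events copy only the fields from slide 95 that the code reads.

```javascript
// Added example: triage of CloudWatch Events "AWS API call via CloudTrail" payloads.

// Heuristic, not a CloudTrail field: Describe*/Get*/List* calls are treated as read-only.
function isReadOnly(eventName) {
  return /^(Describe|Get|List)/.test(eventName || "");
}

// Render the caller in a form that reads well in an alert.
function describePrincipal(userIdentity) {
  if (!userIdentity) return "unknown principal";
  if (userIdentity.type === "AssumedRole") {
    // arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION -> "assumed-role ROLE/SESSION"
    return "assumed-role " + userIdentity.arn.split(":assumed-role/")[1];
  }
  if (userIdentity.type === "Root") return "root of account " + userIdentity.accountId;
  return userIdentity.type + " " + (userIdentity.userName || userIdentity.arn);
}

// One CloudWatch Events payload in, one finding out (or null when there is nothing to say).
function triage(event) {
  const d = event.detail || {};
  const who = describePrincipal(d.userIdentity);
  const call = `${d.eventSource}:${d.eventName}`;
  if (d.errorCode) {
    return { severity: "alert", call, who,
      summary: `${who} was denied ${call} (${d.errorCode}) in ${d.awsRegion}; ` +
               `params=${JSON.stringify(d.requestParameters)}` };
  }
  if (!isReadOnly(d.eventName)) {
    return { severity: "notice", call, who, summary: `${who} performed ${call} in ${d.awsRegion}` };
  }
  return null; // successful read-only calls would only be noise
}

// Lambda entry point; `publish(message)` must return a Promise.
function makeHandler(publish) {
  return function handler(event, context, callback) {
    const finding = triage(event);
    if (!finding) return callback(null, "ignored");
    publish(`[${finding.severity}] ${finding.summary}`)
      .then(() => callback(null, finding.severity), (err) => callback(err));
  };
}

// Slide 104's idea: compare granted actions with what CloudTrail shows was actually used.
// Only successful calls count as use; a denied call shows the principal lacked the permission.
// Granted actions are explicit names here, and eventName usually (not always) equals the
// IAM action name, so treat the result as a starting point for review, not a verdict.
function unusedActions(grantedActions, records) {
  const used = new Set(records.filter((r) => !r.errorCode)
    .map((r) => r.eventSource.split(".")[0] + ":" + r.eventName));
  return grantedActions.filter((a) => !used.has(a));
}

// Constructed events shaped like slide 95 (only the fields this code reads are included).
const deniedCreateVpc = { detail: {
  userIdentity: { type: "AssumedRole", principalId: "AROAJCO64ENYICVBJQRWM:MyTestSession",
    arn: "arn:aws:sts::410436118402:assumed-role/Sec302RoleTestMe/MyTestSession" },
  eventSource: "ec2.amazonaws.com", eventName: "CreateVpc", awsRegion: "us-west-2",
  errorCode: "Client.UnauthorizedOperation",
  errorMessage: "You are not authorized to perform this operation.",
  requestParameters: { cidrBlock: "192.168.0.0/16" } } };
const okDescribeInstances = { detail: {
  userIdentity: { type: "IAMUser", userName: "sec302demo", arn: "arn:aws:iam::410436118402:user/sec302demo" },
  eventSource: "ec2.amazonaws.com", eventName: "DescribeInstances", awsRegion: "us-west-2",
  requestParameters: {} } };

const logToConsole = (message) => { console.log(message); return Promise.resolve(); };
makeHandler(logToConsole)(deniedCreateVpc, {}, (err, result) => console.log("handler result:", err || result));
console.log("unused:", unusedActions(["ec2:DescribeInstances", "ec2:CreateVpc", "dynamodb:ListTables"],
  [deniedCreateVpc.detail, okDescribeInstances.detail]));
```

To wire this to the handout's SNS topic, replace `logToConsole` with a function that calls SNS publish and returns its promise; the role from slides 98 and 99 already permits that and nothing else.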
105. VPC Security Groups: Principle of Least Privilege for Connectivity
106. Security Groups in a VPC [Diagram: VPC and the Internet (0.0.0.0/0)]
107. The Application We Are Running [Diagram: VPC with subnets in us-west-2a, us-west-2b and us-west-2c; the Internet (0.0.0.0/0); SSH security group, ALB security group and backend security group, with ALLOW arrows between them]
108. Backend Security Group [Console screenshot: inbound rule on port 8080]
109. ALB Security Group: Ingress
110. ALB Security Group: Egress [Console screenshot: outbound rule on port 8080]
111. What You Are Running [Diagram: VPC with subnets in us-west-2a, us-west-2b and us-west-2c; the Internet (0.0.0.0/0); ALB security group and backend security group]
112. Routing for Least-Privilege in a VPC [Diagram: VPC with subnets in us-west-2a, us-west-2b and us-west-2c and a route to 0.0.0.0/0]
113. Routing for Least-Privilege in a VPC [Diagram: the same VPC with private subnets in us-west-2a, us-west-2b and us-west-2c added, and access to S3 via VPC endpoints]
114. VPC Flow Logs: Troubleshooting, Auditing, Monitoring, Analysis
115. VPC Flow Logs Are in CloudWatch Logs
116. VPC Flow Logs Are in CloudWatch Logs. Each ENI has its own stream.
117. CloudWatch Logs Trigger for AWS Lambda [Diagram: VPC Flow Logs in CloudWatch Logs → AWS Lambda]
118. Trigger a Lambda Function for VPC Flow Logs
119. Trigger a Lambda Function for VPC Flow Logs
120. Trigger a Lambda Function for VPC Flow Logs
121. Trigger a Lambda Function for VPC Flow Logs
122. Trigger a Lambda Function for VPC Flow Logs [Console callouts: give it a name; the filter pattern can be left blank; choose your VPC flow log group]
123. VPC Flow Logs in CloudWatch Logs. Each ENI has its own stream.
124. Inspecting VPC Flow Logs [Callouts on a flow log record: 10.0.0.117 = me; 10.0.1.239 = ALB; port 8080 = backend port; ACCEPT]
125. Inspecting VPC Flow Logs. Who's this?
    # dig +short -x 109.236.86.32
    internetpolice.co.
    [Callouts on the record: REJECT; UDP port 53 = DNS]
126. VPC Flow Logs in Lambda (available after 10 mins):
    2016-09-24T21:53:46.264Z 5e20015f-82a1-11e6-b2ab-735d6b306893 { "messageType": "DATA_MESSAGE", "owner": "280328680831", "logGroup": "VPCFlowLogs", "logStream": "eni-18027f46-all", "subscriptionFilters": [ "myTrigger" ], "logEvents": [ { "id": "32888099581059259498575118542779913238350648463663169536", "timestamp": 1474753390000, "message": "2 280328680831 eni-18027f46 10.0.2.92 10.0.2.98 8080 32906 6 5 650 1474753390 1474753446 ACCEPT OK" }, …
127. Expected and Unexpected REJECT Packets [Diagram: VPC; REJECTed packets arriving from the Internet (0.0.0.0/0) versus REJECTs between hosts inside the VPC]
128. Lambda Function for Unexpected REJECTs. Your turn: do something interesting with VPC Flow Logs! Idea: try writing a Lambda function that notifies your SNS topic when within-VPC traffic gets REJECTed. The code in your Lambda function already unzips and pretty-prints the messages.
129. Lambda Function for Unexpected REJECTs. Handout: vpc_flow_logs_rejects.js. Simple Lambda function for notifying an SNS topic whenever a packet sent within the VPC gets rejected.
130. Wrap-up
131. Remember To Delete Resources You Created
132. [Diagram: the workshop VPC]
133. Remember to complete your evaluations!
134. Related Sessions. More About IAM: • SAC317 - IAM Best Practices to Live By • SEC311 - How to Automate Policy Validation. More About VPC: • NET201 - Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options • SEC401 - Automated Formal Reasoning About AWS Systems
135. Thank you!
