SlideShare une entreprise Scribd logo

Becoming an IAM Policy Ninja

Amazon Web Services
Amazon Web Services

by Brad Dispensa, Sr. Solutions Architect, AWS

1  sur  48
Pop-up Loft Mastering Access Control Policies Brad Dispensa, Senior Solutions Architect AWS Public Sector
Goals • Know more about securing your AWS resources • Get a deeper understanding of the policy language • Learn some tips and tricks for most frequent tasks • Keep this a lively session via demos – Amazon EC2 – AWS Lambda
Launch new Instances Demo
The Policy Language
Policy Specification Basics Amazon S3 Read-Only Access Template • JSON-formatted documents • Contain a statement (permissions) which specify: – What actions a principal can perform – Which resources can be accessed Example of an IAM user/group/role access policy { "Statement": [ { "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*" } ] }
Anatomy of a Statement { "Statement":[{ "Effect":"effect", "Principal":"principal", "Action":"action", "Resource":"arn", "Condition":{ "condition":{ "key":"value" } } } ] } Principal Action Resource Conditions Effect: Allow Principal:123456789012:user/bob Action: s3:* Resource: jeff_bucket/* Condition: Referer = example.com Effect: Deny Principal:123456789012:user/brad Action: s3:DeleteBucket Resource: jeff_bucket Condition: Referer = example.com You can have multiple statements and each statement is comprised of PARK
Principal - Examples • An entity that is allowed or denied access to a resource • These are indicated by an Amazon Resource Name (ARN) • A principal element is required for resource-based, but not IAM policies <!-- Everyone (anonymous users) --> "Principal":"AWS":"*.*" <!-- Specific account or accounts --> "Principal":{"AWS":"arn:aws:iam::123456789012:root" } "Principal":{"AWS":"123456789012"} <!-- Individual IAM user --> "Principal":"AWS":"arn:aws:iam::123456789012:user/username" <!-- Federated user (using web identity federation) --> "Principal":{"Federated":"www.amazon.com"} "Principal":{"Federated":"graph.facebook.com"} "Principal":{"Federated":"accounts.google.com"} <!-- Specific role --> "Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"} <!-- Specific service --> "Principal":{"Service":"ec2.amazonaws.com"} Replace with your account number
Action - Examples • Describes the type of access that should be allowed or denied • You can find these in the docs or use the policy editor to get a drop down list • Statements must include either an Action or NotAction element <!-- EC2 action --> "Action":"ec2:StartInstances" <!-- IAM action --> "Action":"iam:ChangePassword" <!-- S3 action --> "Action":"s3:GetObject" <!-- Specify multiple values for the Action element--> "Action":["sqs:SendMessage","sqs:ReceiveMessage"] <--Use wildcards (* or ?) as part of the action name. This would cover Create/Delete/List/Update--> "Action":"iam:*AccessKey*"
Understanding NotAction • Let’s you specify an exception to a list of actions • Can sometimes result in shorter policies than using Action and denying many actions • Example: Let’s say you want to allow everything but IAM APIs { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*", "Resource": "*" } ] } { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "*", "Resource": "*" }, { "Effect": "Deny", "Action": "iam:*", "Resource": "*" } ] } or This is not a Deny. A user could still have a separate policy that grants IAM:* If you want to prevent the user from ever being able to call IAM APIs, use an explicit deny Notice the difference?
Understanding NotAction • Lets you specify an exception to a list of actions • Can sometimes result in shorter policies than using Action and denying many actions • Example: Let’s say you want to allow everything but IAM APIs { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*", "Resource": "*" } ] } { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "NotAction": "iam:*", "Resource": "*" }, { "Effect": "Deny", "Action": "iam:*", "Resource": "*" } ] } Even more strict Grants only what you want while ensuring you’re always denying what you don’t want granted.
Resource - Examples • The object or objects that are being requested • Statements must include either a Resource or a NotResource element <-- S3 Bucket --> "Resource":"arn:aws:s3:::my_corporate_bucket/*" <-- SQS queue--> "Resource":"arn:aws:sqs:us-west-2:123456789012:queue1" <-- Multiple DynamoDB tables --> "Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table", "arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"] <-- All EC2 instances for an account in a region --> "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
Conditions • Optional criteria that must evaluate to true for the policy to evaluate as true (ex. Restrict to an IP address range) • Can contain multiple conditions • Condition keys can contain multiple values • If a single condition includes multiple values for one key, the condition is evaluated using logical OR • Multiple conditions (or multiple keys in a single condition) the conditions are evaluated using logical AND Condition Element Condition 1: Key1: Value1A Condition 2: Key3: Value3A AND AND Key2: Value2A OR Value2B OR ORKey1: Value1A Value1B Value 1C
Condition Example "Condition" : { "DateGreaterThan" : {"aws:CurrentTime" : "2016-11-13T12:00:00Z"}, "DateLessThan": {"aws:CurrentTime" : "2016-11-13T15:00:00Z"}, "IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]} } Allows a user to access a resource under the following conditions: • The time is after 12:00 p.m. on 11/13/2014 AND • The time is before 3:00 p.m. on 11/13/2014 AND • The request comes from an IP address in the 192.0.2.0 /24 OR 203.0.113.0 /24 range All of these conditions must be met in order for the statement to evaluate to TRUE AND OR What if you wanted to restrict access to a timeframe and IP address range?
Policy Variables
{ "Version": "2012-10-17", "Statement": [{ "Sid": "THISLIMITSACCESSTOOWNINSTANCES", "Effect": "Allow", "Action": [ "ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances" ], "Resource": "arn:aws:ec2:us-east-1:12345678912:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/Owner": "${aws:username}" } } }] } The Anatomy of a Policy with Variables Version is required Variable in conditions Grants a user access to a home directory in Amazon S3 that can be accessed programmatically
{ "Version": "2012-10-17", "Statement": [{ "Sid": "InvokePermission", "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": "arn:aws:lambda:us-east-1:12345678912:function:"${aws:username}" }, { "Sid": "CloudWatchLogsPerms", "Effect": "Allow", "Action": [ "cloudwatchlog:DescribeLogGroups", "cloudwatchlog:DescribeLogStreams", "cloudwatchlog:GetLogEvents" ], "Resource": "arn:aws:logs:us-east-1:12345678912:log-group:/aws/lambda/*" }] } The Anatomy of a Policy with Variables Variable in Resource Grants a user access to a home directory in Amazon S3 that can be accessed programmatically
Managing Your Policies
IAM Policies Two types of entity-based policies in IAM • Managed policies (newer way) – Can be attached to multiple users, groups, and roles – AWS managed policies (created and managed by AWS) – Customer managed policies (created and managed by you) • Up to 5K per policy • Up to 5 versions – You can attach 2 managed policies per user, group, role – You can limit who can attach managed policies • Inline policies (the older way) – You create and embed directly in a single user, group, or role – Variable policy size (2K per user, 5K per group, 10K per role)
AWS vs. Customer Managed Policies
Inline Policies Example AWS Account Group Admins User Alice User Susan Role books-app Role EC2-access Policy account-admins- mfa Policy limited-admins-mfa Policy EC2-access Policy DynamoDB-books-app Inline Policies Group LtdAdmins User Dave User Sarah Policy DynamoDB-books-app
Resource-Based Policies • IAM policies live with – IAM Users – IAM Groups – IAM Roles • Some services allow storing policy with resources – Amazon S3 (bucket policy) – Amazon Glacier (vault policy) – Amazon SNS (topic policy) – Amazon SQS (queue policy) { "Statement": { "Sid":"Queue1_SendMessage", "Effect": "Allow", "Principal": {"AWS": "111122223333"}, "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1" } } Principal required here Managed policies apply only to users, groups, and roles - not resources
Enough Already… Let’s look at some examples
But wait…Just in…today… Policy Summaries in the IAM Console Let’s check it out
Demos for 3 service: 1) EC2 2) Lambda
Time for Policy Demos with Amazon EC2: 1) Allow your developers to poke around the EC2 Console. 2) Allow your developers to start and stop their own developer machines 3) Allow your developers to launch new instances for a proof of concept.
Allow your developers to poke around the EC2 Console. { "Version": "2012-10-17", "Statement": [{ "Sid": "THISALLOWSEC2READACCESS", "Effect": "Allow", "Action": [ "ec2:Describe*", "elasticloadbalancing:Describe*", "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*", "autoscaling:Describe*" ], "Resource": "*" }] } Necessary Actions to navigate the EC2 Console
Entering…. EC2 Resource-Level Permissions
Allow your developers to start and stop their own developer machines. { "Version": "2012-10-17", "Statement": [{ "Sid": "THISLIMITSACCESSTOOWNINSTANCES", "Effect": "Allow", "Action": [ "ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances" ], "Resource": "arn:aws:ec2:us-east-1:12345678912:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/Owner": "${aws:username}" } } }] } Don’t forget: we need the read policy too! Policy Variable How does this tag get there? Let’s talk about it.
Categorize Your Amazon EC2 Resources Use tags as a resource attribute Be careful who you allow to tag your resources if you use tags for access control
Remember this? Launch new Instances Demo
Allow your developers to launch new instances for a proof of concept. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:us-east-1:028103658970:instance/*" ], "Condition": { "StringEquals": { "ec2:InstanceType": "t2.micro" } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:us-east-1:028103658970:subnet/*", "arn:aws:ec2:us-east-1:028103658970:volume/*", "arn:aws:ec2:us-east-1:028103658970:network-interface/*", "arn:aws:ec2:us-east-1:028103658970:key-pair/*", "arn:aws:ec2:us-east-1:028103658970:security-group/*", "arn:aws:ec2:us-east-1::image/ami-*" ] }] } Instance Size
Supported Amazon EC2 Actions http://docs.aws.amazon.com/AWSEC2 /latest/UserGuide/ec2-supported-iam- actions-resources.html Your best friend!
Policy Enforcement
Determining if a Request is Allowed or Denied Final decision =“deny” (explicit deny) Yes Final decision =“allow” Yes No Is there an Allow? 4 Decision starts at Deny 1 Evaluate all Applicable policies 2 Is there an explicit deny? 3 No Final decision =“deny” (default deny) 5 • AWS retrieves all policies associated with the user and resource • Only policies that match the action & conditions are evaluated • If a policy statement has a deny, it trumps all other policy statements • Access is granted if there is an explicit allow and no deny • By default, a implicit (default) deny is returned
Time for Policy Demos with Lambda: 1) Allow your developers to navigate existing Lambda functions. 2) Enable your developers to invoke a specific Lambda function.
Allow your developers to navigate existing Lambda functions. { "Version": "2012-10-17", "Statement": [{ "Sid": "DisplayFunctionDetailsPermissions", "Effect": "Allow", "Action": [ "lambda:ListVersionsByFunction", "lambda:ListFunctions", "lambda:ListAliases", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:ListEventSourceMappings", "lambda:GetPolicy", "lambda:GetAccountSettings" ], "Resource": "*" }] } Necessary Actions to navigate the Lambda Console
Entering…. Lambda Resource-Level Permissions
Enable your developers to invoke a specific Lambda function. { "Version": "2012-10-17", "Statement": [{ "Sid": "InvokePermission", "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": "arn:aws:lambda:us-east-1:028103658970:function:HelloWorld" }, { "Action": [ "logs:Describe*", "logs:Get*", "logs:TestMetricFilter", "logs:FilterLogEvents" ], "Effect": "Allow", "Resource": "*" }] } Specific resource Read the logs
Testing and Debugging
Policy Editor • Policy validation checks: – JSON errors – Policy grammar errors • Policy formatting: – On demand – Auto-formatting
Policy Simulator
Decoding the EC2 Authorization Message • The decoded message includes: – Whether the request was denied due to an explicit deny or absence of an explicit allow. – The principal who made the request. – The requested action. – The requested resource. – The values of condition keys in the context of the user's request. The message is encoded because the details of the authorization status can constitute privileged information! • Additional information about the authorization status of a request Output
Steps to Decode 1. Run the decode-authorization command aws sts decode-authorization-message --encoded-message encodedmessage Output { "DecodedMessage": "{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]}, "failures":{"items":[]},"context":{"principal":{"id":"AIDAEXAMPLEKXD 6SH2EXE","name":"Bob","arn ":"arn:aws:iam::accountid:user/Bob"},"action":"ec2:RunInstances", "resource":"arn:aws:ec2:us-east-1:accountid:key- pair/keypairid","conditions":{"items":[{"key":"ec2:Region","values":{ "items":[{"value":"us-east-1"}]}}]}}}" }
Steps to Decode 2. Remove the “DecodeMessage” Wrapper Output { "DecodedMessage": "{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]}, "failures":{"items":[]},"context":{"principal":{"id":"AIDAEXAMPLEKXD 6SH2EXE","name":"Bob","arn ":"arn:aws:iam::accountid:user/Bob"},"action":"ec2:RunInstances", "resource":"arn:aws:ec2:us-east-1:accountid:key- pair/keypairid","conditions":{"items":[{"key":"ec2:Region","values":{ "items":[{"value":"us-east-1"}]}}]}}}" }
Steps to Decode 3. Format using your favorite JSON tool 4. Now you can see what failed { "allowed": false, "explicitDeny": false, "matchedStatements": { "items": [] }, "failures": { "items": [] }, "context": { "principal": { "id": "AIDAEXAMPLEKXD6SH2EXE", "name": "Bob", "arn": "arn: aws: iam: : accountid: user/Bob" }, "action": "ec2: RunInstances", "resource": "arn: aws: ec2: us-east-1: accountid: key-pair/keypairid", "conditions": { "items": [ { "key": "ec2: Region", "values": { "items": [ { "value": "us-east-1" } ] } } ] } } }
Summary • IAM provides access control for your AWS account • The policy language authorizes that access • All applicable policies are evaluated – Users are denied access by default – Deny always trumps an allow • Use policy variables and remember the version! • Keep in mind what Amazon EC2 actions or resources are currently supported
Additional resources • Documentation • http://aws.amazon.com/documentation/iam/ • http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api- permissions.html • AWS Security Blog (blogs.aws.amazon.com/security) • http://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2- Resource-Level-Permissions – http://blogs.aws.amazon.com/security/post/Tx29ZC3VE9SQGQM/Granting-Users- Permission-to-Work-in-the-Amazon-EC2-Console • http://aws.amazon.com/iam • https://forums.aws.amazon.com/forum.jspa?forumID=76 • Twitter: @AWSIdentity • brigidj@amazon.com
Pop-up Loft aws.amazon.com/activate Everything and Anything Startups Need to Get Started on AWS

Recommandé

Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best Practices
Amazon Web Services
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
Mike Felch
 
GuardDuty Hands-on Lab
GuardDuty Hands-on LabGuardDuty Hands-on Lab
GuardDuty Hands-on Lab
Amazon Web Services
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM Introduction
Amazon Web Services
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets Manager
Amazon Web Services
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAM
Knoldus Inc.
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 

Recommandé

Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best Practices
Amazon Web Services
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
Mike Felch
 
GuardDuty Hands-on Lab
GuardDuty Hands-on LabGuardDuty Hands-on Lab
GuardDuty Hands-on Lab
Amazon Web Services
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM Introduction
Amazon Web Services
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets Manager
Amazon Web Services
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAM
Knoldus Inc.
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
Introduction to AWS Organizations
Introduction to AWS OrganizationsIntroduction to AWS Organizations
Introduction to AWS Organizations
Amazon Web Services
 
IAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsIAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with Conditions
Bryant Poush
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets Manager
Amazon Web Services
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)
Amazon Web Services
 
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Amazon Web Services
 
Deep Dive on Amazon S3 Security and Management (E2471STG303-R1) - AWS re:Inve...
Deep Dive on Amazon S3 Security and Management (E2471STG303-R1) - AWS re:Inve...Deep Dive on Amazon S3 Security and Management (E2471STG303-R1) - AWS re:Inve...
Deep Dive on Amazon S3 Security and Management (E2471STG303-R1) - AWS re:Inve...
Amazon Web Services
 
AWS Cloud trail
AWS Cloud trailAWS Cloud trail
AWS Cloud trail
zekeLabs Technologies
 
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
Edureka!
 
How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...
Amazon Web Services
 
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
Amazon Web Services
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
Lukas Weichselbaum
 
Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets Manager
Amazon Web Services
 
Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나
Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나
Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나
Amazon Web Services Korea
 
A Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptxA Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptx
saurabhpandey251355
 
AWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionAWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc Version
Ernest Chiang
 
Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Route 53 - Webinar Presentation 9.16.2015Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
Amazon Web Services
 
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
Amazon Web Services
 
Day 5 - AWS Autoscaling Master Class - The New Capacity Plan
Day 5 - AWS Autoscaling Master Class - The New Capacity PlanDay 5 - AWS Autoscaling Master Class - The New Capacity Plan
Day 5 - AWS Autoscaling Master Class - The New Capacity Plan
Amazon Web Services
 
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Amazon Web Services
 
Mastering Access Control Policies
Mastering Access Control PoliciesMastering Access Control Policies
Mastering Access Control Policies
Amazon Web Services
 

Contenu connexe

Tendances

Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets Manager
Amazon Web Services
 
Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Route 53 - Webinar Presentation 9.16.2015Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Web Services
 
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
Amazon Web Services
 
Day 5 - AWS Autoscaling Master Class - The New Capacity Plan
Day 5 - AWS Autoscaling Master Class - The New Capacity PlanDay 5 - AWS Autoscaling Master Class - The New Capacity Plan
Day 5 - AWS Autoscaling Master Class - The New Capacity Plan
Amazon Web Services
 

Tendances (20)

Introduction to AWS Organizations
Introduction to AWS OrganizationsIntroduction to AWS Organizations
Introduction to AWS Organizations
 
IAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with ConditionsIAM Deep Dive - Custom IAM Policies with Conditions
IAM Deep Dive - Custom IAM Policies with Conditions
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets Manager
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)
 
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
 
Deep Dive on Amazon S3 Security and Management (E2471STG303-R1) - AWS re:Inve...
Deep Dive on Amazon S3 Security and Management (E2471STG303-R1) - AWS re:Inve...Deep Dive on Amazon S3 Security and Management (E2471STG303-R1) - AWS re:Inve...
Deep Dive on Amazon S3 Security and Management (E2471STG303-R1) - AWS re:Inve...
 
AWS Cloud trail
AWS Cloud trailAWS Cloud trail
AWS Cloud trail
 
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
 
How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...
 
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
AWS Secrets Manager: Best Practices for Managing, Retrieving, and Rotating Se...
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
 
Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets Manager
 
Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나
Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나
Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나
 
A Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptxA Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptx
 
AWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionAWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc Version
 
Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Route 53 - Webinar Presentation 9.16.2015Amazon Route 53 - Webinar Presentation 9.16.2015
Amazon Route 53 - Webinar Presentation 9.16.2015
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
 
Day 5 - AWS Autoscaling Master Class - The New Capacity Plan
Day 5 - AWS Autoscaling Master Class - The New Capacity PlanDay 5 - AWS Autoscaling Master Class - The New Capacity Plan
Day 5 - AWS Autoscaling Master Class - The New Capacity Plan
 

Similaire à Becoming an IAM Policy Ninja

Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Amazon Web Services
 
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
Amazon Web Services
 
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsSEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
Amazon Web Services
 
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsSEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
Amazon Web Services
 
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsSEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
Amazon Web Services
 
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Amazon Web Services
 
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
Amazon Web Services
 

Similaire à Becoming an IAM Policy Ninja (20)

Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017
 
Mastering Access Control Policies
Mastering Access Control PoliciesMastering Access Control Policies
Mastering Access Control Policies
 
Policy Ninja
Policy NinjaPolicy Ninja
Policy Ninja
 
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
 
Windsor AWS UG Deep dive IAM 2 - no json101
Windsor AWS UG Deep dive IAM 2 - no json101Windsor AWS UG Deep dive IAM 2 - no json101
Windsor AWS UG Deep dive IAM 2 - no json101
 
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsSEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
 
SID314_IAM Policy Ninja
SID314_IAM Policy NinjaSID314_IAM Policy Ninja
SID314_IAM Policy Ninja
 
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsSEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
 
Identify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS SecurityIdentify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS Security
 
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsSEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
 
Policy Ninja
Policy NinjaPolicy Ninja
Policy Ninja
 
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
 
Mastering Access Control Policies (SEC302) | AWS re:Invent 2013
Mastering Access Control Policies (SEC302) | AWS re:Invent 2013Mastering Access Control Policies (SEC302) | AWS re:Invent 2013
Mastering Access Control Policies (SEC302) | AWS re:Invent 2013
 
Masting Access Control Policies
Masting Access Control PoliciesMasting Access Control Policies
Masting Access Control Policies
 
Become an IAM Policy Ninja
Become an IAM Policy NinjaBecome an IAM Policy Ninja
Become an IAM Policy Ninja
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended Practices
 
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
 
AWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on aws
AWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on awsAWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on aws
AWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on aws
 
How to Become an IAM Policy Ninja
How to Become an IAM Policy NinjaHow to Become an IAM Policy Ninja
How to Become an IAM Policy Ninja
 
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
 

Plus de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

Plus de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Becoming an IAM Policy Ninja

  • 1. Pop-up Loft Mastering Access Control Policies Brad Dispensa, Senior Solutions Architect AWS Public Sector
  • 2. Goals • Know more about securing your AWS resources • Get a deeper understanding of the policy language • Learn some tips and tricks for most frequent tasks • Keep this a lively session via demos – Amazon EC2 – AWS Lambda
  • 5. Policy Specification Basics Amazon S3 Read-Only Access Template • JSON-formatted documents • Contain a statement (permissions) which specify: – What actions a principal can perform – Which resources can be accessed Example of an IAM user/group/role access policy { "Statement": [ { "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*" } ] }
  • 6. Anatomy of a Statement { "Statement":[{ "Effect":"effect", "Principal":"principal", "Action":"action", "Resource":"arn", "Condition":{ "condition":{ "key":"value" } } } ] } Principal Action Resource Conditions Effect: Allow Principal:123456789012:user/bob Action: s3:* Resource: jeff_bucket/* Condition: Referer = example.com Effect: Deny Principal:123456789012:user/brad Action: s3:DeleteBucket Resource: jeff_bucket Condition: Referer = example.com You can have multiple statements and each statement is comprised of PARK
  • 7. Principal - Examples • An entity that is allowed or denied access to a resource • These are indicated by an Amazon Resource Name (ARN) • A principal element is required for resource-based, but not IAM policies <!-- Everyone (anonymous users) --> "Principal":"AWS":"*.*" <!-- Specific account or accounts --> "Principal":{"AWS":"arn:aws:iam::123456789012:root" } "Principal":{"AWS":"123456789012"} <!-- Individual IAM user --> "Principal":"AWS":"arn:aws:iam::123456789012:user/username" <!-- Federated user (using web identity federation) --> "Principal":{"Federated":"www.amazon.com"} "Principal":{"Federated":"graph.facebook.com"} "Principal":{"Federated":"accounts.google.com"} <!-- Specific role --> "Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"} <!-- Specific service --> "Principal":{"Service":"ec2.amazonaws.com"} Replace with your account number
  • 8. Action - Examples • Describes the type of access that should be allowed or denied • You can find these in the docs or use the policy editor to get a drop down list • Statements must include either an Action or NotAction element <!-- EC2 action --> "Action":"ec2:StartInstances" <!-- IAM action --> "Action":"iam:ChangePassword" <!-- S3 action --> "Action":"s3:GetObject" <!-- Specify multiple values for the Action element--> "Action":["sqs:SendMessage","sqs:ReceiveMessage"] <--Use wildcards (* or ?) as part of the action name. This would cover Create/Delete/List/Update--> "Action":"iam:*AccessKey*"
  • 9. Understanding NotAction • Let’s you specify an exception to a list of actions • Can sometimes result in shorter policies than using Action and denying many actions • Example: Let’s say you want to allow everything but IAM APIs { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*", "Resource": "*" } ] } { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "*", "Resource": "*" }, { "Effect": "Deny", "Action": "iam:*", "Resource": "*" } ] } or This is not a Deny. A user could still have a separate policy that grants IAM:* If you want to prevent the user from ever being able to call IAM APIs, use an explicit deny Notice the difference?
  • 10. Understanding NotAction • Lets you specify an exception to a list of actions • Can sometimes result in shorter policies than using Action and denying many actions • Example: Let’s say you want to allow everything but IAM APIs { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*", "Resource": "*" } ] } { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "NotAction": "iam:*", "Resource": "*" }, { "Effect": "Deny", "Action": "iam:*", "Resource": "*" } ] } Even more strict Grants only what you want while ensuring you’re always denying what you don’t want granted.
  • 11. Resource - Examples • The object or objects that are being requested • Statements must include either a Resource or a NotResource element <-- S3 Bucket --> "Resource":"arn:aws:s3:::my_corporate_bucket/*" <-- SQS queue--> "Resource":"arn:aws:sqs:us-west-2:123456789012:queue1" <-- Multiple DynamoDB tables --> "Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table", "arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"] <-- All EC2 instances for an account in a region --> "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
  • 12. Conditions • Optional criteria that must evaluate to true for the policy to evaluate as true (ex. Restrict to an IP address range) • Can contain multiple conditions • Condition keys can contain multiple values • If a single condition includes multiple values for one key, the condition is evaluated using logical OR • Multiple conditions (or multiple keys in a single condition) the conditions are evaluated using logical AND Condition Element Condition 1: Key1: Value1A Condition 2: Key3: Value3A AND AND Key2: Value2A OR Value2B OR ORKey1: Value1A Value1B Value 1C
  • 13. Condition Example "Condition" : { "DateGreaterThan" : {"aws:CurrentTime" : "2016-11-13T12:00:00Z"}, "DateLessThan": {"aws:CurrentTime" : "2016-11-13T15:00:00Z"}, "IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]} } Allows a user to access a resource under the following conditions: • The time is after 12:00 p.m. on 11/13/2014 AND • The time is before 3:00 p.m. on 11/13/2014 AND • The request comes from an IP address in the 192.0.2.0 /24 OR 203.0.113.0 /24 range All of these conditions must be met in order for the statement to evaluate to TRUE AND OR What if you wanted to restrict access to a timeframe and IP address range?
  • 15. { "Version": "2012-10-17", "Statement": [{ "Sid": "THISLIMITSACCESSTOOWNINSTANCES", "Effect": "Allow", "Action": [ "ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances" ], "Resource": "arn:aws:ec2:us-east-1:12345678912:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/Owner": "${aws:username}" } } }] } The Anatomy of a Policy with Variables Version is required Variable in conditions Grants a user access to a home directory in Amazon S3 that can be accessed programmatically
  • 16. { "Version": "2012-10-17", "Statement": [{ "Sid": "InvokePermission", "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": "arn:aws:lambda:us-east-1:12345678912:function:"${aws:username}" }, { "Sid": "CloudWatchLogsPerms", "Effect": "Allow", "Action": [ "cloudwatchlog:DescribeLogGroups", "cloudwatchlog:DescribeLogStreams", "cloudwatchlog:GetLogEvents" ], "Resource": "arn:aws:logs:us-east-1:12345678912:log-group:/aws/lambda/*" }] } The Anatomy of a Policy with Variables Variable in Resource Grants a user access to a home directory in Amazon S3 that can be accessed programmatically
  • 18. IAM Policies Two types of entity-based policies in IAM • Managed policies (newer way) – Can be attached to multiple users, groups, and roles – AWS managed policies (created and managed by AWS) – Customer managed policies (created and managed by you) • Up to 5K per policy • Up to 5 versions – You can attach 2 managed policies per user, group, role – You can limit who can attach managed policies • Inline policies (the older way) – You create and embed directly in a single user, group, or role – Variable policy size (2K per user, 5K per group, 10K per role)
  • 19. AWS vs. Customer Managed Policies
  • 20. Inline Policies Example AWS Account Group Admins User Alice User Susan Role books-app Role EC2-access Policy account-admins- mfa Policy limited-admins-mfa Policy EC2-access Policy DynamoDB-books-app Inline Policies Group LtdAdmins User Dave User Sarah Policy DynamoDB-books-app
  • 21. Resource-Based Policies • IAM policies live with – IAM Users – IAM Groups – IAM Roles • Some services allow storing policy with resources – Amazon S3 (bucket policy) – Amazon Glacier (vault policy) – Amazon SNS (topic policy) – Amazon SQS (queue policy) { "Statement": { "Sid":"Queue1_SendMessage", "Effect": "Allow", "Principal": {"AWS": "111122223333"}, "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1" } } Principal required here Managed policies apply only to users, groups, and roles - not resources
  • 22. Enough Already… Let’s look at some examples
  • 23. But wait…Just in…today… Policy Summaries in the IAM Console Let’s check it out
  • 24. Demos for 3 service: 1) EC2 2) Lambda
  • 25. Time for Policy Demos with Amazon EC2: 1) Allow your developers to poke around the EC2 Console. 2) Allow your developers to start and stop their own developer machines 3) Allow your developers to launch new instances for a proof of concept.
  • 26. Allow your developers to poke around the EC2 Console. { "Version": "2012-10-17", "Statement": [{ "Sid": "THISALLOWSEC2READACCESS", "Effect": "Allow", "Action": [ "ec2:Describe*", "elasticloadbalancing:Describe*", "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*", "autoscaling:Describe*" ], "Resource": "*" }] } Necessary Actions to navigate the EC2 Console
  • 28. Allow your developers to start and stop their own developer machines. { "Version": "2012-10-17", "Statement": [{ "Sid": "THISLIMITSACCESSTOOWNINSTANCES", "Effect": "Allow", "Action": [ "ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances" ], "Resource": "arn:aws:ec2:us-east-1:12345678912:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/Owner": "${aws:username}" } } }] } Don’t forget: we need the read policy too! Policy Variable How does this tag get there? Let’s talk about it.
  • 29. Categorize Your Amazon EC2 Resources Use tags as a resource attribute Be careful who you allow to tag your resources if you use tags for access control
  • 30. Remember this? Launch new Instances Demo
  • 31. Allow your developers to launch new instances for a proof of concept. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:us-east-1:028103658970:instance/*" ], "Condition": { "StringEquals": { "ec2:InstanceType": "t2.micro" } } }, { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:us-east-1:028103658970:subnet/*", "arn:aws:ec2:us-east-1:028103658970:volume/*", "arn:aws:ec2:us-east-1:028103658970:network-interface/*", "arn:aws:ec2:us-east-1:028103658970:key-pair/*", "arn:aws:ec2:us-east-1:028103658970:security-group/*", "arn:aws:ec2:us-east-1::image/ami-*" ] }] } Instance Size
  • 32. Supported Amazon EC2 Actions http://docs.aws.amazon.com/AWSEC2 /latest/UserGuide/ec2-supported-iam- actions-resources.html Your best friend!
  • 34. Determining if a Request is Allowed or Denied Final decision =“deny” (explicit deny) Yes Final decision =“allow” Yes No Is there an Allow? 4 Decision starts at Deny 1 Evaluate all Applicable policies 2 Is there an explicit deny? 3 No Final decision =“deny” (default deny) 5 • AWS retrieves all policies associated with the user and resource • Only policies that match the action & conditions are evaluated • If a policy statement has a deny, it trumps all other policy statements • Access is granted if there is an explicit allow and no deny • By default, a implicit (default) deny is returned
  • 35. Time for Policy Demos with Lambda: 1) Allow your developers to navigate existing Lambda functions. 2) Enable your developers to invoke a specific Lambda function.
  • 36. Allow your developers to navigate existing Lambda functions. { "Version": "2012-10-17", "Statement": [{ "Sid": "DisplayFunctionDetailsPermissions", "Effect": "Allow", "Action": [ "lambda:ListVersionsByFunction", "lambda:ListFunctions", "lambda:ListAliases", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:ListEventSourceMappings", "lambda:GetPolicy", "lambda:GetAccountSettings" ], "Resource": "*" }] } Necessary Actions to navigate the Lambda Console
  • 38. Enable your developers to invoke a specific Lambda function. { "Version": "2012-10-17", "Statement": [{ "Sid": "InvokePermission", "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": "arn:aws:lambda:us-east-1:028103658970:function:HelloWorld" }, { "Action": [ "logs:Describe*", "logs:Get*", "logs:TestMetricFilter", "logs:FilterLogEvents" ], "Effect": "Allow", "Resource": "*" }] } Specific resource Read the logs
  • 40. Policy Editor • Policy validation checks: – JSON errors – Policy grammar errors • Policy formatting: – On demand – Auto-formatting
  • 42. Decoding the EC2 Authorization Message • The decoded message includes: – Whether the request was denied due to an explicit deny or absence of an explicit allow. – The principal who made the request. – The requested action. – The requested resource. – The values of condition keys in the context of the user's request. The message is encoded because the details of the authorization status can constitute privileged information! • Additional information about the authorization status of a request Output
  • 43. Steps to Decode 1. Run the decode-authorization command aws sts decode-authorization-message --encoded-message encodedmessage Output { "DecodedMessage": "{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]}, "failures":{"items":[]},"context":{"principal":{"id":"AIDAEXAMPLEKXD 6SH2EXE","name":"Bob","arn ":"arn:aws:iam::accountid:user/Bob"},"action":"ec2:RunInstances", "resource":"arn:aws:ec2:us-east-1:accountid:key- pair/keypairid","conditions":{"items":[{"key":"ec2:Region","values":{ "items":[{"value":"us-east-1"}]}}]}}}" }
  • 44. Steps to Decode 2. Remove the “DecodeMessage” Wrapper Output { "DecodedMessage": "{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]}, "failures":{"items":[]},"context":{"principal":{"id":"AIDAEXAMPLEKXD 6SH2EXE","name":"Bob","arn ":"arn:aws:iam::accountid:user/Bob"},"action":"ec2:RunInstances", "resource":"arn:aws:ec2:us-east-1:accountid:key- pair/keypairid","conditions":{"items":[{"key":"ec2:Region","values":{ "items":[{"value":"us-east-1"}]}}]}}}" }
  • 45. Steps to Decode 3. Format using your favorite JSON tool 4. Now you can see what failed { "allowed": false, "explicitDeny": false, "matchedStatements": { "items": [] }, "failures": { "items": [] }, "context": { "principal": { "id": "AIDAEXAMPLEKXD6SH2EXE", "name": "Bob", "arn": "arn: aws: iam: : accountid: user/Bob" }, "action": "ec2: RunInstances", "resource": "arn: aws: ec2: us-east-1: accountid: key-pair/keypairid", "conditions": { "items": [ { "key": "ec2: Region", "values": { "items": [ { "value": "us-east-1" } ] } } ] } } }
  • 46. Summary • IAM provides access control for your AWS account • The policy language authorizes that access • All applicable policies are evaluated – Users are denied access by default – Deny always trumps an allow • Use policy variables and remember the version! • Keep in mind what Amazon EC2 actions or resources are currently supported
  • 47. Additional resources • Documentation • http://aws.amazon.com/documentation/iam/ • http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api- permissions.html • AWS Security Blog (blogs.aws.amazon.com/security) • http://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2- Resource-Level-Permissions – http://blogs.aws.amazon.com/security/post/Tx29ZC3VE9SQGQM/Granting-Users- Permission-to-Work-in-the-Amazon-EC2-Console • http://aws.amazon.com/iam • https://forums.aws.amazon.com/forum.jspa?forumID=76 • Twitter: @AWSIdentity • brigidj@amazon.com
  • 48. Pop-up Loft aws.amazon.com/activate Everything and Anything Startups Need to Get Started on AWS