Ever wondered how to help secure your AWS environment? This session explains a series of best practices that help you do just that with AWS Identity and Access Management (IAM). We discuss how to create great access policies; manage security credentials (access keys, password, multi-factor authentication (MFA) devices, etc.); how to set up least privilege; how to minimize the use of your root account, and much, much more.

1. November 12, 2014 | Las Vegas, NV

6. Oops, looks
like a 0-based
code error


7. 0. Users
Create individual users

8. Benefits How to get started

9. 1. Permissions
Grant least privilege

10. Benefits How to get started
IMPORTANT NOTE: Permissions do not apply to root!

11. 2. Groups
Manage permissions with groups

12. Benefits How to get started

13. 3. Conditions
Restrict privileged access further with conditions

14. Benefits How to get started

15. {
"Statement":[{
"Effect":"Allow",
"Action":["ec2:TerminateInstances"],
"Resource":["*"],
"Condition":{
"Null":{"aws:MultiFactorAuthAge":"false"}
}
}
]
}
Enables a user to terminate EC2 instances only
if the user has authenticated with their MFA
device.
MFA
{
"Statement":[{
"Effect":"Allow",
"Action":"iam:*AccessKey*",
"Resource”:"arn:aws:iam::123456789012:user/*",
"Condition":{
"Bool":{"aws:SecureTransport":"true"}
}
}
]
}
Enables a user to manage access keys for all
IAM users only if the user is coming over SSL.
SSL
{
"Statement":[{
"Effect":"Allow",
"Action":["ec2:TerminateInstances“],
"Resource":["*“],
"Condition":{
"IpAddress":{"aws:SourceIP":"192.168.176.0/24"}
}
}
]
}
Enables a user to terminate EC2 instances only if the
user is accessing Amazon EC2 from the 192.168.176.0/24
address range.
SourceIP
{
"Statement":[{
"Effect": "Allow",
"Action":"ec2:TerminateInstances",
"Resource": "*",
"Condition":{
"StringEquals":{"ec2:ResourceTag/Environment":"Dev"}
}
}
]
}
Enables a user to terminate EC2 instances only if the
instance is tagged with “Environment=Dev”.
Tags
{ "Sid": "ThisBitGrantsAccessToResourcesForTerminateInstances", "Effect": "Allow", "Action":"ec2:TerminateInstances", "Resource": "*", "Condition": { "StringEquals": {"ec2:ResourceTag/Environment":
{ "Sid": "ThisBitGrantsAccessToResourcesForTerminateInstances", "Effect": "Allow", "Action":"ec2:TerminateInstances", "Resource": "*", "Condition": { "StringEquals": {"ec2:ResourceTag/Environment
{ "Sid": "ThisBitGrantsAccessToResourcesForTerminateInstances", "Effect": "Allow", "Action":"ec2:TerminateInstances", "Resource": "*", "Condition": { "StringEquals": {"ec2:ResourceTag/Environme

16. 4. Auditing
EnableAWS CloudTrail to get logs ofAPI calls

17. 4. Enable AWS CloudTrail to get logs of API calls
Benefits
• Visibility into your user activity
by recording AWS API calls to
an Amazon S3 bucket
How to get started
• Set up an Amazon S3
bucket
• Enable AWS CloudTrail
Ensure the services you want are integrated with AWS CloudTrail

18. Manage Users and Permissions

19. 5. Passwords
Configure a strong password policy

20. Benefits How to get started
IMPORTANT NOTE: Password policy does not apply to root!

21. 6. Rotation
Rotate (or delete) security credentials regularly

22. Benefits How to get started

23. (enable password rotation sample policy)
Password
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "iam:ChangePassword",
"Resource":
"arn:aws:iam::123456789012:user/${aws:username}"
}
]
}
Enforcing a password policy will automatically enable
IAM users to manage their passwords
Note the use of
a policy
variable

24. (enable access key rotation sample policy)
Access Keys
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"],
"Resource":
"arn:aws:iam::123456789012:user/${aws:username}"
}
]
}

25. (enable access key rotation sample policy)
Access Keys
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"],
"Resource":
"arn:aws:iam::123456789012:
user/${aws:username}"
}
]
}
1. While the first set of credentials is still
active, create a second set of
credentials, which will also be active
by default.
2. Update all applications to use the
new credentials.
3. Change the state of the first set of
credentials to Inactive.
4. Using only the new credentials,
confirm that your applications are
working well.
5. Delete the first set of credentials.
Steps to rotate access keys

26. 7. MFA
Enable multi-factor authentication for privileged users

27. Benefits How to get started

28. 8. Sharing
Use IAM roles to share access

29. Benefits How to get started
ExternalID
IMPORTANT NOTE: Never share credentials.

30. prod@example.com
Acct ID: 111122223333
ddb-role
{ "Statement": [
{
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:DescribeTable",
"dynamodb:ListTables"
],
"Effect": "Allow",
"Resource": "*"
}]}
dev@example.com
Acct ID: 123456789012
Authenticate with
Jeff access keys
Get temporary
security credentials
for ddb-role
Call AWS APIs
using temporary
security credentials
of ddb-role
{ "Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource":
"arn:aws:iam::111122223333:role/ddb-role"
}]}
{ "Statement": [
{
"Effect":"Allow",
"Principal":{"AWS":"123456789012"},
"Action":"sts:AssumeRole"
}]}
ddb-role trusts IAM users from the AWS account
dev@example.com (123456789012)
Permissions assigned to Jeff granting him permission
to assume ddb-role in account B
IAM user: Jeff
Permissions assigned
to ddb-role
STS
External access
User
Login With Amazon
Google
Facebook
Open ID Connect
SAML
Authenticate with
Users tokens

31. 9. Roles
Use IAM roles for Amazon EC2 instances

32. Benefits How to get started

33. Manage Credentials

34. 10. Root
Reduce or remove use of root

35. Benefits How to get started

36. 0. Users
1. Permissions
2. Groups
3. Conditions
4. Auditing

37. 0. Users
1. Permissions
2. Groups
3. Conditions
4. Auditing

38. 5. Passwords
6. Rotation
7. MFA
8. Sharing
9. Roles

39. 10.Root

40. http://aws.amazon.com/iam
https://forums.aws.amazon.com/forum.jspa?forumID=76
http://aws.amazon.com/documentation/iam/
http://blogs.aws.amazon.com/security
http://aws.amazon.com/cloudtrail/
@AWSIdentity

41. Session When Where
SEC302 – Delegating Access to your AWS
Environment
Wednesday 11/12, 2.15pm Palazzo J
SEC304 – Bring Your Own Identities – Federating
Access to your AWS Environment
Wednesday 11/12, 4.30pm Palazzo J
SEC303 – Mastering Access Control Policies Thursday 11/13, 3.15pm Palazzo J
SEC306 – Turn on CloudTrail. Log API Activity in
your AWS account
Thursday 11/13, 3.15pm Lando 4305
MBL401 – Social Logins for Mobile Apps with
Amazon Cognito
Thursday 11/13, 3.15pm Palazzo B

42. Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals