1. Control your Cloud Infrastructure: AWS IAM
✍️ Identities that can make AWS calls
✍️ How to read and write IAM policy
2. Control your Data: AWS KMS
✍️ How AWS KMS integrates with AWS services
✍️ How to authorize access to AWS KMS keys
3. Control your Network: Amazon VPC ⛅️
✍️ How to get least-privilege connectivity
✍️ How to use your network as a security perimeter
2. Learn a few patterns, secure everything in AWS
Data encryption
AWS Key Management Service
(AWS KMS)
Network security controls
Amazon Virtual Private Cloud
(Amazon VPC)
Permissions management
AWS Identity and Access Management
(AWS IAM)
3. Agenda
A Builder-focused introduction to AWS Security Controls
• Control your Cloud Infrastructure: AWS IAM
• Control your Data: AWS KMS
• Control your Network: Amazon VPC
You will leave this session
with the foundation you need to secure an AWS environment 🛠⛅️🚀
6. Everything to know about IAM
• What it is
• I = Authentication (support for human and application caller Identities)
• AM = Authorization (powerful, flexible permissions language for controlling
access to cloud resources)
• Why it matters to you: Every AWS service uses IAM to
authenticate and authorize API calls
• What builders need to know
• How to make authenticated API calls to AWS from IAM identities
• Basic fluency in IAM policy language
• Where to find and how to understand service-specific authorization control details
7. AWS identities for human callers: IAM users
AWS account
IAM user
Long-term security
credential
8. AWS identities for human callers: Federated Identities
AWS account
IAM role
Administrator
IAM role
Developer
Temporary security
credentials
10. Amazon Comprehend AWS SMS
Amazon Lex
AWS AppSync
AWS Config
Amazon Connect
Amazon EMR
Amazon ECS Amazon ML
DMS Amazon SageMaker
Creating a role in the AWS Management Console
11. How an Authentication works in AWS
Caller IAM role
AWS Services
(e.g., Amazon S3)
AWS Management
Console
AWS Command
Line Interface
(AWS CLI)
AWS Tools
and SDKs
via
API request signed
with secret key
13. Reading and writing IAM policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": "*"
}
]
}
Allowed to take all
Amazon DynamoDB actions
14. Reading and writing IAM policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:GetItem",
"dynamodb:Query"
],
"Resource": "*"
}
]
}
Allowed to take only a few
specific DynamoDB actions
15. Reading and writing IAM policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:GetItem",
"dynamodb:Query",
],
"Resource": [
"arn:aws:dynamodb:ap-southeast-1:111122223333:table/MyTableName",
"arn:aws:dynamodb:ap-southeast-1:111122223333:table/MyTableName/index/*"
]
}
]
}
Allowed to take specific DynamoDB actions
on a specific table and its indexes
16. S S
Reading and writing IAM policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "*",
"Condition": {
"StringEquals": {
"secretsmanager:ResourceTag/Project": "${aws:PrincipalTag/Project}"
}
}
}
]
}
You can read secrets whose
project tag matches your own
Red Blue
18. IAM in an AWS enterprise environment
AWS Cloud
Account
Account
Account
Account
19. Working across AWS account boundaries
Account 111122223333 Account 444455556666
Caller IAM role
Caller IAM policy
Target S3 bucket
other-account-bucket
20. Working across AWS account boundaries
S3 bucket
policy
Account 111122223333
Caller IAM role
Account 444455556666
Target S3 bucket
other-account-bucket
Caller IAM policy
21. Working across AWS account boundaries
Target DynamoDB Table
MyTable
Account 111122223333 Account 444455556666
Caller IAM role
22. Working across AWS account boundaries
Target DynamoDB table
MyTable
Cross-account
access IAM role
Account 111122223333 Account 444455556666
Caller IAM role
23. Working across AWS account boundaries
Target DynamoDB table
MyTable
Cross-account
access IAM role
Account 111122223333 Account 444455556666
Caller IAM role
24. Working across AWS account boundaries
Target DynamoDB table
MyTable
Cross-account
access IAM role
Account 111122223333 Account 444455556666
Caller IAM role
25. Organizational unit (OU) Organizational unit (OU)
Managing multi-account environments with
AWS Organizations
AWS Cloud
Account Account Account
Account
AWS organization
26. Organizational unit (OU) Organizational unit (OU)
AWS Cloud
Account Account Account
Account
AWS organization
Managing multi-account environments with
AWS Organizations
AWS Single Sign-On
27. Organizations provides Guardrails for IAM
Organizational unit (OU) Organizational unit (OU)
AWS Cloud
Account Account Account
Account
AWS organization
30. Everything to know about AWS KMS
• What it is: AWS-managed encryption/decryption service
• Why it matters to you: Many data-handling AWS services offer simple
AWS KMS integrations; if you know how to use AWS KMS, you can
protect your data at rest simply with no management overhead
• What builders need to know
• The basics of how to use an AWS KMS key
• Familiarity with the AWS KMS integrations offered by many AWS data-handling services
• How to use IAM to control access to keys
32. The mechanics of an AWS KMS key
For encrypting individual pieces of data (<=4KB)
• KMS.Encrypt(“hello world”) AQICAHiwKPHZcwiIv….
• KMS.Decrypt(“AQICAHiwKPHZcwiIv….”) “hello world”
For encrypting application data, use envelope encryption
• KMS.GenerateDataKey symmetric data key (plaintext and encrypted)
• Use plaintext data key to encrypt your data, then discard
• Store encrypted data key alongside your data
• To decrypt
• KMS.Decrypt(encryptedDataKey) plaintextDataKey
• Then, decrypt the data with the plaintext symmetric key
AWS KMS key
EncryptedDataKey
AQIDAHiwKPHZcwiIv+V4760rokzKMlVWo0M9O2D5yV
e3tqrBtwGBaaY6AwTrEcsjY0gTN8J8AAAAfjB8Bgk…
EncryptedPayload
AQICAHiwKPHZcwiIv+V4760rokzKMlVWo0M9O2D5yV
e3tqrBtwGEZdK9s3SxlUE11PSPSadGAAAAaTBnBgk…
33.
34. Encrypting the easy way with AWS Service Integrations
Amazon S3-Managed Keys manages
the encryption key
35. Encrypting the easy way with AWS Service Integrations
An AWS KMS key in your account is used for
encryption: Customer-Managed Key (CMK)
36. IAM permissions for AWS KMS keys
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
37. IAM permissions for AWS KMS keys
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
41. Everything to know about Amazon VPC
• What it is: “Your virtual data center in the cloud”
(i.e., the network for your cloud infrastructure)
• Why it matters to you: When you deploy cloud infrastructure,
your VPC is the network that provides connectivity to and from
that infrastructure
• What builders need to know
• VPC core concepts: Subnets and security groups
• Routing basics in VPC
• Private connectivity capabilities
42. What a VPC is and what goes in it
Region (e.g., ap-southeast-1)
43. What a VPC is and what goes in it
Region (e.g., ap-southeast-1)
Availability Zone: ap-southeast-1a Availability Zone: ap-southeast-1b Availability Zone: ap-southeast-1c
44. What a VPC is and what goes in it
Region (e.g., ap-southeast-1)
Availability Zone: ap-southeast-1a Availability Zone: ap-southeast-1b Availability Zone: ap-southeast-1c
VPC: 10.0.0.0/16
45. What a VPC is and what goes in it
Region (e.g., ap-southeast-1)
Availability Zone: ap-southeast-1a Availability Zone: ap-southeast-1b Availability Zone: ap-southeast-1c
VPC: 10.0.0.0/16
Public subnet: 10.0.0.0/24
Private subnet: 10.0.50.0/24
Public subnet: 10.0.1.0/24
Private subnet: 10.0.51.0/24
Public subnet: 10.0.2.0/24
Private subnet: 10.0.52.0/24
46. What a VPC is and what goes in it
Region (e.g., ap-southeast-1)
Availability Zone: ap-southeast-1a Availability Zone: ap-southeast-1b Availability Zone: ap-southeast-1c
VPC: 10.0.0.0/16
Public subnet: 10.0.0.0/24
Private subnet: 10.0.50.0/24
Public subnet: 10.0.1.0/24
Private subnet: 10.0.51.0/24
Public subnet: 10.0.2.0/24
Private subnet: 10.0.52.0/24
EC2 instances EC2 instances EC2 instances
Amazon RDS Amazon RDS
47. If you understand nothing else about VPC . . .
EC2 instances EC2 instances EC2 instances
VPC: 10.0.0.0/16
Security group
Security group
Security group
. . . understand security groups
Region (e.g., ap-southeast-1)
Availability Zone: ap-southeast-1a Availability Zone: ap-southeast-1b Availability Zone: ap-southeast-1c
Amazon RDS Amazon RDS
48. If you understand nothing else about VPC . . .
. . . understand security groups
EC2 instances EC2 instances EC2 instances
VPC: 10.0.0.0/16
Security group
Security group
Security group
Region (e.g., ap-southeast-1)
Availability Zone: ap-southeast-1a Availability Zone: ap-southeast-1b Availability Zone: ap-southeast-1c
Amazon RDS Amazon RDS
49. If you understand nothing else about VPC . . .
. . . understand security groups
EC2 instances EC2 instances EC2 instances
VPC: 10.0.0.0/16
Security group
Security group
Security group
Region (e.g., ap-southeast-1)
Availability Zone: ap-southeast-1a Availability Zone: ap-southeast-1b Availability Zone: ap-southeast-1c
Amazon RDS Amazon RDS
50. EC2 instances EC2 instances EC2 instances
VPC: 10.0.0.0/16
Security group
Security group
Security group
Region (e.g., ap-southeast-1)
Availability Zone: ap-southeast-1a Availability Zone: ap-southeast-1b Availability Zone: ap-southeast-1c
Amazon RDS Amazon RDS
If you understand nothing else about VPC . . .
. . . understand security groups
51. If you understand only two things about VPC . . .
Public subnet: 10.0.0.0/24
Private subnet: 10.0.50.0/24
Public subnet: 10.0.1.0/24
Private subnet: 10.0.51.0/24
Public subnet: 10.0.2.0/24
Private subnet: 10.0.52.0/24
VPC: 10.0.0.0/16
. . . understand routing
Region (e.g., ap-southeast-1)
Availability Zone: ap-southeast-1a Availability Zone: ap-southeast-1b Availability Zone: ap-southeast-1c
52. If you understand only two things about VPC . . .
Public subnet: 10.0.0.0/24
Private subnet: 10.0.50.0/24
Public subnet: 10.0.1.0/24
Private subnet: 10.0.51.0/24
Public subnet: 10.0.2.0/24
Private subnet: 10.0.52.0/24
VPC: 10.0.0.0/16
. . . understand routing
Region (e.g., ap-southeast-1)
Availability Zone: ap-southeast-1a Availability Zone: ap-southeast-1b Availability Zone: ap-southeast-1c
Internet
gateway
53. AWS resources not in your VPC
VPC: 10.0.0.0/16
Region (e.g., ap-southeast-1)
$ dig logs.ap-southeast-1.amazonaws.com
+short
52.94.221.80
60. Learn a few patterns, secure everything in AWS
Data encryption
AWS KMS
Network security controls
Amazon VPC
61. Learn a few patterns, secure everything in AWS
Network security controls
Amazon VPC
Data encryption
AWS KMS
62. Learn a few patterns, secure everything in AWS
Network security controls
Amazon VPC
Data encryption
AWS KMS
63. Learn a few patterns, secure everything in AWS
Network security controls
Amazon VPC
Data encryption
AWS KMS
64. Isolation with IAM and VPC in one account?
“Gray” boundaries
Complicated and messy over time
Difficult to track resources
People stepping on each other
AWS Account
What about IAM or VPC, How we used to do this was IAM and VPC boundaries. App per VPC, dev team per IAM group, etc. But the problem persisted because…
Here are some more shortcomings:
Mary needs access to EC2, Joe needs access to beanstalk (which needs EC2 also), and Mike needs access to RDS.
Once that’s all setup, Willy needs to work on a special project and he wants his own VPC and full admin privileges.
The whole work is heavily relying on the wisdom of the Ops guys.
Wait, whose server is this that’s been running for 4mnths on a c3.8xl with no tags; can we just terminate it?
Someone dropped a key on github and that server has been bitcoin mining!?
Now Joe terminated one of the prod web tier instances by mistake…
content owner: Sam Elmalak <selmalak@amazon.com>