IAM Recommended Practices

Size: px

Start display at page:

Download "IAM Recommended Practices"

Pamela Butler
5 years ago
Views:

2 What to expect from this session We will look at: Best practices To help you get started Versus When to use one technology over another

3 AWS Identity and Access Management (IAM) Enables you to control who can do what in your AWS account Users, groups, roles, and permissions Control Centralised Fine-grained - APIs, resources, and AWS Management Console Security Secure (deny) by default Multiple users, individual security credentials and permissions

4 IAM Best Practices Basic user and permission management Credential management Delegation

5 Basic user and permission management 0. Create individual users. Benefits Unique credentials Individual credential rotation Individual permissions

6 Basic user and permission management 0. Create individual users. 1. Grant least privilege. (and monitor permission usage with the IAM console revoke permissions if they haven t been used for some time period) Benefits Less chance of people making mistakes Easier to relax than tighten up More granular control

7 Basic user and permission management 0. Create individual users. 1. Grant least privilege. 2. Manage permissions with groups. Benefits Easier to assign the same permissions to multiple users Simpler to reassign permissions based on change in responsibilities Only one change to update permissions for multiple users

8 Basic user and permission management 0. Create individual users. 1. Grant least privilege. 2. Manage permissions with groups. 3. Restrict privileged access further with conditions. Benefits Additional granularity when defining permissions Can be enabled for any AWS service API Minimises chances of accidentally performing privileged actions

9 Basic user and permission management 0. Create individual users. 1. Grant least privilege. 2. Manage permissions with groups. 3. Restrict privileged access further with conditions. 4. Enable AWS CloudTrail to get logs of API calls. Benefits Visibility into your user activity by recording AWS API calls to an Amazon S3 bucket

10 Credential management 5. Configure a strong password policy. Benefits Ensures your users and your data are protected

11 Credential management 5. Configure a strong password policy. 6. Rotate security credentials regularly. Benefits Normal best practice (often for compliance reasons)

12 Credential management 5. Configure a strong password policy. 6. Rotate security credentials regularly. 7. Enable MFA for privileged users. Benefits Supplements user name and password to require a one-time code during authentication

13 Delegation 8. Use IAM roles to share access. Benefits No need to share security credentials No need to store long-term credentials Use cases - Cross-account access - Intra-account delegation - Federation

14 Delegation 8. Use IAM roles to share access. 9. Use IAM roles for Amazon EC2 instances. Benefits Easy to manage access keys on EC2 instances Automatic key rotation Assign least privilege to the application AWS SDKs fully integrated AWS CLI fully integrated

15 Delegation 8. Use IAM roles to share access. 9. Use IAM roles for Amazon EC2 instances. 10. Reduce or remove use of root. Benefits Reduce potential for misuse of credentials

16 Top 11 IAM best practices 0. Users Create individual users. 1. Permissions Grant least privilege. 2. Groups Manage permissions with groups. 3. Conditions Restrict privileged access further with conditions. 4. Auditing Enable AWS CloudTrail to get logs of API calls. 5. Password Configure a strong password policy. 6. Rotate Rotate security credentials regularly. 7. MFA Enable MFA for privileged users. 8. Sharing Use IAM roles to share access. 9. Roles Use IAM roles for Amazon EC2 instances. 10. Root Reduce or remove use of root.

17 AWS access keys vs. passwords Versus When should I use?

19 IAM users vs. federated users Depends on where you want to manage your users On-premises Federated users (IAM roles) In your AWS account IAM users

20 IAM users vs. federated users Depends on where you want to manage your users On-premises Federated users (IAM roles) In your AWS account IAM users Other important use cases Delegating access to your account Federated users (IAM roles) Mobile application access Should always be federated access Draining PII from AWS / IAM Federated users

21 IAM users vs. federated users Depends on where you want to manage your users On-premises Federated users (IAM roles) In your AWS account IAM users Other important use cases Delegating access to your account Federated users (IAM roles) Mobile application access Should always be federated access Draining PII from AWS / IAM Federated users IMPORTANT: Never share security credentials.

22 How does federated access work? Acct ID: Acct ID: STS IAM user: Anders

23 How does federated access work? Acct ID: Acct ID: STS ddb-role IAM user: Anders

How does federated access work? dev@example.com Acct ID: 123456789012 prod@example.

24 How does federated access work? Acct ID: Acct ID: STS ddb-role trusts IAM users from the AWS account ( ) { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":" "}, "Action":"sts:AssumeRole" }]} IAM user: Anders ddb-role

25 How does federated access work? Acct ID: Acct ID: STS ddb-role trusts IAM users from the AWS account ( ) { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":" "}, "Action":"sts:AssumeRole" }]} IAM user: Anders ddb-role Permissions assigned to ddb-role { "Statement": [ { "Action": [ "dynamodb:getitem", "dynamodb:batchgetitem", "dynamodb:describetable", "dynamodb:listtables" ], "Effect": "Allow", "Resource": "* }]}

26 How does federated access work? Acct ID: Acct ID: STS ddb-role trusts IAM users from the AWS account ( ) { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":" "}, "Action":"sts:AssumeRole" }]} IAM user: Anders Permissions assigned to Anders granting him permission to assume ddb-role in account B { "Statement": [ { "Effect": "Allow", "Action": "sts:assumerole", "Resource": "arn:aws:iam:: :role/ddb-role" }]} ddb-role Permissions assigned to ddb-role { "Statement": [ { "Action": [ "dynamodb:getitem", "dynamodb:batchgetitem", "dynamodb:describetable", "dynamodb:listtables" ], "Effect": "Allow", "Resource": "* }]}

27 How does federated access work? Acct ID: Authenticate with Anders access keys Acct ID: STS ddb-role trusts IAM users from the AWS account ( ) { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":" "}, "Action":"sts:AssumeRole" }]} IAM user: Anders Permissions assigned to Anders granting him permission to assume ddb-role in account B { "Statement": [ { "Effect": "Allow", "Action": "sts:assumerole", "Resource": "arn:aws:iam:: :role/ddb-role" }]} ddb-role Permissions assigned to ddb-role { "Statement": [ { "Action": [ "dynamodb:getitem", "dynamodb:batchgetitem", "dynamodb:describetable", "dynamodb:listtables" ], "Effect": "Allow", "Resource": "* }]}

28 How does federated access work? Acct ID: Authenticate with Anders access keys Acct ID: STS ddb-role trusts IAM users from the AWS account ( ) { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":" "}, "Action":"sts:AssumeRole" }]} IAM user: Anders Permissions assigned to Anders granting him permission to assume ddb-role in account B Get temporary security credentials for ddb-role { "Statement": [ { "Effect": "Allow", "Action": "sts:assumerole", "Resource": "arn:aws:iam:: :role/ddb-role" }]} ddb-role Permissions assigned to ddb-role { "Statement": [ { "Action": [ "dynamodb:getitem", "dynamodb:batchgetitem", "dynamodb:describetable", "dynamodb:listtables" ], "Effect": "Allow", "Resource": "* }]}

29 How does federated access work? Acct ID: Authenticate with Anders access keys Acct ID: STS ddb-role trusts IAM users from the AWS account ( ) { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":" "}, "Action":"sts:AssumeRole" }]} IAM user: Anders Permissions assigned to Anders granting him permission to assume ddb-role in account B Get temporary security credentials for ddb-role Call AWS APIs using temporary security credentials of ddb-role { "Statement": [ { "Effect": "Allow", "Action": "sts:assumerole", "Resource": "arn:aws:iam:: :role/ddb-role" }]} ddb-role Permissions assigned to ddb-role { "Statement": [ { "Action": [ "dynamodb:getitem", "dynamodb:batchgetitem", "dynamodb:describetable", "dynamodb:listtables" ], "Effect": "Allow", "Resource": "* }]}

31 AWS access keys vs. passwords Depends on how your users will access AWS Console Password API, CLI, SDK Access keys

32 AWS access keys vs. passwords Depends on how your users will access AWS Console Password API, CLI, SDK Access keys In either case make sure to rotate credentials regularly Use Credential Report to audit credential rotation. Configure password policy. Configure policy to allow access key rotation.

33 Enabling credential rotation for IAM users (Enable access key rotation sample policy) Access keys { "Version":" ", "Statement": [{ "Effect": "Allow", "Action": [ "iam:createaccesskey", "iam:deleteaccesskey", "iam:listaccesskeys", "iam:updateaccesskey"], "Resource": "arn:aws:iam:: : user/${aws:username}" }]}

34 Enabling credential rotation for IAM users (Enable access key rotation sample policy) Access keys { "Version":" ", "Statement": [{ "Effect": "Allow", "Action": [ "iam:createaccesskey", "iam:deleteaccesskey", "iam:listaccesskeys", "iam:updateaccesskey"], "Resource": "arn:aws:iam:: : user/${aws:username}" }]} Steps to rotate access keys 1. While the first set of credentials is still active, create a second set of credentials, which will also be active by default. 2. Update all applications to use the new credentials. 3. Change the state of the first set of credentials to Inactive. 4. Using only the new credentials, confirm that your applications are working well. 5. Delete the first set of credentials.

36 Inline policies vs. managed policies Use inline policies when you need to: Enforce a strict one-to-one relationship between policy and principal. Avoid the wrong policy being attached to a principal. Ensure the policy is deleted when deleting the principal.

37 Inline policies vs. managed policies Use inline policies when you need to: Enforce a strict one-to-one relationship between policy and principal. Avoid the wrong policy being attached to a principal. Ensure the policy is deleted when deleting the principal. Use managed policies when you need: Reusability. Central change management. Versioning and rollback. Delegation of permissions management. Automatic updates for AWS managed policies. Larger policy size.

39 Groups vs. managed policies Provide similar benefits Can be used to assign the same permission to many users. Central location to manage permissions. Policy updates affect multiple users.

40 Groups vs. managed policies Provide similar benefits Can be used to assign the same permission to many users. Central location to manage permissions. Policy updates affect multiple users. Use groups when you need to Logically group and manage users.

41 Groups vs. managed policies Provide similar benefits Can be used to assign the same permission to many users. Central location to manage permissions. Policy updates affect multiple users. Use groups when you need to Logically group and manage users. Use managed policies when you need to Assign the same policy to users, groups, and roles.

42 Combine the power of groups AND managed policies Use groups to organize your users into logical clusters. Attach managed policies to those groups with the permissions those groups need. Pro tip: Create managed policies based on logically separated permissions such as AWS service or project, and attach managed policies mix-andmatch style to your groups.

44 Resource-specific policy vs. tag-based access control Use resource-specific policy when you need to: Control access to a specific resource. Control access to most AWS service resources.

45 Resource-specific policy vs. tag-based access control Use resource-specific policy when you need to: Control access to a specific resource. Control access to most AWS service resources. Use tag-based access control when you need to: Treat resources as a unit, such as a project. Automatically enforce permissions when new resources are created.

46 Resource-specific policy vs. tag-based access control Use resource-specific policy when you need to: Control access to a specific resource. Control access to most AWS service resources. Use tag-based access control when you need to: Treat resources as a unit, such as a project. Automatically enforce permissions when new resources are created. NOTE: The following services currently support tag-based access control: Amazon EC2, Amazon VPC, Amazon EBS, Amazon RDS, Amazon Simple Workflow Service, and AWS Data Pipeline

47 How does tag-based access control work? Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue { } "Version": " ", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:resourcetag/project" : "Blue" } } } ] IAM user: Anders

48 How does tag-based access control work? Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue { } "Version": " ", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:resourcetag/project" : "Blue" } } } ] IAM user: Anders i-a1234b12 Project=Blue

49 How does tag-based access control work? Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue { } "Version": " ", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:resourcetag/project" : "Blue" } } } ] IAM user: Anders i-a1234b12 Project=Blue

50 How does tag-based access control work? Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue { } "Version": " ", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:resourcetag/project" : "Blue" } } } ] IAM user: Anders i-a1234b12 Project=Blue i-a4321b12 Project=Blue

51 How does tag-based access control work? Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue { } "Version": " ", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:resourcetag/project" : "Blue" } } } ] IAM user: Anders i-a1234b12 i-a4321b12 Project=Blue

52 How does tag-based access control work? Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue { } "Version": " ", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:resourcetag/project" : "Blue" } } } ] IAM user: Anders i-a1234b12 i-a4321b12 Project=Blue

53 How does tag-based access control work? Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue { } "Version": " ", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:resourcetag/project" : "Blue" } } } ] IAM user: Anders i-a1234b12 i-a4321b12 i-a4321b12 Project=Green Project=Blue

55 One AWS account vs. multiple AWS accounts? Use a single AWS account when you: Want simpler control of who does what in your AWS environment. Have no need to isolate projects/products/teams. Have no need for breaking up the cost.

56 One AWS account vs. multiple AWS accounts? Use a single AWS account when you: Want simpler control of who does what in your AWS environment. Have no need to isolate projects/products/teams. Have no need for breaking up the cost. Use multiple AWS accounts when you: Need full isolation between projects/teams/environments. Want to isolate recovery data and/or auditing data (e.g., writing your CloudTrail logs to a different account). Want something close to Mandatory Access Control Need a single bill, but want to break out the cost and usage.

57 Cross-account access with IAM roles Acct ID: Acct ID: Acct ID: IAM user: Anders

58 Cross-account access with IAM roles Acct ID: Acct ID: Acct ID: IAM user: Anders

59 Cross-account access with IAM roles Acct ID: Acct ID: Acct ID: IAM user: Anders

60 Cross-account access with IAM roles Acct ID: Acct ID: Acct ID: IAM user: Anders

61 Cross-account access with IAM roles Acct ID: Acct ID: Acct ID: IAM user: Anders

62 Cross-account access with IAM roles Acct ID: Acct ID: Acct ID: IAM user: Anders

Cross-account access with IAM roles proj1@example.

63 Cross-account access with IAM roles Acct ID: Acct ID: Acct ID: IAM user: Anders

64 Cross-account access with IAM roles External identity provider Acct ID: Acct ID: Acct ID: Acct ID: IAM user: Anders IAM user: Bob

65 Cross-account access with IAM roles External identity provider Acct ID: Acct ID: Acct ID: Acct ID: IAM user: Anders IAM user: Bob

66 What did we cover? 1. Top 1011 X best practices. 2. IAM users vs. federated users. 3. Access keys vs. passwords. 4. Inline policies vs. managed policies. 5. Groups vs. managed policies. 6. Resource-specific policy vs. tag-based access control. 7. One AWS account vs. multiple AWS accounts.

Thank You Tom Maddox Manager, Solution Architecture 2015,

Simple Security for Startups. Mark Bate, AWS Solutions Architect

Simple Security for Startups. Mark Bate, AWS Solutions Architect BERLIN Simple Security for Startups Mark Bate, AWS Solutions Architect Agenda Our Security Compliance Your Security Account Management (the keys to the kingdom) Service Isolation Visibility and Auditing