AWS re:Invent 2016: Workshop: Adhere to the Principle of Least Privilege by Using AWS Identity and Access Management (IAM) and Amazon Virtual Private Cloud (VPC) (SEC302)
AWS IAM and Amazon VPC offer powerful tools that help you adhere to the principle of least privilege in your resource permissions and network security settings. This workshop will start with the fundamentals of IAM and VPC security techniques and will give you hands-on experience in writing, testing, applying, troubleshooting, and auditing progressively more tightly scoped IAM policies. You will also get experience building and monitoring VPC security groups that grant only the access required to perform tasks.
3. Principle of Least Privilege: Definition
“In information security, computer science, and other fields, the principle of least privilege requires that in a particular abstraction layer of a computing environment, every module must be able to access only the information and resources that are necessary for its legitimate purpose.” (Wikipedia)
4. Identity and Access Management (IAM)
Building blocks: IAM policy, IAM role, temporary credentials.
6. Auditing, Monitoring and Troubleshooting
Tools: AWS CloudTrail; Amazon CloudWatch Events and CloudWatch Logs; AWS Lambda.
7. What to Expect from the Session
Hands-on practice working with IAM and Amazon VPC
• Techniques for scoping access and connectivity: allowing exactly what you need.
• Techniques for debugging, auditing, and alarming.
8. Prerequisites
You will get the most out of this session if you:
• Have some experience with AWS
• Have an AWS account with a working, installed AWS CLI
• Know how to SSH to a Linux host
• Have some basic programming experience (examples will be in JavaScript)
25. I actually could have shown you these, since I later deleted the user.
BUT: These are long-term security credentials. Don’t share or post them anywhere.
26. Configuring an IAM User Profile in the CLI
C:\Users\becky>aws configure --profile sec302demo
AWS Access Key ID [None]: AKIA*************
AWS Secret Access Key [None]: ***************************
Default region name [None]: us-west-2
Default output format [None]: json
Use the credentials you were given.
27. Use the CLI as Sec302DemoUser
C:\Users\becky>aws ec2 describe-vpcs --profile sec302demo
An error occurred (UnauthorizedOperation) when calling the DescribeVpcs operation: You are not authorized to perform this operation.
This is expected: a new IAM user starts with no permissions at all, so every call is implicitly denied until a policy grants it.
32. Create an EC2 Key Pair For SSH Access
If you already have an SSH key (the trailing backtick is PowerShell's line continuation):
aws ec2 import-key-pair `
  --profile sec302demo `
  --key-name Sec302DemoSSH `
  --public-key-material file://c:\temp\Sec302DemoPub.txt
(With AWS CLI v2, pass the key file as fileb://... rather than file://.)
To create a new SSH key:
aws ec2 create-key-pair `
  --profile sec302demo `
  --key-name Sec302DemoSSH
And save the KeyMaterial from the response: it is the private key, it is returned only once, and it belongs in a file that only you can read.
47. Cheat sheet: Launch an EC2 instance
Handout: run_instances_cheat_sheet.txt
> aws ec2 run-instances --profile sec302demo
>> --image-id ami-7172b611
>> --instance-type t2.nano
>> --subnet-id $YOUR_SUBNET_ID
>> --security-group-ids $YOUR_SECURITY_GROUP_ID
>> --key-name Sec302DemoSSH
($YOUR_SUBNET_ID and $YOUR_SECURITY_GROUP_ID are resources created by the SEC302 CloudFormation stack.)
48. Verify SSH Access
Test your ssh access, e.g.:
putty.exe -i c:\temp\Sec302DemoPriv.ppk ec2-user@52.24.192.187
You can now terminate this EC2 instance. We won’t need it again.
58. Create an IAM Role for an EC2 Instance
Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
59. Create an IAM Role for an EC2 Instance
The role's trust policy names the EC2 service (ec2.amazonaws.com) as the principal allowed to call sts:AssumeRole on it. That is what lets EC2 obtain credentials for this role on behalf of instances launched with it (through an instance profile).
Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
60. Policy for the IAM Role: S3 Read-Only Access
Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
61. Anatomy of an IAM Role
• ARN: for referring to it later
• Trust policy: for use by EC2
• Permissions: right now, permits all ReadOnly operations in S3. (We’ll make this more restrictive later.)
Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
62. Launch an EC2 instance
Launching with the IAM role: this EC2 instance will have S3 ReadOnly permissions.
Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json
63. Attempt Actions From the EC2 Instance
SSH to your EC2 instance, and from there, try some actions:
# Tell the CLI your default region
aws configure set default.region us-west-2
# This should work
aws s3 ls
# This should fail
aws s3 mb s3://this-will-fail
# This should fail
aws ec2 describe-instances
64. Where Are the Credentials?
There are credentials, but:
• They are completely hands-off: you don’t touch them.
• They are temporary and will expire; EC2 rotates them automatically and serves the current set through the instance metadata service.
To see them:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/Sec302EC2Role; echo
(169.254.169.254 is the EC2 Instance Metadata Service; Sec302EC2Role is your role name.)
Caveat: anything on the instance that can reach 169.254.169.254, including an application with an SSRF bug, can read these credentials the same way. On instances configured to require IMDSv2 this plain GET is refused; you must first obtain a session token with a PUT to /latest/api/token and send it in the X-aws-ec2-metadata-token header.
65. Making IAM Policy More Restrictive
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
67. Making IAM Policy More Restrictive: Choosing Specific Actions
Only the s3:GetObject action is allowed.
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
68. Making IAM Policy More Restrictive: Choosing Specific Actions
"Resource": "*" means permission to s3:GetObject on every object in every bucket.
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
69. Making IAM Policy More Restrictive: Delete the Old Policy
Detach the managed S3 read-only policy: we’re going to write our own.
70. Making IAM Policy More Restrictive: Choosing Specific Actions
Our policy so far:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1474248983000",
      "Effect": "Allow",
      "Action": [ "s3:GetObject" ],
      "Resource": [ "*" ]
    }
  ]
}
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
71. Attempt Actions From the EC2 Instance
SSH to your EC2 instance, and from there, try some actions:
# This should fail: listing buckets is s3:ListAllMyBuckets, not s3:GetObject
aws s3 ls
# This should work: it is s3:GetObject
aws s3 cp s3://awsiammedia/public/sample/LeastPrivilegeWorkshopreInvent/SEC302_handouts.zip .
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
72. Making IAM Policy More Restrictive:
IAM Resource-Level Policies
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
73. Making IAM Policy More Restrictive: IAM Resource-Level Policies
In English: s3:ListBucket is allowed, only on the specified bucket, only when the prefix being listed matches the given pattern.
Two details matter here: ListBucket is authorized against the bucket ARN itself (no trailing /*), and the s3:prefix condition key carries the prefix parameter of the list request, so a request that sends no prefix at all does not satisfy the StringLike condition and is denied.
{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Action": [ "s3:ListBucket" ],
    "Condition" : {
      "StringLike": {
        "s3:prefix": "AWSLogs/111122223333/CloudTrail/*"
      }
    },
    "Resource": [ "arn:aws:s3:::your-cloudtrail-bucket-name-here" ]
  } ]
}
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
Use your own bucket name and your own account ID.
74. Testing the ListBucket Policy
SSH to your EC2 instance and try it:
[ec2-user@ip-10-0-2-49 ~]$ aws s3 ls s3://$YOUR_CLOUDTRAIL_BUCKET/AWSLogs/$YOUR_ACCOUNT_ID/CloudTrail/us-west-2/2016/11/29/
2016-11-29 16:28:41       1213 778340376510_CloudTrail_us-west-2_20161001T1625Z_k5gzl4muOxohMXeM.json.gz
2016-11-29 16:38:33       2311 778340376510_CloudTrail_us-west-2_20161001T1630Z_50SqQyuABVqP5igQ.json.gz
2016-11-29 16:33:22       1881 778340376510_CloudTrail_us-west-2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz
…
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
75. Making IAM Policy More Restrictive: IAM Resource-Level Policies
In English: s3:GetObject is allowed, only on objects whose key matches the given pattern.
Add this statement to your policy, inside Statement[]:
{
  "Effect": "Allow",
  "Action": [ "s3:GetObject" ],
  "Resource": [ "arn:aws:s3:::<YOUR_CLOUDTRAIL_BUCKET>/AWSLogs/<YOUR_ACCOUNT_ID>/CloudTrail/*" ]
}
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
Use your own bucket name and account ID.
76. Testing the GetObject Policy
[ec2-user@ip-10-0-2-49 ~]$ aws s3 cp s3://becky-20161001-cloudtrail/AWSLogs/778340376510/CloudTrail/us-west-2/2016/10/01/778340376510_CloudTrail_us-west-2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz .
download: s3://becky-20161001-cloudtrail/AWSLogs/778340376510/CloudTrail/us-west-2/2016/10/01/778340376510_CloudTrail_us-west-2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz to ./778340376510_CloudTrail_us-west-2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz
Take a minute to unzip this and look at its contents:
# gunzip $CLOUD_TRAIL_FILE.gz
# sudo yum -y install jq
# jq .Records[0] $CLOUD_TRAIL_FILE
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
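The slides show three policies and what each command does against them; to make the decision rule itself visible, here is a small evaluator, added to this page as an example and not part of the SEC302 handouts. It implements only what these slides use (Allow statements, Action and Resource wildcards, a StringLike condition on s3:prefix) plus IAM's implicit deny when no statement matches; real IAM also has explicit Deny, NotAction, policy variables and resource policies, so do not use it as an authorizer. The bucket name and account ID are the slide placeholders, the request objects are constructed, and the mapping from CLI commands to S3 actions (aws s3 ls with no bucket → s3:ListAllMyBuckets; aws s3 ls s3://bucket/prefix/ → s3:ListBucket carrying s3:prefix; aws s3 cp s3://... → s3:GetObject) is how the CLI calls S3.

```javascript
// Added example, not from the SEC302 handouts: a minimal IAM-style evaluator
// covering only what slides 70-76 use. Not a substitute for real IAM evaluation.

// IAM wildcards: "*" matches any run of characters, "?" exactly one character.
function wildcardToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$');
}

function matches(pattern, value) {
  return wildcardToRegExp(pattern).test(value);
}

// Does one Allow statement cover the request? Action, Resource and every
// Condition key must all match. A condition key that is absent from the
// request context makes StringLike fail, exactly as in IAM.
function statementAllows(stmt, request) {
  if (stmt.Effect !== 'Allow') return false;
  const actions = [].concat(stmt.Action);
  const resources = [].concat(stmt.Resource);
  if (!actions.some((a) => matches(a, request.action))) return false;
  if (!resources.some((r) => matches(r, request.resource))) return false;
  const like = (stmt.Condition && stmt.Condition.StringLike) || {};
  for (const [key, patterns] of Object.entries(like)) {
    const value = (request.context || {})[key];
    if (value === undefined) return false;
    if (![].concat(patterns).some((p) => matches(p, value))) return false;
  }
  return true;
}

// Implicit deny unless some statement allows.
function evaluate(policy, request) {
  return policy.Statement.some((s) => statementAllows(s, request)) ? 'Allow' : 'ImplicitDeny';
}

// Slide 70: s3:GetObject on every object in every bucket.
const broadPolicy = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['s3:GetObject'], Resource: ['*'] }],
};

// Slides 73 + 75: list and read only this account's CloudTrail prefix.
// BUCKET and ACCOUNT are the placeholders used on the slides.
const BUCKET = 'your-cloudtrail-bucket-name-here';
const ACCOUNT = '111122223333';
const narrowPolicy = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['s3:ListBucket'],
      Resource: [`arn:aws:s3:::${BUCKET}`],
      Condition: { StringLike: { 's3:prefix': `AWSLogs/${ACCOUNT}/CloudTrail/*` } },
    },
    {
      Effect: 'Allow',
      Action: ['s3:GetObject'],
      Resource: [`arn:aws:s3:::${BUCKET}/AWSLogs/${ACCOUNT}/CloudTrail/*`],
    },
  ],
};

// Constructed requests: what the CLI commands on the slides ask S3 for.
const requests = {
  listAllBuckets:  { action: 's3:ListAllMyBuckets', resource: 'arn:aws:s3:::*' }, // aws s3 ls
  getHandoutZip:   { action: 's3:GetObject',
                     resource: 'arn:aws:s3:::awsiammedia/public/sample/LeastPrivilegeWorkshopreInvent/SEC302_handouts.zip' },
  listTrailPrefix: { action: 's3:ListBucket', resource: `arn:aws:s3:::${BUCKET}`,
                     context: { 's3:prefix': `AWSLogs/${ACCOUNT}/CloudTrail/us-west-2/2016/11/29/` } },
  listBucketRoot:  { action: 's3:ListBucket', resource: `arn:aws:s3:::${BUCKET}`, context: {} }, // aws s3 ls s3://BUCKET
  getTrailObject:  { action: 's3:GetObject',
                     resource: `arn:aws:s3:::${BUCKET}/AWSLogs/${ACCOUNT}/CloudTrail/us-west-2/2016/11/29/x.json.gz` },
  getOtherPrefix:  { action: 's3:GetObject',
                     resource: `arn:aws:s3:::${BUCKET}/AWSLogs/999999999999/CloudTrail/x.json.gz` },
};

// Decision for every request under one policy, e.g. decisions(narrowPolicy).
function decisions(policy) {
  const out = {};
  for (const [name, req] of Object.entries(requests)) out[name] = evaluate(policy, req);
  return out;
}

console.log('broad :', decisions(broadPolicy));
console.log('narrow:', decisions(narrowPolicy));
```

The listBucketRoot case is the one people trip over: a plain aws s3 ls s3://bucket sends no prefix, so the StringLike condition cannot be satisfied and the listing is denied even though the bucket ARN matches. The getOtherPrefix case shows why the object ARN carries the account ID: logs another account delivered into the same bucket stay out of reach.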
77. Reference: AWS Services That Work With IAM
Bookmark this page:
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
This has pointers to how you can use IAM with each AWS service.
81. Grant access to your partner’s account
(or your own, if no partner)
Catchup CloudFormation template handout: iam_role_cross_account_template.json
82. Permissions for the IAM Role
Choose a managed policy in the creation wizard
Or write your own (inline policies). For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [ "ec2:DescribeInstances" ],
"Resource": [ "*" ]
}
]
}
Catchup CloudFormation template handout: iam_role_cross_account_template.json
83. Note the IAM Role ARN
Catchup CloudFormation template handout: iam_role_cross_account_template.json
84. Assuming Your Partner’s IAM Role
> aws sts assume-role --profile sec302demo `
    --role-arn arn:aws:iam::111122223333:role/Sec302RoleTestMe `
    --role-session-name MyTestSession
(111122223333 stands for your partner’s account ID; the run below used 778340376510.)
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::410436118402:user/sec302demo is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::778340376510:role/Sec302RoleTestMe
Oops! What did we miss? A cross-account AssumeRole needs both sides to agree: the caller’s identity-based policy must allow sts:AssumeRole on that role ARN, and the role’s trust policy in the partner’s account must name the caller’s account (or user) as a Principal. STS returns the same AccessDenied whichever half is missing.
86. Assuming the IAM Role
C:\Users\becky>aws sts assume-role --profile sec302demo --role-arn arn:aws:iam::778340376510:role/Sec302RoleTestMe --role-session-name MyTestSession
{
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAJCO64ENYICVBJQRWM:MyTestSession",
    "Arn": "arn:aws:sts::778340376510:assumed-role/Sec302RoleTestMe/MyTestSession"
  },
  "Credentials": {
    "SecretAccessKey": "****",
    "SessionToken": "*****************",
    "Expiration": "2016-09-21T16:57:03Z",
    "AccessKeyId": "ASIA***********"
  }
}
Temporary credentials: I could have shown them. They have expired and are useless.
87. Use the Temporary Credentials
> aws configure --profile sec302assumed
AWS Access Key ID [None]: *****
AWS Secret Access Key [None]: *************
Default region name [None]: us-west-2
Default output format [None]: json
> aws configure set aws_session_token *************************** --profile sec302assumed
All three values, including the session token, must come from the same assume-role response, and they stop working together at the Expiration time. The CLI can also do this step for you: a profile with role_arn and source_profile in ~/.aws/config assumes the role on demand and refreshes the credentials when they expire.
88. Try the Temporary Credentials
# Should succeed: the role's policy allows ec2:DescribeInstances
aws ec2 describe-instances --profile sec302assumed
# Should fail: nothing in the role's policy mentions DynamoDB
aws dynamodb list-tables --profile sec302assumed
89. More on Permissions for IAM Roles
Permissions for IAM roles should be minimal.
Example yellow flags:
• sts:AssumeRole / iam:PassRole -- If needed, be specific in the Resource about which IAM role this role may assume or pass; with "*" the role can step into any role that trusts it, or hand any role to a service.
• iam:PutRolePolicy -- Usually only for highly privileged principals; it lets the holder rewrite a role's permissions, including its own.
90. Going Further: IAM Resource-Based Policies
Useful for cross-account access.
Supported on some AWS resources, e.g. S3 buckets (bucket policies).
Attach the policy to the resource itself; it names the principals allowed in, analogous to an access control list.
For a cross-account call both sides must allow it: the identity-based policy in the caller's account && the resource-based policy on the resource.
91. Auditing API Call Events
Using CloudWatch Events + AWS Lambda to audit resource access
92. CloudWatch Events & AWS Lambda
[Diagram: CloudTrail records AWS API calls → a CloudWatch Events rule matches them → the rule invokes an AWS Lambda function.]
94. Lambda Function for CloudWatch Events
Created by the SEC302 CloudFormation stack.
98. Setting Up the CloudWatch Events Rule
Event source: AWS API call via CloudTrail. We will see EC2 API calls. The SEC302 CloudFormation stack created this rule.
Catchup CloudFormation handout: cloudwatch_events_aws_api_rule_template.json
99. Try it: Make EC2 API calls
Make some that succeed
Make some that fail
Get your partner to make some that fail, while assuming your IAM role
101. Events Delivered to Your Lambda Function
{
  …
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "AssumedRole",
      "principalId": "AROAJCO64ENYICVBJQRWM:MyTestSession",
      "arn": "arn:aws:sts::410436118402:assumed-role/Sec302RoleTestMe/MyTestSession",
      …
    "eventTime": "2016-09-21T17:03:13Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateVpc",
    "awsRegion": "us-west-2",
    "errorCode": "Client.UnauthorizedOperation",
    "errorMessage": "You are not authorized to perform this operation.",
    "requestParameters": { "cidrBlock": "192.168.0.0/16" },
    …
Someone tried and failed to use CreateVpc while assuming this role.
102. You Can Do a Lot With These Events
Plenty of details there, including:
• Principal that attempted the call
• API method and request parameters
• Result: Success or error (with detail)
• Response
All of this is also in CloudTrail in S3
But Lambda functions can take actions: Ideas?
107. Sidebar: IAM Role for the Lambda Function
The trust policy indicates that AWS Lambda can assume this IAM role (it says nothing about what the role may do; that is the permissions policy).
{
  "Role": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [ {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
          "Service": "lambda.amazonaws.com"
        }
      } ]
    },
    …
}
109. Your Turn: Modify the Function Code
Try modifying the AWS Lambda function to do something
more interesting!
For example code that publishes to an SNS topic, see
handout: lambda_function_with_publish_to_sns.js
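As an added example of what the function could do with the fields listed on slide 102 (it is not the workshop's function and not the lambda_function_with_publish_to_sns.js handout), here is a Node.js handler that reduces each delivered event to a finding, rates authorization failures, and hands the message to a notifier you supply, so the logic runs offline. The event envelope fields (detail-type, source) and both sample events are constructed; the detail block of the first one is the record from slide 101. The sns.publish call mentioned in a comment is the AWS SDK for JavaScript v2 API and is an assumption about your runtime.

```javascript
// Added example, not the SEC302 handout: a Lambda handler for the CloudWatch
// Events rule "AWS API Call via CloudTrail" that flags denied calls.

// Pull a readable principal out of CloudTrail's userIdentity block.
function describePrincipal(userIdentity) {
  const arn = userIdentity.arn || '';
  const account = arn.split(':')[4] || userIdentity.accountId || '';
  if (userIdentity.type === 'AssumedRole') {
    // arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
    const tail = arn.split(':assumed-role/')[1] || '';
    const [role, session] = tail.split('/');
    return { kind: 'AssumedRole', name: role || arn, session: session || null, account };
  }
  if (userIdentity.type === 'IAMUser') {
    return { kind: 'IAMUser', name: arn.split(':user/')[1] || arn, session: null, account };
  }
  return { kind: userIdentity.type || 'Unknown', name: arn, session: null, account };
}

// Error codes that mean "the policy said no" (EC2 and most other services).
const DENIED_CODES = new Set(['Client.UnauthorizedOperation', 'AccessDenied', 'AccessDeniedException']);

// Reduce one event to the fields an auditor needs, plus a severity:
//   info   - the call succeeded
//   medium - denied for an IAM user
//   high   - denied for an assumed role: a scoped role is being pushed past
//            what it was given, or its policy is too tight for its job
function analyzeEvent(event) {
  const d = event.detail || {};
  const principal = describePrincipal(d.userIdentity || {});
  const denied = DENIED_CODES.has(d.errorCode);
  const who = principal.session ? `${principal.name}/${principal.session}` : principal.name;
  return {
    eventTime: d.eventTime,
    eventSource: d.eventSource,
    eventName: d.eventName,
    region: d.awsRegion,
    principal,
    denied,
    errorCode: d.errorCode || null,
    requestParameters: d.requestParameters || {},
    severity: denied ? (principal.kind === 'AssumedRole' ? 'high' : 'medium') : 'info',
    summary: `${principal.kind} ${who} (acct ${principal.account}) ` +
      `${denied ? 'was DENIED' : 'called'} ${d.eventSource}:${d.eventName} in ${d.awsRegion}` +
      (denied ? ` [${d.errorCode}]` : ''),
  };
}

// Build the Lambda entry point around a notifier. To deploy (assumed SDK v2):
//   exports.handler = makeHandler(msg => sns.publish({ TopicArn, Message: msg }).promise());
function makeHandler(notify) {
  return async function handler(event) {
    const finding = analyzeEvent(event);
    if (finding.severity !== 'info') await notify(finding.summary);
    return finding;
  };
}

// Constructed event in the shape CloudWatch Events delivers; "detail" is the
// CloudTrail record shown on slide 101.
const deniedCreateVpc = {
  'detail-type': 'AWS API Call via CloudTrail',
  source: 'aws.ec2',
  detail: {
    eventVersion: '1.05',
    userIdentity: {
      type: 'AssumedRole',
      principalId: 'AROAJCO64ENYICVBJQRWM:MyTestSession',
      arn: 'arn:aws:sts::410436118402:assumed-role/Sec302RoleTestMe/MyTestSession',
    },
    eventTime: '2016-09-21T17:03:13Z',
    eventSource: 'ec2.amazonaws.com',
    eventName: 'CreateVpc',
    awsRegion: 'us-west-2',
    errorCode: 'Client.UnauthorizedOperation',
    errorMessage: 'You are not authorized to perform this operation.',
    requestParameters: { cidrBlock: '192.168.0.0/16' },
  },
};

// Constructed successful call by the IAM user from slide 84, for contrast.
const allowedDescribe = {
  'detail-type': 'AWS API Call via CloudTrail',
  source: 'aws.ec2',
  detail: {
    userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::410436118402:user/sec302demo' },
    eventTime: '2016-09-21T17:05:00Z',
    eventSource: 'ec2.amazonaws.com',
    eventName: 'DescribeInstances',
    awsRegion: 'us-west-2',
  },
};

console.log(analyzeEvent(deniedCreateVpc).summary);
console.log(analyzeEvent(allowedDescribe).summary);
```

The useful property for least-privilege work is that the same finding tells you two opposite things depending on who you ask: to the security team a high-severity hit is a scoped role being pushed past its policy, to the role's owner it is a sign the policy may be tighter than the job needs. Either way the requestParameters (here, the CIDR the caller tried to create) are what you need to decide.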
110. Another Idea: Using CloudTrail to Audit Permissions
Least-privilege best practice: audit IAM roles and users against actual usage in CloudTrail. Does anyone have permissions that have gone unused?
113. The Application We Are Running
[Diagram: a virtual private cloud with one VPC subnet in each of us-west-2a, us-west-2b and us-west-2c; the Internet (0.0.0.0/0) outside; three security groups, SSH, ALB and Backend, with ALLOW arrows marking the permitted paths between them.]
117. What You Are Running
[Diagram: the same VPC and subnets, showing only the ALB Security Group and the Backend Security Group.]
118. Routing for Least-Privilege in a VPC
[Diagram: the VPC with its three subnets and a route to 0.0.0.0/0.]
119. Routing for Least-Privilege in a VPC
[Diagram: the VPC split into public subnets in us-west-2a/b/c with a route to 0.0.0.0/0, and private subnets in us-west-2a/b/c without one; the private subnets reach S3 via VPC Endpoints.]
134. Lambda Function for Unexpected REJECTs
Your turn: Do something interesting with VPC Flow Logs!
Idea: Try writing a Lambda function that notifies your SNS topic when within-VPC traffic gets REJECTed.
The code in your Lambda function already unzips and pretty-prints the messages.
135. Lambda Function for Unexpected REJECTs
Handout: vpc_flow_logs_rejects.js
Simple Lambda function for notifying an SNS topic whenever a packet sent within the VPC gets rejected.
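Added example, not the vpc_flow_logs_rejects.js handout: the detection logic for that idea in Node.js, starting from decoded flow-log lines (the workshop's function already handles the gzipped CloudWatch Logs payload, so that part is left out). Everything below the functions is constructed: the 10.0.0.0/16 VPC CIDR is assumed from the ip-10-0-2-49 host on earlier slides, and the five log lines are made up in the default (version 2) flow-log format.

```javascript
// Added example, not the SEC302 handout: find REJECTed packets whose source
// AND destination both sit inside the VPC. The default flow-log format is
// 14 space-separated fields; custom formats would need their own FIELDS list.
const FIELDS = ['version', 'accountId', 'interfaceId', 'srcAddr', 'dstAddr', 'srcPort',
  'dstPort', 'protocol', 'packets', 'bytes', 'start', 'end', 'action', 'logStatus'];
const NUMERIC = ['srcPort', 'dstPort', 'protocol', 'packets', 'bytes', 'start', 'end'];
const PROTO = { 1: 'ICMP', 6: 'TCP', 17: 'UDP' };

function parseRecord(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== FIELDS.length) return null; // other format or junk: skip it
  const rec = {};
  FIELDS.forEach((f, i) => { rec[f] = parts[i]; });
  NUMERIC.forEach((f) => { rec[f] = Number(rec[f]); }); // "-" becomes NaN on NODATA/SKIPDATA rows
  return rec;
}

function ipToInt(ip) {
  return ip.split('.').reduce((n, octet) => n * 256 + Number(octet), 0);
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

// REJECT with both ends inside the VPC means a security group or NACL
// blocked east-west traffic: either a rule is tighter than the application
// needs, or something inside is probing where it should not.
function unexpectedRejects(lines, vpcCidr) {
  return lines
    .map(parseRecord)
    .filter((r) => r && r.logStatus === 'OK' && r.action === 'REJECT'
      && inCidr(r.srcAddr, vpcCidr) && inCidr(r.dstAddr, vpcCidr))
    .map((r) => ({
      interfaceId: r.interfaceId,
      src: r.srcAddr, srcPort: r.srcPort,
      dst: r.dstAddr, dstPort: r.dstPort,
      protocol: PROTO[r.protocol] || String(r.protocol),
      message: `REJECT inside ${vpcCidr} on ${r.interfaceId}: ` +
        `${r.srcAddr}:${r.srcPort} -> ${r.dstAddr}:${r.dstPort} ${PROTO[r.protocol] || r.protocol}`,
    }));
}

// Constructed input. VPC CIDR assumed; account and ENI IDs are placeholders.
const VPC_CIDR = '10.0.0.0/16';
const SAMPLE_LINES = [
  '2 111122223333 eni-0a1b2c3d 10.0.2.49 10.0.1.10 43210 443 6 5 600 1480435200 1480435260 ACCEPT OK',
  '2 111122223333 eni-0a1b2c3d 10.0.2.49 10.0.1.10 43211 3306 6 3 180 1480435200 1480435260 REJECT OK',
  '2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.2.49 51000 22 6 1 60 1480435200 1480435260 REJECT OK',
  '2 111122223333 eni-0a1b2c3d - - - - - - - 1480435200 1480435260 - NODATA',
  '2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.2.49 0 0 1 2 128 1480435200 1480435260 REJECT OK',
];

for (const hit of unexpectedRejects(SAMPLE_LINES, VPC_CIDR)) console.log(hit.message);
```

Of the five lines only two are reported: the in-VPC TCP/3306 attempt and the in-VPC ICMP. The SSH REJECT from 198.51.100.7 is the security group doing its job against the Internet and is not news, and the NODATA row carries no packet at all. Each hit's message is what you would hand to the SNS publish call.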
140. Related Sessions
More About IAM:
• SAC317 - IAM Best Practices to Live By
• SEC311 - How to Automate Policy Validation
More About VPC:
• NET201 - Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options
• SEC401 - Automated Formal Reasoning About AWS Systems