AWS IAM and Amazon VPC offer powerful tools that help you adhere to the principle of least privilege in your resource permissions and network security settings. This workshop will start with the fundamentals of IAM and VPC security techniques and will give you hands-on experience in writing, testing, applying, troubleshooting, and auditing progressively more tightly scoped IAM policies. You will also get experience building and monitoring VPC security groups that grant only the access required to perform tasks.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
November 29, 2016
SEC302
Workshop:
Adhering to Least-Privilege Principles
Becky Weiss, Senior Principal Engineer, AWS

2. virtual private cloud
S3 bucket DynamoDB
table
SQS queue Amazon
Kinesis
stream
Application Load
Balancer
Amazon
Redshift cluster
RDS databaseEC2 instances
ECS tasks

3. Principle of Least Privilege: Definition
“In information security, computer science, and other fields,
the principle of least privilege requires that in a particular
abstraction layer of a computing environment, every
module must be able to access only the information and
resources that are necessary for its legitimate purpose.”
(Wikipedia)

4. Identity and Access Management (IAM)
IAM policy
Temporary
credentials
IAM role

5. Virtual Private Cloud (VPC)
security group
security group

6. Auditing, Monitoring and Troubleshooting
AWS
CloudTrail
Amazon
CloudWatch Events
and
CloudWatch Logs
AWS
Lambda

7. What to Expect from the Session
Hands-on practice working with IAM and Amazon VPC
• Techniques for scoping access and connectivity:
allowing exactly what you need.
• Techniques for debugging, auditing, and alarming.

8. Prerequisites
You will get the most out of this session if you:
• Have some experience with AWS
• Have an AWS account with a working, installed AWS CLI
• Know how to SSH to a Linux host
• Have some basic programming experience (examples
will be in JavaScript)

9. Handouts
Handouts zip file:
https://s3.amazonaws.com/awsiammedia/public/sample/Le
astPrivilegeWorkshopreInvent/SEC302_handouts.zip
Download and unzip it on your machine

10. Getting set up

11. Meet your neighbors!
Look to your left, look to your right…
Introduce yourself!
You’ll be working with your neighbor later in this workshop.

12. Setup Steps
AWS CLI CloudTrail Credentials and
keys
CloudFormation
setup template

13. Setup:
AWS Command Line Interface

14. Installing the CLI
OS-specific instructions:
http://docs.aws.amazon.com/cli/latest/userguide/installing.h
tml
Test it:
C:Usersbecky>aws --version
aws-cli/1.10.65 Python/2.7.9 Windows/7 botocore/1.4.55

15. Configuring the CLI
http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-
getting-started.html
Note: We will be using the us-west-2 region (Oregon) for
this workshop.

16. Setup Steps
AWS CLI CloudTrail Credentials and
keys
CloudFormation
setup template

17. Setup:
CloudTrail

19. Always run
CloudTrail

20. And we’ll come back later

21. Setup Steps
AWS CLI CloudTrail Credentials and
keys
CloudFormation
setup template

22. Setup:
IAM Users, Credentials, SSH
Keys

25. I actually could have shown
you these, since I later deleted
the user.
BUT: These are long-term
security credentials. Don’t
share or post them anywhere.

26. Configuring an IAM User Profile in the CLI
C:Usersbecky>aws configure --profile sec302demo
AWS Access Key ID [None]: AKIA*************
AWS Secret Access Key [None]:
***************************
Default region name [None]: us-west-2
Default output format [None]: json Use the credentials you
were given.

27. Use the CLI as Sec302DemoUser
C:Usersbecky>aws ec2 describe-vpcs --profile
sec302demo
An error occurred (UnauthorizedOperation) when
calling the DescribeVpcs operation: You are not
authorized to perform this operation.

28. Give the new user some
permissions

29. Handy filter
Attach it
IAM managed policies:
Predefined sets of
commonly-used policies.
You can also write your
own (and we will)

30. Test Access
> aws ec2 describe-vpcs --profile sec302demo
{
"Vpcs": [
{
"VpcId": "vpc-c6a649a1",
"InstanceTenancy": "default",
"State": "available",
"DhcpOptionsId": "dopt-e4650b80",
"CidrBlock": "172.31.0.0/16",
"IsDefault": true
}
]
}

32. Create an EC2 Key Pair For SSH Access
If you already have an SSH
key:
aws ec2 import-key-pair `
--profile sec302demo `
--key-name Sec302DemoSSH `
--public-key-material
file://c:tempSec302DemoPub.t
xt
To create a new SSH key:
aws ec2 create-key-pair `
--profile sec302demo `
--key-name Sec302DemoSSH
And save the KeyMaterial from the
response

33. Setup Steps
AWS CLI CloudTrail Credentials and
keys
CloudFormation
setup template

34. Setup:
CloudFormation Template

35. CloudFormation Stack Setup

36. CloudFormation Stack Setup
Handout:
sec302_setup_template.json

37. CloudFormation Stack Setup
Your email address
A name for the stack
Your SSH key name
Your IP address

38. The VPC You Just Created
virtual private cloud
VPC subnet
us-west-2b
VPC subnet
us-west-2a
VPC subnet
us-west-2c
0.0.0.0/0

39. The Application You Just Launched
virtual private cloud
VPC subnet
us-west-2b
VPC subnet
us-west-2a
VPC subnet
us-west-2c
0.0.0.0/0

40. Looking at your VPC

41. Your VPC Has Flow Logs Enabled
Logs will be delivered to this
CloudWatch Logs group.

42. Optional: Subscribe to SNS Topic

43. Setup Steps
AWS CLI CloudTrail Credentials and
keys
CloudFormation
setup template

44. Setup:
Test SSH Access

45. Launch an EC2 Instance
virtual private cloud
VPC subnet
us-west-2b
VPC subnet
us-west-2a
VPC subnet
us-west-2c
0.0.0.0/0
SSH security group

46. Use the SSH Security Group

47. Cheat sheet: Launch an EC2 instance
Handout: run_instances_cheat_sheet.txt
> aws ec2 run-instances --profile sec302demo
>> --image-id ami-7172b611
>> --instance-type t2.nano
>> --subnet-id $YOUR_SUBNET_ID
>> --security-group-ids $YOUR_SECURITY_GROUP_ID
>> --key-name Sec302DemoSSH
Resources created by the
SEC302 CloudFormation stack

48. Verify SSH Access
Test your ssh access, e.g.:
putty.exe -i c:tempSec302DemoPriv.ppk ec2-
user@52.24.192.187
You can now terminate this EC2 instance. We won’t need
it again.

49. All done setting up
Let’s get started

50. Introduction to IAM Roles
Beyond simple credentials

51. Granting Permissions, the Wrong Way
EC2 instance DynamoDB
table

52. Granting Permissions, the Right Way
EC2 instance
IAM role
DynamoDB
table

53. Granting Permissions, the Right Way
AWS Lambda
function
DynamoDB
table

54. Granting Permissions, the Right Way
Other AWS
accounts
DynamoDB
table

55. Hands-On with IAM Roles
We’ll create an IAM role with some very specific privileges

57. Create an IAM Role for an EC2 Instance

58. Create an IAM Role for an EC2 Instance
Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json

59. This will allow Amazon EC2 to
launch EC2 instances into this
IAM role.
Create an IAM Role for an EC2 Instance
Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json

60. Policy for the IAM Role: S3 Read-Only Access
Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json

61. Anatomy of an IAM Role
ARN for referring to it later
For use by EC2
Right now, permits all ReadOnly operations in S3.
(We’ll make this more restrictive later.)
Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json

62. Launch an EC2 instance
Launching with IAM role:
This EC2 Instance will have S3
ReadOnly permissions
Catchup CloudFormation template handout: ec2_instance_in_iam_role_template.json

63. Attempt Actions From the EC2 Instance
SSH to your EC2 instance, and from there, try some actions:
# Tell the CLI your default region
aws configure set default.region us-west-2
# This should work
aws s3 ls
# This should fail
aws s3 mb s3://this-will-fail
# This should fail
aws ec2 describe-instances

64. Where Are the Credentials?
There are credentials, but:
• They are completely hands-off: You don’t touch them.
• They are temporary and will expire; IAM will automatically rotate
them
To see them:
curl http://169.254.169.254/latest/meta-
data/iam/security-credentials/Sec302EC2Role; echo
EC2 Instance Metadata Service
Your role name

65. Making IAM Policy More Restrictive
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json

66. Making IAM Policy More Restrictive
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json

67. Making IAM Policy More Restrictive:
Choosing Specific Actions
Only the s3.GetObject action is
allowed
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json

68. Making IAM Policy More Restrictive:
Choosing Specific Actions
“*” means permission to s3.GetObject on
all S3 objects
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json

69. Making IAM Policy More Restrictive:
Delete the Old Policy
Detach this managed policy:
We’re going to write our own

70. Making IAM Policy More Restrictive:
Choosing Specific Actions
Our policy so far:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1474248983000",
"Effect": "Allow",
"Action": [ "s3:GetObject“ ],
"Resource": [ "*" ]
}
]
}
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json

71. Attempt Actions From the EC2 Instance
SSH to your EC2 instance, and from there, try some
actions:
# This should fail
aws s3 ls
# This should work: It is s3.GetObject
aws s3 cp
s3://awsiammedia/public/sample/LeastPrivilegeWorkshopr
eInvent/SEC302_handouts.zip .
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json

72. Making IAM Policy More Restrictive:
IAM Resource-Level Policies
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json

73. Making IAM Policy More Restrictive:
IAM Resource-Level Policies
In English: s3.ListBucket is allowed, only on the specified bucket, only when the prefix matches the
given pattern.
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": [ "s3:ListBucket" ],
"Condition" : {
"StringLike": {
"s3:prefix": "AWSLogs/111122223333/CloudTrail/*"
}
},
"Resource": [ "arn:aws:s3:::your-cloudtrail-bucket-name-here" ]
} ]
}
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
Use your own bucket name
Use your own account ID

74. Testing the ListBuckets Policy
SSH to your EC2 instance and try it:
[ec2-user@ip-10-0-2-49 ~]$ aws s3 ls
s3://$YOUR_CLOUDTRAIL_BUCKET/AWSLogs/$YOUR_ACCOUNT_ID/CloudTrai
l/us-west-2/2016/11/29/
2016-11-29 16:28:41 1213 778340376510_CloudTrail_us-west-
2_20161001T1625Z_k5gzl4muOxohMXeM.json.gz
2016-11-29 16:38:33 2311 778340376510_CloudTrail_us-west-
2_20161001T1630Z_50SqQyuABVqP5igQ.json.gz
2016-11-29 16:33:22 1881 778340376510_CloudTrail_us-west-
2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz
…
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json

75. Making IAM Policy More Restrictive:
IAM Resource-Level Policies
In English: s3.GetObject is allowed, only on objects matching the
given pattern.
Add this statement to your policy, inside Statement[]:
{
"Effect": "Allow",
"Action": [ "s3:GetObject“ ],
"Resource": [
"arn:aws:s3:::<YOUR_CLOUDTRAIL_BUCKET>/AWSLogs/<YOUR_ACCOUNT_ID>/CloudTrail/*" ]
}
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json
Use your own bucket name
and account ID

76. Testing the GetObject Policy
[ec2-user@ip-10-0-2-49 ~]$ aws s3 cp s3://becky-20161001-
cloudtrail/AWSLogs/778340376510/CloudTrail/us-west-
2/2016/10/01/778340376510_CloudTrail_us-west-
2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz .
download: s3://becky-20161001-
cloudtrail/AWSLogs/778340376510/CloudTrail/us-west-
2/2016/10/01/778340376510_CloudTrail_us-west-
2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz to
./778340376510_CloudTrail_us-west-
2_20161001T1630Z_m5PVy8DKqjCtq9pF.json.gz
Take a minute to unzip this and look at its contents:
# gunzip $CLOUD_TRAIL_FILE.gz
# sudo yum -y install jq
# jq .Records[0] $CLOUD_TRAIL_FILE
Catchup handout: ec2_instance_in_iam_role_policy_update_template.json

77. Reference: AWS Services That Work With IAM
Bookmark this page:
http://docs.aws.amazon.com/IAM/latest/UserGuide/referen
ce_aws-services-that-work-with-iam.html
This has pointers to how you can use IAM with each AWS
service.

78. Terminate the EC2 Instance You Launched
We will not need it anymore

79. Testing IAM Roles
Assuming IAM roles

80. Create an IAM Role: “Sec302RoleTestMe”

81. Grant access to your partner’s account
(or your own, if no partner)
Catchup CloudFormation template handout: iam_role_cross_account_template.json

82. Permissions for the IAM Role
Choose a managed policy in the creation wizard
Or write your own (inline policies). For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [ "ec2:DescribeInstances" ],
"Resource": [ "*" ]
}
]
}
Catchup CloudFormation template handout: iam_role_cross_account_template.json

83. Note the IAM Role ARN
Catchup CloudFormation template handout: iam_role_cross_account_template.json

84. Assuming Your Partner’s IAM Role
> aws sts assume-role --profile sec302demo `
--role-arn arn:aws:iam::111122223333:role/Sec302RoleTestMe `
--role-session-name MyTestSession
An error occurred (AccessDenied) when calling the
AssumeRole operation: User:
arn:aws:iam::410436118402:user/sec302demo is not
authorized to perform: sts:AssumeRole on resource:
arn:aws:iam::778340376510:role/Sec302RoleTestMe
Oops! What did we miss?
Your partner’s account

85. Policy Needed By Sec302DemoUser
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["sts:AssumeRole"],
"Resource":
["arn:aws:iam::<YOUR_PARTNERS_ACCOUNT_ID>:role/Sec302RoleTestMe"]
}
]
}
Catchup CloudFormation template handout: sts_assume_role_policy_template.json

86. Assuming the IAM Role
C:Usersbecky>aws sts assume-role --profile sec302demo --role-arn arn:aws:iam::
778340376510:role/Sec302RoleTestMe --role-session-name MyTestSession
{
"AssumedRoleUser": {
"AssumedRoleId": "AROAJCO64ENYICVBJQRWM:MyTestSession",
"Arn": "arn:aws:sts::778340376510:assumed-role/Sec302RoleTestMe/MyTestSe
ssion"
},
"Credentials": {
"SecretAccessKey": “****",
"SessionToken": “*****************",
"Expiration": "2016-09-21T16:57:03Z",
"AccessKeyId": "ASIA***********"
}
}
Temporary credentials: I could have shown them.
They have expired and are useless

87. Use the Temporary Credentials
> aws configure --profile sec302assumed
AWS Access Key ID [None]: *****
AWS Secret Access Key [None]:*************
Default region name [None]: us-west-2
Default output format [None]: json
> aws configure set aws_session_token
*************************** --profile
sec302assumed

88. Try the Temporary Credentials
# Should succeed
aws ec2 describe-instances --profile
sec302assumed
# Should fail
aws dynamodb list-tables --profile
sec302assumed

89. More on Permissions for IAM Roles
Permissions for IAM roles should be minimal.
Example yellow flags:
• iam:AssumeRole / iam:PassRole -- If needed, be
specific about the IAM role that this IAM role can
assume
• iam:PutRolePolicy -- Usually only for highly privileged
principals
!

90. Going Further: IAM Resource-Based Policies
Useful for cross-account access
Supported on some AWS resources, e.g. S3 buckets
Attach policy to the resource itself:
Analogous to access control lists
&&

91. Auditing API Call Events
Using CloudWatch Events + AWS Lambda to audit resource access

92. CloudWatch Events & AWS Lambda
CloudWatch Events:
AWS API calls via
CloudTrail
AWS LambdaCloudTrail

94. Lambda Function for CloudWatch Events
Created by the SEC302
CloudFormation stack

95. Lambda Function for CloudWatch Events

96. Setting Up the CloudWatch Events Rule

97. Setting Up the CloudWatch Events Rule

98. Setting Up the CloudWatch Events Rule
AWS API call via CloudTrail
We will see EC2 API calls
The SEC302 CloudFormation
stack created this.
Catchup CloudFormation handout: cloudwatch_events_aws_api_rule_template.json

99. Try it: Make EC2 API calls
Make some that succeed
Make some that fail
Get your partner to make some that fail, while
assuming your IAM role

100. Find Lambda Logs in CloudWatch Logs

101. Events Delivered to Your Lambda Function
{
…
"detail": {
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole", "principalId":
"AROAJCO64ENYICVBJQRWM:MyTestSession",
"arn": "arn:aws:sts::410436118402:assumed-
role/Sec302RoleTestMe/MyTestSession",
…
"eventTime": "2016-09-21T17:03:13Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "CreateVpc",
"awsRegion": "us-west-2",
"errorCode": "Client.UnauthorizedOperation",
"errorMessage": "You are not authorized to perform this operation.",
"requestParameters": { "cidrBlock": "192.168.0.0/16" },
…
Someone tried and failed to use
CreateVpc while assuming this role

102. You Can Do a Lot With These Events
Plenty of details there, including:
• Principal that attempted the call
• API method and request parameters
• Result: Success or error (with detail)
• Response
All of this is also in CloudTrail in S3
But Lambda functions can take actions: Ideas?

103. Sidebar: IAM Role for the Lambda Function

104. Sidebar: IAM Role for the Lambda Function
Managed policy “AWSLambdaBasicExecutionRole”:
Permits writing output to CloudWatch Logs

105. Sidebar: IAM Role for the Lambda Function
Inline policy “LambdaPublishToSNSTopic”:
Permits publishing to your SNS topic

106. Sidebar: IAM Role for the Lambda Function

107. Sidebar: IAM Role for the Lambda Function
Indicates that AWS Lambda can assume this IAM role
{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
} ]
},
…
}
AWS Lambda is allowed
to assume this role

108. Activity:
React to AWS API Events

109. Your Turn: Modify the Function Code
Try modifying the AWS Lambda function to do something
more interesting!
For example code that publishes to an SNS topic, see
handout: lambda_function_with_publish_to_sns.js

110. Another Idea:
Using CloudTrail to Audit Permissions
Least-privilege best practice: Audit IAM roles and users
against actual usage in CloudTrail
Does anyone have permissions that have gone unused?

111. VPC Security Groups
Privilege of Least Principle for Connectivity

112. Security Groups in a VPC
virtual private cloud
0.0.0.0/0

113. The Application We Are Running
virtual private cloud
VPC subnet
us-west-2b
VPC subnet
us-west-2a
VPC subnet
us-west-2c
0.0.0.0/0
SSH Security Group
ALB Security Group
Backend Security Group
ALLOW

114. Backend Security Group
Port 8080

115. ALB Security Group: Ingress

116. ALB Security Group: Egress
Port 8080

117. What You Are Running
virtual private cloud
VPC subnet
us-west-2b
VPC subnet
us-west-2a
VPC subnet
us-west-2c
0.0.0.0/0
ALB Security Group
Backend Security Group

118. Routing for Least-Privilege in a VPC
virtual private cloud
VPC subnet
us-west-2b
VPC subnet
us-west-2a
VPC subnet
us-west-2c
0.0.0.0/0

119. Routing for Least-Privilege in a VPC
virtual private cloud
VPC subnet
us-west-2b
VPC subnet
us-west-2a
VPC subnet
us-west-2c
0.0.0.0/0
VPC subnet
us-west-2b
VPC subnet
us-west-2a
VPC subnet
us-west-2c
Access to S3 via VPC Endpoints
Private subnets

120. VPC Flow Logs
Troubleshooting, Auditing, Monitoring, Analysis

121. VPC Flow Logs Are in CloudWatch Logs

122. VPC Flow Logs Are in CloudWatch Logs
Each ENI has its own stream

123. CloudWatch Logs Trigger for AWS Lambda
VPC Flow Logs in
CloudWatch Logs
AWS Lambda

124. Trigger a Lambda Function for VPC Flow Logs

125. Trigger a Lambda Function for VPC Flow Logs

126. Trigger a Lambda Function for VPC Flow Logs

127. Trigger a Lambda Function for VPC Flow Logs

128. Trigger a Lambda Function for VPC Flow Logs
Give it a name
Can leave blank
Your VPC Flow Log

129. VPC Flow Logs in CloudWatch Logs
Each ENI has its own stream

130. Inspecting VPC Flow Logs
10.0.0.117 = Me10.0.1.239 = ALB
Port 8080 = Backend port
ACCEPT

131. Inspecting VPC Flow Logs
Who’s this?
# dig +short -x 109.236.86.32
internetpolice.co.
REJECT
UDP Port 53 = DNS

132. VPC Flow Logs in Lambda
2016-09-24T21:53:46.264Z 5e20015f-82a1-11e6-b2ab-735d6b306893
{ "messageType": "DATA_MESSAGE",
"owner": "280328680831",
"logGroup": "VPCFlowLogs",
"logStream": "eni-18027f46-all",
"subscriptionFilters": [ "myTrigger" ],
"logEvents": [
{
"id": "32888099581059259498575118542779913238350648463663169536",
"timestamp": 1474753390000,
"message": "2 280328680831 eni-18027f46 10.0.2.92 10.0.2.98 8080 32906
6 5 650 1474753390 1474753446 ACCEPT OK"
},
…
Available after 10 mins

133. Expected and Unexpected REJECT Packets
virtual private cloud
0.0.0.0/0
From
Internet

134. Lambda Function for Unexpected REJECTs
Your turn: Do something interesting with VPC Flow Logs!
Idea: Try writing a Lambda function that notifies your SNS
topic when within-VPC traffic gets REJECTed.
The code in your Lambda function already unzips and
pretty-prints the messages.

135. Lambda Function for Unexpected REJECTs
Handout: vpc_flow_logs_rejects.js
Simple Lambda function for notifying an SNS topic
whenever a packet sent within the VPC gets rejected.

136. Wrap-up

137. Remember To Delete Resources You Created

138. virtual private cloud

139. Remember to complete
your evaluations!

140. Related Sessions
More About IAM:
• SAC317 - IAM Best Practices to Live By
• SEC311 - How to Automate Policy Validation
More About VPC:
• NET201 - Creating Your Virtual Data Center: VPC
Fundamentals and Connectivity Options
• SEC401 - Automated Formal Reasoning About AWS
Systems

141. Thank you!