Building a well-engaged and secure AWS account access management - FND207-R - AWS re:Inforce 2019

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Building a well-engaged and secure
AWS account access management
Marcus Fritsche
Global Solutions Architect
Amazon Web Services
F N D 2 0 7

Security, access, and
resource boundary
API limits/throttling
Billing separation
AWS account

Account models
One account
Thousands of
accounts
Your
accounts

Why one account isn’t enough
Billing
Many teams,
different access
Security/
compliance controls
Business process isolation
(Apps, SaaS)

Guardrails not blockers Auditable Flexible
Automated Scalable Self-service
Goals for a multi-account environment

Account access and security considerations
Baseline requirements
Lock
Enable !
Federate
Define and map
Establish
Identify

What AWS accounts do we need for our secure,
compliant multi-account environment?
Security
Shared services
Billing-admin
Dev Prod
Sandbox
OtherPre-prod/QA
Organizations account
Log archive Network

AWS Organizations master
Network path
Data center
No connection to
data center
Service control policies
Consolidated billing
Volume discount
Minimal resources
Limited access (e.g., restrict
Organizations role)

Core accounts – OU
Core accounts
Network path
Data center
Foundational
Building blocks
Once per organization
Have their own development
life cycle (dev/QA/prod)

Log archive account
Core accounts
Log archive
Network path
Data center
Amazon S3 bucket
(versioned, restricted, MFA
delete)
CloudTrail logs
Security logs
Single source of truth
Limited access and
alarm on user login

Security account
Core accounts
Log archive
Network Path
Data center
Optional data center
connectivity
Security tools and audit
GuardDuty Master,
FW-Manager
Cross-account read/write
automated tooling
Limited access
Security

Shared services account
Security
Core accounts
Log archive
Network Path
Data center
Connected to DC
DNS
LDAP/Active Directory
Shared services VPC
Deployment tools
Golden AMIs
Pipeline
Scanning infrastructure
Inactive instances
Improper tags
Snapshot life cycle
Monitoring
Limited access (IT-Ops)
Shared
services

Network account
Security
Core accounts
Shared
Services
Log archive
Network Path
Data center
Networking services
AWS Direct Connect (DX)
AWS DX Gateway
TGW, shared VPC
AWS Client VPN
Limited access
Managed by network team
Network

Developer sandbox (OU and SBX-accounts)
Security
Core accounts
Shared
Services
Network
Log archive
Network Path
No connection to DC
Innovation space
Fixed spending limit
Autonomous
Experimentation
Developer
sandbox
Developer accounts

Team/group accounts – OU
Developer
Sandbox
Security
Core accounts
Shared
Services
Network
Log archive
Network Path
Developer Accounts Data center
Based on level of needed
isolation
Match your development life
cycle
Think small
Team/group accounts

Dev
Developer
Sandbox
Team/group accounts
Security
Core accounts
Shared
Services
Network
Log archive
Network Path
Develop and iterate quickly
Collaboration space
Stage of SDLC
Dev

Preproduction
Developer
Sandbox
Dev
Team/group accounts
Security
Core accounts
Shared
Services
Network
Log archive
Network Path
Connected to data center
Production-like
Staging
Testing automated
deployment
Pre-prod

Production
Developer
Sandbox
Dev Pre-prod
Team/group accounts
Security
Core accounts
Shared
Services
Network
Log archive
Network Path
Connected to data center
Production applications
Promoted from pre-prod
Limited access (RO-only?)
Automated deployments
Prod

Team shared services
Developer
Sandbox
Dev Pre-prod
Team/group accounts
Security
Core accounts
Shared
Services
Network
Log archive Prod
Network Path
Grows organically
Shared to the team
Product-specific common
services
Data lake
Common tooling
Common services
Team shared
services

Multi-account approach
Developer
sandbox
Dev Pre-prod
Team/group accounts
Security
Core accounts
Shared
services
Network
Log archive Prod
Team shared
services
Network path
Developer accounts Data center
Orgs: Account management
Log archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: DX
Dev sandbox: Experiments, learning
Dev: Development
Pre-prod: Staging
Prod: Production
Team shared service: Team services, data lake,
common AWS Cognito, etc.

AWS Landing Zone structure – Basic
AWS Organizations
Shared services Log archive a Security
Organizations account
• Account provisioning
• Account access (SSO)
Shared services account
• Active directory
• Log analytics
Log archive
• Security logs
Security account
• Audit/break-glass

AWS Landing Zone structure – with add-ons
AWS Organizations
Shared Services Log Archive Security
Log Archive
• Security Logs
Security Account
• Audit / Break-glass
Parameter
Store
Organizations Account
• Account Provisioning
• Account Access (SSO)
Shared Services Account
• Active Directory
• Log Analytics

The AWS Landing Zone pipeline
Source Validate/Build/Test
Deploy Core
Account Structure
and Policies
Deploy Core
Resources
Deploy Service
Catalog
Portfolio/Products
Deploy Baseline
Resources
Launch AVM for Core
accounts
AWS
Organizations AWS Account
Baseline StackSets
AWS Service
Catalog
Core
StackSet
AWS Service
Catalog
Landing Zone
Configuration ZIP file
AWS CodeBuild
Organizations /
SCP State
Machine
State Machine
Trigger
Lambda
StackSet
State
Machine
Service
Catalog State
Machine
StackSet
State
Machine
Launch AVM
State
Machine
AWS Landing Zone Master
Configuration
AWS
CodeBuild

Organizations (cross-account access)
Dev Pre-prod
Security
Core accounts
Shared
services
Network
ProdTeam shared
services
Developer Accounts
Log archive
Team/group accounts

AWS Organizations (no cross-account access)
Dev Pre-prod
Security
Core accounts
Shared
services
Network
ProdTeam shared
services
Developer Accounts
Log archive
Team/group accounts
• Log archive
• Security
• Backups
• PCI

The AWS Landing Zone solution
An easy-to-deploy solution that automates the setup
of new AWS multi-account environments
Based on AWS best
practices and
recommendations
Initial security
and governance controls
Baseline accounts
and account
vending machine
Automated
deployment

The AWS Landing Zone solution
• Automate the creation of an AWS Landing Zone (best practice blueprints),
account factory, and AWS Single Sign-On (SSO)
• Enable curated guardrails
=> on-going policy enforcement
• Dashboard for continuous visibility
=> Visual summaries of your AWS environment

The AWS Landing Zone solution: The Dashboard for Oversight

Access management authorization with
IAM policies and secure control policies
(SCPs)

AWS Organizations (enable all features mode)
Developer
sandbox
Dev Pre-prod
Team/group accounts
Security
Core accounts
Shared
services
Network
Log archive ProdTeam shared
services
Developer accounts
Single AWS
account
Developer
Sandbox
Dev Pre-prod
Team/group accounts
Security
Core accounts
Shared
services
Network
Log archive ProdTeam shared
services
Developer accounts

IAM and AWS Organizations
Developer
Sandbox
Dev Pre-prod
Team/group accounts
Security
Core accounts
Shared
Services
Network
Log archive ProdTeam Shared
Services
Developer Accounts
Single AWS
Account
* IAM policies * SCPs (service control policies)
* Manage ARN * Manage APIs
* Start from DENIED * Start from ALLOWED
* Assigned to roles and groups * Assigned to OUs and AWS accounts
* Not for root credentials, AWS Support,
Amazon CloudFront, Alexa, etc.

IAM and SC policies
Developer
Sandbox
Dev Pre-prod
Team/group accounts
Security
Core accounts
Shared
Services
Network
Log archive ProdTeam Shared
Services
Developer Accounts
Single AWS
Account
• Choose a service
• Define actions for the service
• Apply resources for actions
• Specify condition for actions
• Effect: Deny or Allow
• Choose a service
• Define actions for the service
• Apply resource = “*”

IAM policies
• JSON-formatted set of instructions
which define permission
• Contain a statement (permissions)
that specifies:
• which actions a principal can
perform
• which resources can be accessed
{
"Statement":[{
"Effect":"effect",
"Principal":"principal", who
"Action":"action", what
"Resource":"arn", where
"Condition":{ if
"condition":{
"key":"value" }
}
}
]
}

IAM policy: Resource and conditions
• Resources and services
Defined uniquely by an Amazon resource name (ARN)
• Contain a statement (permissions) that specifies:
• which actions a principal can perform
• which resources can be accessed
arn:aws:service:region:account:resource…

IAM policies and SCPs
IAM
policies
Organizations
SCP = Effective
right
Group
User
Role
Account
OU
∩
intersection
Service
User

SCPs and IAM – Policies to protect
Organizations
. SCP
Identity-
based
policy
Effective
permission
1
2
3 Allow: S3:*
Allow: EC2:*
SCP
Allow: SQS:*
Allow: EC2:*
IAM permissions

Permissions boundaries for IAM entities(user or role)
Set the maximum permissions that
an identity-based policy can grant to an
IAM entity
The entity can perform only the actions
that are allowed by both its identity-
based policies and its permissions
boundaries

Organizations SCPs
Organizations
. SCP
Permissions
boundary
Identity-
based
policy
Effective
permission
1
2 3
4
5
6 7

Resource-based policies
Resource-based
policy
Permissions
boundary
Identity-
based
policy
Effective
permission
1
2 3
4
5
6 7

Session policies
Session
policy
Permissions
boundary
Identity-
based
policy
Effective
permission
1
2 3
4
5
6 7

IAM policies – Evaluation logic

Access best practice
• Restrict root and master account access
• Monitor activities as root and in the Organizations
Master
• Use consolidated user management/SAML
• Use principal of “least privilege” (role-based access)
• Assign SCPs to OUs and test with dedicated OUs
• Avoid “whitelisting” and “blacklisting”

Fun part – AWS Well-Architected Tool review

Workshop details & steps
https://chilp.it/f546818
https://mf-aws.s3.amazonaws.com/events/Reinforca2019-
WorkshopFND.htm
http://mf-aws.s3.amazonaws.com/events/Workshop-
Guide2019062b.pdf
Your AWS Support Team:
• Shahab Mohsen smohsen@amazon.com
• Sirirat Kongdee siriratk@amazon.com
• Kevin Dobbins kdobbin@amazon.nl
• Jonathan Jenkyn jjenkyn@amazon.co.uk
• Sean Leviseur slevise@amazon.com
• Pablo Salazar, pablosal@amazon.com
• Marcus Fritsche mafritsc@amazon.de

Whiteboard session: Useful service control and IAM policies
• SCP: No access to foundational setup services (CloudTrail, DX, etc.)
• IAM-Identity:
• Full-Admin
• IAM-User-Adm; IAM-Role Adm
• Server-Admin, only if Tag = “CostCode22”
• Permission boundary
• Resource permission

Next steps – Action required
• Build your AWS account segmentation strategy
• Set up AWS Landing Zone/Control Tower
• Search train your policy ninja
• Iterate on SCPs and IAM policies—automated using scripts!
• Use AWS security audits and WARs to check and challenge!
? What did I say that you should not forget?

Next steps – Action required
• Build your AWS account segmentation strategy
• Set up AWS Landing Zone/Control Tower
• Search train your policy ninja
• Iterate on SCPs and IAM policies—automated using scripts!
• Use AWS security audits and WARs to check and challenge!
• Enable CloudTrail, AWS Config, GuardDuty

Thank you!
Marcus Fritsche
mafritsc@amazon.de

Building a well-engaged and secure AWS account access management - FND207-R - AWS re:Inforce 2019

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Building a well-engaged and secure AWS account access management - FND207-R - AWS re:Inforce 2019

Similar to Building a well-engaged and secure AWS account access management - FND207-R - AWS re:Inforce 2019 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Building a well-engaged and secure AWS account access management - FND207-R - AWS re:Inforce 2019