© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Deep dive into AWS IAM
Jesse Fuchs
Security Solutions Architect
Amazon Web Services
February 2019
Floor28
What to expect from this session
• AWS IAM core concepts
• Policy types
• Policy evaluation logic
• Boundary types
• Policy evaluation logic with boundaries
Considerations for layers of principals
Operating Systems
• Identities: Developers and/or Systems Engineers
Applications
• Identities: Application Users, Application Administrators
Amazon Web Services
• Identities: Developers, Solutions Architects, Testers, Software/Platform
• Interaction of AWS Identities:
  • Provisioning/deprovisioning EC2 instances and EBS storage.
  • Configuring Elastic Load Balancers.
  • Accessing S3 Objects or data in DynamoDB.
  • Accessing data in DynamoDB.
  • Interacting with SQS queues.
  • Sending SNS notifications.
AWS Principals
Account Owner ID (Root Account)
• Access to all subscribed services.
• Access to billing.
• Access to console and APIs.
• Access to Customer Support.
AWS Identity and Access Management (IAM)
• Access to specific services.
• Access to console and/or APIs.
• Access to Customer Support (Business and Enterprise).
AWS Identity and Access Management (IAM)
Enables you to control who can do what in your AWS account
• IAM Users
• IAM Groups
• IAM Roles
• Policies
AWS IAM Policy Types
• Identity-based policies
• Resource-based policies
• Access Control Lists
AWS IAM Policy Types – Identity-based policies
Policy permission category: Policies > Identity-based policies (alongside Resource-based policies and Access control lists (ACLs))
• JSON-formatted documents
• Attached to a principal (or identity)
• Contains a statement (permissions) that specifies what actions that identity can perform, on which resources, and under what conditions.
• Statement elements: Principal (implicit), Action, Resource, Condition
AWS IAM Policy Types – Resource-based policies
Policy permission category: Policies > Resource-based policies (alongside Identity-based policies and Access control lists (ACLs))
• JSON-formatted documents
• Attached to a resource
• Contains a statement (permissions) that specifies what actions a specified principal can perform on that resource and under what conditions.
• Statement elements: Principal, Action, Resource, Condition
AWS IAM Policy Types – Access control lists (ACLs)
Policy permission category: Policies > Access control lists (ACLs) (alongside Identity-based and Resource-based policies)
• Manage access to buckets and objects
• Contains a Grantee and Permissions
AWS IAM Identity-Based Policy Example
Identity-based policy attached to AWS IAM user Alice:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*"
    }
  ]
}
AWS IAM Identity-Based Policy Example (with a condition)
Identity-based policy attached to AWS IAM user Alice; the allow applies only to objects tagged classification=sensitive:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/classification": "sensitive"
        }
      }
    }
  ]
}
AWS IAM Resource-Based Policy Example
Resource-based policy attached to the Amazon S3 bucket; the Principal element is explicit and here allows anyone ("*"):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*"
    }
  ]
}
AWS IAM Resource-Based Policy Example (with a condition)
Resource-based policy attached to the Amazon S3 bucket; the open Principal is narrowed by a source-IP condition:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.143.0/24"
        }
      }
    }
  ]
}
AWS IAM Policy Evaluation Logic
1. Decision starts at Deny.
2. Evaluate all applicable policies:
   • AWS retrieves all policies associated with the user and resource.
   • Only policies that match the action and conditions are evaluated.
3. Explicit Deny? Yes: Final decision = "deny". If a policy statement has a deny, it trumps all other policy statements.
4. No explicit deny. Allow? Yes: Final decision = "allow". Access is granted if there is an explicit allow and no deny.
5. No allow: Final decision = "deny" (default deny). By default, an implicit (default) deny is returned.
AWS IAM Policy Evaluation Logic – Example 1
Policy types considered: ACL, Identity-Based Policy, Resource-Based Policy
• Identity-based policy attached to AWS IAM user Alice:
  Effect: Allow / Action: s3:GetObject / Resource: *
• Resource-based policy attached to the Amazon S3 bucket:
  Effect: Deny / Principal: * / Action: s3:GetObject / Resource: *
Resulting Permission: X GetObject (the explicit deny in the bucket policy trumps the allow)
AWS IAM Policy Evaluation Logic – Example 2
Policy types considered: Identity-Based Policy (EC2 IAM Role), Resource-Based Policy (VPC Endpoint)
• Identity-based policy attached to the AWS IAM role (ARN 1) used by the AWS EC2 instance:
  Effect: Allow / Action: s3:GetObject / Resource: *
• Resource-based policy attached to the Amazon S3 bucket:
  Effect: Allow / Principal: * / Action: s3:GetObject / Resource: *
• Resource-based policy attached to the AWS VPC Endpoint (Gateway) that the instance reaches S3 through:
  Effect: Allow / Principal: ARN 2 / Action: * / Resource: *
Resulting Permission: X GetObject (the endpoint policy only allows ARN 2, so the request from the role ARN 1 is not allowed on that path)
AWS IAM Policy Evaluation Logic – Example 3
Policy types considered: Identity-Based Policy (EC2 IAM Role)
• AWS Account 1, AWS IAM Role, identity-based policy:
  Effect: Allow / Action: s3:GetObject / Resource: *
• AWS Account 2, AWS IAM Role, trust relationship:
  Effect: Allow / Principal: AWS Account 1 / Action: sts:AssumeRole / Resource: *
Resulting Permission: X AssumeRole (the Account 1 role's identity-based policy does not allow sts:AssumeRole)
AWS IAM Policy Evaluation Logic – Example 3 (continued)
Policy types considered: Identity-Based Policy (EC2 IAM Role), Resource-Based Policy (Trust Relationship)
• AWS Account 1, AWS IAM Role, identity-based policy:
  Effect: Allow / Action: sts:AssumeRole / Resource: *
• AWS Account 2, AWS IAM Role, trust relationship (resource-based policy):
  Effect: Allow / Principal: AWS Account 1 / Action: sts:AssumeRole / Resource: *
Resulting Permission: AssumeRole (allowed: both the identity-based policy and the trust relationship allow it)
AWS IAM Boundary Types
• Organization SCPs
• Permission Boundaries
Service Control Policies (SCPs)
Policy permission category: Boundaries > Organization SCPs (alongside Permission Boundaries)
• Enables you to control which AWS service APIs are accessible.
  - Define the list of APIs that are allowed – whitelisting.
  - Define the list of APIs that must be blocked – blacklisting.
• Cannot be overridden by local administrator.
• Resultant permission on IAM user/role is the intersection between the SCP and assigned IAM permissions.
SCP Effective Permissions – Venn diagram
[Venn diagram: the Service Control Policy (defined by the admin) overlaps the Identity-based policies (defined by the developer); the overlap is the resulting permission]
Service Control Policies (SCPs)
Whitelisting Example (only the listed services are reachable):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "redshift:*",
        "elasticache:*"
      ],
      "Resource": "*"
    }
  ]
}
Blacklisting Example (everything is reachable except the listed action):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "cloudtrail:DeleteTrail",
      "Resource": "*"
    }
  ]
}
Permission Boundaries
Policy permission category: Boundaries > Permission Boundaries (alongside Organization SCPs)
• Mechanism to delegate the permission to create users and/or roles while preventing privilege escalation or unnecessarily broad permissions.
• Method to safely grant actions like:
  "iam:CreateRole"
  "iam:PassRole"
Before and After Permission Boundaries
Before
• Certain IAM policy actions (e.g. PutUserPolicy, AttachRolePolicy) are essentially full admin-like permissions.
• Doing any form of self-service permissions management was non-trivial.
Now
• Administrators can grant these full admin-like permissions, but specify a "permissions boundary."
• Allows developers to create principals for their applications and attach policies, but only within the boundary.
Use Cases
• Developers that need to create roles for Lambda functions
• Application owners that need to create roles for EC2 instances
• Admins that need to be able to create users for particular use cases
• Any others?
Just the facts
• Supported only for users and roles
• The mechanism at the policy level is just a condition context key
• Not all IAM actions support the condition context key
• It's just a managed policy
• The user or role can do only the actions allowed by both the attached identity-based policies and the permissions boundary
Permission Boundary – workflow
• Admins create delegated admins.
  Requirement: users and roles created by delegated admins must have a permissions boundary.
• Delegated admins create "bound" IAM users and roles.
  Ability: can create users and roles that have permissions boundaries attached.
• Users and roles restricted by permissions boundaries.
  Result: the permissions boundary restricts the permissions of the users and roles.
• Restricted resources: permissions for resources are restricted.
  Permissions of the roles attached to resources like Lambda functions (Role Permissions, Lambda Function Role Permissions) are limited by the permissions boundary.
An IAM condition context key
"Condition": {
  "StringEquals": {
    "iam:PermissionsBoundary": "arn:aws:iam::ACCOUNT_ID:policy/permissionboundary"
  }
}
… applied to principal creation actions (users and roles)
"Effect": "Allow",
"Action": [ "iam:CreateRole" ],
"Resource": [ "arn:aws:iam::ACCOUNT_ID:role/path/" ],
"Condition": {
  "StringEquals": {
    "iam:PermissionsBoundary": "arn:aws:iam::ACCOUNT_ID:policy/permissionboundary"
  }
}
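The statement above is the core of the delegation pattern: the delegated admin may call iam:CreateRole only when the new role is created with the named boundary attached. Below is an added example, not the deck's or AWS's code, that builds a complete delegated-admin policy around that condition and lints any policy for principal-creating grants that lack it. The account id 123456789012, the role/user path "app/" and the policy name are constructed placeholders; the second, Deny statement goes beyond the deck's snippet and stops the delegated admin from detaching or editing the boundary itself.

```python
"""Delegated-admin policy that pins iam:PermissionsBoundary, plus a linter that
flags principal-creating grants without that condition. Added example, not the
deck's code; the account id, paths and policy name are constructed placeholders."""
import fnmatch

ACCOUNT_ID = "123456789012"  # constructed placeholder
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/permissionboundary"

# Actions that create a principal or hand it permissions. Each Allow of these
# must carry the iam:PermissionsBoundary condition, or the delegated admin could
# mint an unbounded role. iam:PassRole is scoped by Resource instead (the deck
# notes that not every IAM action supports the condition key), so it is not listed.
PRINCIPAL_GRANT_ACTIONS = (
    "iam:CreateRole", "iam:CreateUser",
    "iam:AttachRolePolicy", "iam:AttachUserPolicy",
    "iam:PutRolePolicy", "iam:PutUserPolicy",
)


def delegated_admin_policy(account_id=ACCOUNT_ID, boundary_arn=BOUNDARY_ARN):
    """Identity-based policy for a delegated admin (layout is an assumption)."""
    bound_principals = [f"arn:aws:iam::{account_id}:role/app/*",
                        f"arn:aws:iam::{account_id}:user/app/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CreateBoundPrincipals",
                "Effect": "Allow",
                "Action": list(PRINCIPAL_GRANT_ACTIONS),
                "Resource": bound_principals,
                "Condition": {"StringEquals": {"iam:PermissionsBoundary": boundary_arn}},
            },
            {
                # Goes beyond the deck's snippet: the boundary is only as strong as
                # the controls on the boundary policy itself and on its attachment.
                "Sid": "ProtectTheBoundary",
                "Effect": "Deny",
                "Action": [
                    "iam:DeleteRolePermissionsBoundary", "iam:DeleteUserPermissionsBoundary",
                    "iam:CreatePolicyVersion", "iam:DeletePolicy",
                    "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion",
                ],
                "Resource": bound_principals + [boundary_arn],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def unbounded_grants(policy):
    """Return the Sid (or index) of every Allow statement that grants one of
    PRINCIPAL_GRANT_ACTIONS, directly or through a wildcard such as iam:* or
    iam:Create*, without pinning iam:PermissionsBoundary via StringEquals."""
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        risky = any(fnmatch.fnmatchcase(granted.lower(), p)
                    for granted in PRINCIPAL_GRANT_ACTIONS for p in patterns)
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PermissionsBoundary")
        if risky and not pinned:
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


# Constructed counter-example: the "just give them iam:*" grant the deck warns about.
UNSAFE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Action": "iam:Get*", "Resource": "*"},
        {"Sid": "FullIam", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("delegated admin findings:", unbounded_grants(delegated_admin_policy()))
    print("unsafe policy findings:  ", unbounded_grants(UNSAFE_POLICY))
```

The linter is deliberately strict about wildcards: an Action of iam:* or iam:Create* covers iam:CreateRole just as a literal entry does, so it is reported unless the statement pins the boundary. Run it over the identity-based policies of every principal that is allowed to create principals.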
But, it's just an IAM policy right?
An IAM role has two slots, each holding an IAM policy: the identity-based policy slot (holding the identity-based policy) and the permissions boundary slot (holding the permissions boundary).
AWS IAM Delegated Administration – Demo
• User requirements:
  • Lambda function that reads from an S3 bucket
  • Lambda function must have an IAM role to access the bucket
  • Role must be created with the correct permissions
• Company requirements:
  • Policies attached to the role must not allow privilege escalation or unneeded permissions
  • Don't get in the way of the user
Demo workflow:
• Admin creates: policy for a user (plus read only policies), permissions boundary policy
• Delegated admin (the User) creates: policy for a role, Role, Lambda function
• Lambda function restricted by permissions boundary (Lambda Function Role Permissions)
https://awssecworkshops.com/
Everything after authentication
1. Authenticate the principal
2. Determine which policies apply to the request
3. Evaluate the different policy types that apply; the policy types affect the order in which they are evaluated
4. Allow or Deny the request
PB Effective Permissions – Venn diagram
[Venn diagram: the Permissions boundary (defined by the admin) overlaps the Identity-based policies (defined by the developer); the overlap is the resulting permission]
Effective permissions – mechanism
[Diagram, step 1: an API request passes through the identity-based policy; if an explicit deny does not stop it, the request is allowed]
Effective permissions – mechanism
[Diagram, step 2: the API request passes through both the identity-based policy and the permissions boundary; the resulting permission is what both allow, and an explicit deny in either stops the request]
Effective permissions – mechanism
[Diagram, step 3: for the API request, the identity-based policy and the permissions boundary each return one of Explicit deny, Implicit deny or Allow]
Effective permissions – allow example
[Diagram: the API request gets Allow from the identity-based policy and Allow from the permissions boundary; request allowed]
Effective permissions – scenario 1
Request: s3:GetObject / bucket name: example1
Identity-based Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}
Permissions boundary
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}
Effective permissions – result (scenario 1)
[Diagram: API request s3:GetObject; identity-based policy: Allow; permissions boundary: Implicit deny; request denied]
Effective permissions – result (scenario 1, with two identity-based policies)
[Diagram: API request s3:GetObject; identity-based policy 1 and identity-based policy 2 are evaluated together and yield Allow; permissions boundary: Implicit deny; request denied]
Effective permissions – scenario 2
Request: s3:GetObject / bucket name: example1
Identity-based Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}
Permissions boundary
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example1/*"
    }
  ]
}
Effective permissions – result (scenario 2)
[Diagram: API request s3:GetObject; identity-based policy: Allow; permissions boundary: Allow; request allowed]
Effective permissions – scenario 3
Request: s3:GetObject / bucket name: example1
Identity-based Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
Permissions boundary
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example1/*"
    }
  ]
}
Effective permissions – result (scenario 3)
[Diagram: API request s3:GetObject; identity-based policy: Implicit deny; permissions boundary: Allow; request denied]
AWS IAM Policy Prioritization with Boundaries
[Diagram: the resulting permission is the intersection of the service control policy, the permissions boundary, the identity-based policy and the session policy]
AWS IAM Policy Prioritization with Boundaries
[Diagram, within one AWS Account: an API request passes through the SCPs, the permissions boundary, the identity-based policy and the session policy, with the resource-based policy also evaluated; an explicit deny anywhere stops it, otherwise the request is allowed]
AWS IAM Policy Prioritization with Boundaries
[Diagram, cross-account: a request from AWS Account 1 (outside of the OU) to a resource in AWS Account 2 gets a full evaluation of all applicable policies, including the resource-based policy in Account 2; an explicit deny stops it, otherwise the request is allowed]
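The evaluation flowchart earlier in the deck (decision starts at deny, an explicit deny trumps everything, otherwise an allow wins, else implicit deny), the three boundary scenarios and the prioritization slides above all reduce to one rule: every applicable layer must allow, and any explicit deny wins. The following small model replays them. It is an added example, not AWS's or the deck's code: it matches Action and Resource only (no Condition, NotAction/NotResource or session policies), treats the boundary and SCPs as hard intersections, and does not model the same-account case where a resource-based policy grants a principal directly. The object key report.csv and the full-admin identity policy are constructed; the other policies are the deck's own, transcribed as Python dicts.

```python
"""Toy model of the evaluation order in this deck (flowchart, scenarios 1-3,
prioritization with boundaries). Added example, not AWS code. It ignores
Condition, NotAction/NotResource, session policies and the same-account
case where a resource-based policy grants the principal directly."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """Does this statement cover the action/resource pair? IAM action names are
    case-insensitive and '*' wildcards are allowed in both fields."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def decide(policies, action, resource):
    """The flowchart for one set of policies: decision starts at deny, an
    explicit Deny trumps everything, otherwise any Allow wins, else implicit deny."""
    verdict = "implicit_deny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            verdict = "allow"
    return verdict


def effective(action, resource, identity=(), resource_based=(), boundary=None, scps=()):
    """Combine the layers from the prioritization slide: identity-based and
    resource-based policies are evaluated together; the permissions boundary and
    the SCPs each act as a separate intersection that must also allow."""
    layers = [("identity/resource-based policies",
               decide(list(identity) + list(resource_based), action, resource))]
    if boundary is not None:
        layers.append(("permissions boundary", decide([boundary], action, resource)))
    if scps:
        layers.append(("SCP", decide(list(scps), action, resource)))
    for name, verdict in layers:
        if verdict == "explicit_deny":
            return "deny", f"explicit deny in {name}"
    for name, verdict in layers:
        if verdict == "implicit_deny":
            return "deny", f"implicit deny in {name}"
    return "allow", "allowed by every applicable layer"


# The deck's policies as Python dicts; OBJECT and ADMIN are constructed.
LOGS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
OBJECT = "arn:aws:s3:::example1/report.csv"
ADMIN = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
IDENTITY_S3_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": LOGS + ["s3:*"], "Resource": "*"}]}
IDENTITY_LOGS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": LOGS, "Resource": "*"}]}
BOUNDARY_LOGS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": LOGS, "Resource": "arn:aws:logs:*:*:*"}]}
BOUNDARY_LOGS_EXAMPLE1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": LOGS, "Resource": "arn:aws:logs:*:*:*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example1/*"}]}
BUCKET_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": "*"}]}
SCP_BLACKLIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "cloudtrail:DeleteTrail", "Resource": "*"}]}
SCP_WHITELIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "redshift:*", "elasticache:*"], "Resource": "*"}]}


def run_deck_scenarios():
    """Replay the deck's examples; each value is ('allow' or 'deny', reason)."""
    get = "s3:GetObject"
    return {
        # Evaluation logic example 1: identity allows, bucket policy explicitly denies.
        "example1": effective(get, OBJECT, identity=[IDENTITY_S3_ALL], resource_based=[BUCKET_DENY]),
        # Scenario 1: identity has s3:*, boundary only covers logs.
        "scenario1": effective(get, OBJECT, identity=[IDENTITY_S3_ALL], boundary=BOUNDARY_LOGS_ONLY),
        # Scenario 2: both identity and boundary allow GetObject on example1.
        "scenario2": effective(get, OBJECT, identity=[IDENTITY_S3_ALL], boundary=BOUNDARY_LOGS_EXAMPLE1),
        # Scenario 3: boundary allows, but the identity-based policy never mentions S3.
        "scenario3": effective(get, OBJECT, identity=[IDENTITY_LOGS_ONLY], boundary=BOUNDARY_LOGS_EXAMPLE1),
        # SCP blacklist: even a full admin cannot delete the trail.
        "scp_blacklist": effective("cloudtrail:DeleteTrail", "*", identity=[ADMIN], scps=[SCP_BLACKLIST]),
        # SCP whitelist: S3 is not in the list, so a full admin still cannot read.
        "scp_whitelist": effective(get, OBJECT, identity=[ADMIN], scps=[SCP_WHITELIST]),
    }


if __name__ == "__main__":
    for name, (decision, reason) in run_deck_scenarios().items():
        print(f"{name:14} {decision:5} ({reason})")
```

The reason string says which layer produced the deny, which is the first thing to look at when a request fails: an implicit deny in the boundary means the admin's policy needs a statement, an implicit deny on the identity side means the developer's policy does, and an explicit deny anywhere cannot be fixed by adding allows.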
AWS IAM Policy Categories
Policy permission categories:
• Boundaries
  • Organization SCPs
  • Permission Boundaries
• Policies
  • Identity-based policies
  • Resource-based policies
  • Access control lists (ACLs)
Thank You!
Floor28

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Deep dive into AWS IAM

• 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
  Deep dive into AWS IAM
  Jesse Fuchs, Security Solutions Architect, Amazon Web Services
  February 2019, Floor28
• 2. What to expect from this session
  • AWS IAM core concepts
  • Policy types
  • Policy evaluation logic
  • Boundary types
  • Policy evaluation logic with boundaries
• 3. Considerations for layers of principals
  Operating Systems
  • Identities: Developers and/or Systems Engineers
  Applications
  • Identities: Application Users, Application Administrators
  Amazon Web Services
  • Identities: Developers, Solutions Architects, Testers, Software/Platform
  • Interaction of AWS Identities:
    - Provisioning/deprovisioning EC2 instances and EBS storage.
    - Configuring Elastic Load Balancers.
    - Accessing S3 objects or data in DynamoDB.
    - Accessing data in DynamoDB.
    - Interacting with SQS queues.
    - Sending SNS notifications.
• 4. Considerations for layers of principals (build step of slide 3; same content)
• 5. AWS Principals
  Account Owner ID (Root Account)
  • Access to all subscribed services.
  • Access to billing.
  • Access to console and APIs.
  • Access to Customer Support.
  AWS Identity and Access Management (IAM)
  • Access to specific services.
  • Access to console and/or APIs.
  • Access to Customer Support (Business and Enterprise).
• 6. AWS Identity and Access Management (IAM)
  IAM Users, IAM Groups, IAM Roles, Policies
  Enables you to control who can do what in your AWS account.
• 7. AWS IAM Policy Types
  • Identity-based policies
  • Resource-based policies
  • Access Control Lists
• 8. AWS IAM Policy Types: identity-based policies
  (Diagram: policy permission categories. Policies: identity-based policies, resource-based policies, access control lists (ACLs).)
  Elements: Principal (implicit), Action, Resource, Condition
  • JSON-formatted documents
  • Attached to a principal (or identity)
  • Contains a statement (permissions) that specifies what actions that identity can perform, on which resources, and under what conditions.
• 9. AWS IAM Policy Types: resource-based policies
  (Diagram: same policy permission categories.)
  Elements: Principal, Action, Resource, Condition
  • JSON-formatted documents
  • Attached to a resource
  • Contains a statement (permissions) that specifies what actions a specified principal can perform on that resource, and under what conditions.
• 10. AWS IAM Policy Types: access control lists (ACLs)
  (Diagram: same policy permission categories.)
  • Manage access to buckets and objects
  • Contains a Grantee and Permissions
• 11. AWS IAM Identity-Based Policy Example
  Identity-based policy attached to AWS IAM User (Alice):
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::examplebucket/*"
      }
    ]
  }
• 12. AWS IAM Identity-Based Policy Example (with condition)
  Identity-based policy attached to AWS IAM User (Alice); the allow applies only to objects tagged classification=sensitive:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::examplebucket/*",
        "Condition": {
          "StringEquals": {
            "s3:ExistingObjectTag/classification": "sensitive"
          }
        }
      }
    ]
  }
• 13. AWS IAM Resource-Based Policy Example
  Bucket policy on the Amazon S3 bucket; note the explicit Principal element:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "AWS": "*" },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::examplebucket/*"
      }
    ]
  }
• 14. AWS IAM Resource-Based Policy Example (with condition)
  Same bucket policy, restricted to requests whose source IP is in 192.168.143.0/24:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "AWS": "*" },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::examplebucket/*",
        "Condition": {
          "IpAddress": {
            "aws:SourceIp": "192.168.143.0/24"
          }
        }
      }
    ]
  }
• 15. AWS IAM Policy Evaluation Logic
  • Decision starts at Deny.
  • Evaluate all applicable policies: AWS retrieves all policies associated with the user and resource; only policies that match the action and conditions are evaluated.
  • Explicit Deny? Yes → final decision = "deny". If a policy statement has a deny, it trumps all other policy statements.
  • No → Explicit Allow? Yes → final decision = "allow". Access is granted if there is an explicit allow and no deny.
  • No → final decision = "deny" (default deny). By default, an implicit (default) deny is returned.
• 16. AWS IAM Policy Evaluation Logic – Example 1
  Policy types in play: ACL, identity-based policy, resource-based policy.
  • Identity-based policy on AWS IAM User (Alice): Effect: Allow, Action: s3:GetObject, Resource: *
  • Resource-based policy on the Amazon S3 bucket: Effect: Deny, Principal: *, Action: s3:GetObject, Resource: *
  • Resulting permission: GetObject denied (X); the explicit deny in the bucket policy wins.
• 17. AWS IAM Policy Evaluation Logic – Example 2
  An AWS EC2 instance (IAM Role, ARN 1) reaches the bucket through an AWS VPC Endpoint (Gateway).
  • Identity-based policy on the EC2 IAM Role (ARN 1): Effect: Allow, Action: s3:GetObject, Resource: *
  • Resource-based policy on the Amazon S3 bucket: Effect: Allow, Principal: *, Action: s3:GetObject, Resource: *
  • Resource-based policy on the VPC Endpoint: Effect: Allow, Principal: ARN 2, Action: *, Resource: *
  • Resulting permission: GetObject denied (X); the endpoint policy grants only ARN 2, so the request from ARN 1 has no allow at that layer.
• 18. AWS IAM Policy Evaluation Logic – Example 3
  Cross-account role assumption: an EC2 IAM Role in AWS Account 1 assumes an IAM Role in AWS Account 2.
  • Identity-based policy on the EC2 IAM Role (Account 1): Effect: Allow, Action: s3:GetObject, Resource: *
  • Trust relationship on the role in Account 2: Effect: Allow, Principal: AWS Account 1, Action: sts:AssumeRole, Resource: *
  • Resulting permission: AssumeRole denied (X); the identity-based policy does not allow sts:AssumeRole.
• 19. AWS IAM Policy Evaluation Logic – Example 3 (continued)
  • Identity-based policy on the EC2 IAM Role (Account 1): Effect: Allow, Action: sts:AssumeRole, Resource: *
  • Resource-based policy (trust relationship) on the role in Account 2: Effect: Allow, Principal: AWS Account 1, Action: sts:AssumeRole, Resource: *
  • Resulting permission: AssumeRole allowed.
• 20. AWS IAM Boundary Types
  • Organization SCPs
  • Permission Boundaries
• 21. Service Control Policies (SCPs)
  (Diagram: policy permission categories. Boundaries: Organization SCPs, Permission Boundaries.)
  • Enables you to control which AWS service APIs are accessible.
    - Define the list of APIs that are allowed (whitelisting).
    - Define the list of APIs that must be blocked (blacklisting).
  • Cannot be overridden by a local administrator.
  • The resultant permission on an IAM user/role is the intersection between the SCP and the assigned IAM permissions.
• 22. SCP Effective Permissions – Venn diagram
  Service control policy (defined by the admin) ∩ identity-based policies (defined by the developer) = resulting permission.
• 23. Service Control Policies (SCPs)
  Blacklisting example (allow everything, then block one API):
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      },
      {
        "Effect": "Deny",
        "Action": "cloudtrail:DeleteTrail",
        "Resource": "*"
      }
    ]
  }
  Whitelisting example (allow only the listed services):
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:*",
          "redshift:*",
          "elasticache:*"
        ],
        "Resource": "*"
      }
    ]
  }
• 24. Permission Boundaries
  (Diagram: policy permission categories. Boundaries: Organization SCPs, Permission Boundaries.)
  Mechanism to delegate the permission to create users and/or roles while preventing privilege escalation or unnecessarily broad permissions.
  Method to safely grant actions like:
  • "iam:CreateRole"
  • "iam:PassRole"
• 25. Before and After Permission Boundaries
  Before
  • Certain IAM policy actions (e.g. PutUserPolicy, AttachRolePolicy) are essentially full admin-like permissions.
  • Doing any form of self-service permissions management was non-trivial.
  Now
  • Administrators can grant these full admin-like permissions, but specify a "permissions boundary."
  • Allows developers to create principals for their applications and attach policies, but only within the boundary.
• 26. Use Cases
  • Developers that need to create roles for Lambda functions
  • Application owners that need to create roles for EC2 instances
  • Admins that need to be able to create users for particular use cases
  • Any others?
• 27. Just the facts
  • Supported only for users and roles
  • The mechanism at the policy level is just a condition context key
  • Not all IAM actions support the condition context key
  • It's just a managed policy
  • The user or role can do only the actions allowed by both the attached identity-based policies and the permissions boundary
• 28. Permission Boundary – workflow
  • Admins create delegated admins. Requirement: users and roles created by delegated admins must have a permissions boundary.
  • Delegated admins create "bound" users and roles. Ability: can create users and roles that have permissions boundaries attached.
  • "Bound" IAM users and roles are restricted by permissions boundaries. Result: the permissions boundary restricts the permissions of the users and roles.
  • Restricted resources: the permissions of roles attached to resources like Lambda functions are limited by the permissions boundary (Lambda function → role → permissions).
• 29. An IAM condition context key
  "Condition": {
    "StringEquals": {
      "iam:PermissionsBoundary": "arn:aws:iam::ACCOUNT_ID:policy/permissionboundary"
    }
  }
• 30. … applied to principal creation actions (users and roles)
  {
    "Effect": "Allow",
    "Action": [
      "iam:CreateRole"
    ],
    "Resource": [
      "arn:aws:iam::ACCOUNT_ID:role/path/"
    ],
    "Condition": {
      "StringEquals": {
        "iam:PermissionsBoundary": "arn:aws:iam::ACCOUNT_ID:policy/permissionboundary"
      }
    }
  }
• 31. But, it's just an IAM policy, right?
  (Diagram: an IAM role has two slots, an identity-based policy slot and a permissions boundary slot; the same kind of IAM policy document fills either one.)
• 32. But, it's just an IAM policy, right?
  (Diagram, continued: identity-based policy slot and permissions boundary slot.)
• 33. AWS IAM Delegated Administration – Demo
  • User requirements:
    - Lambda function that reads from an S3 bucket
    - Lambda function must have an IAM role to access the bucket
    - Role must be created with the correct permissions
  • Company requirements:
    - Policies attached to the role must not allow privilege escalation or unneeded permissions
    - Don't get in the way of the user
  Workflow: the admin creates a policy for the user (plus read-only policies) and the permissions boundary policy; the delegated admin (the user) creates a policy for a role, the role and the Lambda function; the Lambda function's role permissions are restricted by the permissions boundary.
  https://awssecworkshops.com/
• 34. Everything after authentication
  1. Authenticate the principal.
  2. Determine which policies apply to the request.
  3. Evaluate the policy types that apply; which types are present determines the order in which they are evaluated.
  4. Allow or deny the request.
• 35. PB Effective Permissions – Venn diagram
  Permissions boundary (defined by the admin) ∩ identity-based policies (defined by the developer) = resulting permission.
• 36. Effective permissions – mechanism
  (Diagram: an API request is first checked for an explicit deny, then evaluated against the identity-based policy; if allowed there, the request is allowed.)
• 37. Effective permissions – mechanism
  (Diagram: the permissions boundary is added as a second check; the resulting permission is where the identity-based policy and the permissions boundary both allow, and only then is the request allowed.)
• 38. Effective permissions – mechanism
  (Diagram: after the explicit deny check, the identity-based policy and the permissions boundary each yield either Allow or an implicit deny for the request.)
• 39. Effective permissions – allow example
  (Diagram: identity-based policy: Allow; permissions boundary: Allow → request allowed.)
• 40. Effective permissions – scenario 1
  Request: s3:GetObject / bucket name: example1
  Permissions boundary:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Resource": "arn:aws:logs:*:*:*"
      }
    ]
  }
  Identity-based policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "s3:*"
        ],
        "Resource": "*"
      }
    ]
  }
• 41. Effective permissions – result
  API request: s3:GetObject. Identity-based policy: Allow. Permissions boundary: implicit deny. → Request denied.
• 42. Effective permissions – result
  Same request with identity-based policies 1 and 2 in the identity slot: Allow from the identity-based policies, implicit deny from the permissions boundary. → Request denied.
• 43. Effective permissions – scenario 2
  Request: s3:GetObject / bucket name: example1
  Identity-based policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "s3:*"
        ],
        "Resource": "*"
      }
    ]
  }
  Permissions boundary:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Resource": "arn:aws:logs:*:*:*"
      },
      {
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example1/*"
      }
    ]
  }
• 44. Effective permissions – result
  API request: s3:GetObject. Identity-based policy: Allow. Permissions boundary: Allow. → Request allowed.
• 45. Effective permissions – scenario 3
  Request: s3:GetObject / bucket name: example1
  Identity-based policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Resource": "*"
      }
    ]
  }
  Permissions boundary:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Resource": "arn:aws:logs:*:*:*"
      },
      {
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example1/*"
      }
    ]
  }
• 46. Effective permissions – result
  API request: s3:GetObject. Identity-based policy: implicit deny. Permissions boundary: Allow. → Request denied.
• 47. AWS IAM Policy Prioritization with Boundaries
  (Venn diagram: the resulting permission is the intersection of the service control policy, the permissions boundary, the session policy and the identity-based policy.)
• 48. AWS IAM Policy Prioritization with Boundaries
  (Diagram: within an AWS account, an API request passes the explicit deny check and is then evaluated against the SCPs, the permissions boundary, the session policy, the identity-based policy and the resource-based policy before the request is allowed.)
• 49. AWS IAM Policy Prioritization with Boundaries (title slide)
• 50. AWS IAM Policy Prioritization with Boundaries
  (Diagram: cross-account case between AWS Account 1 (outside of the OU) and AWS Account 2, with the resource-based policy on the far side; after the explicit deny check, a full evaluation of all applicable policies is performed before the request is allowed.)
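The decision rules of slides 15 and 36–50 (explicit deny wins, an allow is required from an identity- or resource-based policy, and every boundary present must also allow) together with the condition key of slides 29–30, as an added Python example written for this page; it is not code from the talk or from AWS. It re-encodes the slide policies as dictionaries and runs the deck's scenarios through a toy evaluator. The account id 111122223333, the object key report.csv, the role name lambda-reader and the role/path/* wildcard are constructed stand-ins for the slides' ACCOUNT_ID and path placeholders, and the function names are the example's own. Only StringEquals conditions are modelled; Principal matching, NotAction/NotResource and the cross-account rules are left out.

```python
"""Toy evaluator for the IAM decision logic on slides 15 and 36-50.

Added example for this page, not code from the talk or from AWS.  Rules:
an explicit Deny in any applicable policy wins; otherwise the request needs an
Allow from an identity-based policy (or a same-account resource-based policy)
AND an Allow from every boundary present (SCP, permissions boundary, session
policy).  Boundaries never grant on their own.  Not modelled: NotAction,
NotResource, Principal matching, cross-account rules, condition operators
other than StringEquals.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt, action, resource, context):
    """True when the statement's Action, Resource and Condition all match."""
    # Action names are case-insensitive (the slides write s3:getobject).
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(_match(a, action.lower()) for a in actions):
        return False
    if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False  # a missing context key never satisfies StringEquals
    return True


def policy_decision(policy, action, resource, context=None):
    """'Deny', 'Allow' or None (implicit deny) for a single policy document."""
    decision = None
    for stmt in _as_list(policy.get("Statement", [])):
        if _statement_applies(stmt, action, resource, context or {}):
            if stmt["Effect"] == "Deny":
                return "Deny"  # one matching Deny settles this document
            decision = "Allow"
    return decision


def evaluate(action, resource, identity_policies=(), resource_policy=None,
             permissions_boundary=None, scp=None, session_policy=None, context=None):
    """Combine the policy layers the way slides 15 and 48 describe."""
    granting = list(identity_policies) + ([resource_policy] if resource_policy else [])
    bounding = [p for p in (scp, permissions_boundary, session_policy) if p]
    grants = [policy_decision(p, action, resource, context) for p in granting]
    bounds = [policy_decision(p, action, resource, context) for p in bounding]
    if "Deny" in grants + bounds:
        return "Deny"  # explicit deny trumps every Allow
    if "Allow" not in grants:
        return "Deny"  # implicit deny: nothing granted the action
    if any(d != "Allow" for d in bounds):
        return "Deny"  # implicit deny from a boundary: outside the intersection
    return "Allow"


# Policies transcribed from the slides.  The account id 111122223333, the
# object key, the role name and the role/path/* wildcard are constructed.
def _stmt(action, resource="*"):
    return {"Effect": "Allow", "Action": action, "Resource": resource}


def _doc(*stmts):
    return {"Version": "2012-10-17", "Statement": list(stmts)}


LOGS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
LOGS_ONLY_BOUNDARY = _doc(_stmt(LOGS, "arn:aws:logs:*:*:*"))  # slide 40
LOGS_S3_BOUNDARY = _doc(_stmt(LOGS, "arn:aws:logs:*:*:*"),
                        _stmt(["s3:GetObject"], "arn:aws:s3:::example1/*"))  # slides 43, 45
LOGS_S3_IDENTITY = _doc(_stmt(LOGS + ["s3:*"]))  # slides 40, 43
LOGS_ONLY_IDENTITY = _doc(_stmt(LOGS))  # slide 45
ADMIN = _doc(_stmt("*"))
BLACKLIST_SCP = _doc(_stmt("*"), {"Effect": "Deny", "Action": "cloudtrail:DeleteTrail",
                                  "Resource": "*"})  # slide 23
BOUNDARY_ARN = "arn:aws:iam::111122223333:policy/permissionboundary"
DELEGATED_ADMIN = _doc({**_stmt(["iam:CreateRole"], ["arn:aws:iam::111122223333:role/path/*"]),
                        "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}})
OBJECT = "arn:aws:s3:::example1/report.csv"
NEW_ROLE = "arn:aws:iam::111122223333:role/path/lambda-reader"


def run_scenarios():
    """Decisions for the slide scenarios, keyed by slide number."""
    return {
        "slide16_resource_deny": evaluate("s3:GetObject", OBJECT, [_doc(_stmt("s3:GetObject"))],
                                          resource_policy=_doc({"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"})),
        "slide23_scp_delete_trail": evaluate("cloudtrail:DeleteTrail", "*", [ADMIN], scp=BLACKLIST_SCP),
        "slide30_with_boundary": evaluate("iam:CreateRole", NEW_ROLE, [DELEGATED_ADMIN],
                                          context={"iam:PermissionsBoundary": BOUNDARY_ARN}),
        "slide30_without_boundary": evaluate("iam:CreateRole", NEW_ROLE, [DELEGATED_ADMIN]),
        "slide40_scenario1": evaluate("s3:GetObject", OBJECT, [LOGS_S3_IDENTITY], permissions_boundary=LOGS_ONLY_BOUNDARY),
        "slide43_scenario2": evaluate("s3:GetObject", OBJECT, [LOGS_S3_IDENTITY], permissions_boundary=LOGS_S3_BOUNDARY),
        "slide45_scenario3": evaluate("s3:GetObject", OBJECT, [LOGS_ONLY_IDENTITY], permissions_boundary=LOGS_S3_BOUNDARY),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:26} {decision}")
```

Running the module prints one decision per scenario. The intersection rule is what denies scenario 3 even though the boundary allows s3:GetObject, and it is also why a delegated admin who is forced (via the iam:PermissionsBoundary condition) to attach the boundary can never hand a new role more than the boundary permits.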
• 51. AWS IAM Policy Categories
  Policy permission categories:
  • Boundaries: Organization SCPs, Permission Boundaries
  • Policies: identity-based policies, resource-based policies, access control lists (ACLs)
• 52. Thank You!
  Floor28