Avoiding Friendly Fire in AWS
Deborah Hawkins
2019 July 8
Austin DevOps
Chance of accidentally deleting needed resources

Number of people using the account    Chance for any given month
1 person                              10%
2 people                              25%
5 people                              75%
20 people                             99%
Source: I made these numbers up
Once upon a time, Sid took a trip...
https://flic.kr/p/b6yinB
… and decided to create an app
Sid created a new AWS account
Sid & Jordan quickly built version 1.0
Photos:
Duck - sarcasmisfun - http://pixdaus.com/cloud-that-looks-like-a-duck-airport-cloud-duck-jfk-plane-sh/items/view/933
Scottish terrier - John ‘K’ - https://www.flickr.com/photos/johnkay/3472407134/
But one day...
Don’t share credentials
● Don’t use the ROOT user
● Go to the IAM console
● Create a separate IAM User for each person
Better yet:
● Tie to your Active Directory
● Or use an SSO provider
● Multiple IAM Roles for each person
Sidenote: What’s the difference between an IAM User and Role?
IAM User
● Proves identity with access key, password, and/or MFA
IAM Role
● Has a Trust policy that says which AWS services or other identities can assume this role
● Credentials are ephemeral and generated by AWS for trusted entities
The app was returning errors…
All the code had been deleted from the main Lambda function!
Separate permissions by responsibility
AdministratorAccess can be too powerful. Accidents happen.
Attach only necessary policies.
Sid: AdministratorAccess
Jordan: AmazonLambdaFullAccess, AmazonAPIGatewayAdmin, IAMFullAccess
Sarah: DatabaseAdministrator
It happened again...
Blacklist using an explicit Deny
Attach an extra policy to each IAM User.
An explicit Deny rule always wins.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventPhotoDeletion",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::FunnyCloudPhotos/*"
    }
  ]
}
More people joined the team, and the Deny policy wasn’t applied to them at first.
Use resource policies to restrict access
Resource policies can:
• Grant access to IAM Roles and Users in the current account
• Grant access to other AWS accounts
• Add explicit Deny rules
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreventPhotoDeletion",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/Sid",
          "arn:aws:iam::123456789012:root"
        ]
      },
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::FunnyCloudPhotos/*"
    }
  ]
}
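To see how the two Deny policies above actually decide a request, here is a small evaluator written for this page (it is an added example, not code from the talk). It implements only the rules the slides rely on: wildcard matching of Action and Resource, the "explicit Deny always wins" rule, and the NotPrincipal element of the bucket policy. The user ARNs, bucket name and object key are constructed to match the story; real IAM evaluation also takes SCPs, permissions boundaries, session policies and conditions into account, which this model leaves out.

```python
"""Toy evaluator for the Deny-always-wins rule from the slides (added example)."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_applies(statement, principal_arn):
    """Identity policies carry no Principal element: they apply to whoever they are attached to.
    Resource policies name principals explicitly, or exclude them with NotPrincipal."""
    for key in ("Principal", "NotPrincipal"):
        if key in statement:
            spec = statement[key]
            arns = spec.get("AWS", []) if isinstance(spec, dict) else spec
            matched = _matches(arns, principal_arn)
            return matched if key == "Principal" else not matched
    return True


def evaluate(policies, principal_arn, action, resource_arn):
    """Return 'Deny' on any matching explicit Deny, 'Allow' on a matching Allow, else 'Deny' (implicit)."""
    explicit_allow = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _principal_applies(stmt, principal_arn):
                continue
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource_arn):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins, whatever else allows
            explicit_allow = True
    return "Allow" if explicit_allow else "Deny"


# Constructed sample data; the account id and user names follow the slides.
SID = "arn:aws:iam::123456789012:user/Sid"
JORDAN = "arn:aws:iam::123456789012:user/Jordan"
PHOTO = "arn:aws:s3:::FunnyCloudPhotos/duck.jpg"

ADMINISTRATOR_ACCESS = {  # same shape as the AWS-managed AdministratorAccess policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
PREVENT_PHOTO_DELETION = {  # identity policy from the "explicit Deny" slide
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PreventPhotoDeletion", "Effect": "Deny",
                   "Action": "s3:DeleteObject",
                   "Resource": "arn:aws:s3:::FunnyCloudPhotos/*"}],
}
BUCKET_POLICY = {  # resource policy from the "resource policies" slide: everyone but Sid and root is denied
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PreventPhotoDeletion", "Effect": "Deny",
                   "NotPrincipal": {"AWS": [SID, "arn:aws:iam::123456789012:root"]},
                   "Action": "s3:DeleteObject",
                   "Resource": "arn:aws:s3:::FunnyCloudPhotos/*"}],
}


def demo():
    """Decisions for the scenarios in the talk, keyed by a short label."""
    with_deny = [ADMINISTRATOR_ACCESS, PREVENT_PHOTO_DELETION]
    with_bucket_policy = [ADMINISTRATOR_ACCESS, BUCKET_POLICY]
    return {
        "sid_delete_with_deny_policy": evaluate(with_deny, SID, "s3:DeleteObject", PHOTO),
        "sid_get_with_deny_policy": evaluate(with_deny, SID, "s3:GetObject", PHOTO),
        "sid_delete_elsewhere": evaluate(with_deny, SID, "s3:DeleteObject", "arn:aws:s3:::scratch/tmp.txt"),
        "sid_delete_via_bucket_policy": evaluate(with_bucket_policy, SID, "s3:DeleteObject", PHOTO),
        "jordan_delete_via_bucket_policy": evaluate(with_bucket_policy, JORDAN, "s3:DeleteObject", PHOTO),
        "jordan_no_policies": evaluate([], JORDAN, "s3:GetObject", PHOTO),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:34} {decision}")
```

The bucket-policy case shows why the talk moves from identity policies to resource policies: the Deny lives on the bucket, so a new team member who never had the PreventPhotoDeletion policy attached is still denied, while Sid (excluded through NotPrincipal) can still delete.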
The machine learning to collect and classify cloud photos wasn’t complete yet.
So the team hired a couple of interns to manually curate and upload additional photos to a single S3 bucket.
Photo: Keelan – cloudappreciationsociety.org
Don’t use AWS-managed policies
AWS-managed policies are often overly permissive.
For this example, the most scoped AWS-managed policy is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
DatabaseAdministrator:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DisableAlarmActions",
        "datapipeline:DeletePipeline",
        "dynamodb:*",
        "elasticache:*",
        "lambda:DeleteEventSourceMapping",
        "lambda:DeleteFunction",
        "rds:*",
        "redshift:*",
        "s3:DeleteObject*",
        "sns:DeleteTopic"
      ],
      "Resource": "*"
    }
  ]
}
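One way to put numbers on "overly permissive" is to compare what a managed policy grants against what the job actually used. The script below is an added example for this page, not code from the talk: it turns a handful of constructed CloudTrail-style records for an intern's upload session into IAM action names, lists which actions the s3:* policy above grants on top of those, flags the destructive verbs that the DatabaseAdministrator actions on the slide allow on every resource, and emits a scoped replacement. The action catalogue is a constructed subset (IAM has thousands of actions), and the event-name-to-action mapping is a simplification that holds for the S3 data events used here but not for every API.

```python
"""Measure how far an AWS-managed policy overshoots what a job actually uses (added example)."""
import json
from fnmatch import fnmatchcase

DESTRUCTIVE_VERBS = ("Delete", "Disable", "Terminate")

CANDIDATE_ACTIONS = [  # constructed subset of the IAM action catalogue
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:DeleteBucket",
    "s3:ListBucket", "s3:PutBucketPolicy", "s3:PutBucketAcl",
]
S3_FULL_ACCESS = {  # the 's3:*' on '*' policy the slide shows as the tightest managed option
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
DATABASE_ADMINISTRATOR = {  # the Allow statement the slide lists for DatabaseAdministrator
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "cloudwatch:DeleteAlarms", "cloudwatch:DisableAlarmActions", "datapipeline:DeletePipeline",
        "dynamodb:*", "elasticache:*", "lambda:DeleteEventSourceMapping", "lambda:DeleteFunction",
        "rds:*", "redshift:*", "s3:DeleteObject*", "sns:DeleteTopic"]}],
}
INTERN_EVENTS = [  # constructed CloudTrail-style records for an intern's curation session
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def observed_actions(events):
    """Map (eventSource, eventName) pairs to IAM action names.

    Simplification (assumption): action == service prefix + ':' + eventName.
    True for the S3 data events above; some APIs log under a different name.
    """
    actions = set()
    for event in events:
        service = event["eventSource"].split(".")[0]  # 's3.amazonaws.com' -> 's3'
        actions.add(f"{service}:{event['eventName']}")
    return sorted(actions)


def unneeded_actions(policy, needed):
    """Catalogue actions the policy grants that are not in the needed set."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            granted.update(a for a in CANDIDATE_ACTIONS if fnmatchcase(a, pattern))
    return sorted(granted - set(needed))


def destructive_grants(policy):
    """Action patterns in Allow statements on Resource '*' that cover a destructive verb.

    A service-wide wildcard such as 'rds:*' counts: it includes every Delete* action.
    """
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        for pattern in _as_list(stmt["Action"]):
            verb = pattern.partition(":")[2]
            if verb == "*" or verb.startswith(DESTRUCTIVE_VERBS):
                found.add(pattern)
    return sorted(found)


def least_privilege_policy(actions, resource_arns):
    """A minimal Allow statement: exactly the observed actions, on exactly the named resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "ObservedUse", "Effect": "Allow",
                       "Action": list(actions), "Resource": list(resource_arns)}],
    }


if __name__ == "__main__":
    used = observed_actions(INTERN_EVENTS)
    print("used:", used)
    print("granted but unused by s3:* policy:", unneeded_actions(S3_FULL_ACCESS, used))
    print("destructive on '*' in DatabaseAdministrator:", destructive_grants(DATABASE_ADMINISTRATOR))
    print(json.dumps(least_privilege_policy(used, ["arn:aws:s3:::Curation-*/*"]), indent=2))
```

The scoped policy this produces is the shape the later "naming conventions" slides arrive at by hand; the point of the measurement is that `destructive_grants` returns nothing for it, while both managed policies light up.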
The curation team insisted on separating photos throughout more and more buckets:
Curating-Bucket
AnotherCuratingBucket
ReallyCoolPhotos
Additional-Curated-Photos
Refine permissions using naming conventions
Listing each bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageCuratedPhotos",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::Curating-Bucket/*",
        "arn:aws:s3:::Another-Curating-Bucket/*",
        "arn:aws:s3:::ReallyCoolPhotos/*",
        "arn:aws:s3:::Additional-Curated-Photos/*"
      ]
    }
  ]
}
After adopting a naming convention:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageCuratedPhotos",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::Curation-*/*"
      ]
    }
  ]
}
The company is growing.
There are now six different teams with similar policies for S3. The only difference is which buckets they own.
Use principal tags to consolidate policies
IAM Users and Roles can be tagged with key-value pairs.
Reference the tag value in the policy with the variable:
${aws:PrincipalTag/TheTagKey}
UserA tags:
Team = TeamBlue
CostCenter = 102
SlackName = Sarah
UserB tags:
Team = TeamGreen
CostCenter = 110
SlackName = Dave
Per-team policy (one of six):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageCuratedPhotos",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::Curation-*"
      ]
    }
  ]
}
One policy for every team, with the principal tagged Team = Curation:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageCuratedPhotos",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::${aws:PrincipalTag/Team}-*"
      ]
    }
  ]
}
https://aws.amazon.com/blogs/security/simplify-granting-access-to-your-aws-resources-by-using-tags-on-aws-iam-users-and-roles/
The AI/ML team is getting frustrated.
They have to wait for someone else to grant permissions when they decide to try out:
Rekognition
EMR
SageMaker
DataPipeline
Marketplace tools
etc.
Use multiple AWS accounts
By default, an IAM User or Role is restricted to access resources in that AWS account.
When a team’s resources will be mostly segregated from other teams’ resources, create a separate account for them to work in.
Note: Provide assistance or guardrails for cross-account access to prevent teams from taking the shortcut of sharing resources by making them public.
Tips for working with a multi-account strategy: reinventvideos.com
Refine policies using resource tags
{
  "Action": [
    "ec2:StartInstances",
    "ec2:StopInstances"
  ],
  "Resource": "arn:aws:ec2:*:*:instance/*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "ec2:ResourceTag/Team": "BlueTeam"
    }
  }
}
Example resource tags:
Team=GreenTeam, CostCenter=101
Team=BlueTeam, CostCenter=114
https://aws.amazon.com/blogs/security/working-backward-from-iam-policies-and-principal-tags-to-standardized-names-and-tags-for-your-aws-resources/
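The principal-tag policy from the "consolidate policies" slides and the resource-tag condition just above are two halves of the same attribute-based approach, so one added example covers both (it is written for this page, not taken from the talk). It substitutes `${aws:PrincipalTag/Team}` into the resource pattern, matches the result against bucket ARNs that follow the naming convention, and evaluates a StringEquals condition on `ec2:ResourceTag/Team` against an instance's tags. The user tags, bucket name and instance ARN are constructed; the policy shapes copy the slides. One edge case worth noticing: a user with no Team tag gets nothing, because an unresolved variable cannot match, which is the behaviour IAM documents for missing tags.

```python
"""Principal-tag substitution and resource-tag conditions (added example)."""
import re
from fnmatch import fnmatchcase

PRINCIPAL_TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")
RESOURCE_TAG_KEY = re.compile(r"^[a-z0-9-]+:ResourceTag/(.+)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def render(pattern, principal_tags):
    """Substitute ${aws:PrincipalTag/Key}. Returns None if a referenced tag is absent:
    IAM then leaves the variable unresolved and the element cannot match."""
    missing = []

    def replace(match):
        value = principal_tags.get(match.group(1))
        if value is None:
            missing.append(match.group(1))
            return ""
        return value

    rendered = PRINCIPAL_TAG_VAR.sub(replace, pattern)
    return None if missing else rendered


def condition_holds(condition, resource_tags):
    """Evaluate StringEquals over <service>:ResourceTag/<Key> keys (the only operator on the slide)."""
    for key, expected in condition.get("StringEquals", {}).items():
        match = RESOURCE_TAG_KEY.match(key)
        if match is None:
            return False  # toy model: any other condition key is treated as unmet
        if resource_tags.get(match.group(1)) != expected:
            return False
    return True


def statement_allows(stmt, principal_tags, action, resource_arn, resource_tags=None):
    """True if this single Allow statement matches the request after tag substitution."""
    if stmt["Effect"] != "Allow":
        return False
    if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    rendered = [render(p, principal_tags) for p in _as_list(stmt["Resource"])]
    if not any(r is not None and fnmatchcase(resource_arn, r) for r in rendered):
        return False
    return condition_holds(stmt.get("Condition", {}), resource_tags or {})


# Policy shapes from the slides; sample principals, buckets and instances are constructed.
TEAM_BUCKETS = {  # one S3 policy for every team
    "Sid": "ManageCuratedPhotos", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::${aws:PrincipalTag/Team}-*",
}
TEAM_INSTANCES = {  # start/stop only instances tagged for your team
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances"],
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/Team": "BlueTeam"}},
}
SARAH = {"Team": "Curation", "CostCenter": "102"}
DAVE = {"Team": "TeamGreen", "CostCenter": "110"}
UNTAGGED = {}
PHOTO = "arn:aws:s3:::Curation-Bucket/duck.jpg"
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
BLUE_TAGS = {"Team": "BlueTeam", "CostCenter": "114"}
GREEN_TAGS = {"Team": "GreenTeam", "CostCenter": "101"}


def demo():
    return {
        "sarah_curation_bucket": statement_allows(TEAM_BUCKETS, SARAH, "s3:PutObject", PHOTO),
        "dave_curation_bucket": statement_allows(TEAM_BUCKETS, DAVE, "s3:PutObject", PHOTO),
        "untagged_curation_bucket": statement_allows(TEAM_BUCKETS, UNTAGGED, "s3:PutObject", PHOTO),
        "stop_blue_instance": statement_allows(TEAM_INSTANCES, SARAH, "ec2:StopInstances", INSTANCE, BLUE_TAGS),
        "stop_green_instance": statement_allows(TEAM_INSTANCES, SARAH, "ec2:StopInstances", INSTANCE, GREEN_TAGS),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:28} {'Allow' if allowed else 'no match'}")
```

Because the decision now depends on who may edit tags, the two tag-based policies move the control point: whoever can change a principal's Team tag or an instance's Team tag can change what these statements grant, so tag-editing permissions (iam:TagUser, ec2:CreateTags) deserve the same scrutiny as the policies themselves.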
Resources that support tag-based access control
Amazon EC2*
Amazon EC2 Autoscaling
AWS Elastic Beanstalk
Amazon Elastic Container Registry (ECR)
Elastic Load Balancing*
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
Amazon S3 Glacier
Amazon Simple Storage Service (S3)*
AWS Storage Gateway
Amazon Relational Database Service
AWS Cloud9
CodeCommit
CodePipeline
AWS CodeStar
Amazon Certificate Manager (ACM)
Amazon Cognito
AWS Directory Service
AWS IAM*
Secrets Manager
Kinesis Video Streams
Amazon Athena
AWS Data Pipeline
Amazon EMR
AWS Glue*
Amazon Kinesis Data Analytics
Amazon Kinesis Data Firehose
Amazon MQ
AWS Step Functions
Amazon Simple Workflow Service (SWF)
AWS Ground Station
AWS IoT
AWS IoT Analytics
AWS IoT Events
AWS IoT Greengrass
RoboMaker
Amazon Pinpoint
Amazon Simple Email Service (SES)
Amazon Appstream 2.0
Amazon Workspaces
Amazon Comprehend
Amazon Machine Learning
Amazon SageMaker*
AWS CloudFormation
Amazon CloudWatch
Amazon CloudWatch Events
Amazon CloudWatch Logs
AWS Config
AWS Resource Groups
AWS Service Catalog*
AWS Systems Manager
AWS Database Migration Service
AWS Amplify
AWS Device Farm
Amazon API Gateway
Amazon VPC
AWS Elemental MediaConvert
AWS Elemental MediaLive
AWS Elemental MediaPackage
AWS Elemental MediaTailor
ECS (NEW!)
AWS re:Inforce 2019: Scale Permissions Management in AWS w/ Attribute-Based Access Control (SDD350)
https://www.youtube.com/watch?v=Iq_hDc385t4
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
One day alerts started going off all over the place.
The Internet Gateway had been removed.
Ram had been given permissions for S3 and Lambda development.
How did he get network modification access?
Delegate IAM with Permissions Boundaries
Allow people to create and manage their own IAM resources with one condition…
There must be a Permissions Boundary attached.
https://aws.amazon.com/blogs/security/delegate-permission-management-to-developers-using-iam-permissions-boundaries/
Setting up an IAM Permissions Boundary
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SetPermissionsBoundary",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy"
      ],
      "Resource": "arn:aws:iam::<ACCT_#>:role/Team32*",
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::<ACCT_#>:policy/Team32Boundary"
        }
      }
    }
  ]
}
https://www.youtube.com/watch?v=eVNvjQ0wr84 - AWS Live re:Inforce - Becky Sets Some IAM Permissions Boundaries
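The statement above does two jobs, and the added example below (written for this page, not code from the talk) separates them so each can be checked. First, the delegation decision: a role-creation request is allowed only if the role name matches Team32* and the request carries the required boundary ARN in the iam:PermissionsBoundary condition key. Second, the effect of the boundary once attached: even if the developer attaches an AdministratorAccess-shaped policy to their new role, the effective permissions are the intersection of that policy with the boundary, which is how the Internet Gateway story would have ended differently. The account id 123456789012 stands in for the slide's <ACCT_#> placeholder; the role names, candidate actions and the Team32Boundary contents are constructed.

```python
"""Permissions-boundary delegation and its effect on a role's permissions (added example)."""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # stands in for the slide's <ACCT_#>
REQUIRED_BOUNDARY = f"arn:aws:iam::{ACCOUNT}:policy/Team32Boundary"

DELEGATION = {  # the statement from the slide, with the placeholder filled in
    "Sid": "SetPermissionsBoundary",
    "Effect": "Allow",
    "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy"],
    "Resource": f"arn:aws:iam::{ACCOUNT}:role/Team32*",
    "Condition": {"StringEquals": {"iam:PermissionsBoundary": REQUIRED_BOUNDARY}},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def delegation_allows(request):
    """Decide an IAM write request against DELEGATION.

    request: {'action': ..., 'role_arn': ..., 'permissions_boundary': ARN or None}
    iam:PermissionsBoundary is the boundary the request sets on the role; with no
    boundary present the StringEquals condition is simply not met, so the answer is False.
    """
    if request["action"] not in DELEGATION["Action"]:
        return False
    if not fnmatchcase(request["role_arn"], DELEGATION["Resource"]):
        return False
    required = DELEGATION["Condition"]["StringEquals"]["iam:PermissionsBoundary"]
    return request.get("permissions_boundary") == required


def _allows(policy, action):
    return any(stmt["Effect"] == "Allow" and any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
               for stmt in policy["Statement"])


def effective_actions(identity_policy, boundary_policy, candidate_actions):
    """A boundary never grants anything: the effective set is identity Allow AND boundary Allow.
    Resources and conditions are ignored here so the intersection stays visible."""
    return sorted(a for a in candidate_actions if _allows(identity_policy, a) and _allows(boundary_policy, a))


# Constructed policies: a developer attached AdministratorAccess-shaped permissions to their
# new role, but the boundary caps what the role can really do.
ADMIN_SHAPED = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
TEAM32_BOUNDARY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": ["s3:*", "lambda:*"], "Resource": "*"}]}
CANDIDATES = ["s3:GetObject", "lambda:InvokeFunction", "ec2:DeleteInternetGateway", "iam:CreateUser"]


def demo():
    role = f"arn:aws:iam::{ACCOUNT}:role/Team32Deploy"
    other_team_role = f"arn:aws:iam::{ACCOUNT}:role/Team7Deploy"
    return {
        "create_with_boundary": delegation_allows(
            {"action": "iam:CreateRole", "role_arn": role, "permissions_boundary": REQUIRED_BOUNDARY}),
        "create_without_boundary": delegation_allows(
            {"action": "iam:CreateRole", "role_arn": role, "permissions_boundary": None}),
        "create_other_team_role": delegation_allows(
            {"action": "iam:CreateRole", "role_arn": other_team_role, "permissions_boundary": REQUIRED_BOUNDARY}),
        "effective": effective_actions(ADMIN_SHAPED, TEAM32_BOUNDARY, CANDIDATES),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:24} {result}")
```

Note that `effective` drops ec2:DeleteInternetGateway and iam:CreateUser even though the role's own policy says "*": that intersection is the guardrail the slide is setting up, and the delegation statement is what guarantees every Team32 role is created with it.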
Recap
Don’t share credentials
Separate permissions by responsibility
Blacklist using an explicit Deny
Use resource policies to restrict access
Don’t use AWS-managed policies
Refine permissions using naming conventions
Use principal tags to consolidate policies
Use multiple AWS accounts
Refine policies using resource tags
Delegate IAM with Permissions Boundaries
Use Infrastructure as Code
IAM Policy evaluation
https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
The asset you save may be your own
Learn More
References:
● The Open Guide to AWS - https://github.com/open-guides/og-aws ← Join the Slack!
● AWS IAM Reference - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
● AWS re:Invent 2018: Become an IAM Policy Master in 60 Minutes or Less (SEC316) - https://www.youtube.com/watch?v=YQsK4MtsELU