SlideShare a Scribd company logo

AWS IAM and security

Download as PPTX, PDF
Erik Paulsson, profile picture
Erik Paulsson

The document provides a comprehensive overview of Identity and Access Management (IAM) within AWS, detailing essential concepts such as IAM users, groups, roles, and policies. It emphasizes the importance of implementing least privilege access and avoiding common security pitfalls, particularly regarding the management of AWS credentials. Additionally, it discusses advanced IAM features like temporary credentials, account federation, and best practices for securing AWS resources and permissions.

Technology
Related topics:
Amazon Web Services
1 of 22
Downloaded 449 times
1
2
Most read
3
4
Most read
5
Most read
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Identity and Access Management Erik Paulsson https://www.linkedin.com/in/erikpaulsson
Agenda / Topics • Basics o What is IAM? o What to do right after creating an AWS account o What are the main components of IAM? • What not to do o Don’t be that person / company… • Intermediate o Least privilege access permissions o How to manage / distribute AWS creds o How to write code that auto-discovers AWS creds o AWS Services that support IAM and at what level • Advanced o Temporary credentials / Avoiding long-lived creds o AWS account federation / SSO
What is AWS IAM? • Identity and Access Management is an AWS service that enables you to provide fine grained access control to: o Interact with AWS services on behalf of your AWS account o Interact with AWS resources created in your AWS account • The main components are: o IAM Users o IAM Groups o IAM Roles o IAM Polices
IAM Users • Can have username / password to login to the AWS Console • Can have AWS credentials for making API calls to interact with AWS services • New IAM users have no permissions to do anything, implicit deny all. Permissions must be explicitly granted. • An IAM user doesn't necessarily have to represent an actual person. An IAM user is really just an identity with associated permission. o An IAM User with only AWS creds can be created so the creds can be used by an application to make API calls into AWS.
IAM Groups • A collection of IAM Users • You assign permissions to the IAM Group, all IAM Users in the Group inherit those permissions. o Implicit deny of permissions applies to IAM Groups as well
IAM Roles / Instance Profiles • IAM Roles define permissions much like an IAM User o IAM Roles do NOT have: • Username/password like an IAM User can • AWS creds that can be retrieved like an IAM User creds • The permissions of an IAM Role can be granted / assigned to an EC2 instance o An Instance Profile is just a “container” for one or more IAM Roles o An Instance Profile is what you actually assign to an EC2 instance • IAM Roles and Instance Profiles provide enhanced security because these structures provide temporary AWS creds o These temporary creds are made available by the EC2 meta-data service • … More on IAM Roles later
IAM Policies • When you create an IAM Group, User, or Role in your AWS account, you associate an IAM policy with it, which specifies the permissions that you want to grant. • IAM Polices are JSON formatted documents that define AWS permissions • Working with IAM Policies
Security firsts for new AWS accounts • For AWS root account: o Store username/password somewhere safe and secure o Setup multi-factor authentication • Create IAM User(s) with "least privileges" necessary o Least privilege = only the permissions necessary to accomplish needed tasks • After IAM Users have been created never use root account again o An IAM User with root permissions can be created • If IAM Users have username/password for AWS console login then they should also have multi factor authentication (MFA) enabled o https://aws.amazon.com/iam/details/mfa/ • If you don’t want some users having access to billing o Control access to AWS account billing through IAM • IAM controls “the keys to the (AWS) kingdom” o Only highly privileged users should have permissions to perform IAM actions
Getting AWS credentials onto EC2 instances • Always use an IAM Role / Instance Profile • Never ever..... ever o Self manage credentials for EC2 instances (environment variables, etc) o Put AWS credentials into source code or config files • Don't make yourself or company a victim like these guys: o Key slurping bots crawl github, use creds to run EC2 instances for bitcoin mining • http://www.theregister.co.uk/2015/01/06/dev_blunder_shows_github_ crawling_with_keyslurping_bots o Companies have gone out of business because they were careless with their AWS creds • CodeSpaces had EVERYTHING deleted o http://arstechnica.com/security/2014/06/aws-console-breach- leads-to-demise-of-service-with-proven-backup-plan/
…continued Getting creds onto EC2 instances • Use IAM Instance Profile assigned to EC2 instance • An Instance Profile is created from an IAM Role • The instance profile must be assigned to an EC2 instance when it is launched • AWS credentials retrieved through the EC2 metadata service o curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<instance- profile-name> • These temporary credentials never have to be shared or managed by developers • These temporary AWS credentials are automatically rotated so instance always has valid credentials • http://docs.aws.amazon.com/IAM/latest/UserGuide/roles- usingrole-instanceprofile.html • http://docs.aws.amazon.com/IAM/latest/UserGuide/roles- usingrole-ec2instance.html
How can code use Instance Profile creds? • All AWS SDKs have a built in way to auto-discover AWS credentials on EC2 instances o Simplifies code by not having to explicitly set AWS credentials • SDKs for all languages can automatically check standard locations for AWS credentials to use: o Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY (legacy, not recommended anymore) o Credentials file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI (great for applications/scripts being run outside of AWS) o Instance Profile Credentials - delivered through the Amazon EC2 metadata service (best practice for getting AWS creds onto EC2 instances) • Example - Java SDK docs which document AWS creds auto-discovery: o http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws /services/s3/AmazonS3Client.html - AmazonS3Client()
Local development • If you are running scripts or an application locally that needs to call AWS APIs then store AWS creds in the AWS “credentials” file: o http://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and- Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs • Allows you to define multiple sets of credentials each identified by a profile name • A “default” profile name can be defined so a profile doesn’t have to be specified in your code/script • AWS CLI (command line interface) o http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting- started.html#cli-multiple-profiles o aws s3 cp ./awesome.tgz s3://mybucket/path/to/awesome/files/ (uses default profile defined in ~/.aws/credentials file) o aws s3 cp ./awesome.tgz s3://mybucket/path/to/awesome/files/ --profile user2 (uses user2 profile defined in ~/.aws/credentials file)
IAM least privilege rights • "Anything" with AWS access should have the minimal rights it needs to accomplish its specific actions • "Anything" with AWS access refers to the following: o IAM Users or Groups o IAM Roles / Instance Profiles • IAM Roles can be assumed by end users • Instance Profiles can be assigned to EC2 instances o Your applications or scripts (which use IAM Role or User creds) • Example: if an application only needs read access to files in S3, then create an IAM Role with only “GetObject” rights on S3.
S3 IAM Policies • Granting access to an S3 bucket (Simple) • Granting access to specific “folders” in S3 bucket • S3 Actions { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::test"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": ["arn:aws:s3:::test/*"] } ] }
Amazon Resource Names (ARNs) • ARNs are unique identifiers for AWS resources. • Format of an ARN: o arn:partition:service:region:account-id:resource o arn:partition:service:region:account-id:resourcetype/resource o arn:partition:service:region:account-id:resourcetype:resource • Details of ARNs for each AWS Service o http://docs.aws.amazon.com/general/latest/gr/aws-arns-and- namespaces.html
Elements of an IAM Policy • Main elements of an IAM Policy o Version o Statement • Main element of the policy • Contains an array of statements • Each statement defines whether permissions are allowed or denied for certain service actions against particular resources. These are defined by the values of the following elements in each statement: o Effect – Allow or Deny o Action – array of service actions o Resource – array of ARNs that actions can occur on o Principal – identifies who/what is allowed/denied access • Details on IAM Policy elements o http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_e lements.html
Advanced uses of IAM Roles • IAM Roles can be “assumed” by: o IAM Users in the either the same or different AWS account o AWS services (EC2 instances or even another IAM Role) o External users authenticated outside of AWS (Federation) • IAM Roles provide enhanced security: o Temporary credentials • If credentials do get compromised they won’t be valid for long • “Long-lived” credentials are bad… mmmmmkkk o Users can be logged into AWS console without username/password o Temporary credentials + Least privilege permissions!!!
AWS Federation • My real world scenario o Many AWS accounts o Many users needing access to 1 or many AWS accounts o Management of many of the “same” IAM Users and Groups across many AWS accounts • Equals… o Maintenance nightmare o Potential for security lapses when employee leaves company • What AWS accounts did the employee have access to? • Have to delete IAM User from each AWS account • Most mid to large companies have a central Identity Provider o Active Directory o Federation could also use social login providers
…continued AWS Federation • We took a web application that uses SSO via SAML to authenticate with our corp AD o Runs in AWS on EC2 instance with Instance Profile that has rights to “assume” Roles o The IAM Roles that can be “assumed” can exist in any AWS account as long as a trust relationship is created. o IAM Roles are kept track of in the application DB o For each user of this web application 0 or more IAM Roles can be mapped to a user o The application can then retrieve temporary credentials from a Role on behalf of a user of the web application • AWS creds can be returned to user for local use • AWS console access can be granted based on permissions of the IAM Role • Simplified solution o Delete all IAM Users across all AWS accounts o Replace all IAM Groups with IAM Roles in each AWS account o One set of users (web application users) that can be granted access to any IAM Role from any AWS account. o Enhances security • If a user leaves the company they are removed from corporate AD, no longer have access to web application and therefore no more access to any AWS accounts • TEMPORARY AWS creds (only last 1 hour, AWS allowed max… for now) • Creating a URL that Enables Federated Access to the AWS Management Console o Java example code
AWS Console Federated Username • Federated Login/Identifier uses the name of the IAM Role that was used plus a specified identifier. • It is cutoff in this image • AutomationFederationRoles-AutomationAdmins-1VGJS9PG5J8JO/erik.paulsson
AWS Federation Local dev with temp creds • It is a pain for developers and cloud admins to work locally when AWS creds expire o Every hour have to: • Retrieve new AWS creds from web application • Copy/paste into local AWS credentials file • Solution o Wrote small GUI tool • Local thick client since it needs to write to file system • User authenticates to same web application using SSO still • Tool retrieves new credentials on hourly schedule from web application REST APIs • Writes these AWS credentials to local AWS credentials file o Tool allows users to retrieve creds for 0 or more of the IAM Roles they are allowed to use o A credentials profile name can be assigned to each o Used NW.js to build client (formerly known as “node-webkit”) • Single code base • Compiles to self executable for all platforms (Linux, Mac, Win) • No run-time dependencies (JRE, python, etc) o Just download and run
Other Links • Advanced Assume Role using “policy” parameter: o http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.h tml • IDC White Paper: You can be more secure in the cloud than in your own data center • AWS in Plain English o https://www.expeditedssl.com/aws-in-plain-english

More Related Content

PPTX
AWS core services
Nagesh Ramamoorthy
 
ODP
Introduction to AWS IAM
Knoldus Inc.
 
PPTX
AWS Monitoring & Logging
Jason Poley
 
PDF
AWS Systems Manager
Crishantha Nanayakkara
 
PPTX
Aws IAM
Chamali Liyanage
 
PDF
AWS IAM -- Notes of 20130403 Doc Version
Ernest Chiang
 
PPTX
Introduction to AWS VPC, Guidelines, and Best Practices
Gary Silverman
 
PPTX
AWS Basics
achudhivi
 
AWS core services
Nagesh Ramamoorthy
 
Introduction to AWS IAM
Knoldus Inc.
 
AWS Monitoring & Logging
Jason Poley
 
AWS Systems Manager
Crishantha Nanayakkara
 
Aws IAM
Chamali Liyanage
 
AWS IAM -- Notes of 20130403 Doc Version
Ernest Chiang
 
Introduction to AWS VPC, Guidelines, and Best Practices
Gary Silverman
 
AWS Basics
achudhivi
 

What's hot (20)

PPTX
AWS Storage - S3 Fundamentals
Piyush Agrawal
 
PPTX
Azure Identity and access management
Dinusha Kumarasiri
 
PPT
Intro to Amazon S3
Yu Lun Teo
 
PPTX
Aws VPC
Abhishek Amralkar
 
PDF
AWS Control Tower
CloudHesive
 
PDF
Serverless computing with AWS Lambda
Apigee | Google Cloud
 
PPTX
AWS Lambda Features and Uses
GlobalLogic Ukraine
 
PPTX
AWS Storage services
Nagesh Ramamoorthy
 
PPTX
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
Simplilearn
 
PPTX
AWS Cloud trail
zekeLabs Technologies
 
PDF
Aws cloud watch
Mahesh Raj
 
PPTX
IAM Deep Dive - Custom IAM Policies with Conditions
Bryant Poush
 
PDF
AWS VPC
KiranChinnagangannag
 
PPTX
ABCs of AWS: S3
Mark Cohen
 
PDF
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
Edureka!
 
PPTX
What is AWS?
Martin Yan
 
PDF
AWS Lambda
Scott Leberknight
 
PDF
AWS EBS
Mahesh Raj
 
PPTX
Elastic Compute Cloud (EC2) on AWS Presentation
Knoldus Inc.
 
PPTX
AWS Simple Storage Service (s3)
zekeLabs Technologies
 
AWS Storage - S3 Fundamentals
Piyush Agrawal
 
Azure Identity and access management
Dinusha Kumarasiri
 
Intro to Amazon S3
Yu Lun Teo
 
Aws VPC
Abhishek Amralkar
 
AWS Control Tower
CloudHesive
 
Serverless computing with AWS Lambda
Apigee | Google Cloud
 
AWS Lambda Features and Uses
GlobalLogic Ukraine
 
AWS Storage services
Nagesh Ramamoorthy
 
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
Simplilearn
 
AWS Cloud trail
zekeLabs Technologies
 
Aws cloud watch
Mahesh Raj
 
IAM Deep Dive - Custom IAM Policies with Conditions
Bryant Poush
 
AWS VPC
KiranChinnagangannag
 
ABCs of AWS: S3
Mark Cohen
 
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
Edureka!
 
What is AWS?
Martin Yan
 
AWS Lambda
Scott Leberknight
 
AWS EBS
Mahesh Raj
 
Elastic Compute Cloud (EC2) on AWS Presentation
Knoldus Inc.
 
AWS Simple Storage Service (s3)
zekeLabs Technologies
 
Ad

Similar to AWS IAM and security (20)

PPTX
AWS deployment and management Services
Nagesh Ramamoorthy
 
PPTX
AWSM2C3.pptx
RahulDange13
 
PPTX
Aws iam best practices to live by
John Varghese
 
PDF
Aws security Fundamentals
Christopher Caplan
 
PPTX
Aws security best practices
Sundeep Roxx
 
PPTX
AWS Identity and access management for users
StephenEfange3
 
PPTX
AWS Users Authentication
chandrasen Reddy
 
PPTX
IAM_part1.pptx
Shawshank Redemption
 
PPTX
Identity and Access Management-CLOUD.pptx
muthulakshmi279332
 
PPTX
Identity Access Management presented by Techserverglobal
HarpalGohil4
 
PDF
AWS Identity Access Management
Richard Harvey
 
PPTX
Identity and access management
genesesoftware
 
PPTX
Identity Access Management by Techserverglobal.pptx
HarpalGohil4
 
PPTX
AWS-IAM-intro-2016-08-03.pptx
Bima Ariateja
 
PDF
Advanced Security Masterclass - Tel Aviv Loft
Ian Massingham
 
PPTX
Aws education interest to enhance career IAM.pptx
Minionjaipur
 
PDF
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jean-François LOMBARDO
 
PPTX
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
😸 Richard Spindler
 
PPTX
Identity access management (iam)
Parag Patil
 
PDF
Security Best Practices: AWS AWSome Day Management Track
Ian Massingham
 
AWS deployment and management Services
Nagesh Ramamoorthy
 
AWSM2C3.pptx
RahulDange13
 
Aws iam best practices to live by
John Varghese
 
Aws security Fundamentals
Christopher Caplan
 
Aws security best practices
Sundeep Roxx
 
AWS Identity and access management for users
StephenEfange3
 
AWS Users Authentication
chandrasen Reddy
 
IAM_part1.pptx
Shawshank Redemption
 
Identity and Access Management-CLOUD.pptx
muthulakshmi279332
 
Identity Access Management presented by Techserverglobal
HarpalGohil4
 
AWS Identity Access Management
Richard Harvey
 
Identity and access management
genesesoftware
 
Identity Access Management by Techserverglobal.pptx
HarpalGohil4
 
AWS-IAM-intro-2016-08-03.pptx
Bima Ariateja
 
Advanced Security Masterclass - Tel Aviv Loft
Ian Massingham
 
Aws education interest to enhance career IAM.pptx
Minionjaipur
 
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
Jean-François LOMBARDO
 
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
😸 Richard Spindler
 
Identity access management (iam)
Parag Patil
 
Security Best Practices: AWS AWSome Day Management Track
Ian Massingham
 
Ad

Recently uploaded (20)

PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Encapsulation theory and applications.pdf
gurumoop
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
KodekX | Application Modernization Development
KodekX
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 

AWS IAM and security

  • 2. Agenda / Topics • Basics o What is IAM? o What to do right after creating an AWS account o What are the main components of IAM? • What not to do o Don’t be that person / company… • Intermediate o Least privilege access permissions o How to manage / distribute AWS creds o How to write code that auto-discovers AWS creds o AWS Services that support IAM and at what level • Advanced o Temporary credentials / Avoiding long-lived creds o AWS account federation / SSO
  • 3. What is AWS IAM? • Identity and Access Management is an AWS service that enables you to provide fine grained access control to: o Interact with AWS services on behalf of your AWS account o Interact with AWS resources created in your AWS account • The main components are: o IAM Users o IAM Groups o IAM Roles o IAM Polices
  • 4. IAM Users • Can have username / password to login to the AWS Console • Can have AWS credentials for making API calls to interact with AWS services • New IAM users have no permissions to do anything, implicit deny all. Permissions must be explicitly granted. • An IAM user doesn't necessarily have to represent an actual person. An IAM user is really just an identity with associated permission. o An IAM User with only AWS creds can be created so the creds can be used by an application to make API calls into AWS.
  • 5. IAM Groups • A collection of IAM Users • You assign permissions to the IAM Group, all IAM Users in the Group inherit those permissions. o Implicit deny of permissions applies to IAM Groups as well
  • 6. IAM Roles / Instance Profiles • IAM Roles define permissions much like an IAM User o IAM Roles do NOT have: • Username/password like an IAM User can • AWS creds that can be retrieved like an IAM User creds • The permissions of an IAM Role can be granted / assigned to an EC2 instance o An Instance Profile is just a “container” for one or more IAM Roles o An Instance Profile is what you actually assign to an EC2 instance • IAM Roles and Instance Profiles provide enhanced security because these structures provide temporary AWS creds o These temporary creds are made available by the EC2 meta-data service • … More on IAM Roles later
  • 7. IAM Policies • When you create an IAM Group, User, or Role in your AWS account, you associate an IAM policy with it, which specifies the permissions that you want to grant. • IAM Polices are JSON formatted documents that define AWS permissions • Working with IAM Policies
  • 8. Security firsts for new AWS accounts • For AWS root account: o Store username/password somewhere safe and secure o Setup multi-factor authentication • Create IAM User(s) with "least privileges" necessary o Least privilege = only the permissions necessary to accomplish needed tasks • After IAM Users have been created never use root account again o An IAM User with root permissions can be created • If IAM Users have username/password for AWS console login then they should also have multi factor authentication (MFA) enabled o https://aws.amazon.com/iam/details/mfa/ • If you don’t want some users having access to billing o Control access to AWS account billing through IAM • IAM controls “the keys to the (AWS) kingdom” o Only highly privileged users should have permissions to perform IAM actions
  • 9. Getting AWS credentials onto EC2 instances • Always use an IAM Role / Instance Profile • Never ever..... ever o Self manage credentials for EC2 instances (environment variables, etc) o Put AWS credentials into source code or config files • Don't make yourself or company a victim like these guys: o Key slurping bots crawl github, use creds to run EC2 instances for bitcoin mining • http://www.theregister.co.uk/2015/01/06/dev_blunder_shows_github_ crawling_with_keyslurping_bots o Companies have gone out of business because they were careless with their AWS creds • CodeSpaces had EVERYTHING deleted o http://arstechnica.com/security/2014/06/aws-console-breach- leads-to-demise-of-service-with-proven-backup-plan/
  • 10. …continued Getting creds onto EC2 instances • Use IAM Instance Profile assigned to EC2 instance • An Instance Profile is created from an IAM Role • The instance profile must be assigned to an EC2 instance when it is launched • AWS credentials retrieved through the EC2 metadata service o curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<instance- profile-name> • These temporary credentials never have to be shared or managed by developers • These temporary AWS credentials are automatically rotated so instance always has valid credentials • http://docs.aws.amazon.com/IAM/latest/UserGuide/roles- usingrole-instanceprofile.html • http://docs.aws.amazon.com/IAM/latest/UserGuide/roles- usingrole-ec2instance.html
  • 11. How can code use Instance Profile creds? • All AWS SDKs have a built in way to auto-discover AWS credentials on EC2 instances o Simplifies code by not having to explicitly set AWS credentials • SDKs for all languages can automatically check standard locations for AWS credentials to use: o Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY (legacy, not recommended anymore) o Credentials file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI (great for applications/scripts being run outside of AWS) o Instance Profile Credentials - delivered through the Amazon EC2 metadata service (best practice for getting AWS creds onto EC2 instances) • Example - Java SDK docs which document AWS creds auto-discovery: o http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws /services/s3/AmazonS3Client.html - AmazonS3Client()
  • 12. Local development • If you are running scripts or an application locally that needs to call AWS APIs then store AWS creds in the AWS “credentials” file: o http://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and- Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs • Allows you to define multiple sets of credentials each identified by a profile name • A “default” profile name can be defined so a profile doesn’t have to be specified in your code/script • AWS CLI (command line interface) o http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting- started.html#cli-multiple-profiles o aws s3 cp ./awesome.tgz s3://mybucket/path/to/awesome/files/ (uses default profile defined in ~/.aws/credentials file) o aws s3 cp ./awesome.tgz s3://mybucket/path/to/awesome/files/ --profile user2 (uses user2 profile defined in ~/.aws/credentials file)
  • 13. IAM least privilege rights • "Anything" with AWS access should have the minimal rights it needs to accomplish its specific actions • "Anything" with AWS access refers to the following: o IAM Users or Groups o IAM Roles / Instance Profiles • IAM Roles can be assumed by end users • Instance Profiles can be assigned to EC2 instances o Your applications or scripts (which use IAM Role or User creds) • Example: if an application only needs read access to files in S3, then create an IAM Role with only “GetObject” rights on S3.
  • 14. S3 IAM Policies • Granting access to an S3 bucket (Simple) • Granting access to specific “folders” in S3 bucket • S3 Actions { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::test"] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": ["arn:aws:s3:::test/*"] } ] }
  • 15. Amazon Resource Names (ARNs) • ARNs are unique identifiers for AWS resources. • Format of an ARN: o arn:partition:service:region:account-id:resource o arn:partition:service:region:account-id:resourcetype/resource o arn:partition:service:region:account-id:resourcetype:resource • Details of ARNs for each AWS Service o http://docs.aws.amazon.com/general/latest/gr/aws-arns-and- namespaces.html
  • 16. Elements of an IAM Policy • Main elements of an IAM Policy o Version o Statement • Main element of the policy • Contains an array of statements • Each statement defines whether permissions are allowed or denied for certain service actions against particular resources. These are defined by the values of the following elements in each statement: o Effect – Allow or Deny o Action – array of service actions o Resource – array of ARNs that actions can occur on o Principal – identifies who/what is allowed/denied access • Details on IAM Policy elements o http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_e lements.html
  • 17. Advanced uses of IAM Roles • IAM Roles can be “assumed” by: o IAM Users in the either the same or different AWS account o AWS services (EC2 instances or even another IAM Role) o External users authenticated outside of AWS (Federation) • IAM Roles provide enhanced security: o Temporary credentials • If credentials do get compromised they won’t be valid for long • “Long-lived” credentials are bad… mmmmmkkk o Users can be logged into AWS console without username/password o Temporary credentials + Least privilege permissions!!!
  • 18. AWS Federation • My real world scenario o Many AWS accounts o Many users needing access to 1 or many AWS accounts o Management of many of the “same” IAM Users and Groups across many AWS accounts • Equals… o Maintenance nightmare o Potential for security lapses when employee leaves company • What AWS accounts did the employee have access to? • Have to delete IAM User from each AWS account • Most mid to large companies have a central Identity Provider o Active Directory o Federation could also use social login providers
  • 19. …continued AWS Federation • We took a web application that uses SSO via SAML to authenticate with our corp AD o Runs in AWS on EC2 instance with Instance Profile that has rights to “assume” Roles o The IAM Roles that can be “assumed” can exist in any AWS account as long as a trust relationship is created. o IAM Roles are kept track of in the application DB o For each user of this web application 0 or more IAM Roles can be mapped to a user o The application can then retrieve temporary credentials from a Role on behalf of a user of the web application • AWS creds can be returned to user for local use • AWS console access can be granted based on permissions of the IAM Role • Simplified solution o Delete all IAM Users across all AWS accounts o Replace all IAM Groups with IAM Roles in each AWS account o One set of users (web application users) that can be granted access to any IAM Role from any AWS account. o Enhances security • If a user leaves the company they are removed from corporate AD, no longer have access to web application and therefore no more access to any AWS accounts • TEMPORARY AWS creds (only last 1 hour, AWS allowed max… for now) • Creating a URL that Enables Federated Access to the AWS Management Console o Java example code
  • 20. AWS Console Federated Username • Federated Login/Identifier uses the name of the IAM Role that was used plus a specified identifier. • It is cutoff in this image • AutomationFederationRoles-AutomationAdmins-1VGJS9PG5J8JO/erik.paulsson
  • 21. AWS Federation Local dev with temp creds • It is a pain for developers and cloud admins to work locally when AWS creds expire o Every hour have to: • Retrieve new AWS creds from web application • Copy/paste into local AWS credentials file • Solution o Wrote small GUI tool • Local thick client since it needs to write to file system • User authenticates to same web application using SSO still • Tool retrieves new credentials on hourly schedule from web application REST APIs • Writes these AWS credentials to local AWS credentials file o Tool allows users to retrieve creds for 0 or more of the IAM Roles they are allowed to use o A credentials profile name can be assigned to each o Used NW.js to build client (formerly known as “node-webkit”) • Single code base • Compiles to self executable for all platforms (Linux, Mac, Win) • No run-time dependencies (JRE, python, etc) o Just download and run
  • 22. Other Links • Advanced Assume Role using “policy” parameter: o http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.h tml • IDC White Paper: You can be more secure in the cloud than in your own data center • AWS in Plain English o https://www.expeditedssl.com/aws-in-plain-english

Editor's Notes