AWS
Account Security
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Question: How many AWS accounts does your organization use?
A. 1
B. 2–10
C. More than 10
D. I don’t know
Module overview
• Business requests
• Principals and identities
• Security policies
• Managing multiple accounts
• Module review
• Knowledge check
Business requirements
The security specialist needs to know:
• What are the best practices to manage access to AWS accounts and resources?
• How can we give users access to only the resources they need?
• What is the best way to manage multiple accounts?
Principals and identities
“What are the best practices to manage access to AWS accounts and resources?”
AWS account root user
A root user:
• Has full access to all AWS services
• Cannot be restricted in a single account model
• Should not be used for day-to-day interactions with AWS
Diagram: the root user signs in to the AWS account with the account email address and password.
AWS Identity and Access Management (IAM)
Use IAM to:
• Create and manage users, groups, and roles.
• Manage access to AWS services and resources.
• Analyze access controls.
Diagram: authentication (sign in to AWS with credentials), then authorization (IAM checks permissions), then the principal is allowed to carry out the request.
Principals
A principal:
• Can make a request for an action or operation on an AWS resource
• Can be a person, application, federated user, or assumed role
Diagram: an IAM user, an IAM role, an AWS service, and an identity provider (IdP) or federated user all act as principals making requests to an AWS account.
IAM users
AWS account
IAM users are users within an AWS account.
• Each user has their own credentials.
• They are authorized to perform specific AWS actions based on permissions.
Diagram: IAM users named Administrator, Developer, and Auditor access an Amazon S3 bucket, an Amazon EC2 instance, and the IAM user list.
IAM users and AWS API calls
Console access: AWS Management Console
Programmatic access: AWS Command Line Interface (AWS CLI) and AWS SDKs (Java, Python, .NET)
Diagram: an IAM user makes API calls through the AWS CLI or an AWS SDK.
Setting permissions with IAM policies
Diagram: an IAM policy is attached to IAM users such as an Amazon S3 administrator and an Auditor to set their permissions.
IAM user groups
• Assign IAM users to an IAM user group.
• Attach policies to an IAM user group to apply to all users within the group.
Diagram: three groups (Group: Admins, Group: Analysts, Group: Billing) containing the users Zhang, Richard, Ana, Maria, and Shirley; Richard appears in more than one group.
IAM roles
• Delegate set permissions to specific users or services.
• Users assume a role without sharing credentials with others.
• Permissions are only valid while operating under the assumed role.
Diagram: users in Group: Analysts (Richard, Ana, Shirley) call AssumeRole to take on the DevApp1 IAM role.
Assuming a role
Trusted entities (an IAM user, AWS services, or a federated user from a non-AWS identity provider) get access to resources in the production account as follows:
1. Use an API call to assume a role.
2. AWS STS returns temporary security credentials for the privileged access role.
3. Use the temporary security credentials to access the resources.
IAM policy assignments
Diagram: an IAM policy is assigned to an IAM user, an IAM group, or an IAM role; an IAM user assumes IAM roles, and the roles access AWS resources.
Security policies
“How can we give users access to only the resources they need?”
Security policy categories
Policy types that set maximum permissions:
• IAM permissions boundaries
• AWS Organizations service control policies (SCPs)
Policy types that grant permissions:
• IAM identity-based policies
• IAM resource-based policies
Granting permissions
• Identity-based policies are assigned to users, groups, and roles.
• Resource-based policies are assigned to resources.
• Resource-based policies are checked when someone tries to access the resource.
Diagram: the policy types that grant permissions are IAM identity-based policies and IAM resource-based policies.
Types of identity-based policies
Service access (AWS managed):
• AmazonEC2FullAccess
• AmazonEC2ReadOnlyAccess
Job function (AWS managed):
• AdministratorAccess
• Billing
• DataScientist
Custom policy (customer managed):
• Level9Admins
• EasternTeam
Identity-based policy example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "${aws:username}"
        }
      }
    }
  ]
}
A. Version: use this version date to use all of the available policy features.
B. Effect: indicate whether the policy allows or denies an action.
C. Action: include a list of actions that the policy allows or denies.
D. Resource: choose a list of resources to which the effect applies.
E. Condition (optional): specify the conditions under which the policy applies.
Explicit allow and explicit deny
This section from a policy allows access. This is called an explicit allow.
{
  "Effect": "Allow",
  "Action": [
    "s3:ListBucket",
    "s3:GetObject"
  ],
  "Resource": [
    "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
    "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
  ]
}
This section from a policy denies access. This is called an explicit deny.
{
  "Effect": "Deny",
  "Action": [
    "ec2:*",
    "s3:*"
  ],
  "Resource": "*"
}
How IAM policies are evaluated
1. Is the action explicitly denied? Yes: Deny.
2. If not, is the action explicitly allowed? Yes: Allow.
3. If not: Deny (implicit deny).
Using a resource-based policy
Account A (111122223333) attaches this bucket policy to DOC-EXAMPLE-BUCKET to let account B write into one folder:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccountBAccess",
      "Effect": "Allow",
      "Principal": {"AWS": "444455556666"},
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/folder123/*"
      ]
    }
  ]
}
The Principal element is required in a resource-based policy; the Sid is optional.
Defense in depth
Diagram: users assume a role governed by an identity-based IAM policy, reach Amazon S3 through a VPC endpoint governed by a VPC endpoint policy, and access documents in an S3 bucket governed by a resource-based bucket policy.
Note: Evaluate identity-based policies and resource-based policies together.
IAM permissions boundaries
Policy categories: IAM permissions boundaries set maximum permissions; IAM identity-based policies grant permissions.
IAM permissions boundaries:
• Limit the user's permissions
• Do not provide permissions on their own
Diagram: the permissions boundary limits the actions allowed by the identity-based policy.
Managing multiple accounts
“What is the best way to manage multiple accounts?”
Reasons to use multiple accounts
• Develop a multi-account strategy early.
• Refine as business needs evolve.
Diagram: reasons to use multiple accounts include many teams, security and compliance controls, billing, business process, and isolation.
Without AWS Organizations
• IAM policies only apply to individual principals in a single account.
• Policies to enforce restrictions must be managed within each account.
• The generation of multiple bills is required.
Diagram: AWS account #1 and AWS account #2 each hold their own user and their own IAM policy, so the work is duplicated within each account.
With AWS Organizations
• Create a hierarchy by grouping accounts into organizational units (OUs).
• Apply service control policies (SCPs) to control maximum AWS account permissions in every account under an OU.
• Take advantage of consolidated billing.
Diagram: an organization with a management account at the top, OUs beneath it, and AWS accounts inside each OU; an SCP attached at the OU level applies to every account under it.
How IAM policies interact with SCPs
• SCPs allow only what is at the intersection of IAM permissions and SCPs.
• SCPs do not grant permissions; they act as a filter.
Example: the Organizations SCP allows ec2:* and s3:*, and the IAM identity-based permissions allow ec2:* and iam:*. Only ec2:* is allowed, since it is the only permission present in both.
Using policies for a layered defense
• SCPs and permissions boundaries act as a filter to limit permissions.
Diagram: an API, AWS CLI, or console request passes first through the SCP (filter), then through the permissions boundary (filter), and is finally granted or denied by the identity-based policy.
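As an added illustration (not code from the AWS module), the following Python model applies the evaluation rules from the slides: for a single policy an explicit deny wins, then an explicit allow, otherwise the request is implicitly denied; an SCP or permissions boundary can only filter out what the identity-based policy grants. The policies, the ${aws:username} condition and the request contexts are constructed from the module's examples, and only StringEquals conditions are modelled.

```python
import fnmatch

# Constructed policies modelled on the module's slides (not AWS's own code).
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "${aws:username}"}}},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
# SCP from the "How IAM policies interact with SCPs" slide: only ec2:* and s3:* pass.
SCP = {"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, req):
    """True when Action, Resource and (StringEquals) Condition all match the request."""
    if not any(fnmatch.fnmatchcase(req["action"], a) for a in _as_list(statement["Action"])):
        return False
    resources = _as_list(statement.get("Resource", "*"))
    if not any(fnmatch.fnmatchcase(req["resource"], r) for r in resources):
        return False
    # Only StringEquals with ${aws:username} substitution is modelled (assumption).
    for key, wanted in statement.get("Condition", {}).get("StringEquals", {}).items():
        wanted = wanted.replace("${aws:username}", req["context"].get("aws:username", ""))
        if req["context"].get(key) != wanted:
            return False
    return True

def evaluate(policy, req):
    """One policy: explicit deny wins, then explicit allow, otherwise implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, req)}
    if "Deny" in effects:
        return "explicit deny"
    return "allow" if "Allow" in effects else "implicit deny"

def layered_decision(req, identity, scp=None, boundary=None):
    """SCPs and permissions boundaries only filter; the identity-based policy must grant."""
    for name, policy in (("SCP", scp), ("permissions boundary", boundary)):
        if policy is not None and evaluate(policy, req) != "allow":
            return f"deny (filtered by {name})"
    result = evaluate(identity, req)
    return "allow" if result == "allow" else f"deny ({result} in identity-based policy)"

def request(action, resource, user, owner_tag=None):
    """Request context carrying the keys the example Condition inspects."""
    ctx = {"aws:username": user}
    if owner_tag is not None:
        ctx["ec2:ResourceTag/Owner"] = owner_tag
    return {"action": action, "resource": resource, "context": ctx}
```

With these policies, Ana can start an instance tagged Owner=ana, cannot stop one tagged Owner=richard, and cannot call iam:CreateUser even though her identity-based policy allows iam:*, because the SCP filters it out.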
Review
Present solutions
Consider how you would answer the following questions:
• What are the best practices to manage access to AWS accounts and resources?
• How can we give users access to only the resources they need?
• What is the best way to manage multiple accounts?
Module review
In this module you learned about:
Principals and identities
Security policies
Managing multiple accounts
Next, you review:
Knowledge check
Knowledge check
Knowledge check question 1
Which of the following can be attached to a user, group, or role?
A Resource-based policies
B AWS STS
C Security groups
D Identity-based policies
Knowledge check question 1 and answer
Which of the following can be attached to a user, group, or role?
A Resource-based policies
B AWS STS
C Security groups
D Identity-based policies (correct)
Knowledge check question 2
Which of the following sets permissions on a specific resource and requires a principal to be listed in the policy?
A Identity-based policies
B Service control policies (SCPs)
C Resource-based policies
D Permissions boundaries
Knowledge check question 2 and answer
Which of the following sets permissions on a specific resource and requires a principal to be listed in the policy?
A Identity-based policies
B Service control policies (SCPs)
C Resource-based policies (correct)
D Permissions boundaries
Knowledge check question 3
Which of the following are elements of an IAM user’s programmatic access? (Select TWO.)
A Username
B Access Key ID
C Password
D Secret Access Key
E MFA token
Knowledge check question 3 and answer
Which of the following are elements of an IAM user’s programmatic access? (Select TWO.)
A Username
B Access key ID (correct)
C Password
D Secret access key (correct)
E MFA token
Knowledge check question 4
True or False: The root user should be used for daily administration of your AWS account.
A True
B False
Knowledge check question 4 and answer
True or False: The root user should be used for daily administration of your AWS account.
A True
B False (correct)
Knowledge check question 5
Which of the following can only be managed with AWS Organizations?
A Service control policies (SCPs)
B Resource-based policies
C Permissions boundaries
D Identity-based policies
Knowledge check question 5 and answer
Which of the following can only be managed with AWS Organizations?
A Service control policies (SCPs) (correct)
B Resource-based policies
C Permissions boundaries
D Identity-based policies