NOT FOR DISTRIBUTION AWS Access and Identity - IAM Section
IAM: Users & Groups
- IAM = Identity and Access Management, Global service
- Root account created by default, shouldn't be used or shared
- Users are people within your organization, and can be grouped
- Groups only contain users, not other groups
- Users don't have to belong to a group, and a user can belong to multiple groups
[Diagram: users Alice, Bob, Charles, David, Edward, Fred; groups Developers, Operations, Audit Team]
IAM: Permissions
- Users or Groups can be assigned JSON documents called policies
- These policies define the permissions of the users
- In AWS you apply the least privilege principle: don't give more permissions than a user needs

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "ec2:Describe*",
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": "elasticloadbalancing:Describe*",
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "cloudwatch:ListMetrics",
          "cloudwatch:GetMetricStatistics",
          "cloudwatch:Describe*"
        ],
        "Resource": "*"
      }
    ]
  }
IAM Policies inheritance
[Diagram: users Alice, Bob, Charles, David, Edward, Fred; groups Developers, Operations, Audit Team; inline policy]
IAM Policies Structure
Consists of:
- Version: policy language version, always include "2012-10-17"
- Id: an identifier for the policy (optional)
- Statement: one or more individual statements (required)
Statements consist of:
- Sid: an identifier for the statement (optional)
- Effect: whether the statement allows or denies access (Allow, Deny)
- Principal: account/user/role to which this policy applies
- Action: list of actions this policy allows or denies
- Resource: list of resources to which the actions apply
- Condition: conditions for when this policy is in effect (optional)
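The permissions slide shows a policy document and the structure slide names its fields; the example below, added here and not part of the course material or of AWS's own evaluation engine, loads the slide's policy, validates the Version/Statement/Effect fields described above, and decides whether a given action on a resource is allowed using the rule IAM applies: everything is denied by default, a matching Allow grants, and a matching Deny wins over any Allow. It also lists Allow statements that grant "*" or "service:*", which is the least-privilege review a practitioner runs on a policy before attaching it. The second policy (DENY_EXAMPLE_JSON) and its bucket ARN are constructed for the example; Principal, Condition, NotAction and NotResource are not handled.

```python
"""Minimal IAM policy evaluator (added example, not AWS's real evaluator)."""
import fnmatch
import json

# The policy from the permissions slide, reproduced as sample input.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*"],
     "Resource": "*"}
  ]
}"""

# Constructed policy: an over-broad Allow with an explicit Deny guard rail.
DENY_EXAMPLE_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::constructed-bucket*"},
    {"Sid": "GuardRail", "Effect": "Deny",
     "Action": ["s3:DeleteBucket", "s3:DeleteObject"], "Resource": "*"}
  ]
}"""


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value, case_insensitive):
    """IAM wildcards: '*' matches any run, '?' one character.
    Action names are matched case-insensitively; ARNs are case-sensitive."""
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def load_policy(text):
    """Parse a policy document and check the fields the structure slide lists."""
    policy = json.loads(text)
    if policy.get("Version") != "2012-10-17":
        raise ValueError("policy Version must be 2012-10-17")
    if "Statement" not in policy:
        raise ValueError("Statement is required")
    statements = _as_list(policy["Statement"])
    for s in statements:
        if s.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"bad Effect in statement {s.get('Sid', '?')}")
    return statements


def is_allowed(statements, action, resource="*"):
    """Default deny; a matching Deny beats any matching Allow."""
    allowed = False
    for s in statements:
        if "Action" not in s or "Resource" not in s:
            continue  # NotAction / NotResource are out of scope for this toy
        if (_matches(_as_list(s["Action"]), action, True)
                and _matches(_as_list(s["Resource"]), resource, False)):
            if s["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def wildcard_actions(statements):
    """Least-privilege review: Allow statements that grant '*' or 'service:*'."""
    findings = []
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        for a in _as_list(s.get("Action", [])):
            if a == "*" or a.endswith(":*"):
                findings.append(a)
    return findings


if __name__ == "__main__":
    stmts = load_policy(POLICY_JSON)
    for act in ("ec2:DescribeInstances", "ec2:TerminateInstances"):
        print(act, "->", "allow" if is_allowed(stmts, act) else "deny")
    print("over-broad grants:", wildcard_actions(load_policy(DENY_EXAMPLE_JSON)))
```

Running it shows the slide's policy granting describe/list calls only (ec2:TerminateInstances is denied by default because nothing allows it), and the constructed policy's "s3:*" being reported even though the Deny statement still blocks the delete actions.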
IAM – Password Policy
- Strong passwords = higher security for your account
- In AWS, you can set up a password policy:
  - Set a minimum password length
  - Require specific character types: including uppercase letters, lowercase letters, numbers, non-alphanumeric characters
  - Allow all IAM users to change their own passwords
  - Require users to change their password after some time (password expiration)
  - Prevent password re-use
Multi Factor Authentication - MFA
- Users have access to your account and can possibly change configurations or delete resources in your AWS account
- You want to protect your Root Accounts and IAM users
- MFA = password you know + security device you own
- Main benefit of MFA: if a password is stolen or hacked, the account is not compromised
[Diagram: Alice: Password + MFA device => Successful login]
MFA devices options in AWS
- Virtual MFA device: Google Authenticator (phone only), Authy (multi-device). Support for multiple tokens on a single device.
- Universal 2nd Factor (U2F) Security Key: YubiKey by Yubico (3rd party). Support for multiple root and IAM users using a single security key.
MFA devices options in AWS
- Hardware Key Fob MFA Device: provided by Gemalto (3rd party)
- Hardware Key Fob MFA Device for AWS GovCloud (US): provided by SurePassID (3rd party)
How can users access AWS?
- To access AWS, you have three options:
  - AWS Management Console (protected by password + MFA)
  - AWS Command Line Interface (CLI): protected by access keys
  - AWS Software Developer Kit (SDK) - for code: protected by access keys
- Access Keys are generated through the AWS Console
- Users manage their own access keys
- Access Keys are secret, just like a password. Don't share them
- Access Key ID ~= username
- Secret Access Key ~= password
Example (Fake) Access Keys
- Access key ID: AKIASK4E37PV4983d6C
- Secret Access Key: AZPN3zojWozWCndIjhB0Unh8239a1bzbzO5fqqkZq
- Remember: don't share your access keys
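Since access keys are equivalent to a username and password, the operational follow-up to "don't share them" is making sure they never land in logs, shell histories or repositories. The script below is an added example, not from the course or from AWS: it scans text for long-term (AKIA) and temporary (ASIA) access key IDs by their 20-character format and for 40-character secrets that sit next to a secret-key variable name, and redacts them while keeping the first eight characters of the key ID so an incident responder can still correlate the hit with the IAM user. The sample log lines are constructed; the AKIA/secret pair is AWS's published documentation placeholder, and the ASIA value is made up for the example.

```python
"""Detect and redact AWS access keys in text (added example; constructed input)."""
import re

# Long-term user keys start with AKIA, temporary STS keys with ASIA; 16 more
# upper-case alphanumerics follow, 20 characters in total.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A bare 40-character string is too common to flag alone, so secrets are only
# reported when they follow a secret-key style variable name.
SECRET_RE = re.compile(
    r"(?i)(aws_secret_access_key|secret[_ -]?access[_ -]?key)"
    r"\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)

# Constructed sample: a shell snippet and two log lines. The AKIA/secret pair is
# the placeholder AWS uses in its documentation; the ASIA value is invented.
SAMPLE = """[2024-03-01 10:02:11] app started, region=us-east-1
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[2024-03-01 10:02:12] sts:GetCallerIdentity ok for ASIAEXAMPLE000000001
[2024-03-01 10:02:13] request id 7f3a9c1e-constructed-trace-id
"""


def find_access_key_ids(text):
    """All access key IDs in the text, in order of appearance."""
    return ACCESS_KEY_ID_RE.findall(text)


def find_secrets(text):
    """Secret access keys that follow a secret-key variable name."""
    return [m.group(2) for m in SECRET_RE.finditer(text)]


def scan_lines(text):
    """(line number, kind) for every line carrying a credential, for alerting."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_ID_RE.search(line):
            hits.append((lineno, "access_key_id"))
        if SECRET_RE.search(line):
            hits.append((lineno, "secret_access_key"))
    return hits


def redact(text):
    """Mask credentials before the text is stored or forwarded.
    Key IDs keep their first 8 characters so the IAM user can be traced."""
    text = ACCESS_KEY_ID_RE.sub(lambda m: m.group(0)[:8] + "*" * 12, text)
    text = SECRET_RE.sub(lambda m: m.group(1) + "=[REDACTED]", text)
    return text


if __name__ == "__main__":
    for lineno, kind in scan_lines(SAMPLE):
        print(f"line {lineno}: {kind}")
    print(redact(SAMPLE))
```

In a real pipeline the same two regexes would sit in a pre-commit hook or a log shipper filter; a hit on an AKIA key means the key should be deactivated and rotated in IAM, not just removed from the file.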
What's the AWS CLI?
- A tool that enables you to interact with AWS services using commands in your command-line shell
- Direct access to the public APIs of AWS services
- You can develop scripts to manage your resources
- It's open-source: https://github.com/aws/aws-cli
- Alternative to using AWS Management Console
What's the AWS SDK?
- AWS Software Development Kit (AWS SDK)
- Language-specific APIs (set of libraries)
- Enables you to access and manage AWS services programmatically
- Embedded within your application
- Supports SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
- Mobile SDKs (Android, iOS, ...)
- IoT Device SDKs (Embedded C, Arduino, ...)
- Example: AWS CLI is built on AWS SDK for Python
[Diagram: Your Application -> AWS SDK]
IAM Roles for Services
- Some AWS services will need to perform actions on your behalf
- To do so, we will assign permissions to AWS services with IAM Roles
- Common roles: EC2 Instance Roles, Lambda Function Roles, Roles for CloudFormation
[Diagram: EC2 Instance (virtual server) with IAM Role -> Access AWS]
IAM Security Tools
- IAM Credentials Report (account-level): a report that lists all your account's users and the status of their various credentials
- IAM Access Advisor (user-level): Access Advisor shows the service permissions granted to a user and when those services were last accessed. You can use this information to revise your policies.
IAM Guidelines & Best Practices
- Don't use the root account except for AWS account setup
- One physical user = One AWS user
- Assign users to groups and assign permissions to groups
- Create a strong password policy
- Use and enforce the use of Multi Factor Authentication (MFA)
- Create and use Roles for giving permissions to AWS services
- Use Access Keys for Programmatic Access (CLI / SDK)
- Audit permissions of your account using IAM Credentials Report & IAM Access Advisor
- Never share IAM users & Access Keys
Shared Responsibility Model for IAM
AWS:
- Infrastructure (global network security)
- Configuration and vulnerability analysis
- Compliance validation
You:
- Users, Groups, Roles, Policies management and monitoring
- Enable MFA on all accounts
- Rotate all your keys often
- Use IAM tools to apply appropriate permissions
- Analyze access patterns & review permissions
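The security-tools slide introduces the IAM Credentials Report and the best-practices and shared-responsibility slides say what to check with it: MFA on every account, keys rotated often, the root account kept out of daily use. The script below, an added example that is not part of the course, turns those three rules into an automated audit over the report's CSV. The input is a constructed report trimmed to the columns the audit needs (column names follow the report's layout as this example assumes it; the real file has further columns for regions, services and signing certificates), and the account ID and user names are made up. Findings are returned as (user, code) pairs so they can be asserted on or fed to a ticketing system, and the reference date is fixed so the key-age check is reproducible.

```python
"""Audit an IAM credential report for MFA, key age and root-key findings (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the credential report CSV, trimmed to the
# columns used below. "<root_account>" is the user name the report gives the root user.
REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-01-10T08:00:00+00:00,not_supported,2024-02-01T09:00:00+00:00,not_supported,not_supported,false,true,2021-01-10T08:05:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-05-01T12:00:00+00:00,true,2024-02-28T10:00:00+00:00,2024-01-15T10:00:00+00:00,2024-04-14T10:00:00+00:00,true,true,2024-01-20T10:00:00+00:00,2024-02-28T10:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-05-01T12:00:00+00:00,true,2023-11-02T10:00:00+00:00,2023-06-01T10:00:00+00:00,2023-08-30T10:00:00+00:00,false,true,2023-01-05T10:00:00+00:00,no_information,true,2023-01-05T10:00:00+00:00,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-03-01T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-02-20T10:00:00+00:00,2024-02-29T10:00:00+00:00,false,N/A,N/A
"""

# Fixed "now" so the age computation in the example is reproducible.
REFERENCE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90


def _parse_ts(value):
    """The report uses N/A, no_information and not_supported where no date exists."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, code) findings: no_mfa, root_access_key_N, stale_key_N, unused_key_N."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        console_login = row["password_enabled"] == "true" or is_root
        # Rule 1: every account that can log in to the console must have MFA.
        if console_login and row["mfa_active"] != "true":
            findings.append((user, "no_mfa"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            # Rule 2: the root account should not have programmatic keys at all.
            if is_root:
                findings.append((user, f"root_access_key_{slot}"))
            # Rule 3: active keys older than the rotation window are stale.
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"stale_key_{slot}"))
            # An active key that has never been used is pure exposure; deactivate it.
            if _parse_ts(row[f"access_key_{slot}_last_used_date"]) is None:
                findings.append((user, f"unused_key_{slot}"))
    return findings


def audit_sample():
    """Run the audit over the constructed report at the fixed reference date."""
    return audit(REPORT_CSV, REFERENCE_NOW)


if __name__ == "__main__":
    for user, code in audit_sample():
        print(f"{user:15} {code}")
```

Against the sample, alice (MFA on, key rotated 41 days ago and in use) and deploy-bot (no console password, fresh key) produce no findings, while the root account and bob do; in production the CSV comes from the IAM console or the GetCredentialReport API, and the same function runs unchanged.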
IAM Section – Summary
- Users: mapped to a physical user, has a password for AWS Console
- Groups: contains users only
- Policies: JSON document that outlines permissions for users or groups
- Roles: for EC2 instances or AWS services
- Security: MFA + Password Policy
- AWS CLI: manage your AWS services using the command-line
- AWS SDK: manage your AWS services using a programming language
- Access Keys: access AWS using the CLI or SDK
- Audit: IAM Credential Reports & IAM Access Advisor