Security, Identity, and Access Management - Module 3 Part 1 - AWSome Day 2017
Transcript of Security, Identity, and Access Management - Module 3 Part 1 - AWSome Day 2017
Slide 1
© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
Module 3: Security, Identity, and Access Management
Slide 2
Physical & Environmental Security
Lock your data center. Only provide access to those who need it. Keep track of access. Mount servers on racks with locks. Have redundant utilities. Build your data center with security in mind.
Slide 3
Network Security
  Identification & Authentication
  Firewalls
  Patching
  Virus Protection
  Encryption
Slide 4
Shared Responsibility – AWS and Customer
Customer:
  Customer Data
  Platform, Applications, Identity and Access Management
  Operating System, Network and Firewall Configuration
  Client-side Data Encryption and Data Integrity Authentication
  Server-side Encryption (File System and/or Data)
  Network Traffic Protection (Encryption/Integrity/Identity)
AWS:
  Foundation Services: Compute, Storage, Database, Network
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Slide 5
Physical Security
  24/7 trained security staff
  AWS data centers in nondescript and undisclosed facilities
  Two-factor authentication for authorized staff
  Authorization for data center access
Slide 6
Hardware, Software, and Network
  Automated change-control process
  Bastion servers that record all access attempts
  Firewall and other boundary devices
  AWS monitoring tools
Slide 7
Certifications and Accreditations
ISO 9001, ISO 27001, ISO 27017, ISO 27018, IRAP (Australia), MLPS Level 3 (China), MTCS Tier 3 Certification (Singapore) and more …
Slide 8
Secure Transmission (SSL Endpoints): Establish secure communication sessions (HTTPS) using SSL/TLS.
Instance Firewalls (Security Groups): Configure firewall rules for instances using Security Groups.
Network Control (VPC): In your Virtual Private Cloud, create low-level networking constraints for resource access. Public and private subnets, NAT and VPN support.
Slide 9
AWS Multi-Tier Security Groups
Diagram: EC2 instances in a Web Tier, an Application Tier and a Database Tier, plus a Bastion host.
  HTTP: Ports 80 and 443 only open to the Internet
  SSH/RDP: Engineering staff have SSH/RDP access to Bastion Host
  All other internet ports blocked by default
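An audit of the design on this slide, added here as an example and not code from the AWSome Day deck: it reads security group rules in the shape returned by EC2 DescribeSecurityGroups and flags anything reachable from the Internet on ports other than 80/443, or SSH/RDP into a tier that does not come from the bastion's group. The group ids and CIDRs are constructed.

```python
# Added example: check security groups against the multi-tier design (80/443 to the
# Internet only; SSH/RDP into tiers only from the bastion). Input mimics the
# IpPermissions layout of EC2 DescribeSecurityGroups; ids and CIDRs are constructed.
INTERNET = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}
ADMIN_PORTS = {22, 3389}  # SSH and RDP

def rule_ports(rule):
    """Ports one ingress rule covers; None means all traffic (IpProtocol -1)."""
    if rule["IpProtocol"] == "-1":
        return None
    return set(range(rule["FromPort"], rule["ToPort"] + 1))

def audit_security_groups(groups, bastion_sg_id):
    """Return (group_id, finding) tuples for rules that break the multi-tier design."""
    findings = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            ports = rule_ports(rule)
            cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            peers = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
            label = "all traffic" if ports is None else f"{rule['IpProtocol']} {min(ports)}-{max(ports)}"
            # Only 80/443 may be reachable from the Internet, on any tier.
            if cidrs & INTERNET and (ports is None or not ports <= WEB_PORTS):
                findings.append((sg["GroupId"], f"Internet-exposed: {label}"))
            # SSH/RDP into the tiers must come from the bastion's security group only.
            if sg["GroupId"] != bastion_sg_id and (ports is None or ports & ADMIN_PORTS):
                if cidrs or peers - {bastion_sg_id}:
                    findings.append((sg["GroupId"], f"SSH/RDP not limited to bastion: {label}"))
    return findings

# Constructed sample: a compliant web tier and bastion, and a database tier that
# wrongly allows SSH from anywhere.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for group_id, finding in audit_security_groups(SAMPLE_GROUPS, "sg-bastion"):
        print(group_id, finding)
```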
Slide 10
AWS Identity and Access Management (IAM)
  1. Manage AWS IAM users and their access
  2. Manage AWS IAM roles and their permissions
  3. Manage federated users and their permissions
Slide 11
AWS IAM Authentication
  AWS Management Console: an IAM User authenticates with a User Name and Password.
Slide 12
AWS IAM Authentication
  AWS CLI or SDK API (Java, Python, .NET): an IAM User authenticates with an Access Key and Secret Key.
  Access Key ID: AKIAIOSFODNN7EXAMPLE
  Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Slide 13
AWS IAM User Management - Groups
Diagram: an AWS Account with a DevOps Group and a TestDev Group; Users A, B, C and D are members of these groups.
Slide 14
AWS IAM Authorization
Authorization: Policies are JSON documents that describe permissions. They are assigned to IAM Users, IAM Groups or IAM Roles.
Slide 21
AWS IAM Roles - Instance Profiles
  1. Create Instance
  2. Select IAM Role
  3. App & EC2 MetaData Service: http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename
  4. Application interacts with Amazon S3
Slide 22
AWS IAM Roles – Assume Role
Diagram:
  AWS Account A: IAM User A-1 (IAM Restricted Policy assigned); IAM Admin Role (IAM Admin Policy assigned)
  AWS Account B: IAM User B-1
  IAM User A-1 assumes the IAM Admin Role and accesses Amazon S3; IAM User B-1 in Account B likewise assumes the role and accesses Amazon S3.
Slide 23
Temporary Security Credentials (AWS STS)
Temporary Security Credentials consist of:
  Session Access Key Id
  Secret Access Key
  Session Token
  Expiration (15 minutes to 36 hours)
Use Cases:
  Cross account access
  Federation
  Mobile Users
  Key rotation for Amazon EC2-based apps
Slide 24
sts:AssumeRole
  IAM Role Permissions
  Permissions passed with AssumeRole [optional]
  Actual Permissions: the intersection of the IAM Role Permissions and the permissions passed with AssumeRole.
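A reduced evaluator that shows the intersection on this slide, added as an example rather than code from the deck or from AWS: the policy passed with AssumeRole can only narrow what the role's own policy grants, never widen it. It handles Effect, Action and Resource with `*` wildcards only; conditions, NotAction and resource-based policies are out of scope, and the policies are constructed.

```python
# Added example: simplified IAM evaluation for an assumed-role session. Effective
# permission = role policy AND (session policy passed with AssumeRole, if any).
# Matching is case-sensitive here, unlike real IAM action matching.
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def policy_allows(policy, action, resource):
    """One identity policy: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def session_allows(role_policy, action, resource, session_policy=None):
    """Effective permission of the session: the intersection of the role's policy
    and the optional policy passed with AssumeRole."""
    if not policy_allows(role_policy, action, resource):
        return False
    return session_policy is None or policy_allows(session_policy, action, resource)

# Constructed policies: the role may read and write one bucket; the caller scopes the
# session down to reads and tries, without effect, to add EC2 permissions.
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
SESSION_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for action in ("s3:GetObject", "s3:PutObject", "ec2:RunInstances"):
        print(action, session_allows(ROLE_POLICY, action, obj, SESSION_POLICY))
```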
Slide 25
AWS IAM Federation
IAM federation may be used for federated access to:
  AWS Management Console
  AWS APIs
Supported Identities:
  AWS Directory Service
  Microsoft Active Directory
  OpenID Connect (OIDC) such as Amazon Cognito and Login with Amazon
  SAML 2.0
Slide 26
Amazon Cognito Federation for Mobile Applications
Diagram: a User with a Mobile Client, an Identity Provider (Login with Amazon), and, in an AWS Region of the AWS Account, Cognito, AWS STS and DynamoDB.
  1. App accessed
  2. Redirect for authentication and receive an ID token
  3. Exchange ID token for Cognito token
  4. Exchange Cognito token for temporary AWS credentials
  5. Uses the temporary credentials to access AWS services
Slide 27
AWS IAM Federation using SAML 2.0
Diagram: in the Corporate Data Center, a User with a Client Application, an Identity Provider (Portal) and an Identity Store (LDAP); in an AWS Region of the AWS Account, AWS STS and Kinesis.
Flow:
  User Login
  Client app request to IDP
  Portal sends client SAML assertion
  App calls AssumeRoleWithSAML
  AWS returns temporary security credentials
  App uses credentials to access AWS resource
Slide 28
Application Authentication
Diagram layers: AWS IAM, Application (No Support), OS (No Support)
Slide 30
AWS IAM Best Practices
  Delete AWS account (root) access keys.
  Create individual IAM users.
  Use groups to assign permissions to IAM users.
  Grant least privilege.
  Configure a strong password policy.
  Enable MFA for privileged users.
Slide 31
AWS IAM Best Practices (cont.)
  Use roles for applications that run on Amazon EC2 instances.
  Delegate by using roles instead of by sharing credentials.
  Rotate credentials regularly.
  Remove unnecessary users and credentials.
  Use policy conditions for extra security.
  Monitor activity in your AWS account.
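A check for several of the practices on these two slides (no root access keys, MFA for console users, regular key rotation), added here as an example and not code from the deck: it reads an IAM credential report, the CSV that `aws iam get-credential-report` returns. The report below is constructed and trimmed to the columns the check uses; the account id and user names are placeholders.

```python
# Added example: audit a credential report for root access keys, missing MFA and
# unrotated access keys. REPORT is a constructed CSV in the credential-report column
# layout (trimmed); AS_OF is fixed so the result is reproducible.
import csv
import io
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 90
AS_OF = datetime(2017, 6, 5, tzinfo=timezone.utc)

REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2017-01-10T09:00:00+00:00,2017-06-01T12:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2017-05-20T09:00:00+00:00,2017-06-02T08:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,true,false,false,N/A,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,false,true,2016-11-01T09:00:00+00:00,2017-06-02T08:00:00+00:00
"""

def _parse(ts):
    """Credential reports use N/A / no_information where there is no timestamp."""
    return None if ts in ("N/A", "no_information", "") else datetime.fromisoformat(ts)

def audit_credential_report(report_csv, now):
    """Return (user, finding) tuples; `now` is passed in rather than read from the clock."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        key_active = row["access_key_1_active"] == "true"
        rotated = _parse(row["access_key_1_last_rotated"])
        if user == "<root_account>":
            if key_active:
                findings.append((user, "root access key is active: delete it"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console user without MFA"))
        if key_active and rotated and now - rotated > timedelta(days=ROTATION_DAYS):
            findings.append((user, f"access key older than {ROTATION_DAYS} days"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_credential_report(REPORT, AS_OF):
        print(user, finding)
```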
Slide 32
AWS Resource-Based Policies
  Are an alternative to IAM and supported by some services.
  Grant cross-account access to your resources.
  Use a principal to uniquely identify the account in the policy.
  Supported AWS services include: Amazon S3 Bucket Policy, Amazon SNS Topic Policy, Amazon SQS Queue Policy, Amazon Glacier Vault Policy, AWS OpsWorks Stack Policy, AWS Lambda Function Policy
Slide 39
© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved.
This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial
copying, lending, or selling is prohibited.
Errors or corrections? Email us at [email protected]. For all other questions, contact us at:
https://aws.amazon.com/contact-us/aws-training/.
All trademarks are the property of their owners.