AWS Identity and Access Management


AWS SECURITY | IAM FUNDAMENTALS

AWS Identity and Access Management


Gathering 2

Nino Gotsiridze, Technical Account Manager, AWS
Yazan Khalaf, Associate Solutions Architect, AWS

© 2022, Amazon Web Services, Inc. or its affiliates. © 2023, Amazon Web Services, Inc. or its affiliates.
Gathering Agenda
• 09:00 - 09:30 Gathering
• 09:30 - 10:20 Introduction to IAM
• 10:20 - 10:30 Short Break
• 10:30 - 11:20 AWS Least privileges journey
• 11:20 - 11:45 Break
• 11:45 - 12:35 Strategies for achieving least privileges
• 12:35 - 13:25 Optional: Meet the expert Q&A



Introduction to IAM
Starting your IAM Journey

Nino Gotsiridze
Technical Account Manager
AWS

Agenda
• Identity basics
• AWS Organizations
• IAM Policies
• IAM Tools



Building strong foundations

Identity, access, and resource management
Who can access what

Identity management (Who): name, credentials, metadata
Access management (Can access): policies, compliance
Resource management (What): isolation, grouping, tagging, sharing


AWS Cloud Service alignment

Services (figure columns): AWS Organizations, AWS IAM Identity Center, AWS Identity and Access Management, AWS Resource Groups, AWS Directory Service, Amazon Cognito, AWS Security Token Service, AWS Resource Access Manager

Functions (figure rows): Governance; Workforce Id. Mgmt.; Customer Id. Mgmt.; Access Mgmt.; Resource Mgmt.

Legend: Main function / Can play a role




Who can access what?

First understand an AWS account
Each AWS account is
• a resource container for AWS Cloud services (compute, networking & content delivery, storage, and much more)
• an explicit security boundary
• a container for cost tracking and billing
• a mechanism to enforce limits and thresholds, e.g. Service Quotas and API thresholds
+ users, groups, roles, policies

Over time, customers will add more accounts to support more applications and services.
AWS Organizations
Central governance and management across AWS accounts for a comprehensive multi-account AWS environment

• Manage and define your organisation and accounts
• Control access and permissions
• Audit, monitor, and secure your environment for compliance
• Share resources across accounts
• Centrally manage costs and billing

https://aws.amazon.com/organizations/getting-started/best-practices/


Ensure AWS accounts are governed
(Figure: an organization tree. The Org root contains a Prod organizational unit, split into Blue and Red, and a Dev organizational unit with a Test sub-unit; AWS accounts sit beneath these units.)


How to access AWS
Start with AWS IAM Identity Center

This enables you to
• Manage users and groups where they want; connect to AWS once
• Centrally assign and manage access to AWS accounts; AWS IAM Identity Center–integrated and cloud-based business applications
• Provide the IAM Identity Center user portal (AWS SSO user portal) to assigned AWS accounts, AWS and business applications
• Increase developer productivity with AWS Command Line Interface (AWS CLI) v2

(Figure: identity sources such as AWS Directory Service for Microsoft Active Directory, the IAM Identity Center identity store, or an external IdP feed AWS IAM Identity Center, which sits on top of AWS Organizations.)
One AWS access control model. You choose your identity source.

https://aws.amazon.com/blogs/aws/new-attributes-based-access-control-with-aws-single-sign-on/


AWS IAM Identity Center access management model

AWS account access
1. Choose identity source
2. Define role-oriented permission sets
3. Assign groups/users to permission sets in selected accounts

Application access
4. Connect cloud applications with SAML
5. Assign groups/users to applications


Who can access what?

AWS Access Management
Policy Categories

Guardrails: policies that set the maximum permission
Grants: policies that give permission

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
https://aws-samples.github.io/aws-iam-permissions-guardrails/guardrails/scp-guardrails.html




AWS Access Management
Policy Categories

Guardrails
• Organizations SCPs
• Tag Policies
• Backup Policies
• IAM Permissions Boundaries
• Session-based policies

Grants
• Identity-based policies
• Resource-based policies
• Object ACLs

SCP – Service Control Policy
ACL – Access Control List
Keep in mind, least privilege
The right access

To the right things

At the right time

To do their job

And nothing more



Evolution of “least privilege”
1. Separate workloads using multiple accounts
2. Federation using Identity and Access Management (IAM) roles
3. Prevention of access using permission guardrails
4. Review and refinement of permissions using AWS access analyzer
5. Fine-grained permissions using attribute-based access control (ABAC)


AWS resource management at cloud scale…
• Hundreds of AWS accounts
• Thousands of Amazon EC2 instances
• Billions of Amazon S3 objects
• Trillions of Amazon DynamoDB items
• and thousands of workloads


Managing AWS resources at scale in three steps
• Find my stuff: “Find all the resources that belong to Project Blue”
• Organize my stuff: “Group all of the resources that belong to Project Blue”
• Manage my stuff: “Allow only Project Blue developers to access the resources that are in Project Blue”

Standardise the tagging of your AWS resources
Tag Policies: define tag key capitalisation and allowed tag values (for example, catch “Project=bule” where “Project=Blue” was intended)

Tags can be attached to IAM principals (users or roles) and to AWS resources
Resulting in AWS providing fine-grained access controls
Control access based on (for example, allow developers to):
• Specific services: use Amazon EC2
• Specific actions: launch new instances…
• Specific resources: within a particular subnet…
• Specific conditions: in approved regions and cost centers


AWS service interaction with IAM
Security, identity, and compliance services

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html



AWS IAM policy structure

Sid
Effect

Principal

Action

Resource

Condition Block



AWS IAM policy structure example 1
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ViewAccountPasswordRequirements",
      "Effect": "Allow",
      "Action": "iam:GetAccountPasswordPolicy",
      "Resource": "*"
    },
    {
      "Sid": "ChangeOwnPassword",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser",
        "iam:ChangePassword"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}


AWS IAM policy structure example 2
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStopStartEC2forUser",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "${aws:username}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
AWS IAM policy evaluation logic. End-to-end
(Figure: a request passes through a sequence of Guardrails, Grants, Guardrails, Guardrails, Grants before a decision is reached.)
AWS IAM Tools

AWS IAM Tools – Policy generator
(Screenshot)

AWS IAM Tools – Policy simulator
(Screenshot)
https://policysim.aws.amazon.com/


How to remove unused permissions

Identify unused permissions for:
• User’s service last accessed timestamp
• Role’s last used timestamp
• Remove unused permissions with confidence


AWS IAM Tools – Access Analyzer
(Screenshots)

https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html


How to remove unused permissions
IAM ACCESS ANALYZER

Analyze access continuously
• Identify resources with public or cross-account access in your AWS accounts

Achieve the highest levels of security assurance
• Access Analyzer uses automated reasoning, a form of mathematical logic and inference, to determine all access paths

Remediate broad access
• Resolve or archive findings based on your security requirements

Centrally analyze access across your entire AWS Organizations accounts


Building your strong foundations

To learn more
• https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

• https://aws-samples.github.io/aws-iam-permissions-guardrails/guardrails/scp-guardrails.html

• https://aws.amazon.com/blogs/aws/new-attributes-based-access-control-with-aws-single-sign-on/

• https://aws.amazon.com/organizations/getting-started/best-practices/

• https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

• https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html

• https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html

• https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

• http://awspolicygen.s3.amazonaws.com/policygen.html / https://policysim.aws.amazon.com/

• https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html

• https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html

• https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html



Learn security with AWS Training and Certification
TRAINING CREATED BY AWS EXPERTS TO HELP YOU BUILD AND SHOWCASE CLOUD SECURITY SKILLS

Learn online with 25 free digital courses, including: AWS Security Fundamentals (2 hours) and Deep Dive with Security: AWS Identity and Access Management (8 hours)

Go deep with classroom training from accredited AWS expert instructors, available virtually, including: Security Engineering on AWS (3 days)

Build credibility and confidence with AWS Certifications, including: AWS Certified Security – Specialty

Visit aws.training/Security

Go build
https://wellarchitectedlabs.com/security/


Thank you!
Nino Gotsiridze

AWS EXPERIENCE TEL AVIV - SECURITY TRACK

A Least Privilege Journey
AWS IAM policies and Access Analyzer

Yazan Khalaf
Solutions Architect
AWS
Who can access what

Who: people and applications
Can access: permissions
What: resources
AWS Identity Overview



What you need to know about AWS Identity
Govern your AWS environment with AWS accounts and AWS Organizations
Centralize identity management with AWS IAM Identity Center
Rely on short-term credentials with federation and application roles
Organize your resources with tags and resource groups
Establish a data perimeter with policies and conditions
Journey to least privilege with AWS Identity and Access Management (IAM) policies and IAM Access Analyzer

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html

Permissions in AWS


Focus on access in AWS
Access control
Your job: specify
AWS’s job: enforce


Specify: The goal
Adhere to the principle of least privilege (POLP)
Grant users and systems the narrowest set of privileges to complete required tasks

Goals
• Business to innovate
• Agility to move fast
• Freedom for builders
• Dangerous action prevention
• Accountable security posture
• Cost-effective solutions


Specify: IAM policy language
{
  "Statement": [{
    "Effect": "effect",
    "Principal": "principal",
    "Action": "action",
    "Resource": "arn",
    "Condition": {
      "condition": {
        "key": "value"
      }
    }
  }]
}

Principal – the entity that is allowed or denied access
"Principal": {"AWS": "arn:aws:iam::123456789012:user/username"}

Action – the type of access that is allowed or denied
"Action": "secretsmanager:GetSecretValue"

Resource – the Amazon resources the action will act on
"Resource": "arn:aws:secretsmanager:us-east-2:111122223333:secret:yourusername"

Condition – the condition under which the access defined is valid
"StringEquals": {"aws:CalledViaFirst": "lambda.amazonaws.com"}
Specify: Tools to grant access
IAM principal policies
Attach policies to IAM identities (users, groups, or roles)
Managed policies are standalone and attached to multiple principals
Inline policies are attached directly to a single principal

Resource policies
• IAM roles (trust policies)
• Amazon Simple Storage Service (Amazon S3) buckets
• AWS Lambda functions
• AWS Key Management Service (AWS KMS) keys
• Amazon Simple Queue Service (Amazon SQS) queues
Specify: Tools to restrict access
• AWS Organizations service control policies (SCPs)
§ Permissions guardrails to restrict access for principals across accounts in your organization
• IAM permissions boundaries
§ Developers can manage permissions and control the maximum permissions they grant
• Amazon VPC endpoint policies
§ Require that traffic stays within your VPC
• Block public access
§ Block existing public access and ensure that public access is not granted to newly created items


Pro tip: Use the right permissions tool
• Service control policies (SCPs): restrict powerful actions except for admins
• Permissions boundaries: developers can manage roles safely
• IAM permissions policy and scoped-down policies: grant only the actions your role uses
• Resource-based policies and endpoint policies: grant direct, cross-account access


Enforce: Context and policies to evaluate

Context of AWS request
• action: terminateInstance
• resource: arn:aws:ec2:us-east-1:111122223333:instance/i-054dsfg34gdsfg38
• ResourceTag/project: CloudMigration
• PrincipalTag/project: CloudMigration
• CalledViaFirst: cloudformation.amazonaws.com

Policies evaluated (IAM)
• Allow; action: ec2:terminateInstance; resource: *; condition: ResourceTag/project: CloudMigration

Outcome: Allowed when the request context satisfies the policy, Denied otherwise.


Enforce: How AWS evaluates policies
• DENY: an explicit deny in any applicable policy overrides every allow
• If using SCPs: the SCP must allow
• If using permissions boundaries: the permissions boundary must allow
• If same-account access: the identity policy or the resource policy must allow (AWS KMS keys and IAM roles require the resource policy to allow)
• If direct, cross-account access: both the identity and the resource policy must allow
• If using a session policy: the session policy and the identity policy must allow
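The chain on the slide above, as an added example that is not from the deck: a toy evaluator that applies explicit deny, SCP, permissions boundary, identity/resource policy and session policy in that order. Statements match on Action/Resource only (conditions are left out), the policy shapes are simplified assumptions, and the KMS-key and IAM-role special case for resource policies is not modelled.

```python
# Added example, not from the deck: a toy model of the evaluation order on the
# slide above. Statements match on Action/Resource only (conditions are left
# out) and the policy shapes are simplified assumptions; the KMS-key and
# IAM-role special case for resource policies is not modelled.
import fnmatch


def _matches(pattern, value):
    """IAM-style wildcard match ('*' and '?') for actions and ARNs."""
    return fnmatch.fnmatchcase(value, pattern)


def _decision(policy, action, resource):
    """'Deny', 'Allow' or None (no matching statement) for one policy document."""
    if policy is None:
        return None
    result = None
    for stmt in policy.get("Statement", []):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt.get("Resource", "*")
        resources = resources if isinstance(resources, list) else [resources]
        if any(_matches(a, action) for a in actions) and any(_matches(r, resource) for r in resources):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny in a policy is final
            result = "Allow"
    return result


def evaluate(request, scp=None, boundary=None, identity=None,
             resource_policy=None, session=None, same_account=True):
    """Walk the slide's chain: explicit deny, SCP, boundary, identity/resource, session."""
    action, resource = request["action"], request["resource"]
    scp_d, pb_d, id_d, rp_d, sess_d = (
        _decision(p, action, resource) for p in (scp, boundary, identity, resource_policy, session))
    if "Deny" in (scp_d, pb_d, id_d, rp_d, sess_d):
        return "Denied (explicit deny)"
    if scp is not None and scp_d != "Allow":
        return "Denied (SCP does not allow)"
    if boundary is not None and pb_d != "Allow":
        return "Denied (permissions boundary does not allow)"
    if same_account and id_d != "Allow" and rp_d != "Allow":
        return "Denied (neither identity nor resource policy allows)"
    if not same_account and (id_d != "Allow" or rp_d != "Allow"):
        return "Denied (cross-account access needs both identity and resource policy)"
    if session is not None and (sess_d != "Allow" or id_d != "Allow"):
        return "Denied (session policy and identity policy must both allow)"
    return "Allowed"


# Constructed sample policies and requests (not from the deck)
SCP_ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_NO_IAM = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
IDENTITY_DEV = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "iam:CreateRole", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::example-bucket/*"}]}
GET_OBJECT = {"action": "s3:GetObject", "resource": "arn:aws:s3:::example-bucket/report.csv"}
CREATE_ROLE = {"action": "iam:CreateRole", "resource": "arn:aws:iam::111122223333:role/app"}

if __name__ == "__main__":
    print(evaluate(GET_OBJECT, scp=SCP_ALLOW_ALL, boundary=S3_ONLY, identity=IDENTITY_DEV))
    print(evaluate(CREATE_ROLE, scp=SCP_NO_IAM, identity=IDENTITY_DEV))
    print(evaluate(GET_OBJECT, resource_policy=BUCKET_POLICY, same_account=False))
```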
Specify: Granting AWS services access
• Service-linked roles (SLR): roles linked directly to an AWS service; permissions are predefined to only those required by the service to call other AWS services on your behalf. Examples: IAM Access Analyzer, Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling. Grant access to create SLRs for the services you use.
• Service roles: a role an AWS service assumes to perform actions on your behalf; you manage the permissions. Examples: Amazon EC2, Lambda. Specify the service in the trust policy.
• Requester permissions: AWS services use temporary credentials generated from the requester to perform actions on your behalf. Examples: AWS CloudFormation, encryption with AWS KMS. The principal needs access for all permissions AWS will use.


Least privilege is a journey

Getting to the right permissions
Data perimeter
Set, Verify, Refine

Setting permissions


Set: Tools to define policies
• Exploring AWS: start broader with AWS managed policies or custom templates
• Right sizing: generate and customize using policy generation with IAM Access Analyzer
• Specific conditions: author custom policies and validate by using policy validation with IAM Access Analyzer


Set: Policy generation with
IAM Access Analyzer
Helps you get to the right permissions more quickly by analyzing your access activity in AWS CloudTrail

Run your application or task

Request a policy from IAM Access Analyzer

IAM Access Analyzer gets to work

Customize further and apply



Set: Policy generation inputs
Run your application or task

Request a policy from IAM Access Analyzer
Tell us the following inputs from Step 1:
Ø Application role used
Ø Time period
Ø CloudTrail trail and access
Ø AWS Regions


Set: Policy generation analysis

IAM Access Analyzer gets to work
Ø Looks for all unique AWS actions
Ø Maps CloudTrail activity to IAM actions for 50+ services
Ø Generates policy that adheres to IAM policy language

Customize and apply
Ø Specify additional actions
Ø Specify resource-level permissions with templates
Pro tip: Become besties with conditions

Grant access to these actions, but only if these conditions are met

{
  "Effect": "Allow",
  "Action": [
    "ec2:StartInstances",
    "ec2:StopInstances"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {"ec2:ResourceTag/project": "CloudMigration"}
  }
}


Conditions: Deep dive
"Condition" : { "{condition-operator}" : { "{condition-key}" : "{condition-value}" }}

• condition-operator: specify the type of operator used to compare the value from the context to the value in the policy. Examples: StringEquals, StringLike. If you don’t have any wildcard characters, use StringEquals.
• condition-key: use predefined keys to look up the value in the context for policy comparison; you can use global condition keys or service-specific keys. Examples: PrincipalIsAWSService, ResourceTag/project. You cannot put a wildcard character in the condition key.
• condition-value: the value you define that is based on your permissions requirements. Examples: true, CloudMigration, ${PrincipalTag/project}. A single-valued condition key can be used as a variable for condition values.


Conditions: Using multiple conditions
Every policy statement stands on its own; if there is a match, the effect applies.
• AND: all condition operator/key pairs in the same statement must be met together
• OR: when one key lists several values, any one of them may match
• OR: separate statements are evaluated independently

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"CreateSLRs",
      "Effect":"Allow",
      "Action":"iam:CreateServiceLinkedRole",
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "aws:PrincipalServiceName":"access-analyzer.amazonaws.com"
        }
      }
    },
    {
      "Sid":"RoleCreate-CFN",
      "Effect":"Allow",
      "Action":"iam:CreateRole",
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "iam:PermissionsBoundary":"arn:aws:iam::111122223333:policy/business-plan-modify",
          "aws:CalledViaFirst":"cloudformation.amazonaws.com",
          "aws:RequestTag/project":["CloudMigration", "IPO"]
        }
      }
    }
  ]
}


Conditions: Using multi-value conditions
Compare values in context to the values in the policy
ForAllValues: Is the context a subset of the policy? If there are no mismatches, the condition applies
Reminder: An empty set is a subset of all other sets
ForAnyValue: Does the context intersect the policy? If there is at least one match, the condition applies

Examples, each with the policy value "aws:TagKeys": ["project","name"]
• ForAllValues:StringEquals, context aws:TagKeys = project, costcenter, name: not a subset, the condition does not apply
• ForAllValues:StringEquals, context aws:TagKeys with no values: subset, the condition applies
• ForAnyValue:StringEquals, context aws:TagKeys = project, bubbles: intersection, the condition applies
• ForAnyValue:StringEquals, context aws:TagKeys with no values: no intersection, the condition does not apply
Conditions: Noteworthy condition keys
• aws:ResourceTag: allow actions, but only if these tags exist (attribute-based access control)
• aws:RequestTag: create resources, but only with these tags (attribute-based access control)
• CalledViaFirst: allow actions, but only if requesting through this service (access through AWS CloudFormation)
• CalledViaLast: allow, but only if this is the last service acting on the resource (AWS KMS access to Amazon S3 bucket)
• PrincipalOrgID: allow actions, but only if the principal is from my organization (a condition for most resource policies)
• PrincipalArn: deny actions for all principals except this ARN (use in SCPs to deny with exceptions)
• PrincipalIsAWSService: restrict access to corporate IP and AWS services (use in SCPs when restricting SourceIP)
Using Conditions with Denies

Identity perimeter: deny access to principals if they are outside of my organization (PrincipalOrgID) and if they are not an AWS service (PrincipalIsAWSService). If the principal is from my organization or the principal is an AWS service (such as AWS CloudTrail or AWS Billing and Cost Management), do not deny.

{
  "Sid":"EnforceIdentityPerimeter",
  "Effect":"Deny",
  "Principal":"*",
  "Action":"s3:*",
  "Resource":[
    "arn:aws:s3:::your-bucket-name",
    "arn:aws:s3:::your-bucket-name/*"
  ],
  "Condition":{
    "StringNotEqualsIfExists":{
      "aws:PrincipalOrgID":"o-n8ecxxxxx"
    },
    "BoolIfExists":{
      "aws:PrincipalIsAWSService":"false"
    }
  }
}

Network perimeter: deny access if the call is made outside of my network (a list of IPs and VPCs) and the API call is not made by an AWS service principal (PrincipalIsAWSService) or by an AWS service using the caller’s identity (ViaAWSService).

{
  "Sid":"EnforceNetworkPerimeter",
  "Effect":"Deny",
  "Principal":"*",
  "Action":"s3:*",
  "Resource":[
    "arn:aws:s3:::your-bucket-name",
    "arn:aws:s3:::your-bucket-name/*"
  ],
  "Condition":{
    "StringNotEqualsIfExists":{
      "aws:SourceVpc":[
        "vpc-111bbb22",
        "vpc-222ccc33"
      ]
    },
    "NotIpAddressIfExists":{
      "aws:SourceIp":[
        "111.222.333.444/25",
        "555.666.777.888/29"
      ]
    },
    "BoolIfExists":{
      "aws:PrincipalIsAWSService":"false",
      "aws:ViaAWSService":"false"
    }
  }
}
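The condition semantics from the "Conditions" slides and the two Deny statements above, as an added example that is not from the deck: a small evaluator for Condition blocks covering the single-value operators, the ...IfExists forms, Bool, NotIpAddress, policy-variable substitution and the ForAllValues / ForAnyValue set operators with their empty-set behaviour. The sample contexts are constructed, the IP ranges are documentation addresses standing in for the slide's placeholders, and treating a missing key as a non-match for non-IfExists negated operators is an assumption of this model.

```python
# Added example, not from the deck: a small evaluator for IAM Condition blocks
# covering the operators on the slides above (StringEquals/StringLike, the
# ...IfExists variants, Bool, NotIpAddress, ForAllValues/ForAnyValue) with
# AND across keys, OR across listed values and ${key} variable substitution.
# Assumption: a missing key with a non-IfExists operator is treated as no
# match; the deck's Deny statements use the IfExists forms for that reason.
import fnmatch
import ipaddress
import re

_VAR = re.compile(r"\$\{([^}]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(policy_value, context):
    """Resolve ${key} policy variables such as ${aws:PrincipalTag/project}."""
    def repl(match):
        found = context.get(match.group(1))
        return found if isinstance(found, str) else match.group(0)
    return _VAR.sub(repl, policy_value) if isinstance(policy_value, str) else policy_value


def _compare(base, policy_value, ctx_value):
    """One policy value against one context value for a single operator."""
    if base == "StringEquals":
        return ctx_value == policy_value
    if base == "StringNotEquals":
        return ctx_value != policy_value
    if base == "StringLike":
        return fnmatch.fnmatchcase(ctx_value, policy_value)
    if base == "Bool":
        return str(ctx_value).lower() == str(policy_value).lower()
    if base in ("IpAddress", "NotIpAddress"):
        inside = ipaddress.ip_address(ctx_value) in ipaddress.ip_network(policy_value, strict=False)
        return inside if base == "IpAddress" else not inside
    raise ValueError("operator not modelled: " + base)


def _key_matches(operator, policy_values, context, key):
    set_op, base = None, operator
    for prefix, name in (("ForAllValues:", "all"), ("ForAnyValue:", "any")):
        if base.startswith(prefix):
            set_op, base = name, base[len(prefix):]
    if_exists = base.endswith("IfExists")
    if if_exists:
        base = base[:-len("IfExists")]
    negated = base.startswith("StringNot") or base.startswith("NotIp")
    ctx_values = [v for v in _as_list(context.get(key, [])) if v is not None]
    policy_values = [_substitute(v, context) for v in _as_list(policy_values)]
    if not ctx_values:                       # key absent from the request context
        if set_op == "all":
            return True                      # the empty set is a subset of every set
        return set_op is None and if_exists  # ...IfExists: a missing key counts as a match

    def one(ctx_value):                      # OR across listed values; negated ops need all
        hits = [_compare(base, p, ctx_value) for p in policy_values]
        return all(hits) if negated else any(hits)

    if set_op == "all":
        return all(one(v) for v in ctx_values)   # context is a subset of the policy
    if set_op == "any":
        return any(one(v) for v in ctx_values)   # context intersects the policy
    return one(ctx_values[0])


def evaluate_condition(condition, context):
    """A Condition block matches only if every operator/key pair matches (AND)."""
    return all(_key_matches(op, values, context, key)
               for op, keys in condition.items() for key, values in keys.items())


# The deck's Deny-statement conditions (the Deny applies when these are True); the
# IP ranges are constructed documentation addresses in place of the slide's placeholders.
IDENTITY_PERIMETER = {
    "StringNotEqualsIfExists": {"aws:PrincipalOrgID": "o-n8ecxxxxx"},
    "BoolIfExists": {"aws:PrincipalIsAWSService": "false"},
}
NETWORK_PERIMETER = {
    "StringNotEqualsIfExists": {"aws:SourceVpc": ["vpc-111bbb22", "vpc-222ccc33"]},
    "NotIpAddressIfExists": {"aws:SourceIp": ["203.0.113.0/25", "198.51.100.0/29"]},
    "BoolIfExists": {"aws:PrincipalIsAWSService": "false", "aws:ViaAWSService": "false"},
}
TAGKEYS_ALL = {"ForAllValues:StringEquals": {"aws:TagKeys": ["project", "name"]}}
TAGKEYS_ANY = {"ForAnyValue:StringEquals": {"aws:TagKeys": ["project", "name"]}}
ABAC = {"StringEquals": {"ec2:ResourceTag/project": "${aws:PrincipalTag/project}"}}

if __name__ == "__main__":
    print(evaluate_condition(IDENTITY_PERIMETER, {}))                      # anonymous caller: denied
    print(evaluate_condition(NETWORK_PERIMETER, {"aws:SourceIp": "203.0.113.7"}))  # inside: not denied
    print(evaluate_condition(TAGKEYS_ALL, {"aws:TagKeys": []}))            # empty set: applies
```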
Set: Policy validation with IAM Access Analyzer
Makes it easier to author secure and functional policies with more than 100 checks

• Security warnings: a policy contains access that can be overly permissive
• Errors: a policy contains errors that prevent the policy from functioning
• General warnings: a policy doesn’t conform to best practices, but the issues are not security risks
• Suggestions: a policy contains statements to be improved but doesn’t impact the permissions of the policy

We are always adding new checks! Let us know if you have an idea
Verifying permissions



Verify: Inspecting overly permissive access
• Public and cross-account access: findings using IAM Access Analyzer
• PassRole access: security warnings using policy validation with IAM Access Analyzer
• Powerful permissions: service and action last accessed


Pro tip: Restrict public and cross-account access
• Block public access: easy control to limit public access to Amazon S3 resources that is enforced regardless of how the resources are created
• Condition: PrincipalArn: restrict access to a specific principal, or deny access to all but a specific principal
• Condition: PrincipalOrgID: require all principals accessing the resource to be from an account in the AWS organization
• Condition: PrincipalServiceName: restrict access to specific AWS service principals, such as cloudtrail.amazonaws.com


Verify: Findings with IAM Access Analyzer
Identify and remediate public and cross-account access
• Enable IAM Access Analyzer in your account or organization
• Continuously monitors and reviews access controls across seven resource types
• Uses automated reasoning to determine public or cross-account access
• Generates findings for you to review and determine if they match your intent
• Verify public and cross-account access by previewing access as you modify resource policies
Refining permissions



Refine: Tools to identify unused access
• Roles and IAM users: role last used and access key last used
• Unused permissions: service and action last accessed
• Multi-account restrictions (AWS account): service last accessed for SCPs
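The "service last accessed" refinement step above, as an added example that is not from the deck: given an identity policy and last-accessed data shaped like the IAM GetServiceLastAccessedDetails response (ServicesLastAccessed entries carrying a ServiceNamespace and, when the service was ever used, a LastAuthenticated datetime), it lists the service namespaces the policy grants that the principal has not used inside a review window. The policy and report entries are constructed.

```python
# Added example, not from the deck: compare the services an identity policy
# grants with last-accessed data shaped like the IAM GetServiceLastAccessedDetails
# response (ServicesLastAccessed entries with ServiceNamespace and, when the
# service was ever used, a LastAuthenticated datetime). The data is constructed.
from datetime import datetime, timedelta, timezone


def granted_namespaces(policy):
    """Service prefixes (e.g. 's3') granted by Allow statements; '*' means every service."""
    namespaces = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            namespaces.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return namespaces


def unused_namespaces(policy, services_last_accessed, now, window_days=90):
    """Granted namespaces with no authenticated use within window_days (sorted)."""
    cutoff = now - timedelta(days=window_days)
    used_recently = set()
    for entry in services_last_accessed:
        last = entry.get("LastAuthenticated")  # absent when the service was never used
        if last is not None and last >= cutoff:
            used_recently.add(entry["ServiceNamespace"].lower())
    granted = granted_namespaces(policy)
    if "*" in granted:  # wildcard grant: every reported service is a candidate
        granted = {e["ServiceNamespace"].lower() for e in services_last_accessed}
    # Service-level data only: an action-level review ("service and action last
    # accessed") can trim the remaining services further before anything is removed.
    return sorted(granted - used_recently)


NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
DEV_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed policy
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Deny", "Action": "kms:*", "Resource": "*"},
]}
LAST_ACCESSED = [  # constructed report entries
    {"ServiceNamespace": "s3", "ServiceName": "Amazon S3",
     "LastAuthenticated": NOW - timedelta(days=3), "TotalAuthenticatedEntities": 1},
    {"ServiceNamespace": "ec2", "ServiceName": "Amazon EC2",
     "LastAuthenticated": NOW - timedelta(days=200), "TotalAuthenticatedEntities": 1},
    {"ServiceNamespace": "iam", "ServiceName": "AWS IAM", "TotalAuthenticatedEntities": 0},
]

if __name__ == "__main__":
    print(unused_namespaces(DEV_POLICY, LAST_ACCESSED, NOW))       # 90-day window
    print(unused_namespaces(DEV_POLICY, LAST_ACCESSED, NOW, 365))  # one-year window
```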


Permissions challenges



Challenge: Pick the right tool
Task 1
Require a specific tag key and value when creating a secret in AWS Secrets Manager

Block public access Identity policy Resource policy

Task 2
Implement a guardrail so that no one outside your organization can access data in a bucket

Resource policy Service control policy Permissions boundary


Challenge: Pick the condition key
Task 3
Prevent everyone but your network admin from creating and attaching internet gateways

aws:PrincipalARN aws:CalledVia aws:PrincipalOrgID

Task 4
Allow the creation of infrastructure, but only when using CloudFormation

aws:PrincipalIsAWSService aws:PrincipalServiceName aws:CalledViaFirst


Challenge: True or false?
• If you need to evaluate more than one type of condition together, you keep them in the same statement: TRUE
• You can always use any condition key anywhere in an IAM policy: FALSE
• If you have a list of condition values, you always need to use ForAllValues or ForAnyValue: FALSE


Pro tips: Recap
Use the right permissions tool

Become besties with conditions

Restrict public and cross-account access

Restrict PassRole permissions

Enable IAM Access Analyzer

Validate your policies

Use policy generation with IAM Access Analyzer


Thank you!
Yazan Khalaf
Solutions Architect
AWS

Strategies for achieving least privilege

Yazan Khalaf
Solutions Architect
AWS
The goal
Principle of least privilege
Grant users and systems the narrowest set of privileges to complete required tasks.


Balancing the goal

Things you do want
• Business to innovate
• Agility to move quickly
• Freedom for builders

Things you don’t want
• Dangerous actions
• Unaccountable teams
• Expensive resources


How do they pursue least privilege?

LEAST PRIVILEGE IS A JOURNEY

Mental model: Journey = Least privilege
Feedback loops: set permissions, verify access, refine permissions, and repeat


Strategies for implementing least privilege in IAM

3P strategies
• Plan: 3 strategies
• Policy: 3 strategies
• Process: 3 strategies


Strategies for least privilege
Plan 1. Begin with coarse-grained controls
(The remaining Plan, Policy and Process strategies are introduced on later slides.)


#1 (Plan): Begin with coarse-grained controls

Identify broad, coarse-grained controls (start here)
§ Multi-account strategy
§ Service control policies (SCPs)
§ Block public access

Then tailor with fine-grained access control
§ Additional guardrails
§ AWS KMS encryption
§ Conditions, tags

(Figure: AWS Organizations contains an organizational unit with accounts; each account has its network/endpoints, principals and resources. Start coarse-grained at the organization level, then move to fine-grained access control inside the account.)
#1 (Plan): Begin with coarse-grained controls
CONSIDER DATA PERIMETERS

Set data perimeters’ definition based on control objectives
Controls: multi-account strategy, service control policies, resource-based policies, VPC endpoint policies

Data perimeters and their condition keys
• Identity: PrincipalOrgID
• Resource: ResourceOrgID
• Network: SourceIp, SourceVpc, SourceVpce


More info and resources

Strategies for least privilege
Plan 1. Begin with coarse-grained controls
Plan 2. Use accounts as strong boundaries around resources


#2 (Plan): Use accounts as strong boundaries around
resources

Single account Multiple accounts


© 2023, Amazon Web Services, Inc. or its affiliates.
#2 (Plan): Use accounts as strong boundaries around resources

Example organization layout:
• Dev OU: Project ABC, Project PQR, Test account
• Prod OU: Production accounts
• Business OU: Finance team, Audit team, Biz dev team
#2 (Plan): Use accounts as strong boundaries around resources

IAM Access Analyzer cross-account access findings
• Analyze access continuously
• Comprehensive findings
• Recognize broad access

Workflow:
1. Create an analyzer
2. Review active findings
3. Archive intended access
4. Remove unintended access


Strategies for least privilege

Plan 1. Begin with coarse-grained controls
Plan 2. Use accounts as strong boundaries around resources
Plan 3. Prioritize short-term credentials


#3 (Plan): Prioritize short-term credentials

Prefer short-term credentials over long-term credentials.

Benefits of short-term credentials:
• Temporary (minutes to hours)
• You don't have to rotate them or explicitly revoke them
• You don't have to embed them within an application


#3 (Plan): Prioritize short-term credentials

IAM roles are the source of short-term credentials:

Credentials for builders
• Console: direct IAM federation or IAM Identity Center federation
• Programmatic: IAM Identity Center + AWS CLI

Credentials for applications
• Compute: IAM roles for Amazon EC2, AWS Lambda, etc.
• Cross-account: IAM roles and external ID
#3 (Plan): Prioritize short-term credentials

Protecting secrets

Diagram (AWS Cloud): AWS Secrets Manager holds the secret, encrypted with an AWS KMS key; an AWS Lambda function retrieves the secret, and automatic rotation through a second AWS Lambda function rotates the Amazon DocumentDB credential.


Strategies for least privilege

Plan 1. Begin with coarse-grained controls
Plan 2. Use accounts as strong boundaries around resources
Plan 3. Prioritize short-term credentials
Policy 4. Enforce broad security invariants


#4 (Policy): Enforce broad security invariants

Invariants: conditions that should always be true.

Diagram: service control policies attached in AWS Organizations at the organizational unit apply to every account beneath it, regardless of the network/endpoints, principals and resources inside each account.


#4 (Policy): Enforce broad security invariants

Examples of invariants enforced with service control policies:
• Block access for the root user
• Disable access to Regions
• Prevent disabling AWS CloudTrail, Amazon CloudWatch, Amazon GuardDuty


#4 (Policy): Enforce broad security invariants

EXAMPLE SERVICE CONTROL POLICY

Deny changes to the account-level S3 Block Public Access setting for every principal except a role named admin. The ...IfExists suffix means the deny also applies when aws:PrincipalArn is absent from the request context.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:PutAccountPublicAccessBlock",
      "Resource": "*",
      "Condition": {
        "ArnNotLikeIfExists": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/admin"
        }
      }
    }
  ]
}


#4 (Policy): Enforce broad security invariants

MORE EXAMPLES OF SERVICE CONTROL POLICIES
• Example service control policies
• AWS Control Tower guardrail reference


Strategies for least privilege

Plan 1. Begin with coarse-grained controls
Plan 2. Use accounts as strong boundaries around resources
Plan 3. Prioritize short-term credentials
Policy 4. Enforce broad security invariants
Policy 5. Identify the right tool for the job


#5 (Policy): Identify the right tool for the job

NOT EVERY TASK NEEDS A HAMMER

Tools for restricting access:
• Service control policies
• Permissions boundaries
• VPC endpoint policies
• Block public access


#5 (Policy): Identify the right tool for the job

NOT EVERY TASK NEEDS A HAMMER

Tools for granting access:
• IAM principal policies: attach policies to IAM identities (users, groups, and roles)
  – Managed policies
  – Inline policies
• Resource policies, for example on IAM roles (trust policies), Amazon S3 buckets, AWS Lambda functions, AWS KMS keys and Amazon SQS queues


#5 (Policy): Identify the right tool for the job

Who can access what?

Policies attached to principals state what the principal may do:

{
  "Effect": "Allow",
  "Action": "...",
  "Resource": "...",
  "Condition": {...}
}

Policies attached to resources additionally name the principal (the "who"):

{
  "Effect": "Allow",
  "Principal": "...",
  "Action": "...",
  "Resource": "...",
  "Condition": {...}
}
#5 (Policy): Identify the right tool for the job

EVALUATION MODEL: GRANTS AND DENIES

• Organizations SCP ∩ identity-based policy = effective permissions
• Permissions boundary ∩ identity-based policy = effective permissions
• Identity-based policy ∪ resource-based policy = total permissions (within the same account)


#5 (Policy): Identify the right tool for the job

PUTTING IT ALL TOGETHER

Blog: IAM policy types: How and when to use them


Strategies for least privilege

Plan 1. Begin with coarse-grained controls
Plan 2. Use accounts as strong boundaries around resources
Plan 3. Prioritize short-term credentials
Policy 4. Enforce broad security invariants
Policy 5. Identify the right tool for the job
Policy 6. Empower developers to author application policies


#6 (Policy): Empower developers to author application policies

Developer (knows the application's intent): "I need to create a role and policy for my Lambda function."
Admin (knows a lot about identity and security): "I'll write it for you!"
#6 (Policy): Empower developers to author application policies

Mental model: bottlenecks. When every developer has to go through a central team, and that team through operators, for each policy, the central team becomes the bottleneck. Reduce or remove those constraints.


#6 (Policy): Empower developers to author application policies

Developers know what their app's intent is, and their app needs new permissions.

Problem: how can developers safely create new permissions?


#6 (Policy): Empower developers to author application policies

Three approaches: a hands-on approach; set up processes and automation; use native tools.


#6 (Policy): Empower developers to author application policies

Permissions boundaries
• Maximum permissions allowed
• Net effective permissions = identity-based policy ∩ permissions boundary
• Use conditions to restrict further

With permissions boundaries, your development team can safely create new roles and policies:
• Builders can safely create new roles and policies.
• Require that another policy (the permissions boundary) be attached to the role.
• The effective permission of the role is the intersection of the two policies.
• The new roles' maximum permissions are bounded!
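To make the evaluation model concrete, here is an added example (not code from the deck or from AWS) that evaluates constructed requests against three layers: the slide's SCP from #4 plus a resource data-perimeter statement keyed on aws:ResourceOrgID (#1), a permissions boundary (#6) and a developer-written identity policy, following the "grants and denies" picture from #5. The organization ID, account number, role names and bucket are assumptions; the evaluator is deliberately simplified (no NotAction/NotResource, policy variables, session policies or resource-based policies), and it uses a literal org ID where AWS's published pattern uses ${aws:PrincipalOrgID}.

```python
"""Illustrative IAM-style evaluator for the 'grants and denies' model (added example).
Effective permission = SCP ∩ permissions boundary ∩ identity-based policy, and any
explicit Deny wins. Not AWS's engine: NotAction/NotResource, policy variables,
session policies and resource-based policies are deliberately not modeled."""
import re
from typing import Dict, List, Optional


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' exactly one.
    Action names compare case-insensitively; ARNs and condition values do not."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_ok(cond: Dict, ctx: Dict[str, str]) -> bool:
    """Supports String(Not)Equals and Arn(Not)Like, each optionally suffixed IfExists.
    IfExists: a key missing from the request context makes the condition true (documented
    IAM behaviour). Without IfExists a missing key fails the condition (simplified here)."""
    for op, pairs in cond.items():
        base, if_exists = (op[:-8], True) if op.endswith("IfExists") else (op, False)
        negate = base in ("StringNotEquals", "ArnNotLike")
        for key, want in pairs.items():
            if key not in ctx:
                if if_exists:
                    continue
                return False
            wants = _as_list(want)
            hit = any(_glob(w, ctx[key]) for w in wants) if base.startswith("Arn") else ctx[key] in wants
            if hit == negate:  # positive operators need a hit, negated ones need none
                return False
    return True


def _applies(stmt: Dict, action: str, resource: str, ctx: Dict[str, str]) -> bool:
    return (any(_glob(a, action, ignore_case=True) for a in _as_list(stmt.get("Action", [])))
            and any(_glob(r, resource) for r in _as_list(stmt.get("Resource", "*")))
            and _condition_ok(stmt.get("Condition", {}), ctx))


def decide(policy: Dict, action: str, resource: str, ctx: Dict[str, str]) -> Optional[str]:
    """'Deny' if any matching statement denies, 'Allow' if one allows, None for implicit deny."""
    verdict = None
    for stmt in policy["Statement"]:
        if _applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def is_allowed(action: str, resource: str, ctx: Dict[str, str], *, scp: Dict,
               identity: Dict, boundary: Optional[Dict] = None) -> bool:
    """Every layer present must say Allow: an explicit or implicit deny in any layer blocks."""
    layers = [p for p in (scp, boundary, identity) if p is not None]
    return all(decide(p, action, resource, ctx) == "Allow" for p in layers)


ORG_ID = "o-exampleorg"  # constructed organization ID

# SCP: the default FullAWSAccess allow plus two invariants: the slide's deny on changing
# Block Public Access for anyone but an 'admin' role, and a resource data-perimeter deny
# keyed on aws:ResourceOrgID (literal org ID here; AWS's pattern uses ${aws:PrincipalOrgID}).
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:PutAccountPublicAccessBlock", "Resource": "*",
     "Condition": {"ArnNotLikeIfExists": {"aws:PrincipalArn": "arn:aws:iam::*:role/admin"}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringNotEqualsIfExists": {"aws:ResourceOrgID": ORG_ID}}},
]}

# Permissions boundary an admin requires on developer-created roles: S3 and CloudWatch Logs only.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "logs:*"], "Resource": "*"}]}

# Identity policy the developer wrote for the role; iam:CreateUser over-reaches.
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:GetObject", "s3:PutAccountPublicAccessBlock", "iam:CreateUser"]}]}


def demo() -> Dict[str, bool]:
    """Six constructed requests against the policies above."""
    obj = "arn:aws:s3:::example-bucket/report.csv"
    reader = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/app-reader", "aws:ResourceOrgID": ORG_ID}
    admin = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/admin", "aws:ResourceOrgID": ORG_ID}
    foreign = {**reader, "aws:ResourceOrgID": "o-someoneelse"}  # bucket owned outside the org
    no_arn = {"aws:ResourceOrgID": ORG_ID}  # request context without aws:PrincipalArn
    stack = dict(scp=SCP, boundary=BOUNDARY, identity=IDENTITY)
    bpa = "s3:PutAccountPublicAccessBlock"
    return {
        "reader reads object in org": is_allowed("s3:GetObject", obj, reader, **stack),
        "reader reads object outside org": is_allowed("s3:GetObject", obj, foreign, **stack),
        "reader creates IAM user": is_allowed("iam:CreateUser", "*", reader, **stack),
        "reader changes block public access": is_allowed(bpa, "*", reader, **stack),
        "admin changes block public access": is_allowed(bpa, "*", admin, **stack),
        "no principal ARN changes block public access": is_allowed(bpa, "*", no_arn, **stack),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {case}")
```

Two of the cases are the ones practitioners most often get wrong: iam:CreateUser is allowed by the developer's policy but never reaches the effective set because the boundary does not include it, and the request with no aws:PrincipalArn is denied because ...IfExists turns a missing key into a match for the Deny statement.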
#6 (Policy): Empower developers to author application policies

IAM Access Analyzer policy generation
• Reviews CloudTrail
• Generates a fine-grained policy
• Provides resource placeholders


#6 (Policy): Empower developers to author application policies

IAM Access Analyzer policy generation, step by step:
1. Select a time window and select the trail
2. Set up a service role
3. Review and create the policy
Strategies for least privilege

Plan 1. Begin with coarse-grained controls
Plan 2. Use accounts as strong boundaries around resources
Plan 3. Prioritize short-term credentials
Policy 4. Enforce broad security invariants
Policy 5. Identify the right tool for the job
Policy 6. Empower developers to author application policies
Process 7. Maintain well-written policies


#7 (Process): Maintain well-written policies
• Identify different use cases
• Create templates
• Maintain repositories


#7 (Process): Maintain well-written policies

Out of all AWS services and actions, the build tool's permissions and the possible set of application permissions are different subsets: developer needs != application needs. Each application (App1, App2, App3) needs its own subset, which may vary per environment.


#7 (Process): Maintain well-written policies

Policy variety across accounts, from low to high:
• Default policies: common across accounts (low variety)
• Permissions boundaries: low amounts of variation
• Policies for applications: bespoke/customized (high variety)


Strategies for least privilege

Plan 1. Begin with coarse-grained controls
Plan 2. Use accounts as strong boundaries around resources
Plan 3. Prioritize short-term credentials
Policy 4. Enforce broad security invariants
Policy 5. Identify the right tool for the job
Policy 6. Empower developers to author application policies
Process 7. Maintain well-written policies
Process 8. Peer-review and validate policies


#8 (Process): Peer-review and validate policies

YOU DON'T HAVE TO JOURNEY ALONE

Mental model: feedback loops. Feedback comes from eyeballs (peer review) and from automation.


#8 (Process): Peer-review and validate policies

IAM Access Analyzer policy validation
1. Available via the AWS Management Console, API, and CLI
2. Use the policy editor in IAM, Amazon S3, or IAM Identity Center
3. In the policy editor, choose the JSON tab
4. View the findings in the validation pane below the policy

Finding types:
• Error: prevents the policy from functioning
• Security warning: access is overly permissive
• General warning: policy doesn't conform to best practices
• Suggestion: AWS recommends improvements


#8 (Process): Peer-review and validate policies

YOU DON'T HAVE TO JOURNEY ALONE

Infrastructure as code (IaC)
• Store your IAM policies in version-control systems
• IAM policies can be written and deployed as AWS CloudFormation
• Can easily test and deploy to multiple accounts
• Can use CloudFormation testing tools


#8 (Process): Peer-review and validate policies

Validation pipeline (IDE integrations and pre-commit hooks run before the commit stage):

Commit stage
• Source code step: application code, IaC, CloudFormation template including IAM policies
• Peer review

Validation stage
• CloudFormation lint step: CloudFormation template verification
• Policy check step: check IAM policies using AWS policy checks (IAM Access Analyzer policy validation)
• Other test steps

Deploy stage
• Deploy step: deploy the template

AWS Security Blog: Validate IAM policies in CloudFormation templates using IAM Access Analyzer
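As an added example of what a pre-commit hook in the commit stage can do before the real policy check runs, the script below lints IAM policy JSON and reports findings in the four categories listed on the validation slide. It is not the deck's code and its rules are this example's own simplified checks, not IAM Access Analyzer's rule set (use Access Analyzer policy validation, or cfn-policy-validator from the notable mentions, for the authoritative findings). The sample policy it lints is constructed.

```python
"""Pre-commit style IAM policy linter (added example with its own simplified rules).
Reports ERROR / SECURITY_WARNING / GENERAL_WARNING / SUGGESTION findings and returns a
non-zero exit status when a blocking category is present, so a hook can stop the commit."""
import json
import sys
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, int, str]  # (category, statement index, message); index -1 = whole policy
CURRENT_VERSION = "2012-10-17"


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _is_star(value: Any) -> bool:
    """True when an Action or Resource element is, or contains, a bare '*'."""
    return "*" in _as_list(value)


def lint_policy(policy: Dict[str, Any]) -> List[Finding]:
    findings: List[Finding] = []
    if policy.get("Version") != CURRENT_VERSION:
        findings.append(("GENERAL_WARNING", -1,
                         f"Version missing or outdated; use {CURRENT_VERSION} so policy variables work"))
    seen_sids = set()
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(("ERROR", i, f"Effect must be Allow or Deny, got {effect!r}"))
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(("ERROR", i, "statement has neither Action nor NotAction"))
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(("ERROR", i, "statement has neither Resource nor NotResource"))
        sid = stmt.get("Sid")
        if sid is None:
            findings.append(("SUGGESTION", i, "add a Sid so reviews and findings can reference the statement"))
        elif sid in seen_sids:
            findings.append(("ERROR", i, f"duplicate Sid {sid!r}; Sids must be unique within a policy"))
        else:
            seen_sids.add(sid)
        if effect != "Allow":
            continue  # the remaining checks are about over-broad grants
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resource_star = _is_star(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(("SECURITY_WARNING", i,
                             "Allow with NotAction grants every action not listed, including future ones"))
        if "*" in actions and resource_star:
            findings.append(("SECURITY_WARNING", i, "Allow of '*' on '*' is full administrative access"))
        elif any(a.endswith(":*") for a in actions) and resource_star and "Condition" not in stmt:
            findings.append(("GENERAL_WARNING", i, "service-wide wildcard on all resources without a Condition"))
        if "iam:passrole" in actions and resource_star:
            findings.append(("SECURITY_WARNING", i, "iam:PassRole on '*' lets the principal hand any role to a service"))
        if len(actions) != len(set(actions)):
            findings.append(("SUGGESTION", i, "duplicate actions listed"))
    return findings


def gate(findings: List[Finding], block_on=("ERROR", "SECURITY_WARNING")) -> int:
    """Exit status for the hook: 1 when any blocking category is present, else 0."""
    return 1 if any(cat in block_on for cat, _, _ in findings) else 0


# Constructed policy a developer might submit for review; every statement has a defect.
SAMPLE_POLICY = {
    "Statement": [
        {"Sid": "ReadOrders", "Effect": "Allow", "Action": ["s3:GetObject", "s3:getobject"],
         "Resource": "arn:aws:s3:::orders-bucket/*"},
        {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
        {"Sid": "Escape", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Sid": "Broken", "Effect": "allow", "Action": "logs:PutLogEvents"},
    ]
}


def main(paths: List[str]) -> int:
    """Lint each policy file given on the command line, as a pre-commit hook would."""
    status = 0
    for path in paths:
        with open(path) as fh:
            findings = lint_policy(json.load(fh))
        for cat, idx, msg in findings:
            print(f"{path}: {cat}: statement {idx}: {msg}")
        status |= gate(findings)
    return status


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for finding in lint_policy(SAMPLE_POLICY):  # no files given: lint the constructed sample
        print(finding)
```

Run with policy file paths as arguments to use it as a hook (`python lint_iam.py policies/*.json`); with no arguments it lints the constructed sample, which yields two findings in each category and a blocking exit status.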
Strategies for least privilege

Plan 1. Begin with coarse-grained controls
Plan 2. Use accounts as strong boundaries around resources
Plan 3. Prioritize short-term credentials
Policy 4. Enforce broad security invariants
Policy 5. Identify the right tool for the job
Policy 6. Empower developers to author application policies
Process 7. Maintain well-written policies
Process 8. Peer-review and validate policies
Process 9. Remove excess privileges over time


#9 (Process): Remove excess privileges over time

1. Remove unused permissions from SCPs
2. Remove unused identities (such as roles)
3. Remove unused services and actions from policies
4. Review CloudTrail to restrict access to resources
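Step 4 above and Access Analyzer policy generation in #6 both start from the same question: what did this role actually do? The added example below (not the deck's code and not Access Analyzer's implementation) answers it for one role from a handful of constructed CloudTrail records, lists the grants in its current policy that nothing used, and emits a narrower replacement policy. The role, account, bucket, table and the tiny resource-placeholder heuristic are assumptions; the one caveat that matters in practice is spelled out in observed_access: a CloudTrail eventName is not always the IAM action name, so the output is a review starting point, not a final policy.

```python
"""Right-size one role's policy from CloudTrail activity (added, illustrative example)."""
import json
from collections import defaultdict
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Set

ROLE_ARN = "arn:aws:iam::111122223333:role/orders-api"  # constructed role under review

# Constructed: the role's current, over-broad identity policy.
CURRENT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:*", "dynamodb:GetItem", "dynamodb:PutItem", "sqs:SendMessage"]}]}


def _event(issuer: str, source: str, name: str, *arns: str) -> Dict[str, Any]:
    """Build a trimmed CloudTrail record with only the fields this example reads."""
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"type": "AssumedRole",
                            "sessionContext": {"sessionIssuer": {"arn": issuer}}}}
    if arns:
        rec["resources"] = [{"ARN": a} for a in arns]
    return rec


# Constructed CloudTrail records for a review window.
EVENTS = [
    _event(ROLE_ARN, "s3.amazonaws.com", "GetObject", "arn:aws:s3:::orders-bucket/2024/01/a.json"),
    _event(ROLE_ARN, "s3.amazonaws.com", "GetObject", "arn:aws:s3:::orders-bucket/2024/01/b.json"),
    _event(ROLE_ARN, "dynamodb.amazonaws.com", "GetItem",
           "arn:aws:dynamodb:eu-west-1:111122223333:table/Orders"),
    _event(ROLE_ARN, "sqs.amazonaws.com", "SendMessage"),
    # Same account, different role: must not influence orders-api's policy.
    _event("arn:aws:iam::111122223333:role/admin", "s3.amazonaws.com", "DeleteBucket",
           "arn:aws:s3:::orders-bucket"),
]


def _issuer_arn(event: Dict[str, Any]) -> str:
    """For AssumedRole identities the role ARN is sessionContext.sessionIssuer.arn;
    userIdentity.arn would be the per-session assumed-role ARN, which varies by session."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    return ident.get("arn", "")


def _placeholder(arn: str) -> str:
    """Generalize S3 object ARNs to the bucket prefix; other ARNs are kept as-is.
    A deliberately small heuristic; Access Analyzer's placeholders are richer."""
    if arn.startswith("arn:aws:s3:::") and "/" in arn:
        return arn.split("/", 1)[0] + "/*"
    return arn


def observed_access(events: List[Dict[str, Any]], role_arn: str) -> Dict[str, Set[str]]:
    """Map 'service:EventName' to the resources the role touched ('*' when CloudTrail lists none).
    Caveat: eventName is not always identical to the IAM action name, so review the output."""
    used: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if _issuer_arn(ev) != role_arn:
            continue
        service = ev["eventSource"].split(".")[0]
        arns = {_placeholder(r["ARN"]) for r in ev.get("resources", []) if "ARN" in r} or {"*"}
        used[f"{service}:{ev['eventName']}"].update(arns)
    return used


def unused_grants(policy: Dict[str, Any], used: Dict[str, Set[str]]) -> List[str]:
    """Granted action patterns that no observed call matched: candidates for removal."""
    granted = [a for s in policy["Statement"] if s["Effect"] == "Allow"
               for a in (s["Action"] if isinstance(s["Action"], list) else [s["Action"]])]
    return [g for g in granted if not any(fnmatchcase(u.lower(), g.lower()) for u in used)]


def generate_policy(used: Dict[str, Set[str]]) -> Dict[str, Any]:
    """Fine-grained replacement: actions that share a resource set share a statement."""
    by_resources: Dict[tuple, List[str]] = defaultdict(list)
    for action, arns in sorted(used.items()):
        by_resources[tuple(sorted(arns))].append(action)
    statements = [{"Effect": "Allow", "Action": actions,
                   "Resource": list(res) if len(res) > 1 else res[0]}
                  for res, actions in by_resources.items()]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    activity = observed_access(EVENTS, ROLE_ARN)
    print("unused grants:", unused_grants(CURRENT_POLICY, activity))
    print(json.dumps(generate_policy(activity), indent=2))
```

On the constructed records the admin's DeleteBucket is ignored because it was issued by a different role, s3:* collapses to s3:GetObject on the orders bucket prefix, dynamodb:PutItem is reported as unused, and sqs:SendMessage keeps a "*" resource because the record carried no resource ARN, which is exactly the kind of line a reviewer should tighten by hand.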


#9 (Process): Remove excess privileges over time

Use IAM last-accessed information to find services and actions a principal has not used.


#9 (Process): Remove excess privileges over time

Notify on unused roles or permissions:
• AWS Config rules
• SCPs: CloudWatch (denies)
• Policies: individual teams' tickets/GitHub issues


Strategies for least privilege

Plan 1. Begin with coarse-grained controls
Plan 2. Use accounts as strong boundaries around resources
Plan 3. Prioritize short-term credentials
Policy 4. Enforce broad security invariants
Policy 5. Identify the right tool for the job
Policy 6. Empower developers to author application policies
Process 7. Maintain well-written policies
Process 8. Peer-review and validate policies
Process 9. Remove excess privileges over time


Notable mentions

• AWS Chalice: serverless microframework + automatic IAM policy generation. https://github.com/aws/chalice
• Salesforce Policy Sentry: IAM least-privilege policy generator via abstraction. https://github.com/salesforce/policy_sentry
• Netflix ConsoleMe: IAM permissions and credential management; self-service wizard. https://github.com/Netflix/consoleme
• Ian Mckay's iamlive: generate policies from calls using client-side monitoring or an embedded proxy. https://github.com/iann0036/iamlive
• cfn-guard: policy-as-code domain-specific language (DSL) to write rules and validate CloudFormation, Terraform, Kubernetes. https://github.com/aws-cloudformation/cloudformation-guard
• cfn-policy-validator: CLI tool that parses CloudFormation for IAM policies and runs them through IAM Access Analyzer validation checks. https://github.com/awslabs/aws-cloudformation-iam-policy-validator


Next steps?

Try out IAM Access Analyzer!
1. Use it to find externally shared resources
2. Then use IAM Access Analyzer policy validation
3. Then test IAM Access Analyzer policy generation


Further viewing

"Where should I start?": A least-privilege journey: IAM policies and IAM Access Analyzer (re:Invent 2021)

"Which policies should I use?" and "Who can access what?": AWS identity: Choosing the right mix of IAM policies for scale (re:Invent 2020)
Thank you!

Yazan Khalaf
Solutions Architect
AWS
