© 2019 Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Lecture overview
Lecture objectives
• Cloud9 IDE
• AWS Toolkit
• AWS X-Ray
• AWS CloudTrail
• AWS CloudWatch
Part 1: Shared responsibility model
Shared responsibility model
Shared responsibility example
Shared Responsibility Principle: Let’s Checkmate You!
Which of the following does AWS own under the shared security responsibility model? Choose 3 answers.
Shared Responsibility Principle: Let’s Checkmate You!
Which aspects of Amazon EC2 security are the responsibility of AWS? Choose 2 answers.
1. Virtualization infrastructure
2. Physical security of hardware
3. Guest operating systems
4. Application authentication
5. VPC and security group configuration
Part 2: Overview of IAM
AWS Identity and Access Management
IAM: The big picture
(Diagram) Authentication is handled by IAM users, IAM groups and IAM roles: users and groups carry permanent credentials, roles carry temporary credentials, and roles are marked as the best practice. Authorization is handled by IAM policies.
IAM Overview: Let’s Checkmate You!
A company uses one AWS account to run production workloads and has a separate AWS account for the security team. During periodic audits, the security team needs to view certain account settings and resource configurations in the other AWS account. How can a solutions architect provide the required access to the security team following the principle of least privilege?
1. Create an IAM user for each security team member on the production account. Attach a permissions policy that provides the permissions required by the security team to each user.
2. Create an IAM role in the production account. Attach a permissions policy that provides the permissions required by the security team. Add the security team account to the trust policy.
3. Create an IAM user in the production account. Assign administrative privileges to the user. Allow the security team to use this account to log in to the systems that need to be accessed.
4. Create an IAM user for each security team member on the production account. Attach a permissions policy that provides the permissions required by the security team to a new IAM group. Assign the security team members to the group.
Part 3: Authentication with IAM
Authentication scenarios
1. AWS authentication: a developer builds the environment.
3. Resource authentication: a user uploads a photo to AWS.
IAM credentials
• User name and password (console access): used to sign in to the AWS Management Console.
• Access key ID and secret access key (programmatic access): used for API access.
  Access key ID, e.g. AKIAIOSFODNN7EXAMPLE
  Secret key, e.g. UtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Multi-factor authentication
Temporary credentials
Providing AWS credentials
• Use AWS managed temporary credentials. (Recommended)
• Attach an IAM instance profile to the EC2 instance.
• Store your permanent credentials within the environment.
AWS credentials file and credential profile
[default]
aws_access_key_id = ACCESS_KEY_ID
aws_secret_access_key = SECRET_ACCESS_KEY_ID
[prod]
aws_access_key_id = ACCESS_KEY_ID
aws_secret_access_key = SECRET_ACCESS_KEY_ID
Summary of authentication best practices
DO
• Use credentials files
• Use IAM roles with temporary credentials (preferred for applications running on Amazon EC2 and for mobile applications)
DO NOT
• Use root account credentials
• Store AWS credentials in code
• Store credentials in public places
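As an added check for the DO NOT items above (example code written for this page, not part of the AWS course material): a small scanner that flags hard-coded AWS access key IDs and secret access keys in source text. The constructed sample uses the slide's example access key ID and the AWS documentation's placeholder secret; the ASIA prefix for temporary STS keys is taken from AWS key formats and is not on the slide.

```python
import re

# Long-term IAM user keys start with AKIA (the slide's AKIAIOSFODNN7EXAMPLE);
# temporary STS keys start with ASIA. Both are 20 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# A secret access key is 40 characters of [A-Za-z0-9/+]. That alphabet alone also
# matches hashes and base64, so require a key-like variable name on the same line.
SECRET_RE = re.compile(
    r"(?i)(?:aws_)?secret(?:_access)?_?key\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def find_credentials(text):
    """Return (line_no, kind, value) for every AWS credential embedded in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((line_no, "access_key_id", m.group(0)))
        for m in SECRET_RE.finditer(line):
            hits.append((line_no, "secret_access_key", m.group(1)))
    return hits


# Constructed sample: hard-coded keys (the DO NOT case) next to a session that
# names a credentials-file profile (the DO case). The secret is the AWS
# documentation placeholder, not a real key.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
session = boto3.Session(profile_name="prod")  # keys come from ~/.aws/credentials
"""
```

Run `find_credentials(SAMPLE_SOURCE)` to get the two hard-coded values with their line numbers; the profile-based line produces no hit.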
IAM Authentication: Let’s Checkmate You!
Your company has separate AWS accounts for development and production. Each developer is assigned an IAM user in the development account. Developers occasionally need to access the production account to roll out changes to that environment. Your company does not allow the creation of IAM users in the production account. What strategy will allow the development team to access the production account?
1. Create an IAM role in the production account. Allow IAM users in the development
account to assume the role.
2. Create an IAM group in the development account. Grant IAM users in the
development account membership in the group.
3. Create an IAM group in the production account. Grant IAM users in the development
account membership in the group.
Part 4: Authorization with IAM
Policies and permissions
(Diagram) An IAM group is granted read-only access to Amazon S3 bucket 2.
Demonstration: Create an IAM user and IAM group
• Create an IAM user and IAM group
• Assign AmazonS3FullAccess permissions to the group
• Test permissions
Identity-based and resource-based policies
Example of identity-based policy
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:*LoginProfile",
      "iam:*AccessKey*",
      "iam:*SSHPublicKey*"
    ],
    "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
  }
}
"Action" lists the actions that are allowed. "Resource" is the AWS resource on which the action is performed; the ${aws:username} policy variable restricts it to the calling user's own IAM user.
Example of resource-based policy
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "AccountBAccess1",
    "Principal": {"AWS": "1111222233"},
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::mybucket",
      "arn:aws:s3:::mybucket/*"
    ]
  }
}
"Principal" is who can make the request (Account B). "Action" lists the actions that are allowed. "Resource" lists the resources being shared by Account A.
Managed versus inline IAM policies
Evaluation logic for IAM policies
Evaluate all applicable
policies
Explicit Yes
Deny (explicit deny)
deny?
No
Yes
Allow? Allow
No
Deny
© 2019 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 30
Example of how policy logic works
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:*", "s3:*"],
      "Resource": [
        "arn:aws:dynamodb:region:account-number-without-hyphens:table/pollynotes",
        "arn:aws:s3:::polly-notes-web",
        "arn:aws:s3:::polly-notes-mp3/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": ["dynamodb:*", "s3:*"],
      "NotResource": [
        "arn:aws:dynamodb:region:account-number-without-hyphens:table/pollynotes",
        "arn:aws:s3:::polly-notes-web",
        "arn:aws:s3:::polly-notes-mp3/*"
      ]
    }
  ]
}
The Allow statement allows the entity to perform any DynamoDB action and any Amazon S3 action on this DynamoDB table and these S3 buckets. The Deny statement ensures that the entity cannot perform any action on any DynamoDB table or S3 bucket except for the tables and buckets specified in the policy.
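To see the evaluation flow and this two-statement policy work together, here is an added Python model (written for this page, not AWS code) that applies the slide's order: explicit deny wins, then any allow, otherwise implicit deny. It takes the slide's policy as constructed input, matches IAM "*" wildcards with fnmatch, and does not model Condition or NotAction blocks.

```python
import fnmatch
import json

# The two-statement policy from the slide (placeholder region/account kept as printed).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:*", "s3:*"],
     "Resource": ["arn:aws:dynamodb:region:account-number-without-hyphens:table/pollynotes",
                  "arn:aws:s3:::polly-notes-web", "arn:aws:s3:::polly-notes-mp3/*"]},
    {"Effect": "Deny", "Action": ["dynamodb:*", "s3:*"],
     "NotResource": ["arn:aws:dynamodb:region:account-number-without-hyphens:table/pollynotes",
                     "arn:aws:s3:::polly-notes-web", "arn:aws:s3:::polly-notes-mp3/*"]}
  ]
}""")


def _as_list(value):
    # IAM accepts a single string or object wherever a list is allowed.
    return value if isinstance(value, list) else [value]


def _matches(patterns, target, ignore_case=False):
    # IAM wildcards: '*' is any run of characters (including '/'), '?' one character.
    # fnmatch also treats '[' specially, so escape it. Actions are case-insensitive, ARNs are not.
    if ignore_case:
        target, patterns = target.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(target, p.replace("[", "[[]")) for p in patterns)


def statement_applies(stmt, action, resource):
    """Does this statement cover (action, resource)? Condition/NotAction are not modelled."""
    if not _matches(_as_list(stmt.get("Action", [])), action, ignore_case=True):
        return False
    if "Resource" in stmt:
        return _matches(_as_list(stmt["Resource"]), resource)
    if "NotResource" in stmt:
        return not _matches(_as_list(stmt["NotResource"]), resource)
    return False


def evaluate(policies, action, resource):
    """Slide's flow: explicit Deny wins, else Allow if any statement allows, else implicit Deny."""
    decision = "Deny"  # implicit deny until some statement allows
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny: stop evaluating
            decision = "Allow"
    return decision
```

Note that `arn:aws:s3:::polly-notes-web` without `/*` covers only the bucket, so an object read in that bucket falls through to the NotResource deny, which is exactly how IAM treats bucket-level versus object-level ARNs.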
Best practices:
• Don’t start with permissions that are too lenient.
• Start with the minimum permissions and grant more as necessary.
(Diagram) An IAM group with IAM policies granting permissions, contrasting full access with read-only access.
IAM scenario
(Diagram, built up across several slides) A root account login (Maria@email.com, password hidden), IAM users Maria, Joe, Richard and Ana, an IAM group, IAM roles TempRole1, TempRole2 and TempDev, and an IAM policy.
Summary of authorization best practices
DO
• Use groups to assign permissions
• Use the principle of least privilege
IAM Authorization: Let’s Checkmate You!
Lecture review
Up next: Lecture 4 – Developing Storage Solutions with Amazon S3
© 2019 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. For corrections or feedback on the course, please email us at: aws-course-feedback@amazon.com. For all other questions, contact us at: https://aws.amazon.com/contact-us/aws-training/. All trademarks are the property of their owners.