AWS IAM Introduction

by Apurv Awasthi, Sr. Technical Product Manager, AWS

This session introduces the concepts of AWS Identity and Access Management (IAM) and walks through the tools and strategies you can use to control access to your AWS environment. We describe IAM users, groups, and roles and how to use them. We demonstrate how to create IAM users and roles, and grant them various types of permissions to access AWS APIs and resources. We also cover the concept of trust relationships, and how you can use them to delegate access to your AWS resources. This session also covers IAM best practices that can help improve your security posture. We cover how to manage IAM users and roles, and their security credentials. We also explain how you can securely manage your AWS access keys. Using common use cases, we demonstrate how to choose between using IAM users or IAM roles. Finally, we explore how to set permissions to grant least privilege access control in one or more of your AWS accounts. Level 100

1. Pop-up Loft: IAM Introduction. Apurv Awasthi, Senior Product Manager, AWS Identity and Access Management (IAM)
2. What to Expect from the Session. We will look at:
   - What is IAM?
   - IAM concepts – to help you get started
   - Common use cases – cover the building blocks
   - Demos – "Show and Tell"
3. AWS Identity and Access Management (IAM)
   - Enables you to control who can do what in your AWS account
   - IAM uses access control concepts that you are already familiar with: User, Group, Permissions (IAM Policies), Role, AWS Services and Resources
4. AWS Identity and Access Management (IAM)
   - Control
     - Centralized
     - Fine-grained: APIs, resources, and the AWS Management Console
   - Security
     - Secure (deny) by default
     - Multiple users, each with individual security credentials and permissions
5. IAM Users
   - What
     - Entity that represents the person or service that uses it to interact with AWS
     - Consists of a name and a unique set of credentials: console password, access key, MFA device (SMS, virtual, or hardware)
     - Each IAM user is associated with one and only one AWS account; does not require a separate payment method
   - When
     - Enable human or programmatic access to AWS resources and services
     - E.g. a new employee, Rob, requires access to the Amazon EC2 and Amazon S3 services
     - E.g. Rob has created an application that stores data in Amazon DynamoDB
6. IAM Users
   - Why (Benefits)
     - Unique set of credentials
     - Individual permissions
     - Granular control
     - Easy to revoke access
   - Do
     - Create an IAM user for yourself
     - Create individual IAM users for others
   - Don't
     - Distribute your AWS root credentials
     - Use your root account user
     - Share your IAM user credentials
7. IAM Users and Permissions
   - No permissions by default
   - Permissions specify who has access to AWS resources, and what actions they can perform on those resources
   - Assign permissions individually to each user (or use groups)
     - Rob (UX Designer) > access to Amazon S3
     - Samantha (Database Administrator) > access to select Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS Lambda, and AWS Data Pipeline APIs
   - Use IAM policies to assign permissions
8. IAM Policies
   - Contain a statement (permissions) which specifies a combination of:
     - Who
     - What actions
     - Which AWS resources
     - When
     - Where
     - How
   - Example: Rob can GET/PUT objects in S3 bucket "*", until Dec 31, 2017, from IP range 123.456.789.012, if using MFA
9. IAM Policies
   - JSON-formatted documents. Example of an Amazon S3 read-only access template:

     ```json
     {
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["s3:Get*", "s3:List*"],
           "Resource": "*"
         }
       ]
     }
     ```

   - Attach a policy to a user, group, or role (identity-based permissions)
   - Attach a policy to select resources, e.g. Amazon S3 buckets (resource-based permissions)
   - Example of an identity-based permission: Rob can Read, Write, List on resource icon-designs
   - Example of a resource-based permission: bucket icon-designs grants Rob: Read, Write, List; Samantha: List; Zoe: Read, List
10. IAM Policies. Two types of identity-based policies in IAM:
    - Managed policies (the newer way)
      - Can be attached to multiple users, groups, and roles
      - AWS managed policies (created and managed by AWS)
      - Customer managed policies (created and managed by you)
        - Up to 5K per policy
        - Up to 5 versions
      - You can limit who can attach managed policies
    - Inline policies (the older way)
      - You create and embed them directly in a single user, group, or role
      - Variable policy size (2K per user, 5K per group, 10K per role)
11. Live Demo
    1. Create a new IAM user called Rob
    2. Assign Rob a password
    3. Enable MFA for Rob (Authy 2FA app: https://www.authy.com/app/mobile/)
    4. Require password reset at next sign-in
    5. Grant Rob administrative permissions over Amazon S3 by attaching an AWS managed policy
       - i. Replace with a less permissive AWS managed policy
       - ii. Replace with a customer managed policy
12. Side bar
    - SSH keys: you can associate an SSH key with your IAM user and then use the SSH key to authenticate with AWS CodeCommit (a managed source control service)
    - Credential reports: you can generate and download a credential report that lists all IAM users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. For passwords and access keys, the credential report shows how recently the password or access key has been used
    - Examples shown on the slide: retrieving a credential report; associating SSH keys with an IAM user
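The credential report described on the slide is a CSV document, and the useful security work is reading it for stale or risky credentials. The following script is an added example, not part of the presentation or of any AWS tooling. The column names follow the IAM credential report's CSV layout (a subset of its columns), but every row is constructed for this example; the thresholds (90 days) and the rule set are this example's own choices, not AWS defaults.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (not data from any real account). Column names follow
# the IAM credential report's CSV layout (a subset); rows are invented and use the
# report's "N/A" / "not_supported" markers for values that do not apply.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2016-01-10T09:00:00+00:00,not_supported,2017-06-01T08:00:00+00:00,not_supported,false,true,2016-01-10T09:05:00+00:00,N/A,false,N/A,N/A
Rob,arn:aws:iam::123456789012:user/Rob,2017-05-01T12:00:00+00:00,true,2017-06-14T15:30:00+00:00,2017-05-01T12:00:00+00:00,true,true,2017-05-01T12:10:00+00:00,2017-06-14T16:00:00+00:00,false,N/A,N/A
Samantha,arn:aws:iam::123456789012:user/Samantha,2016-11-20T10:00:00+00:00,true,2017-01-03T09:00:00+00:00,2016-11-20T10:00:00+00:00,false,true,2016-11-20T10:05:00+00:00,2017-01-03T09:30:00+00:00,true,2016-12-01T10:05:00+00:00,N/A
"""

# Fixed "now" so the sample produces the same findings on every run.
NOW = datetime(2017, 6, 15, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)  # example threshold, not an AWS default


def _parse_ts(value):
    """Return an aware datetime for ISO 8601 cells; None for the report's
    placeholder values (N/A, no_information, not_supported) or empty cells."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, stale_after=STALE_AFTER):
    """Walk the report and return (user, finding) tuples for credential hygiene
    problems: root with access keys or without MFA, console users without MFA,
    and active access keys that are never used, unused, or unrotated."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        if user == "<root_account>":
            # The root user should not have access keys at all and should use MFA.
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root access key active"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            continue

        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if last_used is None:
                findings.append((user, f"access key {n} active but never used"))
            elif now - last_used > stale_after:
                findings.append((user, f"access key {n} unused for more than {stale_after.days} days"))
            if rotated is not None and now - rotated > stale_after:
                findings.append((user, f"access key {n} not rotated for more than {stale_after.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Against the constructed rows, Rob produces no findings, while the root user and Samantha are flagged. To run it on a real account, generate the report with `aws iam generate-credential-report`, fetch it with `aws iam get-credential-report` (the `Content` field is base64-encoded CSV), and pass the decoded text to `audit_credential_report`.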
13. Side bar
    - Trusted Advisor: your customized cloud expert! It helps you to observe best practices for the use of AWS by inspecting your AWS environment with an eye toward closing security gaps, saving money, and improving system performance and reliability
    - Example shown on the slide: identifying security gaps by using Trusted Advisor
14. IAM Groups
    - What
      - Collection of IAM users
      - Specify and manage permissions for multiple users, centrally
      - E.g. a group for all UX Designers
      - A group can contain many users, and a user can belong to multiple groups
    - When
      - Easily manage permissions for multiple users
    - Example of managing permissions using groups within one AWS account:
      - IAM Group Administrators: Akshay, Andrea, Arvind
      - IAM Group UX Designers: Rob, Rachel
      - IAM Group DevOps: Akshay, Andrew, Lin, Zoe
15. IAM Groups
    - Why (Benefits)
      - Reduces the complexity of access management as the number of users grows
      - Easy way to reassign permissions based on a change in responsibility
      - Easy way to update permissions for multiple users
      - Reduces the opportunity for a user to accidentally get excessive access
    - Do
      - Create groups that relate to job functions
      - Attach policies to groups
      - Use managed policies to logically manage permissions
      - Manage group membership to assign permissions
16. Live Demo
    1. Create a new IAM group called UXDesigners
    2. Assign permissions to the IAM group
    3. Create a new IAM user called Rachel
    4. Add Rob and Rachel to the IAM group
17. IAM Roles
    - What
      - Another identity with permission policies that determine what the identity can and cannot do in AWS
      - Can be assumed by anyone who needs it; not uniquely associated with one person or application
      - Does not have credentials; access keys are created and provided dynamically
    - When
      - Give cross-account access
      - Give access within an account, e.g. access for an application running on Amazon EC2
      - [Federation] Give access to identities defined outside AWS, e.g. access for identities maintained in your corporate IdP
18. Use IAM roles to share access
    - Why (Benefits)
      - No need to share security credentials
      - No need to store long-term credentials
      - Control who has access
    - Do
      - Use roles to delegate cross-account access
      - Use roles to delegate access within an account
      - Use roles to provide access for federated users
19. Use IAM roles for cross-account access
    - Account A, dev@example.com (Acct ID: 123456789012), contains the IAM user Rob. Account B, prod@example.com (Acct ID: 111122223333), contains the role ddb-role.
    - Flow: authenticate with Rob's access keys; get temporary security credentials for ddb-role from STS; call AWS APIs using the temporary security credentials of ddb-role.
    - Permissions assigned to Rob, granting him permission to assume ddb-role in account B:

      ```json
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::111122223333:role/ddb-role"
          }
        ]
      }
      ```

    - Trust policy: ddb-role trusts IAM users from the AWS account dev@example.com (123456789012):

      ```json
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "AWS": "123456789012" },
            "Action": "sts:AssumeRole"
          }
        ]
      }
      ```

    - Permissions assigned to ddb-role:

      ```json
      {
        "Statement": [
          {
            "Action": [
              "dynamodb:GetItem",
              "dynamodb:BatchGetItem",
              "dynamodb:DescribeTable",
              "dynamodb:ListTables"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
      }
      ```
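Slides 4, 9 and 19 together describe how IAM decides a request: deny by default, Allow only when a statement matches the action and resource, an explicit Deny overriding everything, and, for cross-account access, both the caller's identity policy and the role's trust policy having to agree. The following is an added example, not code from the presentation or from AWS: a deliberately simplified evaluator that walks the four policy documents from slides 9 and 19 and answers concrete questions about them. The `DENY_SECRET_BUCKET` policy, the `Orders` table ARN and the `999999999999` account id are constructed for the example; conditions (time, source IP, MFA), resource-based policies and permission boundaries are not modelled.

```python
import fnmatch

# Policy documents transcribed from slides 9 and 19 of the presentation.
S3_READ_ONLY = {"Statement": [{"Effect": "Allow",
                               "Action": ["s3:Get*", "s3:List*"],
                               "Resource": "*"}]}
ROB_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                             "Resource": "arn:aws:iam::111122223333:role/ddb-role"}]}
DDB_ROLE_TRUST = {"Statement": [{"Effect": "Allow",
                                 "Principal": {"AWS": "123456789012"},
                                 "Action": "sts:AssumeRole"}]}
DDB_ROLE_POLICY = {"Statement": [{"Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem",
                                             "dynamodb:DescribeTable", "dynamodb:ListTables"],
                                  "Effect": "Allow", "Resource": "*"}]}
# Constructed for this example (not on the slides): an explicit Deny on one bucket,
# to show that Deny wins over a matching Allow.
DENY_SECRET_BUCKET = {"Statement": [{"Effect": "Deny", "Action": "s3:*",
                                     "Resource": "arn:aws:s3:::secret-bucket/*"}]}

ROLE_ARN = "arn:aws:iam::111122223333:role/ddb-role"
ORDERS_TABLE = "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"  # constructed


def _as_list(value):
    # Policy JSON allows a single string or a list for Action, Resource and Principal.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are matched case-insensitively; '*' matches any run of characters.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # Resource ARNs are matched case-sensitively with the same '*' wildcard.
    return fnmatch.fnmatchcase(resource, pattern)


def _statement_applies(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_action_matches(a, action) for a in actions)
            and any(_resource_matches(r, resource) for r in resources))


def evaluate(policies, action, resource):
    """Simplified identity-policy evaluation: deny by default ("ImplicitDeny"),
    an explicit Deny overrides any Allow, otherwise Allow if some statement matches."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def trust_allows(trust_policy, caller_account):
    """Does the role's trust policy allow sts:AssumeRole for this account?
    Accepts a bare account id or the account's root ARN as the AWS principal."""
    accepted = {caller_account, f"arn:aws:iam::{caller_account}:root"}
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        if accepted & set(_as_list(principal.get("AWS", []))):
            return True
    return False


def can_assume_cross_account(caller_policies, caller_account, role_arn, trust_policy):
    """Cross-account assumption needs both sides to agree: the caller's identity policy
    must allow sts:AssumeRole on the role ARN, and the role's trust policy must
    name the caller's account."""
    return (evaluate(caller_policies, "sts:AssumeRole", role_arn) == "Allow"
            and trust_allows(trust_policy, caller_account))


if __name__ == "__main__":
    print("Rob, s3:GetObject:", evaluate([S3_READ_ONLY], "s3:GetObject", "arn:aws:s3:::icon-designs/logo.png"))
    print("Rob, s3:PutObject:", evaluate([S3_READ_ONLY], "s3:PutObject", "arn:aws:s3:::icon-designs/logo.png"))
    print("Rob can assume ddb-role:", can_assume_cross_account([ROB_POLICY], "123456789012", ROLE_ARN, DDB_ROLE_TRUST))
    print("ddb-role, dynamodb:PutItem:", evaluate([DDB_ROLE_POLICY], "dynamodb:PutItem", ORDERS_TABLE))
```

Two points the evaluator makes visible: the S3 read-only template grants `s3:GetObject` but leaves `s3:PutObject` at the implicit deny without any Deny statement being written, and removing either Rob's `sts:AssumeRole` permission or the account id from the trust policy is enough to break the cross-account path, which is why a trust policy alone never lets an outside account in.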
20. Use IAM roles for Amazon EC2 instances
    - Why (Benefits)
      - Easy to manage access keys on EC2 instances
      - Automatic key rotation
      - AWS SDKs fully integrated
      - AWS CLI fully integrated
    - Do
      - Use roles instead of long-term credentials
      - Assign least privilege to the application
21. Live Demo
    1. Use Switch Role between two accounts
    2. Launch an EC2 instance with a role
22. Pop-up Loft: Questions?
23. Pop-up Loft: aws.amazon.com/activate. Everything and Anything Startups Need to Get Started on AWS