How to use IAM roles grant access to AWS
•
3 gefällt mir•2,300 views
by Brigid Johnson, Product Management Manager, AWS How to Use IAM Roles to Grant Access to AWS: Customers use IAM roles to delegate access to services, applications, accounts, and federated users using temporary credentials. We will start by defining use cases for IAM roles, tools to use IAM roles in your account, and techniques to manage role permissions. We will cover how customers can use roles to grant access to AWS. Using demonstrations, we will learn how to monitor roles across accounts, grant cross account access, and scope down permissions for a particular entity. This session will cover how to use roles for developers building applications on AWS and for administrators controlling and monitoring access. Level 300
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie How to use IAM roles grant access to AWS
Ähnlich wie How to use IAM roles grant access to AWS (20)
Mehr von Amazon Web Services
Mehr von Amazon Web Services (20)
How to use IAM roles grant access to AWS
- 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Brigid Johnson, AWS Identity October 9th, 2017 How to use IAM roles grant access to AWS
- 2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What to expect from this session • Overview of roles • Use cases for IAM roles • Best practices for IAM roles • Demo – cross account access • Demo – Permissions with roles • Demo – Tracking roles with CloudTrail
- 3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What are IAM roles? • IAM entities used to delegate access to users, applications, and AWS services. • Intended to be assumed by trusted entities. Once assumed they have the permissions attached to the IAM role. • IAM roles do not have credentials (password or access keys) associated with it. Credentials are associated dynamically.
- 4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why use IAM roles? Roles are a secure way to delegate access to users, applications, and AWS services because they use temporary credentials. Roles have a many to one relationship, therefore you can enable many users and applications to assume the same role to grant the same set of permissions. Best Practice: Use temporary credentials when possible
- 5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Breakdown of IAM role use cases Grant Access to AWS Services Federate Identities into AWS Enable Cross Account Access
- 6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Ø Enable applications running on EC2 to make AWS API calls. Ø Manage security credentials for you. Ø Rotates credentials automatically. Ø Easy to attach and detach an IAM role to a new or existing instance. Ø Add/update permissions without logging into the instance. Grant Access to AWS Services Roles for EC2 Service Roles Service-linked Roles Ø Grant AWS services access to perform actions on your behalf. Ø Control permissions that service can run. Ø Track actions AWS services perform on your behalf using CloudTrail. Ø Examples: AWS Config, AWS OpsWorks, and AWS Directory Service. Ø Grant AWS services access to perform actions on your behalf. Ø Pre-defined permissions that the linked service requires. Ø Protect you from inadvertently deleting a role. Ø Track actions AWS services perform on your behalf using CloudTrail. Ø Examples: Amazon Lex
- 7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Federate Identities into AWS Ø Enable users to log into the AWS Management Console Ø Call the AWS APIs without you having to create an IAM user for everyone in your organization. Ø Enable federated single sign- on (SSO) to your AWS accounts. SAML IDP OpenID Connect Provider Ø Enable your application users to sign in using an identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC) compatible IdPs. Ø Helps you keep your AWS account secure, because you don't have to embed and distribute long-term security credentials in your application If your organization has its own identity system, create an IAM identity provider entity to establish trust between your AWS account and the IdP. Use IAM roles to grant permissions to your users.
- 8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Enable Cross Account Access Ø Configure the AWS Command Line Interface to use a role by creating a profile. Ø Configure your application or script to assume a role for temporary credentials use to call AWS APIs. Assume Role Switch Role in the Console Ø Sign in to the console as an IAM user or via federated Single Sign-On and then switch the console to manage another account without having to enter (or remember) another user name and password.
- 9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Creating Roles Using the IAM Console
- 10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How do you access an IAM role? Secure Token Service (STS): A web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). Example APIs: AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity, GetSessionToken
- 11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Some best practices for using IAM Roles Trust: Validate your trust policies to ensure only appropriate entities can assume the role. Permissions: Set granular permissions on your IAM roles an use scope down policies to further control access. Tracking and Monitoring: Track cross account access using AWS CloudTrail
- 12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Trust
- 13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Trust policy for an AWS service { "Version": "2012-10-17", "Statement": [{ "Sid": "", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" }] }
- 14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Trust policy for an identity provider { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::468826461431:saml-provider/ADFS" }, "Action": "sts:AssumeRoleWithSAML", "Condition": { "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" } } }] }
- 15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Trust policy for another account { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789123:user/Brigid" }, "Action": "sts:AssumeRole" }] }
- 16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Account A (Staging) User: Brigid Credentials: • Password for console • Access and secret key for programmatic access Permissions: Assume role prod- support-read-only-account-b in Account B. Demo: Assume Role using the CLI Account B (Production) Role: prod-support-read-only-account-b Trust : Brigid user ARN (Amazon Resource Name) Permissions: Read only access using the AWS Managed Policy
- 17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Assume Role Policy for Brigid { "Version": "2012-10-17", "Statement": [{ "Sid": "Stmt1503507543000", "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Resource": [ "arn:aws:iam::123456789666:role/prod-support-read-only-account-b" ] }] }
- 18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Credentials and Config File Credentials [default] aws_access_key_id=XXXXXXXXXXXXXXXXXXXX aws_secret_access_key=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY Config [default] aws_access_key_id=XXXXXXXXXXXXXXXXXXXX aws_secret_access_key=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY region = us-east-1 output = text [profile prod-support-read-only] role_arn = arn:aws:iam::123456789666:role/prod-support-read-only-account-b source_profile=default
- 19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Permissions
- 20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Many to one relationship Fact: IAM roles are intended that multiple users assume the role. Best Practice: Logically separate your roles based on types of access required. Examples: ReadOnly, ProductionSupport, Auditor, S3BucketAccessA, Billing
- 21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Account A (Staging) User: Brigid Credentials: • Password for console • Access and secret key for programmatic access Permissions: Assume role prod- support-S3-bucket-account-b in Account B. Demo: Put Objects to a Specific S3 Bucket Account B (Production) Role: prod-support-S3-bucket-account-b Trust : Brigid user ARN (Amazon Resource Name) Permissions: List buckets, put, get, and delete for iam-roles-webinar- product-support-account-b
- 22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. IAM Policy for Assume Role { "Version": "2012-10-17", "Statement": [{ "Sid": “AllowAssumeRoleProdSupport", "Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": ["arn:aws:iam::784011040245:role/prod- support-S3-bucket-account-b"] }] }
- 23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. IAM Policy for S3 bucket access { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": ["*"] }, { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::iam-roles-webinar-product-support-account-b"] }, { "Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "Resource": ["arn:aws:s3:::iam-roles-webinar-product-support-account-b/*"] }] }
- 24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Demonstrating success and access denied Success: Brigid successfully adds a file to an S3 bucket Access Denied: Brigid cannot add a file a different S3 bucket
- 25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Tracking and Monitoring
- 26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Many to one relationship Production Support Bob Production Support Alice Production Support Casey Production Support Dory prod-support-S3-bucket-account-b Assume role Put object A B C Who?
- 27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Tracking IAM roles using CloudTrail Step 1: Locate the put object call using the object name. Step 2: Find the assume role call using the temporary access key. Step 3: Find the assume role call from the originating account using the shared event ID.
- 28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Step 1: Find the put object call "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "AROAJN6FXOWE7SY7KDNKW:AWS-CLI-session-1503619346", "arn": "arn:aws:sts::123456789666:assumed-role/prod-support-S3-bucket-account-b/AWS-CLI-session-1503619346", "accountId": "123456789666", "accessKeyId": "ASIAJDCQY5DSKNVSQUKQ", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AROAJN6FXOWE7SY7KDNKW", "arn": "arn:aws:iam::123456789666:role/prod-support-S3-bucket-account-b", "accountId": "784011040245", "userName": "prod-support-S3-bucket-account-b" }, "attributes": { "creationDate": "2017-08-25T00:02:26Z", "mfaAuthenticated": "false" } } }, "eventTime": "2017-08-25T00:02:27Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject", "awsRegion": "us-east-1", "sourceIPAddress": “XX.XX.XXX.XX", "userAgent": "[aws-cli/1.11.46 Python/2.7.9 Windows/7 botocore/1.5.9]", "requestParameters": { "bucketName": "iam-roles-webinar-product-support-account-b", "key": "mobile-resources/iam-roles-testFile.txt"
- 29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Step 2: Find the assume role call "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1", "sourceIPAddress": “XX.XX.XXX.XX", "userAgent": "aws-cli/1.11.46 Python/2.7.9 Windows/7 botocore/1.5.9", "requestParameters": { "roleArn": "arn:aws:iam::123456789666:role/prod-support-S3-bucket-account-b", "roleSessionName": "AWS-CLI-session-1503619346" }, "responseElements": { "credentials": { "accessKeyId": "ASIAJDCQY5DSKNVSQUKQ", "expiration": "Aug 25, 2017 1:02:26 AM", "sessionToken": “XXX" }, "assumedRoleUser": { "assumedRoleId": "AROAJN6FXOWE7SY7KDNKW:AWS-CLI-session-1503619346", "arn": "arn:aws:sts::123456789666:assumed-role/prod-support-S3-bucket-account-b/AWS-CLI-session-1503619346" }}, "requestID": "adeb855c-8928-11e7-a0a2-8d7a034d3805", "eventID": "f48cebce-2194-44c3-bc7d-a4b64b0c5802", "resources": [{ "ARN": "arn:aws:iam::123456789666:role/prod-support-S3-bucket-account-b", "accountId": "123456789666", "type": "AWS::IAM::Role" }], "eventType": "AwsApiCall", "recipientAccountId": "123456789666", "sharedEventID": "245452c8-af00-44fa-bd12-d13c16e1da2c"}]
- 30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Step 3: Locate the original assume role call { "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "AIDAJI6WTWP4ZQ6ABT7BW", "arn": "arn:aws:iam:: 123456789123:user/Brigid", "accountId": “123456789123", "accessKeyId": "AKIAJCZ6IERGFDSFAH4Q", "userName": "Brigid" }, "eventTime": "2017-08-25T00:02:26Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1", "sourceIPAddress": “XX.XX.XXX.XX", "userAgent": "aws-cli/1.11.46 Python/2.7.9 Windows/7 botocore/1.5.9", "requestParameters": { "roleArn": "arn:aws:iam::123456789123:role/prod-support-S3-bucket-account-b", "roleSessionName": "AWS-CLI-session-1503619346" }, "responseElements": {…}, "assumedRoleUser": {…}}, … "eventType": "AwsApiCall", "recipientAccountId": "123456789123", "sharedEventID": "245452c8-af00-44fa-bd12-d13c16e1da2c" }
- 31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Demo: Cross account access in CT Remember the put object call we just made? 1) Locate the put object call 2) Find the assume role call 3) Find the original assume role call in account A
- 32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Tracking actions performed by AWS Services { "eventVersion": "1.05", "userIdentity": { "type": "AssumedRole", "principalId": "{principal-id}:OrderFlowers", "arn": "arn:aws:sts::{account-id}:assumed-role/AWSServiceRoleForLexBots/OrderFlowers", …."sessionIssuer": { "type": "Role", "principalId": "{principal-id}", "arn": "arn:aws:iam:: {account-id}:role/aws-service- role/lex.amazonaws.com/AWSServiceRoleForLexBots", "accountId": "{account-id}", "userName": "AWSServiceRoleForLexBots" } }, "invokedBy": "lex.amazonaws.com" }, "eventTime": "2017-09-17T17:30:05Z", "eventSource": "polly.amazonaws.com", "eventName": "SynthesizeSpeech", "awsRegion": "us-east-1",…}
- 33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Additional Resources AWS Security Blog: Announcements, use cases, and best practices https://aws.amazon.com/blogs/security/ “AWS CloudTrail Now Tracks Cross-Account Activity to Its Origin” “Enable a New Feature in the AWS Management Console: Cross-Account Access” “Demystifying EC2 Resource-Level Permissions”
- 34. Thank you! © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. aws.amazon.com/activate