SlideShare ist ein Scribd-Unternehmen logo

Security Day IAM Recommended Practices

Als PPTX, PDF herunterladen
Amazon Web Services
Amazon Web Services

Security Day IAM Recommended Practices

Business
1 von 74
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved IAM Recommended Practices Dave Walker – Specialised Solutions Architect, Security and Compliance Amazon Web Services UK Ltd 28/01/16
What to expect from this session We will look at: • Best practices – To help you get started • Versus – When to use one technology over another • Demos – “Show and tell”
AWS Identity and Access Management (IAM) Enables you to control who can do what in your AWS account
AWS Identity and Access Management (IAM) Enables you to control who can do what in your AWS account • Users, groups, roles, and permissions
AWS Identity and Access Management (IAM) Enables you to control who can do what in your AWS account • Users, groups, roles, and permissions • Control – Centralised – Fine-grained - APIs, resources, and AWS Management Console
AWS Identity and Access Management (IAM) Enables you to control who can do what in your AWS account • Users, groups, roles, and permissions • Control – Centralized – Fine-grained - APIs, resources, and AWS Management Console • Security – Secure (deny) by default – Multiple users, individual security credentials and permissions
IAM Best Practices • Basic user and permission management • Credential management • Delegation
Basic user and permission management • 0. Create individual users. Benefits • Unique credentials • Individual credential rotation • Individual permissions
Basic user and permission management • 0. Create individual users. 1. Grant least privilege. (and monitor permission usage with the IAM console – revoke permissions if they haven’t been used for some time period) Benefits • Less chance of people making mistakes • Easier to relax than tighten up • More granular control
Basic user and permission management • 0. Create individual users. 1. Grant least privilege. 2. Manage permissions with groups. Benefits • Easier to assign the same permissions to multiple users • Simpler to reassign permissions based on change in responsibilities • Only one change to update permissions for multiple users
Basic user and permission management • 0. Create individual users. 1. Grant least privilege. 2. Manage permissions with groups. 3. Restrict privileged access further with conditions. Benefits • Additional granularity when defining permissions • Can be enabled for any AWS service API • Minimises chances of accidentally performing privileged actions
Basic user and permission management • 0. Create individual users. 1. Grant least privilege. 2. Manage permissions with groups. 3. Restrict privileged access further with conditions. 4. Enable AWS CloudTrail to get logs of API calls. Benefits • Visibility into your user activity by recording AWS API calls to an Amazon S3 bucket
Credential management 5. Configure a strong password policy. Benefits • Ensures your users and your data are protected
Credential management 5. Configure a strong password policy. 6. Rotate security credentials regularly. Benefits • Normal best practice • (often for compliance reasons)
Credential management 5. Configure a strong password policy. 6. Rotate security credentials regularly. 7. Enable MFA for privileged users. Benefits • Supplements user name and password to require a one-time code during authentication
Delegation 8. Use IAM roles to share access. Benefits • No need to share security credentials • No need to store long-term credentials • Use cases - Cross-account access - Intra-account delegation - Federation
Delegation 8. Use IAM roles to share access. 9. Use IAM roles for Amazon EC2 instances. Benefits • Easy to manage access keys on EC2 instances • Automatic key rotation • Assign least privilege to the application • AWS SDKs fully integrated • AWS CLI fully integrated
Delegation 8. Use IAM roles to share access. 9. Use IAM roles for Amazon EC2 instances. 10. Reduce or remove use of root. Benefits • Reduce potential for misuse of credentials
Top 11 IAM best practices 0. Users – Create individual users. 1. Permissions – Grant least privilege. 2. Groups – Manage permissions with groups. 3. Conditions – Restrict privileged access further with conditions. 4. Auditing – Enable AWS CloudTrail to get logs of API calls. 5. Password – Configure a strong password policy. 6. Rotate – Rotate security credentials regularly. 7. MFA – Enable MFA for privileged users. 8. Sharing – Use IAM roles to share access. 9. Roles – Use IAM roles for Amazon EC2 instances. 10. Root – Reduce or remove use of root.
Versus – When should I use…? AWS access keys vs. passwords
IAM users vs. federated users • Depends on where you want to manage your users – On-premises → Federated users (IAM roles) – In your AWS account → IAM users
IAM users vs. federated users • Depends on where you want to manage your users – On-premises → Federated users (IAM roles) – In your AWS account → IAM users • Other important use cases – Delegating access to your account → Federated users (IAM roles) – Mobile application access → Should always be federated access – Draining PII from AWS / IAM → Federated users
IAM users vs. federated users • Depends on where you want to manage your users – On-premises → Federated users (IAM roles) – In your AWS account → IAM users • Other important use cases – Delegating access to your account → Federated users (IAM roles) – Mobile application access → Should always be federated access – Draining PII from AWS / IAM → Federated users IMPORTANT: Never share security credentials.
prod@example.com Acct ID: 111122223333dev@example.com Acct ID: 123456789012 How does federated access work? IAM user: Anders STS
prod@example.com Acct ID: 111122223333 ddb-role dev@example.com Acct ID: 123456789012 How does federated access work? IAM user: Anders STS
prod@example.com Acct ID: 111122223333 ddb-role dev@example.com Acct ID: 123456789012 { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} How does federated access work? ddb-role trusts IAM users from the AWS account dev@example.com (123456789012) IAM user: Anders STS
prod@example.com Acct ID: 111122223333 ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*“ }]} dev@example.com Acct ID: 123456789012 { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} How does federated access work? IAM user: Anders Permissions assigned to ddb-role STS ddb-role trusts IAM users from the AWS account dev@example.com (123456789012)
prod@example.com Acct ID: 111122223333 ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*“ }]} dev@example.com Acct ID: 123456789012 { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} How does federated access work? ddb-role trusts IAM users from the AWS account dev@example.com (123456789012) Permissions assigned to Anders granting him permission to assume ddb-role in account B IAM user: Anders Permissions assigned to ddb-role STS
prod@example.com Acct ID: 111122223333 ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*“ }]} dev@example.com Acct ID: 123456789012 Authenticate with Anders’ access keys { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} How does federated access work? IAM user: Anders STS { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} Permissions assigned to Anders granting him permission to assume ddb-role in account B ddb-role trusts IAM users from the AWS account dev@example.com (123456789012) Permissions assigned to ddb-role
prod@example.com Acct ID: 111122223333 ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*“ }]} dev@example.com Acct ID: 123456789012 Get temporary security credentials for ddb-role { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} How does federated access work? IAM user: Anders STS ddb-role trusts IAM users from the AWS account dev@example.com (123456789012) Permissions assigned to ddb-role Authenticate with Anders’ access keys { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} Permissions assigned to Anders granting him permission to assume ddb-role in account B
prod@example.com Acct ID: 111122223333 ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*“ }]} dev@example.com Acct ID: 123456789012 Call AWS APIs using temporary security credentials of ddb-role { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} How does federated access work? IAM user: Anders STS Get temporary security credentials for ddb-role ddb-role trusts IAM users from the AWS account dev@example.com (123456789012) Permissions assigned to ddb-role Authenticate with Anders’ access keys { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} Permissions assigned to Anders granting him permission to assume ddb-role in account B
AWS access keys vs. passwords • Depends on how your users will access AWS – Console → Password – API, CLI, SDK → Access keys
AWS access keys vs. passwords • Depends on how your users will access AWS – Console → Password – API, CLI, SDK → Access keys • In either case make sure to rotate credentials regularly – Use Credential Report to audit credential rotation. – Configure password policy. – Configure policy to allow access key rotation.
Enabling credential rotation for IAM users (Enable access key rotation sample policy) Access keys { "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys", "iam:UpdateAccessKey"], "Resource": "arn:aws:iam::123456789012: user/${aws:username}" }]}
Enabling credential rotation for IAM users (Enable access key rotation sample policy) 1. While the first set of credentials is still active, create a second set of credentials, which will also be active by default. 2. Update all applications to use the new credentials. 3. Change the state of the first set of credentials to Inactive. 4. Using only the new credentials, confirm that your applications are working well. 5. Delete the first set of credentials. Steps to rotate access keysAccess keys { "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys", "iam:UpdateAccessKey"], "Resource": "arn:aws:iam::123456789012: user/${aws:username}" }]}
Show and Tell
Inline policies vs. managed policies • Use inline policies when you need to: – Enforce a strict one-to-one relationship between policy and principal. – Avoid the wrong policy being attached to a principal. – Ensure the policy is deleted when deleting the principal.
Inline policies vs. managed policies • Use inline policies when you need to: – Enforce a strict one-to-one relationship between policy and principal. – Avoid the wrong policy being attached to a principal. – Ensure the policy is deleted when deleting the principal. • Use managed policies when you need: – Reusability. – Central change management. – Versioning and rollback. – Delegation of permissions management. – Automatic updates for AWS managed policies. – Larger policy size.
Groups vs. managed policies • Provide similar benefits – Can be used to assign the same permission to many users. – Central location to manage permissions. – Policy updates affect multiple users.
Groups vs. managed policies • Provide similar benefits – Can be used to assign the same permission to many users. – Central location to manage permissions. – Policy updates affect multiple users. • Use groups when you need to – Logically group and manage users .
Groups vs. managed policies • Provide similar benefits – Can be used to assign the same permission to many users. – Central location to manage permissions. – Policy updates affect multiple users. • Use groups when you need to – Logically group and manage users . • Use managed policies when you need to – Assign the same policy to users, groups, and roles.
Combine the power of groups AND managed policies • Use groups to organize your users into logical clusters. • Attach managed policies to those groups with the permissions those groups need. • Pro tip: Create managed policies based on logically separated permissions such as AWS service or project, and attach managed policies mix-and- match style to your groups.
Show and Tell
Resource-specific policy vs. tag-based access control • Use resource-specific policy when you need to: • Control access to a specific resource. • Control access to most AWS service resources.
Resource-specific policy vs. tag-based access control • Use resource-specific policy when you need to: • Control access to a specific resource. • Control access to most AWS service resources. • Use tag-based access control when you need to: • Treat resources as a unit, such as a project. • Automatically enforce permissions when new resources are created.
Resource-specific policy vs. tag-based access control • Use resource-specific policy when you need to: • Control access to a specific resource. • Control access to most AWS service resources. • Use tag-based access control when you need to: • Treat resources as a unit, such as a project. • Automatically enforce permissions when new resources are created. NOTE: The following services currently support tag-based access control: Amazon EC2, Amazon VPC, Amazon EBS, Amazon RDS, Amazon Simple Workflow Service, and AWS Data Pipeline
How does tag-based access control work? { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue IAM user: Anders
How does tag-based access control work? IAM user: Anders i-a1234b12 Project=Blue { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue
How does tag-based access control work? IAM user: Anders i-a1234b12 Project=Blue { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue
How does tag-based access control work? IAM user: Anders i-a1234b12 Project=Blue i-a4321b12 Project=Blue { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue
How does tag-based access control work? IAM user: Anders i-a1234b12 i-a4321b12 Project=Blue { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue
How does tag-based access control work? IAM user: Anders Project=Blue { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue i-a1234b12 i-a4321b12
How does tag-based access control work? IAM user: Anders Project=Blue i-a4321b12 Project=Green i-a1234b12 i-a4321b12 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue
Show and Tell
One AWS account vs. multiple AWS accounts? • Use a single AWS account when you: – Want simpler control of who does what in your AWS environment. – Have no need to isolate projects/products/teams. – Have no need for breaking up the cost.
One AWS account vs. multiple AWS accounts? • Use a single AWS account when you: – Want simpler control of who does what in your AWS environment. – Have no need to isolate projects/products/teams. – Have no need for breaking up the cost. • Use multiple AWS accounts when you: – Need full isolation between projects/teams/environments. – Want to isolate recovery data and/or auditing data (e.g., writing your CloudTrail logs to a different account). – Want something close to Mandatory Access Control – Need a single bill, but want to break out the cost and usage.
Cross-account access with IAM roles dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566 IAM user: Anders
Cross-account access with IAM roles IAM user: Anders dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
Cross-account access with IAM roles IAM user: Anders dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
Cross-account access with IAM roles IAM user: Anders dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
Cross-account access with IAM roles IAM user: Anders dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
Cross-account access with IAM roles IAM user: Anders dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
Cross-account access with IAM roles IAM user: Anders dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
Cross-account access with IAM roles External identity provider acme@example.com Acct ID: 123456789012 IAM user: Anders IAM user: Bob dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
Cross-account access with IAM roles External identity provider IAM user: Anders IAM user: Bob acme@example.com Acct ID: 123456789012 dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
Show and Tell
What did we cover? 1. Top 1011 best practices. 2. IAM users vs. federated users. 3. Access keys vs. passwords. 4. Inline policies vs. managed policies. 5. Groups vs. managed policies. 6. Resource-specific policy vs. tag-based access control. 7. One AWS account vs. multiple AWS accounts. X
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved Dave Walker – Specialised Solutions Architect Security/Compliance Amazon Web Services UK Ltd 22/10/15 Thank You

Empfohlen

IAM Recommended Practices
IAM Recommended PracticesIAM Recommended Practices
IAM Recommended PracticesAmazon Web Services
 
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013Amazon Web Services
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and ComplianceAmazon Web Services
 
Controlling Access to your Resources
Controlling Access to your ResourcesControlling Access to your Resources
Controlling Access to your ResourcesAmazon Web Services
 
Become an IAM Policy Ninja
Become an IAM Policy NinjaBecome an IAM Policy Ninja
Become an IAM Policy NinjaAmazon Web Services
 
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...Amazon Web Services
 
Crypto Options in AWS
Crypto Options in AWSCrypto Options in AWS
Crypto Options in AWSAmazon Web Services
 
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsSEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsAmazon Web Services
 

Empfohlen

IAM Recommended Practices
IAM Recommended PracticesIAM Recommended Practices
IAM Recommended PracticesAmazon Web Services
 
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013Amazon Web Services
 
Security and Compliance
Security and ComplianceSecurity and Compliance
Security and ComplianceAmazon Web Services
 
Controlling Access to your Resources
Controlling Access to your ResourcesControlling Access to your Resources
Controlling Access to your ResourcesAmazon Web Services
 
Become an IAM Policy Ninja
Become an IAM Policy NinjaBecome an IAM Policy Ninja
Become an IAM Policy NinjaAmazon Web Services
 
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...Amazon Web Services
 
Crypto Options in AWS
Crypto Options in AWSCrypto Options in AWS
Crypto Options in AWSAmazon Web Services
 
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsSEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsAmazon Web Services
 
AWS and the ASD Essential Eight
AWS and the ASD Essential EightAWS and the ASD Essential Eight
AWS and the ASD Essential EightAmazon Web Services
 
(SEC308) Wrangling Security Events In The Cloud
(SEC308) Wrangling Security Events In The Cloud(SEC308) Wrangling Security Events In The Cloud
(SEC308) Wrangling Security Events In The CloudAmazon Web Services
 
AWS business essentials - Toronto
AWS business essentials - TorontoAWS business essentials - Toronto
AWS business essentials - TorontoAmazon Web Services
 
Getting Started with Amazon EC2 and Compute Services
Getting Started with Amazon EC2 and Compute ServicesGetting Started with Amazon EC2 and Compute Services
Getting Started with Amazon EC2 and Compute ServicesAmazon Web Services
 
Mastering Access Control Policies
Mastering Access Control PoliciesMastering Access Control Policies
Mastering Access Control PoliciesAmazon Web Services
 
Crypto-Options on AWS | Security Roadshow Dublin
Crypto-Options on AWS | Security Roadshow DublinCrypto-Options on AWS | Security Roadshow Dublin
Crypto-Options on AWS | Security Roadshow DublinAmazon Web Services
 
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...Amazon Web Services
 
Security Day What's (nearly) New
Security Day What's (nearly) NewSecurity Day What's (nearly) New
Security Day What's (nearly) NewAmazon Web Services
 
AWS Enterprise Summit Netherlands - Creating a Landing Zone
AWS Enterprise Summit Netherlands - Creating a Landing ZoneAWS Enterprise Summit Netherlands - Creating a Landing Zone
AWS Enterprise Summit Netherlands - Creating a Landing ZoneAmazon Web Services
 
Dev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoDev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoAmazon Web Services
 
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Amazon Web Services
 
Introduction to IAM + Best Practices
Introduction to IAM + Best PracticesIntroduction to IAM + Best Practices
Introduction to IAM + Best PracticesAmazon Web Services
 
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)Amazon Web Services
 
AWS Webcast - Highly Available SQL Server on AWS
AWS Webcast - Highly Available SQL Server on AWS AWS Webcast - Highly Available SQL Server on AWS
AWS Webcast - Highly Available SQL Server on AWS Amazon Web Services
 
AWS Enterprise Summit Netherlands - Keynote
AWS Enterprise Summit Netherlands - KeynoteAWS Enterprise Summit Netherlands - Keynote
AWS Enterprise Summit Netherlands - KeynoteAmazon Web Services
 
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Amazon Web Services
 
IAM Best Practices to Live By - Pop-up Loft Tel Aviv
IAM Best Practices to Live By - Pop-up Loft Tel AvivIAM Best Practices to Live By - Pop-up Loft Tel Aviv
IAM Best Practices to Live By - Pop-up Loft Tel AvivAmazon Web Services
 
(SEC313) Security & Compliance at the Petabyte Scale
(SEC313) Security & Compliance at the Petabyte Scale(SEC313) Security & Compliance at the Petabyte Scale
(SEC313) Security & Compliance at the Petabyte ScaleAmazon Web Services
 
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)Amazon Web Services
 
Wrangling Multiple AWS Accounts with AWS Organizations
Wrangling Multiple AWS Accounts with AWS OrganizationsWrangling Multiple AWS Accounts with AWS Organizations
Wrangling Multiple AWS Accounts with AWS OrganizationsAmazon Web Services
 
What's (nearly) new | AWS Security Roadshow
What's (nearly) new | AWS Security RoadshowWhat's (nearly) new | AWS Security Roadshow
What's (nearly) new | AWS Security RoadshowAmazon Web Services
 
Crypto Options in AWS
Crypto Options in AWSCrypto Options in AWS
Crypto Options in AWSAmazon Web Services
 

Weitere ähnliche Inhalte

Was ist angesagt?

(SEC308) Wrangling Security Events In The Cloud
(SEC308) Wrangling Security Events In The Cloud(SEC308) Wrangling Security Events In The Cloud
(SEC308) Wrangling Security Events In The CloudAmazon Web Services
 
AWS business essentials - Toronto
AWS business essentials - TorontoAWS business essentials - Toronto
AWS business essentials - TorontoAmazon Web Services
 
Getting Started with Amazon EC2 and Compute Services
Getting Started with Amazon EC2 and Compute ServicesGetting Started with Amazon EC2 and Compute Services
Getting Started with Amazon EC2 and Compute ServicesAmazon Web Services
 
Mastering Access Control Policies
Mastering Access Control PoliciesMastering Access Control Policies
Mastering Access Control PoliciesAmazon Web Services
 
Crypto-Options on AWS | Security Roadshow Dublin
Crypto-Options on AWS | Security Roadshow DublinCrypto-Options on AWS | Security Roadshow Dublin
Crypto-Options on AWS | Security Roadshow DublinAmazon Web Services
 
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...Amazon Web Services
 
Security Day What's (nearly) New
Security Day What's (nearly) NewSecurity Day What's (nearly) New
Security Day What's (nearly) NewAmazon Web Services
 
AWS Enterprise Summit Netherlands - Creating a Landing Zone
AWS Enterprise Summit Netherlands - Creating a Landing ZoneAWS Enterprise Summit Netherlands - Creating a Landing Zone
AWS Enterprise Summit Netherlands - Creating a Landing ZoneAmazon Web Services
 
Dev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoDev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoAmazon Web Services
 
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Amazon Web Services
 
Introduction to IAM + Best Practices
Introduction to IAM + Best PracticesIntroduction to IAM + Best Practices
Introduction to IAM + Best PracticesAmazon Web Services
 
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)Amazon Web Services
 
AWS Webcast - Highly Available SQL Server on AWS
AWS Webcast - Highly Available SQL Server on AWS AWS Webcast - Highly Available SQL Server on AWS
AWS Webcast - Highly Available SQL Server on AWS Amazon Web Services
 
AWS Enterprise Summit Netherlands - Keynote
AWS Enterprise Summit Netherlands - KeynoteAWS Enterprise Summit Netherlands - Keynote
AWS Enterprise Summit Netherlands - KeynoteAmazon Web Services
 
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Amazon Web Services
 
IAM Best Practices to Live By - Pop-up Loft Tel Aviv
IAM Best Practices to Live By - Pop-up Loft Tel AvivIAM Best Practices to Live By - Pop-up Loft Tel Aviv
IAM Best Practices to Live By - Pop-up Loft Tel AvivAmazon Web Services
 
(SEC313) Security & Compliance at the Petabyte Scale
(SEC313) Security & Compliance at the Petabyte Scale(SEC313) Security & Compliance at the Petabyte Scale
(SEC313) Security & Compliance at the Petabyte ScaleAmazon Web Services
 
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)Amazon Web Services
 
Wrangling Multiple AWS Accounts with AWS Organizations
Wrangling Multiple AWS Accounts with AWS OrganizationsWrangling Multiple AWS Accounts with AWS Organizations
Wrangling Multiple AWS Accounts with AWS OrganizationsAmazon Web Services
 

Was ist angesagt? (20)

AWS and the ASD Essential Eight
AWS and the ASD Essential EightAWS and the ASD Essential Eight
AWS and the ASD Essential Eight
 
(SEC308) Wrangling Security Events In The Cloud
(SEC308) Wrangling Security Events In The Cloud(SEC308) Wrangling Security Events In The Cloud
(SEC308) Wrangling Security Events In The Cloud
 
AWS business essentials - Toronto
AWS business essentials - TorontoAWS business essentials - Toronto
AWS business essentials - Toronto
 
Getting Started with Amazon EC2 and Compute Services
Getting Started with Amazon EC2 and Compute ServicesGetting Started with Amazon EC2 and Compute Services
Getting Started with Amazon EC2 and Compute Services
 
Mastering Access Control Policies
Mastering Access Control PoliciesMastering Access Control Policies
Mastering Access Control Policies
 
Crypto-Options on AWS | Security Roadshow Dublin
Crypto-Options on AWS | Security Roadshow DublinCrypto-Options on AWS | Security Roadshow Dublin
Crypto-Options on AWS | Security Roadshow Dublin
 
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
 
Security Day What's (nearly) New
Security Day What's (nearly) NewSecurity Day What's (nearly) New
Security Day What's (nearly) New
 
AWS Enterprise Summit Netherlands - Creating a Landing Zone
AWS Enterprise Summit Netherlands - Creating a Landing ZoneAWS Enterprise Summit Netherlands - Creating a Landing Zone
AWS Enterprise Summit Netherlands - Creating a Landing Zone
 
Dev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoDev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - Toronto
 
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
 
Introduction to IAM + Best Practices
Introduction to IAM + Best PracticesIntroduction to IAM + Best Practices
Introduction to IAM + Best Practices
 
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
 
AWS Webcast - Highly Available SQL Server on AWS
AWS Webcast - Highly Available SQL Server on AWS AWS Webcast - Highly Available SQL Server on AWS
AWS Webcast - Highly Available SQL Server on AWS
 
AWS Enterprise Summit Netherlands - Keynote
AWS Enterprise Summit Netherlands - KeynoteAWS Enterprise Summit Netherlands - Keynote
AWS Enterprise Summit Netherlands - Keynote
 
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
 
IAM Best Practices to Live By - Pop-up Loft Tel Aviv
IAM Best Practices to Live By - Pop-up Loft Tel AvivIAM Best Practices to Live By - Pop-up Loft Tel Aviv
IAM Best Practices to Live By - Pop-up Loft Tel Aviv
 
(SEC313) Security & Compliance at the Petabyte Scale
(SEC313) Security & Compliance at the Petabyte Scale(SEC313) Security & Compliance at the Petabyte Scale
(SEC313) Security & Compliance at the Petabyte Scale
 
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
 
Wrangling Multiple AWS Accounts with AWS Organizations
Wrangling Multiple AWS Accounts with AWS OrganizationsWrangling Multiple AWS Accounts with AWS Organizations
Wrangling Multiple AWS Accounts with AWS Organizations
 

Andere mochten auch

What's (nearly) new | AWS Security Roadshow
What's (nearly) new | AWS Security RoadshowWhat's (nearly) new | AWS Security Roadshow
What's (nearly) new | AWS Security RoadshowAmazon Web Services
 
The AWS Shared Security Responsibility Model in Practice
The AWS Shared Security Responsibility Model in PracticeThe AWS Shared Security Responsibility Model in Practice
The AWS Shared Security Responsibility Model in PracticeAmazon Web Services
 
Account Separation and Mandatory Access Control
Account Separation and Mandatory Access ControlAccount Separation and Mandatory Access Control
Account Separation and Mandatory Access ControlAmazon Web Services
 
AWS Black Belt Techシリーズ AWS Service Catalog
AWS Black Belt Techシリーズ AWS Service CatalogAWS Black Belt Techシリーズ AWS Service Catalog
AWS Black Belt Techシリーズ AWS Service CatalogAmazon Web Services Japan
 
Building Scalable Application on the Cloud
Building Scalable Application on the CloudBuilding Scalable Application on the Cloud
Building Scalable Application on the CloudKeisuke Nishitani
 
AWS re:Inventに行くために今日からやるべき3つのこと
AWS re:Inventに行くために今日からやるべき3つのことAWS re:Inventに行くために今日からやるべき3つのこと
AWS re:Inventに行くために今日からやるべき3つのこと真吾 吉田
 
サバ缶のない世界でスカイアーチはこの先生きのこれるのか考える
サバ缶のない世界でスカイアーチはこの先生きのこれるのか考えるサバ缶のない世界でスカイアーチはこの先生きのこれるのか考える
サバ缶のない世界でスカイアーチはこの先生きのこれるのか考える真吾 吉田
 
NuGetの社内利用のススメ
NuGetの社内利用のススメNuGetの社内利用のススメ
NuGetの社内利用のススメNarami Kiyokura
 
Webinar: Delivering Static and Dynamic Content Using CloudFront
Webinar: Delivering Static and Dynamic Content Using CloudFrontWebinar: Delivering Static and Dynamic Content Using CloudFront
Webinar: Delivering Static and Dynamic Content Using CloudFrontAmazon Web Services
 
STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012
STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012
STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012Amazon Web Services
 
Running Microsoft Enterprise Workloads on Amazon Web Services
Running Microsoft Enterprise Workloads on Amazon Web ServicesRunning Microsoft Enterprise Workloads on Amazon Web Services
Running Microsoft Enterprise Workloads on Amazon Web ServicesAmazon Web Services
 
AWS Cloud Kata 2013 | Singapore - Opening Keynote: Running Lean & Scaling Fas...
AWS Cloud Kata 2013 | Singapore - Opening Keynote: Running Lean & Scaling Fas...AWS Cloud Kata 2013 | Singapore - Opening Keynote: Running Lean & Scaling Fas...
AWS Cloud Kata 2013 | Singapore - Opening Keynote: Running Lean & Scaling Fas...Amazon Web Services
 
AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...
AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...
AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...Amazon Web Services
 
MED301 Is My CDN Performing? - AWS re: Invent 2012
MED301 Is My CDN Performing? - AWS re: Invent 2012MED301 Is My CDN Performing? - AWS re: Invent 2012
MED301 Is My CDN Performing? - AWS re: Invent 2012Amazon Web Services
 
Canonical AWS Summit London 2011
Canonical AWS Summit London 2011Canonical AWS Summit London 2011
Canonical AWS Summit London 2011Amazon Web Services
 
AWS Customer Presentation : PBS - AWS Summit 2012 - NYC
AWS Customer Presentation : PBS - AWS Summit 2012 - NYCAWS Customer Presentation : PBS - AWS Summit 2012 - NYC
AWS Customer Presentation : PBS - AWS Summit 2012 - NYCAmazon Web Services
 
Journey Through the AWS Cloud; Application Services
Journey Through the AWS Cloud; Application ServicesJourney Through the AWS Cloud; Application Services
Journey Through the AWS Cloud; Application ServicesAmazon Web Services
 

Andere mochten auch (20)

What's (nearly) new | AWS Security Roadshow
What's (nearly) new | AWS Security RoadshowWhat's (nearly) new | AWS Security Roadshow
What's (nearly) new | AWS Security Roadshow
 
Crypto Options in AWS
Crypto Options in AWSCrypto Options in AWS
Crypto Options in AWS
 
The AWS Shared Security Responsibility Model in Practice
The AWS Shared Security Responsibility Model in PracticeThe AWS Shared Security Responsibility Model in Practice
The AWS Shared Security Responsibility Model in Practice
 
Account Separation and Mandatory Access Control
Account Separation and Mandatory Access ControlAccount Separation and Mandatory Access Control
Account Separation and Mandatory Access Control
 
AWS Black Belt Techシリーズ AWS Service Catalog
AWS Black Belt Techシリーズ AWS Service CatalogAWS Black Belt Techシリーズ AWS Service Catalog
AWS Black Belt Techシリーズ AWS Service Catalog
 
Building Scalable Application on the Cloud
Building Scalable Application on the CloudBuilding Scalable Application on the Cloud
Building Scalable Application on the Cloud
 
AWS re:Inventに行くために今日からやるべき3つのこと
AWS re:Inventに行くために今日からやるべき3つのことAWS re:Inventに行くために今日からやるべき3つのこと
AWS re:Inventに行くために今日からやるべき3つのこと
 
サバ缶のない世界でスカイアーチはこの先生きのこれるのか考える
サバ缶のない世界でスカイアーチはこの先生きのこれるのか考えるサバ缶のない世界でスカイアーチはこの先生きのこれるのか考える
サバ缶のない世界でスカイアーチはこの先生きのこれるのか考える
 
profile
profileprofile
profile
 
NuGetの社内利用のススメ
NuGetの社内利用のススメNuGetの社内利用のススメ
NuGetの社内利用のススメ
 
Webinar: Delivering Static and Dynamic Content Using CloudFront
Webinar: Delivering Static and Dynamic Content Using CloudFrontWebinar: Delivering Static and Dynamic Content Using CloudFront
Webinar: Delivering Static and Dynamic Content Using CloudFront
 
STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012
STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012
STP205 Making it Big Without Breaking the Bank - AWS re: Invent 2012
 
Running Microsoft Enterprise Workloads on Amazon Web Services
Running Microsoft Enterprise Workloads on Amazon Web ServicesRunning Microsoft Enterprise Workloads on Amazon Web Services
Running Microsoft Enterprise Workloads on Amazon Web Services
 
AWS Cloud Kata 2013 | Singapore - Opening Keynote: Running Lean & Scaling Fas...
AWS Cloud Kata 2013 | Singapore - Opening Keynote: Running Lean & Scaling Fas...AWS Cloud Kata 2013 | Singapore - Opening Keynote: Running Lean & Scaling Fas...
AWS Cloud Kata 2013 | Singapore - Opening Keynote: Running Lean & Scaling Fas...
 
AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...
AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...
AWS Webcast - Accelerating Application Performance Using In-Memory Caching in...
 
MED301 Is My CDN Performing? - AWS re: Invent 2012
MED301 Is My CDN Performing? - AWS re: Invent 2012MED301 Is My CDN Performing? - AWS re: Invent 2012
MED301 Is My CDN Performing? - AWS re: Invent 2012
 
NoSQL like there is No Tomorrow
NoSQL like there is No TomorrowNoSQL like there is No Tomorrow
NoSQL like there is No Tomorrow
 
Canonical AWS Summit London 2011
Canonical AWS Summit London 2011Canonical AWS Summit London 2011
Canonical AWS Summit London 2011
 
AWS Customer Presentation : PBS - AWS Summit 2012 - NYC
AWS Customer Presentation : PBS - AWS Summit 2012 - NYCAWS Customer Presentation : PBS - AWS Summit 2012 - NYC
AWS Customer Presentation : PBS - AWS Summit 2012 - NYC
 
Journey Through the AWS Cloud; Application Services
Journey Through the AWS Cloud; Application ServicesJourney Through the AWS Cloud; Application Services
Journey Through the AWS Cloud; Application Services
 

Ähnlich wie Security Day IAM Recommended Practices

(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live By(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live ByAmazon Web Services
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended PracticesAmazon Web Services
 
Aws iam best practices to live by
Aws iam best practices to live byAws iam best practices to live by
Aws iam best practices to live byJohn Varghese
 
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...Amazon Web Services
 
Identify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS SecurityIdentify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS SecurityAmazon Web Services
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best PracticesAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Aws security best practices
Aws security best practicesAws security best practices
Aws security best practicesSundeep Roxx
 
Simple Security for Startups
Simple Security for StartupsSimple Security for Startups
Simple Security for StartupsMark Bate
 
Simple Security for Startups
Simple Security for StartupsSimple Security for Startups
Simple Security for StartupsAWS Germany
 
Advanced security best practices - Masterclass - Pop-up Loft Tel Aviv
Advanced security best practices - Masterclass - Pop-up Loft Tel AvivAdvanced security best practices - Masterclass - Pop-up Loft Tel Aviv
Advanced security best practices - Masterclass - Pop-up Loft Tel AvivAmazon Web Services
 
Advanced Security Masterclass - Tel Aviv Loft
Advanced Security Masterclass - Tel Aviv LoftAdvanced Security Masterclass - Tel Aviv Loft
Advanced Security Masterclass - Tel Aviv LoftIan Massingham
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Amazon Web Services
 
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013Amazon Web Services
 

Ähnlich wie Security Day IAM Recommended Practices (20)

(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live By(SEC302) IAM Best Practices To Live By
(SEC302) IAM Best Practices To Live By
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended Practices
 
Aws iam best practices to live by
Aws iam best practices to live byAws iam best practices to live by
Aws iam best practices to live by
 
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best Practices
 
Identify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS SecurityIdentify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS Security
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best Practices
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best Practices
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best Practices
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM Introduction
 
Aws security best practices
Aws security best practicesAws security best practices
Aws security best practices
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM Introduction
 
AWS Users Authentication
AWS Users AuthenticationAWS Users Authentication
AWS Users Authentication
 
Simple Security for Startups
Simple Security for StartupsSimple Security for Startups
Simple Security for Startups
 
Simple Security for Startups
Simple Security for StartupsSimple Security for Startups
Simple Security for Startups
 
Advanced security best practices - Masterclass - Pop-up Loft Tel Aviv
Advanced security best practices - Masterclass - Pop-up Loft Tel AvivAdvanced security best practices - Masterclass - Pop-up Loft Tel Aviv
Advanced security best practices - Masterclass - Pop-up Loft Tel Aviv
 
Advanced Security Masterclass - Tel Aviv Loft
Advanced Security Masterclass - Tel Aviv LoftAdvanced Security Masterclass - Tel Aviv Loft
Advanced Security Masterclass - Tel Aviv Loft
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)
 
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
 

Mehr von Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Mehr von Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Kürzlich hochgeladen

Event mailer assignment progress report .pdf
Event mailer assignment progress report .pdfEvent mailer assignment progress report .pdf
Event mailer assignment progress report .pdftbatkhuu1
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒anilsa9823
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxpriyanshujha201
 
Understanding the Pakistan Budgeting Process: Basics and Key Insights
Understanding the Pakistan Budgeting Process: Basics and Key InsightsUnderstanding the Pakistan Budgeting Process: Basics and Key Insights
Understanding the Pakistan Budgeting Process: Basics and Key Insightsseri bangash
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdfRenandantas16
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Dipal Arora
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876dlhescort
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
Best Basmati Rice Manufacturers in India
Best Basmati Rice Manufacturers in IndiaBest Basmati Rice Manufacturers in India
Best Basmati Rice Manufacturers in IndiaShree Krishna Exports
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesDipal Arora
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communicationskarancommunications
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsP&CO
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfPaul Menig
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Unlocking the Secrets of Affiliate Marketing.pdf
Unlocking the Secrets of Affiliate Marketing.pdfUnlocking the Secrets of Affiliate Marketing.pdf
Unlocking the Secrets of Affiliate Marketing.pdfOnline Income Engine
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.Aaiza Hassan
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRegression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRavindra Nath Shukla
 

Kürzlich hochgeladen (20)

Event mailer assignment progress report .pdf
Event mailer assignment progress report .pdfEvent mailer assignment progress report .pdf
Event mailer assignment progress report .pdf
 
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
VIP Call Girls In Saharaganj ( Lucknow ) 🔝 8923113531 🔝 Cash Payment (COD) 👒
 
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptxB.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
B.COM Unit – 4 ( CORPORATE SOCIAL RESPONSIBILITY ( CSR ).pptx
 
Understanding the Pakistan Budgeting Process: Basics and Key Insights
Understanding the Pakistan Budgeting Process: Basics and Key InsightsUnderstanding the Pakistan Budgeting Process: Basics and Key Insights
Understanding the Pakistan Budgeting Process: Basics and Key Insights
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
Best Basmati Rice Manufacturers in India
Best Basmati Rice Manufacturers in IndiaBest Basmati Rice Manufacturers in India
Best Basmati Rice Manufacturers in India
 
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best ServicesMysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
 
Pharma Works Profile of Karan Communications
Pharma Works Profile of Karan CommunicationsPharma Works Profile of Karan Communications
Pharma Works Profile of Karan Communications
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and pains
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 
Unlocking the Secrets of Affiliate Marketing.pdf
Unlocking the Secrets of Affiliate Marketing.pdfUnlocking the Secrets of Affiliate Marketing.pdf
Unlocking the Secrets of Affiliate Marketing.pdf
 
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRegression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear Regression
 

Security Day IAM Recommended Practices

  • 1. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved IAM Recommended Practices Dave Walker – Specialised Solutions Architect, Security and Compliance Amazon Web Services UK Ltd 28/01/16
  • 2. What to expect from this session We will look at: • Best practices – To help you get started • Versus – When to use one technology over another • Demos – “Show and tell”
  • 3. AWS Identity and Access Management (IAM) Enables you to control who can do what in your AWS account
  • 4. AWS Identity and Access Management (IAM) Enables you to control who can do what in your AWS account • Users, groups, roles, and permissions
  • 5. AWS Identity and Access Management (IAM) Enables you to control who can do what in your AWS account • Users, groups, roles, and permissions • Control – Centralised – Fine-grained - APIs, resources, and AWS Management Console
  • 6. AWS Identity and Access Management (IAM) Enables you to control who can do what in your AWS account • Users, groups, roles, and permissions • Control – Centralized – Fine-grained - APIs, resources, and AWS Management Console • Security – Secure (deny) by default – Multiple users, individual security credentials and permissions
  • 7. IAM Best Practices • Basic user and permission management • Credential management • Delegation
  • 8. Basic user and permission management • 0. Create individual users. Benefits • Unique credentials • Individual credential rotation • Individual permissions
  • 9. Basic user and permission management • 0. Create individual users. 1. Grant least privilege. (and monitor permission usage with the IAM console – revoke permissions if they haven’t been used for some time period) Benefits • Less chance of people making mistakes • Easier to relax than tighten up • More granular control
  • 10. Basic user and permission management • 0. Create individual users. 1. Grant least privilege. 2. Manage permissions with groups. Benefits • Easier to assign the same permissions to multiple users • Simpler to reassign permissions based on change in responsibilities • Only one change to update permissions for multiple users
  • 11. Basic user and permission management • 0. Create individual users. 1. Grant least privilege. 2. Manage permissions with groups. 3. Restrict privileged access further with conditions. Benefits • Additional granularity when defining permissions • Can be enabled for any AWS service API • Minimises chances of accidentally performing privileged actions
  • 12. Basic user and permission management • 0. Create individual users. 1. Grant least privilege. 2. Manage permissions with groups. 3. Restrict privileged access further with conditions. 4. Enable AWS CloudTrail to get logs of API calls. Benefits • Visibility into your user activity by recording AWS API calls to an Amazon S3 bucket
  • 13. Credential management 5. Configure a strong password policy. Benefits • Ensures your users and your data are protected
  • 14. Credential management 5. Configure a strong password policy. 6. Rotate security credentials regularly. Benefits • Normal best practice • (often for compliance reasons)
  • 15. Credential management 5. Configure a strong password policy. 6. Rotate security credentials regularly. 7. Enable MFA for privileged users. Benefits • Supplements user name and password to require a one-time code during authentication
  • 16. Delegation 8. Use IAM roles to share access. Benefits • No need to share security credentials • No need to store long-term credentials • Use cases - Cross-account access - Intra-account delegation - Federation
  • 17. Delegation 8. Use IAM roles to share access. 9. Use IAM roles for Amazon EC2 instances. Benefits • Easy to manage access keys on EC2 instances • Automatic key rotation • Assign least privilege to the application • AWS SDKs fully integrated • AWS CLI fully integrated
  • 18. Delegation 8. Use IAM roles to share access. 9. Use IAM roles for Amazon EC2 instances. 10. Reduce or remove use of root. Benefits • Reduce potential for misuse of credentials
  • 19. Top 11 IAM best practices 0. Users – Create individual users. 1. Permissions – Grant least privilege. 2. Groups – Manage permissions with groups. 3. Conditions – Restrict privileged access further with conditions. 4. Auditing – Enable AWS CloudTrail to get logs of API calls. 5. Password – Configure a strong password policy. 6. Rotate – Rotate security credentials regularly. 7. MFA – Enable MFA for privileged users. 8. Sharing – Use IAM roles to share access. 9. Roles – Use IAM roles for Amazon EC2 instances. 10. Root – Reduce or remove use of root.
  • 20. Versus – When should I use…? AWS access keys vs. passwords
  • 21.
  • 22. IAM users vs. federated users • Depends on where you want to manage your users – On-premises → Federated users (IAM roles) – In your AWS account → IAM users
  • 23. IAM users vs. federated users • Depends on where you want to manage your users – On-premises → Federated users (IAM roles) – In your AWS account → IAM users • Other important use cases – Delegating access to your account → Federated users (IAM roles) – Mobile application access → Should always be federated access – Draining PII from AWS / IAM → Federated users
  • 24. IAM users vs. federated users • Depends on where you want to manage your users – On-premises → Federated users (IAM roles) – In your AWS account → IAM users • Other important use cases – Delegating access to your account → Federated users (IAM roles) – Mobile application access → Should always be federated access – Draining PII from AWS / IAM → Federated users IMPORTANT: Never share security credentials.
  • 25. prod@example.com Acct ID: 111122223333dev@example.com Acct ID: 123456789012 How does federated access work? IAM user: Anders STS
  • 26. prod@example.com Acct ID: 111122223333 ddb-role dev@example.com Acct ID: 123456789012 How does federated access work? IAM user: Anders STS
  • 27. prod@example.com Acct ID: 111122223333 ddb-role dev@example.com Acct ID: 123456789012 { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} How does federated access work? ddb-role trusts IAM users from the AWS account dev@example.com (123456789012) IAM user: Anders STS
  • 28. prod@example.com Acct ID: 111122223333 ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*“ }]} dev@example.com Acct ID: 123456789012 { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} How does federated access work? IAM user: Anders Permissions assigned to ddb-role STS ddb-role trusts IAM users from the AWS account dev@example.com (123456789012)
  • 29. prod@example.com Acct ID: 111122223333 ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*“ }]} dev@example.com Acct ID: 123456789012 { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} How does federated access work? ddb-role trusts IAM users from the AWS account dev@example.com (123456789012) Permissions assigned to Anders granting him permission to assume ddb-role in account B IAM user: Anders Permissions assigned to ddb-role STS
  • 30. prod@example.com Acct ID: 111122223333 ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*“ }]} dev@example.com Acct ID: 123456789012 Authenticate with Anders’ access keys { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} How does federated access work? IAM user: Anders STS { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} Permissions assigned to Anders granting him permission to assume ddb-role in account B ddb-role trusts IAM users from the AWS account dev@example.com (123456789012) Permissions assigned to ddb-role
  • 31. prod@example.com Acct ID: 111122223333 ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*“ }]} dev@example.com Acct ID: 123456789012 Get temporary security credentials for ddb-role { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} How does federated access work? IAM user: Anders STS ddb-role trusts IAM users from the AWS account dev@example.com (123456789012) Permissions assigned to ddb-role Authenticate with Anders’ access keys { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} Permissions assigned to Anders granting him permission to assume ddb-role in account B
  • 32. prod@example.com Acct ID: 111122223333 ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*“ }]} dev@example.com Acct ID: 123456789012 Call AWS APIs using temporary security credentials of ddb-role { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} How does federated access work? IAM user: Anders STS Get temporary security credentials for ddb-role ddb-role trusts IAM users from the AWS account dev@example.com (123456789012) Permissions assigned to ddb-role Authenticate with Anders’ access keys { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} Permissions assigned to Anders granting him permission to assume ddb-role in account B
  • 33.
  • 34. AWS access keys vs. passwords • Depends on how your users will access AWS – Console → Password – API, CLI, SDK → Access keys
  • 35. AWS access keys vs. passwords • Depends on how your users will access AWS – Console → Password – API, CLI, SDK → Access keys • In either case make sure to rotate credentials regularly – Use Credential Report to audit credential rotation. – Configure password policy. – Configure policy to allow access key rotation.
  • 36. Enabling credential rotation for IAM users (Enable access key rotation sample policy) Access keys { "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys", "iam:UpdateAccessKey"], "Resource": "arn:aws:iam::123456789012: user/${aws:username}" }]}
  • 37. Enabling credential rotation for IAM users (Enable access key rotation sample policy) 1. While the first set of credentials is still active, create a second set of credentials, which will also be active by default. 2. Update all applications to use the new credentials. 3. Change the state of the first set of credentials to Inactive. 4. Using only the new credentials, confirm that your applications are working well. 5. Delete the first set of credentials. Steps to rotate access keysAccess keys { "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys", "iam:UpdateAccessKey"], "Resource": "arn:aws:iam::123456789012: user/${aws:username}" }]}
  • 39.
  • 40. Inline policies vs. managed policies • Use inline policies when you need to: – Enforce a strict one-to-one relationship between policy and principal. – Avoid the wrong policy being attached to a principal. – Ensure the policy is deleted when deleting the principal.
  • 41. Inline policies vs. managed policies • Use inline policies when you need to: – Enforce a strict one-to-one relationship between policy and principal. – Avoid the wrong policy being attached to a principal. – Ensure the policy is deleted when deleting the principal. • Use managed policies when you need: – Reusability. – Central change management. – Versioning and rollback. – Delegation of permissions management. – Automatic updates for AWS managed policies. – Larger policy size.
  • 42.
  • 43. Groups vs. managed policies • Provide similar benefits – Can be used to assign the same permission to many users. – Central location to manage permissions. – Policy updates affect multiple users.
  • 44. Groups vs. managed policies • Provide similar benefits – Can be used to assign the same permission to many users. – Central location to manage permissions. – Policy updates affect multiple users. • Use groups when you need to – Logically group and manage users .
  • 45. Groups vs. managed policies • Provide similar benefits – Can be used to assign the same permission to many users. – Central location to manage permissions. – Policy updates affect multiple users. • Use groups when you need to – Logically group and manage users . • Use managed policies when you need to – Assign the same policy to users, groups, and roles.
  • 46. Combine the power of groups AND managed policies • Use groups to organize your users into logical clusters. • Attach managed policies to those groups with the permissions those groups need. • Pro tip: Create managed policies based on logically separated permissions such as AWS service or project, and attach managed policies mix-and- match style to your groups.
  • 48.
  • 49. Resource-specific policy vs. tag-based access control • Use resource-specific policy when you need to: • Control access to a specific resource. • Control access to most AWS service resources.
  • 50. Resource-specific policy vs. tag-based access control • Use resource-specific policy when you need to: • Control access to a specific resource. • Control access to most AWS service resources. • Use tag-based access control when you need to: • Treat resources as a unit, such as a project. • Automatically enforce permissions when new resources are created.
  • 51. Resource-specific policy vs. tag-based access control • Use resource-specific policy when you need to: • Control access to a specific resource. • Control access to most AWS service resources. • Use tag-based access control when you need to: • Treat resources as a unit, such as a project. • Automatically enforce permissions when new resources are created. NOTE: The following services currently support tag-based access control: Amazon EC2, Amazon VPC, Amazon EBS, Amazon RDS, Amazon Simple Workflow Service, and AWS Data Pipeline
  • 52. How does tag-based access control work? { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue IAM user: Anders
  • 53. How does tag-based access control work? IAM user: Anders i-a1234b12 Project=Blue { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue
  • 54. How does tag-based access control work? IAM user: Anders i-a1234b12 Project=Blue { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue
  • 55. How does tag-based access control work? IAM user: Anders i-a1234b12 Project=Blue i-a4321b12 Project=Blue { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue
  • 56. How does tag-based access control work? IAM user: Anders i-a1234b12 i-a4321b12 Project=Blue { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue
  • 57. How does tag-based access control work? IAM user: Anders Project=Blue { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue i-a1234b12 i-a4321b12
  • 58. How does tag-based access control work? IAM user: Anders Project=Blue i-a4321b12 Project=Green i-a1234b12 i-a4321b12 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project" : "Blue" } } } ] } Permissions assigned to Anders granting him permission to perform any EC2 action on resources tagged with Project=Blue
  • 60.
  • 61. One AWS account vs. multiple AWS accounts? • Use a single AWS account when you: – Want simpler control of who does what in your AWS environment. – Have no need to isolate projects/products/teams. – Have no need for breaking up the cost.
  • 62. One AWS account vs. multiple AWS accounts? • Use a single AWS account when you: – Want simpler control of who does what in your AWS environment. – Have no need to isolate projects/products/teams. – Have no need for breaking up the cost. • Use multiple AWS accounts when you: – Need full isolation between projects/teams/environments. – Want to isolate recovery data and/or auditing data (e.g., writing your CloudTrail logs to a different account). – Want something close to Mandatory Access Control – Need a single bill, but want to break out the cost and usage.
  • 63. Cross-account access with IAM roles dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566 IAM user: Anders
  • 64. Cross-account access with IAM roles IAM user: Anders dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
  • 65. Cross-account access with IAM roles IAM user: Anders dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
  • 66. Cross-account access with IAM roles IAM user: Anders dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
  • 67. Cross-account access with IAM roles IAM user: Anders dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
  • 68. Cross-account access with IAM roles IAM user: Anders dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
  • 69. Cross-account access with IAM roles IAM user: Anders dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
  • 70. Cross-account access with IAM roles External identity provider acme@example.com Acct ID: 123456789012 IAM user: Anders IAM user: Bob dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
  • 71. Cross-account access with IAM roles External identity provider IAM user: Anders IAM user: Bob acme@example.com Acct ID: 123456789012 dev@example.com Acct ID: 123456123456 proj2@example.com Acct ID: 111222333444 proj1@example.com Acct ID: 112233445566
  • 73. What did we cover? 1. Top 1011 best practices. 2. IAM users vs. federated users. 3. Access keys vs. passwords. 4. Inline policies vs. managed policies. 5. Groups vs. managed policies. 6. Resource-specific policy vs. tag-based access control. 7. One AWS account vs. multiple AWS accounts. X
  • 74. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved Dave Walker – Specialised Solutions Architect Security/Compliance Amazon Web Services UK Ltd 22/10/15 Thank You