© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
The 1%: Identity and Governance patterns from the most
advanced AWS customers that you can use today
Quint Van Deman,
Global Business Development Manager,
Identity & Directory Services
Motivations
Typically, teams spend their energy getting off the starting line. Today's goal is to set a new yardstick for where to go next.
[Slide images: by tableatny (BXP135660), CC BY 2.0 (http://creativecommons.org/licenses/by/2.0), via Wikimedia Commons; and Attribution-NonCommercial-ShareAlike 2.0 Generic (CC BY-NC-SA 2.0)]
Agenda
• Advanced policy authoring / development:
– Policy unit testing: IAM policy simulator.
– Real time IAM monitoring and remediation: AWS Config.
– Policy tuning: Harvesting unused permissions.
• Advanced IAM deployment / management:
– Policy guardrails: Master blacklist policies.
– Pipeline deployments: Bringing CI/CD methods to IAM management.
• Advanced access management:
– Immutable infrastructure: AWS Organizations.
• Honorable mentions (if time permits)
– Policy tokenizing: Generic policies, environment specific deployments.
– Microsegmentation: Thousands of AWS accounts.
– Scoped access: The return of the token vending machine.
• Q & A
Policy unit testing: IAM policy simulator
Does my policy result in the effective permissions I intended?
Does my result match my intent?
• Of course it does, why wouldn't it?
– Multiple policy layer mistakes: Organizations SCPs, managed & inline IAM policies,
scope down policies, and resource policies (e.g. bucket policies).
– Policy semantic rationalization mistakes: explicit vs. implicit allows/denies, inclusion
vs. exclusion (Action vs. NotAction).
• Be sure with the API driven IAM policy simulator:
– Codify your intent as a companion artifact to your policy.
– Test your policy stand alone (iam:SimulateCustomPolicy) and in context with the principal's
existing policies (iam:SimulatePrincipalPolicy).
– Prevent mistakes before deployment, regression test after deployment.
IAM policy simulation: Example
Intent:
“I want to create a policy for my
advanced DevOps group that allows
broad AWS access, except for IAM and
AWS CloudTrail. Because this is the
production web account, they should
also not have access to Amazon
WorkSpaces.”
Drafted Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"NotAction": [
"iam:*",
"cloudtrail:*",
"workspaces:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
IAM policy simulation: Example
#!/usr/bin/env python3
# Codified intent: the principals this policy will be attached to, and the
# actions they must NOT be able to call once it is. Exits non-zero on any leak
# so the same script can gate a deployment pipeline.
import argparse
import sys
import boto3

parser = argparse.ArgumentParser()
parser.add_argument('--policy', required=True, help='path to the drafted policy JSON')
args = parser.parse_args()
client = boto3.client('iam')

principalstocheck = [ 'arn:aws:iam::123456789012:user/milton',
                      'arn:aws:iam::123456789012:user/peter' ]
actionstocheck = [ 'iam:AddRoleToInstanceProfile',
                   <snip>
                   'cloudtrail:StopLogging',
                   <snip>
                   'workspaces:TerminateWorkspaces' ]
with open(args.policy) as policy_file:
    policy = policy_file.read()

needswork = False
for principal in principalstocheck:
    # PolicyInputList is simulated *together with* the policies already attached
    # to the principal, so this tests the draft in context, not stand alone
    # (use simulate_custom_policy for the stand-alone test).
    simulationdict = client.simulate_principal_policy(
        PolicySourceArn=principal, ActionNames=actionstocheck,
        PolicyInputList=[policy])
    for evalresult in simulationdict['EvaluationResults']:
        if evalresult['EvalDecision'] == 'allowed':
            print('Found an allowed action, your policy needs work! {0} can call {1}'.format(
                principal, evalresult['EvalActionName']))
            needswork = True
sys.exit(1 if needswork else 0)
IAM policy simulation: Example
The simulation reports allowed actions because the AdministratorAccess managed policy is also attached to these principals. The draft's Allow + NotAction grants nothing for IAM, CloudTrail or WorkSpaces, but it also denies nothing, so the Allow in the other attached policy wins.
IAM policy simulation: Revised policy
{
  "Version": "2012-10-17",
  "Statement": [
    { "Action": "*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [ "iam:*", "cloudtrail:*", "workspaces:*" ],
      "Effect": "Deny",
      "Resource": "*"
    } ]
}
Real time IAM monitoring and remediation: AWS Config
Does my policy (still) result in the effective permissions I intended?
AWS Config: Quick introduction
AWS Config is a service that enables
you to assess, audit, and evaluate the
configurations of your AWS resources.
“Flight data recorder for AWS”
AWS Config Rules are rules that check
those configurations to determine
compliance status.
“Your micro-checker army”
IAM monitoring and remediation: Use cases
• “Regression testing” for IAM policies:
– Situation: Over time, the number of automated systems and human IAM
administrators often increases.
– Challenge: Need a mechanism to ensure that the intent of a given policy is still being
met within the context of other ongoing IAM policy changes.
• Lots of others:
– Review another today (no spoilers!)
– Even more: SEC311 – How to Automate Policy Validation (Re:Invent 2016)
http://bit.ly/2EGwbAU
IAM monitoring and remediation: Solution
AWS Config (event notifications of IAM changes) -> AWS Lambda (executes the policy simulation checks; same code as the simulate example) -> Amazon SNS (notifications of findings; remediation human or fully automated).
IAM monitoring and remediation: example
Initially, all is well. Then, an authorized IAM admin attaches a new policy to user peter… and AWS Config responds: the rule re-runs the simulation and reports the finding.
Policy tuning: Harvesting unused permissions
Working towards least privilege by iterative removal of unused permissions
Does my policy enforce the principle of least privilege?
[Slide image: "Perfection" at one end, "Operational Reality" at the other; least privilege is approached iteratively from the latter towards the former.]
Iterating towards perfection
• Start with a close (but likely not perfect) starting point:
– Custom, with a specific intent.
– Standard, from a selection of pre-crafted policies.
– Bounded, with guardrails to make sure we maintain security and compliance.
• Iterate, approach #1: Netflix Aardvark & Repokid
– Deploy policy, run in prod for a period of time (90 days by default).
– Analyze permissions using IAM Access Advisor data (Aardvark collects it).
– "Repo" (remove) the unused permissions from the role's policies (Repokid).
• Iterate, approach #2: Mining CloudTrail
– Deploy policy, run in dev/test for a period of time.
– Mine CloudTrail events (userIdentity.arn, eventSource, eventName).
– Revise policy in dev/test based on the events actually called.
– Deploy policy to prod.
Iterating towards perfection: Netflix OSS
http://bit.ly/2EiWr0R
Netflix Aardvark & Repokid
Iterating towards perfection: Mining CloudTrail (mapper)
#!/usr/bin/env python
# Hadoop streaming mapper: each input line is one CloudTrail log file (a JSON
# document with a "Records" list); emits "<principal arn>\t<eventSource>\t<eventName>".
import json, sys

for line in sys.stdin:
    line = line.strip()
    if not line:
        continue
    user_data = json.loads(line)
    for record in user_data['Records']:
        region = record.get('awsRegion', 'region_not_found')   # available if you want per-region output
        if ('userIdentity' in record) and ('arn' in record['userIdentity']):
            arn = record['userIdentity']['arn']
            # Transform assumed-role session ARNs (arn:aws:sts::<acct>:assumed-role/<role>/<session>)
            # into the role ARN so every session of a role aggregates under one key
            if ':assumed-role/' in arn:
                arnnorolesession = arn.split('/')[0] + '/' + arn.split('/')[1]
                arn = arnnorolesession.replace(':assumed-role/', ':role/', 1)
                arn = arn.replace('arn:aws:sts:', 'arn:aws:iam:', 1)   # STS session ARN -> IAM role ARN
        else:
            arn = 'arn_not_found'
        eventsrc = record.get('eventSource', 'eventsrc_not_found')
        eventname = record.get('eventName', 'eventname_not_found')
        # Exactly three tab-separated fields, no trailing tab: the reducer splits on '\t'
        # and skips any line that does not have three fields
        print('{0}\t{1}\t{2}'.format(arn, eventsrc, eventname))
This is a start,
not a solution!
Iterating towards perfection: Mining CloudTrail (reducer)
#!/usr/bin/env python
# Hadoop streaming reducer: de-duplicates (principal, eventSource:eventName)
# pairs from the mapper and emits one "arn,eventSource:eventName" line per pair.
import sys

callsperprincipal = dict()   # arn -> set of 'eventSource:eventName'
for line in sys.stdin:
    try:
        (arn, eventsrc, eventname) = line.strip().split("\t")
    except ValueError:
        continue   # malformed or empty line: wrong number of tab-separated fields
    eventcomposite = eventsrc + ':' + eventname
    # A set makes "have I already registered this event for this arn?" a constant-time check
    callsperprincipal.setdefault(arn, set()).add(eventcomposite)
for arn in sorted(callsperprincipal):
    for eventcomposite in sorted(callsperprincipal[arn]):
        print('{0},{1}'.format(arn, eventcomposite))
Iterating towards perfection: Mining CloudTrail (steps file)
EMR step definition for the Hadoop streaming job (the -files value is a single comma separated string):
[
  {
    "Type": "STREAMING",
    "Name": "Streaming Program",
    "ActionOnFailure": "CONTINUE",
    "Args": [
      "-files",
      "s3://<bucket>/Streaming/cloudtraileventsbyprincipalmapper.py,s3://<bucket>/Streaming/cloudtraileventsbyprincipalreducer.py",
      "-mapper",
      "cloudtraileventsbyprincipalmapper.py",
      "-reducer",
      "cloudtraileventsbyprincipalreducer.py",
      "-input",
      "s3://<bucket>/AWSLogs/123456789012/CloudTrail/us-west-2/2018/02/",
      "-output",
      "s3://<bucket>/Streaming/TmpOutputX"
    ]
  }
]
Iterating towards perfection: Mining CloudTrail (results)
arn:aws:iam::123456789012:user/michael,dynamodb.amazonaws.com:DescribeGlobalTable
arn:aws:iam::123456789012:user/michael,monitoring.amazonaws.com:DescribeAlarms
arn:aws:iam::123456789012:user/michael,dynamodb.amazonaws.com:DescribeTable
arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:ListFunctions20150331
arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:GetFunction20150331v2
arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:GetPolicy20150331v2
arn:aws:iam::123456789012:user/michael,logs.amazonaws.com:DescribeMetricFilters
arn:aws:iam::123456789012:user/michael,dynamodb.amazonaws.com:ListTables
arn:aws:iam::123456789012:user/michael,autoscaling.amazonaws.com:DescribeScalableTargets
arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:ListEventSourceMappings20150331
arn:aws:iam::123456789012:user/michael,sns.amazonaws.com:ListTopics
arn:aws:iam::123456789012:user/michael,apigateway.amazonaws.com:GetResources
arn:aws:iam::123456789012:user/michael,kms.amazonaws.com:Decrypt
arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:ListAliases20150331
arn:aws:iam::123456789012:user/michael,kms.amazonaws.com:ListAliases
arn:aws:iam::123456789012:user/michael,cloudformation.amazonaws.com:DescribeStackResources
arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:ListTags20170331
arn:aws:iam::123456789012:user/michael,sns.amazonaws.com:ListSubscriptions
arn:aws:iam::123456789012:user/michael,apigateway.amazonaws.com:GetStages
arn:aws:iam::123456789012:user/michael,apigateway.amazonaws.com:GetRestApi
arn:aws:iam::123456789012:user/michael,dynamodb.amazonaws.com:DescribeReservedCapacity
arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:ListVersionsByFunction20150331
arn:aws:iam::123456789012:user/michael,autoscaling.amazonaws.com:DescribeScalingPolicies
arn:aws:iam::123456789012:user/michael,autoscaling.amazonaws.com:DescribePolicies
arn:aws:iam::123456789012:user/michael,ec2.amazonaws.com:DescribeVpcs
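The reducer output above is still CloudTrail vocabulary, not IAM vocabulary: eventSource host names do not always equal the IAM service prefix (monitoring.amazonaws.com is the cloudwatch prefix) and some services log an API version in eventName (ListFunctions20150331, GetFunction20150331v2). The script below, added here as an example and not part of the talk, turns those "arn,eventSource:eventName" lines into a first-cut policy per principal. The eventSource-to-prefix table and the version-suffix regex are this example's own assumptions and will need extending for real data; the sample lines are a constructed subset of the results above.

```python
#!/usr/bin/env python3
"""Turn reducer output (arn,eventSource:eventName) into a draft IAM policy per principal.

Added example, not from the talk. The mapping table and suffix handling are
assumptions; extend them as your own CloudTrail data demands.
"""
import json
import re
from collections import defaultdict

# CloudTrail eventSource host names do not always equal the IAM service prefix.
# Illustrative table only (assumed); add entries as you meet them.
EVENTSOURCE_TO_PREFIX = {
    "monitoring.amazonaws.com": "cloudwatch",
}

# Lambda (among others) logs the API version in eventName, e.g. ListFunctions20150331
# or GetFunction20150331v2; IAM action names carry no such suffix.
VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")


def to_iam_action(eventsrc: str, eventname: str) -> str:
    """Map ('lambda.amazonaws.com', 'GetFunction20150331v2') -> 'lambda:GetFunction'."""
    prefix = EVENTSOURCE_TO_PREFIX.get(eventsrc, eventsrc.split(".", 1)[0])
    return f"{prefix}:{VERSION_SUFFIX.sub('', eventname)}"


def parse_reducer_output(lines):
    """Yield (principal_arn, iam_action) from 'arn,eventSource:eventName' lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        arn, composite = line.rsplit(",", 1)        # ARNs never contain commas
        eventsrc, eventname = composite.split(":", 1)
        yield arn, to_iam_action(eventsrc, eventname)


def build_policies(lines):
    """One policy document per principal listing only the actions actually observed.
    Resource stays "*": CloudTrail mining tells you which actions were used, not
    (reliably) which resources, so scoping Resource is the next, manual step."""
    actions = defaultdict(set)
    for arn, action in parse_reducer_output(lines):
        actions[arn].add(action)
    return {
        arn: {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(acts), "Resource": "*"}],
        }
        for arn, acts in actions.items()
    }


# Constructed sample: a subset of the reducer output shown above.
SAMPLE = """\
arn:aws:iam::123456789012:user/michael,monitoring.amazonaws.com:DescribeAlarms
arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:ListFunctions20150331
arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:GetFunction20150331v2
arn:aws:iam::123456789012:user/michael,kms.amazonaws.com:Decrypt
arn:aws:iam::123456789012:user/michael,ec2.amazonaws.com:DescribeVpcs
"""

if __name__ == "__main__":
    for arn, doc in build_policies(SAMPLE.splitlines()).items():
        print(arn)
        print(json.dumps(doc, indent=2))
```

Two caveats a practitioner should keep in mind: a period of mining only proves which actions were called, not which were needed (a one-off kms:Decrypt during a migration still ends up in the draft), and data-plane calls that CloudTrail does not record by default (S3 object and Lambda invoke events) will be missing unless data events are enabled, so a policy built purely from management events can be too tight.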
Policy guardrails: Master blacklist policies
How can I prevent an administrative error from becoming a security incident?
Quick AWS policy enforcement primer
1. Decision starts at Deny.
2. Evaluate all applicable policies.
3. Is there an explicit Deny? Yes: final decision = "Deny" (explicit Deny).
4. No explicit Deny. Is there an Allow? Yes: final decision = "Allow".
5. No Allow either: final decision = "Deny" (default Deny).
• AWS retrieves all policies associated with the user and resource.
• Only policies that match the action and conditions are evaluated.
• If a policy statement has a Deny, it trumps all other policy statements.
• Access is granted if there is an explicit Allow and no Deny.
• By default, an implicit (default) Deny is returned.
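A local re-implementation of the five steps above, added here as an example and not part of the talk. It evaluates the DevOps draft policy and the revised policy from the simulator section next to the AdministratorAccess managed policy that was also attached, and shows the draft leaking precisely because Allow + NotAction never produces a Deny, while the revised policy's explicit Deny wins in step 3. It handles Action/NotAction wildcards and Effect only (no Resource, Condition, SCP or resource-policy layers), so it is a unit-test aid, not a substitute for iam:SimulatePrincipalPolicy. The DRAFT, REVISED and INTENT values are copied from the slides; the function names are this example's own.

```python
#!/usr/bin/env python3
"""Minimal model of the IAM evaluation order (added example, not the talk's code
and not the IAM service's own logic): Action/NotAction + Effect only."""
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(statement, action):
    """True if the statement applies to this action (case-insensitive wildcard match).
    NotAction applies to every action *except* the listed ones."""
    action = action.lower()
    if "Action" in statement:
        return any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(fnmatch.fnmatchcase(action, p.lower()) for p in _as_list(statement["NotAction"]))
    return False

def evaluate(policies, action):
    """Steps 1-5 of the primer: start at deny, collect matching statements,
    explicit Deny wins, else Allow if any matching Allow, else implicit deny."""
    decision = "implicitDeny"                    # 1. decision starts at Deny
    for policy in policies:                      # 2. evaluate all applicable policies
        for stmt in _as_list(policy["Statement"]):
            if not statement_matches(stmt, action):
                continue
            if stmt["Effect"] == "Deny":         # 3. explicit Deny trumps everything
                return "explicitDeny"
            decision = "allowed"                 # 4. an Allow (unless a Deny shows up later)
    return decision                              # 5. default Deny if nothing allowed

def unexpected_allows(policies, must_be_denied):
    """Unit test in the talk's sense: which of the actions the author intended to
    block are still allowed by the effective permissions. Empty == matches intent."""
    return [a for a in must_be_denied if evaluate(policies, a) == "allowed"]

# The draft and revised policies from the simulator example, plus the
# AdministratorAccess managed policy that was also attached to the principal.
DRAFT = {"Version": "2012-10-17", "Statement": [
    {"NotAction": ["iam:*", "cloudtrail:*", "workspaces:*"], "Effect": "Allow", "Resource": "*"}]}
REVISED = {"Version": "2012-10-17", "Statement": [
    {"Action": "*", "Effect": "Allow", "Resource": "*"},
    {"Action": ["iam:*", "cloudtrail:*", "workspaces:*"], "Effect": "Deny", "Resource": "*"}]}
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Codified intent: actions the DevOps group must never be able to call.
INTENT = ["iam:AddRoleToInstanceProfile", "cloudtrail:StopLogging", "workspaces:TerminateWorkspaces"]

if __name__ == "__main__":
    print("draft alone:                  ", unexpected_allows([DRAFT], INTENT))
    print("draft + AdministratorAccess:  ", unexpected_allows([DRAFT, ADMINISTRATOR_ACCESS], INTENT))
    print("revised + AdministratorAccess:", unexpected_allows([REVISED, ADMINISTRATOR_ACCESS], INTENT))
```

Run stand alone, the draft passes on its own and fails as soon as AdministratorAccess is in the mix, while the revised policy passes in both cases. The same unexpected_allows() check, with the master blacklist's actions as must_be_denied, is the "policy simulation – blacklist test" stage of the pipeline section later in the deck.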
Policy guardrails: Use cases
• Defense in depth for central IAM administration:
– Situation: Most IAM policies are written as whitelists (explicit allows, implicit denies).
– Challenge: Implicit denies can be superseded by an explicit allow in a different
attached policy.
• IAM administration delegation:
– Situation: Certain governance scenarios require delegation of IAM administration
duties to downstream entities without compromising security or compliance.
– Challenge: AWS IAM works on an all or nothing model: at the time of this talk there was no
built-in way to bound what a delegated IAM administrator could grant (permissions boundaries came later).
Policy guardrails: Solution
Step 1: Create master blacklist policy.
Step 2: Create blacklist attachment function (AWS Lambda).
Step 3: Create new AWS Config rule, invoked on changes to roles, users, groups and policies.
Flow: change to an IAM principal -> AWS Config event fires within seconds -> function invoked -> blacklist policy attached to the IAM principal. Its explicit deny always trumps.
Policy guardrails: Solution
• Solution fundamentals:
– Event fires within seconds.
– Explicit deny trumps any allow in any other policy.
• Additional details:
– Blacklist must contain denies to protect the attachment mechanism itself.
– Lambda function execution role should be limited to attaching the blacklist.
– A list of excluded IAM principals can be stored as a Lambda parameter.
– Enforce good process around Lambda code deployment.
• Also consider:
– Time based analysis of iam:ListEntitiesForPolicy.
– External check (canary) to monitor operation of attachment mechanism.
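The attachment function, added here as an example and not the talk's code. It shows the three details the slide calls out: the blacklist carries denies that protect the attachment mechanism itself, the Lambda does nothing but attach that one policy, and the excluded principals come from the function's environment. The event shape is AWS Config's ConfigurationItemChangeNotification (invokingEvent arrives as a JSON string). The policy ARN, function ARN, the deny lists and the excluded principals are assumed, illustrative values.

```python
#!/usr/bin/env python3
"""Blacklist attachment function (added example, not from the talk)."""
import json
import os

BLACKLIST_POLICY_ARN = os.environ.get(  # assumed value
    "BLACKLIST_POLICY_ARN", "arn:aws:iam::123456789012:policy/MasterBlacklist")
ATTACH_FUNCTION_ARN = os.environ.get(   # assumed value
    "ATTACH_FUNCTION_ARN", "arn:aws:lambda:us-west-2:123456789012:function:AttachBlacklist")
# Principals that must not receive the blacklist (e.g. a break-glass role), comma separated.
EXCLUDED_PRINCIPALS = set(filter(None, os.environ.get("EXCLUDED_PRINCIPALS", "").split(",")))

def master_blacklist_document(policy_arn=BLACKLIST_POLICY_ARN, function_arn=ATTACH_FUNCTION_ARN):
    """The blacklist itself. OrgWideDenies is the real deny list (illustrative
    here). The other statements protect the guardrail: nobody can detach the
    blacklist (Detach* actions take the principal as Resource, so the policy is
    pinned with the iam:PolicyARN condition key), rewrite or delete it, or
    change the function that attaches it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OrgWideDenies", "Effect": "Deny",
             "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                        "config:StopConfigurationRecorder"],
             "Resource": "*"},
            {"Sid": "ProtectBlacklistAttachment", "Effect": "Deny",
             "Action": ["iam:DetachUserPolicy", "iam:DetachRolePolicy", "iam:DetachGroupPolicy"],
             "Resource": "*",
             "Condition": {"ArnEquals": {"iam:PolicyARN": policy_arn}}},
            {"Sid": "ProtectBlacklistDocument", "Effect": "Deny",
             "Action": ["iam:DeletePolicy", "iam:DeletePolicyVersion",
                        "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"],
             "Resource": policy_arn},
            {"Sid": "ProtectAttachFunction", "Effect": "Deny",
             "Action": ["lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration",
                        "lambda:DeleteFunction", "lambda:RemovePermission"],
             "Resource": function_arn},
        ],
    }

# Config resourceType -> (boto3 IAM method, keyword naming the principal)
ATTACH_CALL = {
    "AWS::IAM::User": ("attach_user_policy", "UserName"),
    "AWS::IAM::Role": ("attach_role_policy", "RoleName"),
    "AWS::IAM::Group": ("attach_group_policy", "GroupName"),
}

def principal_from_config_event(event):
    """Return (resourceType, name, arn) of the changed IAM principal, or None when
    the event is not about a live user/role/group (e.g. a policy, or a deletion)."""
    invoking = event["invokingEvent"]
    msg = json.loads(invoking) if isinstance(invoking, str) else invoking
    item = msg.get("configurationItem") or {}
    rtype = item.get("resourceType")
    if rtype not in ATTACH_CALL or item.get("configurationItemStatus") == "ResourceDeleted":
        return None
    return rtype, item["resourceName"], item["ARN"]

def handler(event, context=None, iam=None):
    """Lambda entry point. `iam` is injectable for tests; in production the
    execution role behind it should be allowed nothing beyond iam:Attach*Policy."""
    found = principal_from_config_event(event)
    if found is None:
        return {"action": "ignored"}
    rtype, name, arn = found
    if arn in EXCLUDED_PRINCIPALS:
        return {"action": "excluded", "principal": arn}
    if iam is None:
        import boto3
        iam = boto3.client("iam")
    method, key = ATTACH_CALL[rtype]
    # Attaching an already attached managed policy is a no-op, so re-runs are safe.
    getattr(iam, method)(**{key: name, "PolicyArn": BLACKLIST_POLICY_ARN})
    return {"action": "attached", "principal": arn, "policy": BLACKLIST_POLICY_ARN}
```

Two failure modes worth the canary the slide mentions: the attach call fails when the principal already has its quota of managed policies, and a principal created and used within the seconds before the Config event fires is briefly unguarded, which is why the blacklist is defence in depth rather than the only control.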
Pipeline Deployments: IAM meets CI/CD
If infrastructure is code, why can’t identity and access be code too?
Pipeline deployments: IAM meets CI/CD
• Observation:
– Over time, policy authoring maturity improves.
– However, policy deployment maturity sometimes plateaus.
• Deployment via CI/CD toolchain:
– IAM policies and principals expressed as code.
– Use AWS Code* (or toolchain of your choice).
– Execute any number of automated or human checks before deployment.
– Process rigor enforced by toolchain.
• Several possible models:
– Central team deploying standardized roles (for humans).
– Distributed app teams submitting to centralized toolchain (for execution roles).
– Distributed app teams deploying via distributed toolchains (adjacent to code).
Pipeline deployments: IAM meets CI/CD
Variant 1: Build-centric: clone repo -> commit changes -> build triggered -> automated tests -> human approvals -> on pass, deploy.
Variant 2: Source-centric: fork repo -> commit changes -> pull request -> automated tests -> human approvals -> on pass, merge -> deploy.
Pipeline deployments: IAM meets CI/CD
• Choose variant based on:
– Experience/comfort with toolchain components.
– Model you’re trying to implement.
• Tests to consider:
– Static inspection (e.g. cfn_nag)
– Policy simulation – unit test
– Policy simulation – blacklist test
– Human review/approval
• Objectives:
– Reject bad submissions before human inspection.
– Over time, increase what can be deployed without human inspection at all.
• Remember security of the pipeline (holds powerful IAM privileges)
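A static inspection stage of the kind listed above, added here as an example; it is not the talk's code and not cfn_nag. It rejects the submissions a human should never have to look at (the Allow + NotAction pattern from the simulator section, full admin, unconditional iam:PassRole on every role) and returns a pass/fail a pipeline can act on. The rules and severities are this example's own choices; input is a plain IAM policy document, so for CloudFormation templates extract the PolicyDocument first.

```python
#!/usr/bin/env python3
"""Pipeline gate: static checks on an IAM policy document (added example)."""
import fnmatch
import json

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_policy(doc):
    """Return a list of (severity, sid_or_index, message). Empty list == pass."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append(("HIGH", "-", "missing or old Version; policy variables and conditions may not work"))
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        sid = stmt.get("Sid", f"#{idx}")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow":
            continue   # Deny statements only narrow permissions
        if "NotAction" in stmt:
            findings.append(("HIGH", sid, "Allow + NotAction grants everything else and denies nothing; "
                                          "put the exclusions in an explicit Deny"))
        if "NotResource" in stmt:
            findings.append(("MEDIUM", sid, "Allow + NotResource: audit what 'everything else' covers"))
        if "*" in actions and "*" in resources:
            findings.append(("HIGH", sid, "Action * on Resource *: full admin"))
        if (any(fnmatch.fnmatchcase("iam:passrole", a) for a in actions)
                and "*" in resources and "Condition" not in stmt):
            findings.append(("HIGH", sid, "iam:PassRole on Resource * lets the principal hand any role "
                                          "to a service (privilege escalation)"))
        for a in actions:
            if a.endswith(":*") and "*" in resources:
                findings.append(("MEDIUM", sid, f"service-wide wildcard {a} on Resource *"))
        if "*" in resources and "Condition" not in stmt and "*" not in actions:
            findings.append(("LOW", sid, "Resource * without a Condition; consider scoping"))
    return findings

def gate(doc, fail_on=("HIGH",)):
    """True if the policy may proceed to the next pipeline stage."""
    return not any(sev in fail_on for sev, _, _ in lint_policy(doc))

# Constructed sample: the DevOps draft from the simulator section.
DRAFT = {"Version": "2012-10-17", "Statement": [
    {"NotAction": ["iam:*", "cloudtrail:*", "workspaces:*"], "Effect": "Allow", "Resource": "*"}]}

if __name__ == "__main__":
    import sys
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else DRAFT
    for sev, sid, msg in lint_policy(doc):
        print(f"[{sev}] {sid}: {msg}")
    sys.exit(0 if gate(doc) else 1)
```

Static rules like these are cheap and run before any AWS call, but they only see the submitted document; what the policy means next to everything already attached to the principal is the simulator's job, which is why the slide lists both stages.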
Immutable Infrastructure: AWS Organizations
How can I freeze long lived resources (e.g. VPCs)?
What is AWS Organizations?
Create account hierarchy and apply policies
[Slide diagram: Root with Development, Test and Production OUs holding accounts A1 to A9; SCPs are attached at the OU level.]
Service Control Policies (SCPs) use the same policy language, but (at the time of this talk) only specify Actions; Resource and Condition support in SCPs came later.
SCPs are necessary but not sufficient: a principal's effective permissions are the intersection of what the SCP allows and what its IAM policies allow.
[Slide diagram: SCP allows and IAM allows are intersected; only EC2:*, allowed on both sides, is an effective permission, while S3:* and SQS:*, allowed on one side only, are not.]
Immutable Infrastructure: Use cases
• Delegated administration:
– Situation: Central team responsible for basic account setup and security baseline,
downstream teams responsible for all other account management.
– Challenge: Need to ensure that security baseline can’t be modified by anyone other
than the central team.
Immutable Infrastructure: Solution
Step 1: Create "Setup" OU and "ImmutableInfra" SCP
[Slide diagram: Root with Setup, Test and Production OUs; accounts A1 to A8 sit in Test and Production, Setup is empty. The ImmutableInfra SCP is attached to the OUs the accounts will live in, not to Setup.]
Immutable Infrastructure: Example SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:AttachInternetGateway",
        "ec2:CreateInternetGateway",
        "ec2:DeleteSubnet",
        <snip>
      ],
      "Resource": "*"
    }
  ]
}
Include mutating actions for all resource types you wish to be immutable.
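A generator and sanity check for an SCP of this shape, added here as an example and not from the talk. The per-resource-type action lists are this example's own (real EC2 API names, but illustrative and not exhaustive); the point is the structure, one Allow * plus a Deny list that has to cover every mutating verb (Create/Delete/Attach/Detach/Modify/Replace/Associate) for each frozen type, and a regression check that tells you which actions you expected to be frozen but forgot to list.

```python
#!/usr/bin/env python3
"""Build and check an ImmutableInfra-style SCP (added example, not the talk's code)."""
import fnmatch
import json

# Assumed, illustrative mapping of frozen resource type -> mutating actions.
# Extend per resource type you want frozen; this is not a complete list.
MUTATING_ACTIONS = {
    "vpc": ["ec2:DeleteVpc", "ec2:ModifyVpcAttribute", "ec2:CreateVpcPeeringConnection",
            "ec2:AcceptVpcPeeringConnection", "ec2:DeleteVpcPeeringConnection"],
    "subnet": ["ec2:CreateSubnet", "ec2:DeleteSubnet", "ec2:ModifySubnetAttribute"],
    "internet-gateway": ["ec2:CreateInternetGateway", "ec2:DeleteInternetGateway",
                         "ec2:AttachInternetGateway", "ec2:DetachInternetGateway"],
    "route-table": ["ec2:CreateRouteTable", "ec2:DeleteRouteTable", "ec2:CreateRoute",
                    "ec2:DeleteRoute", "ec2:ReplaceRoute", "ec2:AssociateRouteTable",
                    "ec2:DisassociateRouteTable", "ec2:ReplaceRouteTableAssociation"],
    "nat-gateway": ["ec2:CreateNatGateway", "ec2:DeleteNatGateway"],
}

def build_immutable_infra_scp(resource_types):
    """SCP with the structure shown above: allow everything, then deny the
    mutating actions for the requested resource types."""
    denied = sorted({a for t in resource_types for a in MUTATING_ACTIONS[t]})
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": denied, "Resource": "*"},
    ]}

def scp_blocks(scp, action):
    """True if the SCP stops this action for every principal in the OU, whatever
    their IAM policies say: a Deny in an SCP cannot be overridden by an Allow anywhere."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False

def uncovered(scp, expected_blocked):
    """Regression check: mutating actions you expect to be frozen that the
    deny list does not mention."""
    return [a for a in expected_blocked if not scp_blocks(scp, a)]

if __name__ == "__main__":
    scp = build_immutable_infra_scp(["vpc", "subnet", "internet-gateway", "route-table"])
    print(json.dumps(scp, indent=2))
    print("gaps:", uncovered(scp, ["ec2:DeleteSubnet", "ec2:ReplaceRoute", "ec2:CreateNatGateway"]))
```

Two things the SCP itself cannot cover: it never applies to the organization's master (management) account, and anyone who can move the account back into the Setup OU switches it off, so organizations:MoveAccount in the master account needs the same care as the SCP.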
Immutable Infrastructure: Solution
Step 2: Provision new account (A9), place in Setup OU
[Slide diagram: the new account sits in the Setup OU, where the ImmutableInfra SCP does not apply.]
Immutable Infrastructure: Solution
Step 3: Build desired long lived infrastructure (central team, while the account is still in the Setup OU)
Immutable Infrastructure: Solution
Step 4: Move new account to proper OU (SCP now applies)
[Slide diagram: account A9 now sits under Test or Production, where the ImmutableInfra SCP is attached.]
Immutable Infrastructure: Solution
Result: Infrastructure usable, but immutable. The denied mutating actions are blocked for everyone in the account: the central team, the downstream team and even the account's root user (SCPs apply to the root user of a member account).
Honorable mentions
• Policy tokenizing: Generic policies, environment specific deployments.
• Microsegmentation: Thousands of AWS accounts.
• Scoped access: The return of the token vending machine.
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...
 
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
 
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
 
Using AWS Management Tools to Enable Governance, Compliance, Operational, and...
Using AWS Management Tools to Enable Governance, Compliance, Operational, and...Using AWS Management Tools to Enable Governance, Compliance, Operational, and...
Using AWS Management Tools to Enable Governance, Compliance, Operational, and...
 
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
 
MAE401_Designing for DisneyMarvel Studio-Grade Security
MAE401_Designing for DisneyMarvel Studio-Grade SecurityMAE401_Designing for DisneyMarvel Studio-Grade Security
MAE401_Designing for DisneyMarvel Studio-Grade Security
 
Enabling Governance, Compliance, and Operational and Risk Auditing with AWS M...
Enabling Governance, Compliance, and Operational and Risk Auditing with AWS M...Enabling Governance, Compliance, and Operational and Risk Auditing with AWS M...
Enabling Governance, Compliance, and Operational and Risk Auditing with AWS M...
 
Getting started with AWS
Getting started with AWSGetting started with AWS
Getting started with AWS
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Deep dive - AWS security by design
Deep dive - AWS security by designDeep dive - AWS security by design
Deep dive - AWS security by design
 
Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017
 
Introduction to the Security Perspective of the Cloud Adoption Framework
Introduction to the Security Perspective of the Cloud Adoption FrameworkIntroduction to the Security Perspective of the Cloud Adoption Framework
Introduction to the Security Perspective of the Cloud Adoption Framework
 
Managing Microsoft Workloads on AWS.pdf
Managing Microsoft Workloads on AWS.pdfManaging Microsoft Workloads on AWS.pdf
Managing Microsoft Workloads on AWS.pdf
 
Getting Started with AWS
Getting Started with AWSGetting Started with AWS
Getting Started with AWS
 
GPSTEC310_IAM Best Practices and Becoming an IAM Ninja
GPSTEC310_IAM Best Practices and Becoming an IAM NinjaGPSTEC310_IAM Best Practices and Becoming an IAM Ninja
GPSTEC310_IAM Best Practices and Becoming an IAM Ninja
 
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
 
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 

Mehr von Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Mehr von Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers That You Can Use Today

  • 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
    Pop-up Loft
    The 1%: Identity and Governance patterns from the most advanced AWS customers that you can use today
    Quint Van Deman, Global Business Development Manager, Identity & Directory Services
  • 2. Motivations
    Typically, energy is focused on getting off the starting line. Today, we set a new yardstick for the future.
    Image: By tableatny (BXP135660) [CC BY 2.0 (http://creativecommons.org/licenses/by/2.0)], via Wikimedia Commons; Attribution-NonCommercial-ShareAlike 2.0 Generic (CC BY-NC-SA 2.0)
  • 3. Agenda
    • Advanced policy authoring / development:
      – Policy unit testing: IAM policy simulator.
      – Real time IAM monitoring and remediation: AWS Config.
      – Policy tuning: Harvesting unused permissions.
    • Advanced IAM deployment / management:
      – Policy guardrails: Master blacklist policies.
      – Pipeline deployments: Bringing CI/CD methods to IAM management.
    • Advanced access management:
      – Immutable infrastructure: AWS Organizations.
    • Honorable mentions (if time permits):
      – Policy tokenizing: Generic policies, environment-specific deployments.
      – Microsegmentation: Thousands of AWS accounts.
      – Scoped access: The return of the token vending machine.
    • Q & A
  • 4. Policy unit testing: IAM policy simulator
    Does my policy result in the effective permissions I intended?
  • 5. Does my result match my intent?
    • Of course it does, why wouldn't it?
      – Multiple policy layer mistakes: Organizations SCPs, managed & inline IAM policies, scope-down policies, and resource policies (e.g. bucket policies).
      – Policy semantic rationalization mistakes: Explicit vs. implicit allows/denies, inclusion vs. exclusion.
    • Be sure with the API-driven IAM policy simulator:
      – Codify your intent as a companion artifact to your policy.
      – Test your policy stand-alone and in context with existing policies.
      – Prevent mistakes before deployment, regression test after deployment.
      – IAM:SimulateCustomPolicy, IAM:SimulatePrincipalPolicy
  • 6. IAM policy simulation: Example
    Intent: "I want to create a policy for my advanced DevOps group that allows broad AWS access, except for IAM and AWS CloudTrail. Because this is the production web account, they should also not have access to Amazon WorkSpaces."
    Drafted Policy:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "NotAction": [
              "iam:*",
              "cloudtrail:*",
              "workspaces:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
      }
  • 7. IAM policy simulation: Example
      #!/usr/bin/python
      # Argument parsing and the IAM client were assumed by the slide; they are spelled out here.
      import argparse
      import boto3

      parser = argparse.ArgumentParser(description='Simulate a drafted policy against existing principals.')
      parser.add_argument('--policy', required=True, help='path to the drafted policy JSON')
      args = parser.parse_args()
      client = boto3.client('iam')

      principalstocheck = [
          'arn:aws:iam::123456789012:user/milton',
          'arn:aws:iam::123456789012:user/peter'
      ]
      # The codified intent: none of these actions may be allowed.
      actionstocheck = [
          'iam:AddRoleToInstanceProfile',
          # <snip>
          'cloudtrail:StopLogging',
          # <snip>
          'workspaces:TerminateWorkspaces'
      ]
      with open(args.policy) as policy_file:
          policy = policy_file.read()
      for principal in principalstocheck:
          # Simulate the drafted policy together with everything already attached to the principal.
          simulationdict = client.simulate_principal_policy(
              PolicySourceArn=principal, ActionNames=actionstocheck,
              PolicyInputList=[policy])
          evalresults = simulationdict['EvaluationResults']
          for evalresult in evalresults:
              evaldecision = evalresult['EvalDecision']
              if evaldecision == 'allowed':
                  print('Found an allowed action ({0} for {1}), your policy needs work!'.format(
                      evalresult['EvalActionName'], principal))
  • 8. IAM policy simulation: Example
    Managed policy for AdministratorAccess is also attached.
  • 9. IAM policy simulation: Example
    Revised Policy:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*"
          },
          {
            "Action": [
              "iam:*",
              "cloudtrail:*",
              "workspaces:*"
            ],
            "Effect": "Deny",
            "Resource": "*"
          }
        ]
      }
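The simulator call on slide 7 needs live credentials, so the following added example (not code from the deck) reproduces the decision it returns locally, using the evaluation order the deck describes in its enforcement primer on slide 25: start at deny, an explicit deny wins, otherwise an explicit allow wins. It runs the slide-6 intent as a unit test against the drafted policy alone, against the drafted policy plus a stand-in for the AdministratorAccess managed policy (slide 8), and against the revised policy of slide 9. The `ACTIONS_THAT_MUST_BE_ALLOWED` list and the reduced AdministratorAccess document are this example's assumptions.

```python
"""Offline stand-in for iam:SimulatePrincipalPolicy, written for this page.

Evaluation order (deck slide 25): default deny -> any explicit Deny wins ->
otherwise an explicit Allow wins.  Decisions use the same vocabulary as the
API's EvalDecision: 'allowed', 'explicitDeny', 'implicitDeny'.
"""
import fnmatch

# Intent from slide 6, codified as a companion artifact to the policy.
ACTIONS_THAT_MUST_BE_DENIED = [
    "iam:AddRoleToInstanceProfile",
    "cloudtrail:StopLogging",
    "workspaces:TerminateWorkspaces",
]
# Assumed for the example: "broad AWS access" must still work.
ACTIONS_THAT_MUST_BE_ALLOWED = ["ec2:RunInstances", "s3:GetObject"]

DRAFTED_POLICY = {  # slide 6
    "Version": "2012-10-17",
    "Statement": [{"NotAction": ["iam:*", "cloudtrail:*", "workspaces:*"],
                   "Effect": "Allow", "Resource": "*"}],
}
REVISED_POLICY = {  # slide 9
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "*", "Effect": "Allow", "Resource": "*"},
        {"Action": ["iam:*", "cloudtrail:*", "workspaces:*"],
         "Effect": "Deny", "Resource": "*"},
    ],
}
# Reduced stand-in for the AdministratorAccess managed policy (slide 8).
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Action": "*", "Effect": "Allow", "Resource": "*"}],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM matches actions and resources case-insensitively with * and ? wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def statement_applies(stmt, action, resource):
    """Does this statement cover (action, resource)?  NotAction/NotResource invert the match."""
    if "Action" in stmt:
        action_hit = _matches(_as_list(stmt["Action"]), action)
    else:
        action_hit = not _matches(_as_list(stmt.get("NotAction")), action)
    if "Resource" in stmt:
        resource_hit = _matches(_as_list(stmt["Resource"]), resource)
    else:
        resource_hit = not _matches(_as_list(stmt.get("NotResource")), resource)
    return action_hit and resource_hit


def evaluate(policies, action, resource="*"):
    """Combine every applicable statement across all attached policies."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # trumps any Allow anywhere else
            decision = "allowed"
    return decision


def check_intent(policies):
    """The slide-7 unit test: list every action whose decision violates the intent."""
    failures = []
    for action in ACTIONS_THAT_MUST_BE_DENIED:
        if evaluate(policies, action) == "allowed":
            failures.append("%s is allowed but must be denied" % action)
    for action in ACTIONS_THAT_MUST_BE_ALLOWED:
        if evaluate(policies, action) != "allowed":
            failures.append("%s is denied but must be allowed" % action)
    return failures


if __name__ == "__main__":
    for label, attached in [("drafted, stand-alone", [DRAFTED_POLICY]),
                            ("drafted + AdministratorAccess", [DRAFTED_POLICY, ADMINISTRATOR_ACCESS]),
                            ("revised + AdministratorAccess", [REVISED_POLICY, ADMINISTRATOR_ACCESS])]:
        print(label, "->", check_intent(attached) or "intent met")
```

Run stand-alone, the drafted policy passes on its own and fails as soon as AdministratorAccess is attached: a NotAction allow never denies anything, it merely declines to grant, so another policy's allow fills the gap. The revised policy passes because its explicit denies win regardless of what else is attached, which is the property the blacklist guardrail later in the deck relies on.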
  • 10. Real time IAM monitoring and remediation: AWS Config
    Does my policy (still) result in the effective permissions I intended?
  • 11. AWS Config: Quick introduction
    AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. "Flight data recorder for AWS"
    AWS Config Rules are rules that check those configurations to determine compliance status. "Your micro-checker army"
  • 12. IAM monitoring and remediation: Use cases
    • "Regression testing" for IAM policies:
      – Situation: Over time, the number of automated systems and human IAM administrators often increases.
      – Challenge: Need a mechanism to ensure that the intent of a given policy is still being met within the context of other ongoing IAM policy changes.
    • Lots of others:
      – Review another today (no spoilers!)
      – Even more: SEC311 – How to Automate Policy Validation (re:Invent 2016) http://bit.ly/2EGwbAU
  • 13. IAM monitoring and remediation: Solution
    AWS Config: event notifications of IAM changes →
    AWS Lambda: executes policy simulation checks (same code from simulate) →
    Amazon SNS: notifications of findings (human or fully automated)
  • 14. IAM monitoring and remediation: example
  • 15. IAM monitoring and remediation: example
    Initially, all is well. Then, an authorized IAM admin attaches a new policy to user peter… and AWS Config responds.
  • 16. Policy tuning: Harvesting unused permissions
    Working towards least privilege by iterative removal of unused permissions
  • 17. Does my policy enforce the principle of least privilege?
    Perfection vs. Operational Reality
    Image: CC0 Creative Commons (free for commercial use, no attribution required)
  • 18. Iterating towards perfection
    • Start with a close (but likely not perfect) starting point:
      – Custom, with a specific intent.
      – Standard, from a selection of pre-crafted policies.
      – Bounded, with guardrails to make sure we maintain security and compliance.
    • Iterate, approach #1: Netflix Aardvark & Repokid
      – Deploy policy, run in prod for period of time (90 days by default).
      – Analyze permissions using IAM access advisor.
      – "Repo" unused permissions by layering explicit deny.
    • Iterate, approach #2: Mining CloudTrail
      – Deploy policy, run in dev/test for a period of time.
      – Mine CloudTrail events (userPrincipal, eventSource, eventName).
      – Revise policy in dev/test based on actual called events.
      – Deploy policy to prod.
  • 19. Iterating towards perfection: Netflix OSS
    Netflix Aardvark & Repokid: http://bit.ly/2EiWr0R
  • 20. Iterating towards perfection: Mining CloudTrail (mapper)
      #!/usr/bin/python
      import json, sys

      # Hadoop streaming mapper: one CloudTrail log file (JSON) per input line.
      for line in sys.stdin:
          user_data = json.loads(line.strip())
          for record in user_data['Records']:
              if 'awsRegion' in record:
                  region = record['awsRegion']
              else:
                  region = 'region_not_found'
              if ('userIdentity' in record) and ('arn' in record['userIdentity']):
                  arn = record['userIdentity']['arn']
                  # Transform assumed-role arns to make them more logical for this exercise
                  if ':assumed-role/' in arn:
                      arnnorolesession = arn.split('/')[0] + '/' + arn.split('/')[1]
                      arn = arnnorolesession.replace(':assumed-role/', ':role/', 1)
              else:
                  arn = 'arn_not_found'
              if 'eventSource' in record:
                  eventsrc = record['eventSource']
              else:
                  eventsrc = 'eventsrc_not_found'
              if 'eventName' in record:
                  eventname = record['eventName']
              else:
                  eventname = 'eventname_not_found'
              # Tab-separated, so the reducer can split on '\t'
              print('{0}\t{1}\t{2}'.format(arn, eventsrc, eventname))
    This is a start, not a solution!
  • 21. Iterating towards perfection: Mining CloudTrail (reducer)
      #!/usr/bin/python
      import sys

      callsperprincipal = dict()
      for line in sys.stdin:
          try:
              (arn, eventsrc, eventname) = line.strip().split("\t")
              eventcomposite = eventsrc + ':' + eventname
          except ValueError as e:
              # Malformed line (wrong number of fields): skip it
              continue
          if arn in callsperprincipal:
              if eventcomposite in callsperprincipal[arn]:
                  # I have already registered this event for this arn, so nothing to do
                  continue
              else:
                  # I've already seen this arn, but not this event, so append it.
                  callsperprincipal[arn].append(eventcomposite)
          else:
              # This is the first time I've seen this arn, so add it to the
              # callsperprincipal dict with arn as key and list as value
              eventlist = [eventcomposite]
              callsperprincipal[arn] = eventlist
      for arn, eventlist in callsperprincipal.items():
          for eventcomposite in eventlist:
              print('{0},{1}'.format(arn, eventcomposite))
    This is a start, not a solution!
  • 22. Iterating towards perfection: Mining CloudTrail (steps file)
      [
        {
          "Type": "STREAMING",
          "Name": "Streaming Program",
          "ActionOnFailure": "CONTINUE",
          "Args": [
            "-files", "s3://<bucket>/Streaming/cloudtraileventsbyprincipalmapper.py,s3://<bucket>/Streaming/cloudtraileventsbyprincipalreducer.py",
            "-mapper", "cloudtraileventsbyprincipalmapper.py",
            "-reducer", "cloudtraileventsbyprincipalreducer.py",
            "-input", "s3://<bucket>/AWSLogs/123456789012/CloudTrail/us-west-2/2018/02/",
            "-output", "s3://<bucket>/Streaming/TmpOutputX"
          ]
        }
      ]
    This is a start, not a solution!
  • 23. Iterating towards perfection: Mining CloudTrail (results)
      arn:aws:iam::123456789012:user/michael,dynamodb.amazonaws.com:DescribeGlobalTable
      arn:aws:iam::123456789012:user/michael,monitoring.amazonaws.com:DescribeAlarms
      arn:aws:iam::123456789012:user/michael,dynamodb.amazonaws.com:DescribeTable
      arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:ListFunctions20150331
      arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:GetFunction20150331v2
      arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:GetPolicy20150331v2
      arn:aws:iam::123456789012:user/michael,logs.amazonaws.com:DescribeMetricFilters
      arn:aws:iam::123456789012:user/michael,dynamodb.amazonaws.com:ListTables
      arn:aws:iam::123456789012:user/michael,autoscaling.amazonaws.com:DescribeScalableTargets
      arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:ListEventSourceMappings20150331
      arn:aws:iam::123456789012:user/michael,sns.amazonaws.com:ListTopics
      arn:aws:iam::123456789012:user/michael,apigateway.amazonaws.com:GetResources
      arn:aws:iam::123456789012:user/michael,kms.amazonaws.com:Decrypt
      arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:ListAliases20150331
      arn:aws:iam::123456789012:user/michael,kms.amazonaws.com:ListAliases
      arn:aws:iam::123456789012:user/michael,cloudformation.amazonaws.com:DescribeStackResources
      arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:ListTags20170331
      arn:aws:iam::123456789012:user/michael,sns.amazonaws.com:ListSubscriptions
      arn:aws:iam::123456789012:user/michael,apigateway.amazonaws.com:GetStages
      arn:aws:iam::123456789012:user/michael,apigateway.amazonaws.com:GetRestApi
      arn:aws:iam::123456789012:user/michael,dynamodb.amazonaws.com:DescribeReservedCapacity
      arn:aws:iam::123456789012:user/michael,lambda.amazonaws.com:ListVersionsByFunction20150331
      arn:aws:iam::123456789012:user/michael,autoscaling.amazonaws.com:DescribeScalingPolicies
      arn:aws:iam::123456789012:user/michael,autoscaling.amazonaws.com:DescribePolicies
      arn:aws:iam::123456789012:user/michael,ec2.amazonaws.com:DescribeVpcs
    This is a start, not a solution!
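The results on slide 23 show why the deck calls this "a start, not a solution": `monitoring.amazonaws.com` is the CloudWatch API, and Lambda's eventName carries an API version (`GetFunction20150331v2`) that does not appear in the IAM action name. The added example below (not the deck's code) runs the mapper and reducer logic of slides 20 and 21 in a single process over constructed CloudTrail records, then performs the step the deck leaves to the reader: normalising the observed events into IAM actions and emitting a per-principal policy draft. The `SERVICE_PREFIX_OVERRIDES` table and the version-suffix pattern are this example's assumptions and are deliberately incomplete.

```python
"""Single-process mapper + reducer over CloudTrail records, then a policy draft.
Added example; the sample records below are constructed, not real log data."""
import json
import re
from collections import defaultdict

# Constructed CloudTrail log file (one JSON document per line, as the mapper reads them).
SAMPLE_LOG_LINES = [json.dumps({"Records": [
    {"awsRegion": "us-west-2", "eventSource": "lambda.amazonaws.com",
     "eventName": "ListFunctions20150331",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/michael"}},
    {"awsRegion": "us-west-2", "eventSource": "monitoring.amazonaws.com",
     "eventName": "DescribeAlarms",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/michael"}},
    {"awsRegion": "us-west-2", "eventSource": "lambda.amazonaws.com",
     "eventName": "GetFunction20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/michael"}},
    # An assumed-role session; folded back onto the role, as the slide-20 mapper does.
    {"awsRegion": "us-west-2", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/deploy/i-0abc"}},
    # A repeated call; the reducer must collapse it.
    {"awsRegion": "us-west-2", "eventSource": "monitoring.amazonaws.com",
     "eventName": "DescribeAlarms",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/michael"}},
]})]

# eventSource hosts whose IAM service prefix differs from the host name.
# Assumption for this example and knowingly partial; extend it from your own logs.
SERVICE_PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}

# Some services (Lambda in the slide-23 results) append an API version to eventName.
VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")


def normalise_principal(arn):
    """Map an STS assumed-role session ARN onto the IAM role ARN it came from."""
    if ":assumed-role/" in arn:
        account = arn.split(":")[4]
        role_name = arn.split("/")[1]
        return "arn:aws:iam::%s:role/%s" % (account, role_name)
    return arn


def map_records(lines):
    """Mapper: yield (principal ARN, eventSource, eventName) for every record."""
    for line in lines:
        for record in json.loads(line)["Records"]:
            arn = record.get("userIdentity", {}).get("arn", "arn_not_found")
            yield (normalise_principal(arn),
                   record.get("eventSource", "eventsrc_not_found"),
                   record.get("eventName", "eventname_not_found"))


def reduce_calls(triples):
    """Reducer: the distinct eventSource:eventName pairs seen per principal."""
    calls = defaultdict(set)
    for arn, source, name in triples:
        calls[arn].add(source + ":" + name)
    return calls


def to_iam_action(event_composite):
    """'monitoring.amazonaws.com:DescribeAlarms' -> 'cloudwatch:DescribeAlarms'."""
    source, name = event_composite.split(":", 1)
    prefix = source.split(".")[0]
    prefix = SERVICE_PREFIX_OVERRIDES.get(prefix, prefix)
    return prefix + ":" + VERSION_SUFFIX.sub("", name)


def draft_policy(actions):
    # Resource is left at "*" on purpose: scoping resources is the next iteration.
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}


def policies_from_logs(lines):
    """Principal ARN -> policy draft covering only the actions actually observed."""
    calls = reduce_calls(map_records(lines))
    return {arn: draft_policy({to_iam_action(c) for c in composites})
            for arn, composites in calls.items()}


if __name__ == "__main__":
    for arn, policy in policies_from_logs(SAMPLE_LOG_LINES).items():
        print(arn, json.dumps(policy["Statement"][0]["Action"]))
```

Two cautions carry over from the deck's "start, not a solution" note: a service whose IAM actions are not named after its API calls (API Gateway's `GetRestApi` in the slide-23 output is one) needs a per-service mapping rather than this generic rewrite, and events observed in dev/test only reflect the code paths that actually ran during the observation window.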
  • 24. Policy guardrails: Master blacklist policies
    How can I prevent an administrative error from becoming a security incident?
  • 25. Quick AWS policy enforcement primer
    1. Decision starts at Deny.
    2. Evaluate all applicable policies.
    3. Is there an explicit Deny? Yes → Final decision = "Deny" (explicit Deny). No → continue.
    4. Is there an Allow? Yes → Final decision = "Allow". No → continue.
    5. Final decision = "Deny" (default Deny).
    • AWS retrieves all policies associated with the user and resource.
    • Only policies that match the action and conditions are evaluated.
    • If a policy statement has a Deny, it trumps all other policy statements.
    • Access is granted if there is an explicit Allow and no Deny.
    • By default, an implicit (default) Deny is returned.
  • 26. Policy guardrails: Use cases
    • Defense in depth for central IAM administration:
      – Situation: Most IAM policies are written as whitelists (explicit allows, implicit denies).
      – Challenge: Implicit denies can be superseded by an explicit allow in a different attached policy.
    • IAM administration delegation:
      – Situation: Certain governance scenarios require delegation of IAM administration duties to downstream entities without compromising security or compliance.
      – Challenge: AWS IAM works on an all-or-nothing model.
  • 27. Policy guardrails: Solution
    Step 1: Create master blacklist policy.
    Step 2: Create blacklist attachment function.
    Step 3: Create new AWS Config rule.
    Flow: Changes to Roles, Users, Groups, Policies → Invoke on event → Attach policy to IAM principal.
    Event fires within seconds. Explicit deny always trumps.
  • 28. Policy guardrails: Solution
    • Solution fundamentals:
      – Event fires within seconds.
      – Explicit deny trumps any allow in any other policy.
    • Additional details:
      – Blacklist must contain denies to protect the attachment mechanism itself.
      – Lambda function execution role should be limited to attaching the blacklist.
      – A list of excluded IAM principals can be stored as a Lambda parameter.
      – Enforce good process around Lambda code deployment.
    • Also consider:
      – Time-based analysis of iam:ListEntitiesForPolicy.
      – External check (canary) to monitor operation of attachment mechanism.
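Slides 26 to 28 describe the guardrail but leave its two delicate parts implicit: which denies protect the attachment mechanism itself, and how the attachment function and the canary decide what to do. The added example below (this page's, not the deck's code) builds the blacklist document with self-protecting statements, then exercises the attachment and `ListEntitiesForPolicy` canary logic against an in-memory stand-in for IAM, so the control flow can be tested without an account. All ARNs, the policy and function names, and the exclusion list are constructed for the example.

```python
"""Master blacklist guardrail: policy document, attachment handler, canary.
Added example with constructed identifiers; FakeIam stands in for the IAM API."""

ACCOUNT_ID = "123456789012"  # constructed
BLACKLIST_POLICY_ARN = "arn:aws:iam::%s:policy/MasterBlacklist" % ACCOUNT_ID
# Hypothetical Lambda function and execution role that perform the attachment.
ATTACHER_FUNCTION_ARN = "arn:aws:lambda:us-west-2:%s:function:AttachMasterBlacklist" % ACCOUNT_ID
ATTACHER_ROLE_ARN = "arn:aws:iam::%s:role/AttachMasterBlacklistRole" % ACCOUNT_ID
BREAK_GLASS_ARN = "arn:aws:iam::%s:role/BreakGlassAdmin" % ACCOUNT_ID

# The slide-28 "list of excluded IAM principals".  The attacher's own role must be
# here: with iam:* on the blacklist, a blacklisted attacher could never attach again.
EXCLUDED_PRINCIPALS = {BREAK_GLASS_ARN, ATTACHER_ROLE_ARN}


def build_blacklist(denied_actions):
    """Blacklist = the guardrail denies + denies that protect the mechanism itself."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Blacklist", "Effect": "Deny",
             "Action": sorted(denied_actions), "Resource": "*"},
            # Nobody carrying the blacklist may rewrite or delete the document.
            {"Sid": "ProtectPolicyDocument", "Effect": "Deny",
             "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                        "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
             "Resource": BLACKLIST_POLICY_ARN},
            # ...or detach it from any principal (the resource of Detach* is the principal,
            # so the policy is pinned through the iam:PolicyARN condition key).
            {"Sid": "ProtectAttachment", "Effect": "Deny",
             "Action": ["iam:DetachUserPolicy", "iam:DetachRolePolicy", "iam:DetachGroupPolicy"],
             "Resource": "*",
             "Condition": {"ArnEquals": {"iam:PolicyARN": BLACKLIST_POLICY_ARN}}},
            # ...or tamper with the function that performs the attachment.
            {"Sid": "ProtectAttacher", "Effect": "Deny",
             "Action": ["lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration",
                        "lambda:DeleteFunction"],
             "Resource": ATTACHER_FUNCTION_ARN},
        ],
    }


class FakeIam:
    """In-memory stand-in for attach_*_policy and list_entities_for_policy."""

    def __init__(self, principal_arns):
        self.attached = {arn: set() for arn in principal_arns}

    def attach(self, principal_arn, policy_arn):
        self.attached.setdefault(principal_arn, set()).add(policy_arn)

    def entities_for_policy(self, policy_arn):
        return {arn for arn, policies in self.attached.items() if policy_arn in policies}


def principal_type(arn):
    return arn.split(":")[5].split("/")[0]  # 'user', 'role', 'group', ...


def on_iam_change(iam, changed_principal_arn):
    """Body of the Config-triggered function.  Returns what it did, for the log."""
    if changed_principal_arn in EXCLUDED_PRINCIPALS:
        return "skipped-excluded"
    if principal_type(changed_principal_arn) not in ("user", "role", "group"):
        return "skipped-unsupported"
    if BLACKLIST_POLICY_ARN in iam.attached.get(changed_principal_arn, set()):
        return "already-attached"
    iam.attach(changed_principal_arn, BLACKLIST_POLICY_ARN)
    return "attached"


def canary(iam):
    """Slide-28 external check: principals that should carry the blacklist but do not."""
    expected = set(iam.attached) - EXCLUDED_PRINCIPALS
    return sorted(expected - iam.entities_for_policy(BLACKLIST_POLICY_ARN))


if __name__ == "__main__":
    iam = FakeIam(["arn:aws:iam::%s:user/peter" % ACCOUNT_ID, BREAK_GLASS_ARN, ATTACHER_ROLE_ARN])
    print(on_iam_change(iam, "arn:aws:iam::%s:user/peter" % ACCOUNT_ID), canary(iam))
```

The canary is what catches the failure mode the attachment function cannot see: if the Config rule stops firing, or the function's execution role loses its attach permission, new principals silently accumulate without the blacklist, and only a periodic comparison of `ListEntitiesForPolicy` against the full principal inventory reveals it.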
  • 29. Pipeline Deployments: IAM meets CI/CD
    If infrastructure is code, why can't identity and access be code too?
  • 30. Pipeline deployments: IAM meets CI/CD
    • Observation:
      – Over time, policy authoring maturity improves.
      – However, policy deployment maturity sometimes plateaus.
    • Deployment via CI/CD toolchain:
      – IAM policies and principals expressed as code.
      – Use AWS Code* (or toolchain of your choice).
      – Execute any number of automated or human checks before deployment.
      – Process rigor enforced by toolchain.
    • Several possible models:
      – Central team deploying standardized roles (for humans).
      – Distributed app teams submitting to centralized toolchain (for execution roles).
      – Distributed app teams deploying via distributed toolchains (adjacent to code).
  • 31. Pipeline deployments: IAM meets CI/CD
    Variant 1: Build-centric: Clone repo → Commit changes → Build triggered → Automated tests → Human approvals → On pass, deploy.
    Variant 2: Source-centric: Fork repo → Commit changes → Pull request → Automated tests → Human approvals → On pass, merge → Deploy.
  • 32. Pipeline deployments: IAM meets CI/CD
    • Choose variant based on:
      – Experience/comfort with toolchain components.
      – Model you're trying to implement.
    • Tests to consider:
      – Static inspection (e.g. cfn_nag)
      – Policy simulation – unit test
      – Policy simulation – blacklist test
      – Human review/approval
    • Objectives:
      – Reject bad submissions before human inspection.
      – Over time, increase what can be deployed without human inspection at all.
    • Remember security of the pipeline (holds powerful IAM privileges).
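Of the tests slide 32 lists, static inspection is the cheapest gate and the one that runs before any AWS call. The added example below (not the deck's code, and not cfn_nag's rule set) is a small policy linter of the kind a pipeline stage would run on each submitted policy document: it rejects the slide-6 mistake outright (an Allow built on NotAction), routes unconditional full-admin grants to human review rather than auto-deploy, and insists on the current policy version. The severity names and the sample least-privilege policy are this example's assumptions.

```python
"""Static inspection stage for IAM policy documents submitted through a pipeline.
Added example; rules and severities are this example's own."""

# Sample inputs: the deck's drafted (slide 6) and revised (slide 9) policies, plus a
# constructed least-privilege policy that should pass cleanly.
DRAFTED = {"Version": "2012-10-17", "Statement": [
    {"NotAction": ["iam:*", "cloudtrail:*", "workspaces:*"], "Effect": "Allow", "Resource": "*"}]}
REVISED = {"Version": "2012-10-17", "Statement": [
    {"Action": "*", "Effect": "Allow", "Resource": "*"},
    {"Action": ["iam:*", "cloudtrail:*", "workspaces:*"], "Effect": "Deny", "Resource": "*"}]}
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadConfig", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-config-bucket/*"}]}  # constructed


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of (severity, message); 'reject' fails the build, 'review' requires a human."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append(("reject", "Version must be 2012-10-17"))
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", "Statement[%d]" % index)
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        if "NotAction" in stmt:
            # The slide-6 trap: this grants every action outside the list, including
            # actions AWS adds later, and denies nothing at all.
            findings.append(("reject", "%s: Allow with NotAction; express exclusions as an explicit Deny" % sid))
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources and "Condition" not in stmt:
            findings.append(("review", "%s: unconditional Allow of * on * grants full administrative access" % sid))
    return findings


def gate(policy):
    """Pipeline decision: 'deploy', 'needs-review' or 'rejected'."""
    severities = {severity for severity, _ in lint_policy(policy)}
    if "reject" in severities:
        return "rejected"
    if "review" in severities:
        return "needs-review"
    return "deploy"


if __name__ == "__main__":
    for name, policy in [("drafted", DRAFTED), ("revised", REVISED), ("least-privilege", LEAST_PRIVILEGE)]:
        print(name, gate(policy), lint_policy(policy))
```

The revised policy from slide 9 is correct for its stated intent and still lands in `needs-review`, which is the right outcome for a pipeline: a policy that starts from full administrative access is exactly the kind of submission slide 32 wants a human to look at, while the NotAction variant never reaches a reviewer at all.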
  • 33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved Immutable Infrastructure: AWS Organizations How can I freeze long lived resources (e.g. VPCs)?
• 34. What is AWS Organizations?
• 35. Create account hierarchy and apply policies
[Diagram: Root with Development, Test and Production OUs containing accounts A1 through A9]
Service Control Policies (SCPs) use the same policy language, but only specify Actions.
• 36. SCPs are necessary but not sufficient
[Diagram: the SCP allows EC2:*; the IAM permissions allow S3:*, SQS:* and EC2:*; only the overlap, EC2:*, is effective]
• 37. Immutable Infrastructure: Use cases
• Delegated administration:
– Situation: Central team responsible for basic account setup and security baseline, downstream teams responsible for all other account management.
– Challenge: Need to ensure that the security baseline can't be modified by anyone other than the central team.
• 38. Immutable Infrastructure: Solution
[Diagram: Root with Setup, Test and Production OUs containing accounts A1 through A8]
Step 1: Create "Setup" OU and "ImmutableInfra" SCP
• 39. Immutable Infrastructure: Example SCP
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:AttachInternetGateway",
        "ec2:CreateInternetGateway",
        "ec2:DeleteSubnet",
        <snip>
      ],
      "Resource": "*"
    }
  ]
}
Include mutating actions for all resource types you wish to be immutable.
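The two checks above that can run without touching an AWS account are the pipeline "blacklist test" from slide 32 and the SCP/IAM intersection from slides 36 and 39 (an action is effective only if every SCP on the account's path allows it and some IAM policy on the principal allows it). The following is an added example written for this transcript, not code from the presentation or from AWS: a small local evaluator that applies both checks to the ImmutableInfra SCP shown on slide 39 (with the `<snip>` left out) and to constructed IAM policies and a constructed blacklist. It deliberately ignores Resource scoping and takes the worst case for a gate: an Allow that carries a Condition counts as an allow, a Deny that carries a Condition is not trusted to block.

```python
"""Local IAM policy evaluation for two checks from this deck: the pipeline
'blacklist test' (slide 32) and the SCP/IAM intersection that makes SCPs
necessary but not sufficient (slides 36 and 39).

Added example; not code from the presentation. Runs offline: it evaluates
policy documents locally instead of calling the IAM policy simulator, ignores
Resource scoping, and takes the worst case for a gate (an Allow with a
Condition counts, a Deny with a Condition does not). The IAM policies and the
blacklist are constructed; the SCP is slide 39's with the <snip> omitted.
"""
import fnmatch


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    """Action names are case-insensitive and allow * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _covers(stmt, action):
    """Does this statement's Action / NotAction clause apply to `action`?"""
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        # NotAction applies to everything *except* the listed patterns.
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def policy_allows(policy, action):
    """Worst-case decision for one policy document: an explicit Deny wins."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if not _covers(stmt, action):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny" and "Condition" not in stmt:
            denied = True
    return allowed and not denied


def effective_allow(scps, iam_policies, action):
    """Slide 36: every SCP on the account's path must allow the action AND
    some IAM policy attached to the principal must allow it."""
    return all(policy_allows(s, action) for s in scps) and any(
        policy_allows(p, action) for p in iam_policies)


def blacklist_violations(policy, blacklist):
    """Slide 32 gate: blacklisted actions the submitted policy would grant."""
    return sorted(a for a in blacklist if policy_allows(policy, a))


# Slide 39's ImmutableInfra SCP (the <snip> of further mutating actions omitted).
IMMUTABLE_INFRA_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Resource": "*", "Action": [
        "ec2:AttachInternetGateway", "ec2:CreateInternetGateway",
        "ec2:DeleteSubnet"]},
]}

# Slide 36's SCP: only EC2 is permitted at the OU level.
EC2_ONLY_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

# Constructed: a downstream team's administrator policy.
DOWNSTREAM_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Slide 36's IAM permissions: S3, SQS and EC2.
IAM_S3_SQS_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "sqs:*", "ec2:*"], "Resource": "*"}]}

# Constructed blacklist for the pipeline gate.
BLACKLIST = ["iam:CreateUser", "organizations:LeaveOrganization",
             "cloudtrail:StopLogging"]

# Constructed submission: the NotAction statement leaks cloudtrail:StopLogging
# and the conditional Deny cannot be relied on to take it back.
SUBMITTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]}

if __name__ == "__main__":
    for action in ("ec2:DescribeVpcs", "ec2:DeleteSubnet"):
        print(action, "effective for downstream admin:",
              effective_allow([IMMUTABLE_INFRA_SCP], [DOWNSTREAM_ADMIN], action))
    for action in ("ec2:RunInstances", "s3:GetObject"):
        print(action, "under EC2-only SCP:",
              effective_allow([EC2_ONLY_SCP], [IAM_S3_SQS_EC2], action))
    print("gate violations:", blacklist_violations(SUBMITTED_POLICY, BLACKLIST))
```

Run as a pipeline stage, a non-empty `blacklist_violations` result is the "reject before human inspection" signal from slide 32. The evaluator makes no special case for who the principal is, which matches slide 43: a member account's root user is subject to the SCP like everyone else. Because Resource scoping and Conditions are deliberately handled in the worst case, this is only the cheap pre-check; the unit test the deck recommends still belongs with the IAM policy simulator (`SimulateCustomPolicy`), which honours both.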
• 40. Immutable Infrastructure: Solution
[Diagram: Root with Setup, Test and Production OUs; new account A9 placed in the Setup OU alongside accounts A1 through A8]
Step 2: Provision new account, place in Setup OU
• 41. Immutable Infrastructure: Solution
Step 3: Build desired long lived infrastructure (Central Team)
• 42. Immutable Infrastructure: Solution
[Diagram: Root with Setup, Test and Production OUs; account A9 moved out of the Setup OU]
Step 4: Move new account to proper OU (SCP now applies)
• 43. Immutable Infrastructure: Solution
Result: Infrastructure usable, but immutable
[Diagram: mutating changes blocked (X) for the Central Team, the Downstream Team, and the Root User]
• 44. Honorable mentions
• Policy tokenizing: Generic policies, environment specific deployments.
• Microsegmentation: Thousands of AWS accounts.
• Scoped access: The return of the token vending machine.
• 45. Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups Need to Get Started on AWS