AWS Cloud Developer Associate Certification

18. Advanced IAM
Index

  1. STS Overview
  2. IAM Best Practices
  3. Advanced IAM
    1. Best Practices
  4. IAM Policies & S3 Bucket Policies
  5. Granting a User Permissions to Pass a Role to an AWS Service
  6. Directory Services – Overview

STS Overview – Security Token Service

  1. Allows you to grant limited, temporary access to AWS resources (up to 1 hour).
  2. AssumeRole: assume roles within your account or cross-account
  3. AssumeRoleWithSAML: return credentials for users logged in with SAML
    • SAML: Security Assertion Markup Language
    • Its primary role in online security is that it lets you access multiple web applications with one set of login credentials.
  4. AssumeRoleWithWebIdentity
    1. return credentials for users logged in with an IdP (Facebook Login, Google Login, OIDC compatible…)
    2. AWS recommends against using this directly, and using Cognito Identity Pools instead
  5. GetSessionToken: for MFA, from a user or AWS account root user
  6. GetFederationToken: obtain temporary creds for a federated user
  7. GetCallerIdentity: return details about the IAM user or role used in the API call
  8. DecodeAuthorizationMessage: decode error message when an AWS API is denied

Using STS to Assume a Role

  1. Define an IAM Role within your account or cross-account
  2. Define which principals can access this IAM Role
  3. Use AWS STS (Security Token Service) to retrieve credentials and impersonate the IAM Role you have access to (AssumeRole API)
  4. Temporary credentials can be valid for between 15 minutes and 1 hour

Cross account access with STS

STS with MFA

  1. Use GetSessionToken from STS.
  2. Attach an appropriate IAM policy that uses an IAM Condition
  3. Condition key: aws:MultiFactorAuthPresent = true
  4. Reminder, GetSessionToken returns:
    1. Access Key ID
    2. Secret Key
    3. Session Token
    4. Expiration date

IAM Best Practices – General

  1. Never use Root Credentials, enable MFA for Root Account
  2. Grant Least Privilege
    1. Each Group / User / Role should only have the minimum level of permission it needs
    2. Never grant a policy with “*” access to a service
    3. Monitor API calls made by a user in CloudTrail (especially Denied ones)
  3. Never store IAM access key credentials on any machine other than a personal computer or an on-premise server
  4. For on-premise servers, the best practice is to call STS to obtain temporary security credentials
  5. IAM Roles Best practices
    1. EC2 machines should have their own roles
    2. Lambda functions should have their own roles
    3. ECS Tasks should have their own roles (ECS_ENABLE_TASK_IAM_ROLE=true)
    4. CodeBuild should have its own service role
    5. Create a least-privileged role for any service that requires it
    6. Create a role per application / lambda function (do not reuse roles)
  6. IAM Best Practices – Cross Account Access
    1. Define an IAM Role for another account to access
    2. Define which accounts can access this IAM Role
    3. Use AWS STS (Security Token Service) to retrieve credentials and impersonate the IAM Role you have access to (AssumeRole API)
    4. Temporary credentials can be valid for between 15 minutes and 1 hour

Advanced IAM – Authorization Model Evaluation of Policies, simplified

  1. If there’s an explicit DENY, end decision and DENY
  2. If there’s an ALLOW, end decision with ALLOW
  3. Else DENY

IAM Policies & S3 Bucket Policies

  1. IAM Policies are attached to users, roles, groups
  2. S3 Bucket Policies are attached to buckets
  3. When evaluating if an IAM Principal can perform an operation X on a bucket, the union of its assigned IAM Policies and S3 Bucket Policies will be evaluated.

Example 1

  • IAM Role attached to EC2 instance, authorizes RW to “my_bucket”
  • No S3 Bucket Policy attached
  • => EC2 instance can read and write to “my_bucket”

Example 2

  1. IAM Role attached to EC2 instance, authorizes RW to “my_bucket”
  2. S3 Bucket Policy attached, explicit deny to the IAM Role
  3. => EC2 instance cannot read or write to “my_bucket”

Example 3

  1. IAM Role attached to EC2 instance, no S3 bucket permissions
  2. S3 Bucket Policy attached, explicit RW allow to the IAM Role
  3. => EC2 instance can read and write to “my_bucket”

Example 4

  1. IAM Role attached to EC2 instance, explicit deny on S3 bucket permissions
  2. S3 Bucket Policy attached, explicit RW allow to the IAM Role
  3. => EC2 instance cannot read or write to “my_bucket”

Dynamic Policies with IAM

  1. How do you assign each user a /home/ folder in an S3 bucket?
  2. Option 1:
    1. Create an IAM policy allowing georges to have access to /home/georges
    2. Create an IAM policy allowing sarah to have access to /home/sarah
    3. Create an IAM policy allowing matt to have access to /home/matt
    4. … One policy per user!
    5. This doesn’t scale
  3. Option 2:
    1. Create one dynamic policy with IAM
    2. Leverage the special policy variable ${aws:username}
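The simplified evaluation model and Examples 1-4 above, the aws:MultiFactorAuthPresent condition from "STS with MFA", and the ${aws:username} dynamic policy, worked through in one added Python example (not code from these notes or from AWS): a toy evaluator that models only Action/Resource wildcards, policy variables and the Bool condition operator. All policy documents are constructed samples; the arn:aws:s3:::my_bucket ARN and the report.txt key are assumptions.

```python
import fnmatch
import re

def _resolve(value, context):
    # Substitute policy variables such as ${aws:username} from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), value)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _applies(stmt, action, resource, context):
    """True if the statement's Action, Resource and (Bool-only) Condition all match the request."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, _resolve(r, context)) for r in _as_list(stmt["Resource"])):
        return False
    # Only the Bool operator is modelled; it is the one the aws:MultiFactorAuthPresent check uses.
    conds = stmt.get("Condition", {}).get("Bool", {}).items()
    return all(str(context.get(k, "false")).lower() == str(v).lower() for k, v in conds)

def evaluate(policies, action, resource, context=None):
    """Simplified IAM decision: an explicit Deny wins, then any Allow, otherwise implicit Deny."""
    context = context or {}
    matched = [s for p in policies for s in p["Statement"] if _applies(s, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"
    return "Allow" if any(s["Effect"] == "Allow" for s in matched) else "Deny"

# Constructed sample documents; principal matching is assumed done, i.e. each bucket
# policy below is the statement that targets the EC2 instance's role.
BUCKET = "arn:aws:s3:::my_bucket"
RW = ["s3:GetObject", "s3:PutObject"]
ALLOW_RW = {"Statement": [{"Effect": "Allow", "Action": RW, "Resource": BUCKET + "/*"}]}
DENY_ALL = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET + "/*"}]}
NO_S3 = {"Statement": []}
HOME = {"Statement": [{"Effect": "Allow", "Action": RW, "Resource": BUCKET + "/home/${aws:username}/*"}]}
MFA_ONLY = {"Statement": [{"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
                           "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

def s3_examples():
    """Examples 1-4 from the notes, each as [role policy, bucket policy], evaluated as a union."""
    cases = [[ALLOW_RW], [ALLOW_RW, DENY_ALL], [NO_S3, ALLOW_RW], [DENY_ALL, ALLOW_RW]]
    return [evaluate(policies, "s3:PutObject", BUCKET + "/report.txt") for policies in cases]

def home_folder(username, path):
    return evaluate([HOME], "s3:GetObject", BUCKET + "/home/" + path, {"aws:username": username})

def terminate_with_mfa(mfa_present):
    ctx = {"aws:MultiFactorAuthPresent": "true"} if mfa_present else {}
    return evaluate([MFA_ONLY], "ec2:TerminateInstances", "arn:aws:ec2:*:*:instance/*", ctx)
```

The four S3 decisions come out Allow, Deny, Allow, Deny, matching the examples; the home-folder policy lets georges read only under /home/georges/, and the MFA-gated statement never matches when the condition key is absent from the request context.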

Inline vs Managed Policies

  1. AWS Managed Policy
    1. Maintained by AWS
    2. Good for power users and administrators
    3. Updated in case of new services / new APIs
  2. Customer Managed Policy
    1. Best Practice, re-usable, can be applied to many principals
    2. Version Controlled + rollback, central change management
  3. Inline
    1. Strict one-to-one relationship between policy and principal
    2. Policy is deleted if you delete the IAM principal

Granting a User Permissions to Pass a Role to an AWS Service

  1. To configure many AWS services, you must pass an IAM role to the service (this happens only once during setup)
  2. The service will later assume the role and perform actions
  3. Example of passing a role:
    1. To an EC2 instance
    2. To a Lambda function
    3. To an ECS task
    4. To CodePipeline to allow it to invoke other services
  4. For this, you need the IAM permission iam:PassRole
  5. It often comes with iam:GetRole to view the role being passed

Can a role be passed to any service?

  1. No: roles can only be passed to the services their trust policy allows
  2. The role needs a trust policy that allows the service to assume the role

Directory Services – Overview

  1. Found on any Windows Server with AD Domain Services
  2. Database of objects: User Accounts, Computers, Printers, File Shares, Security Groups
  3. Centralized security management, create account, assign permissions
  4. Objects are organized in trees
  5. A group of trees is a forest

AWS Directory Services

  1. AWS Managed Microsoft AD
    1. Create your own AD in AWS, manage users locally, supports MFA
    2. Establish “trust” connections with your on-premise AD
  2. AD Connector
    1. Directory Gateway (proxy) to redirect to the on-premise AD
    2. Users are managed on the on-premise AD
  3. Simple AD
    1. AD-compatible managed directory on AWS
    2. Cannot be joined with on-premise AD

Published by

sevanand yadav

Software engineer working as a web developer, specializing in Spring MVC with MySQL and Hibernate