
AWS Identity and Access Management

Over the past 15 years, so many professionals have been trained on several Administration courses, following unique teaching methodology and excellent lab facility that Technogeeks offers.

Technogeeks




Presentation Transcript


  1. All the trainers at Technogeeks are IT professionals who have spent many years in the IT industry and have built up a bundle of skills in their working hours. Our instructors provide training on real-time scenarios and deliver great knowledge of in-demand technologies; that's why Technogeeks is one of the best training institutes in Pune. Our trainers give 100% practical-oriented training, provide hands-on practice and give tasks on live projects, where students get the experience of handling real-time problems and an idea of how to work on real-time projects in the IT industry, so Technogeeks is the Best Software Training Institute in Pune. www.technogeekscs.com Contact Us: 860-099-8107 Email: contact@technogeekscs.co.in

  2. AWS Identity and Access Management (agenda)
     - Introduction
     - What is a Principal?
     - Authentication
     - Authorization: algorithm; policy (types, structure, example)
     - Exercises
     - Best Practices
     - Lab Exercises
     www.technogeekscs.com

  3. IAM - Introduction
     - AWS service to implement security.
     - Allows you to secure AWS services and resources.
     - Enables you to control who can do what in an AWS account.
     - Coarse-grained as well as granular control.
     - Allows you to leverage user identities outside of AWS.
     - It is a free service.

  4. Principal
     - Someone that interacts with AWS resources.
     - Permanent or temporary.
     - Could be a human being, a process or an application.
     - Types:
       - Root user (like Linux root or Windows Administrator)
       - IAM users (within AWS)
       - Federated users (outside of AWS)
       - Groups
       - Roles / temporary security tokens

  5. Principal...
     Root User:
     - Defined within AWS.
     - Unlimited access.
     - Resembles Unix root or Windows administrator.
     - Used to create the initial admin credentials.
     - Must be securely locked down.
     IAM User:
     - Defined within AWS.
     - Identity for an individual.
     - Persistent until deleted.
     - User-associated policies.
     - Can be associated with a group; inherits group permissions.
     Federated Users:
     - Defined outside AWS.
     - Organizational users: leverage user directories (LDAP, Active Directory).
     - Web/mobile users.
     - Role-based access.
     - Temporary credentials.

  6. Principal (Group)
     Diagram: an account containing the groups Admins, Developers and Test, with the users Bob, Rob, Allen, Susan, Alex and Cathy placed under those groups.
     - IAM users are organized into groups.
     - Groups are assigned permissions.
     - Permissions are automatically inherited by users.

  7. How Roles Work
     Diagram: Requester (EC2, IAM user, federated) -> Interface (SDK, LDAP, AD) -> Authentication (AWS STS).
     - The owner of the role defines the role and sets up a trust relationship with the actor.
     - The actor assumes the role.
     - AWS STS generates a temporary security token.
     - The actor uses the temporary credentials to access AWS resources.
     Flow:
     - Requester requests credentials based on a role.
     - The role and trust relationship are authenticated by AWS.
     - If authenticated, AWS STS returns temporary credentials.
     - Requester accesses AWS services using the temporary credentials.
     Benefits:
     - No need to share security credentials.
     - No need to store long-term credentials.
     Use cases:
     - Cross-account access
     - Intra-account delegation
     - Federation: web identities (OIDC); SAML, Active Directory

  8. Authentication
     AWS Management Console (IAM user account):
     - User name and password.
     - Password policy applies.
     AWS API (IAM user account):
     - Access key ID (20 characters) and secret access key (40 characters).
     User or application with temporary credentials:
     - Temporary security token + access key ID and secret access key.
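The slide only gives the key lengths; the added example below (not from the presentation) shows how the API credential pair is actually used: the secret access key is never sent, it seeds the SigV4 HMAC chain that signs each request, and only the access key ID travels in the Authorization header. The key pair is AWS's published example pair, the canonical request is constructed here for an IAM ListUsers call.

```python
import hashlib
import hmac

def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def derive_signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: the 40-character secret is only ever the root of this HMAC
    chain; the derived key is scoped to one date, region and service."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")

def sign_request(access_key_id: str, secret_key: str, amz_date: str, region: str,
                 service: str, canonical_request: str, signed_headers: str) -> dict:
    """Produce the SigV4 signature and Authorization header for a canonical request.
    Only the access key id (20 characters) appears in the header; the secret does not."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signing_key = derive_signing_key(secret_key, date, region, service)
    signature = _hmac_sha256(signing_key, string_to_sign).hex()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"string_to_sign": string_to_sign, "signature": signature, "authorization": authorization}

# AWS's documented example key pair (not a live credential) and a constructed canonical
# request for the IAM ListUsers call; the last line is the SHA-256 of the empty payload.
EXAMPLE_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
CANONICAL_REQUEST = "\n".join([
    "GET", "/", "Action=ListUsers&Version=2010-05-08",
    "host:iam.amazonaws.com", "x-amz-date:20150830T123600Z", "",
    "host;x-amz-date", hashlib.sha256(b"").hexdigest(),
])

if __name__ == "__main__":
    result = sign_request(EXAMPLE_KEY_ID, EXAMPLE_SECRET, "20150830T123600Z",
                          "us-east-1", "iam", CANONICAL_REQUEST, "host;x-amz-date")
    print(result["authorization"])
```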

  9. Authorization... e.g.
     Resource - examples:
     - Resource: arn:aws:s3:::my_bucket/*
     - Resource: arn:aws:sqs:us-west-2:account-id:queue1
     - All EC2 instances for an account in a region: Resource: arn:aws:ec2:us-west-2:account-id:instance/*
     - Multiple DynamoDB tables: Resource: [arn:aws:dynamodb:us-west-2:account-id:table/table1, arn:aws:dynamodb:us-west-2:account-id:table/table2]
     Principal - examples:
     - Principal: {AWS: "*"} (anyone)
     - Principal: {AWS: 123456789012} (an account)
     - Principal: {AWS: arn:aws:iam::123456789012:user/username} (a specific user)
     - Principal: {Federated: accounts.google.com}
     - Specific role: Principal: {AWS: arn:aws:iam::123456789012:role/rolename}
     - Specific service: Principal: {Service: ec2.amazonaws.com}
     Actions - examples:
     - Action: ec2:StartInstances
     - Action: iam:ChangePassword
     - Action: s3:GetObject
     - Action: [sqs:SendMessage, sqs:ReceiveMessage]
     - Action: iam:*AccessKey*
     Conditions - example:
     Condition: {
       DateGreaterThan: {aws:CurrentTime: dd-mm-yyT12:00},
       DateLessThan: {aws:CurrentTime: dd-mm-yyT15:00},
       IpAddress: {aws:SourceIp: [CIDR1, CIDR2]}
     }

  10. Authorization
     - Decides what actions are permitted for an entity.
     - Permissions (authorization) are granted via policies.
     - Policy document: a JSON/YAML formatted document.
     - Policy document format:
       {
         "Statement": [{
           "Effect": <...>,
           "Principal": <...>,
           "Action": <...>,
           "Resource": <...>,
           "Condition": <...>
         }]
       }
     - PARC model: Principal, Action, Resource, Condition.
     - Statement specifications define which actions can be performed and what resources can be accessed.
     - Policy types: AWS managed, customer managed; user based, resource based.
     - Evaluation logic: defaults to deny; explicit Deny; explicit Allow.

  11. Authorization - all policy statements are combined
     Policy1:
       Statement: [{Effect: "Allow", NotAction: "iam:*", Resource: "*"}]
     Policy2:
       Statement: [{Effect: "Allow", Action: "*", Resource: "*"},
                   {Effect: "Deny", Action: "iam:*", Resource: "*"}]
     Is there a difference?
     Evaluation flow:
     - Combine all policy statements.
     - Explicit Deny found? Yes: deny access.
     - No: end of statements? No: go to the next statement.
     - Yes: explicit Allow found? Yes: allow access.
     - No explicit Allow found: access is denied by default.

  12. Policy - Resource Based
     - Some services allow storing a policy with the resource.
     - Principal is required.
     - Example statement:
       Statement: {Effect: "Allow", Principal: {AWS: 123456789012}, Action: "sqs:SendMessage", Resource: <arn>}
     - Examples: S3 (bucket policy), Amazon Glacier (vault policy), Amazon SNS (topic policy), Amazon SQS (queue policy).
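The evaluation flow of slide 11 and the resource-based statement of slide 12, worked through in code. This is an added example, not code from the presentation: a small evaluator that combines statements, applies explicit-deny-wins and default-deny, understands NotAction and wildcards, and checks Principal for resource policies. It answers the slide's "Is there a difference?" by combining Policy1 and Policy2 with a constructed group policy that grants one IAM action; the queue ARN and the account id 123456789012 are taken from the slides.

```python
import re

def _match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "^" + ".*".join(re.escape(p).replace(r"\?", ".") for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_ok(stmt: dict, principal: str) -> bool:
    # Identity policies carry no Principal; resource policies must name one (slide 12).
    # Simplification: the caller id string is matched literally against Principal.AWS.
    if "Principal" not in stmt or stmt["Principal"] == "*":
        return True
    return any(_match(p, principal) for p in _as_list(stmt["Principal"].get("AWS", [])))

def _applies(stmt: dict, principal: str, action: str, resource: str) -> bool:
    if "NotAction" in stmt:  # NotAction covers every action that is NOT listed
        action_ok = not any(_match(p, action, True) for p in _as_list(stmt["NotAction"]))
    else:
        action_ok = any(_match(p, action, True) for p in _as_list(stmt.get("Action", [])))
    resource_ok = any(_match(p, resource) for p in _as_list(stmt.get("Resource", "*")))
    return action_ok and resource_ok and _principal_ok(stmt, principal)

def evaluate(policies, principal: str, action: str, resource: str) -> str:
    """Slide 11 flow: combine all statements; explicit Deny wins; else explicit Allow; else deny."""
    statements = [s for p in policies for s in _as_list(p["Statement"])]
    applicable = [s for s in statements if _applies(s, principal, action, resource)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "Deny (explicit)"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "Allow"
    return "Deny (implicit)"

# The two identity policies from the evaluation slide.
POLICY1 = {"Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}
POLICY2 = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                         {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
# Constructed group policy that also grants one IAM action (as a group membership might).
GROUP_POLICY = {"Statement": [{"Effect": "Allow", "Action": "iam:ChangePassword", "Resource": "*"}]}
# The SQS queue policy from the resource-based slide, with a concrete queue ARN filled in.
QUEUE_ARN = "arn:aws:sqs:us-west-2:123456789012:queue1"
QUEUE_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "123456789012"},
                               "Action": "sqs:SendMessage", "Resource": QUEUE_ARN}]}

if __name__ == "__main__":
    for label, pols in (("Policy1", [POLICY1]), ("Policy1 + group", [POLICY1, GROUP_POLICY]),
                        ("Policy2", [POLICY2]), ("Policy2 + group", [POLICY2, GROUP_POLICY])):
        print(f"{label:16} iam:ChangePassword -> {evaluate(pols, 'bob', 'iam:ChangePassword', '*')}")
    print("queue policy, account 123456789012 ->",
          evaluate([QUEUE_POLICY], "123456789012", "sqs:SendMessage", QUEUE_ARN))
```

The difference is visible once a second policy grants an IAM action: Policy1 merely does not allow IAM, so the group policy wins, while Policy2's explicit Deny overrides it.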

  13. Best Practices
     - MFA: enable MFA for privileged users.
     - Sharing: use IAM roles to share access (for delegation, other accounts, external customers).
     - Roles: use IAM roles for services.
     - Root: lock down the root user.
     - Users: create individual users.
     - Permissions: grant least privilege.
     - Groups: manage permissions via groups.
     - Conditions: restrict privileged access using conditions.
     - Auditing: enable the AWS CloudTrail service to log API calls.
     - Password: configure a strong password policy.
     - Rotate: rotate security credentials regularly.

  14. Lab Exercises
     - Implement cross-account admin control and access.
     - Limit access to a prefix in an S3 bucket.
     - Create a user and log on.
     - Create a group and add users.
     - Assign a group policy.
     - Rotation of access keys.
     - Create a role to access an S3 bucket.
     www.technogeekscs.com
