AWS Security
AWS Account
- Each AWS account comes with a root user
- This account i used when operating on management console
- Through console others users can be created with required permissions
- AWS Account is the basket for all resources you own: EC2 instances, CloudFormation stacks, IAM users, and so on
AWS Account Access
- as root access -> password + accesskey
- as normal user -> password + accesskey
- as AWS resource -> API/CLI request from that EC2 instance
Identity and Access Management Service
- Provides everything for authentication and authorization with AWS API
- Every request you make to AWS API goes through IAM to check whether the request is allowed
- IAM controls who can do what in your AWS account
IAM Service
Authentication in IAM is done with users or roles
Authorization is done by policies
| Root user | IAM User | IAM role | |
|---|---|---|---|
| Can have password | Always | Yes | No |
| Can have access key | Yes * | Yes | No |
| Can belong to group | No | Yes | No |
| Can be associated with an EC2 instance | No | No | Yes |
* not recommended
Differences between root user, IAM user and IAM role
Policies for authorization
- Policy is defined as JSON
- Contains one or more statements
- A statement can allow or deny specific action on specific resources
- Overview of all actions for EC2 resource
{
Version: '2012-10-17',
Statement: [{
Sid: '1',
Effect: 'Allow',
Action: ['ec2:*'],
Resource: ['*']
}]
}every EC2 action
allows
every EC2 action
Policies for authorization
- If you have multiple statements that apply to same action, deny overrides allow
{
Version: '2012-10-17',
Statement: [
{
Sid: '1',
Effect: 'Allow',
Action: ['ec2:*'],
Resource: ['*']
},
{
Sid: '2',
Effect: 'Deny',
Action: ['ec2:TerminateInstances'],
Resources: ['*']
}
]
}above policy allows all EC2 actions except terminating instances
{
Version: '2012-10-17',
Statement: [
{
Sid: '1',
Effect: 'Deny',
Action: ['ec2:*'],
Resource: ['*']
},
{
Sid: '2',
Effect: 'Allow',
Action: ['ec2:TerminateInstances'],
Resources: ['*']
}
]
}above policy denies all actions including ec2:TerminateInstances
AWS Resource
- have Amazon Resource Name (ARN)
arn:aws:ec2:us-east-1:878533158213:instance/i-3dd4f812Service
Region
AccountID
Resource Type
Resource
Managed policy
If you want to create policies that can be reused in your account. There are 2 types:
- AWS managed policy - A policy that is maintained by AWS. eg., policies that grant admin rights
- Customer managed - Could be policy that represents roles in your organization.
Inline policy
A policy that belongs to a certain IAM role, user, or group. The inline policy can't exist without the IAM role, the user, or the group.
Two types of policies:
- Policy is created once and reused for multiple principles (users, roles or groups)
- Standalone object
Managed Policy
- Policy is created for specific user, group or role
- Inline object
Inline Policy
Roles for Authentication for AWS resource
AWS Resource Authentication
- Each AWS API request from AWS resource (eg. EC2)
- Will be authenticated with the roles attached
- By default EC2 has no roles attached; hence no API calls are allowed
Policy Language
- Provides authorization
- Two facets:
- Specification: Defining access policies
- Enforcement: Evaluating policies
Policy Specification basics
- JSON-formatted documents
- Contain a statement (permissions) that specifies:
- which action an principle can perform
- which resources can be accessed
{
"Statement": [
"Effect": "allow|deny",
"Principle": "principle",
"Action": "action",
"Resource": "arn",
"Condition": {
"condition": {
"key": "value"
}
}
]
}you can have multiple statements and each statement is comprised of PARC
Principle Action Resource Condition
PARC + E
Principle
- An entity that is allowed or denied access to a resource
- Indicated by an Amazon Resource Name (ARN)
- With IAM policies, the principle element is implicit (i.e, user, group or role attached)
<!-- everyone (anonymous users) -->
"Principal":"AWS":"*.*"
<!-- specific account or accounts -->
"Principal": {"AWS":"arn:aws:iam::1234567:root"}
<!-- individual IAM user -->
"Principal": {"AWS":"arn:aws:iam::1234567:user/username"}
<!-- federated user (using web identity federation) -->
"Principal": {"Federated": "www.amazon.com"}
"Principal": {"Federated": "graph.facebook.com"}
<!-- specific role -->
"Principal": {"AWS":"arn:aws:iam::1234567:role/rolename}
<!-- specific service -->
"Principal": {"Service":"ec2.amazonaws.com"}Action
- Describes the type of access that should be allowed or denied
- Can be find in docs
- Statement must include Action or NotAction element
<!-- EC2 action -->
"Action": "ec2:StartInstances"
<!-- IAM action -->
"Action": "iam:ChangePassword"
<!-- s3 action -->
"Action": "s3:GetObject"
<!-- specify multiple values -->
"Action": ["sqs:SendMessage", "sqs:ReceiveMessage"]
<!-- use wildcards (* or ?) as part of the action name -->
"Action": "iam:*AccessKey"
<!-- this would cover, for e.g, CreateAccessKey, DeleteAccessKey etc -->Resource
- The object or objects that are being requested
- Statements must include either a Resource or a NotResource element
<-- S3 Bucket -->
"Resource": "arn:aws:s3:::my_corporate_bucket/*"
<-- SQS queue -->
"Resource": "arn:aws:sqs:us-west-2:12345678:queue1"
<-- Dynamo table -->
"Resource": "arn:aws:dynamodb:us-west-1:12345678:table/books_table"
<-- All EC2 instances for an account in a region -->
"Resource": "arn:aws:ec2:us-east-1:12345678:instance/*"Conditions
- Optional criteria that must evaluate to true for the policy to evaluate as true
- Can contain multiple policies
Cognito
- Service that enables you to create unique identities for your user
- and authenticate them
- using either your own user pools
- or by using federated identity
AWS Security
By Madhan Ganesh L
AWS Security
- 1,189
