© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Aaron Newman, Co-Founder & CEO, CloudCheckr
July 26, 2017
Secure Your Cloud Investment
Mastering AWS Identity and Access Management (IAM)
Agenda
• What and why AWS Identity and Access Management (IAM)?
• 10 IAM Best Practices
• Using CloudCheckr to monitor best practices
IAM Best Practices
Why do we need IAM best practices?
• It's all about reducing attack surface and eliminating risk
• Humans are the weak link in most security systems
• Poor use of IAM is (one of) the biggest security weaknesses
The Worst Security Vulnerability
Timely Real-World Example
Department of Defense data discovered on an AWS server that was left unprotected
"Sensitive government information from an American defense contractor was recently found without password protection on an AWS server. It was free for anyone to access — no password required."
The information was housed in a publicly accessible Amazon S3 cloud storage "bucket."
https://thenextweb.com/security/2017/05/31/department-defense-data-discovered-unprotected-amazon-server/
More Examples
http://flaws.cloud
A security researcher's tutorial on the common ways Amazon S3 is misconfigured, and how not to repeat them
More Examples (Continued)
Lots of Guides and Standards for IAM
Best Practice #1: Use Federated Access from Outside of AWS
Use the same identity management system you use for everything else in your organization.
https://aws.amazon.com/iam/details/manage-federation/
Best Practice #2: Use IAM roles, not accounts
IAM access keys are just waiting to be leaked
Examples: cross-account roles, instance roles, etc.
When using IAM cross-account roles, don't forget about the confused deputy problem:
https://en.wikipedia.org/wiki/Confused_deputy_problem
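The AWS mitigation for the confused deputy problem on cross-account roles is an `sts:ExternalId` condition in the role's trust policy. The check below is an added example (not from the deck or CloudCheckr) that flags trust statements letting a foreign account assume a role without one; the policies, account ids and the ExternalId value are constructed placeholders.

```python
# Constructed trust policy (AssumeRolePolicyDocument) for a role in account
# 111111111111 that a partner in account 222222222222 is allowed to assume.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Same trust, but the partner must also present the ExternalId agreed with us, so a
# third party who merely knows the role ARN cannot make the partner use it on their
# behalf. The id below is a placeholder, not a real value.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
    }],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _account_of(principal):
    """Account id of an AWS principal: a bare id, an ARN, or '*' for anyone."""
    return principal if principal.isdigit() or principal == "*" else principal.split(":")[4]


def missing_external_id(trust_policy, own_account):
    """Return the foreign principals allowed to assume the role with no sts:ExternalId."""
    offenders = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        # Any condition block keyed on sts:ExternalId counts, whatever operator it uses.
        has_external_id = any("sts:ExternalId" in keys for keys in stmt.get("Condition", {}).values())
        for p in principals:
            if _account_of(p) != own_account and not has_external_id:
                offenders.append(p)
    return offenders
```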
Best Practice #3: Rotate all IAM access keys and secret access keys on a regular basis
Set a policy for how often
Policy can vary based on situation
Wait to see how hard it is to actually accomplish
https://aws.amazon.com/blogs/security/how-to-rotate-access-keys-for-iam-users/
Best Practice #4: Don't leak your AWS access keys
Pushing access keys to GitHub is a common accident
What to Do If You Inadvertently Expose an AWS Access Key:
https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/
https://wptavern.com/ryan-hellyers-aws-nightmare-leaked-access-keys-result-in-a-6000-bill-overnight
Best Practice #5: Delete Stale or Unused Access Keys
If an IAM access key is not being used, delete it
Deleting root access keys is more complicated
Create a policy around the aging of stale or unused keys: 90 days? 365 days?
Look at the AWS IAM API method generate-credential-report
Best Practice #6: Set IAM Password Policies
Account-by-account setting
Nine password policy options:
• Minimum password length
• Require at least one uppercase letter
• Require at least one lowercase letter
• Require at least one number
• Require at least one nonalphanumeric character
• Allow users to change their own password
• Enable password expiration
• Prevent password reuse
• Password expiration requires administrator reset
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
Best Practice #7: Do not grant permissions to IAM users; grant them to IAM groups and assign users to groups
Managing user permissions is complex
Control permissions on groups
Assign users to groups
Best Practice #8: Find unused IAM accounts
Attack surface that doesn't need to be there
User left the organization? Is a default password still on the account?
Set your organizational policy on how long counts as unused or stale
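Best Practices #3, #5 and #8 can all be checked from one IAM credential report (the generate-credential-report output mentioned under #5). As an added example, not code from the deck or from CloudCheckr, the script below parses a constructed report in that CSV layout and flags root access keys, keys not rotated within the policy window, keys idle past the window, and console users whose password has gone unused; the user names, account id, timestamps and the 90-day thresholds are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the IAM credential report CSV; timestamps use the
# report's ISO 8601 form and "N/A" / "not_supported" mean the field does not apply.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111111111111:root,2016-01-10T09:00:00+00:00,not_supported,2017-07-20T08:00:00+00:00,not_supported,not_supported,true,true,2016-01-10T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,2016-03-01T10:00:00+00:00,true,2017-07-25T09:12:00+00:00,2017-05-02T10:00:00+00:00,N/A,true,true,2017-06-15T10:00:00+00:00,2017-07-25T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,2016-05-20T10:00:00+00:00,true,2017-01-05T09:00:00+00:00,2016-05-20T10:00:00+00:00,N/A,false,true,2016-05-20T10:00:00+00:00,2017-01-05T10:00:00+00:00,us-west-2,ec2,true,2017-04-01T10:00:00+00:00,N/A,N/A,N/A
"""

# Constructed evaluation time (the deck's date) so the run is reproducible.
AS_OF = datetime(2017, 7, 26, tzinfo=timezone.utc)


def parse_time(value):
    """Report timestamp to an aware datetime; None for N/A, no_information, not_supported."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def find_stale_credentials(report_csv, now, max_idle_days=90, max_key_age_days=90):
    """Return (user, finding) pairs for root keys, unrotated keys, idle keys and idle passwords."""
    idle_cutoff = now - timedelta(days=max_idle_days)
    rotate_cutoff = now - timedelta(days=max_key_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, f"root access key {slot} exists; delete it"))
                continue  # root keys should not exist at all, so age is irrelevant
            rotated = parse_time(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_time(row[f"access_key_{slot}_last_used_date"]) or rotated
            if rotated and rotated < rotate_cutoff:
                findings.append((user, f"access key {slot} not rotated since {rotated.date()}"))
            if last_used and last_used < idle_cutoff:  # never-used keys are graded by age
                findings.append((user, f"access key {slot} unused since {last_used.date()}"))
        if row["password_enabled"] == "true":
            pw_used = parse_time(row["password_last_used"]) or parse_time(row["user_creation_time"])
            if pw_used and pw_used < idle_cutoff:
                findings.append((user, f"console password unused since {pw_used.date()}"))
    return findings
```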
Best Practice #9: Find accounts with permissions they don't actually need
Principle of least privilege
Use the IAM Access Advisor tab
Revoke what you don't need
Best Practice #10: Monitor All IAM Activity
AWS CloudTrail records each time the AWS API is called
• Currently supports most AWS services
• You have to enable it in every account/region
Conveniently, everything in AWS goes through the API
• Even actions in the AWS Management Console go through the API
CloudTrail writes files into an Amazon S3 bucket
• Near real-time (every five minutes)
• Files are in JSON format
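Because CloudTrail lands as JSON files in S3, the IAM monitoring in Best Practice #10 can be a small reviewer over each file's `Records` array. The following is an added example (not from the deck or CloudCheckr) that runs a few defender rules over a constructed log file: root activity, console sign-ins without MFA, IAM write calls, and calls that would disable the trail itself; the account id, user names, IP address and timestamps are constructed.

```python
import json

# Constructed CloudTrail log file in the layout CloudTrail delivers to S3:
# a JSON object whose "Records" array holds one object per API call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-07-26T14:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-07-26T14:05:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2017-07-26T14:06:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2017-07-26T14:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
]})

# IAM write calls that change who may do what; each deserves review.
IAM_WRITE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AddUserToGroup",
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
}
# CloudTrail calls that would blind the monitoring itself.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def review_cloudtrail(log_text):
    """Return (eventTime, rule, detail) alerts for the IAM-relevant records in one log file."""
    alerts = []
    for ev in json.loads(log_text)["Records"]:
        identity = ev.get("userIdentity", {})
        who, when, name = identity.get("arn", "unknown"), ev["eventTime"], ev["eventName"]
        if identity.get("type") == "Root":
            alerts.append((when, "ROOT_ACTIVITY", f"{name} by root from {ev.get('sourceIPAddress')}"))
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append((when, "CONSOLE_LOGIN_NO_MFA", f"{who} signed in without MFA"))
        if ev["eventSource"] == "iam.amazonaws.com" and name in IAM_WRITE_EVENTS:
            target = ev.get("requestParameters", {}).get("userName", "?")
            alerts.append((when, "IAM_CHANGE", f"{name} on {target} by {who}"))
        if ev["eventSource"] == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
            alerts.append((when, "TRAIL_TAMPER", f"{name} by {who}"))
    return alerts
```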
Enterprise Security & Cost Management from CloudCheckr
Monitoring, Reporting, & Optimization
• Leveraging AWS data – AWS CloudTrail, AWS Config, Amazon VPC Flow Logs, CloudWatch logs, DBR, and more metrics
• Providing complete transparency – into 1 or across 1000s of AWS accounts
• Automating security, configuration, and activity monitoring and alerting
• Continuous monitoring of configurations, resources and permissions
• Active optimization, sophisticated allocation, and simplified invoicing for enterprise cloud cost management
450+ Best Practice Checks
Security & Compliance
Cost Management
Utilization & Performance
Availability
DevOps
Platform
Services
Infrastructure
Sample IAM Best Practice Checks
Stale IAM Users Configuration Options
Try CloudCheckr Free for 14 Days
Questions?
Thank you!
For more, stop by Booth 500

SEC309 Secure Your Cloud Investment: Mastering AWS Identity Access Management (IAM)
