AWS Identity and Access Management - PowerPoint PPT Presentation
Over the past 15 years, many professionals have been trained on several administration courses, following the unique teaching methodology and excellent lab facility that Technogeeks offers.
PowerPoint Slideshow about 'AWS Identity and Access Management' - Technogeeks
Presentation Transcript
All the Trainers in Technogeeks

All the trainers in Technogeeks are IT professionals who have spent many years in the IT industry and built up a broad set of skills during their working hours. Our instructors provide training on real-time scenarios and deliver great knowledge of in-demand technologies, which is why Technogeeks is one of the best training institutes in Pune. Our trainers give 100% practical-oriented training, provide hands-on practice and assign tasks on live projects, where students gain experience in handling real-time problems and get an idea of how to work on real-time projects in the IT industry, so Technogeeks is the best software training institute in Pune.

www.technogeekscs.com

Contact Us: 860-099-8107

Email: contact@technogeekscs.co.in

AWS Identity and Access Management

- Introduction
- What is a Principal?
- Authentication
- Authorization
  - Algorithm
  - Policy (Types, Structure, Example)
- Exercises
- Best Practices
- Lab Exercises

www.technogeekscs.com
IAM - Introduction

- AWS service to implement security.
- Allows you to secure AWS services and resources.
- Enables you to control who can do what in your AWS account.
- Coarse-grained as well as granular control.
- Allows you to leverage user identities from outside AWS.
- It is a free service.
Principal

- Someone or something that interacts with AWS resources.
- Permanent or temporary.
- Could be a human being, a process or an application.
- Types:
  - Root user (like Linux root or Windows Administrator)
  - IAM users (within AWS)
  - Federated users (outside of AWS)
  - Groups
  - Roles / temporary security tokens
Principal...

Root User
- Defined within AWS.
- Unlimited access.
- Resembles Unix root or Windows administrator.
- Used to create the initial admin credentials.
- Must be securely locked down.

IAM User
- Defined within AWS.
- Identity for an individual.
- Persistent until deleted.
- User-associated policies.
- Can be associated with a group.
- Inherits group permissions.

Federated Users
- Defined outside AWS.
- Organizational users: leverage user directories (LDAP, Active Directory).
- Web/mobile users.
- Role-based access.
- Temporary credentials.
Principal (Group)

Diagram: an Account containing the groups Admins, Developers and Test, and the users Bob, Rob, Allen, Susan, Alex and Cathy, each user placed in a group.

- IAM users are organized into groups.
- Groups are assigned permissions.
- Permissions are automatically inherited by the users in the group.

How Role Works?

Diagram: a Requester (EC2, IAM user, federated user) goes through an Interface (SDK, LDAP, AD) to authenticate against AWS STS.

- The owner of the role defines the role and sets up a trust relationship with the actor.
- The actor assumes the role.
- AWS STS generates a temporary security token.
- The actor uses the temporary credentials to access AWS resources.

Benefits:
- No need to share security credentials.
- No need to store long-term credentials.

Use cases:
- Cross-account access
- Intra-account delegation
- Federation: web identities (OIDC); federation with SAML or Active Directory

Request flow:
- The requester requests credentials based on a role.
- AWS authenticates the role and its trust relationship.
- If authenticated, AWS STS returns temporary credentials.
- The requester accesses AWS services using the temporary credentials.

Authentication

- AWS Management Console: user name & password (IAM user account authentication)
  - User name / password
  - Password policy
- AWS API: access key (IAM user account authentication)
  - Access Key ID (20 characters)
  - Secret Access Key (40 characters)
- Temporary token: temporary security token + access key (user or application authentication)
  - Access Key ID
  - Secret Access Key
  - Temporary security token

Authorization...E.g.

- Resource – Examples
  - Resource: arn:aws:s3:::my_bucket/*
  - Resource: arn:aws:sqs:us-west-2:account-id:queue1
  - All EC2 instances for an account in a region: Resource: arn:aws:ec2:us-west-2:account-id:instance/*
  - Multiple DynamoDB tables: Resource: [arn:aws:dynamodb:us-west-2:account-id:table/table1, arn:aws:dynamodb:us-west-2:account-id:table/table2]
- Principal – Examples
  - Principal: {AWS: *} (any AWS account or user)
  - Principal: {AWS: 123456789012} (a specific account)
  - Principal: {AWS: arn:aws:iam::123456789012:user/username} (a specific user)
  - Principal: {Federated: accounts.google.com} (a web identity provider)
  - Specific role: Principal: {AWS: arn:aws:iam::123456789012:role/rolename}
  - Specific service: Principal: {Service: ec2.amazonaws.com}
- Actions – Examples
  - Action: ec2:StartInstances
  - Action: iam:ChangePassword
  - Action: s3:GetObject
  - Action: [sqs:SendMessage, sqs:ReceiveMessage]
  - Action: iam:*AccessKey* (wildcard: every IAM action with "AccessKey" in its name)
- Conditions – Examples
  - Condition: {
      DateGreaterThan: {aws:CurrentTime: dd-mm-yyT12:00},
      DateLessThan: {aws:CurrentTime: dd-mm-yyT15:00},
      IpAddress: {aws:SourceIp: [CIDR1, CIDR2]}
    }

Authorization

- Policy document format:
  {
    "Statement": [{
      "Effect": <...>,
      "Principal": <...>,
      "Action": <...>,
      "Resource": <...>,
      "Condition": <...>
    }]
  }
- Decides what actions are permitted for an entity.
- Permissions (authorization) are granted via policies.
- Policy document
  - JSON/YAML formatted document
  - PARC model (Principal, Action, Resource, Condition)
  - Statement specifications define which actions can be performed and which resources can be accessed
  - Policy types
    - AWS managed, customer managed
    - User based, resource based
- Evaluation logic
  - Defaults to deny
  - Explicit deny
  - Explicit allow
Authorization

- All policy statements are combined.

Policy1:
  {Statement: [{
    Effect: "Allow",
    NotAction: "iam:*",
    Resource: "*"
  }]}

Policy2:
  {Statement: [{
    Effect: "Allow",
    Action: "*",
    Resource: "*"
  }, {
    Effect: "Deny",
    Action: "iam:*",
    Resource: "*"
  }]}

Is there a difference? Yes: Policy1 simply never grants iam:* (another policy's Allow could still grant it), while Policy2's explicit Deny on iam:* cannot be overridden by any Allow.

Evaluation flow:
- Combine all policy statements.
- Explicit Deny found? Yes: Deny.
- No: Explicit Allow found? Yes: Allow access.
- No: End of statements? No: evaluate the next statement. Yes: Deny (the default).
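As an added example that is not part of the Technogeeks slides, the following stdlib-only Python models the evaluation logic above (combine all statements, an explicit Deny wins, then an explicit Allow, otherwise the default deny), with the wildcard matching used by patterns such as iam:*AccessKey* and the IpAddress and date condition operators from the Authorization examples. Policy dicts and the request context are constructed for the demo; the code is a simplified model, not the AWS evaluator.

```python
import fnmatch
import ipaddress
from datetime import datetime
DATE_OPS = {"DateGreaterThan": lambda a, b: a > b, "DateLessThan": lambda a, b: a < b}  # from the slide

def _match(patterns, value, fold=True):
    """IAM-style '*' / '?' wildcard match; action names are case-insensitive, ARNs are not."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value.lower() if fold else value, p.lower() if fold else p) for p in pats)

def _conditions_hold(cond, ctx):
    """Every condition operator/key must hold against the request context (ctx)."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:  # a missing request-context key never satisfies a condition
                return False
            if op in DATE_OPS and not DATE_OPS[op](datetime.fromisoformat(have), datetime.fromisoformat(want)):
                return False
            cidrs = want if isinstance(want, list) else [want]
            if op == "IpAddress" and not any(ipaddress.ip_address(have) in ipaddress.ip_network(c) for c in cidrs):
                return False
    return True
def _applies(stmt, action, resource, ctx):
    """Does this statement cover the requested action and resource under ctx?"""
    if "Action" in stmt and not _match(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _match(stmt["NotAction"], action):
        return False
    if not _match(stmt.get("Resource", "*"), resource, fold=False):
        return False
    return _conditions_hold(stmt.get("Condition", {}), ctx)

def evaluate(policies, action, resource, ctx=None):
    """Combine all statements of all policies: explicit Deny wins, then explicit Allow, else implicit deny."""
    decision = "Deny"  # default (implicit) deny
    for policy in policies:
        for stmt in policy["Statement"]:
            if _applies(stmt, action, resource, ctx or {}):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny ends evaluation immediately
                decision = "Allow"
    return decision

# Constructed samples: Policy1 and Policy2 from the slide, plus a statement using the slide's condition keys.
POLICY1 = {"Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}
POLICY2 = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}, {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
OFFICE_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my_bucket/*",
               "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]},
                             "DateLessThan": {"aws:CurrentTime": "2030-01-01T15:00:00+00:00"}}}]}
```

Evaluating Policy1 and Policy2 together with a third policy that allows iam:* shows the difference the slide asks about: the request is allowed under Policy1 but denied under Policy2, because the explicit Deny cannot be overridden.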

Policy – Resource Based

- Statement: {
    Effect: Allow,
    Principal: {AWS: 123456789012},
    Action: sqs:SendMessage,
    Resource: <arn>
  }
- Some services allow storing the policy with the resource.
- Principal is required.
- Examples
  - S3 (bucket policy)
  - Amazon Glacier (vault policy)
  - Amazon SNS (topic policy)
  - Amazon SQS (queue policy)

Best Practices

- MFA - Enable MFA for privileged users.
- Sharing - Use IAM roles to share access (other accounts, external customers, delegation).
- Roles - Use IAM roles for services.
- Root - Lock down the root user.
- Users - Create individual users.
- Permissions - Grant least privilege.
- Groups - Manage permissions via groups.
- Conditions - Restrict privileged access using conditions.
- Auditing - Enable the AWS CloudTrail service to log API calls.
- Password - Configure a strong password policy.
- Rotate - Rotate security credentials regularly.

Lab Exercises
  • Implement cross account Admin control & access
  • Limit access to prefix in S3 bucket
  • Create user & logon
  • Create Group, Add users
  • Assign group policy
  • Rotation of Access Keys
  • Create a role to access S3 bucket

www.technogeekscs.com