Module 3: Security, Identity, and Access Management
© 2016 Amazon Web Services, Inc. or its affiliates. All rights reserved. 1
Physical & Environmental Security
Lock your data center.
Only provide access to those who need it.
Keep track of access.
Mount servers on racks with locks.
Have redundant utilities.
Build your data center with security in mind.
Network Security
Identification & Authentication
Firewalls
Patching
Virus Protection
Encryption
Shared Responsibility – AWS
Customer responsibility:
Customer Data
Platform, Applications, Identity and Access Management
Operating System, Network and Firewall Configuration
Client-side Data Encryption and Data Integrity Authentication
Server-side Encryption (File System and/or Data)
Network Traffic Protection (Encryption/Integrity/Identity)
AWS responsibility:
Foundation Services: Compute, Storage, Database, Network
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Physical Security
24/7 trained security staff
AWS data centers in nondescript and undisclosed facilities
Two-factor authentication for authorized staff
Authorization for data center access
Hardware, Software, and Network
Automated change-control process
Bastion servers that record all access attempts
Firewall and other boundary devices
AWS monitoring tools
Certifications and Accreditations
ISO 9001, ISO 27001, ISO 27017, ISO 27018, IRAP (Australia), MLPS Level 3 (China),
MTCS Tier 3 Certification (Singapore) and more …
SSL Endpoints, Security Groups, and VPC
SSL Endpoints (Secure Transmission): Establish secure communication sessions (HTTPS) using SSL/TLS.
Security Groups (Instance Firewalls): Configure firewall rules for instances using Security Groups.
VPC (Network Control): In your Virtual Private Cloud, create low-level networking constraints for resource access. Public and private subnets, NAT and VPN support.
AWS Multi-Tier Security Groups
Web tier (HTTP): ports 80 and 443 only open to the Internet.
Bastion host (SSH/RDP): engineering staff have SSH/RDP access to the bastion host.
All other internet ports blocked by default.
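An added audit script, not part of the course material, that checks security-group ingress rules against the multi-tier pattern on this slide (only 80/443 from the Internet, SSH/RDP only from the bastion, everything else closed). The bastion group id sg-0bastion and the two sample groups are constructed assumptions.

```python
"""Audit EC2 security-group ingress rules against the multi-tier pattern on
this slide. Input mirrors the 'IpPermissions' shape returned by
ec2:DescribeSecurityGroups; every value below is constructed."""

INTERNET = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}
ADMIN_PORTS = {22, 3389}    # SSH and RDP
BASTION_SG = "sg-0bastion"  # assumed id of the bastion host's security group


def _ports(perm):
    # Expand FromPort..ToPort; IpProtocol "-1" means every port.
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") is None:
        return {"ALL"}
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def _sources(perm):
    # A rule's sources: CIDR strings plus referenced security-group ids.
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    groups = [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return cidrs, groups


def audit_security_group(sg):
    """Return a list of findings (strings) for one security group."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        ports = _ports(perm)
        cidrs, groups = _sources(perm)
        internet = [c for c in cidrs if c in INTERNET]
        # Rule 1: the Internet may reach nothing but 80/443.
        if internet and (ports == {"ALL"} or not ports <= WEB_PORTS):
            exposed = "all" if ports == {"ALL"} else sorted(ports - WEB_PORTS)
            findings.append(f"{sg['GroupId']}: ports {exposed} open to {internet}")
        # Rule 2: SSH/RDP may come only from the bastion security group.
        if (ports == {"ALL"} or ports & ADMIN_PORTS) and (
                cidrs or any(g != BASTION_SG for g in groups)):
            findings.append(f"{sg['GroupId']}: SSH/RDP reachable from "
                            f"{cidrs + groups}; expected only {BASTION_SG}")
    return findings


SAMPLE_GROUPS = [  # constructed: compliant web tier, non-compliant app tier
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [{"GroupId": BASTION_SG}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]
```

Running `audit_security_group` over each entry of `SAMPLE_GROUPS` reports nothing for sg-web and two findings for sg-app, whose SSH port is open to the whole Internet.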
AWS Identity and Access Management (IAM)
1. Manage AWS IAM users and their access
2. Manage AWS IAM roles and their permissions
3. Manage federated users and their permissions
AWS IAM Authentication
AWS Management Console: an IAM user authenticates with a user name and password.
AWS IAM Authentication
AWS CLI or SDK API: an IAM user authenticates with an access key and secret key.
Access Key ID: AKIAIOSFODNN7EXAMPLE
Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Used by the AWS CLI and by the AWS SDKs and API (Java, Python, .NET).
AWS IAM User Management - Groups
AWS Account
DevOps Group: User A, User B
TestDev Group: User C, User D
AWS IAM Authorization
Policies:
Are JSON documents that describe permissions.
Are assigned to IAM users, groups, or roles.
AWS IAM Roles - Instance Profiles
1. Create the Amazon EC2 instance.
2. Select the IAM role (instance profile) for it.
3. The application on the instance obtains the role's credentials from the EC2 metadata service: http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename
4. The application interacts with Amazon S3 using those credentials.
AWS IAM Roles – Assume Role
AWS Account A: IAM User A-1 is assigned an IAM Admin Policy (1).
AWS Account B: the IAM Admin Role is assigned an IAM Restricted Policy (1); IAM User B-1 belongs to this account.
IAM User A-1 assumes the role (2) and accesses Amazon S3 (3); IAM User B-1 assumes the role (4) and accesses Amazon S3 (5).
Temporary Security Credentials (AWS STS)
A session of temporary security credentials consists of:
Access Key Id
Secret Access Key
Session Token
Expiration (15 minutes to 36 hours)
Use Cases: cross account access, federation, mobile users, key rotation for Amazon EC2-based apps.
sts:AssumeRole
The actual permissions of the session are the intersection of the IAM role's permissions and the (optional) permissions passed with the AssumeRole call.
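An added illustration of that intersection and of the JSON policy documents from the Authorization slide; this is a toy evaluator written for this page, not AWS's policy engine, and the policies, bucket names and ARNs in it are constructed.

```python
"""Toy evaluator for the sts:AssumeRole slide: a session's effective
permissions are the intersection of the role's policy and the optional policy
passed with AssumeRole. Explicit Deny beats Allow; anything not allowed is
implicitly denied. Policies and ARNs below are constructed (not the IAM engine)."""
from fnmatch import fnmatchcase


def _matches(patterns, value):
    # IAM wildcards '*' and '?' on Action/Resource; actions are case-insensitive.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def is_allowed(policy, action, resource):
    """Evaluate one policy document: Deny > Allow > implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False          # explicit deny is final
            allowed = True
    return allowed


def assumed_role_allows(role_policy, action, resource, session_policy=None):
    """Permissions of an AssumeRole session: role policy AND session policy.
    The session policy can only narrow the role; it never adds permissions."""
    if not is_allowed(role_policy, action, resource):
        return False
    return session_policy is None or is_allowed(session_policy, action, resource)


# Constructed role policy: full S3 on one bucket, but never delete objects.
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::team-bucket/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
]}
# Constructed policy passed with AssumeRole: read-only, reports prefix only.
SESSION_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::team-bucket/reports/*"},
]}
REPORT = "arn:aws:s3:::team-bucket/reports/q1.csv"

if __name__ == "__main__":
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        print(act, "role only:", assumed_role_allows(ROLE_POLICY, act, REPORT),
              "with session policy:", assumed_role_allows(ROLE_POLICY, act, REPORT, SESSION_POLICY))
```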
AWS IAM Federation
IAM federation may be used for federated access to:
AWS Management Console
AWS APIs
Supported identities:
AWS Directory Service
Microsoft Active Directory
OpenID Connect (OIDC), such as Amazon Cognito and Login with Amazon
SAML 2.0
Amazon Cognito Federation for Mobile Applications
1. The user accesses the app on the mobile client.
2. The mobile client redirects to the identity provider (Login with Amazon) for authentication and receives an ID token.
3. The client exchanges the ID token for a Cognito token.
4. The client exchanges the Cognito token for temporary AWS credentials from AWS STS.
5. The client uses the temporary credentials to access AWS services (DynamoDB in an AWS Region of the AWS account).
AWS IAM Federation using SAML 2.0
1. The user logs in to the client application in the corporate data center.
2. The client app sends the request to the identity provider (portal).
3. The IdP validates the user against the identity store (LDAP).
4. The portal sends the client a SAML assertion.
5. The app calls AssumeRoleWithSAML.
6. AWS STS returns temporary security credentials.
7. The app uses the credentials to access the AWS resource (Kinesis in an AWS Region of the AWS account).
Application Authentication
AWS IAM covers access to AWS; it provides no support for operating system (OS) authentication or for application-level authentication.
AWS IAM Best Practices
Delete AWS account (root) access keys.
Create individual IAM users.
Use groups to assign permissions to IAM users.
Grant least privilege.
Configure a strong password policy.
Enable MFA for privileged users.
AWS IAM Best Practices (cont.)
Use roles for applications that run on Amazon EC2 instances.
Delegate by using roles instead of by sharing credentials.
Rotate credentials regularly.
Remove unnecessary users and credentials.
Use policy conditions for extra security.
Monitor activity in your AWS account.
AWS Resource-Based Policies
Are an alternative to IAM identity-based policies and are supported by some services.
Grant cross-account access to your resources.
Use a Principal element to uniquely identify the account in the policy.
Supported AWS services include:
Amazon S3 Bucket Policy
Amazon SNS Topic Policy
Amazon SQS Queue Policy
Amazon Glacier Vault Policy
AWS OpsWorks Stack Policy
AWS Lambda Function Policy
This work may not be reproduced or redistributed, in whole or in part, without
prior written permission from Amazon Web Services, Inc. Commercial
copying, lending, or selling is prohibited.
Errors or corrections? Email us at [email protected].
For all other questions, contact us at:
https://aws.amazon.com/contact-us/aws-training/.
All trademarks are the property of their owners.