Identity Round Robin Workshop: Permissions Boundaries
2020. 7. 8.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Name, Title
Analogy – giving the keys to your teenager
• Car keys give a lot of power: drive fast, drive anywhere, and even drink and drive.
• You can set rules (don’t speed, don’t go beyond a 20-mile range, etc.), but those rules are trust based.
• You can only use detective controls to verify compliance (check the odometer, see if they got a speeding ticket or got into an accident).
Analogy – giving the keys to your teenager
• Some automakers offer special keys and programming options that let you allow them to drive, but restricted by your settings.
• Their ability in the car (drive fast, blast the radio or even spin the tires) is the intersection between their desire and your settings.
Analogy – giving the keys to a developer
• In the same way, you can give the keys to a developer (the ability to create users or roles) and all the power that comes with that.
• The developer can attach an identity-based policy with full admin rights (their desire) to the role, but they must also attach a permissions boundary (like the auto restriction settings).
• The effective permission of the role is the intersection of the two.
Agenda
• Intro & basics
• Demo
• Permission categories
• Permissions boundary mechanism
• Resource restrictions
What are permissions boundaries?
• Controls the maximum permissions that a user and/or role can have, but does not itself provide any permissions (necessary but not sufficient).
• Mechanism to delegate the permission to create users and/or roles while preventing privilege escalation or unnecessarily broad permissions.
IAM Delegated Administration – Before and After Permissions Boundaries
Before
• Certain IAM policy actions (e.g. PutUserPolicy, AttachRolePolicy) are essentially full admin-like permissions.
• Doing any form of self-service permissions management was non-trivial.
Now
• Administrators can grant these full admin-like permissions, but specify a “permissions boundary.”
• Allows developers to create principals for their applications and attach policies, but only within the boundary.
Use cases
• Developers that need to create roles for Lambda functions
• Application owners that need to create roles for EC2 instances
• Admins that need to be able to create users for particular use cases
• Any others?
Permissions boundary basics
Permissions boundaries – workflow
Admins → Delegated admins → “Bound” IAM users and roles → Restricted resources
• Admins create delegated admins. Requirement: users and roles created by delegated admins must have a permissions boundary.
• Delegated admins create “bound” users & roles. Ability: can create users and roles that have permissions boundaries attached.
• “Bound” IAM users and roles are restricted by permissions boundaries. Result: the permissions boundary restricts the permissions of the users and roles.
• Restricted resources: permissions of the roles attached to resources like Lambda functions are limited by the permissions boundary (Lambda function → role → permissions).
Permissions boundaries – workflow (mapped to the workshop phases)
The same workflow, with the Admins step labelled “Build phase” and the Delegated admins step labelled “Verify phase”: the delegated admins create a “bound” IAM role, and the permissions boundary restricts the permissions of that role and of the Lambda function it is attached to (Lambda function → role → permissions).
An IAM condition context key
"Condition": {
    "StringEquals": {
        "iam:PermissionsBoundary": "arn:aws:iam::ACCOUNT_ID:policy/permissionboundary"
    }
}
… applied to principal creation actions (users and roles)
{
    "Effect": "Allow",
    "Action": ["iam:CreateRole"],
    "Resource": ["arn:aws:iam::ACCOUNT_ID:role/path/"],
    "Condition": {
        "StringEquals": {
            "iam:PermissionsBoundary": "arn:aws:iam::ACCOUNT_ID:policy/permissionboundary"
        }
    }
}
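To make the condition-key mechanism concrete, here is an added Python simulation (example code, not from the workshop deck or AWS) of how a delegated admin's CreateRole statement behaves. It models only the subset of IAM matching the slide uses: Action and Resource wildcards plus a StringEquals condition. It assumes a constructed account id and a trailing `*` on the Resource path so that roles created under the path match; the important detail it reproduces is that `iam:PermissionsBoundary` is only present in the request context when a boundary is supplied, so a CreateRole call without one never satisfies the condition.

```python
"""Simulate how the iam:PermissionsBoundary condition key gates iam:CreateRole.

Added example, not the workshop's or AWS's code. Models a simplified subset of
IAM statement matching (Action/Resource wildcards and StringEquals) so that
the delegated-admin statement from the slide can be exercised offline.
"""
from fnmatch import fnmatchcase

ACCOUNT_ID = "123456789012"  # constructed sample account id
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/permissionboundary"

# The delegated-admin statement from the slide. Assumption: the Resource
# carries a trailing '*' so that roles created under the path match.
DELEGATED_ADMIN_STATEMENT = {
    "Effect": "Allow",
    "Action": ["iam:CreateRole"],
    "Resource": [f"arn:aws:iam::{ACCOUNT_ID}:role/path/*"],
    "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
}


def _matches(patterns, value):
    """IAM-style wildcard match: '*' and '?' are the only wildcards."""
    return any(fnmatchcase(value, pattern) for pattern in patterns)


def statement_allows(statement, action, resource, context):
    """True when an Allow statement matches the action, resource and conditions.

    `context` maps condition keys to the values present in the request.
    A StringEquals clause on a key the request does not carry is not
    satisfied, which is what makes "create a role with no boundary" fail.
    """
    if statement["Effect"] != "Allow":
        return False
    if not _matches(statement["Action"], action):
        return False
    if not _matches(statement["Resource"], resource):
        return False
    for operator, clauses in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in clauses.items():
            if context.get(key) != expected:
                return False
    return True


def create_role_decision(role_arn, boundary_arn=None):
    """Decision for iam:CreateRole on role_arn, optionally with a boundary.

    The simulation has no Deny statements, so anything the statement does
    not allow is an implicit deny.
    """
    context = {}
    if boundary_arn is not None:
        # IAM populates iam:PermissionsBoundary only when the request
        # includes a permissions boundary; otherwise the key is absent.
        context["iam:PermissionsBoundary"] = boundary_arn
    allowed = statement_allows(DELEGATED_ADMIN_STATEMENT, "iam:CreateRole", role_arn, context)
    return "allowed" if allowed else "implicitly denied"


if __name__ == "__main__":
    in_path = f"arn:aws:iam::{ACCOUNT_ID}:role/path/lambda-reader"
    outside = f"arn:aws:iam::{ACCOUNT_ID}:role/lambda-reader"
    other_boundary = f"arn:aws:iam::{ACCOUNT_ID}:policy/other-boundary"
    cases = [
        ("in path, approved boundary", in_path, BOUNDARY_ARN),
        ("in path, no boundary", in_path, None),
        ("in path, different boundary", in_path, other_boundary),
        ("outside path, approved boundary", outside, BOUNDARY_ARN),
    ]
    for label, arn, boundary in cases:
        print(f"{label}: {create_role_decision(arn, boundary)}")
```

Only the first case is allowed; the other three fall through to an implicit deny, which is exactly the property the deck relies on: the delegated admin keeps the powerful CreateRole permission but can only use it to mint roles that carry the approved boundary, inside the approved path.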
IAM Delegated Administration – User side
Create role for a Lambda function (end user experience)
# Step 1: Create role and attach permissions boundary
$ aws iam create-role --role-name roleforlambda --assume-role-policy-document file://Role_Trust_Policy_Text.json --permissions-boundary arn:aws:iam::<ACCOUNT_NUMBER>:policy/department_a/boundary_1
# Step 2: Create identity-based policy – no change
# Step 3: Attach identity-based policy – no change
IAM Delegated Administration – User side: Demo
• User requirements:
  • Lambda function that reads from an S3 bucket
  • Lambda function must have an IAM role to access the bucket
  • Role must be created with the correct permissions
• Company requirements:
  • Policies attached to the role must not allow privilege escalation or unneeded permissions
  • Don’t get in the way of the user
Demo flow: the Admin creates a policy for a user (plus read-only policies), the permissions boundary policy, and the user. The Delegated admin creates a policy for a role, the role, and the Lambda function; the Lambda function is restricted by the permissions boundary (Lambda function → role → permissions).
Permission categories
Guardrails (things that set the maximum permission):
• Organization SCPs
• IAM user and role permissions boundaries
• Session policies
Grants (things that can be used to give permission):
• Identity-based policies
• Resource-based policies
• Access control lists (ACLs)
Also shown on the diagram: VPC Endpoint policies, Role Trust policy.
Permission categories – callout: Which services?
Permission categories – callout: Where does “S3 block public access” fall?
But, it’s just an IAM policy, right?
But, it’s just a managed IAM policy, right?
Before Permissions Boundaries were launched: an IAM role had a single kind of “slot”, the identity-based policy slot, into which an IAM policy is attached as an identity-based policy.
But, it’s just a managed IAM policy, right?
After Permissions Boundaries were launched: the IAM role gained a second “slot”, the permissions boundary slot. The same kind of managed IAM policy can be attached there as a permissions boundary instead of as an identity-based policy.
But, it’s just an IAM policy, right? The two slots: the identity-based policy slot and the permissions boundary slot.
Presentation questions
• What is the condition context key used for permission boundaries?
• How does a permission boundary differ from a standard IAM policy?
• What are some permission boundary use cases?
Permissions boundary mechanism
Permission categories (recap): the same diagram, highlighting permissions boundaries attached to users and roles (a guardrail) and permission policies attached to users and roles (a grant).
Everything after authentication
1. Authenticate the principal
2. Determine which policies apply to the request
3. Evaluate the policy types that apply; the policy type determines the order in which they are evaluated.
4. Allow or Deny the request
Policy evaluation – Venn diagrams
Resulting permission = the overlap of the identity-based policies circle and the permissions boundary circle.
Policy evaluation – the archery analogy
An API request is an arrow trying to hit the target.
Two types of barriers
• Explicit deny: a wall; an explicit deny in any applicable policy stops the request.
• Allow: all other policies; the request must find an allow in each applicable policy type to get through.
Allow example
Request: s3:GetObject. The API request first passes the explicit-deny barrier, then needs an Allow from the identity-based policy and an Allow from the permissions boundary. Allow + Allow → request allowed.
Effective permissions – scenario 1
Request: s3:GetObject / bucket name: example1
Identity-based policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:*:*:*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example1/*"}
  ]
}
Permissions boundary:
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "*"}
  ]
}
Allow example (scenario 1 outcome)
Request: s3:GetObject. Identity-based policy: Allow. Permissions boundary: no Allow for s3:GetObject. Request denied.
Effective permissions – scenario 2
Request: s3:GetObject / bucket name: example1
Identity-based policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:*:*:*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example1/*"}
  ]
}
Permissions boundary:
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "s3:*"],
     "Resource": "*"}
  ]
}
Allow example (scenario 2 outcome)
Request: s3:GetObject. Identity-based policy: Allow. Permissions boundary: Allow (via s3:*). Request allowed.
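The two scenarios above can be checked mechanically. The following added Python evaluator (example code, not the deck's or AWS's) encodes the deck's intersection rule for the two policy types it covers: an explicit Deny in either policy wins, otherwise the request must be allowed by the permissions boundary and by the identity-based policy. SCPs, session policies and resource-based policies are left out. The identity policy and both boundaries are the ones shown on the slides; a third boundary with an explicit Deny is constructed here to exercise the explicit-deny barrier, and the object keys are made up.

```python
"""Effective-permission check: identity-based policy AND permissions boundary.

Added example, not from the workshop deck. Simplified evaluation order:
an explicit Deny in either policy wins; otherwise both policies must allow.
SCPs, session policies and resource-based policies are out of scope.
"""
from fnmatch import fnmatchcase

LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]

# Identity-based policy from the slides (same in both scenarios).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": LOG_ACTIONS, "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example1/*"},
    ],
}

# Scenario 1 boundary: logs actions only.
BOUNDARY_SCENARIO_1 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": LOG_ACTIONS, "Resource": "*"}],
}

# Scenario 2 boundary: logs actions plus all of S3.
BOUNDARY_SCENARIO_2 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": LOG_ACTIONS + ["s3:*"], "Resource": "*"}],
}

# Constructed boundary (not on the slides): scenario 2 plus an explicit Deny
# on one key prefix, to show that a Deny beats an Allow from the other policy.
BOUNDARY_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": BOUNDARY_SCENARIO_2["Statement"]
    + [{"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example1/secret/*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, resource):
    """Both the Action and the Resource patterns ('*', '?' wildcards) must match."""
    return any(fnmatchcase(action, p) for p in _as_list(statement["Action"])) and any(
        fnmatchcase(resource, p) for p in _as_list(statement["Resource"])
    )


def policy_verdict(policy, action, resource):
    """'deny' if a matching Deny exists, else 'allow' if a matching Allow, else 'implicit'."""
    verdict = "implicit"
    for statement in policy["Statement"]:
        if not _statement_matches(statement, action, resource):
            continue
        if statement["Effect"] == "Deny":
            return "deny"  # explicit deny cannot be overridden by a later Allow
        verdict = "allow"
    return verdict


def effective_decision(identity_policy, boundary, action, resource):
    """Intersection rule: explicit deny anywhere wins; otherwise both must allow."""
    verdicts = [policy_verdict(identity_policy, action, resource)]
    if boundary is not None:
        verdicts.append(policy_verdict(boundary, action, resource))
    if "deny" in verdicts:
        return "denied (explicit deny)"
    if all(v == "allow" for v in verdicts):
        return "allowed"
    return "denied (implicit)"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example1/report.csv"  # constructed object key
    print("scenario 1:", effective_decision(IDENTITY_POLICY, BOUNDARY_SCENARIO_1, "s3:GetObject", obj))
    print("scenario 2:", effective_decision(IDENTITY_POLICY, BOUNDARY_SCENARIO_2, "s3:GetObject", obj))
    print("other bucket:", effective_decision(IDENTITY_POLICY, BOUNDARY_SCENARIO_2, "s3:GetObject", "arn:aws:s3:::example2/x"))
    print("explicit deny:", effective_decision(IDENTITY_POLICY, BOUNDARY_WITH_DENY, "s3:GetObject", "arn:aws:s3:::example1/secret/key"))
```

Scenario 1 comes out as an implicit deny (the boundary never mentions S3), scenario 2 as allowed, and a request for a bucket the identity policy does not name stays denied even though the boundary says `s3:*`, which is the "necessary but not sufficient" point from the basics slide.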
All of the obstacles
An API request must get past every one of them: explicit deny, SCPs, permissions boundary, session policy, endpoint policy, identity-based policy, resource-based policy.
Resource Restrictions
Goal: carve out a space for the delegated admins to be able to modify resources without impacting other resources.
Paths are preferred but require the CLI. Naming (e.g. department1*) can also be used.
https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arns-paths
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns
Resource Restrictions – examples
Resource restriction using paths:
"Resource": "arn:aws:iam::123456789012:role/department1/*"
Example role: arn:aws:iam::123456789012:role/department1/role1
Resource restriction using names:
"Resource": "arn:aws:iam::123456789012:policy/development-users*"
Example policy: arn:aws:iam::123456789012:policy/development-users-policy1
Pathing Walled Garden
Within one AWS Account:
• Web Admins (Webadmins Role) create policies and roles under /department1/perm*, e.g. policies /department1/permpolicy-alpha and roles /department1/permrole-alpha.
• Application Admins (Webadmins Role) create policies and roles under /department2/perm*, e.g. policies /department2/permpolicy-alpha and roles /department2/permrole-alpha.
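The resource-restriction examples and the walled-garden slide above both come down to which ARNs a team's Resource pattern matches. The added Python below (example code, not the deck's or AWS's) checks that for the two styles the deck names, path prefixes and name prefixes, using the department1/department2 carve-outs from the slide with a constructed account id. It also shows one caveat the deck does not spell out: a name prefix such as `department1*` is a plain wildcard, so it also matches a third team's `department10-...` names, whereas the path form `department1/*` does not cross into `department10/`.

```python
"""Path-based versus name-based resource restrictions for delegated admins.

Added example, not from the workshop deck. Checks which teams' Resource
patterns match a given IAM ARN, using the walled-garden carve-outs from the
slide. Account id and ARNs are constructed sample values.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed sample account id

# Path-based carve-outs, as on the "Pathing Walled Garden" slide.
PATH_RESTRICTIONS = {
    "Web Admins": [
        f"arn:aws:iam::{ACCOUNT}:role/department1/perm*",
        f"arn:aws:iam::{ACCOUNT}:policy/department1/perm*",
    ],
    "Application Admins": [
        f"arn:aws:iam::{ACCOUNT}:role/department2/perm*",
        f"arn:aws:iam::{ACCOUNT}:policy/department2/perm*",
    ],
}

# The same intent expressed as name prefixes (no path, usable from the console).
NAME_RESTRICTIONS = {
    "Web Admins": [
        f"arn:aws:iam::{ACCOUNT}:role/department1*",
        f"arn:aws:iam::{ACCOUNT}:policy/department1*",
    ],
    "Application Admins": [
        f"arn:aws:iam::{ACCOUNT}:role/department2*",
        f"arn:aws:iam::{ACCOUNT}:policy/department2*",
    ],
}


def teams_allowed_to_touch(restrictions, arn):
    """Teams whose Resource patterns ('*' wildcard, matches '/' too) cover the ARN."""
    return sorted(
        team
        for team, patterns in restrictions.items()
        if any(fnmatchcase(arn, pattern) for pattern in patterns)
    )


def looser_under_names(arns):
    """ARNs some team can reach with name prefixes but not with path prefixes."""
    return [
        arn
        for arn in arns
        if teams_allowed_to_touch(NAME_RESTRICTIONS, arn)
        and not teams_allowed_to_touch(PATH_RESTRICTIONS, arn)
    ]


if __name__ == "__main__":
    samples = [
        f"arn:aws:iam::{ACCOUNT}:role/department1/permrole-alpha",  # Web Admins only
        f"arn:aws:iam::{ACCOUNT}:role/department2/permrole-alpha",  # Application Admins only
        f"arn:aws:iam::{ACCOUNT}:role/admin-role",  # nobody: outside both gardens
        f"arn:aws:iam::{ACCOUNT}:role/department10/permrole-alpha",  # a third team's path
    ]
    for arn in samples:
        print(arn, "->", teams_allowed_to_touch(PATH_RESTRICTIONS, arn))
    # Name prefixes are looser: 'department1*' also matches 'department10-...'.
    stray = f"arn:aws:iam::{ACCOUNT}:role/department10-permrole-alpha"
    print(stray, "->", teams_allowed_to_touch(NAME_RESTRICTIONS, stray))
    print("reachable only under name prefixes:", looser_under_names(samples + [stray]))
```

Under the path style each sample role is reachable by at most one team and the department10 role by none; under the name style the department10 role leaks into the Web Admins carve-out. That is the practical reason to prefer paths where the tooling allows it, and to end a name prefix with a separator (for example `department1-*`) when it does not.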
Permissions Boundary Workshop – Overview
Workshop
Diagram: one AWS Account containing Web Admins (Webadmins Role), Application Admins, a Lambda function with its Lambda Role, and Shared Resources.
Workshop
The round is broken down into a BUILD and VERIFY phase.
BUILD (60 min): First each team will carry out the activities involved in the BUILD phase.
VERIFY (30 min): Each team will carry out the VERIFY activities as if they were part of the web admin team.
Workshop – Permissions boundaries Build Phase (60 min)
Click on Overview, read through this, then click on Build and run the CloudFormation template: https://identity-round-robin.awssecworkshops.com/permission-boundaries/
Use: US East (Ohio) us-east-2
Workshop – Permissions boundaries Verify Phase (15 min)
Swap credentials with another team, then click on Verify: https://identity-round-robin.awssecworkshops.com/permission-boundaries/
Use: US East (Ohio) us-east-2
Final Q & A
End of workshop questions
• What is the risk of implementing permissions boundaries without resource restrictions?
• Can the same IAM policy be used as both a permissions boundary and an identity-based policy?
• Is one resource restriction method preferred over the other?
Summary
• The mechanism at the policy level is just a condition context key
• Supported only for users and roles
• Not all IAM actions support the condition context key
• It’s just a managed policy
• The user or role can do only the actions allowed by both the attached identity-based policies and the permissions boundary
• Resource restrictions should also be used