Managing users and AWS accounts
Aleksandr Maklakov – [email protected]
Agenda
• Managing AWS account
• Managing IAM users
• Security Best Practices
• Solutions
• Questions
Managing AWS accounts
• Who has 1 to 3 AWS accounts?
• Who has 3 to 10 AWS accounts?
• Who has more than 10 AWS accounts?
Managing AWS accounts
• Why and when to create multiple accounts?
Managing AWS accounts
• isolation between workloads/departments
• isolation between projects
• minimize blast radius
• optimize costs
• environment lifecycle accounts (dev / test / prod)
• centralize logging account
• centralize publishing account
Managing IAM accounts
• IAM users
• Identity federation (SAML 2.0)
• Directory service (LDAP)
Managing IAM accounts - Security Best Practices
• Lock away your AWS account (root) access keys
• Create individual IAM users
• Use AWS-defined policies to assign permissions whenever possible
• Use groups to assign permissions to IAM users
• Grant least privilege
• Configure a strong password policy for your users
Managing IAM accounts - Security Best Practices
• Enable MFA for privileged users
• Use roles for applications that run on Amazon EC2 instances
• Delegate by using roles instead of by sharing credentials
• Rotate credentials regularly
• Remove unnecessary credentials
• Use policy conditions for extra security
• Monitor activity in your AWS account
Solutions
AWS Organizations
• Centrally manage policies across multiple AWS accounts
• Control access to AWS services
• Automate AWS account creation and management
• Consolidate billing across multiple AWS accounts
Our solution
+
• single account, MFA, password policy to manage
• native UX with AWS CLI and web console
• different cost-centers
• individual accounts for scripts
• delegating/splitting user management
-
• some troubles with 3rd party tools
• short STS session (1 hour)
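The solution above leans on "delegate by using roles" and "use policy conditions for extra security": IAM users live in one account with MFA, and everything else is reached through STS. A common way to enforce the MFA part is a Deny statement conditioned on `aws:MultiFactorAuthPresent`, and the condition operator chosen decides whether long-term access keys slip through. The following is an added example, not code from the talk; it is a deliberately simplified model of IAM condition evaluation (only `Bool` and `BoolIfExists`, only a single Deny statement, no Allow evaluation) and the request contexts are constructed.

```python
"""Bool vs BoolIfExists for aws:MultiFactorAuthPresent (added example).

Simplified model of how IAM evaluates one Deny statement's Condition block:
  Bool          -> a condition key missing from the request context never matches
  BoolIfExists  -> a missing key counts as a match
Requests signed with long-term access keys have no aws:MultiFactorAuthPresent
key at all, so a Deny written with Bool does not stop them.
"""

MFA_KEY = "aws:MultiFactorAuthPresent"


def condition_matches(condition, context):
    """Evaluate an IAM Condition block (AND across all operator/key pairs)."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator {operator!r} is not modelled here")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue          # absent key satisfies ...IfExists
                return False          # absent key fails a plain Bool
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def deny_applies(statement, context):
    """True if this Deny statement matches the request context."""
    return statement["Effect"] == "Deny" and condition_matches(statement["Condition"], context)


# Two ways the same intent ("deny anything not MFA-authenticated") gets written.
DENY_BOOL = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"Bool": {MFA_KEY: "false"}},
}
DENY_IFEXISTS = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {MFA_KEY: "false"}},
}

# Constructed request contexts for the three caller types.
CONTEXTS = {
    "sts session with MFA": {MFA_KEY: "true"},
    "sts session without MFA": {MFA_KEY: "false"},
    "long-term access key": {},      # key absent: no MFA context at all
}


def compare(statements=None, contexts=CONTEXTS):
    """Map each caller type to {statement name: denied?} for both variants."""
    statements = statements or {"Bool": DENY_BOOL, "BoolIfExists": DENY_IFEXISTS}
    return {
        caller: {name: deny_applies(stmt, ctx) for name, stmt in statements.items()}
        for caller, ctx in contexts.items()
    }


if __name__ == "__main__":
    for caller, result in compare().items():
        print(f"{caller:28} {result}")
```

The model reproduces the documented behaviour: both variants deny a session that explicitly lacks MFA and allow an MFA session, but only `BoolIfExists` denies a call made with a long-term access key. For the single-identity-account setup above, that is the difference between an MFA requirement that covers IAM users' long-term keys and one that only covers role sessions.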
The End
• Questions ?
• Comments ?
• Feedback