08 - AWS Cloud Security and Access Management

The document discusses securing access to AWS resources by using AWS Identity and Access Management (IAM) tools like users, groups, roles and policies to control who has access to what. It emphasizes best practices like not using the root user for everyday tasks and creating separate users with restricted permissions for services like GitLab.

Uploaded by anilrajops

AWS Cloud Security & Access Management
by TWN
No part of this publication may be reproduced, copied, transmitted in any
form or by any means, electronic, mechanical, photocopying, recording or
otherwise, without the prior written permission of nnSoftware GmbH

Copyright 2023 nnSoftware GmbH. All rights reserved.


TechWorld with Nana is an established name in the DevOps and Cloud industry, and it stands for quality training that has helped 1,000s of engineers acquire the most in-demand skills in this field.

Our mission is to enable individual engineers as well as companies to take advantage of the recent developments in the Cloud and DevOps fields, and to use these technologies and concepts to create efficient, automated, streamlined DevSecOps processes in organisations.



Securing the Deployment Environment
We need to secure the underlying infrastructure where our container runs.
This is the server and the whole infrastructure network (in our case, the AWS infrastructure).

1. We need to not only secure the network and the servers themselves
2. But also the access to the services on the cloud platform

AWS Account Security:

Who has access to what resources?
All security efforts are wasted if you don't have proper access management: Users and Permissions



Administration vs Usage
Platforms like cloud platforms, Kubernetes, GitLab CI server etc. always have 2 aspects:

Administration
Configure and set up the platform
Administration has many possibilities for high-impact security misconfigurations
The most important part is Access Management: managing user access to resources and services on a platform

Usage
Use the platform for its actual purpose



AWS Access Management
Introduction to AWS Access Management
The AWS service that allows you to manage access to AWS resources is called IAM (Identity and Access Management).
It's a crucial component of AWS security to protect your AWS resources from unauthorized access.

You do that by creating and configuring IAM users, groups, roles and policies.



Securing AWS Account
Root User
One ROOT user is created by default. It has full administrative access and privileges over all resources within the AWS account.

Don't use the ROOT user. Instead create your own users for different purposes with less permissions.
Delete the Access Keys for the Root User. The root user should not have programmatic access at all!
Configure MFA for all AWS accounts.

Attackers with root credentials can do much more damage than when having restricted permissions.

Multi-Factor Authentication
Second authentication factor in addition to user name and password

IAM ROOT User
The root user should not be used for everyday tasks, even administrative ones.

Tasks only the root user of an account can perform:
Activate IAM access to Billing and Cost Management
Close account
Change account settings
...

Use Root only for such special cases



Administrative User
To administer the AWS account, you should create an administrative user with less permissions.
Then use the admin user to perform administrative tasks, including access management.



IAM Users
There are 2 types of access:

AWS Management Console: Email and Password
AWS Command Line Interface: Access Key Pair

Select which access to allow for the user.

System users, like GitLab CI, will need programmatic access.



IAM Policies
You manage access in AWS by creating policies and attaching them to IAM identities (the Who).

What is an IAM Policy?
A policy is a set of permissions that define what actions someone (who the policy is attached to) is able to perform on which resources.
You can give permissions on a very granular basis.
Ability to limit further with conditions.
Policies are stored in AWS as JSON documents.

AWS Managed Policies
Standalone policies that are created and administered by AWS.
Include permissions for many common use cases.
IAM Groups
What is an IAM Group?
You can organize users into groups.
You can assign policies to the group instead of individual users, making it easier to manage permissions for multiple users with similar access needs.
Any user who is part of the group will inherit the permission(s).



Password Policy and Credentials Report
There are 2 useful functionalities for AWS administrators:
Set up a Password Policy
Access the Credentials Report
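The credentials report is where the earlier root-user advice (no root access keys, MFA everywhere, rotated keys) can actually be verified. The following is an added example, not part of the course material: a small offline audit over a constructed report that follows the column layout of the CSV IAM returns. The account id 111122223333, the user names and all timestamps are placeholders; the 90-day key-age limit is an assumed threshold, not an AWS default.

```python
"""Audit an IAM credential report for root keys, missing MFA and stale access keys."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample report (placeholder account and users); only the
# columns the audit reads are filled with meaningful values.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    # Root: MFA off and an active access key -> both are findings.
    "<root_account>,arn:aws:iam::111122223333:root,2023-01-10T09:00:00+00:00,"
    "not_supported,2023-06-01T08:00:00+00:00,not_supported,not_supported,false,"
    "true,2023-01-10T09:05:00+00:00,2023-05-30T10:00:00+00:00,eu-west-1,ecr,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    # Admin: console user with MFA and no access keys -> clean.
    "admin,arn:aws:iam::111122223333:user/admin,2023-02-01T09:00:00+00:00,"
    "true,2023-06-10T08:00:00+00:00,2023-02-01T09:00:00+00:00,"
    "2023-05-02T09:00:00+00:00,true,"
    "false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    # CI user: programmatic access only, key never rotated -> key-age finding.
    "gitlab-ci,arn:aws:iam::111122223333:user/gitlab-ci,2023-02-15T09:00:00+00:00,"
    "false,N/A,N/A,N/A,false,"
    "true,2023-02-15T09:00:00+00:00,2023-06-11T07:00:00+00:00,eu-west-1,ecr,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
)

ROOT_USER = "<root_account>"
UNSET = {"N/A", "not_supported", "no_information", ""}


def parse_report(csv_text):
    """Return the report as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_time(value):
    """Report timestamps are ISO 8601 with a UTC offset; placeholders become None."""
    return None if value in UNSET else datetime.fromisoformat(value)


def audit(rows, now, max_key_age_days=90):
    """Return (user, finding) tuples for the controls recommended in this deck."""
    findings = []
    for row in rows:
        user = row["user"]
        is_root = user == ROOT_USER
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root has active access key {n}"))
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated and (now - rotated).days > max_key_age_days:
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
        # Root always has a console password; the report shows it as not_supported.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
    return findings


def audit_sample(now=datetime(2023, 6, 15, tzinfo=timezone.utc)):
    """Run the audit over the constructed report at a fixed point in time."""
    return audit(parse_report(SAMPLE_REPORT), now)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

Against a real account the same functions would be fed the CSV that the credential report download produces; the fixed `now` exists only so the constructed sample gives repeatable results.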



Create GitLab User to perform CI/CD tasks
Why create a dedicated GitLab User?
Security best practice is to only give the permissions needed by the service to perform its tasks. Not more.
GitLab needs relevant access to be able to:
interact with the AWS ECR repository
deploy to the EC2 instance
BUT nothing more!
For that, we want to create our own dedicated user that has these restricted permissions.

Use GitLab Credentials in CI/CD
Now instead of using the Root access keys, we can replace them with the restricted GitLab access keys.
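To make "only the permissions needed" concrete for the IAM Policies section and for this GitLab user, here is an added example (not code from the course): a root-equivalent policy, a tempting `ecr:*` shortcut, and a least-privilege policy that only lets the CI user log in to ECR and push or pull one repository, checked by a small linter. The linter flags wildcard actions and `Resource: "*"` on actions that can be scoped to an ARN; `ecr:GetAuthorizationToken` is exempt because it does not support resource-level permissions. Only the ECR part of the GitLab user's needs is modelled, since the deck does not detail the EC2 deploy step. The account id 111122223333, region eu-west-1 and repository name my-app are placeholders.

```python
"""Lint IAM policy documents for permissions broader than a CI user needs."""
import json

# Actions that cannot be scoped to a resource ARN and therefore legitimately
# need Resource "*". ecr:GetAuthorizationToken is the one used here.
RESOURCE_WILDCARD_ONLY = {"ecr:GetAuthorizationToken"}

# What the deck warns against: root-equivalent permissions for a CI system.
ROOT_LIKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# A tempting shortcut: every ECR API on every repository in the account.
SERVICE_WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}],
}

# Least privilege for the GitLab user: log in to ECR, then push/pull one repository.
# Account id, region and repository name are constructed placeholders.
GITLAB_CI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EcrLogin",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*",
        },
        {
            "Sid": "EcrPushPullOneRepo",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:PutImage",
            ],
            "Resource": "arn:aws:ecr:eu-west-1:111122223333:repository/my-app",
        },
    ],
}


def as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement index, message) for every Allow that is broader than needed."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource allows everything not listed"))
        if "*" in actions:
            findings.append((i, "Action '*' grants every API call"))
        for action in actions:
            if action.endswith(":*"):
                findings.append((i, f"service-wide wildcard action {action}"))
        needs_scoping = [a for a in actions if a not in RESOURCE_WILDCARD_ONLY]
        if "*" in resources and needs_scoping:
            findings.append((i, "Resource '*' on actions that can be scoped to an ARN"))
    return findings


if __name__ == "__main__":
    for name, policy in [("root-like", ROOT_LIKE_POLICY),
                         ("service-wildcard", SERVICE_WILDCARD_POLICY),
                         ("gitlab-ci", GITLAB_CI_POLICY)]:
        print(name, lint_policy(policy) or "no findings")
    # The JSON document you would attach to the dedicated GitLab user.
    print(json.dumps(GITLAB_CI_POLICY, indent=2))
```

The linter is deliberately simple: it reads the same JSON structure IAM stores, so the same check can run in a merge-request pipeline before a policy is ever attached to the CI user.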



IAM Roles
What is an IAM Role?
Offers a secure way to grant permissions to entities, without the need for long-term access keys.
Roles are often used for services or instances that need to access other services within the cloud environment.

Key aspects of IAM roles:

AWS Identity: Similar to an IAM user, in that it is an AWS identity with permission policies
Assumption: Entities assume roles when they need to perform certain actions on resources
No Permanent Credentials: Temporary credentials are dynamically generated when the role is assumed



IAM Roles
EC2 can assume a role when needed

Additional Security Layer
Main use case is for AWS resources, but roles can also be used to delegate access to IAM users
Easily revoke access
Centralized access control
Reduced credential exposure



IAM Roles
Both are identities
Roles: Temporary credentials, which can be consumed temporarily by trusted entities
IAM users: Long-term credentials
There is a list of AWS managed roles

Trust Policy
Roles have a trust policy that defines which entities are allowed to assume the role
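The trust policy is what separates "EC2 can assume this role" from "anyone can assume this role". The following is an added example, not from the course: three constructed trust policies (an EC2 service principal, delegation to one IAM user, and a wildcard principal), a simplified model of the assume-role decision, and a check for the wildcard misconfiguration. It evaluates only Principal, Action and Effect, ignoring Conditions and the caller's own permissions, so it is a teaching model of the real IAM evaluation, not a replacement for it. The account id 111122223333 and the user name admin are placeholders.

```python
"""Model which principals a role's trust policy lets assume it."""

# Trust policy for a role an EC2 instance can assume (the EC2 use case on this slide).
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Delegating a role to one specific IAM user (placeholder account and user).
DELEGATION_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/admin"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# The misconfiguration to look for: any AWS principal may assume the role.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
    ],
}


def as_list(value):
    """Trust policies accept a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_matches(pattern, principal):
    """pattern is "*" or {"Service": ...} / {"AWS": ...}; principal is a one-key dict."""
    if pattern == "*":
        return True
    for kind, who in principal.items():
        allowed = as_list(pattern.get(kind))
        if "*" in allowed or who in allowed:
            return True
    return False


def can_assume(trust_policy, principal, action="sts:AssumeRole"):
    """Simplified decision: an explicit Deny wins, otherwise a matching Allow is needed."""
    allowed = False
    for stmt in trust_policy.get("Statement", []):
        if action not in as_list(stmt.get("Action")):
            continue
        if not principal_matches(stmt.get("Principal", {}), principal):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def wildcard_trust(trust_policy):
    """Indexes of Allow statements that trust any principal without a Condition."""
    issues = []
    for i, stmt in enumerate(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        pattern = stmt.get("Principal")
        if pattern == "*" or (isinstance(pattern, dict) and "*" in as_list(pattern.get("AWS"))):
            issues.append(i)
    return issues


if __name__ == "__main__":
    print("EC2 ->", can_assume(EC2_TRUST_POLICY, {"Service": "ec2.amazonaws.com"}))
    print("Lambda ->", can_assume(EC2_TRUST_POLICY, {"Service": "lambda.amazonaws.com"}))
    print("open trust statements:", wildcard_trust(OPEN_TRUST_POLICY))
```

Revoking access in this model means editing the trust policy or the role's permission policies, which is the "easily revoke access" and "reduced credential exposure" benefit from the previous slide: no long-term key has to be found and deleted.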



IAM Roles
Roles explained via the hat analogy:
Wearing different hats depending on your role or what you are trying to achieve
Temporarily assume a role when needed

