[REPORT] Building effective IAM policies #AWSreInvent #SEC305

[REPORT] Building effective IAM policies #AWSreInvent #SEC305

Clock Icon2023.12.07

この記事は公開されてから1年以上経過しています。情報が古い可能性がありますので、ご注意ください。

I participated in the Builders' Session for creating IAM policy, so this is report on that session.

Overview

image

Anyone who builds on AWS should understand how to build effective IAM policies. In this session, learn the requirements for security controls and walk through the construction of IAM policies that implement those controls. See which policy types are most appropriate for each control, and walk away with some real-life examples of IAM policies that you can take back to your organization.

Report

Agenda

image

Since there are four scenarios prepared, we will create IAM policies to implement controls. After creating them, we will return to the group and discuss each scenario.

This time, we will launch Cloud9 and test the IAM policies created using the Assessment tool.

image

This tool will return results when executed after creating policies.

Set up

At first, install the tool to evaluate the created policies.

Open 'AWS Cloud9' in the management console and access the environment prepared for this session.

image

Download and install the tool.

$ curl 'https://static.us-east-1.prod.workshops.aws/public/a8b77c64-5ab8-49a3-8751-ba7d5351e107/assets/eval_policy-0.0.33-py3-none-any.whl' --output eval_policy-0.0.33-py3-none-any.whl
pip install eval_policy-0.0.33-py3-none-any.whl

Scenario 1 Allow access to resources for all principals within the organization

Policy

Create a policy allowing s3:GetObject for all principals to all objects in a specific bucket.

Values ​​used in policies

  • AWS Organizations organization ID: o-123456
  • Bucket name: MY-BUCKET
  • Account: 111111111111
  • Action: s3:GetObject
Created policy
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::MY-BUCKET/*",
        "Condition": {
            "StringEquals": {
                "aws:PrincipalOrgId": "o-123456"
            }
        }
    }]
}

After creating the policy, executing a command allows you to evaluate the created policy.

$ eval-policy --step 1 --policy policy1.json

image

This was done relatively quickly.

Scenario 2 Protecting platform resources with Service Control Policies

Policy

Create a Service Control Policy to deny the execution of all actions on resources with a tag where the key is team and the value is admin. Only principals with the tag key of team value of admin should be allowed to perform any actions on tagged resources.

Values ​​used in policies

  • Tag on resources to protect: Key: team Value: admin
  • Tag on principals that are exempt: Key: team Vaue: admin
  • Resource: all resources
  • Action: all actions
Created policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/team": "admin"
                },
                "StringNotEquals": {
                    "aws:PrincipalTag/team": "admin"
                }
            }
        }
    ]
}

image

Scenario 3 Limit the types of EC2 instances that can be launched with identity-based policies

Policy

If the instance type is 't3.small', allow launching EC2 instances. Create an IAM policy that denies launching instances for any other instance types.

Values ​​used in policies

  • Allowed instance type: t3.small
  • Action: ec2:RunInstances
Created policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:InstanceType": "t3.small"
                }
            }
        }
    ]
}

image

This was a familiar policy content, so I was able to create it quickly. In the session, they introduced how to write policies similar to the ones in the screenshot.

image

Scenario 4 Prevent untrusted principals from using an AWS service as a confused deputy

Policy

Create a policy to enable an SNS topic to receive notifications from an S3 bucket.

We need to allow the AWS service principal s3.amazonaws.com to publish messages to the SNS topic. We need to prevent other AWS accounts from using the s3.amazonaws.com service as a confused deputy to publish messages to your topic.

Values ​​used in policies

  • Service: s3.amazonaws.com
  • Action: sns:Publish
  • Region: us-east-1
  • Topic name: MyTopic
  • Account that the SNS topic is in: 111111111111
  • Account that you want to receive notifications from: 111111111111
  • S3 bucket that you want to receive notifications from: MY-BUCKET
Created policy
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": "s3.amazonaws.com"
        },
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:us-east-1:111111111111:MyTopic",
        "Condition": {
            "ArnEquals": {
                "aws:SourceArn": "arn:aws:s3:::MY-BUCKET"
            },
            "StringEquals": {
                "aws:SourceAccount": "111111111111"
            }
        }
    }]
}

image

Conclusion

I decided to participate because I thought it would be a good opportunity to relearn IAM. I tried to create it while looking at the hints, but it was quite difficult. I'm glad I participated as they introduced IAM policies through practical scenarios.

Resources

image

Share this article

facebook logohatena logotwitter logo

© Classmethod, Inc. All rights reserved.