AWS re:Invent 2022 - Harness power of IAM policies & rein in permissions w/Access Analyzer (SEC313)

Explore the power of IAM policies and discover how to use IAM Access Analyzer to set, verify, and refine permissions. Learn advanced skills that empower builders to apply fine-grained permissions across AWS. This session dives deep into IAM policies and explains IAM policy evaluation, policy types and their use cases, and critical access controls. With a walkthrough of the permissions lifecycle, learn about tools that can help you set, verify, and refine permissions to guide you along your least privilege journey. Also, see a demo of IAM access controls and IAM Access Analyzer tools and learn about use cases and best practices.

Learn more about AWS re:Invent at https://go.aws/3ikK4dD.



Content

0.12 -> - Welcome, everyone, to re:Invent.
2.04 -> I'm so excited to be back on stage
4.02 -> talking about permissions again, my favorite topic,
7.26 -> little bit of Pickles, little bit of policies.
10.29 -> Today is all about harnessing the power of IAM policies,
14.67 -> and reining in those permissions with Access Analyzer.
17.7 -> I will let you know that this title came
19.47 -> with a group effort.
20.4 -> A lot of people wanted to chip in
22.26 -> because of the horse theme I usually have,
24.81 -> and obviously all the permissions talk.
27 -> My name is Brigid Johnson.
28.32 -> I'm the GM of IAM Access Analyzer,
30.33 -> and I'm excited to spend the next hour with you.
33.45 -> This is what it looks like.
34.71 -> First, we're gonna talk about the power of the permissions,
38.7 -> and we're gonna go through what are those permissions,
41.07 -> what are those access controls?
42.75 -> Then we're gonna dive into policy evaluation
46.08 -> and give you a framework of how all these policies
48.96 -> work together to either allow or deny access.
52.02 -> There's gonna be some policy examples along the way.
54.72 -> And just to keep you on your toes,
56.37 -> there's gonna be some pop quizzes.
58.53 -> And then we're gonna go over conditions really quickly.
61.26 -> Not as much as last year 'cause that content is on YouTube,
63.99 -> but I will review it.
65.64 -> And then we have reining in permissions,
67.95 -> what every customer wants to do.
69.72 -> How do we tighten those permissions?
71.67 -> How do we shrink wrap those permissions?
72.99 -> How do we get rid of what we don't need?
74.88 -> And so we'll talk about the permission life cycle,
77.13 -> and setting permissions, verifying those permissions.
80.01 -> I'm gonna take a little bit of a detour
81.9 -> and do a roles deep dive so you can really understand
84.9 -> what roles are and how to use 'em.
86.85 -> And then we'll do refining permissions as well.
90.27 -> I'm gonna try to do some live demos today,
92.07 -> but we'll see how it goes.
95.67 -> All right, the power of AWS permissions.
99.3 -> So this is what we hear from customers.
101.52 -> All of you all sitting in the audience,
103.23 -> the conversations I have.
105.24 -> Teams need the flexibility to explore and innovate.
109.38 -> They need the agility to move fast.
111.24 -> This is where you need access.
113.7 -> But central teams gotta prevent those dangerous
116.61 -> and powerful actions.
118.38 -> And teams need to own their own security.
121.02 -> And the business needs to be accountable
122.61 -> for the security posture.
124.35 -> And this is what we hear, right?
127.53 -> And this is not all in the same direction.
129.51 -> Some is, hey, we gotta have security,
131.85 -> and some is, have all the access you want.
134.52 -> And so how do we strike that right balance?
137.28 -> Well, when it comes to permissions in AWS,
139.47 -> it's all about who can access what.
143.22 -> So when we talk about the who, these are your identities,
146.46 -> either your human identities or your machine identities.
150.42 -> These are your developers, your business analysts,
152.82 -> maybe some data scientists, maybe third party contractors.
156.39 -> And then you obviously have your applications
158.16 -> that are running in the cloud.
160.47 -> Then you have the what.
162.45 -> These are your resources,
163.98 -> your buckets, your lambda functions, your step functions,
166.65 -> your batch jobs, your secrets,
168.96 -> and growing, and growing, and growing.
170.7 -> By the way, if you haven't checked out Resource Explorer,
173.73 -> it launched a few weeks ago.
175.92 -> Unclear on the date,
177.09 -> but it will actually let you explore all of your resources.
180.18 -> It's very powerful.
181.83 -> I was clicking around it the other day.
183.12 -> It was great.
184.2 -> And then in the middle you have can access,
186.27 -> and that's my favorite part.
187.35 -> That's why we're here today.
188.73 -> And those are the permissions,
189.84 -> and that's how you connect your who with your what.
194.37 -> So when it comes to permissions,
196.29 -> it's a shared security model.
197.7 -> So let's talk about our roles and responsibilities.
200.52 -> What is the job of AWS,
202.2 -> my job, the job of all the teams at AWS,
205.11 -> and all the systems that provide AWS?
207.84 -> Well, we provide robust access controls.
210.87 -> These are your policies.
212.16 -> These are your block public accesses.
214.74 -> These are your sharing mechanisms.
217.26 -> You get to set those controls, by the way.
219.75 -> Our job is also to enforce,
221.97 -> and this is the cool part.
223.29 -> For every request made to AWS,
225.877 -> AWS, based on your specifications, gives a yes or no answer.
230.19 -> We enforce all the requests.
233.1 -> Our job is also to give you guidance
235.44 -> because we know permissions,
237.33 -> and we're gonna guide you to set the right ones.
240.54 -> But what is your job?
242.25 -> Your job is to establish those access controls
244.92 -> based on your needs and your requirements.
249.24 -> And that's where this permission life cycle really helps is,
253.17 -> hey, start with a data perimeter.
255.24 -> Start with something around your organization.
257.73 -> If you're not using organization,
259.35 -> definitely use organizations for multi account management.
262.68 -> There's a lot of functionality there.
264.81 -> And then you can set your permissions,
266.73 -> verify they're right, and refine them further.
269.16 -> And this is the life cycle
270.75 -> of how you get to the right permissions.
274.65 -> All right, so access controls.
276.57 -> These are the robust access controls I mentioned.
279.12 -> What types are there?
280.56 -> Well, we have our policies.
282.51 -> These either grant or restrict access.
285.57 -> Some examples might include identity policies
287.88 -> attached to roles
289.14 -> or service control policies attached to your organization,
291.93 -> and those restrict access.
293.79 -> Then you have your restrictions.
295.77 -> Sometimes we have single sharp tools that say,
298.35 -> block this access.
299.43 -> So one example is actually block public access with S3.
304.5 -> And then there are service specific access controls.
307.29 -> And these are like AMI sharing, RDS sharing,
310.2 -> Resource Access Manager,
311.85 -> and these help you share access to your resources as well.
316.71 -> All right, so when it comes to policies,
319.8 -> we all have heard hopefully of the PARC model,
324.3 -> P for principal.
325.8 -> These are who can perform the access.
329.82 -> A for action.
331.23 -> This is the type of access that is allowed or denied.
334.47 -> These are determined by AWS.
336.99 -> There are lots of services, which you see in the first part,
340.17 -> Secrets Manager,
341.49 -> and lots of actions which you see in the second part,
343.98 -> getSecret.
345.96 -> R for resource.
347.52 -> What resource is the action acting on?
350.76 -> And usually that is an ARN that's in there.
353.76 -> You can see that the secret is called Pickles.
356.7 -> And then there's a condition.
358.14 -> And there's a lot of conditions.
359.61 -> And so this access is allowed,
362.1 -> but only if these conditions are met.
364.38 -> So when you think of conditions,
365.73 -> and I'll repeat this a few times today,
367.56 -> always think about, but only if.
372.99 -> All right, so what are the policy types we have to work with
376.89 -> and what are their use cases?
378.75 -> Service control policies, these are at your organization,
381.78 -> organizational unit, or your account.
384.96 -> They restrict access only.
387.87 -> You cannot grant access at that level.
390.87 -> So you can use this to restrict powerful actions and say,
394.68 -> hey, nobody can touch networking controls except for admin.
398.58 -> Permission boundary, these also only restrict access.
402.45 -> It doesn't grant access.
404.4 -> Permission boundaries operate within an account,
406.95 -> and it's very helpful if you wanna say,
409.32 -> hey developers, you can create roles,
412.08 -> but only if they have this boundary.
414.63 -> And that boundary is essentially the maximum permissions
417.72 -> you want to allow them to be able to grant.
421.74 -> So they can't just grant star dot star everywhere.
425.01 -> Then you have the IAM permission policy,
427.59 -> this is the policy attached to the role.
429.42 -> I'm only gonna talk about roles today
430.83 -> because that's all you should be using.
433.325 -> And these can grant or deny access,
436.32 -> and you would specify the actions
438.33 -> and the resources under which conditions.
440.49 -> Scope down policies are per session of the role,
444.3 -> and they also only restrict access.
446.76 -> And so for example, in my teams,
449.13 -> we actually use scope down policies
450.513 -> when we're performing a pretty powerful action.
453 -> So we write the policy for the role
455.52 -> that has specific access,
457.26 -> but then we scope it down even further
459.09 -> when we're trying to just do that one powerful action.
462.27 -> Resource based policies,
463.47 -> your most famous is your bucket point policy,
465.48 -> your access point policy.
467.37 -> These grant or deny access directly to the resource.
470.52 -> Really good for cross account access.
472.89 -> And then VPC endpoint policies that grant or deny access
476.34 -> through the endpoint.
478.14 -> That's a lot of policies.
479.43 -> Fun, huh?
481.14 -> All right, so with all those policies,
483.48 -> how do we actually enforce?
486.09 -> Well, it comes down to two parts.
489.36 -> There is the context.
491.28 -> There are the policies that are evaluated,
493.32 -> those I just reviewed.
495.12 -> The context is generated by the service that you're calling.
498.81 -> And so you'll see this is the service.
500.7 -> This is, are you logged in with MFA?
502.86 -> What action are you trying to call?
504.18 -> What resource are you trying to call it on?
506.73 -> And a lot of stuff, right?
508.89 -> And then there are the policies.
511.44 -> And then IAM says, is there a match?
514.29 -> Is there a match with an allow.
516.21 -> Based on the policies and the context I'm given,
519.09 -> is there a match?
520.53 -> And if there is a match with an allow specified,
523.23 -> then you get allow.
524.25 -> If there is not a match, you get it denied
526.59 -> because we deny by default.
528.87 -> Now if there's a match for a deny statement,
531.27 -> then you're denied, okay?
533.25 -> So always think about this is how policies
535.47 -> and permissions work in AWS.
536.82 -> There's a context.
538.08 -> That's your request, and that's what the service provides,
541.5 -> and then the policies that are evaluated.
543.48 -> And then it's a simple, is there a match?
548.1 -> So this is an example context.
552.06 -> Secrets Manager is the service,
554.52 -> and getSecret is the action.
556.08 -> You have your resource,
557.64 -> and then you have things like the principal account,
559.92 -> the PrincipalOrg, was MFA present, the time, SourceIP,
565.44 -> tags on the principal, tags on the resource.
570.66 -> That's all in the context.
572.79 -> And then there's a policy over there,
574.62 -> and it says, allow Secrets Manager getSecret on any secret
579.54 -> but only if the ResourceTag project equals Pickles.
584.01 -> Pickles is my horse.
584.843 -> You're gonna see that word a lot today.
587.88 -> Right, and so we see that there's a match.
590.43 -> There's a match for the action.
591.81 -> There's a match on resource 'cause we have a star,
594.15 -> and it matches to that.
595.71 -> And there's a match on the condition.
599.34 -> So access is allowed.
601.92 -> So pop quiz time.
603.03 -> Ooh.
604.11 -> Which one doesn't belong?
606.12 -> Allow, maybe allow, deny.
611.1 -> Pickles really wants to know.
613.47 -> What is it?
614.303 -> Two, yes.
615.45 -> Yes, there are only two options.
618.03 -> You are either allowed or you are denied.
620.67 -> There is no in between.
623.85 -> All right.
625.83 -> So this is a framework to help you
628.8 -> think about policy evaluation.
631.89 -> And essentially the way to think about this diagram
634.08 -> is you are trying to get a path to the session principal,
638.55 -> the thing on the far right.
641.16 -> And we start by denying all.
644.13 -> It's denied by default.
645.63 -> And the way to actually allow access,
648 -> you can only do it in two places, is the resource policy,
652.02 -> and that resource policy can allow access
654.84 -> to the account principal,
655.95 -> which can then go through to the session
657.81 -> as long as nothing blocks it,
659.97 -> or the role principal, or the session principal.
663.3 -> And then you have the identity policy
665.43 -> if you have an allow there that also can give it.
668.46 -> And then for cross account, just know that you need both.
671.67 -> You need both the resource and the identity
674.64 -> if you're working across accounts.
677.4 -> An explicit deny in any of those white lines across
681.87 -> where you see the path go through
684.18 -> will always override an allow.
686.67 -> So if you find a deny at the first stage
689.13 -> or right at the session policy, it will override.
694.17 -> But let me tell you what you actually start with.
696.39 -> Before you change any policy, before you allow something,
699.69 -> before you deny something, before you attach anything,
703.02 -> this is what you start with.
705.54 -> The SCP of the organization actually has an allow.
708.78 -> Now remember, SCPs only restrict access.
711.72 -> So this allow just says,
713.07 -> hey, listen to the permissions in the account.
716.49 -> So if you change nothing, all it's saying is,
718.47 -> go listen to the permissions in the account.
721.53 -> Then your resource policy and your identity policy,
725.19 -> there's an implicit deny 'cause there's no access, right?
728.43 -> There's no allow statement; there's nothing in there.
730.53 -> And so it's an implicit deny.
732.72 -> The permission boundary is not attached,
734.79 -> and so it's not applicable.
736.35 -> And then the session policy actually does have an allow,
740.76 -> and that just says, hey, if you don't put anything in here,
743.46 -> go listen to the permissions of the role.
749.13 -> So if you do nothing, you're still denied by default, right?
752.22 -> 'Cause we can't get a path to allow
754.29 -> from that session policy.
757.2 -> All right, so we're gonna go through a series of examples,
759.72 -> and I'm just gonna change things for each one.
763.41 -> And then at the end I'm gonna,
765.54 -> I threw together just a demo so you can see
767.31 -> some of the condition keys in action,
769.65 -> and we'll try to do that.
771.87 -> The identity, in this example,
774.21 -> we're gonna have Pickles,
775.71 -> and Pickles' organization is at the barn.
778.14 -> He lives and works at the barn.
780.33 -> He doesn't work very hard,
781.163 -> but he works at the barn.
783 -> I am Brigid, and I work at Amazon.
786.84 -> I am in a different organization.
788.46 -> So I do not have a job at the barn.
790.2 -> I could, but I don't.
791.94 -> So in this example we have Pickles.
795.12 -> He's in account one at the barn organization,
798.66 -> and he is allowing Secrets Manager getSecrets
801.72 -> on Pickles treats.
803.46 -> So because that's an allow on that thing,
806.58 -> we have a path to allow.
809.28 -> I haven't changed any SCP.
810.84 -> I haven't put a permission boundary on.
813.54 -> I haven't changed the session policy.
815.28 -> So Pickles can eat the apples.
816.9 -> That's good.
817.733 -> We want 'em to eat apples, right?
819.45 -> Okay, next example.
823.62 -> I said, hey Pickles, you are now denied access.
828.9 -> And Brigid, I have a role in my organization,
832.28 -> in my Amazon organization,
834.72 -> that says I am allowed to getSecrets, the Pickles treats,
839.46 -> as long as it's only from the barn organization.
842.19 -> So I can't go get treats from Vegas.
844.59 -> I have to go to the barn to get those treats.
847.83 -> The resource policy is also allowing Pickles and Brigid
852.12 -> to get those treats.
854.31 -> So in this scenario, am I allowed to eat apples?
864.69 -> I actually am allowed to eat apples
867.09 -> because both the resource policy
869.493 -> and my policy in my organization
872.01 -> have allowed me to go get the apples.
873.9 -> But Pickles, on the other hand, he can't
875.79 -> because he has a deny, and that deny kicked in.
878.28 -> Even though the resource policy said he could,
880.86 -> I said he couldn't 'cause that's his role.
883.53 -> - [Audience Member] Question.
884.363 -> - We're not taking questions.
885.36 -> We'll do it at the end, sorry.
886.707 -> (Brigid laughs) I did forget to mention that.
889.74 -> I will stand outside
890.76 -> and answer all the questions that you want,
893.1 -> but we wanna keep this question for you for right now
896.16 -> so we can get through it.
899.61 -> Okay, so next example.
902.67 -> I gave Pickles back his access on his role
906.54 -> to eat the apples.
909.57 -> I still have the ability to eat the apples.
912.87 -> The resource policy also says
914.94 -> Pickles and Brigid can eat the apples.
917.1 -> So whether it's within the same account or cross account,
920.01 -> the resource policy says we're allowed.
922.14 -> But the SCP is on the organization of the barn,
926.64 -> and it says deny Secrets Manager getSecret.
929.4 -> Nobody can call Secrets Manager getSecret.
933.48 -> All right, now keep in mind,
934.98 -> SCPs apply to all of the principals in the organization.
938.82 -> So they apply to all principals in the barn organization,
942.78 -> not the Amazon organization.
944.88 -> So in this example, I am allowed to eat apples
948.287 -> 'cause the resource policy has said yes,
951.12 -> and the principal policy in my organization has said yes,
954.12 -> but Pickles has a deny attached to him,
956.64 -> and that's coming from the SCP for the barn
960.54 -> 'cause he's part of the barn.
962.07 -> If I started working at the barn,
963.87 -> I would no longer be able to get those apples.
969.21 -> All right.
970.68 -> Hopefully this is helping you understand
972.36 -> how these things work together.
975.48 -> And our last example,
977.52 -> Pickles is allowed to eat the apple,
980.85 -> get the apples, the treats.
982.95 -> I am allowed to get the treats.
985.2 -> I have updated my resource policy.
987.9 -> My resource policy says, hey,
990.6 -> people can come and eat these treats,
992.4 -> Brigid and Pickles can,
994.89 -> but only principals that are in the barn organization.
998.49 -> I added a condition.
1000.62 -> So access is only granted if it's allow,
1003.53 -> if they're in the barn organization.
1006.08 -> And I turn the SCP back to allow everybody
1008.48 -> in the barn organization to use Secrets Manager.
1011.9 -> All right, so in this scenario, Pickles is allowed,
1016.4 -> but Brigid is now not.
1018.08 -> Why?
1018.913 -> 'Cause I don't work at the barn.
1020.78 -> I am in the Amazon organization.
1023.48 -> So my PrincipalOrgID is Amazon, not the barn.
1029.21 -> Okay, so I'm just gonna show you
1033.35 -> essentially how PrincipalOrgID works in a few buckets
1037.64 -> just because I thought it would be fun.
1039.65 -> Okay, so I have, this is my test account,
1045.13 -> and there are some buckets in here.
1047.42 -> One of them is public,
1049.01 -> and this is full of pictures of Pickles.
1050.9 -> So it is intended to be public.
1053.06 -> And then I have some other buckets.
1056 -> And so one of them is the apples bucket.
1060.98 -> And you can see in this that I have trusted Pickles
1065.9 -> from Amazon and Pickles from the barn,
1067.52 -> but I added this condition.
1071.33 -> Oh no, can I do that?
1074.3 -> Okay, it's gonna be really hard
1075.53 -> when I go to the command line.
1077.24 -> I don't know how to do that.
1078.38 -> Does somebody know how to do that?
1079.61 -> Oh, ooh, that worked.
1081.23 -> I did it, great.
1083.12 -> Okay, so here's the fun part.
1087.08 -> I'm gonna try to get access from the public bucket,
1091.37 -> and this is Pickles treats for all.
1092.84 -> This is my public bucket.
1093.8 -> So what's our answer?
1100.16 -> Maybe if it's fast enough to go.
1105.08 -> Well, it will be yes, because it's public, right?
1110.3 -> And I can do that either from inside the barn
1112.88 -> or from outside the barn.
1115.64 -> And I have downloaded it as Pickles one.
1118.28 -> And so just because everybody wants to see
1120.08 -> more pictures of Pickles, this is him taking nap.
1121.85 -> There you go, all right.
1123.44 -> Okay, now we're at our apple bucket.
1125.87 -> So do you want me to like show you the policy again?
1128.21 -> I have some trusted accounts,
1129.47 -> but I also trust both the Amazon and barn roles
1133.13 -> that I'm using right now.
1134.75 -> And I say, hey, you can get object and put object
1137.177 -> as long as you're in this organization.
1140.03 -> So when I use my Pickles role
1142.25 -> that's from inside the barn org, what's gonna happen?
1149.9 -> Yes, we're granted access, right?
1151.79 -> Because the condition is met.
1153.86 -> My PrincipalOrgID is the barn org.
1156.71 -> What happens when I try to access it
1158.42 -> from outside the organization?
1162.5 -> Allowed or denied, folks?
1164.63 -> There you go, denied.
1166.31 -> All right, and I did get access denied.
1172.07 -> And just for fun, not sure if everybody wants to see this,
1176.66 -> but he's got a messy mouth.
1178.43 -> There we go.
1179.9 -> Okay, so going back to my slide deck,
1184.49 -> just wanna show you that in action.
1185.69 -> And there were some other things I can set up,
1187.43 -> but that's a really important condition key
1190.7 -> to do when you're using resource based policies.
1193.31 -> So PrincipalOrgID is your friend.
1197.84 -> All right, pop quiz time.
1200.33 -> Christmas pop quiz.
1202.19 -> Elf.
1203.593 -> I think Pickles and Elf in this.
1204.426 -> Use SCPs to restrict access to which principals?
1209.3 -> All root users, all users, roles,
1213.08 -> and root users in my organization,
1215.42 -> all roles in any organization, or roles named Pickles?
1220.37 -> What's the answer?
1222.11 -> Two, yes, that is correct.
1224.81 -> SCPs apply to all users, roles,
1228.38 -> and root users within your organization.
1231.02 -> You can set SCPs at the org level, the OU level,
1234.5 -> or for an individual account,
1236.18 -> but you do this all with organizations.
1239.45 -> All right, so now we've gone through policy evaluation
1243.41 -> and enforcement.
1245.18 -> I did wanna go into conditions.
1246.89 -> So conditions can be a very, very good friend of yours.
1251.03 -> And like I said, conditions are but only if.
1254.51 -> And with conditions, there are three parts that you define.
1257.87 -> One is the condition operator,
1260.33 -> and this is the type of operator used to compare
1264.2 -> the key and the value.
1265.88 -> So this is the context and the value that's in the policy.
1270.519 -> And so string equals, string like,
1275.15 -> there's a choice, there's a list of them.
1277.28 -> You don't get to define your own operator.
1279.35 -> Those are AWS defined.
1281.87 -> Pro tip here.
1282.703 -> If you are using any, if you don't have any wildcards,
1285.65 -> if you know the value of your condition key in value,
1289.13 -> then use string equals.
1290.81 -> Don't use string like.
1292.88 -> All right, the condition key.
1294.8 -> These are also defined by AWS.
1297.41 -> These are predefined keys,
1299.03 -> and they look up the value in the context.
1301.97 -> So do you remember the context I showed you
1303.95 -> back in the slide when we had secrets?
1306.98 -> That's like PrincipalOrgID, the MFA,
1311.33 -> I forget what its name is.
1312.163 -> But is MFA set, the ResourceTag.
1315.68 -> Those are all on the left side of that context,
1318.83 -> and it's basically a lookup value.
1321.5 -> You cannot put a wildcard in these.
1322.82 -> That's the pro tip there.
1324.89 -> The value is on the right hand side,
1326.96 -> and this is what you set.
1328.46 -> And this is based on your permission requirement.
1331.16 -> Maybe you want it to be PrincipalIsAWSService to be true,
1334.85 -> maybe you want your ResourceTag to always be Pickles,
1338.51 -> or maybe you want the ResourceTag
1340.58 -> to just match the principal tag.
1343.67 -> The pro tip here is most condition keys are single-valued.
1350.9 -> There are very few multi-valued condition keys.
1354.11 -> So if you see policies that say for all values,
1356.66 -> for any values, go check yourself.
1359.15 -> There's also a lot of checks and policy validation as well,
1362.57 -> but most of the condition keys you operate
1364.88 -> will have just a string equals, or string like, or a bool,
1368.75 -> and then your key, which is AWS defined,
1371.3 -> and the value, which is you defined.
1373.85 -> I go in way into this last year's talk.
1376.73 -> So if you wanna learn more,
1377.84 -> you can definitely check that out.
1380.84 -> So with conditions, how do you get them to work together?
1384.11 -> If you need an OR,
1386.06 -> you need to put them in separate statements.
1390.08 -> And so if you need this condition to be met
1392.3 -> or this condition to be met,
1394.04 -> separate them out into two different statements.
1396.8 -> If you want them all to be met at the same time,
1399.2 -> then you need to put them all together, and they're ANDed,
1403.73 -> in the single statement,
1405.2 -> and that's the permission boundary, the CalledViaFirst,
1408.23 -> and the RequestTag in this policy example.
1411.38 -> Now the RequestTag has a few values specified
1414.68 -> on the right hand side.
1416.36 -> This is still a single-valued condition key,
1419.84 -> but we're saying, hey, the value could be Pickles
1423.5 -> or Bubbles.
1424.55 -> The name of my next horse, by the way.
1426.23 -> I haven't bought it yet, but.
1428.63 -> And so that's how they work together.
1431.18 -> So when you're thinking about this,
1432.83 -> always think OR is multiple statements,
1435.11 -> AND is the same statement,
1436.4 -> and anything on the right side that's a list is OR.
1441.56 -> All right, noteworthy condition keys.
1443.42 -> This slide every year keeps getting harder
1445.19 -> and harder to make because we keep adding some.
1447.53 -> So that's why go be best friends with condition.
1451.01 -> You have your fan favorites, which is ResourceTag,
1453.7 -> RequestTag.
1454.533 -> ResourceTag is always the tag
1456.2 -> that already exists on the resource.
1459.08 -> The RequestTag is the tag you are requesting to add
1463.61 -> to a resource or remove.
1465.92 -> This can really help with tag-based access control
1468.95 -> or attribute-based access control.
1470.84 -> We're seeing more customers that start to adopt this
1473.27 -> because they want their tagging posture,
1476.69 -> both just for cost as well as for permission management
1479.87 -> to use tags and operate based on those attributes.
1484.73 -> New, since I've stood up on this stage,
1487.82 -> ResourceOrgID and ResourceAccount,
1491.3 -> these are what you would specify in an identity policy.
1494.78 -> And you would say, hey Pickles,
1497.9 -> you can only access resources in your organization,
1501.35 -> in your barn org,
1503.6 -> or you can only access resources in your account.
1506.21 -> This is really good for, I don't know,
1508.76 -> reading data or writing data to places.
1512.15 -> You wanna make sure that it's all staying within.
1514.88 -> Then you have PrincipalOrgID, which we talked a lot about.
1517.43 -> PrincipalArn is really good if you're writing a
1520.4 -> deny everybody except this principal.
1523.37 -> So deny everyone except this networking role
1526.37 -> that we use to make networking changes.
1529.19 -> And then PrincipalIsAWSService is one of my favorites
1532.28 -> because you can just say,
1534.32 -> you're allowed as long as the Principal is an AWS service,
1537.35 -> kind of granting access to the services
1539.3 -> to act on your behalf or to deny and work with source AP.
1546.8 -> All right, so resource condition examples.
1550.49 -> This is a deny.
1551.9 -> And so we say deny S3, and then you have your arn.
1556.01 -> And then when the ResourceOrgID
1558.53 -> does not match the PrincipalOrgID.
1560.9 -> And so you can use, and this is an interesting policy tool,
1566.66 -> is you can use a context key as a variable
1569.45 -> in the right side of the policy.
1572.72 -> And so this is very helpful to control access
1575.69 -> in your identity based policies or in your SCPs.
1581.6 -> All right, that was a lot.
1583.37 -> So we talked about the robust access controls.
1586.1 -> We talked about evaluation and enforcement.
1588.98 -> Now we're gonna get into the guidance
1591.02 -> and reining in those permissions.
1593.96 -> All right, reining in those permissions.
1596.99 -> So I wanna remind you all that least privilege is a journey.
1601.28 -> I have a lot of customers come up to me and tell me,
1604.4 -> I just wanna get least privilege.
1605.42 -> I just need it.
1606.253 -> I need it now.
1607.49 -> And it has to be a journey, right?
1609.71 -> Because you're exploring in AWS.
1611.66 -> You're building.
1612.493 -> You're trying new things.
1614.03 -> And so what happens is,
1615.53 -> is you need to give developers some freedom
1618.05 -> to try things out.
1619.4 -> I've actually, in my teams, had a lot of engineers tell me,
1622.857 -> "Hey Brigid, we can reduce cost, or we can make this faster,
1625.61 -> or let's just try this out
1627.62 -> and see if we can reduce operations,"
1629.18 -> because they had the ability to explore
1631.85 -> in their dev accounts in smaller environments.
1635.78 -> Okay, so that's great.
1637.28 -> But then as you go up to production,
1638.9 -> you're gonna need to tighten those permissions
1640.55 -> 'cause that's where your critical data is.
1642.23 -> That's where your algorithms are stored.
1644.553 -> That's where business really happens is in production.
1647.9 -> And so that's why it is a journey.
1650.06 -> And so we see people start a little bit broader,
1652.67 -> and then when they know more, they tighten.
1656.45 -> And so that is the getting to the right permissions.
1660.17 -> So I do recommend that everyone start with a data perimeter.
1663.98 -> There's a ton of workshops and a ton of material on that,
1666.95 -> and that's what you would wanna establish
1668.39 -> around your organization.
1669.65 -> And that's basically like, let's keep things within the org.
1672.65 -> And then you set permissions for human developers,
1678.11 -> and human roles, and machine roles,
1680.69 -> and then you verify that they match your intent,
1682.85 -> and then you refine them further.
1686.69 -> All right, let's dive into setting permissions.
1689.54 -> I get this question a lot, and it's an interesting one.
1692.63 -> Who actually applies the permissions?
1695.3 -> And this has evolved over the years.
1698.39 -> I started working in identity in 2014,
1701.27 -> and at that point in time there wasn't organizations.
1705.53 -> And so what we found was there were central security teams
1708.8 -> that were setting every single policy and permission.
1711.68 -> And how that's evolved over time is that
1715.55 -> central security teams now establish guardrails.
1719.72 -> They verify the permissions and the permission practices,
1723.26 -> they provide templates and tools
1725.21 -> and really help developers get up and going.
1727.73 -> But it's really the engineering teams
1729.95 -> that are actually setting those permissions
1732.47 -> for those workloads, for those systems.
1735.95 -> And it's their job to establish the fine-grained permissions.
1738.68 -> And so when you think about how to run permissions
1741.74 -> in your organization,
1743.42 -> think about how to shift it more and more towards them,
1746.06 -> giving them tools, giving them validation,
1748.88 -> giving them alerts when it's not right.
1750.68 -> And then how do they know when to refine it?
1755.45 -> And so when we talk about setting permissions,
1757.43 -> there's three modes that you can choose.
1759.68 -> The AWS managed mode, this is when you're exploring.
1763.97 -> This is when you get started.
1765.62 -> You're gonna use some defaults,
1767.12 -> you're gonna use some templates,
1768.5 -> probably a little bit broader.
1770.39 -> Then you have your tools to right size.
1773.27 -> These are policy generation, using customized templates,
1780.11 -> and these are all tools as well.
1781.82 -> And then you have your DIY mode.
1783.29 -> We all know that you all love writing JSON by hand
1786.02 -> in a text editor.
1787.07 -> That's probably your favorite thing to do.
1789.08 -> And so, but as you author those policies,
1792.56 -> we do help you out with a little bit of policy validation.
1796.58 -> So AWS managed mode, three things to just point out.
1800.84 -> AWS managed policies, these are to help you get started.
1804.71 -> They are service defaults.
1806.48 -> I'm going to recommend that you don't stay there, okay?
1810.5 -> Once, you can use 'em to get started,
1812.3 -> but then go rein them in.
1815.39 -> So get started.
1817.7 -> Be like, okay, I got 'em working.
1819.26 -> And now you can kinda rein it in and get more specific.
1824.543 -> AWS Cloud Development Kit, CDK, it's growing.
1827.84 -> If you haven't checked it out, I highly recommend it.
1829.64 -> My engineering teams actually love it.
1832.31 -> But they have predefined configurations
1835.58 -> and predefined permissions
1836.84 -> that work with your infrastructure.
1838.82 -> So that would all be infrastructure permissions.
1841.46 -> And then SAM serverless connectors.
1843.23 -> So as you go into the serverless world,
1845.42 -> you can connect resources to make sure they talk together.
1847.91 -> And these are purpose-built policies
1849.77 -> that are very specific to help you do that.
1854.96 -> All right, policy generation.
1857.48 -> So with policy generation,
1860.24 -> Access Analyzer will actually generate a policy for you.
1863.567 -> And so you would run your application.
1865.55 -> You request a policy from Access Analyzer.
1868.19 -> Access Analyzer gets to work.
1869.66 -> You can go get a coffee or talk to your friends,
1872.27 -> and then you get to customize it further.
1874.4 -> What is new this year is we now provide
1876.98 -> action level permissions for 140 different services.
1881.69 -> So if you haven't checked out Policy generation lately,
1884.93 -> I highly recommend that you do it.
1887.75 -> It really helps you get started
1889.43 -> and get closer to fine-grained
1891.11 -> than just using broad permissions.
1893.39 -> And we're gonna demo it here today.
1895.34 -> So we have a CloudFormation template and some roles,
1900.2 -> and I'm gonna pop around and show you some stuff.
1903.53 -> I'm gonna use this trick like they do in cooking shows
1905.63 -> where like things are already generated,
1907.25 -> or baked, or whatever.
1910.22 -> So here we go.
1912.98 -> So I have a CloudFormation stack
1915.5 -> that I called PicklesBarnBroad,
1917.81 -> and it has a DynamoDB table, a secret, and a bucket,
1921.74 -> nothing too exciting.
1923.6 -> And the only thing you need to know is that I ran this a lot
1926.3 -> yesterday actually with a role called
1929.27 -> Pickles CFN Broad Role.
1930.98 -> I made it very obvious.
1931.94 -> I wouldn't normally name a role that,
1933.41 -> but I made it super obvious that it was broad.
1935.21 -> And you can see that it was broad
1937.94 -> because I have it attached with all this
1941.6 -> read, write, full access stuff, manage policies.
1946.01 -> All right, I'm gonna go in and say,
1947.54 -> hey, I wanna scope down that role.
1949.64 -> And so I generated a policy yesterday,
1951.71 -> and I'm just gonna show it to you
1952.97 -> just so in case the demo fails,
1954.83 -> you know that it actually did work.
1956.93 -> And you can kinda see that it did its job yesterday
1960.2 -> and created a formed policy.
1962.51 -> But you wanna see that in action.
1963.86 -> So I'm gonna cancel out of that.
1967.61 -> And I'm actually gonna generate a policy.
1969.08 -> So I'm gonna click generate.
1971.66 -> I'm gonna generate a new policy.
1974.87 -> And I'm gonna pick the last day.
1977.36 -> I just created this role yesterday,
1978.77 -> so I was hanging out doing that.
1980.677 -> That's what people do in Vegas, create roles.
1983.96 -> That's my trail.
1986.39 -> I'm gonna say all regions, just to make sure.
1989.42 -> I read everything in us-west-2
1991.13 -> 'cause West Coast best coast, why not?
1993.89 -> And I have this service role already used,
1996.23 -> and then I just click generate.
1998.6 -> And what's gonna happen is we'll go back to the console,
2002.62 -> and it's gonna generate a policy.
2005.14 -> Now, because this will take a little bit,
2007.99 -> and I like to show you something exciting,
2010.81 -> I have done this yesterday.
2012.64 -> And so this is my role that I created yesterday.
2015.67 -> Pickles CFN Fine Grained Role.
2018.82 -> And you can tell that it has a fine grained permission.
2021.85 -> And this is the policy that was generated,
2025.54 -> and then I specified specific resources within it,
2029.62 -> and I said us-west-2,
2031.57 -> and I gave it Pickles name to create the bucket, et cetera.
2036.91 -> All right, I'm actually gonna run the CloudFormation
2039.22 -> with this role, the fine grained role,
2041.23 -> just to show you that it still works.
2043.54 -> And what this did was it took my broad role
2046.447 -> and all the run I did with the broad role,
2049.69 -> and Access Analyzer went and found all the actions
2054.34 -> and generated a policy.
2055.54 -> And I took that policy, I specified some resources,
2058.45 -> I created a new role with that policy,
2060.22 -> and now I'm gonna run it again essentially
2062.29 -> with the same stack, different resource names
2064.9 -> so we have consistency there.
2070.09 -> Pickles, fine grained
2073.57 -> And then.
2078.097 -> I use FG for fine grained.
2081.31 -> And we'll do some carrots right now.
2084.49 -> My key.
2087.07 -> And then I'm gonna choose this fine grained role,
2090.76 -> and I'm gonna run it, and we're gonna hope that it works.
2096.27 -> And so this create is in progress.
2098.08 -> So this is, essentially so you can see it go,
2103.69 -> and you can see it's creating the things
2105.73 -> that it needs to create.
2107.02 -> Meanwhile, this is still working.
2109.45 -> It says the policy generation is going on.
2113.05 -> I'm hoping that it will take a little bit of time,
2115.72 -> or not that much time.
2119.56 -> But we can go back and check some things out.
2126.73 -> All right, so while that is going on,
2132.4 -> yeah, I haven't created a policy for this one
2134.5 -> because it's already fine grained.
2135.7 -> And we can show you, I can show you the policy here.
2138.52 -> And all of these actions,
2140.119 -> this is what Access Analyzer came up with.
2143.41 -> I did not find any of these on my own.
2145.63 -> Now you might, I created the stack and deleted the stack.
2149.2 -> So if you're working with CloudFormation,
</gre_replace>
<gr_replace lines="894" cat="clarify" orig="2314.35">
2314.35 -> And what it does is it provides you actionable guidance
2150.37 -> you might not wanna give it delete permissions.
2152.41 -> You could remove that.
2155.17 -> That will give you some delete protection,
2156.61 -> especially for that DynamoDB table there.
2158.59 -> That's another thing that you can do.
2160.81 -> And you can see here that I have successfully created
2164.29 -> the Pickles Barn Fine Grained.
2166.99 -> All right, I'm gonna let this run,
2168.82 -> and I'm gonna come back to it for our next demo
2172.45 -> just so we can keep on.
2173.56 -> Oh, it finished just as I was gonna go back.
2176.14 -> Awesome.
2176.973 -> Okay, so this is the generated policy,
2180.34 -> and you just click next,
2182.32 -> and it gives you a summary of what was found.
2184 -> You can add other stuff if you want.
2186.46 -> And you click next.
2187.36 -> And here's the kicker.
2189.4 -> You get a policy with all these beautiful actions,
2192.13 -> and where you can specify resource controls,
2194.71 -> it gives you a resource template.
2196.84 -> And so I'm gonna actually fill in these resource templates,
2200.23 -> and I'm gonna copy/paste just for demo's sake.
2202.69 -> But if you wanna use resource constraints with naming,
2206.71 -> like if you want things to be named with Pickles,
2208.96 -> or whatever your favorite animal is named, you can do that.
2214.15 -> And so I'm just going through both for the Dynamo, the KMS.
2221.11 -> I had a create bucket that was run.
2223.84 -> Notice the delete bucket's not there
2224.997 -> 'cause CloudFormation won't do that, which is good.
2229.6 -> And you saw before, if I do control Z,
2233.98 -> oops, that these errors pop up at the bottom.
2236.38 -> We'll show policy validation in a second,
2238.18 -> but you can actually see where you don't have it.
2242.26 -> There we go.
2243.16 -> And now I have no more errors, and I just click next.
2246.73 -> And I can name my policy something fun
2249.97 -> like re:Invent Demo Wednesday.
2254.95 -> And then this will actually create
2257.38 -> and attach it to the role.
2259.69 -> So this would be my broad role,
2262 -> and I would go and then delete
2265.18 -> these broad AWS managed policies,
2267.46 -> and I would have a nice fine grained policy
2270.79 -> for my broad role.
2272.95 -> All right, so if you have broad roles out there,
2275.56 -> and these are especially good for CloudFormation templates,
2277.99 -> any workloads.
2278.823 -> Last year I demoed Lambda functions.
2281.89 -> Go out there and at least generate a policy,
2284.35 -> and it will get you started.
2285.82 -> You can always add conditions later.
2287.17 -> You can always add more resources.
2289.06 -> All right, so let's go to our next step.
2292.9 -> Back to the slides please.
2296.38 -> There we go.
2299.08 -> Policy validation.
2300.19 -> So who has written a policy in the IAM console
2303.43 -> or the S3 console?
2305.38 -> Oh, that's a lot of people.
2307.09 -> So you've all used policy validation, right?
2310.12 -> Policy validation is really powerful.
2312.1 -> It's one of my favorite tools that we provide.
2314.35 -> And what it does does is it provides you actionable guidance
2317.11 -> to author secure and functional policy.
2319.87 -> We have four types of findings that pop up
2323.8 -> as you author policies.
2325.42 -> Security findings.
2326.74 -> So these would be things that we think you should change
2329.47 -> to make more secure.
2330.97 -> Errors, these are your missing actions,
2333.7 -> or your misspelled actions, your commas, all of that.
2337.36 -> General warnings.
2338.41 -> This would just be to conform to best practices.
2341.14 -> Some of these would be like duplicate actions.
2343.03 -> And then suggestions.
2345.01 -> And so you can look at all four.
2347.29 -> If you are time constrained,
2348.73 -> please look at security and errors
2350.83 -> because security is gonna make sure that policy is secure,
2353.14 -> and errors are gonna make sure that it's functional.
2355.81 -> All right, and with Access Analyzer,
2358.66 -> we have your back with over 100 checks,
2361.96 -> and we're constantly adding more.
2363.76 -> Now what's the cool part about the policy validation
2366.04 -> is actually we're bringing it to where you author policies.
2369.52 -> So you have identity.
2371.77 -> We run this as you author policies in the IAM console,
2376.15 -> in bucket policies in the S3 console.
2378.52 -> We just launched role trust policies in the IAM console.
2382.09 -> So if you're showing role trust policies,
2385.06 -> there's a Terraform integration out there somewhere.
2387.82 -> And then unlimited possibilities with the API.
2390.64 -> What we are seeing customers do is we're seeing them
2395.08 -> put it into their CI/CD pipelines.
2398.41 -> We're seeing them run it continuously
2400.18 -> on their policies as well.
2403.03 -> All right, so I'm gonna demo again,
2405.34 -> and I'm gonna, I have a pretty not great policy,
2408.85 -> and we're gonna use policy validation to fix it up for me.
2412.93 -> All right, so I'm gonna go back to policies,
2418.48 -> and I'm gonna create a new policy
2420.25 -> just to show you what it's like.
2422.17 -> And these are for all of you JSON folks out there.
2425.65 -> And I am going to...
2431.913 -> I need my bad policy.
2436 -> Here we go.
2437.95 -> There we go.
2439.63 -> All right, so this is policy.
2443.11 -> And you can see, whew,
2444.91 -> four errors and three security warnings.
2447.67 -> Which one should I tackle first?
2450.52 -> Errors?
2451.353 -> Okay.
2452.186 -> I'll tackle the errors first just because somebody said it.
2454.9 -> All right, invalid action.
2456.64 -> IAM ListPicklesPolicy.
2460.21 -> Probably not valid.
2462.67 -> IAM ListPicklesRoles, also not valid.
2465.82 -> Okay, so I got rid of two.
2466.78 -> And you can see it's a progression.
2468.28 -> It always looks at it.
2470.32 -> Arn region not allowed.
2471.85 -> Okay, well it's a role, so it's a global resource.
2474.1 -> So we actually don't specify a region.
2477.16 -> So there we go.
2478.03 -> And then invalid condition key.
2479.83 -> Oh, Pickles is no longer great.
2484.81 -> Alright, so we got rid of the errors.
2486.01 -> That's wonderful.
2486.843 -> But look at these security warnings.
2488.17 -> So this is one of my favorite is PassRole.
2490.45 -> My favorite checks, by the way.
2492.07 -> PassRole with star.
2494.08 -> That most likely you have an admin role in your account,
2496.84 -> or a very powerful role in your account.
2498.25 -> And if you grant PassRole with star,
2500.38 -> you're essentially allowing people to pass that
2502.39 -> to a Lambda function,
2503.56 -> or an EC2 instance or whatever,
2505.15 -> and then use all the permissions in the account,
2507.28 -> which you don't want.
2508.113 -> So you wanna be able to pass only specific roles.
2511.63 -> So I'm actually gonna say, hey, Brigid can only pass roles
2515.89 -> that start with Pickles.
2518.02 -> Let's move it down there.
2520.06 -> This is what I was talking about
2521.59 -> with multi-value condition keys.
2523.69 -> Most condition keys are gonna be single valued,
2525.94 -> which means you don't need the ForAllValues or ForAnyValue.
2529.42 -> So I'm going to delete this
2531.13 -> and just rely on that StringEquals,
2533.59 -> which will match that condition key
2535.99 -> with the condition values that you specify.
2538.66 -> And now I have no security warnings, no errors,
2541.09 -> no warnings, and no suggestions.
2542.62 -> My policy should be in pretty good shape.
2545.74 -> All right, back to the slides, please.
2550.81 -> Policy validation, go check it out.
2552.37 -> Pop quiz.
2553.36 -> Which advice should you not follow?
2556.15 -> So this is a not question.
2558.4 -> Use policy validation as you author policies.
2561.22 -> Integrate policy validation in your CI/CD pipelines.
2563.89 -> Keep policy check ideas to yourself.
2567.43 -> And pay close attention to security warnings and errors.
2570.61 -> What's the answer?
2573.55 -> All right, the one you should not do is three.
2577.54 -> Please do share policy check ideas with us.
2580.78 -> They come in all the time,
2581.95 -> and we're actually adding them quite often.
2584.38 -> And so, please, please do share.
2587.17 -> It would be great.
2589 -> Pickle says so.
2592 -> All right, so we have set our permissions.
2593.98 -> We are well on our way.
2594.94 -> And now we are going to verify permissions.
2597.58 -> So what do you wanna look for when you inspect?
2600.01 -> You wanna look for public and cross account access
2603.1 -> 'cause you wanna know who's coming in
2604.36 -> and out of your account and who can.
2606.4 -> And you wanna look for access to add permissions.
2609.19 -> So like I said, IAM PassRole, PutBucketPolicy,
2613.51 -> AttachPolicy on star, and then Lambda.
2617.23 -> You can actually add permissions with Lambda,
2619.27 -> and you can create a function URL,
2620.92 -> and that function URL could be public as well.
2623.74 -> So please make sure you're looking at these things.
2626.68 -> This list is not comprehensive.
2628.513 -> There's probably a lot more.
2630.13 -> If I had a bigger slide I would add a lot more to this list,
2632.95 -> but these are my top picks.
2635.23 -> So check them out.
2636.76 -> All right, IAM roles, you should be using them.
2640 -> So they work.
2642.16 -> This is how.
2644.83 -> You create a role with access
2646.21 -> to take actions in your account.
2648.07 -> You specify the entities of the role
2650.59 -> from the identity providers.
2652.51 -> The entities call AWS STS.
2655.24 -> I hope you are all very familiar with that service.
2657.91 -> It's a very, very great service.
2661.12 -> And that means the entity can assume the role.
2664.6 -> STS verifies that the entity is allowed to assume the role.
2668.05 -> This is all in the trust policy.
2670.3 -> And then the entity uses the credentials
2672.22 -> to make AWS requests.
2674.38 -> And as they make those requests,
2675.67 -> all those requests are enforced based on the policies
2678.88 -> that are in your account, attached to your role, et cetera.
2681.34 -> Why are roles so powerful?
2684.46 -> Well, they have temporary credentials.
2686.14 -> They have fine-grained access
2689.44 -> to control what the roles can do,
2691.51 -> fine-grained permissions once they're assumed,
2693.91 -> They're auditable in CloudTrail.
2695.26 -> You can see a bunch of information.
2697.39 -> And my favorite part is that services use these as well.
2701.14 -> So you have service-linked roles and all that.
2703 -> This is how access is done in AWS.
2707.47 -> So types of roles.
2709.48 -> Service-linked roles,
2710.68 -> these are roles that services use to act on your behalf.
2715.12 -> With these roles, no one can change the trust policy,
2718.45 -> and nobody in your account can change the permission policy.
2723.07 -> If you are using an AWS service that uses a SLR,
2727.57 -> it is okay to say, hey, Brigid can create that SLR
2732.97 -> because she can't define the permissions on it.
2734.443 -> It's all defined by the service.
2736.42 -> So one SLR is actually IAM Access Analyzer.
2739.15 -> We continuously monitor the resources in your account
2741.82 -> for public and cross account access.
2743.2 -> We have a service-linked role.
2744.7 -> It says trust IAM Access Analyzer,
2746.62 -> and it allows us to list resources.
2749.41 -> So you can allow your engineers to create those.
2752.17 -> Service roles are roles that AWS services assume
2756.04 -> to perform actions on your behalf,
2757.78 -> but you specify the trust policy,
2759.64 -> you specify the permissions in it.
2762.04 -> This is when you're using EC2, Lambda.
2764.32 -> Like we don't know the permissions.
2766.42 -> You wanna make sure you're using this role,
2769.21 -> and specify the service in the trust policy,
2773.11 -> and don't combine a bunch together.
2775.09 -> You really wanna make sure you've isolated it.
2777.64 -> Federation roles are when you have a human assuming a role
2783.28 -> that is an identity.
2784.42 -> So you link it up, you trust an identity provider.
2787.33 -> Application roles are for your
2789.08 -> application to access resources.
2791.05 -> So you might have an application running on something.
2793.63 -> Then you would need to assume a role as well.
2797.05 -> Or third party applications use roles as well.
2799.12 -> There's a lot of third parties out there in the expo,
2801.22 -> and if you integrate them with your account,
2803.2 -> they should have a role.
2804.73 -> You would wanna set the ExternalID.
2806.917 -> And this is a trusted, unique identity,
2808.6 -> and you wanna make sure that your third party
2810.49 -> is actually making sure it's unique
2812.56 -> so that when you trust that third party,
2814.57 -> you know that it's for your account.
2816.97 -> And then IAM roles anywhere.
2818.44 -> This is what you would use if you're trying to get
2821.29 -> short term credentials for your on premises entities.
2824.59 -> So these are non-cloud entities to gain access to AWS.
2831.25 -> All right, trust policies, you have your effect.
2833.44 -> We all know, allow or deny.
2835.24 -> You have your principal.
2836.26 -> This can be an account, federated, or service.
2840.22 -> Those are your three options.
2842.17 -> Then you have the different actions.
2844.48 -> There are more actions here,
2845.53 -> but these are some that I called out.
2847.24 -> Based on the type of role something you're doing,
2849.25 -> you're either gonna AssumeRole,
2850.45 -> that'll be a direct cross account, or to a service,
2853.09 -> AssumeRoleWithSAML, or AssumeRoleWithWebIdentity.
2856.51 -> Those last two are federation.
2858.55 -> And then if you wanna set source identity,
2861.76 -> you can allow them to do that.
2862.84 -> That's on the assume role call as well.
2865.21 -> And then look at the conditions that you can have
2867.88 -> in a trust policy because this is where
2870.46 -> you wanna be able to get really specific.
2872.98 -> So the audience for SAML, you want that to be specific.
2875.71 -> You don't wanna just trust all the SAML.
2879.46 -> And same thing with ExternalID,
2881.26 -> if you're using an external partner or third party partner.
2885.52 -> And so, and RequestTag,
2887.08 -> that could be a tag that you bring in as well.
2891.25 -> All right, so here is a trust policy example.
2894.61 -> And we call this out because some people wanna trust GitHub.
2898.87 -> And so you would say, hey, I'm a principal,
2902.32 -> and what entity do I trust?
2903.49 -> I trust GitHub.
2905.62 -> Probably not a good idea just to trust all of GitHub.
2908.23 -> You wanna get specific.
2909.52 -> And so you say, all right,
2910.63 -> well, what do you trust them to do?
2912.1 -> They can assume with web identity into my account.
2915.31 -> What conditions must be met?
2917.53 -> Well, you want the subject to be from a specific repo,
2921.37 -> and you want the audience,
2922.96 -> which for the GitHub integration is sts.amazonaws.com.
2928.33 -> But right here, the conditions really matter.
2930.58 -> Because if not, it's a pretty broad access
2933.4 -> of who can assume this role, right?
2935.11 -> It's just trusting GitHub.
2939.82 -> And so as you inspect your roles,
2941.53 -> you're gonna be looking at trust policies.
2943.12 -> But what else can you look at?
2944.68 -> You wanna look at public and cross account findings
2947.14 -> for your roles.
2947.973 -> That's an Access Analyzer.
2949.75 -> Policy validation for trust policies,
2952.12 -> which I'll demo here in a second.
2953.89 -> Role last used,
2954.82 -> if you have a role that you have not used,
2957.25 -> it will show up, get rid of it.
2959.62 -> Marie Kondo it.
2961.36 -> CloudTrail will show you
2964.54 -> who's assumed the role, their source identity,
2966.64 -> like a lot of information about that role assumption
2968.89 -> for each event.
2970.21 -> And then Amazon Detective has the ability to show you
2973.87 -> who has chained roles together.
2976.15 -> So one role assuming another role to assuming another role.
2979.48 -> So these are all tools to help you inspect roles.
2983.26 -> All right, pop quiz on roles.
2985.45 -> To grant access to a third party partner,
2988.09 -> you should allow full admin access,
2991.84 -> rely on SourceIP restrictions,
2993.91 -> use the same role for multiple third parties,
2996.58 -> or use an ExternalID condition.
2999.34 -> Four, I saw so many good.
3000.69 -> You guys are getting so good at this.
3001.523 -> This is awesome, yeah.
3003.78 -> So once again, Pickles says, use an ExternalID.
3006.42 -> And I would ask your third party partner
3009 -> to make sure how they treat and manage their ExternalIDs
3013.05 -> and that they're actually setting them as unique identities.
3017.04 -> All right, so I talked about verifying public
3019.41 -> and cross account access.
3020.94 -> Access Analyzer.
3023.07 -> Who has it turned on?
3025.56 -> No.
3026.7 -> Would love some more hands.
3027.9 -> Okay, got some more.
3028.733 -> It took a while.
3029.566 -> All right, that's good.
3031.23 -> And so you can turn on Access Analyzer for your account
3034.71 -> or organization.
3037.83 -> It is three clicks, I think.
3040.68 -> I didn't count specifically, but it's short.
3043.2 -> And it's free, free of charge.
3046.74 -> So go turn it on.
3047.67 -> What happens?
3048.63 -> We continuously monitor and review access controls
3051.9 -> across 14 resource types.
3054.24 -> We added seven this year,
3057.39 -> RDS and some others that are skipping my brain.
3060.72 -> But go check out the new seven that we added
3062.79 -> to bring us to 14.
3065.34 -> The kicker here is that
3066.42 -> we don't just look at resource policies.
3068.19 -> We actually look at all of the resource controls
3070.83 -> on the resource.
3072.18 -> So if there's a service specific sharing mechanism,
3074.88 -> if there's block public access, we bring that all together.
3078.36 -> It is powered by automated reasoning
3080.88 -> to determine public or cross account access.
3084.39 -> We generate findings for you.
3085.92 -> You can review and verify.
3088.29 -> And then you basically can verify
3089.94 -> if they match your intent or not.
3093.75 -> So I mentioned automated reasoning.
3095.19 -> I talked about this last night, but I wanna review it here.
3097.92 -> What is it?
3098.753 -> Reasoning is the process of applying logic
3101.67 -> to build new conclusions.
3103.05 -> So when we talk about automated reasoning,
3105.15 -> we can reason about an infinite number of paths.
3107.7 -> And why is that?
3109.2 -> Because we can turn AWS into math.
3111.99 -> We can also turn a universal statement into math,
3114.99 -> and then we can send it through a solver
3117.33 -> to determine is there a path to public,
3119.97 -> is there a path to cross account access?
3122.7 -> And this gives us a comprehensive analysis
3124.83 -> of external access.
3126.63 -> And that's essentially how we've brought automated reasoning
3128.94 -> into Access Analyzer to make sure your findings
3131.88 -> tell you if there's a path to public,
3133.71 -> if there's a path to cross account.
3136.74 -> All right, so I'm gonna go and play with some roles
3140.19 -> in this demo here.
3142.56 -> So we're gonna inspect some things,
3144.27 -> and I'm just gonna kinda show you,
3145.89 -> pop around and show you some stuff in my account.
3148.86 -> All right, here we go.
3153.03 -> All right, if we can, there we go.
3156.06 -> Okay, so I have, here we go, a GitHub role.
3161.37 -> And I wanna show you the trust relationship.
3163.83 -> This is pretty broad.
3165.63 -> I'm gonna edit this.
3167.58 -> And you can see already that policy validation down here
3171.36 -> told me that it was broad.
3174.24 -> It's missing,
3175.44 -> and you can see it's missing the sub at the bottom.
3178.59 -> And so I will go and fix that.
3181.11 -> And that's just one that I wanted to show you,
3183.12 -> even though I showed you the policy.
3184.89 -> But if you happen to forget, don't worry.
3186.84 -> Policy validation has your back.
3189.39 -> And so I can kinda look at that.
3191.79 -> The other thing, and I have a suggestion here as well,
3194.19 -> but I'm gonna pop over here.
3196.56 -> The other thing is I have this
3201.66 -> role that I've basically trusted from
3204.18 -> one of my management accounts.
3206.73 -> And here's my trust policy.
3207.93 -> Here's my management account.
3212.61 -> And the policy's pretty good,
3214.53 -> but I want to preview access.
3216.45 -> I wanna see who can actually access this.
3218.52 -> I have Access Analyzer set up in my account already,
3220.8 -> which I'll show you in a second.
3222.42 -> And I can actually see who has access right now
3226.5 -> based on the policy that is in this thing.
3230.1 -> And you can see it's this account,
3232.2 -> and it's there as well.
3233.52 -> Now, if I were to modify this policy
3236.97 -> and trust a new account, what would happen?
3241.82 -> Well, I'm gonna preview access again.
3246.72 -> My findings aren't up to date.
3247.71 -> The console told me.
3248.543 -> That was so nice with them.
3252.03 -> Right, and so I had an existing one
3253.86 -> that's already in my account,
3255.54 -> but I have a new one.
3256.47 -> If I were to save this policy, this finding would show up.
3260.49 -> All right, so that's just a little bit about
3262.98 -> how to use it in real time as you're editing policies
3267.51 -> to go through and see what new findings you would have.
3270.72 -> And you can play around with conditions and all that
3272.94 -> and preview access before.
3275.22 -> Now, I wanna go,
3277.02 -> and I'm gonna actually look at Access Analyzer,
3281.13 -> and I'm gonna see all my findings.
3282.51 -> And you can see that I have findings here
3284.94 -> for that GitHub role because it was pretty broad.
3287.52 -> I haven't resolved that one yet.
3289.35 -> And the finding here says
3291.69 -> there's cross account access to this.
3293.97 -> If you think a finding is intended,
3295.8 -> like I actually do trust this account,
3298.38 -> it's my farm management account in my organization,
3301.32 -> then I can actually archive, create some archive rules.
3303.63 -> And you can see I already have a few archive rules,
3306.51 -> archive findings here.
3307.95 -> And you can define your archive rules as well.
3312.09 -> And so this is how as you're building out your roles,
3314.85 -> you can really see who has access.
3317.37 -> You can go look at your cross account access,
3319.23 -> refine it further,
3320.4 -> and then try it before you buy it with preview access.
3325.11 -> All right.
3328.08 -> Let's go back to the slide.
3330.06 -> So if you haven't checked out Access Analyzer,
3332.34 -> one, enable it,
3333.84 -> and then two, make sure you go and use the console.
3336.48 -> It's also available via API if you wanna preview access
3339.87 -> before you save a trust policy or on the command line.
3343.77 -> All right, the last part, refining permissions.
3348.48 -> So you want to remove anything you don't use.
3351.75 -> You wanna identify and safely remove unused permissions
3354.78 -> and make sure everything's all clean,
3356.25 -> just like Pickles getting a bath.
3358.35 -> What can you do to use this?
3359.94 -> You can use role last used.
3361.62 -> That will tell you the last time that role was used.
3364.14 -> If it hasn't been used in a long time, delete it.
3368.43 -> It does not bring you joy anymore.
3370.89 -> Access key last used,
3372.09 -> definitely if it hasn't been used in a while,
3376.11 -> a lot of customers are saying 90 days,
3378.6 -> some are saying 120 years, probably too much.
3382.35 -> Password last used,
3383.34 -> this is only if you're logging in with a console
3385.89 -> for an IAM user, but you can at least see it.
3388.05 -> A lot of customers are going in
3389.28 -> and cleaning up their IAM users and trying to reduce them.
3392.25 -> So these are the tools that you have to help with that.
3394.86 -> And then for each role, you grant access,
3398.46 -> and you would wanna look at what services they used
3400.89 -> and what actions they used.
3403.263 -> And you can do that for each role as well
3404.94 -> and remove anything that hasn't been used.
3407.1 -> And so I'm just gonna go poke around
3408.99 -> in my production account.
3410.28 -> We find that a lot of customers use
3411.96 -> the last access information in their production account
3414.72 -> because those have been running for a while.
3416.79 -> And they're like, okay, what can we trim down?
3420.09 -> And so I'll go over to my prod account
3424.38 -> in my temp organization, and then show you what is there.
3431.58 -> All right, flip to the screen.
3435.12 -> I am using Identity Center, by the way.
3437.22 -> So if you all don't have an identity provider,
3440.7 -> or you have an identity provider and you wanna sync it up,
3442.74 -> I really recommend doing account sign in
3445.83 -> with Identity Center.
3447.27 -> You can actually specify your own policies and all that now.
3450.93 -> So take a look if you haven't.
3454.14 -> So I have a Lambda function that I've been running.
3457.77 -> It's called Pasture Audit.
3459.66 -> It's been running a few times,
3461.1 -> and I have a role for it that I'm gonna.
3466.29 -> Here, and it's also called Pasture Audit.
3469.26 -> And I'm just gonna show you what this looks like.
3476.01 -> And so here are my permissions.
3477.15 -> I have a broad policy attached to it.
3479.13 -> That's actually from last year.
3481.2 -> And then in Access Advisor, I have granted access.
3486.93 -> And you can see all these things were used yesterday.
3488.97 -> So I probably wanna keep all of these,
3491.61 -> but you can go in and see like S3 specifically.
3494.82 -> Look at all these actions that haven't been accessed.
3496.8 -> There's actually only one that was.
3498.93 -> And so I can go in and refine that.
3501.24 -> And yes, we are working on getting more
3503.64 -> action last accessed.
3504.75 -> So, but today there's EC2, IAM, and S3,
3508.587 -> and I believe one more.
3510.48 -> So if you're trying to refine permissions,
3512.52 -> you can go in and actually see
3513.9 -> if they have been accessed or not.
3516.6 -> All right, so I was able to kinda look,
3518.55 -> and I could wean down my policy further if I wanted,
3521.31 -> but this is where people use things in production.
3524.88 -> All right, go back to the slides.
3526.02 -> We'll finish up here.
3529.35 -> You're all so eager to go
3531 -> and refine access to your policies.
3533.58 -> It's exciting.
3534.57 -> All right, so what do you take back to your teams?
3536.46 -> One, use the right permission for the right job.
3540.24 -> Harness the power of policies, especially conditions.
3543.99 -> Restrict public and cross account access.
3545.88 -> Identify it.
3546.75 -> Verify that it's actually what you intend.
3548.79 -> If not, remediate it.
3550.53 -> Restrict password access.
3552.69 -> Of course, enable Access Analyzer, IAM Access Analyzer.
3556.62 -> Validate your policies as you author,
3558.66 -> as you turn them into code.
3561.51 -> We got you.
3562.59 -> And then use policy generation.
3564.36 -> And we're seeing a lot of people use policy generation with
3568.5 -> like just to get started, and then they copy paste it
3571.35 -> or take it from the command line,
3572.7 -> and then put it in their infrastructure's code as well.
3575.88 -> All right, these are my favorite permission resources.
3578.73 -> The one on the top right,
3580.35 -> this seems to be very popular talk
3581.88 -> that I somehow cannot do better than myself,
3585.15 -> but becoming an IAM policy expert in 60 minutes or less.
3590.13 -> That's a talk from 2018.
3591.66 -> It still stands.
3592.493 -> It talks about permission boundaries, SCPs,
3594.15 -> all that good stuff.
3595.56 -> A least privilege journey, IAM policies and Access Analyzer.
3598.47 -> That was last year I believe.
3600.12 -> Yeah, 2021.
3601.86 -> And then how to use trust policies.
3603.63 -> We talked a lot about trust policies today,
3605.37 -> and verifying them,
3606.57 -> and all the conditions and what scenarios.
3608.55 -> This blog helped me build the slides
3611.4 -> 'cause it goes through all of the different examples
3613.65 -> and gives you really robust explanations of how things work.
3617.91 -> And then service authorization reference,
3620.07 -> every service, action, what actions you can specify for,
3625.23 -> or sorry, which resources you can specify for which actions,
3628.14 -> and what conditions you can specify for those.
3630.66 -> That is all on that page.
3633.06 -> It is one of the most used pages that I use
3635.61 -> to write my policies.
3637.47 -> And thank you for being here.
3639 -> Thank you for coming.
3639.833 -> Thank you for learning about policies.
3641.22 -> Please do submit your survey.
3644.19 -> I do look at them every year to try to improve.
3647.49 -> It's been a pleasure being here with you today.

Source: https://www.youtube.com/watch?v=x-Kh8hKVX74