Security Demonstrations¶

The security demonstrations are aimed to get hands-on experience around:

Basic IAM role and user authorization
Evaluating cross-account access management
Integrating with third-party identity providers
Deploying encryption strategies for data at rest and data in transit
Developing a strategy for centralized security event notifications and auditing

Basic demonstrations¶

Define users and groups with IAM¶

See summary on IAM. Better to define user and do not use root user. User can be created using CloudFormation or CDK. See cdk samples and the aws-remote-svc-access-from-k8s repository to demonstrate remote service access from k8s..

IAM Role to trust a user to access AWS Service like EC2¶

A user has no access to any of AWS services, but can login to the AWS console. The demo aims to show how to add an IAM role, trusting an IAM user, and defining a policy to get full access to EC2 service. When user switches to the new role in the AWS console, the security context changes.

Manual demonstration

Create a user in IAM (named Julie): authorize access to the AWS console, with custom password, and no other permissions.

Add a role named EC2FullAccessRole, with a trusted relationship for the created user as principal: iam:user...:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::4....:user/Julie"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Add the permission for the user to get EC2 full access via the managed policy: AmazonEC2FullAccess

So now the user will be able to assume the role.

Login in a private web browser session, using IAM user option on the AWS account the user belongs to, and the newly created user.
Go to the EC2 service, we should get API errors like below:
Switch Role from the AWS console, user top right menu, and select the role:
Should now see the EC2 console without any error.

Using CDK to create users and policies¶

The cdk in labs/cdk/iam-user creates the Julie user, role, the EC2 permission policy, then we can use the same step as above to login to the console and assume the role

How it was built

Jumpstart the cdk

cdk init sample-app --language python

Modify the iam_user_stack.py by adding a user, a role, and attach amazon policy.

 user = iam.User(self,
                    "Julie",
                    user_name="Julie",
                    password=SecretValue.unsafe_plain_text("Passw0rd!")
                    )

    role = iam.Role(self,"EC2FullAccess",
                    role_name="EC2FullAccess",
                    description="A role to allow user to do EC2 work",
                    assumed_by=user,
                    managed_policies=[iam.ManagedPolicy.from_aws_managed_policy_name("AmazonEC2FullAccess")])

cdk synth and cdk deploy
Execute the same demo to login Julie user and access to EC2.

Advanced Demonstrations¶

See the product IAM tutorials and IAM workshops like Refining IAM Permissions Like A Pro.

Cross Accounts authorization¶

The IAM tutorial, Delegate access across AWS accounts using IAM roles, demonstrates how to create a role to establish trust with another account and define what actions trusted entities can take:

Create a S3 bucket in Production account
Create a policy to control access to the S3 bucker
Create a role in Production account with this policy attached and as a trusted relationships the Account A
Create a policy in the Account A for user to assume the role defined in Production account

See the SDK code to do the same thing but for a role so an application can act on S3 bucket on another account in labs/security/sts-demo

Then, modify a user group policy to control which IAM users can access the role. As a result, developers from the Development account can make updates to the production bucket in the Production account by using temporary credentials.

Attribute-based access control¶

The attribute based access control uses tags to control access to resources for 2 projects, using different groups of user (dev, qas). See the labs/security/iam folder for cdk to do the same tutorial.

Cross Accounts authorization¶

This is a common use case, where a main account A can read DynamoDB table and put message to SQS queue in a second account B, the owner of the queue.

Create a second account.

Create a SQS and define an Amazon SQS policy that specifies both accounts as Principal

"Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::<account_id_owner_queue>:root",
      "arn:aws:iam::<account_id_client_queue>:root"
    ]
  },
  "Action": "SQS:*",
  "Resource": "arn:aws:sqs:us-west-2:<account_id_owner_queue>:MyQueue"
}

Test to send and receive message from the owner account
Login to the client account (via STS token while using from a remote computer/laptop)

Specify the SQS client to use queue and id of the specified account

sqs = boto3.resource('sqs')
queue = sqs.get_queue_by_name(QueueName='MyQueue',QueueOwnerAWSAccountId="account_id_owner_queue")
response = queue.send_message(MessageBody='Hello from client app')

Use the AWS console, SQS console to look at the messages

Other samples¶

AWS Organizations playground: a repo to play with cross accounts access control using Organizations.