Amazon AWS Security Concepts

From NovaOrdis Knowledge Base
Jump to navigation Jump to search

External

Internal

Overview

Read this first:

Understanding and Getting Your Security Credentials

AWS Account

https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html

The AWS Account is identified by a 12 digit account ID or an alias. There's no mention of "account name" in AWS documentation. Each AWS account has associated a special sign-in identity that has complete access to all AWS services and resources in the account, called AWS account root user. Each AWS account has its own billing and subscriptions to AWS products. Each AWS account has its own IAM users, groups and roles. To create an AWS account, go to http://aws.amazon.com, and then click Sign Up. For more details see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html. It is a common practice to keep different environments separated from each other by using different AWS accounts, one per environment. This approach helps with resource isolation.

Account ID

https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html

The AWS Account ID is a 12-digit number, which uniquely identifies an AWS account.

The AWS account ID is reported on command line by:

aws sts get-caller-identity

The sign-in page URL has the following format by default:

https://<Account_ID>.signin.aws.amazon.com/console/

Account Alias

A reason to introduce an account alias is to give a friendly name to the sign-in page. If an alias is created, then the sign-in page can also be accessed at:

https://<Account_Alias>.signin.aws.amazon.com/console/

The AWS account can have only one alias. If a new alias is created, the new alias overwrites the previous alias, and the URL containing the old alias stop working. The account alias must be unique across all AWS products. It must contain only digits, lowercase letters and hyphens.

The account alias can be obtained with list-account-aliases IAM CLI operation.

AWS Account Root User

The AWS Account Root User

The AWS account root user is the special, unique sign-in identity that has complete access to all AWS services and resources in the AWS account.

AWS services require that you provide credentials when you access them. The console requires your password. You can create access keys for your AWS account to access the command line interface or API. However, it is not recommended to access AWS using the credentials for your AWS account root user. Use an IAM user, which is an authenticated identity associated with a person, system, or application who can use AWS products, each with individual security credentials, all controlled by and billed to a single AWS account. The IAM user is provisioned with IAM.

Cross-Account Delegation Access

Cross-Account Delegation Access

IAM (AWS Identity and Access Management)

IAM Concepts

AWS Identity and Access Management is a web service that enables AWS customers to manage users and user permissions in AWS. The service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon RDS, and the AWS Management Console. With IAM, the AWS account root user can can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access, and delegate these privileges to other IAM users. In fact, it is recommended practice that AWS account root user creates a corresponding IAM user, which is then used for administrative activities, thus making unnecessary logging in as AWS account root user.

Without IAM, organizations with multiple users and systems must either create multiple AWS accounts, or employees must all share the security credentials of a single AWS account. Also, without IAM, you have no control over the tasks a particular user or system can do and what AWS resources they might use. IAM addresses this issue by enabling organizations to create multiple IAM users.

IAM allows granting different permissions to different people for different resources.

IAM allows generation of credentials for applications that run on EC2 instances. These credentials provide permissions for your application to access other AWS resources, such as S3 buckets or DynamoDB tables.

IAM allows multi-factor authentication (MFA) for the AWS account root user and other individual accounts.

IAM, like many other AWS services, is eventually consistent. IAM achieves high availability by replicating data across multiple servers within Amazon's data centers around the world. If a request to change some data is successful, the change is committed and safely stored. However, the change must be replicated across IAM, which can take some time. Such changes include creating or updating users, groups, roles, or policies.

IAM Identifiers

Friendly Name

Also see path, below.

IAM ARN

IAM Unique ID

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids

When IAM creates a user, user group, role, policy, instance profile or server certificate, it assigns to each resource a unique ID, with standard prefixes:

Prefix Resource Type
ABIA AWS STS service bearer token
ACCA Context-specific credential
AGPA IAM Group
AIDA IAM User
AIPA Amazon EC2 instance profile
AKIA Access key
ANPA Managed policy
ANVA Version in a managed policy
APKA Public key
AROA IAM Role
ASCA Certificate
ASIA Temporary (AWS STS) access key IDs

IAM Identities

An IAM identity is a IAM user, a group of users or a role. IAM identities get permission policies attached to them, and the permissions specified in these policy define what kind of access the identity has for a specific AWS resource.

The IAM identity of a user making an AWS CLI call is reported on command line by:

aws sts get-caller-identity
{
    "UserId": "AIXXXXXXXXXXXXXXXXXXX",
    "Account": "999999999999",
    "Arn": "arn:aws:iam::999999999999:user/test-user"
}

IAM User

IAM User

An IAM user is an entity with an authenticated identity associated with a person, system, or application who can use AWS products, each with individual security credentials, all controlled by and billed to a single AWS account. With IAM, each user is allowed to do only what they need to do as part of the user's job.

AWS account root user (ovidiu@acme.com)
 └─ IAM Users
     └─ ofeodorov

When a new user is created, its IAM unique ID is prefixed by "AIDA".

IAM User Operations

IAM Group

IAM Group

An IAM Group is a collection of IAM users, whose main purpose is to define permissions for multiple users. When a new group is created, its IAM unique ID is prefixed by "AGPA".

IAM Group Operations

IAM Role

IAM Roles

An IAM role is an IAM identity that associates specific permission policies, which ultimately translate to specific permissions, for a set duration of time, to another entity. When a new role is created, its IAM unique ID is prefixed by "AROA".

An IAM Role can be conceptually thought of as a set of temporary credentials. It is also important to understand that there can be just one role in effect at a time - a single set of security credentials. There is not such a thing as multiple roles at the same time.

The entities an IAM role can be associated with are IAM users, application code running on an EC2 instance that needs to perform actions on AWS resource, an AWS service that needs to act on a resource on a user's account to provide its features, users from a corporate directory who use identity federation with SAML, etc.

A role works by issuing keys that are valid for short durations, making them a more secure way to grant access. The role does not have standard long-term credentials such as a password or long-lived access keys associated with it. The role provides the entity assuming it temporary security credentials for the role session.

A role contains:

  • one (or more) permission policies, which tell what individual permissions the role has, what resources can be accessed and what actions can be performed on these resources.
  • the "trust relationship", which consists of one and only one trust policy that says what trusted entities can assume this role.

From this perspective, an IAM role is similar to an IAM user, in that it is an IAM identity with permission policies that determine what the identity can and cannot do in AWS and also what trusted entities can assume this identity. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

Roles can be used to delegate permissions to an AWS service to carry out actions in behalf of the logged in user, to enable application code running in EC2 to access and modify resources, to grant access to users from another AWS account or to enable federated sign-in.

AWSIAMRole.png

Assuming a Role

How do I assume an IAM role using the AWS CLI?
Switching to an IAM Role (AWS CLI)

An entity can assume a role. "Assuming a role" means that the credentials the entity interacts with AWS resources change. When the role is assumed, the role issues temporary security credentials that can be used to access resources or call AWS services. This is a security best practice, which consists in using short term credentials.

The role carries a policy that grants the entity the permission to assume the role.

More practical details on how a role can be assumes are available in the Operations page:

Assuming an IAM Role

Role Attributes

Roles can be created programmatically as part of CloudFormation stacks, by using the resource type AWS::IAM::Role. A role has the following attributes, which can be declared as "Properties":

RoleName

Represents the physical ID of the role. If not specified in the CloudFormation template, a name will be generated: if the role is declared by a "thalarion" stack, then, after successful creation, the role's physical ID will be "thalarion-CodeBuildServiceRole-A479B6WNRHSSG". It is a String between 1 and 6 character, that must match the following pattern: [\w+=,.@-]+

Path

The path to the role, which will become part of the friendly name.

AssumeRolePolicyDocument

Declares the trust policy that grants an entity permission to assume this role. The policy specifies which entities (for example service) are allowed to assume the role.

Policies

The list of permission policies implied by the role.

Trust Policy

An IAM role, and in general an IAM identity, has one, and only one trust policy. The trust policy specifies what entities can assume the identity - a trust relationship defines who can assume a role. This can be visually inspected in the AWS IAM Console, selecting a role shows its Trusted entities in a dedicated column.

When a role is created with AWS Console, the trust policy is created automatically and it can be customized afterwards.

In the trust policy example below, the entity that can assume (sts:AssumeRole) the role with this trust policy is the "ec2.amazonaws.com" service, but the trust policy can contain more than one principals (AWS account, IAM user, IAM role, federated user or assumed-role user). More details about the content of the "Principal" section are available in the Trusted Entity section, below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": { 
          "Service": "ec2.amazonaws.com",
          "AWS": [
             "arn:aws:iam::123456789012:root",
             "arn:aws:iam::999999999999:user/some.user"
          ]
       },
      "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
    }
  ]
}

Trusted Entity

AWS JSON Policy Elements: Principal

The trusted entity is defined in the "Principal" section Trusted entities can be:

  • an AWS account, declared as "arn:aws:iam:999999999999:root" in the Principal section of the trust policy.
  • an IAM User, declared as "arn:aws:iam::999999999999:user/example-username" in the Principal section of the trust policy.
  • an identity provider

If the entity that eventually needs to assume the role is different from the entities listed in the "Principal" section, there must be at least one principal there that allows the end recipient to assume the role. For more details, see Creating a Role to Delegate Permissions to an IAM User.

If the Principal element contains the ARN for a specific IAM role or user, then that ARN is transformed to a unique principal ID when the policy is saved. This helps mitigate the risk of someone escalating their permissions by removing and recreating the role or user. The unique principal ID is not normally seen in the console because there is also a reverse transformation back to the ARN when the trust policy is displayed. However, if the the role or user is deleted, then the principal ID appears in the console because AWS can no longer map it back to an ARN. Therefore, if you delete and recreate a user or role referenced in a trust policy's Principal element, you must edit the role to replace the ARN.

Trust Policy Operations

AWS Service Role

An AWS Service Role is a role that a service assumes to perform actions in a user's account, on the user's behalf. The service role must include all permissions required for the service to access the AWS resources it needs. Service roles provide access only within user's account and cannot be used to grant access to services in other accounts. A service role works if the user who attempts to use it has the permissions to pass it (iam:PassRole).

AWS Service Role for an EC2 Instance

Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances
IAM Roles for Amazon EC2

An application running on an EC2 instance needs AWS credentials to interact with any AWS services via API calls. A crude way to address this problem is to give the application access to AWS credentials (passwords or keys), by storing those credentials directly within the EC2 instance. This poses problems: credential management, secure transmission of those credentials - it's best not to be done that way.

The recommended alternative is to give the EC2 instance a special service role, via a mechanism named instance profile. The service role can then be assumed by the application running on the EC2 instance, allowing it to perform actions. The role is assigned to the EC2 instance when it is launched. Applications running on that instance can retrieve role-supplied temporary security credentials and perform actions that the role allows. The temporary credentials are rotated automatically, so the developers do not have to manage credentials and do not have to worry about long-term security risks.

The sequence of operations required to set up and use an EC2 service role is:

Instance Profile
Using Instance Profiles

An instance profile is a container for one and only one EC2 service role, and it is used to pass information about this role to the EC2 instance when it starts. An instance profile can contain only one IAM role, though a role can be included in multiple instance profiles. The existing role can be removed from the instance profile, and a different role can be added to it. This kind of change propagates across all AWS through eventual consistency:

{
  "Path": "/",
  "InstanceProfileName": "my-instance-profile",
  "InstanceProfileId": "BIPAIOJX2D4X5IJ3RBOZ8",
  "Arn": "arn:aws:iam::000000000000:instance-profile/my-instance-profile",
  "CreateDate": "2018-06-29T12:54:14Z",
  "Roles": [
    {
      "Path": "/",
      "RoleName": "my-ec2-role",
      "RoleId": "BROAIARHQAIPLH2K2UOO8",
      "Arn": "arn:aws:iam::000000000000:role/service-role/my-ec2-role",
      "CreateDate": "2018-06-29T12:54:14Z",
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
        {
           "Effect": "Allow",
           "Principal": {
              "Service": "ec2.amazonaws.com"
            },
          "Action": "sts:AssumeRole"
        }
        ]
       }
     }
   ]
}

The instance profile mechanism is needed because an application running on an EC2 instance is abstracted from AWS by the virtualized operating system. Because of this extra separation, an additional step is needed to assign an AWS role and its associated permissions, and this step is the creation of the instance profile.

IAM console provides transparent management of the instance profile. However, if CLI or API are involved, the instance profile must be first created, then associated with the EC2 instance in two separate steps.

The instance profile is one of the credential providers in the credential provider chain.

An instance profile can be granted cross-account delegation access via an IAM policy.

Instance Profile Operations

Granting a User Permissions to Pass a Role to an AWS Service

Granting a User Permissions to Pass a Role to an AWS Service

To pass a role and implicitly its permissions to an AWS service, a user must have permissions to pass the role to the service. This helps administrators ensure that only approved users can configure a service with a role that grants permissions. To allow a user to pass a role to an AWS service, the user must be granted the iam:PassRole permission, either directly, or to one of its roles or groups.

AWS Service-Linked Role

Role Session

The role session has a maximum duration, which can be configured in the AWS console from the role UI.

IAM Role Operations

Permission Policy

Policies and Permissions

An IAM identity has a set of permission policies, which specifies what permissions the identity has. In other words, the permission policy specifies what resources can be accessed and what actions can be performed on these resources.

Permission policies can get associated with IAM identities (IAM Roles, IAM Users, IAM Groups) or with AWS resources.

The policies control what actions an entity can perform, on which resources, and under what conditions. Most policies are stored in AWS as JSON documents. AWS supports six types of policies:

  1. identity-based policies
  2. resource-based policies
  3. permissions boundaries
  4. organizations service control policies (SCPs)
  5. access control policies (ACLs)
  6. session policies

Types of Permission Policies

Identity-Based Policies

Identity-based policies are JSON permissions policy documents that can be attached to an identity (user, group, role) and grant permissions to that identity, hence the name. Identity-based policies can be:

  1. managed policies
  2. inline policies

Managed Policies

A managed policy is a standalone identity-based policy that can be attached to multiple users, groups, and roles in an AWS account. There are two types of managed policies:

AWS Managed Policies

Managed policies that are created and managed by AWS. They can be quickly visually identified by their icon:

AWSManagedPolicy.png

The ARN of a policy that is managed by AWS is:

 arn:aws:iam::aws:policy/PolicyName

AWSManagedPolicies.png

Customer Managed Policies

Customer managed policies are managed policies create and manage by users in an AWS account. Customer managed policies provide more precise control over policies than AWS managed policies. IAM policy can be created and edited in a visual editor or by creating the JSON policy document directly. Once created, policies are referenced by their ARNs. The ARN of a customer-managed policy is:

 arn:aws:iam::AWS-account-number:policy/PolicyName
Customer Managed Policy Example

A permission policy is a collection of permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["elasticloadbalancing:*"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::kubernetes-*"
      ]
    }
    ...
  ]
}
Customer Managed Policies Operations

Inline Policies

Policies created by users and that are embedded directly into a single user, group, or role. In most cases, inline policies usage is not recommended:

Managed Policies and Inline Policies

Resource-Based Policies

Difference between Identity-Based Policies and Resource-Based Policies

Identity-Based Policies and Resource-Based Policies

IAM Permissions Boundaries

Service Control Policies (SCPs)

Access Control Policies (ACLs)

Session Policies

Permission

A permission is a piece of information that specifies what kind of access the bearer of the permission has a specific AWS resource. A permission is associated with an IAM identity, a role for example, via permission policies. AWS evaluates the permission present in the policy when a principal entity (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Permissions for an action are valid regardless of the method that is used to perform the operation on a resource. For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API.

The JSON rendering of an individual permission is similar to:

{
  "Effect": "Allow",
  "Action": [
    "ec2:AttachVolume",
    "ec2:CreateSnapshot",
    ...
  ],
  "Resource": "*"
}

The permission consists of an "effect" ("Allow" or "Deny"), an action, such as "ec2:AttachVolume", and a list of resources permission applies to. Optionally, the permission may include a "condition".

Action

Note that the actions are sometimes referred to as "permissions", which implies that the action is part of a formal permission construct associated with the entity requiring it.

API Access Key

https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html

Each IAM user has a set of API access keys. These keys are needed when the user attempts to make programmatic calls to the AWS backend, using Amazon EC2 CLI tools or the AWS SDK for Java. The keys are used to sign the calls. The user can create, modify, view and rotate these access keys.

An access keys consists of two items:

  1. an Access Key ID (example AKIAIOSFODNN7EXAMPLE))
  2. a Secret Access Key (example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY)

When creating an access key, IAM returns the access key ID and the secret access key. The secret access key is only accessible at the time it was created. If the secret access key is lost, the corresponding access key must be deleted and recreated. What is the relationship between Access Key ID and Secret Key?

The access keys can be managed here: https://console.aws.amazon.com/iam/home?#security_credential by navigating to Users → username → My security credentials → AWS IAM credentials → Access keys for CLI, SDK, & API access.

For details on how access keys can be set in the local environment, see Setting AWS Credentials below.

AWS Credentials

User ID

The "User ID" associated with the entity that is making the call is returned by:

aws sts get-caller-identity

Access Key ID

Secret Access Key

Secret Key ID

Session Token

Credentials Profile

Credential Providers

https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html

When an AWS client (CLI, SDK) needs credentials, they use a provider chain to look for credentials in a number of different places, in this order (first matching is used): command-line options, environment variables, AWS credentials file, CLI configuration files and instance profiles.

TODO

Credential Provider Operations

Setting AWS Credentials

Setting AWS Credentials

AWS CLI Configuration Files

AWS CLI Configuration Files

MFA Multi Factor Authentication

Instance Access Key Pairs

Amazon AWS uses public-key cryptography to secure the login to instances. The instance has no password - you use a key pair to access your instance securely. The key pairs are provisioned either via the web interface or with Amazon CLI tools. During the provisioning process, the keys pairs are named. When the instance is created, you need to specify the name of the key pair to use to protect access to it: Amazon will install the public certificate in ~/.ssh/authorized_keys when creating the instance, and then you need to provide the private key of the pair to your ssh client when logging into the instance.

External reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

This is the procedure to create a key pair.

Security Group

Security Group

Temporary Security Credentials

Temporary Security Credentials

AWS provides a mechanism through which temporary credentials are provided to authenticated users with proper permissions. This allows the users to make API calls against AWS accounts they do not really have an IAM user for - hence no proper AWS access key, provided that the account allows cross-account delegation access.

Temporary security credentials is how IAM roles work: assuming a role means issuing temporary security credentials unique to that role, that allow the entity assuming the role to perform the actions and access the resources allowed by the role. This is achieved by making an API call to AWS Security Token Service STS:AssumeRole. The service returns a temporary access key ID, a secret key and a security token that can then be used to sign future API calls. Also see cross-account delegation access.

Temporary Security Credentials for EC2 Instances

Temporary Security Credentials for EC2 Instances

AWS Security Token Service (STS)

AWS Security Token Service

Instance Metadata Service Version 2 (IMDSv2)

Instance Metadata Service Version 2 (IMDSv2)