Tuesday, 10 May 2016

AWS IAM


Principal Type
  • AWS Account (root)
  • IAM User
  • Federated User
    • Web Federated User (Login with Amazon, Cognito, Facebook, Google)
    • SAML federated user
  • Assumed Role
  • Role assigned to EC2 instance
  • Anonymous

Credentials
  • Login Profile (username, password)
  • Access Keys
    • API: ListAccessKeys for a given user
      • CreateDate
      • Status (Active/Inactive)
    • Start with "AKIA..."
  • X.509
    • Required by certain EC2 CLI tools and AMI bundle (instance store) tools
    • Rarely used
  • CloudFront key-pair
  • Temporary Access Keys
    • Generated by STS
    • Start with "ASIA..."
    • Must be accompanied by "Session Token"
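The key-prefix and CreateDate/Status facts above are what a credential audit is built from. The following is an added example (not from the original notes or any AWS tool): it classifies key IDs by prefix, rejects an STS key presented without its session token, and lists active long-term keys older than a rotation threshold from a constructed ListAccessKeys-shaped sample (placeholder user names and key IDs).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the AccessKeyMetadata entries returned by
# iam:ListAccessKeys (placeholder user names and key IDs, not a real account).
SAMPLE_KEYS = [
    {"UserName": "jsmith", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": datetime(2015, 1, 10, tzinfo=timezone.utc)},
    {"UserName": "jsmith", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": datetime(2016, 4, 20, tzinfo=timezone.utc)},
    {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive",
     "CreateDate": datetime(2014, 6, 1, tzinfo=timezone.utc)},
]


def key_kind(access_key_id):
    """Classify an access key ID by its prefix: AKIA long-term, ASIA temporary (STS)."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def validate_credential_set(access_key_id, session_token=None):
    """Return None if the set is usable, otherwise the reason it is not.
    Temporary keys are only valid together with their session token."""
    if key_kind(access_key_id) == "temporary" and not session_token:
        return "ASIA key presented without a session token"
    return None


def stale_active_keys(keys, now, max_age_days=90):
    """Active keys created more than max_age_days before `now`, oldest first.
    Inactive keys are skipped; they should be deleted, not rotated."""
    cutoff = now - timedelta(days=max_age_days)
    stale = [k for k in keys if k["Status"] == "Active" and k["CreateDate"] < cutoff]
    return [k["AccessKeyId"] for k in sorted(stale, key=lambda k: k["CreateDate"])]


if __name__ == "__main__":
    now = datetime(2016, 5, 10, tzinfo=timezone.utc)
    for key_id in stale_active_keys(SAMPLE_KEYS, now):
        print("rotate:", key_id)
```

Against live data, feed the `AccessKeyMetadata` list from `aws iam list-access-keys --user-name <user>` into `stale_active_keys` instead of the constructed sample.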

Role
  • Can be assumed by various entities
  • 2 Policies
    • Trust - "who can assume the role?"
      • e.g. other AWS account
    • Access - "what can principal do?"
      • (e.g. "can upload to S3")
  • Has no long-term credentials of its own (STS issues temporary credentials when the role is assumed)
  • Use cases
    • Role for IAM user in other AWS account I own
      • IAM user from other AWS account can access (e.g. cross-account for AWS accounts I own)
    • Role for IAM user for Third Party company that performs a service (e.g. Skeddly)
      • sts:ExternalId should be a condition in the trust policy, to prevent the "confused deputy" attack (the third party must present the value on AssumeRole)
    • Role for AWS service
      • EC2 (Instance Profile), Data Pipeline, Elastic Transcoder, OpsWorks
      • Alternative: Service Linked Role
    • Role for Identity Federation
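The trust-policy and ExternalId points above in code. This is an added example (not from the original notes): a weak and a hardened trust policy for a third-party role, with placeholder account IDs and ExternalId value, and a check that flags Allow/AssumeRole statements admitting a principal from another account without an sts:ExternalId condition.

```python
# Constructed trust policies with placeholder account IDs (not a real account).
MY_ACCOUNT = "111111111111"

WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ThirdPartyAssume",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
    }],
}

HARDENED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ThirdPartyAssume",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        # The third party must send this opaque value on AssumeRole; it ties
        # the role to one customer so a confused deputy cannot assume it on
        # someone else's behalf. Placeholder value.
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-0001"}},
    }],
}


def as_list(x):
    return x if isinstance(x, list) else [x]


def account_of(principal):
    """Account ID from an ARN or bare account ID; None for the anonymous '*'."""
    if principal == "*":
        return None
    if principal.startswith("arn:"):
        return principal.split(":")[4]
    return principal


def missing_external_id(trust_policy, my_account=MY_ACCOUNT):
    """Sids (or positional index) of Allow statements that let a principal
    outside my_account assume the role without an sts:ExternalId condition."""
    findings = []
    for i, st in enumerate(as_list(trust_policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(st.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = st.get("Principal", {})
        # A bare "*" principal and any AWS principal from another account are
        # foreign; Service/Federated principals are out of scope for this check.
        aws_principals = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        foreign = [p for p in aws_principals if account_of(p) != my_account]
        if not foreign:
            continue
        condition = st.get("Condition", {})
        has_external_id = any(
            "sts:externalid" in {k.lower() for k in keys}
            for keys in condition.values()
        )
        if not has_external_id:
            findings.append(st.get("Sid", str(i)))
    return findings


if __name__ == "__main__":
    print("weak:", missing_external_id(WEAK_TRUST))
    print("hardened:", missing_external_id(HARDENED_TRUST))
```

The check only asks whether some condition key is sts:ExternalId; it does not judge the value, so pair it with a policy that the ExternalId is unique per customer and not guessable.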

Service Linked Role
  • Supported by subset of AWS Services (called Linked Services)
    • Lex
    • ElasticBeanstalk
  • AWS manages permission necessary for the Linked Service to work (managed policy)
    • Required permissions cannot be removed
  • Trust policy (who can assume the role) cannot be modified
    • Only Linked AWS Service can assume

Identifiers
  • Each entity has unique ID (e.g. "AIDAJQABLZS4A3QDU576Q")
    • Can be used to disambiguate
  • Friendly Name (e.g. "jsmith", "Administrators", "CloudWatchPolicy")
  • Paths - can be used to indicate division/department
    • No semantics attached (e.g. users with the same path do not share group)

Policy Elements
  • Version  (optional) - language version 
  • Id (optional) - required for some AWS services (e.g. SQS, SNS)
  • Statement (mandatory) - main element
    • Sid (optional) - statement identifier
      • For IAM policy basic alphanumeric string
      • Some services may require it to be unique     
    • Effect
      • allow
      • deny
    • Principal
      • IAM Role Trust Policy - entity who can assume the role
      • Resource Based Policy - entity who can access the resource
        • e.g. S3, SQS, SNS, Glacier, KMS
      • IAM User/Group - not required (implicit - "entity to which the policy is attached to")
    • NotPrincipal - use for exceptions with deny (whitelisting)
    • Action
    • Resource
    • NotResource
    • Condition
      • Multiple values listed for one key are OR'ed
      • Multiple keys (and multiple operators) are AND'ed (i.e. you must satisfy all of them)
        • e.g. MFA required AND Source IP

Policy Variables
  • Generalizes policy so that it can apply to mulptiple entities (e.g. IAM users)
    • ${aws:username}
    • Use Case: home folders in S3
  • Use cases
    • Resource
    • Condition 
      • String operators: StringEquals, StringLike, StringNotLike, etc.
      • ARN operators: ArnEquals, ArnLike, etc.
  • Variables
    • aws:username, aws:userid, aws:UserAgent, aws:SourceIp, aws:principalType, etc.

Policy Conditions
  • Optional element
  • Operators
  • Keys 
    • Global
      • aws:CurrentTime
      • aws:EpochTime
      • aws:TokenIssueTime
    • Service specific
      • S3 (examples)
        • s3:x-amz-acl
          • on PUT must specify a canned ACL
        • s3:x-amz-server-side-encryption
          • on PUT must specify the header (i.e. encrypt)
        • s3:x-amz-storage-class
          • on PUT enforce storage class
      • EC2 (examples)
        • ec2:Region
        • ec2:InstanceType

Policy Evaluation
  • Deny overrides Allow

Effective Permissions (privilege escalation)
  • PutUserPolicy (I can modify my own privileges)
  • Credential creation (e.g. CreateAccessKey/CreateLoginProfile for another user, or requesting temporary credentials via AssumeRole)
  • PassRole (I can launch my own instance, pass it a high-privilege role and get temporary credentials out of it)
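A triage filter for the escalation primitives listed above. This is an added example (not from the original notes): constructed sample policies (placeholder account ID) are scanned for Allow statements whose action wildcards cover each primitive, including the PassRole + RunInstances pair. The Lambda CreateFunction pairing is added here as the same PassRole pattern on a different service; it is not in the notes above. The scan deliberately ignores Deny statements and Resource/Condition scoping, so it over-reports; confirm hits with the Policy Simulator.

```python
from fnmatch import fnmatchcase

# Escalation primitives from the notes above plus the Lambda PassRole path.
# Constructed list, not exhaustive; every action in an entry must be granted.
ESCALATION_CHECKS = [
    ("edit own inline policy", ["iam:PutUserPolicy"]),
    ("attach managed policy to self", ["iam:AttachUserPolicy"]),
    ("create access key for another user", ["iam:CreateAccessKey"]),
    ("set console password for another user", ["iam:CreateLoginProfile"]),
    ("launch EC2 instance with a privileged instance profile", ["iam:PassRole", "ec2:RunInstances"]),
    ("create Lambda function with a privileged execution role", ["iam:PassRole", "lambda:CreateFunction"]),
]

# Constructed sample policies with a placeholder account ID (not a real account).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111111111111:role/app-*"},
    ],
}
READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}],
}
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def as_list(x):
    return x if isinstance(x, list) else [x]


def allow_action_patterns(policy):
    """Action patterns from Allow statements only. Deny statements and the
    Resource/Condition scoping are ignored, so the result over-approximates."""
    return [a for st in as_list(policy["Statement"]) if st.get("Effect") == "Allow"
            for a in as_list(st.get("Action", []))]


def grants(patterns, action):
    """True if any pattern (e.g. 'ec2:*', '*') covers the action; case-insensitive."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def escalation_paths(policy):
    """Names of ESCALATION_CHECKS whose actions are all granted by the policy."""
    patterns = allow_action_patterns(policy)
    return [name for name, needed in ESCALATION_CHECKS if all(grants(patterns, a) for a in needed)]


if __name__ == "__main__":
    for label, policy in [("developer", DEVELOPER_POLICY), ("readonly", READONLY_POLICY), ("admin", ADMIN_POLICY)]:
        print(label, escalation_paths(policy))
```

The developer policy hits only the EC2 path: PassRole is scoped to `app-*` roles, so the real question becomes which of those roles carries more privilege than the developer, which is exactly the review this filter is meant to trigger.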

Policy Simulator
  • Tool to test policies (existing or new)
    • Does the user have access to an action on a resource?
      • Explains why they are allowed/denied access
    • Also available from the CLI: aws iam simulate-principal-policy (existing principal) and aws iam simulate-custom-policy (policy document under test)

Decoding Authorization Message
  • Details about authorization failure (403)
  • Can be decoded with STS (sts:DecodeAuthorizationMessage, e.g. aws sts decode-authorization-message --encoded-message <blob>); the caller needs permission for that action

Misc
  • Resource-specific policy vs. Tag based policy
    • Resource - very fine grained control
    • Tag based - logical group (e.g. for a project)

