July 5, 2019
One of the most common questions asked in discussions with customers is: how can I put effective security controls in place without too much overhead? In this blog post, we highlight three advanced techniques announced by AWS in the recent past to strengthen access control: controlling access to AWS resources using tags, delegating permissions safely using permission boundaries, and using AWS Session Manager to access EC2 instances.
Tag-based access control is a new feature that helps simplify permissions management. It controls access to AWS resources through conditions in IAM policies that match specific tags or tag values.
Note: tag-based, resource-level IAM permissions are supported only for specific services.
The way this works is: you tag IAM principals (users and roles) and also tag existing resources and/or new resources as they are created. You then write general permission rules based on these tags. This provides fine-grained resource access without having to update policies every time you create something new.
Permission boundaries allow an administrator to delegate permissions to developers safely by defining the maximum permissions a developer can grant. This is quite useful in organizations where DevOps teams work with a centralized admin team and need to move fast without waiting for admin approval for every single permission change. Here is how this works:
Permission boundary policy myPB: [Effect: Allow; Action: dynamodb:PutItem, dynamodb:UpdateItem; Resource: *; Condition: aws:RequestedRegion=us-east-1]
Developer's permissions (may only create roles that carry the boundary): [Effect: Allow; Action: iam:CreateRole, iam:AttachRolePolicy; Resource: <aws-account-number>:role/pbAppRole*; Condition: iam:PermissionsBoundary=<aws-account-number>:policy/myPB]
Developer's permissions (continued): [Effect: Allow; Action: iam:PassRole; Resource: <aws-account-number>:role/pbApp*]
Permissions policy the developer attaches to the role: [Effect: Allow; Action: dynamodb:*; Resource: <aws-account-number>:table/pbTable]
In the above example, even though the developer grants the role full DynamoDB access, the effective permissions are the intersection of the role's policy and the boundary: only the actions the boundary allows, on the developer's own table, in the us-east-1 region.
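As an added illustration (not code from the post), the following Python models how IAM intersects the role's own policy with the permission boundary for the example above. The account id is a placeholder, and the condition key aws:RequestedRegion is assumed as the real form of the post's "region=us-east-1".

```python
import fnmatch

# Constructed policies mirroring the post's example; the account id is a placeholder
# and the condition key aws:RequestedRegion is assumed for "region=us-east-1".
ACCOUNT = "123456789012"
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/pbTable"

# myPB: the permissions boundary the admin requires on every role the developer creates
PERMISSIONS_BOUNDARY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
}]}

# The over-broad permissions policy the developer attaches to pbAppRole
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "dynamodb:*", "Resource": TABLE_ARN,
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_allows(stmt, action, resource, ctx):
    """Simplified IAM matching: Allow effect, wildcard Action/Resource and
    StringEquals conditions only, which is enough for the post's example."""
    if stmt["Effect"] != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    conditions = stmt.get("Condition", {}).get("StringEquals", {})
    return all(ctx.get(key) in _as_list(expected) for key, expected in conditions.items())

def policy_allows(policy, action, resource, ctx):
    return any(_statement_allows(s, action, resource, ctx) for s in policy["Statement"])

def effective_allow(action, resource, ctx):
    """A request succeeds only if BOTH the role's own policy and the permissions
    boundary allow it; a boundary never grants anything on its own."""
    return (policy_allows(ROLE_POLICY, action, resource, ctx)
            and policy_allows(PERMISSIONS_BOUNDARY, action, resource, ctx))

if __name__ == "__main__":
    ctx = {"aws:RequestedRegion": "us-east-1"}
    for act in ("dynamodb:PutItem", "dynamodb:DeleteItem"):
        print(act, "->", "allowed" if effective_allow(act, TABLE_ARN, ctx) else "denied")
```

Explicit Deny statements and the other condition operators are left out, so this is a model of the intersection rule, not a substitute for the IAM policy simulator.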
While best practices recommend avoiding direct access to cloud resources and pushing for automation as much as possible, in the real world many customers still need SSH access to their instances while they transition to new ways of doing things.
Below are two commonly used patterns to restrict SSH access to EC2:
While a bastion host does help isolate access and resources, it comes with additional overhead: it needs to be managed and patched, and it has a cost associated with it.
Another major issue with SSH is that SSH session activity is not logged natively, so there is no audit trail.
Last year AWS announced a new service, AWS Session Manager, to address these problems. AWS Session Manager is a browser-based interactive shell and a command-line interface for managing Windows and Linux instances.
Although AWS provides several security capabilities and services to increase privacy and safety, the above-mentioned techniques can help strengthen access management in AWS. However, they need to be configured based on the security requirements of the organization.
As one of the leading AWS consulting companies, we offer end-to-end AWS Consulting Services. Connect with our AWS experts to get all inclusive Amazon Web & Cloud Services.