As a security consultant, securing your infrastructure by implementing policies and following best practices is critical. This cookbook discusses practical solutions to the most common problems related to safeguarding infrastructure, covering services and features within AWS that can help you implement security models such as the CIA triad (confidentiality, integrity, and availability) and the AAA triad (authentication, authorization, and accounting), along with non-repudiation.
The book begins with IAM and S3 policies and later gets you up to speed with data security, application security, monitoring, and compliance. This includes everything from using firewalls and load balancers to secure endpoints, to leveraging Cognito for managing users and authentication. Over the course of this book, you'll learn to use AWS security services such as Config for monitoring, as well as maintain compliance with GuardDuty, Macie, and Inspector. Finally, the book covers cloud security best practices and demonstrates how you can integrate additional security services such as Glacier Vault Lock and Security Hub to further strengthen your infrastructure.
By the end of this book, you'll be well versed in the techniques required for securing AWS deployments, along with having the knowledge to prepare for the AWS Certified Security – Specialty certification.
Page count: 394
Year of publication: 2020
Copyright © 2020 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Karan Sadawna
Acquisition Editor: Shrilekha Inani
Content Development Editor: Pratik Andrade
Senior Editor: Arun Nadar
Technical Editor: Mohd Riyan Khan
Copy Editor: Safis Editing
Project Coordinator: Neil Dmello
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Production Designer: Nilesh Mohite
First published: February 2020
Production reference: 1260220
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-83882-625-3
www.packt.com
Packt.com
Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Fully searchable for easy access to vital information
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Heartin Kanikathottu is an author, architect, and tech evangelist with over 12 years of IT experience. He has worked for companies including VMware, IG Infotech, Software AG, SAP Ariba, American Express, and TCS. His degrees include a B-Tech in computer science, an MS in cloud computing, and an M-Tech in software systems. He has over 10 professional certifications in the areas of the cloud, security, coding, and design from providers such as AWS, Pivotal, Oracle, Microsoft, IBM, and Sun. His blogs on computer science, the cloud, and programming have followers from countries across the globe. He mentors others and leads technical sessions at work, meetups, and conferences. He likes reading and maintains a big library of technical, fictional, and motivational books.
Sneha Thomas is a senior software engineer with around 10 years of IT experience. She is currently working at Australia and New Zealand Banking Group Limited (ANZ) as a technical lead. She has a master's degree with a specialization in cloud computing and a bachelor's degree in electronics and communications. She has very good knowledge of the AWS cloud as well as many other public clouds. She currently works as a full-stack developer and has worked on various technologies such as Java, Spring, Hibernate, and Angular, along with various web technologies such as HTML, JavaScript, and CSS. She was the reviewer for the book Serverless Programming Cookbook from Packt Publishing. She also likes writing blogs, and her Java blog has a good number of followers.
Michael J. Lewis currently works in the Cloud Enablement practice at Slalom Consulting in Atlanta, Georgia, specializing in AWS and DevSecOps. A computer science major and a U.S. naval submarine veteran with over 25 years' experience in the computer industry, he has been at the forefront of emerging technologies, from the internet boom to the latest trends in serverless and cloud computing. He and his wife Julie reside in Georgia with their three wonderful children.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
AWS Security Cookbook
Dedication
About Packt
Why subscribe?
Contributors
About the author
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Sections
Getting ready
How to do it...
How it works...
There's more...
See also
Get in touch
Reviews
Managing AWS Accounts with IAM and Organizations
Technical requirements
Configuring IAM for a new account
Getting ready
How to do it...
Creating a billing alarm
How it works...
There's more...
See also
Creating IAM policies
Getting ready
How to do it...
Creating policies with the IAM visual editor
Creating policies using the AWS CLI
How it works...
There's more...
See also
Creating a master account for AWS Organizations
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a new account under an AWS Organization
Getting ready
How to do it...
Creating an account and OU from the CLI
Creating and moving an account from the console
How it works...
There's more...
See also
Switching roles with AWS Organizations
Getting ready
How to do it...
Switching as an administrator
Granting permission for a non-admin user to switch roles
Granting permission for a non-admin user to switch roles using the CLI
How it works...
Switching roles between any two accounts
There's more...
See also
Securing Data on S3 with Policies and Techniques
Technical requirements
Creating S3 access control lists
Getting ready
How to do it...
Granting READ ACLs for a bucket to everyone from the console
Granting READ for AWS users using predefined groups from the CLI
Granting public READ for an object with canned ACLs from the CLI
How it works...
There's more...
Comparing ACLs, bucket policies, and IAM policies
See also
Creating an S3 bucket policy
Getting ready
How to do it...
Bucket public access with a bucket policy from the console
Bucket list access with a bucket policy from the CLI
How it works...
There's more...
See also
S3 cross-account access from the CLI
Getting ready
How to do it...
Uploading to a bucket in another account
Uploading to a bucket in another account with a bucket policy
How it works...
There's more...
See also
S3 pre-signed URLs with an expiry time using the CLI and Python
Getting ready
How to do it...
Generating a pre-signed URL from the CLI
Generating a pre-signed URL using the Python SDK
How it works...
There's more...
See also
Encrypting data on S3
Getting ready
How to do it...
Server-side encryption with S3-managed keys (SSE-S3)
Server-side encryption with KMS-managed keys (SSE-KMS)
Server-side encryption with customer-managed keys (SSE-C)
How it works...
There's more...
See also
Protecting data with versioning
Getting ready
How to do it...
How it works...
There's more...
See also
Implementing S3 cross-region replication within the same account
Getting ready
How to do it...
How it works...
There's more...
See also
Implementing S3 cross-region replication across accounts
Getting ready
How to do it...
How it works...
There's more...
See also
User Pools and Identity Pools with Cognito
Technical requirements
Creating Amazon Cognito user pools
Getting ready
How to do it...
How it works...
There's more...
See also
Creating an Amazon Cognito app client
Getting ready
How to do it...
How it works...
There's more...
Customizing workflows with triggers
See also
User creation and user signups
Getting ready
How to do it...
Creating a user by an administrator
Creating a user through self-signup with admin confirmation
Creating a user through self-signup with self-confirmation
How it works...
There's more...
See also
Implementing an admin authentication flow
Getting ready
How to do it...
How it works...
There's more...
See also
Implementing a client-side authentication flow
Getting ready
How to do it...
How it works...
There's more...
See also
Working with Cognito groups
Getting ready
How to do it...
How it works...
There's more...
See also
Federated identity with Cognito user pools
Getting ready
How to do it...
Configuring within the Amazon developer portal
Configuring in Cognito
How it works...
There's more...
See also
Key Management with KMS and CloudHSM
Technical requirements
Creating keys in KMS
Getting ready
How to do it...
How it works...
There's more...
See also
Using keys with external key material
Getting ready
How to do it...
Creating key configuration for an external key
Generating our key material using OpenSSL
Continuing with key creation from the console
How it works...
There's more...
See also
Rotating keys in KMS
Getting ready
How to do it...
How it works...
There's more...
See also
Granting permissions programmatically with grants
Getting ready
How to do it...
How it works...
There's more...
See also
Using key policies with conditional keys
Getting ready
How to do it...
How it works...
There's more...
See also
Sharing customer-managed keys across accounts
Getting ready
How to do it...
Creating a key and giving permission to the other account
Using the key as an administrator user from account 2
Using the key as a non-admin user from account 2
How it works...
There's more...
See also
Creating a CloudHSM cluster
Getting ready
How to do it...
How it works...
There's more...
See also
Initializing and activating a CloudHSM cluster
Getting ready
How to do it...
Initializing the cluster and creating our first HSM
Launching an EC2 client instance and activating the cluster
How it works...
There's more...
See also
Network Security with VPC
Technical requirements
Creating a VPC in AWS
Getting ready
How to do it...
How it works...
There's more...
See also
Creating subnets in a VPC
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring an internet gateway and a route table for internet access
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up and configuring NAT gateways
Getting ready
How to do it...
How it works...
There's more...
See also
Working with NACLs
Getting ready
How to do it...
How it works...
There's more...
See also
Using a VPC gateway endpoint to connect to S3
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring and using VPC flow logs
Getting ready
How to do it...
How it works...
There's more...
See also
Working with EC2 Instances
Technical requirements
Creating and configuring security groups
Getting ready
How to do it...
How it works...
There's more...
See also
Launching an EC2 instance into a VPC
Getting ready
How to do it...
General steps for launching an EC2 instance and doing SSH
Launching an instance into our public subnet
Launching an instance into our private subnet
How it works...
There's more...
See also
Setting up and configuring NAT instances
Getting ready
How to do it...
Adding a route for the NAT instance
How it works...
There's more...
See also
Creating and attaching an IAM role to an EC2 instance
Getting ready
How to do it...
How it works...
There's more...
See also
Using our own private and public keys with EC2
Getting ready
How to do it...
Generating the keys
Uploading a key to EC2
How it works...
There's more...
See also
Using EC2 user data to launch an instance with a web server
Getting ready
How to do it...
How it works...
There's more...
See also
Storing sensitive data with the Systems Manager Parameter Store
Getting ready
How to do it...
Creating a parameter in the AWS Systems Manager Parameter Store
Creating and attaching role for the AWS Systems Manager
Retrieving parameters from the AWS Systems Manager Parameter Store
How it works...
There's more...
See also
Using KMS to encrypt data in EBS
Getting ready
How to do it...
How it works...
There's more...
See also
Web Security Using ELBs, CloudFront, and WAF
Technical requirements
Enabling HTTPS on an EC2 instance
Getting ready
How to do it...
How it works...
There's more...
See also
Creating an SSL/TLS certificate with ACM
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a classic load balancer
Getting ready
How to do it...
How it works...
There's more...
See also
Creating ELB target groups
Getting ready
How to do it...
How it works...
There's more...
See also
Using an application load balancer with TLS termination at the ELB
Getting ready
How to do it...
How it works...
There's more...
See also
Using a network load balancer with TLS termination at EC2
Getting ready
How to do it...
How it works...
There's more...
See also
Securing S3 using CloudFront and TLS
Getting ready
How to do it...
CloudFront distribution with CloudFront default domain
CloudFront distribution with a custom domain and ACM certificate
How it works...
There's more...
See also
Configuring and using the AWS web application firewall (WAF)
Getting ready
How to do it...
How it works...
There's more...
See also
Monitoring with CloudWatch, CloudTrail, and Config
Technical requirements
Creating an SNS topic to send emails
Getting ready
How to do it...
How it works...
There's more...
See also
Working with CloudWatch alarms and metrics
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a dashboard in CloudWatch
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a CloudWatch log group
Getting ready
How to do it...
How it works...
There's more...
See also
Working with CloudWatch events
Getting ready
How to do it...
How it works...
There's more...
See also
Reading and filtering logs in CloudTrail
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a trail in CloudTrail
Getting ready
How to do it...
How it works...
There's more...
See also
Using Athena to query CloudTrail logs in S3
Getting ready
How to do it...
How it works...
There's more...
See also
Cross-account CloudTrail logging
Getting ready
How to do it...
How it works...
There's more...
See also
Integrating CloudWatch and CloudTrail
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up and using AWS Config
Getting ready
How to do it...
How it works...
There's more...
See also
Compliance with GuardDuty, Macie, and Inspector
Technical requirements
Setting up and using Amazon GuardDuty
Getting ready
How to do it...
How it works...
There's more...
See also
Aggregating findings from multiple accounts in GuardDuty
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up and using Amazon Macie
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up and using Amazon Inspector
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a custom Inspector template
Getting ready
How to do it...
How it works...
There's more...
See also
Additional Services and Practices for AWS Security
Technical requirements
Setting up and using AWS Security Hub
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up and using AWS SSO
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up and using AWS Resource Access Manager
Getting ready
How to do it...
How it works...
There's more...
See also
Protecting S3 Glacier vaults with Vault Lock
Getting ready
How to do it...
How it works...
There's more...
See also
Using AWS Secrets Manager to manage RDS credentials
Getting ready
How to do it...
How it works...
There's more...
See also
Creating an AMI instead of using EC2 user data
Getting ready
How to do it...
How it works...
There's more...
See also
Using security products from AWS Marketplace
Getting ready
How to do it...
How it works...
There's more...
See also
Using AWS Trusted Advisor for recommendations
Getting ready
How to do it...
How it works...
There's more...
See also
Using AWS Artifact for compliance reports
Getting ready
How to do it...
How it works...
There's more...
See also
Other Books You May Enjoy
Leave a review - let other readers know what you think
AWS Security Cookbook discusses practical solutions to the most common problems faced by security consultants while securing their infrastructure. This book discusses services and features within AWS that can help us to achieve security models such as the CIA triad (confidentiality, integrity, and availability), the AAA triad (authentication, authorization, and accounting), and non-repudiation.
The book begins by getting you familiar with IAM and S3 policies; then, it dives deeper into data security, application security, monitoring, and compliance. Over the course of this book, you will come across AWS Security services such as Config, GuardDuty, Macie, Glacier Vault Lock, Inspector, and Security Hub. Lastly, this book covers essential security areas per chapter and progresses toward cloud security best practices and integrating additional security services.
By the end of this book, you will be adept in the techniques for securing AWS deployments, and you will also be better prepared for the AWS Certified Security – Specialty certification.
If you are an IT security professional, cloud security architect, or a cloud application developer working on security-related roles and are interested in using the AWS infrastructure for secure application deployment, then this book is for you. This book will also benefit individuals interested in taking up the AWS Certified Security – Specialty certification. Prior knowledge of AWS and cloud computing is required.
Chapter 1, Managing AWS Accounts with IAM and Organizations, covers recipes for working with Identity and Access Management (IAM) users, groups, roles, and permission policies. This chapter also discusses recipes to create and manage multiple user accounts from a single master account using the AWS Organizations service.
Chapter 2, Securing Data on S3 with Policies and Techniques, discusses recipes related to securing Simple Storage Service (S3) data with Access Control Lists (ACLs), bucket policies, pre-signed URLs, encryption, versioning, and cross-region replication.
Chapter 3, User Pools and Identity Pools with Cognito, focuses mostly on application security with Cognito and discusses recipes related to concepts such as user pools, user signups, authentication and authorization flows, and federated identity logins.
Chapter 4, Key Management with KMS and CloudHSM, discusses recipes for managing encryption keys with AWS Key Management Service (KMS), which uses shared Hardware Security Modules (HSMs), as well as CloudHSM, which uses dedicated HSMs for enhanced security.
Chapter 5, Network Security with VPC, discusses recipes to secure your AWS infrastructure by creating Virtual Private Clouds (VPCs). We discuss topics such as public and private subnets, configuring route tables and network gateways, and using security mechanisms such as security groups and Network Access Control Lists (NACLs) to secure incoming and outgoing traffic.
Chapter 6, Working with EC2 Instances, covers additional recipes for securing Amazon Elastic Compute Cloud (EC2) instances, such as launching them into custom VPCs, using security groups, using the Systems Manager Parameter Store, and bootstrapping an EC2 instance with user data. We will also learn to encrypt data in Elastic Block Store (EBS).
Chapter 7, Web Security Using ELBs, CloudFront, and WAF, discusses recipes for securing web traffic and improving availability with different types of load balancers, the CloudFront service, and features such as instance-level TLS termination. We will also learn how to configure and use Web Application Firewalls (WAFs) within AWS.
Chapter 8, Monitoring with CloudWatch, CloudTrail, and Config, covers recipes to help us in troubleshooting, achieving compliance and accountability, and more through continuous monitoring, alerting, and regular auditing. We will learn about services such as CloudWatch, CloudTrail, Config, and Simple Notification Service (SNS).
Chapter 9, Compliance with GuardDuty, Macie, and Inspector, discusses recipes related to checking for compliance and notifying us about non-compliance. We will learn about services, such as GuardDuty, Macie, and Inspector, that use machine learning and advanced algorithms to help us to check compliance.
Chapter 10, Additional Services and Practices for AWS Security, discusses additional services and features that you can use to secure your AWS infrastructure, such as Security Hub, Single Sign-On (SSO), Resource Access Manager, Secrets Manager, Trusted Advisor, Artifact, and S3 Glacier vaults. We will also learn how to use additional security products from AWS Marketplace.
You will need a working AWS account for practicing the recipes within this book.
You should already have some basic knowledge of AWS services such as IAM, S3, EC2, and VPC.
Basic knowledge of cloud computing, computer networking, and IT security concepts can help you to grasp the contents of this book faster.
You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.
You can download the code files by following these steps:
1. Log in or register at www.packt.com.
2. Select the Support tab.
3. Click on Code Downloads.
4. Enter the name of the book in the Search box and follow the onscreen instructions.
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
WinRAR/7-Zip for Windows
Zipeg/iZip/UnRarX for Mac
7-Zip/PeaZip for Linux
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/AWS-Security-Cookbook. In case there's an update to the code, it will be updated on the existing GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781838826253_ColorImages.pdf.
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Verify that our testuser user can now list the files in the S3 bucket."
A block of code is set as follows:
    "Condition": {
        "StringEquals": {
            "s3:x-amz-acl": [
                "public-read"
            ]
        }
    }
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
    "Condition": {
        "StringEquals": {
            "s3:x-amz-acl": [
                "public-read"
            ]
        }
    }
Any command-line input or output is written as follows:
aws iam attach-group-policy \
--group-name testusergroup \
--policy-arn arn:aws:iam::135301570106:policy/MyS3ListPolicyCLI \
--profile awssecadmin
Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Go to the Organize accounts tab."
In this book, you will find several headings that appear frequently (Getting ready, How to do it..., How it works..., There's more..., and See also).
To give clear instructions on how to complete a recipe, use these sections as follows.
Getting ready
This section tells you what to expect in the recipe and describes how to set up any software or any preliminary settings required for the recipe.
How to do it...
This section contains the steps required to follow the recipe.
How it works...
This section usually consists of a detailed explanation of what happened in the previous section.
There's more...
This section consists of additional information about the recipe in order to make you more knowledgeable about the recipe.
See also
This section provides helpful links to other useful information for the recipe.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
The security of an application or a platform is generally understood as providing authentication, authorization, integrity, and confidentiality. Availability and accounting are two other aspects of security that are often overlooked. The Confidentiality, Integrity, and Availability (CIA) model and the Authentication, Authorization, and Accounting (AAA) model are two popular models related to cloud security. CIA is generally referred to as the CIA triad. Apart from these, we should also consider non-repudiation while securing our application or platform.
In this chapter, we will learn about the AWS Identity and Access Management (IAM) service, the primary service in AWS for managing users, groups, roles, and permissions. We will learn how to write security policies. We will also discuss using the AWS Organizations service to create multiple accounts from within a single master account. We can use the AWS Organizations service to switch between the associated accounts without logging out of AWS, which makes working with multiple accounts easier. We will also discuss core security concepts related to the cloud.
This chapter will cover the following recipes:
Configuring IAM for a new account
Creating IAM policies
Creating a master account for AWS Organizations
Creating a new account under an AWS Organization
Switching roles with AWS Organizations
We need a working AWS account to practice the recipes within this chapter. We should install and configure the AWS Command-Line Interface (CLI) on our local machine. It's assumed that you have basic knowledge of S3.
The code files for this book are available at https://github.com/PacktPublishing/AWS-Security-Cookbook. The code files for this chapter are available at https://github.com/PacktPublishing/AWS-Security-Cookbook/tree/master/Chapter01.
IAM is the primary service in AWS for managing access to AWS services. IAM is a global service and is not region-specific. After creating an AWS account, we should do some basic IAM configuration in order to secure our AWS account. IAM provides a checklist for these activities. Though not part of this checklist, we will also provide an account alias and create a billing alarm.
We need a newly created AWS account to complete all the steps in this recipe. Our IAM dashboard should look as follows. Even if you do not have a new account, you can still follow this recipe and verify whether everything has been configured correctly:
You need to install an authenticator app on your mobile device if you are planning to set up multi-factor authentication (MFA) using a virtual MFA device. Google Authenticator is one popular option. You can also use a YubiKey U2F security key, any U2F-compliant device, or a hardware MFA device.
Follow these steps on a new IAM dashboard. If your account isn't new, verify whether everything has been configured correctly:
1. Give a unique and meaningful alias for the account within the IAM users sign-in link. This is not a security requirement, but it makes it easier for our IAM users to log in to our account. By default, the account ID is used. Next, we will follow the IAM security checklist and make all the fields of the checklist green.
2. Activate MFA on our root account. Expand the Activate MFA checklist item and click on Manage MFA:
3. On the MFA selection page, select Virtual MFA device and click Next. You may select other options if they're applicable:
4. AWS will now provide a QR code. Scan the QR code using an authenticator app (installed in the Getting ready section) and enter two consecutive token codes to activate it.
After MFA has been activated, we will need to provide a token from this app, along with a username and password, to log in to the AWS console.
5. Create a user after expanding the Create Individual IAM Users checklist item. We can also use the left menu item to go to the Users page.
6. Provide a username and select the option to add the user to a group.
7. Create a group.
8. Assign some policies to the group.
9. Expand the checklist item for the password policy and set a strong password policy.
10. Go back to the IAM dashboard and check that all the checkmarks are green:
Now, let's create a billing alarm.
In this section, we will set up a billing alarm that will let us know when we exceed a set limit:
Go to your billing dashboard from the drop-down menu next to your account name on the upper-right corner of the screen:
From the billing dashboard, click on Billing preferences, select the Receive Billing Alerts checkbox, and click Save preferences:
Go to the CloudWatch service dashboard and click on Billing on the left. From the Billing alarm page, click on Create alarm. On the Create alarm page, provide our usage limit and an email for sending notifications:
IAM is the AWS service that helps us manage the identity of users within AWS in order to verify their identity (authentication) and their permissions to AWS services (authorization).
IAM has four core concepts:
Users: A user can be created in IAM and given the necessary permissions to access AWS resources.
Groups: Users can be added to groups. Permissions can then be given to groups instead of individual users. This is a recommended best practice.
Policies: Policies are JSON documents that define the permissions for users or groups.
Roles: Roles are generally used for giving temporary permissions to access an AWS service, either to users or to other AWS services. For example, we can attach a role with S3 permissions to an EC2 instance.
The IAM dashboard provides a set of checklist items to keep our account secure. It is good practice to keep them all green. The first checklist item checks whether we have active access keys for our root account that could be used for programmatic access. The root account is the account that we log into using the primary email, and it has access to everything in our account. It is good practice to use the root account only to create other users, and then use those users for our day-to-day activities.
The next checklist item checks whether we have enabled MFA for our root account. MFA enforces an additional level of authentication, apart from the username and password, using tokens from a virtual or hardware MFA device. The next two checklist items make sure that we create at least one user and one group. The last checklist item is for setting a password rotation policy for our account.
Finally, we also set up a billing alarm. Though not part of the IAM checklist, it is good practice to set a billing alarm. This will trigger an alarm and let us know when we exceed the set limit.
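The same five checklist items can be verified from a script instead of by eye, which is useful when more than one account has to be checked. The following Python script is an added example, not code from the book or from AWS: it maps the checklist onto the SummaryMap that aws iam get-account-summary returns and onto the result of aws iam get-account-password-policy. The sample SummaryMap and password policy values are constructed for the example; the key names are the ones the real API uses. The boto3 call in fetch_live() assumes boto3 is installed and a CLI profile is configured, and it is only reached when you call it yourself.

```python
"""Script the IAM dashboard security checklist (added example, not from the book)."""

# Constructed sample of the SummaryMap that `aws iam get-account-summary` returns.
# The key names are the ones the real API uses; the values are made up for this example.
SAMPLE_SUMMARY = {
    "AccountMFAEnabled": 1,         # 1 when the root account has an MFA device
    "AccountAccessKeysPresent": 0,  # 1 when the root account still has access keys
    "Users": 2,
    "Groups": 2,
}

# Constructed sample of the PasswordPolicy dict returned by
# `aws iam get-account-password-policy` (None means no custom policy exists).
SAMPLE_PASSWORD_POLICY = {"MinimumPasswordLength": 14, "RequireSymbols": True}


def checklist(summary, password_policy):
    """Map the five IAM dashboard checklist items onto API output.

    Returns a dict of {check: True/False}; True corresponds to a green tick.
    A key that is missing from the summary is treated as a failed check.
    """
    return {
        "delete_root_access_keys": summary.get("AccountAccessKeysPresent", 1) == 0,
        "activate_mfa_on_root": summary.get("AccountMFAEnabled", 0) == 1,
        "create_individual_iam_users": summary.get("Users", 0) >= 1,
        "use_groups_to_assign_permissions": summary.get("Groups", 0) >= 1,
        "apply_password_policy": password_policy is not None,
    }


def all_green(results):
    """True only when every checklist item passes, like an all-green dashboard."""
    return all(results.values())


def failing(results):
    """Names of the checklist items that still need attention, in dashboard order."""
    return [name for name, ok in results.items() if not ok]


def fetch_live(profile=None):
    """Pull the real values with boto3. Assumes boto3 is installed and credentials
    are configured (for example, the awssecadmin profile used later in the book)."""
    import boto3  # imported here so the rest of the file runs without it

    session = boto3.Session(profile_name=profile)
    iam = session.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        policy = None  # the account still uses the AWS default password policy
    return summary, policy


if __name__ == "__main__":
    results = checklist(SAMPLE_SUMMARY, SAMPLE_PASSWORD_POLICY)
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    print("all green" if all_green(results) else f"fix: {failing(results)}")
```

To run it against a real account, replace the two sample dicts with the tuple returned by fetch_live("awssecadmin") (or whichever profile you use). Note that the password policy check only confirms that a custom policy exists; how strict it is is still up to you.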
Let's quickly go through some important concepts related to IAM and security:
Authentication is the process of verifying a user's identity with a username and password, or with credentials such as the access key and the secret access key.
There are primarily two types of access credentials in AWS for authenticating users:
Access key ID and secret access key: This is used for programmatic access with the AWS APIs, CLI, SDKs, and development tools.
Username and password: This is used for console access.
Authorization is the process of checking whether a user has the right permissions to perform an action; it is usually defined using permission policies.
Confidentiality makes sure that the data sent from the source cannot be read by anyone in between. This is made possible using cryptography.
Data integrity makes sure that the data has come from the right person and has not been tampered with in between. This is also generally made possible using cryptography.
Availability makes sure the service can be used when it is needed.
Accounting helps us identify the responsible parties in case of a security event.
Non-repudiation prevents a user from denying an activity. Cryptography comes to our aid here.
The AWS shared responsibility model defines the responsibilities of AWS and its customers in securing our solutions on the AWS cloud. In summary, it states that security of the cloud (for example, securing the global infrastructure, hardware, networking, and so on) is AWS's responsibility, while security in the cloud (for example, updates and security patches for the servers we provision, protecting credentials and keys, and so on) is the customer's responsibility.
AWS IAM supports Payment Card Industry Data Security Standard (PCI-DSS) compliance. This is an information security standard required for organizations that handle credit cards.
You can read more about the AWS shared responsibility model here: https://aws.amazon.com/compliance/shared-responsibility-model.
This book does not cover AWS basics beyond the security domain. If you are new to AWS, you can read about cloud computing, AWS basics, and CLI configurations here: https://cloudmaterials.com/en/book/getting-started-cloud-computing-and-aws.
In this recipe, we will learn how to create IAM policies from the Management Console, as well as the AWS CLI. We will create an IAM policy for an S3 bucket.
We need a working AWS account with the following resources configured:
A user with no permissions and a user with administrator permissions. Add these users to two groups. We should configure CLI profiles for these users. I will be calling the users and their CLI profiles testuser and awssecadmin and the groups awstestusergroup and awssecadmingroup, respectively.
An S3 bucket with default permissions. I will be using a bucket name of awsseccookbook. S3 bucket names are globally unique. Therefore, select an available name and replace my bucket with your bucket name wherever applicable.
Check the contents of the S3 bucket from the CLI using testuser and verify that it has no permissions:
First, we will create IAM policies from the Management Console using the IAM policy editor. Then, we will create the same policy from the AWS CLI.
We can create a policy using the IAM visual editor as follows:
Log in to the console as an administrator and go to the IAM dashboard.
Click on Policies from the left sidebar.
Click on Create Policy. This will provide us with a visual editor:
We can also click on the JSON tab and enter the JSON directly if we have already created the policy JSON.
Set the Service to S3.
Select ListBucket under Actions.
Under Resources, select Specific, click on Add ARN, and enter our bucket's ARN in the format arn:aws:s3:::<bucket_name>.
Under Request conditions, click Add condition and add a condition, as follows, with an EPOCH time from the future (we can find many online tools that do the time conversion for us):
Click Add.
Click Review Policy.
Provide a name (for example, MyS3ListPolicy), add a description (for example, My S3 ListPolicy), and click Create Policy.
Verify the policy that was generated from the JSON tab:
Click on Groups from the left sidebar of the IAM dashboard and go to our testuser group. Click on Attach Policy and attach the policy we created in the previous step.
Verify this by running the s3 ls command from the command line with the testuser profile name (the same command from the Getting ready section). We should see a successful response, as follows:
Now, let's look at how to create policies using the AWS CLI.
In this section, we will create a policy with the JSON we generated in the previous recipe. If you are following along from the previous section, detach the current policy from the group (or user) and confirm that the testuser user cannot list the contents of the bucket. Let's get started:
Create a file called my-s3-list-bucket-policy.json with the following JSON policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MyS3ListBucketPolicy",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::awsseccookbook",
            "Condition": {
                "DateLessThan": {
                    "aws:EpochTime": "1609415999"
                }
            }
        }
    ]
}
The preceding policy will only allow access if the current EPOCH timestamp is less than the EPOCH timestamp represented by the value of aws:EpochTime. The value of 1609415999 in the preceding policy denotes Thursday, 31 December 2020 11:59:59 GMT. We can use one of the free EPOCH time converters available online to generate an EPOCH time corresponding to a date we want to test the policy with.
Create the policy using the create-policy subcommand:
aws iam create-policy \
--policy-name MyS3ListPolicyCLI \
--policy-document file://resources/my-s3-list-bucket-policy.json \
--profile awssecadmin
This should return the policy's details, along with its ARN:
Attach the policy to the group using the attach-group-policy subcommand, providing the policy ARN returned by the previous command:
aws iam attach-group-policy \
--group-name testusergroup \
--policy-arn arn:aws:iam::135301570106:policy/MyS3ListPolicyCLI \
--profile awssecadmin
Verify that our testuser user can now list the files in the S3 bucket:
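The s3 ls check above only shows the result at one moment in time. To see exactly how the DateLessThan condition in this policy, and the Effect, Action and Resource elements around it, turn a request into a decision, here is an added Python example. It is not code from the book or from AWS; it re-implements, for the subset of features this recipe uses, the rule that IAM applies: an explicit Deny in any matching statement wins, an Allow is needed for access, and no matching statement means implicit denial. The policy text is the one created above; the request contexts and the second, wildcard policy (WILDCARD_POLICY) are constructed for the example. It also goes a little beyond the recipe by handling * wildcards in Action and Resource and an explicit Deny statement.

```python
"""Minimal IAM policy evaluator for the recipe's time-bound policy (added example)."""
import fnmatch
import json
import time

# The policy from the recipe (bucket name and epoch value as in the text).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "MyS3ListBucketPolicy",
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::awsseccookbook",
    "Condition": {"DateLessThan": {"aws:EpochTime": "1609415999"}}
  }]
}""")

# Constructed second policy to exercise wildcards and an explicit Deny.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket",
         "Resource": "arn:aws:s3:::awsseccookbook"},
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, ignore_case):
    """IAM wildcard matching: '*' matches any run of characters, '?' one character.
    Action names are matched case-insensitively; ARNs are case-sensitive."""
    if ignore_case:
        return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate the Condition block: every operator and every key must hold (AND).
    Only the date operators needed here are implemented; anything else raises.
    A condition key missing from the request context never satisfies the test."""
    for operator, keys in condition.items():
        if operator not in ("DateLessThan", "DateGreaterThan"):
            raise ValueError(f"operator {operator} not implemented in this example")
        for key, expected in keys.items():
            if key not in context:
                return False
            actual, limit = int(context[key]), int(expected)
            if operator == "DateLessThan" and not actual < limit:
                return False
            if operator == "DateGreaterThan" and not actual > limit:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request against one policy."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, ignore_case=True):
            continue
        if not _matches(stmt["Resource"], resource, ignore_case=False):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins, so stop here
        decision = "Allow"
    return decision


if __name__ == "__main__":
    bucket = "arn:aws:s3:::awsseccookbook"
    print("now:            ", evaluate(POLICY, "s3:ListBucket", bucket,
                                        {"aws:EpochTime": int(time.time())}))
    print("before deadline:", evaluate(POLICY, "s3:ListBucket", bucket,
                                        {"aws:EpochTime": 1609415998}))
    print("at deadline:    ", evaluate(POLICY, "s3:ListBucket", bucket,
                                        {"aws:EpochTime": 1609415999}))
```

Running the script today prints ImplicitDeny for the "now" line, because the epoch value 1609415999 (31 December 2020) has passed: a time-bound policy like this one silently stops granting access once its deadline goes by, which is exactly the behaviour you want from a temporary grant and exactly what to look for when a user reports a permission that "used to work".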
In this recipe, we created an IAM policy from the console and the CLI. IAM policies are JSON documents and follow a structure shared by most policy types within AWS, with the exception of access control lists (ACLs), which are XML-based.
The policy document is composed of statements that are added as arrays to the Statement element. A Statement element for an IAM policy may contain the following subelements:
Sid is the statement ID, which is optional. It can be used to provide a description of the statement.
Effect specifies whether we want to allow or deny access to a resource. The supported values are Allow and Deny.
Action specifies the permission or permissions (for example, s3:ListBucket) that this statement applies to. We can also specify * to denote any action.
Resource specifies the ARN of the resource (for example, an S3 bucket) that the statement applies to. For S3 buckets, the ARN should follow the format arn:aws:s3:::<bucket_name>/<key_name>. We can use a comma to separate multiple values, and we can specify * to denote any resource.
Condition
