
THE WALL built with IAM

The slides for my session at JAWS PANKRATION 2024.
The presentation focuses on the IAM global condition context keys "aws:ResourceOrgPaths" and "aws:PrincipalOrgPaths".
The "…OrgPaths" condition keys are awesome!

Session URL: https://jawspankration2024.jaws-ug.jp/ja/timetable/TT-40/


Yuta Kimi

August 26, 2024

Transcript

  1. THE WALL built with IAM
     Yuta Kimi, Senior Solution Architect, Japan Digital Design, Inc.
     JAWS PANKRATION 2024
     © 2024 Japan Digital Design, Inc.
  2. Welcome to the IAM swamp
     (Image generated by Titan Image Generator G1)
  3. Yuta Kimi, Senior Solution Architect, Japan Digital Design, Inc. (a member of MUFG)
     Working for the financial services industry
     Living near Himeji Castle in Japan
     My Girl
     Fin-JAWS: AWS user community for financial services
     Security & Identity since 2024
  4. Why build the wall?
     Confidential data is exposed to both internal threats and external threats; the wall is a perimeter for data protection.
  5. Why build the wall?
     Coarse-grained controls that prevent critical accidents by developers, acting as a "guardrail" around the confidential data.
     Of course, fine-grained permissions remain important as a prerequisite; the guardrail does not replace them.
  6. Why build with IAM?
     Does all data exist in a VPC? No: much of it (S3, for example) sits outside the customer VPC, so it is difficult to create a perimeter with network controls only.
  7. Why build with IAM?
     IAM can inspect the request context. Every request from a principal to an AWS service carries a request context (actions/operations, resources, principal, ...), and IAM inspects it before authorizing the request.
  8. How to build the wall?
     Build it with the global condition context keys "…OrgPaths": aws:PrincipalOrgPaths keeps external principals away from the confidential data, and aws:ResourceOrgPaths keeps the confidential data away from external resources.
  9. What is "OrgPaths"?
     "OrgPaths" represents AWS Organizations entities as text, the AWS Organizations path:
       Organization ID: o-a1b2c3d4e5
       Root ID: r-1eh2
       OU ID: ou-1eh2-z9y8x7w6
       Organizations path: o-a1b2c3d4e5/r-1eh2/ou-1eh2-z9y8x7w6/
     The value in the request context ends with a trailing slash, so policies match it with a trailing wildcard (o-a1b2c3d4e5/r-1eh2/ou-1eh2-z9y8x7w6/*), which also covers any child OUs nested below it.
  10. What is "aws:ResourceOrgPaths"?
      "aws:ResourceOrgPaths" tells where the resource belongs: the Organizations path of the account that owns the resource targeted by the request.
        Organization ID: o-a1b2c3d4e5
        Root ID: r-1eh2
        OU ID: ou-1eh2-z9y8x7w6
        Account ID: 123456789012
        This resource belongs to o-a1b2c3d4e5/r-1eh2/ou-1eh2-z9y8x7w6/
      The key is only present in the request context when the owning account is a member of an organization; for a resource owned by a standalone account it is absent.
  11. What is "aws:PrincipalOrgPaths"?
      "aws:PrincipalOrgPaths" tells where the principal belongs: the Organizations path of the account of the principal making the request.
        Organization ID: o-a1b2c3d4e5
        Root ID: r-1eh2
        OU ID: ou-1eh2-z9y8x7w6
        Account ID: 123456789012
        This principal belongs to o-a1b2c3d4e5/r-1eh2/ou-1eh2-z9y8x7w6/
      Likewise, the key is only present when the principal's account is a member of an organization.
  12. Risk scenario: production data is taken out externally
      Corporate organization: a Root OU containing a Production OU (confidential data) and a Development OU (not for production); outside it, external organizations with external resources.
      An internal principal in the Production OU can copy confidential data to a non-production environment (leakage to the Development OU) or to an external resource (leakage to an external organization).
  13. Control: the wall built around the production OU
      THE WALL sits on the boundary of the Production OU: requests from the internal principal that target the Development OU or an external resource are stopped at the wall, so the confidential data stays inside.
  14-15. Implementation: untrusted resources are inspected with SCP
      Organization ID: o-xxxx, Root ID: r-xxxx, Production OU ID: ou-xxxx
      SCPs attached to the production OUs / accounts: FullAWSAccess (AWS managed) plus a "Deny untrusted resources" policy:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Deny",
              "Action": "s3:*",
              "Resource": "*",
              "Condition": {
                "ForAllValues:StringNotLike": {
                  "aws:ResourceOrgPaths": "o-xxxx/r-xxxx/ou-xxxx/*"
                },
                "StringNotEquals": {
                  "aws:ResourceAccount": [
                    "123456789012",
                    "987654321098"
                  ]
                }
              }
            }
          ]
        }
  16. Implementation: untrusted resources are inspected with SCP (annotated)
      The same deny statement; its two condition clauses are ANDed, so both must hold for the Deny to apply:
        "ForAllValues:StringNotLike": { "aws:ResourceOrgPaths": "o-xxxx/r-xxxx/ou-xxxx/*" }
          Deny actions on resources outside the production OU.
        "StringNotEquals": { "aws:ResourceAccount": ["123456789012", "987654321098"] }
          External accounts that are exceptionally not denied (= trusted external accounts).
      Because ForAllValues is a set operator, a request whose context carries no aws:ResourceOrgPaths at all (the resource belongs to an account outside any organization) also satisfies the first clause, so such resources are denied unless their account ID is on the trusted list: the wall fails closed. Two limits to keep in mind: an SCP does not apply to the organization's management account, and it only restricts principals in the organization's member accounts.
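The following is an added example, not code from the deck or from Japan Digital Design: a small offline Python model of the two IAM condition operators this SCP uses (ForAllValues:StringNotLike and StringNotEquals), applied to constructed request contexts so the deny/pass outcome for each case on the slides can be checked without an AWS account. The organization, root, OU and account IDs are placeholders as on the slide; the paths carry the trailing slash of the real request context; and aws:ResourceAccount is assumed to be present in every request the SCP sees.

```python
"""Offline check of the deny statement from the slide.

Added example, not code from the deck: it re-implements just the two IAM
condition operators the SCP uses (ForAllValues:StringNotLike and
StringNotEquals) and applies them to constructed request contexts. The
organization, root, OU and account IDs are placeholders, as on the slide.
"""
import re

# The slide's statement, wrapped in the Version/Statement envelope an SCP needs.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUntrustedResources",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringNotLike": {
                    "aws:ResourceOrgPaths": "o-xxxx/r-xxxx/ou-xxxx/*"
                },
                "StringNotEquals": {
                    "aws:ResourceAccount": ["123456789012", "987654321098"]
                },
            },
        }
    ],
}


def string_like(value: str, pattern: str) -> bool:
    """IAM StringLike: '*' matches any run of characters (slashes included),
    '?' exactly one; everything else is a literal, compared case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def evaluate_condition(condition: dict, ctx: dict) -> bool:
    """True when every (operator, key) pair in the block holds; IAM ANDs them.
    ctx maps context keys to a list (multi-valued key) or a str; a key the
    request does not carry is simply absent from ctx."""
    for operator, entries in condition.items():
        for key, policy_values in entries.items():
            if isinstance(policy_values, str):
                policy_values = [policy_values]
            present = key in ctx
            if operator == "ForAllValues:StringNotLike":
                # Set operator: every context value must match none of the
                # patterns. With the key absent (resource owner not in any
                # organization) there is nothing to test and the pair holds,
                # which steers such resources into the Deny.
                values = ctx[key] if present else []
                holds = all(not string_like(v, p)
                            for v in values for p in policy_values)
            elif operator == "StringNotEquals":
                # Single-valued operator. aws:ResourceAccount is assumed to be
                # present in every request this SCP sees (modelling assumption).
                if not present:
                    raise ValueError(f"{key} missing from request context")
                holds = ctx[key] not in policy_values
            else:
                raise NotImplementedError(operator)
            if not holds:
                return False
    return True


def scp_denies_s3(ctx: dict) -> bool:
    """Apply the statement: Action s3:* and Resource * cover every S3 call,
    so the Condition alone decides whether the explicit Deny applies."""
    statement = SCP["Statement"][0]
    return evaluate_condition(statement["Condition"], ctx)


# Constructed request contexts holding only the two keys the condition reads.
# Paths carry the trailing slash that the real request context uses.
SAMPLE_REQUESTS = {
    "prod_ou_bucket": {"aws:ResourceOrgPaths": ["o-xxxx/r-xxxx/ou-xxxx/"],
                       "aws:ResourceAccount": "111111111111"},
    "prod_child_ou_bucket": {"aws:ResourceOrgPaths": ["o-xxxx/r-xxxx/ou-xxxx/ou-yyyy/"],
                             "aws:ResourceAccount": "111111111112"},
    "dev_ou_bucket": {"aws:ResourceOrgPaths": ["o-xxxx/r-xxxx/ou-dev1/"],
                      "aws:ResourceAccount": "222222222222"},
    "other_org_bucket": {"aws:ResourceOrgPaths": ["o-zzzz/r-zzzz/"],
                         "aws:ResourceAccount": "333333333333"},
    "trusted_external_bucket": {"aws:ResourceAccount": "123456789012"},
    "untrusted_external_bucket": {"aws:ResourceAccount": "444444444444"},
}


def decisions() -> dict:
    """Map each sample request to 'DENY' or 'pass' (pass = this statement does
    not block it; an Allow elsewhere is still needed for the call to succeed)."""
    return {name: "DENY" if scp_denies_s3(ctx) else "pass"
            for name, ctx in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in decisions().items():
        print(f"{name:26s} {decision}")
```

Running the module lists one line per sample: the two production-OU buckets and the trusted external bucket pass, while the development-OU bucket, the bucket in another organization and the untrusted external bucket are denied. The last case is the one worth noticing: its context has no aws:ResourceOrgPaths, and it is the ForAllValues set semantics that make the absent key count as "outside the production OU".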
  17. Control: the wall built around the production OU, with a trusted account
      Same picture as slide 13, with one addition: an external resource in a trusted account sits on the allowed side of THE WALL, because its account ID is in the aws:ResourceAccount exception list.
  18. The advantage of "OrgPaths": design with Ops in mind
      Policy updates must not be required even when new production accounts are added.
  19. The advantage of "OrgPaths"
      With the deny statement from slide 14, a new account created in or moved into the production OU (o-xxxx/r-xxxx/ou-xxxx/*) is covered automatically: no maintenance is required for the aws:ResourceOrgPaths clause. Only the exceptions, the trusted external account IDs listed under aws:ResourceAccount, have to be maintained.
  20. Unfortunately, no time left to talk about "aws:PrincipalOrgPaths"…