THE WALL built with IAM

Transcript

1. 1 © 2024 Japan Digital Design, Inc. THE WALL built

   with IAM Yuta Kimi Senior Solution Architect Japan Digital Design, inc. JAWS PANKRATION 2024

2. 2 © 2024 Japan Digital Design, Inc. Welcome to IAM

   swamp Generated by Titan Image Generator G1

3. 3 © 2024 Japan Digital Design, Inc. Yuta Kimi Senior

   Solution Architect Japan Digital Design, inc. A member of MUFG Working for Financial Services Industry Living near Himeji Castle in Japan My Girl Fin-JAWS AWS user community for financial services Security & Identity since 2024

4. 4 CONFIDENTIAL © 2024 Japan Digital Design, Inc. Why build

   the wall ? Why? Confidential data Internal Threats External Threats Perimeter for data protection

5. 5 CONFIDENTIAL © 2024 Japan Digital Design, Inc. Why build

   the wall ? Why? Confidential data Coarse-grained controls to prevent critical accidents as ”Guardrail” Developers Of course, fine-grained permissions is important as a prerequisite

6. 6 CONFIDENTIAL © 2024 Japan Digital Design, Inc. Why build

   with IAM ? Why? All data exists in VPC? VPC Difficult to create perimeter with ONLY network control Outside customer VPC

7. 7 CONFIDENTIAL © 2024 Japan Digital Design, Inc. Why build

   with IAM ? Why? IAM can inspect ”request context” Principal AWS Services IAM Inspect Authorize Request context Actions/Operations --------- Resources --------- Principal … Request

8. 8 CONFIDENTIAL © 2024 Japan Digital Design, Inc. How build

   the wall ? How? Confidential data aws:PrincipalOrgPaths aws:ResourceOrgPaths External principals External resources Building with global condition context keys “…OrgPaths”

9. 9 CONFIDENTIAL © 2024 Japan Digital Design, Inc. What is

   “OrgPaths” ? What? ”OrgPaths” represents AWS Organizations entities as text Organization ID: o-a1b2c3d4e5 Root ID: r-1eh2 OU ID: ou-1eh2-z9y8x7w6 Organizations path : o-a1b2c3d4e5/r-1eh2/ou-1eh2-z9y8x7w6 AWS Organizations Paths

10. 10 CONFIDENTIAL © 2024 Japan Digital Design, Inc. What is

    “aws:ResourceOrgPaths” ? What? Principal Request “aws:ResourceOrgPaths” ensures where the resource belongs Organization ID: o-a1b2c3d4e5 Root ID: r-1eh2 OU ID: ou-1eh2-z9y8x7w6 Account ID: 123456789012 This resource belongs o-a1b2c3d4e5/r-1eh2/ou-1eh2-z9y8x7w6

11. 11 CONFIDENTIAL © 2024 Japan Digital Design, Inc. What is

    “aws:PrincipalOrgPaths” ? What? Principal Request “aws:PrincipalOrgPaths” ensures where the principal belongs Organization ID: o-a1b2c3d4e5 Root ID: r-1eh2 OU ID: ou-1eh2-z9y8x7w6 Account ID: 123456789012 This principal belongs o-a1b2c3d4e5/r-1eh2/ou-1eh2-z9y8x7w6 Resource

12. 12 CONFIDENTIAL © 2024 Japan Digital Design, Inc. Production data

    is taken out externally Risk scenario Corporate Organizations Root OU Production OU Development OU Confidential data Not for production Internal principal External Organizations External resource Leakage to non-production environment Leakage to external

13. 13 CONFIDENTIAL © 2024 Japan Digital Design, Inc. The wall

    built around the production OU Control Corporate Organizations Root OU Production OU Development OU Confidential data Not for production Internal principal External Organizations External resource THE WALL

14. 14 CONFIDENTIAL © 2024 Japan Digital Design, Inc. Untrusted resources

    are inspected with SCP Implementation Organization ID: o-xxxx Root ID: r-xxxx Production OU ID: ou-xxxx OUs / Accounts FullAWSAccess (AWS managed) Deny untrusted resources policy SCPs "Effect": "Deny", "Action": "s3:*", "Resource": "*", "Condition": { "ForAllValues:StringNotLike": { "aws:ResourceOrgPaths": "o-xxxx/r-xxxx/ou-xxxx/*" }, "StringNotEquals": { "aws:ResourceAccount": [ "123456789012", "987654321098" ] } }

15. 15 CONFIDENTIAL © 2024 Japan Digital Design, Inc. Untrusted resources

    are inspected with SCP Implementation Organization ID: o-xxxx Root ID: r-xxxx Production OU ID: ou-xxxx OUs / Accounts FullAWSAccess (AWS managed) Deny untrusted resources policy SCPs "Effect": "Deny", "Action": "s3:*", "Resource": "*", "Condition": { "ForAllValues:StringNotLike": { "aws:ResourceOrgPaths": "o-xxxx/r-xxxx/ou-xxxx/*" }, "StringNotEquals": { "aws:ResourceAccount": [ "123456789012", "987654321098" ] } }

16. 16 CONFIDENTIAL © 2024 Japan Digital Design, Inc. Untrusted resources

    are inspected with SCP Implementation "Effect": "Deny", "Action": "s3:*", "Resource": "*", "Condition": { "ForAllValues:StringNotLike": { "aws:ResourceOrgPaths": "o-xxxx/ r-xxxx/ou-xxxx/*" }, "StringNotEquals": { "aws:ResourceAccount": [ "123456789012", "987654321098" ] } } Deny actions for resources outside of the production OU External accounts not to be exceptionally denied (= trusted external accounts)

17. 17 CONFIDENTIAL © 2024 Japan Digital Design, Inc. The wall

    built around the production OU Control Corporate Organizations Root OU Production OU Development OU Confidential data Not for production Internal principal External Organizations External resource THE WALL External resource Trusted account

18. 18 CONFIDENTIAL © 2024 Japan Digital Design, Inc. The advantage

    of “OrgPaths” Advantage Design with Ops in Mind Policy updates must not be required even if new production accounts are added

19. 19 CONFIDENTIAL © 2024 Japan Digital Design, Inc. The advantage

    of “OrgPaths” Advantage "Effect": "Deny", "Action": "s3:*", "Resource": "*", "Condition": { "ForAllValues:StringNotLike": { "aws:ResourceOrgPaths": "o-xxxx/ r-xxxx/ou-xxxx/*" }, "StringNotEquals": { "aws:ResourceAccount": [ "123456789012", "987654321098" ] } } No maintenance required Maintain only exceptions

20. 20 © 2024 Japan Digital Design, Inc. Unfortunately, no time

    left to talk about “aws:PrincipalOrgPaths”…

21. 21 © 2024 Japan Digital Design, Inc. “…OrgPaths” condition keys

    are awesome! Conclusion

22. Thank you. 22 © 2024 Japan Digital Design, Inc.