Chapter 10 - 03 - Discuss the Insights of Cloud Security and Best Practices - 06_ocred.pdf


Certified Cybersecurity Technician Virtualization and Cloud Computing Exam 212-82

AWS IAM: Grant Least Privilege

- To implement more granular access control, begin with minimum permissions and gradually add permissions as required
- Implement conditional access to restrict privileged access
- Use the Access Advisor tab to regularly monitor user access
- Implement resource-based policies to restrict access to specific Amazon resources

[Slide figure: IAM console policy page with the tabs Policy Document, Attached Entities, Policy Versions and Access Advisor, and a user page with the tabs Permissions, Groups, Security Credentials and Access Advisor]

When IAM policies are created, they should grant only the permissions needed to perform the required tasks, so policies should be written around the roles of their users. Start with the minimum permissions and extend them later, once a real need is shown. IAM groups every action into one of five access levels: List, Read, Write, Permissions management, and Tagging. For example, a policy whose actions are drawn only from the List and Read access levels grants read-only access to its users. An example of policy actions and their descriptions is given below.

The "service last accessed" data can be viewed on the Access Advisor tab of the IAM console. The same data can be viewed in the AWS Organizations section of the IAM console when the user is signed in with the credentials of the organization's master account (now called the management account). Use this information to identify unnecessary permissions and refine the policies accordingly. The events recorded in AWS CloudTrail Event History can then be used to tighten permissions further, down to the individual actions an identity actually performs.

Module 10 Page 1362 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

[Figure: Access Advisor tab for a user, showing the service permissions granted to the user and when each service was last accessed (columns: Service Name, Policies, Last Accessed; services shown include AWS Identity and Access Management, Amazon CloudWatch, Amazon Elastic MapReduce and AWS Security Token Service). The console notes that recent activity usually appears within 4 hours, that Access Advisor tracking began on Oct 1, 2015, and that the table does not include activity in the AWS São Paulo and Seoul regions.]
Figure 10.55: Service Permissions Granted to User and When a Service was Last Accessed

[Figure: The same Access Advisor view with the Policies column expanded to show which policy grants each service permission (columns: Service Name, Policies, Permissions, Last Accessed; services shown include AWS Identity and Access Management, AWS Directory Service, Amazon S3 and AWS Service Catalog).]
Figure 10.56: Viewing Policies Granting Permissions

AWS IAM: Use AWS-managed Policies

- AWS managed policies are standalone policies that are created and administered by AWS
- AWS managed policies are designed to provide permissions for common use cases
- Use AWS managed policies while designing and creating access policies

[Slide figure: two AWS accounts; in AWS Account1 the users Oliver, Mike, George and Susan, the group Admins and the role EC2-App receive permissions through the managed policy PowerUserAccess, and in AWS Account2 the role ThirdPartyAccess receives the managed policy AWSCloudTrailReadOnlyAccess]

Administrators need time to understand IAM policies before handing them to employees for the tasks those employees must perform; they should understand the policies well and test them in IAM before putting them into use. Users, in turn, need to know which tasks they are expected to perform and which permissions they have been granted. AWS managed policies help on both counts: they give users a known set of permissions and make clear which tasks those permissions cover. AWS managed policies (standalone policies that are created and administered by AWS) are useful while designing and creating access policies. They provide permissions for many common use cases:

- Full-access AWS managed policies define permissions for service administrators by granting full access to a service. For example, AmazonDynamoDBFullAccess and IAMFullAccess.
- Power-user AWS managed policies provide multiple levels of access to AWS services without allowing permission management. For example, AWSCodeCommitPowerUser and AWSKeyManagementServicePowerUser.
- Partial-access AWS managed policies provide specific levels of access to AWS services. For example, AmazonMobileAnalyticsWriteOnlyAccess and AmazonEC2ReadOnlyAccess.
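As an added example of the least-privilege refinement loop described under "AWS IAM: Grant Least Privilege" above (this is not EC-Council or AWS code), the script below takes an IAM identity policy, expands its wildcard actions against a small action catalog tagged with the five IAM access levels, flags the granted actions that go beyond List and Read, compares the services the policy grants against Access Advisor style "service last accessed" data, and proposes a tighter policy with the unused services removed. The policy document, the action catalog and the last-accessed timestamps are all constructed for the example; in practice the last-accessed data is read from the Access Advisor tab, or fetched with the boto3 IAM client's generate_service_last_accessed_details and get_service_last_accessed_details calls, and the access level of each action comes from the AWS Service Authorization Reference.

```python
"""Least-privilege review of an IAM identity policy against Access Advisor data.

Added example for this module; not EC-Council or AWS code. Every input
below (policy, action catalog, last-accessed timestamps) is constructed.
"""
import fnmatch
import json
from datetime import datetime, timedelta, timezone

# Constructed subset of an action catalog: action -> IAM access level.
# The real source is the AWS Service Authorization Reference.
ACTION_CATALOG = {
    "s3:ListBucket": "List",
    "s3:GetObject": "Read",
    "s3:PutObject": "Write",
    "s3:DeleteObject": "Write",
    "s3:PutBucketPolicy": "Permissions management",
    "s3:PutBucketTagging": "Tagging",
    "dynamodb:ListTables": "List",
    "dynamodb:GetItem": "Read",
    "dynamodb:PutItem": "Write",
    "iam:ListUsers": "List",
    "iam:AttachUserPolicy": "Permissions management",
    "cloudwatch:ListMetrics": "List",
    "cloudwatch:GetMetricData": "Read",
}
READ_ONLY_LEVELS = {"List", "Read"}

# Constructed policy under review: permissions that were "gradually added"
# with service-wide wildcards instead of the actions actually needed.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadObjects", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:Get*"], "Resource": "*"},
        {"Sid": "Tables", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Sid": "Metrics", "Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"},
        {"Sid": "IamAdmin", "Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    ],
}

# Constructed Access Advisor style data: service namespace -> last accessed
# (None means the service was never accessed since tracking began).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LAST_ACCESSED = {
    "s3": NOW - timedelta(days=2),
    "dynamodb": NOW - timedelta(days=120),
    "cloudwatch": None,
    "iam": None,
}


def _as_list(value):
    """IAM allows a single string or a list for Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def expand_actions(policy):
    """Expand each Allow action pattern against the catalog.

    IAM matches actions case-insensitively with '*' wildcards, so both sides
    are lower-cased before fnmatch. Returns {action: access_level}.
    Deny statements and NotAction are out of scope for this example.
    """
    granted = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            for action, level in ACTION_CATALOG.items():
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted[action] = level
    return granted


def beyond_read_only(granted):
    """Granted actions whose access level exceeds List/Read (sorted)."""
    return sorted(a for a, lvl in granted.items() if lvl not in READ_ONLY_LEVELS)


def unused_services(granted, last_accessed, now, max_idle_days=90):
    """Services the policy grants that were never used or idle too long."""
    services = {a.split(":")[0] for a in granted}
    stale = []
    for svc in sorted(services):
        seen = last_accessed.get(svc)
        if seen is None or (now - seen).days > max_idle_days:
            stale.append(svc)
    return stale


def refine_policy(policy, drop_services):
    """Copy of the policy with every statement that touches a dropped service removed."""
    refined = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    kept = []
    for stmt in refined["Statement"]:
        svcs = {p.split(":")[0].lower() for p in _as_list(stmt.get("Action", []))}
        if svcs & set(drop_services):
            continue
        kept.append(stmt)
    refined["Statement"] = kept
    return refined


if __name__ == "__main__":
    granted = expand_actions(POLICY)
    print("beyond read-only:", beyond_read_only(granted))
    drop = unused_services(granted, LAST_ACCESSED, NOW)
    print("unused services:", drop)
    print(json.dumps(refine_policy(POLICY, drop), indent=2))
```

Run it as a script to print the findings and the refined policy. Two caveats before acting on the output: Access Advisor reports at service granularity (action-level data exists only for a handful of services), recent activity can lag by around 4 hours, and a service idle for 90 days may still be needed for a rare task, so confirm against CloudTrail Event History, as the module suggests, before removing anything; and the script drops whole statements, so a statement that mixes a used and an unused service would have to be split first.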
