호프 2023. 12. 3. 17:45

IT Security

Access Control

Permissions

  • Permissions are needed to give users the specific access to data and resources that their job role requires
  • define type of access
    • Read-only access
    • Modify access
    • Delete access

Principle of Least Privilege

  • Grant only the minimal privileges needed to a user
  • Start with a minimum set of permissions, and grant additional permissions as necessary

Identity and Access Management

  • Organizations can have thousands of users that require different levels of permissions to various data sources.
  • So organizations should use an identity and access management (IAM) tool to govern user access and permissions centrally

Authentication and Authorization

  • Authentication: proving who the user is
  • Authorization: determining what permissions an authenticated user should be granted

 

Layers of Security

  • There are four main layers of security for protecting a data center

Perimeter Layer

  • AWS data center physical security begins at the perimeter layer
  • Security guards, fencing, security feeds, intrusion detection technology ..

Environment Layer

  • Dedicated to environmental considerations from site selection and construction to operations and sustainability
  • Mitigate environmental risks: AWS carefully chooses its data center locations to mitigate environmental risks
  • High availability and performance: Multi-AZ
  • AWS business continuity testing: simulate different scenarios
  • Energy saving

Infrastructure Layer

  • The data center building and the equipment and systems that keep it running
  • Backup power equipment, HVAC systems, fire suppression equipment ..

Data Layer

  • Most critical point of protection because it is the only area that holds customer data
  • Even though protecting your data is ultimately your responsibility in the cloud, AWS takes extra precautions to protect the media.
    • Storage devices are decommissioned using National Institute of Standards and Technology (NIST) techniques to destroy customer data.
    • AWS is audited by external auditors to confirm that established rules needed to obtain security certifications are followed.
    • AWS servers can notify employees of any attempts to remove data. In the unlikely event of a breach, the server is automatically disabled.

 

AWS Shared Responsibility Model

AWS Shared Responsibility Model

  • AWS has a shared responsibility model that outlines the security responsibilities of AWS and the customer.
  • designed to help relieve the customer's operational burden
  • Customers are responsible for the security of everything that they create and put IN the AWS cloud.
  • AWS manages the security OF the cloud, specifically the physical infrastructure
    • physical security of data centers
    • hardware and software, network, virtualization infrastructure

 

 

Shared Responsibility Examples

  • Customer (security IN the cloud)
    • Amazon S3: bucket access policy, data encryption, file delete protection, user access
    • Amazon EC2: patching the guest OS, security groups, encrypting volumes, IAM assignment, user access
    • Amazon VPC: security groups, network ACLs, configuring for public or private access, user access
  • AWS (security OF the cloud, for every service): protecting the infrastructure that runs the services, including hardware, software, networking, and physical facilities

AWS IAM

AWS Identity and Access Management(IAM)

  • AWS service that lets you control user access to services in the AWS cloud.
  • free service

Using IAM

Multi-Factor Authentication (MFA)

  • MFA is an extra layer of protection that you can require to authenticate a user that is logging in to your AWS account.
  • More than one authentication factor is checked before access is granted.

IAM Identity Center

  • helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications.
  • A tool for securely creating and connecting user identities and centrally managing their access across AWS accounts and applications

Options for Using IAM

  • AWS Management Console
  • AWS Command Line Interface (CLI)
  • AWS Software Development Kit (SDK)

 

IAM Use Cases

1. Apply detailed permissions

  • create and apply permissions based on user attributes by using attribute-based access control

2. Manage per-account and application access

  • manage per-account identities
  • provide multi-account access and application assignments across AWS

3. Establish organization-wide guardrails on AWS

  • provide the ability to establish organization-wide and preventative guardrails on AWS

4. Set, verify, and right-size permissions

  • set, verify, and right-size user permissions in accordance with the principle of least privilege

IAM Entities

IAM User

IAM Users

  • An IAM user represents a specific person or service that uses IAM to interact with AWS
  • A newly created IAM user has no permissions by default.
    • You can manage IAM user permission by creating IAM policies and attaching them to the IAM user.
  • IAM users can access AWS resources through the AWS Management Console or programmatically

IAM Credential Types

  • AWS Management Console: with user name and password
  • Programmatic access: with access key
    • Access key = access key ID + secret key
    • Each user can have two active access keys: useful when you need to rotate the user's access keys or revoke permissions without downtime.

Root User

  • When you first create an AWS account, you access your account as the AWS account root user
  • Complete access to all AWS services and resources in the account
  • AWS strongly recommends that you don't use the root user's credentials for day-to-day interactions with AWS

 

IAM Policy

IAM Policy

  • IAM policies are JSON documents that you attach to entities (users, groups, or roles) to control permissions.
  • An entity can have more than one policy attached to it
    • All policies are evaluated, and the result is always either allowed or denied
    • When there is a conflict, the most restrictive policy applies.

Policy Example

(the # comments below are annotations only; JSON does not allow comments, so remove them before using the document)

{
    "Version": "2012-10-17", # version of the policy language; using the 2012-10-17 version is recommended
    "Id": "AWS-Practice-Permission", # policy ID (optional)
    "Statement": [
        {
            "Sid": "FirstStatement", # statement ID (optional)
            "Effect": "Allow", # whether the policy allows or denies access
            "Action": ["iam:ChangePassword"], # list of actions the policy allows or denies
            "Resource": "*" # list of resources the actions apply to; optional when creating a resource-based policy -> if this element is omitted, the actions apply to the resource the policy is attached to (required only in some cases)
        },
        {
            "Sid": "SecondStatement",
            "Effect": "Allow",
            "Principal": { # when creating a resource-based policy, you must indicate the account, user, role, or federated user to allow or deny access (required only in some cases)
                "AWS": ["arn:aws:iam::12345678912:root"] # IAM ARNs have an empty region field; the account ID here is a placeholder
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/*"
        },
        {
            "Sid": "ThirdStatement",
            "Effect": "Allow",
            "Action": [ "s3:List*", "s3:Get*" ],
            "Resource": [ "arn:aws:s3:::confidential-data", "arn:aws:s3:::confidential-data/*" ],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}} # specifies the circumstances under which the policy grants the permission (optional)
        },
        {
            "Effect": "Deny",
            "Action": [ "s3:List*", "s3:Get*" ],
            "NotResource": [ "arn:aws:s3:::confidential-data", "arn:aws:s3:::confidential-data/*" ]
        }
    ]
}
  • Effect: specifies whether the statement results in an allow or an explicit deny
  • Action: specific actions that will be allowed or denied
  • Resource: specify the objects that the statement covers using Amazon Resource Name (ARN)
  • NotResource: matches every resource except the ones listed; combined with Deny, it ensures that users can't use any resource other than those specified

Identity-Based Policy

  • permission policies that you can attach to an identity, such as an IAM user, role, or group
  • control what actions that identity can perform, on which resources, and under what conditions
  • AWS-managed policies: policies that are created and managed by AWS
  • Customer-managed policies: policies that you create and manage in your AWS account
  • Inline policies: policies that you create and manage and that are embedded directly into a single user, group or role

Resource-Based Policy

  • permission policies attached to a resource such as an S3 bucket or a KMS key (bucket policy, KMS key policy ..)
  • specify who can access the resource and what actions they can perform on it
  • defined inline only
    • define the policy on the resource itself instead of creating a separate IAM policy document that you attach

Conflicting Policies

  • Implicit deny: default
  • Explicit allow: overrides implicit deny
  • Explicit deny: overrides explicit allow
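To make the three evaluation rules above and the Policy Example concrete, here is an added example (not AWS's own evaluation engine) in Python: a simplified model of how the statements of an identity-based policy are combined for one request. It reproduces the page's example policy (annotations stripped, stray commas removed, account ID kept as a placeholder), models only the Bool condition operator, and ignores SCPs, permission boundaries, session policies, and the Principal element, which this model assumes is the identity the policy is attached to.

```python
import fnmatch

# Added example (not AWS's evaluation engine): a simplified model of how IAM
# combines statements. Real IAM also weighs SCPs, permission boundaries,
# session policies and cross-account resource policies, which are ignored here.

# The page's example policy, reproduced without the annotation comments and
# with the stray trailing commas removed. The account ID is a placeholder.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "AWS-Practice-Permission",
    "Statement": [
        {"Sid": "FirstStatement", "Effect": "Allow",
         "Action": ["iam:ChangePassword"], "Resource": "*"},
        {"Sid": "SecondStatement", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::12345678912:root"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*"},
        {"Sid": "ThirdStatement", "Effect": "Allow",
         "Action": ["s3:List*", "s3:Get*"],
         "Resource": ["arn:aws:s3:::confidential-data",
                      "arn:aws:s3:::confidential-data/*"],
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny",
         "Action": ["s3:List*", "s3:Get*"],
         "NotResource": ["arn:aws:s3:::confidential-data",
                         "arn:aws:s3:::confidential-data/*"]},
    ],
}


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    # IAM treats '*' and '?' as wildcards; action names are case-insensitive, ARNs are not.
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    # Only the Bool operator is modelled, which is all the example policy uses.
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            # A key missing from the request context never satisfies the condition.
            if key not in context or str(context[key]).lower() != str(expected).lower():
                return False
    return True


def statement_applies(stmt, action, resource, context):
    """True when Action, Resource/NotResource and Condition all match the request."""
    if not _matches(_as_list(stmt.get("Action")), action, fold_case=True):
        return False
    if "Resource" in stmt and not _matches(_as_list(stmt["Resource"]), resource):
        return False
    # NotResource matches everything EXCEPT the listed ARNs.
    if "NotResource" in stmt and _matches(_as_list(stmt["NotResource"]), resource):
        return False
    if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
        return False
    return True


def evaluate(policies, action, resource, context=None):
    """Implicit deny by default; any matching Allow flips it; any matching Deny wins outright."""
    context = context or {}
    decision = "implicit deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            decision = "explicit allow"
    return decision


if __name__ == "__main__":
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    conf = "arn:aws:s3:::confidential-data/report.csv"
    print(evaluate([EXAMPLE_POLICY], "s3:GetObject", conf, mfa))   # explicit allow
    print(evaluate([EXAMPLE_POLICY], "s3:GetObject", conf))        # implicit deny (no MFA)
    print(evaluate([EXAMPLE_POLICY], "s3:GetObject", "arn:aws:s3:::mybucket/x.txt", mfa))  # explicit deny
```

The third call is the interesting one: SecondStatement explicitly allows reading mybucket, but the final Deny with NotResource applies to every bucket other than confidential-data, so the explicit deny wins. Without MFA in the request context, the read of confidential-data is neither allowed by ThirdStatement nor denied by the last statement, so it falls back to the implicit deny.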

 

IAM Group

IAM Group

  • IAM groups can help you manage users that have the same permissions.
  • IAM group is a collection of IAM users

 

IAM Role

IAM Role

  • Roles can be used to provide permissions to users or services so that you don't have to attach security credentials to the principal.
  • An IAM role is an identity with permission policies but without any long-term credentials
    • intended to be used by anyone who needs short-term access
  • An IAM role is an IAM entity you can create in your account that has specific permissions: you attach an IAM policy to the role
  • When a user or service assumes the role, it inherits the role's permissions temporarily
  • Once the role session ends, the user or service no longer has the permissions that the role provided

IAM Roles Trust Policy

  • Users and services don't automatically have access to roles -> they need to be configured in the trust policy of the role
  • A trust policy is a JSON policy document where you define the principals that you trust to assume the role
    • a principal is an entity in AWS that can perform actions and access resources
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
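The "set, verify, and right-size permissions" use case and the trust policy above both come down to reading policy documents for grants that are wider than the job needs. The following is an added example, not AWS tooling (IAM Access Analyzer does this properly): a small static check in Python whose rules are my own. It flags Allow statements that pair a wildcard action with every resource, Allow statements that use NotAction or NotResource (which grant everything except the listed items), and trust policies whose Principal is "*" or an entire account. The sample policies are constructed for the example; the account ID is a placeholder.

```python
# Added example (not AWS tooling): a least-privilege linter for IAM JSON
# policies held as Python dicts. The rules are the author's own heuristics.


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_full_wildcard(action: str) -> bool:
    # "*" grants every action; "s3:*" grants every action of one service.
    return action == "*" or action.endswith(":*")


def check_permission_policy(policy: dict) -> list:
    """Findings for an identity- or resource-based policy (strings, one per issue)."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"statement[{index}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access; they never widen it
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action except the listed ones")
        if "NotResource" in stmt:
            findings.append(f"{sid}: Allow with NotResource grants every resource except the listed ones")
        if "*" in resources and any(_is_full_wildcard(a) for a in actions):
            findings.append(f"{sid}: wildcard action {actions} on every resource; scope both down")
        elif "*" in resources and any("*" in a for a in actions) and "Condition" not in stmt:
            findings.append(f"{sid}: wildcard actions {actions} on every resource without a Condition")
    return findings


def check_trust_policy(policy: dict) -> list:
    """Findings for a role trust policy: who is allowed to call sts:AssumeRole."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"statement[{index}]")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the bare string "*" or a map such as {"AWS": [...]} / {"Service": ...}.
        aws_principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS"))
        if "*" in aws_principals:
            if "Condition" in stmt:
                findings.append(f"{sid}: anonymous principal narrowed only by a Condition; review its keys")
            else:
                findings.append(f"{sid}: any AWS principal may assume this role (Principal '*', no Condition)")
        for arn in aws_principals:
            if arn.endswith(":root"):
                findings.append(f"{sid}: trusts the whole account {arn}; its IAM policies decide who may assume")
    return findings


# Constructed sample policies (not from the page); account ID is a placeholder.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ReadAnywhere", "Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ChangeOwnPassword", "Effect": "Allow",
         "Action": ["iam:ChangePassword"], "Resource": "*"},
        {"Sid": "ReadConfidentialWithMfa", "Effect": "Allow",
         "Action": ["s3:List*", "s3:Get*"],
         "Resource": ["arn:aws:s3:::confidential-data", "arn:aws:s3:::confidential-data/*"],
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}
EC2_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
ACCOUNT_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::12345678912:root"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, policy in [("BROAD", BROAD_POLICY), ("SCOPED", SCOPED_POLICY)]:
        print(name, check_permission_policy(policy) or "no findings")
    for name, policy in [("EC2", EC2_TRUST), ("OPEN", OPEN_TRUST), ("ACCOUNT", ACCOUNT_TRUST)]:
        print(name, check_trust_policy(policy) or "no findings")
```

Note that the scoped policy's "iam:ChangePassword" on Resource "*" is not flagged: a single, specific action on every resource is a different risk class from a wildcard action, and for some actions (such as changing your own password) IAM requires "*". The trust-policy check reports an account-root principal as informational rather than as an error, because trusting an account is the normal cross-account pattern; the point is that the trusted account's own IAM policies then decide which of its principals may assume the role.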

 

Use Case for Roles

  • Roles for IAM user: you don't have to share long-term security credentials for each user
    • Used when you want to give several IAM users specific permissions without sharing long-term security credentials with them
  • Roles for AWS services: services can perform actions in your AWS account on your behalf
  • Roles for external users: if you already manage user identities outside of AWS, you can use IAM roles to grant users access to AWS