Title: AWS re:Inforce 2024 - IAM policy power hour (IAM304)
Insights:
- Session Structure: The session is structured like a workout, with segments such as warm-up, balance training, resistance training, cross-account training, agility training, interval training, and recovery.
- IAM Policies Overview: Emphasis on understanding IAM policies, the shared security model, and the importance of robust access controls.
- Policy Enforcement: AWS enforces access controls for every request, ensuring that access is only granted when explicitly allowed.
- Policy Creation and Maintenance: Users are responsible for creating, maintaining, and refining access controls based on business needs.
- Demo Focus: The session includes five live demos showcasing various aspects of IAM policies, including Secrets Manager and service control policies (SCPs).
- PARC Model: Policies are structured around the PARC model (Principal, Action, Resource, Condition) to define access controls.
- Types of Policies: Different types of policies include service control policies (SCPs), permission boundaries, VPC endpoint policies, identity policies, and resource-based policies.
- Cross-Account Access: Cross-account access requires both identity and resource policies to grant access, emphasizing the need for precise policy configurations.
- Security and Development Collaboration: Central security teams set guardrails and standards, while developers apply fine-grained permissions and remediate broad access.
- Data Perimeter: Establishing a data perimeter involves ensuring trusted identities access trusted resources from expected networks.
- Policy Verification Tools: Tools like AWS Managed Policies, policy generation, and validation help in creating and verifying policies.
- Automated Reasoning APIs: New APIs (check no new access, access not granted, check no public access) help verify policies in CI/CD pipelines.
- Access Analyzer: IAM Access Analyzer helps identify external and unused access, providing insights into security posture.
- Policy Recommendations: New feature for generating policy recommendations to remove unused access, simplifying policy management.
Quotes:
- "The only thing I'm going to ask you to do right now is a little fist pump for policies."
- "My sole job is to provide robust access controls so you get to define who can access what under what conditions."
- "A deny will always win. And so every time you're like, oh, it's denied, think about the context, think about the policies, and only if there's an allow statement will access be granted."
- "For cross-account access, both... if you have, like, a... think of a hotel room with two shared hotel rooms; some people get... both of those doors have to open for access to flow through."
- "You establish those guardrails, and then developers, you can allow them to kind of start a little bit broader, play, explore, especially in those development environments."
- "We don't like that. Nobody likes public access, and so... it has some use cases, but in my world we don't like it."
- "If you do one thing today, you can go turn this on for an org or an account free of charge, go turn it on."
- "If they haven't been used, you do not need them, they do not bring you joy, get rid of them."
- "Make sure you put on confused deputy controls. These would be that source account ID or source org ID. Make sure it's coming from your organization."
- "I'm glad you're as passionate about IAM policies as I am."
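The evaluation rules the session summarises (an explicit deny always wins, access needs an explicit allow, cross-account access needs both the identity policy and the resource policy to allow it, and a confused-deputy condition on the resource side) as a small added evaluator. This is example code written for this page, not AWS's evaluation logic: it models only `StringEquals` conditions, treats context keys as opaque values, and ignores SCPs, permission boundaries and session policies. The role, secret ARN and org ID are constructed sample values.

```python
import fnmatch

def _matches(pattern, value):
    """Case-insensitive wildcard match for Action and Resource (string or list)."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def _conditions_hold(cond, ctx):
    """Only StringEquals is modelled; enough for aws:SourceAccount / aws:SourceOrgID checks."""
    return all(ctx.get(k) == v for k, v in cond.get("StringEquals", {}).items())

def _effects(policy, req):
    """Effects of every statement matching the request's principal, action, resource and condition."""
    out = set()
    for st in policy.get("Statement", []):
        principal = st.get("Principal", "*")  # identity policies carry no Principal element
        allowed = principal if isinstance(principal, list) else [principal]
        if principal != "*" and req["principal"] not in allowed:
            continue
        if (_matches(st["Action"], req["action"]) and _matches(st["Resource"], req["resource"])
                and _conditions_hold(st.get("Condition", {}), req.get("context", {}))):
            out.add(st["Effect"])
    return out

def evaluate(req, identity_policy, resource_policy=None):
    """Return 'Allow' or 'Deny' for a request under the caller's identity policy and the target's resource policy."""
    ident = _effects(identity_policy, req)
    res = _effects(resource_policy or {}, req)
    if "Deny" in ident or "Deny" in res:  # an explicit deny always wins
        return "Deny"
    if req["principal_account"] != req["resource_account"]:  # cross-account: both doors must open
        return "Allow" if "Allow" in ident and "Allow" in res else "Deny"
    return "Allow" if "Allow" in ident or "Allow" in res else "Deny"  # same account: either suffices

# Constructed sample: a role in account 111111111111 reads a secret owned by account 222222222222.
ROLE = "arn:aws:iam::111111111111:role/app-reader"
SECRET = "arn:aws:secretsmanager:us-east-1:222222222222:secret:db-creds"
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                                  "Resource": SECRET}]}
# Resource policy on the secret; the confused-deputy key is only satisfied when the expected org ID is present.
RESOURCE_POLICY = {"Statement": [{"Effect": "Allow", "Principal": ROLE,
                                  "Action": "secretsmanager:GetSecretValue", "Resource": SECRET,
                                  "Condition": {"StringEquals": {"aws:SourceOrgID": "o-example123"}}}]}

def request(org_id=None):
    """Build the cross-account GetSecretValue request; org_id populates aws:SourceOrgID in the context."""
    ctx = {"aws:SourceOrgID": org_id} if org_id else {}
    return {"principal": ROLE, "principal_account": "111111111111", "resource_account": "222222222222",
            "action": "secretsmanager:GetSecretValue", "resource": SECRET, "context": ctx}
```

Dropping the resource policy, dropping the org ID from the context, or adding a single `Deny` statement anywhere each flips the result to `Deny`, which is the behaviour the session describes.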