AWS re:Inforce 2019: Scale Permissions Management in AWS w/ Attribute-Based Access Control (SDD350)

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

now when I don't know what signal I get oh maybe that's a countdown oh the countdown just started we're good okay thank you everyone for coming yet put those headsets on I'm gonna try really hard not to yell in your ear this is very awkward for me to see everybody with headsets alright can I just get a fist pump four policies will fist pump yes yes okay so that's exciting part I didn't know I had it now I know you really a little bit are listening my name is Bridget Johnson I am a senior manager in AWS identity you may know me from reinvent I've done a bunch of policy talks on ion policies so today we're gonna dig into one angle of that I'm really happy to be here at this inaugural event like how cool you're gonna always get to say that you made it to the first reinforce so I'm pretty excited okay this is the next hour for you so we're gonna do a permissions review how many of you you can raise your hands because you can still hear me and I can still see you and have used written and ion policy I am roll all that sort of stuff okay good that is exactly what I wanted the permission review is light so I'm kind of gonna expect by the end that you know some policy stuff because we're gonna see some JSON it's gonna be great and we're gonna do some demos it'll be a lot of fun then I'm going to introduce a back so this is using attributes to scale your permissions management and I'll talk a little bit about the model and how to think through it then I'll talk about the steps to implementing and applying a back in your organization and then we'll round up with some best practices that you can take back to your organization and as you start thinking about a back and permissions at scale you can go check against those best practices all right I can see all the colors so if anybody switches colors I'm gonna be slightly offended and I might kick you out just kidding you can stay but all right permissions review so I talked to a lot of customers and I tend to talk to security professionals they tend to talk to central security team CIO CTOs all that and this is what I hear all the time hey we want to give developers freedom we want them to be agile we want them to go move and build as fast as they can right you don't know what they're working on they could be working on healthcare products or getting you know you're streaming content out but they got to go build and they got to go build fast and then there's always this but but we want to ensure that they don't do anything dangerous or we want to prevent those dangerous actions or we want to make sure that we always have an admin role that we can control the account with and a little bit of cost control so this is where we're talking about hey first go set up permission guardrails there's a movie I just did on that there's a couple other people talking about permission guardrails with a Tobias organizations check it out but the second part of that is once you have those permission guardrails set up into place then you need to allow some general access that's still granular based on your attributes and that's where this part comes in so it always comes down to who has access to what does this sound familiar to oh not if like you've always gotten the who has access to what okay so the who I put on here work force users and that's a little too specific but essentially the who can be an application it could be a developer anybody doing data analysis in today's examples I'm just going to talk about users they're humans they're easy to depict on slides so just know that but no the same models can apply to applications and then your what the what is AWS resources these are your buckets these are your cloud watch alarms your lambda functions your secrets and secrets manager fun fact there's over 300 resource types in AWS right and so that's a lot of what that you gotta control and the permissions the part in the middle that connects it all together and that permission is very important because that says every request one of those resources make sure that I have explicitly allowed access and so that's what we're going to talk about today we're going to talk about that red box okay so when you talk about that red box there's two parts to it first is your job your job I'm assuming that you've all dealt with some I own policies you have access to kind of do permissions your job is to specify you define which entities are allowed to perform which actions on specific actions on specific resources under specific conditions another fun fact there's over 4,000 actions in AWS so we get granular we're really good at granular and that's awesome and so you can specify a bunch of permissions there the next part is my job literally I sit there and for every AWS request I say yes no yes no yeah I'm just kidding I don't do that I would not be here today there's a lot of requests in AWS but it is a WSS job right and so that is for every request that comes in is that we evaluate based on the policies that you set and we either allow or deny access there's no middle ground it's either yes or no so that's a little bit of your review and as we've thought about this this is the model that we have had historically in the cloud and even on-premise asan instances etc is you have your identities and you grant explicit act access to a set of permissions right so you might have a user who is the database administrator and they would have database administrator or the network administrator or a developer and maybe your network administrator is also your developer and so you would not combine the two you would say oh you're also allowed to have this role so this is role based access control and role based access control this is what it looks like and this is what you may be used to and it kind of formed from early on there was ackles right it was point-to-point and then eventually okay that doesn't work because that doesn't scale so let's create these permission sets and you give you assign people permission sets based on it and so with Auerbach you grant user specific permissions by assigning a collection of roles so they could have one or they could have multiple right who's an admin that gets to a set gets assigned like tons of roles and different as a guy yeah this guy's like oh yeah that's me yeah I hear ya and then you can create a distinct role for a unique permission combination okay we get that all right new things need to go together maybe two teams start working together you create a new combo policy or permission set when you need to update permissions you go to that permission set and you add the permission okay and that's the part that I'm betting a bunch of people in the audience get stuck doing a lot of right you are constantly adding permissions every new resource that's created you got it out of permission and then to determine access you go to that permission set that little box in the middle and you say oh this is this is what they have access to with this model there are parts that are not as enjoyable as you scale right for every new resource you have to go update a policy if you want granular permissions that becomes cumbersome and so what the industry and even years ago people started to talk about a back using attributes to scale permissions management and we have it and it's it's it's very cool and it's something better that you can start implementing in AWS and it helps with scale a lot so this is what it is you use attributes and then you combine them with general permission rules that scale with your organization and we're going to go through that model so before I go to the model I want to make sure we're all aligned on attributes okay so it can be a key such as PII compliance or it can be a key such as pickles that's a project name maybe or it can be production that is a key or you can put it as a key and value pair so that might be hey user ID equals our alien friend there's not very many icons I get to use so aliens are gonna be developers in this presentation or you have team equals unicorn on project pickles and this is your instance over here or your project pickles environment development and created by our alien friends so you can see some similarities but the keys and the values are a little bit different so that's what it is and so when I say a key or an attribute this is what I mean it can be defined by your identity provider in some cases so like an iamb we have a pretty common one like user name or it can be one that you provide which is custom and in AWS the custom ones that you're gonna find our tags whose that were tagged a resource yes all right we love us some tags so good okay so this is this is a back with instead of multiple lines you're gonna have one simple line right and so you have on your left these are your identities and they have attributes and today I just made them colors to make this slide pretty easy and that's on your left and on your right you have resources guess what those also have attributes and then the middle becomes a really simple rule based on matching is this the same as that allow different doesn't work and so you can write some really general rules that allow you to match so let's talk about these attributes a little bit today those are your IM users and I am roles in AWS and those attributes those tags are your tags on the I am users and I am roles that's really powerful so today you'll see that I go to a role I'll tag it project equals pickles you're gonna understand why pickles is the thing in my brain in just a second and then you'll get access to a project equals pickles in the future yes I just mentioned in the future you will be able to pass attributes through from your identity provider using the sam'l assertion and put them in your wool session somebody's fist pumping I love that and those are then put in your permission context and you can write the same policies from that what that does for you is that makes your identity provider the source of truth so if you have attributes on your identity provider then start thinking about which ones you're going to want to pass through and require because you can then write permission rules for AWS resources so as you think as you look at my demo today I'm going to show you the tags on roles but imagine what you could do if that same tag that I'm referencing is from your identity provider and for those of you who run some custom broker stuff there's a lot of power you can do by inserting things that you get from maybe a DynamoDB table or somewhere as well so it's an option all right so you can kind of start seeing how we're scaling right because now your job is not updating policy but your job is just making sure the attributes are great and then all the permissions take care of themselves in scale so what are the benefits of a BAC so permission scale with innovation and it enables developers to build right and I'm going to show you at the end of my demo is once they have these permissions they go create resources their team can modify resources they can modify the resource you don't have to touch the policy in between and that gives you a lot of freedom as an administrator as well also teams move fast permissions apply automatically they don't have to create something and then wait for it because it's all based on their attributes and attributes are really quick to change the other thing is that powerful is that granular permissions are possible without requiring a permission update every single time right and so there's always this tension of okay you have too much access or not enough access etc and so what you can do is based on attributes and it's pretty granular because it's resource and identity specific but you don't have to update a policy and list and arn every single time and then finally to understand who has access to what you would audit the attributes and those are pretty locked down in most organizations and so that's where your identity provider will eventually come into play so I'm going to read these sentences I don't typically read slides but I'm going to read them because I'm gonna emphasize a certain word in every sentence and I want you to pick up on it and the reason I'm saying this is because I think you all have something in your mind about using tag based off but there's a there's a power that comes between when you actually have identity tags as well so one grant developers read and write access to their project resources require developers to assign their project to new resources grant developers read access to resources that are common to their team manage only the resources that I own right I didn't put in project pickles I didn't put in cost Center one two three four I didn't put in any specific attribute what I did is I referred to the identities attribute and this is where the power of matching comes into play and that's that's that's what a BAC is all about and so realize that then you can create these in policy form you create one of them and you can attach it to different roles and eventually you can touch it to the same role and then the the identities come through with their attributes and it just applies based on attributes okay so you're like all right Bridgette I got this I got the attributes on the identities I got the attributes on the resources and there's matching how do I put that in my organization how is that going to play out okay there are five steps I will tell you that but the first three are a little bit like set it and forget it so whenever you think of the first three steps of a back please think of rotisserie chicken like I need you to all think about chicken in this moment I don't know if anyone's seen that reinforce all about rotisserie chicken so one two and three I'm gonna play the admin for a little while and then I'll switch over and be the alien but I'm gonna be this woman with a bun and so the first step is go create your identities with access control attributes I'm naming them access control attributes for a reason because these are the attributes you will use for access control I understand there's a ton of other different types of attributes I'll talk about that in best practices number two is you're going to require attributes for new resources this means every time are a little alien developer friend goes and creates a new resource that resource during creation gets an attribute this could be their project or cost center both I don't care and then finally we're gonna set permissions based on attributes so this is the management of those resources they've created the resource with an attribute then they get to go maybe they get to go delete their own secrets or they get to go delete their own instances or restart their own instances etc that's all management okay then I'm gonna put on my developer hat and as we're going to go have some fun so I'll be a developer all going to be alien and I'm gonna go create new resources and then I'm gonna switch over to another role and I will be able I'm gonna play around with resources and you can see that I can only play around with my resources I can't play around with those and we'll we'll just have some fun there all right so this is my demo setup so team pickles pickles is my horse if nobody knew that now you know he's a pretty great horse I you know he lives out in the country with his friend copy and I go ride him a few times a week he's great so love pickles team bubbles well you can all understand what that is I also love champagne two should not be combined and so those are the two teams that we got going the two projects that's why then I'm in a demo Secrets Manager so secrets manager is an incredible service it allows you to turn your long-term credentials into short-term credentials because we should all be working towards putting short-term credentials everywhere and so with it you can set up rotation you can manage you can control access you can audit a lot of power in here and the plus side is is anything than AWS that has a long term credential such as an already AZ database they've already set up rotation for you and so it's really easy to configure that and so you're not using post-it notes all the time and whatnot so if you haven't checked that out I really highly recommend that you do all right so that's setup okay step one this is we're just going to go create the role right and the only reason I'm going to show you this is so I can show you where to put the tags but essentially I'm gonna I'm going to create a role for project pickles and I'm gonna tag it with project equals pickles and costs enter one two three four I'm actually not gonna create the bubbles role because it's the same steps but I do have a bubbles role on my account and project egos bubbles cost Center 2048 if you are I'm gonna give you one second where do you think I got 2048 from yes I'm addicted to that game I play it all the time I got 2048 the other day if you haven't checked it out it's a great mindless game and it really inspires innovation not really but it's fun so demo steps I'm gonna create just the first role just for a time fake and I'm pretty sure you all know how to create the role so here we go um one thing to point out in chrome I'm an admin I'm the woman with the bun in Firefox I am a developer I'm the alien so that should make things pretty easy for you all right so this is my account I'm in that zombies account it's in an organization and I'm gonna go create a role so I'm going to create a role for another account just because it's a little bit easier copy that over imagine you can assume role that's how I have something up I'm actually not going to add any permissions right now because we're gonna add permissions later because I want to walk through the policies with you but I am going to add tags so we'll do project is pickles and cost Center is one two three four next we'll do a review and we'll do project pickles and just today's date because I've done this demo already today so I'm going to add a one just because I practice which is good this grants access to project pickles alright so we're just going to create the roll so that's all you would do that is you have setup the attributes on that roll and I'll just show you here that they come up right there down at the bottom we have our things you can add more if you want but those are the two that we're using for access control today all right so that was the admin step one here we go if I get if I go faster then I get to play at the end so next I'm going to create a policy that says for all the new resources that that role creates they must tag the resource with the project of the role that created the resource so in that role that I just created it would be project pickles and same thing with the cost center so I'm gonna I'm not gonna create the policy I'm actually just going to show you it I've already staged it and then we'll attach it and we'll go from there so project cost Center and then the other thing is is I want my developer to be able to tag with a couple other things actually or remove created by but application and stage are there so we'll play with that a little bit so this is a policy that's there so I'm going to spend some time here so this is on the create action so when I create a secret one is I must those are the string equals okay I must pass in a request tag for project and the value must be my project if there is one thing you take away from this session is is that you can use the AWS principle tag as a variable on the right hand side of policies you can use this in arns if you name your resources you can use this in conditions and you can definitely use it to compare tax so that's one thing I want you to take away the other thing I want you to take away is this condition key right here we're quest tag when you read the word request that is a new tag that is being applied it is different than a resource tag I will show you resource tag next so this also says and you must pass in cost Center and it must be the value of your cost Center no way around it I cannot create a secret with cost Center 2048 I cannot give that cost to another team because my cost Center is one two three four and oh by the way you can pass another tag keys you can pass in project and cost Center but you also get created by an application so I'm gonna play around with application towards iam ok let's do this I think that's all yeah that's step three we'll go this up three next so I want to show you the policy that I've already created just because it's faster so this is create secrets with required tags and I'm just gonna edit the JSON so you can see and I have the same policy here and then the only other thing I gave at the end was list secret so list api's typically don't filter based on tags because they're used for the console to go and list all your resources all it does is give you the the name it doesn't give you any metadata or anything about it so just know that that's usually required for console usability okay and I will the next step that you would do is you would attach to the role that you just created okay all right so now I have this role which I'll update every now and then because we have a couple policies and you can see that I can create tags with four required tags I'm not going to go play with the tags yet because I want to show you about managing all right we are on to step three this is the third step of the Senate and forget it process I am going to say oh you can manage secrets with the same project tag as the role and so there's a couple parts to this management one is going to be yep you can rotate you can delete you can get the value of the secret all that sort of stuff but there's also the management of oh you want to be able to mess with some of the other tax so I want the developer to be able to add application blue or application green or yellow because we love yellow today but I don't want them to delete the project tag or the cost center tag and so let's look at those policies so can we get a fist pump for JSON yeah yeah all right love it okay so this is all about management and this is this this is very simple right hey you can do all of these actions you can describe the secret you can get the secret value you can change the value of the secret you can rotate the secret all these things only if I like bend down here the resource tag so that is the tag that exists on the resource request tag new tag you're requesting on a resource resource tag the resource that exists on the tag and then once again equals the principal tag only manage resources with these tags so that's step one so if I am on project pickles I create a new a new secret with all of my project tagged pickles and costing are one two three four great then I can go and I can rotate it if I want to immediately all right this is the other policy so you want people to be able to tag their resources and you need this permission to actually create the resource with attack and we allow very granular tagging permissions so first says hey you can tag a resource but only if that resource has an existing tag resource tag with my project tag okay so I can't touch any I couldn't touch a bubble's tag I couldn't touch any other teams tat or resource secret sorry then I say alright but if you pass in a tag key I need it to be one of these for all right and oh wait if you pass in so string equals if exists if you pass in project the value must be your project and if you pass in cost Center the value must be cost Center okay so there's one more layer to this and this is what do you allow for UNTAC do I want them to untag the cost Center no because the billing team would come yell at me do I want them to untag project no because that's my access control tag right but I don't care if they mess around with application so allow untag for any secret tag with my project tag and oh wait the only key that I can pass in is application so I'm gonna go attach all these policies to my new role and then we're gonna go play and have some fun all right so I will just show you the policies here let's just go with custom and manage project secrets so this is the first one where essentially I can you can kind of see it here on the console as I can do all these things but only if it's with the principle tag okay so I'm going to attach that to our new [Music] role glad that everything's working and the other one I'm gonna go look at is June is manage project secrets and we'll look at this one to show you I always give less secrets like I did and then oh I just showed you that one sorry about that clicked on the wrong one managed secret tags okay and you can see here and we'll look at the JSON can you all see that yeah we have the same things all right and then I'll just attach it to the new one that we created all right so the only other thing that I'm going to attach here today which I'll show you is I want to be able to rotate because rotating secrets and secrets manager is a little bit more fun and so I have granted access if you can see it to invoke this my rotation function which you can see right here because the secrets manager uses lambda so I'm going to just attach that to what I got here okay now I'm gonna do a little bit of a sneaky move which I'm going to show you the role that I created this one it's the same role this is the role I already have set up with switch role and everything in Firefox so it's the same thing all the all the same permissions all the same policies you can attach that to pickles roll bubbles roll etc so now I am the admin and I have set up everything so now we get to go be developers and developers get to move fast and they get to innovate and go create all the secrets they want and rotate so I'm gonna be an alien developer I'm gonna essentially assume that role that I just showed you I did that whole like baking show thing where the like they put all the ingredients together and then they like put it in the oven and then it comes out like two seconds later a full cake yeah I just have that set up just so you don't have to watch me switch role and everything I'm gonna go create a new secret I'm gonna use the role to manage secrets for other secrets that have already been tagged with pickles I'm gonna try to touch bubbles secrets and then I'm actually gonna switch over to bubbles and show you everything okay and then I might go rogue and put in some random tags and see what's going on with application and playing that okay we're gonna have some fun all right I am in the Seekers management console this is my pickles deth here we're gonna store in your secret okay I cannot list a bunch of other stuff that's good I'm just gonna store a really quick key value pair so my secret is reinforced I'm gonna go next and secret reinforced this is the reinforced secret I don't know if I can add that okay I'm actually not gonna put any tags on this guy or a girl and I'm not gonna enable rotation I'll go to the bottom what's gonna happen give me a thumbs up for pass a thumbs down for fail somebody asks a question no yeah all right we're getting a thumbs down failed to create secret I couldn't do it okay let's try again hmm I remember my admin telling me something about this cost center so I'm gonna do somebody else's cost center I don't want this bead billed to me gonna work correct failed again I can do this all day but let's actually do the things that we're supposed to do so project is pickles this would still fail if I left it at 2048 and I'll do that once again I'm not enabling rotation pretty simple demo I missed or well unexpected error that's not good and I guess you're all right my demo is not working should I go back its previous previous I think we're good if not I'll just move on alright um well now I got it they didn't get an author but we will try again hello world am I good yeah okay thank you the secret is for pickles next next oops where'd my tags once you before hmm I practice demo like five times alright so something's not working here but no worries it should work so I will I did used to create a baby I don't have secret lists secrets I'm in Oregon okay let's go secret stab sorry about that the only thing I can think of is that I'm in ok so let's go and assume role in bubbles maybe that won't work so we're gonna have some fun today but I guess we're just gonna have errors so I can list secrets so this is the bubbles roll I can show you the bubbles roll here everything's there and I can go into here and you can see that I can see everything cost Center project bubbles cost Center 2048 etc and I'm gonna go play with the tags so I'm gonna try to remove this tag will work correct failed somebody canceled I am now gonna actually try to edit the application will work yeah okay success on your move all right I am going to try to create a secret with bubbles now let's see if it works store a new secret and we'll do a back demo 625 and I'll just use this all over I'm gonna do next this secret or bubbles this time project and I won't do fail cases because you've seen enough fail cases for me today cost Center 2048 next I'm not enabling rotation next go through also cool thing you can get the sample code for your thing store and that worked so I don't know is going on before but that makes sense so now everytime bubbles creates a secret it's tagged that way and so you can kind of see in here oh this is all that now if I'm bubbles I won't be able to see anything with pickles so this is something that I don't have permission to even list describe do anything I can't do anything for that I could go in here and I should be able to well the bubbles roll doesn't have the lambda on it but let's go play here see what happens maybe I just needed to Rio after I put my computer to sleep there we go and let's rotate the secret because I can rotate it awesome rotates perfectly great and let's try to look at a bubble's tag it doesn't work so you can see how I'm flipping between bubbles and pickles all the way through but I can only access the things that I have access to and pickles land and that's the same policy working for both of those roles that I keep switching back and forth from up here and that goes through all that or all the other stuff will I be able to let's see I'm pickles will I be able to edit this to blue yep does anybody want me to try anything I know you can't like you can shout it out awkwardly with your headphones on but okay alright so that's I don't know why I was failing before but now we got it working with I think I just had to re off something about the connection so that is how it works and that means that like if you let somebody else assume the pickles role they would have a sign oh the other thing we can do oh let's do this okay now I want to have fun let's change the tag what do you think okay so what we can do here is I'm actually going to go to the roles of pickles and I'm gonna change the tag this is risky behavior because this is two bubbles all right what do you think am I gonna be able to go hang out with bubble secrets think so it's all there I can I can view it I'm not going to show you but I can see all the tags I can see all the data fall there can I see pickles Oh shouldn't be able to see pickles might be cached let's try this one that's bubbles well maybe that demo doesn't work across centers one two three four pickles let me go there and go back man I supposed to have some fun there you go it was just cash for a little bit in the console cool y'all get it it's all about the attributes see I changed the attribute on that on that role and it changed the permissions it took a little bit while at a proper gate but it worked there I was probably working too fast okay let's go back to the presentation all right so I've done the whole setup admin set it and forget it I became the developer I played around just showed you where I messed up a couple times changing policy and tags do you have to you know they take a little bit but I was moving too fast that's fine and now we're gonna talk about best practices so there are five of them that I'm going to share with you today and of those five these are the ones I want you to take back your organization I actually want you to care about the first one the most okay so you've probably all operated in AWS for a while and you could tag things and well one of our principal engineers likes to call it willy-nilly tags but you tagged them left right up and down with everything you want start thinking about which tags you are going to use for access control and do not mix these with other types of tags like cost allocation tags or description tags or whatever seriously think about which tags you're going to use for access control and start planning that out and making sure that everyone has the appropriate permissions to tag on create with them like I just demonstrated as well as not mess with those tags that brings me to my second point only approve entities or identities humans should be able to update a tag I am NOT going to allow people to just Oh secrets manager create tag for all resources or untagged for all resources that means they could go kill my project tag that means they could change the value of tags which means they could gain access to it so be very careful about who gets to change the values and that what tags are on resources all right third one is tag everything during creation so permissions apply automatically okay so you want to make sure that everything like I said when I created it when I eventually got it to create with bubbles those were okay bubbles is actually going to create resources with that tag and then anybody who was operating with bubbles on the tag on their role could go and then play with it for is rely on attributes to grant permissions to manage resources this allows you to scale right this allows you to only put that one line that says hey if it matches let it through if it doesn't match don't go through and and that's what you want for managing permissions and then finally periodically audit those attributes people do it all the time with their identity providers or even their tags on resources so spend some time when you go through and audit and find the things in between okay last thing I want to call out is one if you want some more information about this my reinvent talk become a policy master in 60 minutes or less this talks through permission guardrails it talks through a back it talks through a bunch of other permission boundaries all that service specific permissions documentation so one thing I didn't talk about today was that there is a growing number of services that support tab on create and tag based off all those things are required to do a back and so you can go to this page is the page I visit most in the docs and you can say okay I'm trying to do something in secrets manager right and oh does their create secret support tags or request tag resource tag you look for those two conditions and you can see see it's it's split up by service and you can see what's been updated and then finally somebody actually just published a blog on the AWS security blog all about implementing a back they didn't necessarily call it a back we're working on that but and it's all about principle tags and using principle tags to grant access so I want to thank you for your time today I will be over in this corner answering questions once I break down my laptop and everything and then one thing I did have to say sorry follow a device identity that's where you're going to see all the stuff on a back and permissions and all that's our stuff and if you want to you can follow me on Twitter Bijan so 5y thank you and finally I do read these I read every single comment that comes through because it's the only way we improve our content so you can put in there hey our demo didn't work but you know I did a live demo I could have given you a video but anyway it was fun I had a good time hands on keyboard type of thing so please submit the survey thank you [Applause]

Info

Channel: Amazon Web Services

Views: 11,086

Rating: undefined out of 5

Keywords: AWS, Amazon Web Services, Cloud, cloud computing, AWS Cloud, AWS re:Inforce, AWS re:Inforce 2019, security, identity, compliance, cloud security, AWS security, cloud security community, learning conference, Detective Controls, Infrastructure Security, Data Protection, Incident Response, Governance, Risk, Compliance, security best practices, Security Deep Dive, AWS re:Inforce 2019 Sessions, Session, SDD350-R, Brigid Johnson, 300 - Advanced

Id: Iq_hDc385t4

Channel Id: undefined

Length: 45min 21sec (2721 seconds)

Published: Wed Jun 26 2019