AWS re:Invent 2018: [REPEAT 1] Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1)

Captions
So thank you for being here, thank you for spending the time. I know it's late. I'm gonna try to keep it fun, I'm gonna try to keep it exciting. For all of you who are like, "should I stay to the end?": my favorite, most favorite policy that I've been wanting to share with customers for a really long time is at the end, and it's really cool. You can also watch it on YouTube later, but let's try to get to the end.

My name is Brigid Johnson. I'm a senior manager of product management in AWS Identity. I mainly work on IAM, Identity and Access Management, and Secrets Manager, and today we're gonna talk about policies and permissions.

This is what today looks like. I'm actually going to go really fast through the policy language. This is a little bit higher-level course, so I'm just gonna cover some basics that I'm gonna use. Why? Because I've already given a lot of details in previous talks, documentation, blog posts, etc., and I want to get to those use cases, because those use cases are probably where you need the most help. So I'm gonna recap the policy language really quickly. Then, as AWS has grown, we have offered more policy types, and I want to talk about what those do, what the use cases are and how they all work together. There will be some quiz questions and answers that I want you to be prepared for, and then at the end we're gonna go through a deep dive on specific use cases.

So how many of you manage more than one AWS account? Yes, good on you, and it's hard, right? And so we want to be able to show you how to create guardrails in your accounts, so we'll do that. Then we're gonna talk about controlling access to specific regions; that was a big one this year for a lot of our customers. And then we're gonna talk about two new features: first, permission boundaries, that's how to enable developers to create roles safely, and then we'll go into tag-based permissions, and then I'll show you my favorite policy. So let's get started.

Oh, one more call-out. I know this already happened at the top, but I wanted to 
call out the session: we work a lot with the automated reasoning group at Amazon, in AWS, and they do a lot of fantastic things with policy analysis, so definitely check that out on YouTube later. And then tomorrow, Vanguard is a customer that has been using permission boundaries in production at scale for their developers, and I really... they have a great use case and something very applicable to what we hear from a lot of customers, so take a look at their talk, it's gonna be quite interesting.

Recap of the IAM policy language. Who here has never seen a policy in AWS? You've got the right audience. So what are IAM policies, what's the structure and what's the evaluation rule? And then I'm gonna try something new on you, and this is a way that we talk about permissions and policy internally, and this is the first time I'm going to share it with you a little bit externally, and I want to see if it sticks, because it usually does when we talk about policy evaluation inside AWS.

So this is pretty simple: what are policies? The first part is your job, right? You do the defining. You get to say who should have access to what, and you do that by writing policy. The second part is my job, not really my job personally, but AWS's job, all right, and we do the evaluation. For every AWS request that comes in, we evaluate: can this person call this action on this resource at this time of day from this source IP, etc.? And that's our job. Okay, so you combine those two together and you have access control in AWS, and that's what we're all about here today.

So what does a policy look like? We talk about the PARC model, and so we have principal, action, resource and condition, and this obviously comes after an effect, which is going to be allow or deny. The principal you may not see very often. Why may you not see it very often? Mainly because you're attaching policies to principals, an IAM user or an IAM role, which means that we know the principal and you don't have to specify it. Now, when you're using, like, a bucket 
policy, which you attach to a resource, then you actually are going to want to specify the principal, which is the who. So principal is the entity that is allowed access. Action is the type of access that is allowed or denied; turns out there's over 4,000 actions in AWS. I counted one by one. Just kidding. Resource is the Amazon Resource Name; we use ARNs, you've probably all seen an ARN before, to specify which action can act on which resource. And then finally, condition: under what conditions is this true? I was looking around at our conditions out there; there are some very powerful conditions. You can talk about tags, is MFA enabled, what subnet are you trying to launch this instance in, etc. So take a look, there's a lot of things you can do here.

All right, policy enforcement. So this is how we think about it. First and foremost, we start at deny. I need you all to remember this, because when you're trying to debug permissions, if there is not an allow that matches, it will be denied. We do this to be secure by default. So if you don't have an allow, you start at deny. Then we evaluate all applicable policies. This includes policies at the organization, policies on the IAM user and role, policies on the resource, and even policies in the session itself. And we say, is there an explicit deny? What happens if there's an explicit deny, meaning you, as the person who's the admin, said "I do not want to allow anybody at this"? Access denied. Thank you, I heard in the back, whoever's loud. Awesome. All right, then we say, is there an allow? And if there is, what happens? We get allow. That's exactly right, you all are kind of awake, it's good. What happens if there's not an allow? Yes, that's it, we go back to our original deny, right? So this is really important, because the allow must match.

All right, so this is a different way of thinking about it, and it might help you understand policy evaluation just a little bit more. So at the end of the day, when there's an allowed or denied decision, that's at the bottom middle, you have a request 
and you make a request to AWS, and that request says: I'm trying to perform this action on this resource at this time of day from this source IP, I've authenticated with MFA, and I'm passing in a few parameters. Those are things that you pass in to your request, and then there are some other things that AWS might populate as well; it might populate the tags on the resources or anything like that, right? So that's the context. Okay, that's part one. The other part is your job that we talked about earlier: you define the policies.

All right, so you might be asking, what the heck is in the middle? Some people think it's crazy foo. They call me up: "Brigid, what is going on? I don't understand this." Some people think it's an alien. Definitely had things like this. You know, keep in mind I was limited to the images that they let me put on PowerPoint, so that's where we're at. Some people think it's me, that I was cloned and I actually allow or deny every little action. It turns out there's a lot of actions in AWS per second. But really, it's just matching, okay? And so, instead, when you run into the problem of "I don't know why it's denied, I don't know why I don't have access", ask yourself a question: what's not matching? Okay, so is it the action that's not matching? Is it the resource that's not matching? Do I have some condition where, for some reason, I didn't pass in the right parameter, and that condition is being checked and it's not matching? So at the end of the day, that's all we're doing: we're saying, does the context that's coming in match an allow statement that has been defined in a policy?

All right, there are multiple types of policies in AWS, but they all use the same policy language. So first and foremost, we have AWS Organizations, that allows you to group your accounts, and then there's a lot of integrations that are happening and more on the way, so CloudTrail, etc. But the cool one is service control policies, and I just talked to an instructor who's back there and he teaches service control 
policies, and I thought that was really cool. And you want to use service control policies to put guardrails on your account, so you might disable a service or a specific action. Here I want to call out that service control policies do not grant access. You may or may not know this, but by default every organization starts with an allow *:* policy. That does not mean that all entities in your organization have full access to everything; it simply means there are no guardrails, and you only rely on the IAM permissions within the account to control access.

So the IAM permissions: you have two parts. You have permission policies. The permission policies are what you know today, inline policies, managed policies; these actually give the access: go allow, go launch instances, go create buckets, go put objects, all that sort of stuff. Then, recently this year, we have permission boundaries. Permission boundaries say, hey, for a given principal we have a maximum permission set. So this is gonna allow developers to create roles with only a certain maximum permission, which means they can't escalate their privileges.

Next you actually have STS. That's when you call AssumeRole, you get a session, and you can actually pass in a scope-down policy for sessions. So where do we see customers using this? We see them using it when they're making on-the-fly decisions per session. So I've seen, we have customers who manage a bunch of other accounts for everyone else, and they may have a support team, and they'll have a federation broker right before they get into AWS that says, oh, this is an S3 support case, okay, well, scope the policy down from this general role to actually just S3.

And you also have AWS services that have policies. Who's ever edited a bucket policy? Yes, that is a resource-based policy, and that allows direct cross-account access, and you see that a lot. And then also VPC endpoint policies, where you can control who gets in, who uses the endpoint and what they can do through it.

All right, so this is... I want to talk about permission 
boundaries just because it's new this year. I'm gonna cover it a couple times because I really want it to sink in. It's a very powerful tool in IAM, so it allows you to scale and delegate your permission management to developers safely. It controls the maximum permissions that employee can grant. So I'm going to talk about a developer; his name's Casey, he's my brother. I like to say he's a little unruly and tries to break the rules and do some crazy things, so we can control his access. Turns out he's pretty smart and has several security clearances, so he's actually not that unruly, but we'll use him today. So you can imagine saying, hey Casey, you can create roles, but you can only create the roles with this maximum permission set. So even if Casey were to attach an admin policy to that role that he creates, it will not work as admin; it'll only get the effective permissions, which is the middle of the permission boundary and the IAM policy. And we're gonna do demos of this, and that's pretty cool, actually.

All right, so this is fun: how do all these policies work together? So here's the logic. First you need the service control policy to be allowed, and if you are within an account you need either IAM to say yes or resource-based policies to say yes. There's different behavior within an account and across accounts, and really what this comes down to is trust at the end of the day. You trust your own account, and you don't trust other accounts by default. And so if you're trying to access a different account, you need both sides: you need account A to say, hey, I trust you, account B, and you need account B to say, hey, I trust you, account A. I like to call it the trust hug, right? You gotta get both sides around.

Okay, so this is how it operates within an account. So you need IAM policies. If you're using a permission boundary, the permission must be allowed in the boundary and it must be allowed in the permission policy. If you pass down the scope-down policy, it must also be allowed in there. If you're not using 
a permission boundary, you can just do it in the permission policy, and same thing with the scope-down: if you're not using it, it doesn't matter.

So we're going to test your knowledge of this. I took away the logic. So let's imagine I have a service control policy with allow s3:PutObject and just an IAM policy with just allow s3:PutObject. What is my answer, allowed or denied? Allowed. Awesome. All right, let's change it up a little bit. So I'm gonna put a permission boundary on, and I'm gonna say only allow S3 read. What's my answer? Denied. Oh, this room got smart. All right, next one: I only have allow s3:PutObject on the resource policy, like on a bucket policy. What's the answer? Oh, good. All right, crazy Casey dropped that SCP; got access to the master account, deleted it by accident. What's our answer? Deny. Good job. All right, now we're across accounts, so we have account A and account B. Pretty simple. The only thing that happens here is, let's imagine the principals are in account A and the resources are in account B. Both sides now have to say yes and allow, okay? So what's our answer here? We have an SCP that says allow and only an IAM policy. Deny, right? Why? Because the resource-based policy doesn't have it across accounts. We add it here. What happens? Awesome, yes. Now you love my animations; I spent, like, a whole plane ride to London doing those. All right, so thank you all for participating. I got all the right answers from the audience. I love that.

Now we're gonna go into specific use cases. Well, because you showed up today, tonight at 7:00 p.m., 
instead of going to the pub crawl, you all just got a new job. Congratulations. I realize that this might be a promotion for some of you and it might be a demotion for others, but you are now the lead of a central security team at any company of your choosing. How about that? And your first mission, your first day on the job, which is gonna be the next 43 minutes of this talk, is to prevent developers from reverting settings in your AWS accounts and to onboard new teams.

So the rest of the talk is gonna work like this. I'm gonna present you four challenges; we have a fifth one at the end, but I'm gonna present you four challenges, and as I go through the four challenges I want you to either write down or mentally think about what tool you are going to use to complete that challenge, and then we're actually gonna go through it and we're gonna see policy, and you're gonna see some really nerdy policies.

All right, to give you a little background, this is your organization. You have a master account, you have two OUs, unicorns and zombies. How did I come up with those names? I messaged some co-workers and that's what we came up with; I guess that's what we talk a lot about. You have a production account and a development account in each. For today's example I'm actually mainly gonna use the development account for unicorns. I realize a lot of you are managing organizations that are a lot larger than this, but I can only make you a policy master in 42 minutes, so we're gonna keep it small for right now. These are the services you're using: you have Amazon EC2 to run workloads, Lambda for serverless applications, Secrets Manager to store and rotate your secrets, and S3 for content objects. I realize most of you are gonna be using more than these throughout your AWS environments, but we'll stick with four for now.

Situation number one: your team has gone through and set up CloudTrail for all your accounts, and your company also requires your users to authenticate with existing identity providers. You don't run Windows, so 
you don't need Directory Service. You don't want to create any other IAM users. That's your challenge number one: you need to ensure that developers can't turn off CloudTrail, create users or use Directory Service. All right, that's your first challenge; take a mental note of what you would use.

Number two: you've learned that you can trust your development team to create resources. So Casey's allowed to launch some instances, create some secrets, maybe add some objects to S3, but you are terrified of creating resources in unapproved regions. This was a big one this year, right? And so your challenge is to ensure that developers can only create resources in approved regions. And by the way, if you can determine or predict what I am going to say is the approved region in this example, then brownie points; put it on Twitter or something like that and tell me afterwards. We'll see if you can predict. Okay.

Number three, this is new this year: you and your developers know their stuff. They can create roles; you don't have to be the bottleneck creating every single role for every single Lambda function, for every single EC2 instance out there. So you want to allow them to do that, but you want to make sure that they don't create a bunch of admin roles and just go all crazy in your environment. All right, so write down what tool you're gonna use for that. I've talked about all these tools previously, by the way.

And then finally, you have the unicorn team, and it got split into two projects, the dorky unicorns and the sneaky unicorns. How did I come up with dorky and sneaky? Turns out I read Reddit, and we launched IAM tags, and as we launched I'm reading the Reddit thread and somebody goes, "great, now I can tag my co-workers dorky", and I just thought it was hilarious, so that's how we got the name. And so your challenge is to update your permissions within an account to make sure they don't step on each other's toes. So you want unicorns to only be able to create 
and manage their own resources within their projects.

All right, now I'm gonna quiz you. So, to set guardrails across accounts, what tool are you gonna use? Did somebody say SCP? Because that's the right answer; you were not loud enough. Control creation of resources to specific regions, what are you gonna use? Not boundaries; it's just going to be a simple permission policy. Enable developers to create roles safely: boundaries, yes, that was louder, awesome. And then finally, use tags to scale permission management: that's also just gonna be a permission policy.

All right, here we go. So this is where I'm gonna start demoing stuff. I'm gonna be flopping back and forth between the IAM console, command line, you name it. First: ensure developers cannot turn off CloudTrail, create IAM users or use Directory Service. I'm gonna use a service control policy. The pro tip here is: rely on deny statements when restricting access. By default there's an allow *:* for all SCPs; it's a lot easier to basically say, hey, deny these actions, than it is to allow a bunch of stuff and whitelist. One, AWS is constantly launching new services, and so you want to be able to move quickly and just put deny on what you don't want, and also it's a lot easier to understand, and so it reduces some blast radius in case you get it wrong. Hopefully you won't. So this is what the SCP looks like: I'm gonna say deny Directory Service, IAM CreateUser, and CloudTrail StopLogging.

Then the demo. So first I'm gonna show you the SCP, and then I'm going to try to create an IAM user, I'm gonna try to stop CloudTrail, and I'm gonna try to list roles, and we'll see, hopefully, my guardrail. Is anybody from Montana in here? No? Okay. Montana is a great state. This is Going-to-the-Sun Road, and I was really happy for guardrails when I was driving on that road. I don't know if anybody's driven it; I was like, oh, thank you. So let's get started.

All right, I'll try to... I'm gonna give you some context of my demoing. The light skin is my master 
account in Chrome, and I'm gonna just pop around the Organizations console for you. Dark skin, where are we, in Chrome, is gonna be an admin in my unicorns dev account; this is where I'm just gonna show you a bunch of stuff. And then Firefox will actually be the developer, and I assume different roles for each challenge.

So let's go back. I am in my master account. You can see all of my accounts here, and I can do it in the tree view. I have my two OUs. I have attached the deny-unapproved-actions policy to the root of my organization, and if you go into this, it's the exact same policy that I showed you on the screen, but I will prove it to you. There we go.

Okay, so now I am gonna work on the command line. Hopefully you can all see it; I think that's big enough. And I'm gonna work as an admin user, so I have *:* on me in the dev account, and you know what, I'm just gonna show that to you because I want to. So this is the role that I'm going to use for the next few commands, so you can see here that's my setup. I'm gonna try to create a user, and I'm using "challenge number one admin"; I've set up all my roles here so you can just know that I'm trying to be an admin. So what's gonna happen when I run this command? I'm gonna try... I'm an admin user, I have create... I'm gonna try to create a user. What's gonna happen? Deny. Why? My SCP. Okay, that didn't work. That's good, right? I don't want people creating users. All right, I'm gonna try to turn off this trail, "reinvent challenge number one trail". What's gonna happen? Right, because my SCP. Okay, now I'm just gonna try to list roles; I want to see the roles in my account. What will happen? Louder. Allow. Why? Because it wasn't in my SCP, which is good; I want people to be able to list roles. And there's all my roles in my account. Pretty cool, huh? So be thinking about what you want to put up there; these are things you never want people to try or to do in your environment.

Next challenge: ensure your developers can create resources, but only in approved regions. Pro tip 
here: use the aws:RequestedRegion condition. We'll go through the policy, but I want to call out one thing here: this condition key works for all services that are in a region, and that's most of our services. There are some services that have global elements to them; for example, IAM is global, and S3 ListAllMyBuckets, that action is gonna be a global action, so you have to account for those, but it's very few and far between. So this is what the policy looks like. I say, all right, you can use Secrets Manager, Lambda; I called out a couple of S3 actions just to keep the policy short. And what region did I pick? West coast, best coast. Come on, team, you need some beers or something. So if anybody predicted that, good job for you. But that's what it looks like. And then you're probably wondering about EC2. I call out EC2 separately just because I wanted to talk to the fact that ec2:RunInstances, which is your create, allows you to authorize against a ton of different resources and parameters, and so these are all the ones that it actually does, and so you can specify which subnet, which instance, all that sort of stuff. But today I just threw on a condition: hey, if you're gonna launch an instance you have to do it in the West Coast, West Coast, West Coast, well, at least the two regions in the West Coast. All right. Oh, and then I allowed all the reads and lists as *; I don't care if you can list objects in other accounts or in other regions, no big deal.

Okay, so this is what we're gonna do as the demo. I'm going to try to create a secret using Secrets Manager in the West region, beautiful Mount Rainier there, and then I'm gonna try to create one in London. Love London, was there a few weeks ago, great city, had some amazing cocktails, so nothing bad on London; just for an example we're gonna not create secrets there. All right, so what I'm gonna do is, I'm Casey, I am going to assume role into this other role, the challenge two role, and the challenge two role simply has what I showed you on the slides, but I 
will prove it to you, just so you don't think I'm working any policy voodoo. So I have the region restriction here; it's the same policy, I don't know if you can see that, it's pretty light. Same thing here, all the RunInstances stuff, and then the only other thing I added was PassRole, and this was so I could actually test launching EC2 instances or some Lambda functions.

All right, so I'm gonna go to Secrets Manager. You notice that I was in Oregon, which is on the West Coast. I'm gonna try to store a new secret. I'm gonna pick an arbitrary secret here, and then I'm gonna say "reinvent is awesome"; I think I have to actually say "day two" because I have a secret already named that. Now click Next, and then I'll say "my test secret Tuesday", storing my secret, and I'll just click Next. I'm not gonna enable rotation, just because, arbitrary. Here's the code I can use if I wanted to retrieve that secret over and over again, and I'm allowed to. Pretty cool, right? What's gonna happen when I try to do the same thing in London? Correct. So I will show you this; it's kind of interesting, because you go to London and, like, I can't even list the secrets, so I kind of know that I'm not gonna be able to store it, but I'll show you anyway. All right, we'll do "pub crawl missing"; hey y'all, you know I'm missing beer. All right, and I don't have permission to even enable rotation. I'm gonna try to go through; I'll try to store it, and what's gonna happen? Fail. I had secretsmanager:* with just that one condition, and I cannot create a secret in another region. Worked. You know, I can see my notes. There we go. All right, so those two, they're pretty good, they're pretty... you probably all could have done that without my help.

Next one, this is my favorite. All right, so you trust Casey; you think he can create his own permissions, his own roles to pass into Lambda, and now you want to just make sure that he doesn't escalate his own privileges. He could get lazy, or maybe he went on the pub crawl and just didn't know what he was doing after he got 
home. But anyway, so the pro tip here is: you want to constrain Casey using permission boundaries, but you also want to constrain Casey to his own little world, and the way to do that is by using either paths in roles or just a naming prefix. So today I'm going to do the naming prefix.

So here are the four parts you need to think about when using permission boundaries. First is, you need to allow create managed policies. This is not a dangerous action; you can allow Casey to create all the managed policies he wants, no big deal. Next is, you want to allow create role, but only with a specific permission boundary. You can think of a permission boundary as a setting on a role or an attribute on a role, and so: Casey, you can create roles with this naming prefix, but hey, only with this boundary. So that means Casey creates a role with a boundary, and then you say, oh, by the way, you can attach managed policies, the ones you created at the top there, but you can only attach policies to a role with that boundary, meaning he can't just go attach policies to any role in the account. And then finally you want to say, okay, now that you've created your role, that role has the permissions that you want it to; you can pass roles into Lambda or EC2.

So this is how the policy looks. So first I'm gonna say, okay, you can create policy and policy versions, but only if it starts with "unicorns". This is me constraining Casey to his little world of unicorns; that sounds kind of funny, actually. Next you want to say, all right, allow create role, but only with a boundary; but oh, hey, also allow attach and detach managed policies, but also with that boundary. So whenever I say "but only", that usually screams condition, and anytime you're saying "oh, I want to do this, but only", that screams condition, so do a condition. So you see here I say create role, and then I have a condition, StringEquals, and I have a pointer to a managed policy. That managed policy is the same managed policy I used in challenge two that provides the region restriction. So even 
if I attach *:* to this new role I'm creating, it will not be allowed to go create a secret in the London region. Why? Because the permission boundary just doesn't allow it. And then the resource, you just constrain based on the naming convention: hey, you have to operate in your unicorns world.

This is how the flow works, because there's this little dance between admin and developer that needs to happen to get this up and running. So here's what the dance looks like. Admin, me, creates a maximum permission; in my case this is the region restriction that we just went through. So, pink policy. Number two: developer. I'm going to call on somebody, maybe one of you who's a developer; you get to go create a role, but only with the maximum permission, so I'm going to allow that. That's me again; I'm gonna say, hey, you in the audience, you can go create roles with only this maximum permission. Then the developer, that's you, creates the role, passes in the pink policy and then whatever green policy you want, and this could be a scoped-down version of what's in the pink policy. And then finally you, as the developer, pass it to Lambda.

So what I'm gonna do for this demo is, I'm gonna show you what it's like for the developer to create a role with a boundary, and then I'm gonna do that thing that they do on cooking shows where they, like, have it all set up already so that I can just slide it in. We're not gonna do Lambda; I'm actually gonna do some S3 work from the command line, but that role will have a permission boundary, and then you'll see what it's like. Here we go. Do you all want to see the policy? Do you want me to prove to you the policies? Somebody said sure. Okay, that made me really excited; thank you for wanting to see my policies. So what I did for challenge number three is the same exact thing: I have the region restriction, so I can't go create resources anywhere else, and then I just added what I just showed you. So this is the allow create role with the naming and the permission 
boundary, and then the naming convention for create policy. I also put some IAM, like, GetRole conditions in there just so they can navigate the console, and then I added the PassRole permissions as well.

All right, so I'm gonna be Casey. I'm gonna switch into challenge number three here. I'm gonna go to IAM and try to create a role. Okay, so I'm gonna go to Roles and I create a role, and I want it to be for Lambda. Permissions, next. I'm gonna pick a permission, and oh, I just need to read and write some objects in S3. I want to show you this policy: this is a very general S3 policy; it has no region restriction on it whatsoever, it just says put and get object from anywhere. Okay, so I'm going to create this role, and it's going to have some read and write. Okay, go next. Don't need to tag it. I'm going to name it, and try to make this fast, "unicorns project", because Brigid told me I had to name it with "unicorns", so I'm gonna do that. Here we go, and then I'm trying to create this for my Lambda functions. What's gonna happen when I press this button? I heard it; I just need it louder. Denied. All right, let's show: does not work. I don't have access. Why don't I have access? Oh, Brigid told me something about that permission boundary thing. Okay, so I go back. Permission boundaries, hmm, which one? Okay, I'm going to use the permission boundary; that seems like a good idea, and, oh, regions, that's a big thing this year, so I'll type "regions". Up there it is. What's my answer? Wow, and there's my role. If Casey had tried to pass in a different permission boundary, it wouldn't have worked either; I could have tested that as well.

All right, so this is when I'm actually going to show you a role that I already have set up, just because I wanted to have everything on the command line ready for you all so you don't have to watch me do some configuration, and this is "unicorns with boundary". So you can see here, that's what I created; this is the same thing, I have the region restriction and this general S3 read/write. So 
what I'm gonna try to do is, I'm going to use the command line, and I am going to try to... oh, I wanted to show you one more thing. I have two buckets; let's go here in the account. One is going to be in the West Coast and one will be in London, so I have the fail and I have the success. And so I'm going to use the command line, and if you can see it, I'm gonna try to put an object in the success bucket, which is in the West Coast, in Oregon, and I'm gonna try to upload a picture of my horse. What will happen? Its name is "success", so you all better get this one right. Okay, it works. But remember, I gave that role just general S3 access; I should be able to put this object, but what's preventing it is the permission boundary, or not preventing it, what's allowing it is also the permission boundary. And then here we're going to fail: I'll try to get to my London bucket, and what will happen? We'll get denied access. And why? Because that permission boundary is preventing me from making any call outside of the US West regions. All right, and then I can just show you Pickles, because he's cute. Pretty cool, right?

So that means you can allow... this is an extremely popular feature, because that means you can allow your developers to move quickly. You can allow them to create roles for all of their applications, and you don't have to watch over them, you don't have to approve them each time; you can just set a boundary and let them go free.

All right, we're getting close. Challenge number four. So you're still in the same account, but the unicorns broke into two different teams, dorky and sneaky, and they need to manage their own resources. And how many people have heard, "oh, I just don't want them stepping on each other's toes"? I hear this a lot. I hate feet, and I always hear people talk about toes. No? Nobody said "I don't want the team stepping on each other's toes"? Okay, maybe a little bit. All right, well, I hear it all the time as the product manager, right. And so we're going to use tags for this use case, and one thing I want 
you to consider: there's a lot more tag-based access control happening in AWS, and it's extremely powerful, it helps you scale your permission management, but you need to be careful about what tags you use for authorization. Why? Because if you don't control those tags, and if people can tag with them or not, then somebody could change a tag and automatically get access. So be careful about those tags and protect them, and we're going to show you how to do that today. So, three parts for tag-based access control. One is, you need to say "okay, users, you can create tags", or better, "you must tag this resource with this tag when you are creating resources". For this you're going to use the request tag; okay, there's a RequestTag condition key, and this is different from the ResourceTag. So next you want to say "hey", control which existing resources and values developers can tag with, so they can modify tags. And in this example we'll say okay, for all the instances you can change the Name tag, you can call it Name=great, Name=funny, whatever, but the project tag must always be dorky, and oh wait, you can only change the Name values on anything that's already tagged project=dorky. And when you create something new, this is the first point, you must tag it with project=dorky. And then finally, okay, now you've launched everything, you've created everything, and it already has tags. All right, now you can manage those resources: you can stop and start those instances with that tag. So I'm going to say this again: RequestTag is always the tag you are requesting, it is the new tag; ResourceTag is the tag that exists on the resource, it is the existing tag. So if you're running into some policy foo with tag-based access control, ask yourself the question: do I have the right condition? This is what the policy looks like. So first I have the RunInstances, which we've already talked about. The only thing I removed here is the instance resource. Why? Because I'm going to control how people label the instance resource
using tags. And then I say, okay, Casey, you can create tags, you can create them on anything because you're creating new resources, but only when you call RunInstances. This is the first permission; this is going to allow Casey to create new resources with tags. All right, but when you call RunInstances and you're launching an instance type, which is that resource right there, you must... so the part that says you must tag with a project tag, that's that StringEquals RequestTag/project equals dorky, and then it also must be in the same region. Now I'm going to let you pass in other tag keys and values, but for all the tag keys that you pass in, it must be project or Name. You don't get to tag with anything else: you pass in Description, doesn't work; if you pass in "Bridget is awesome", doesn't work, right? And so that's that condition that says, for all values, for all the tags that I pass in when I call RunInstances, they must all be in that list; if they're not in that list I will get denied access. I'm going to let that sink in a little bit. Okay, so the next one is saying you've launched your instances, they have appropriate tags on them, but I want you... you can change the Name tag, like, I want you to be able to modify some of the tags, you just can't modify the project tag. So here we go: you're allowed to create tags, but you can only do it on resources that are already tagged, that's that ResourceTag, so that's already tagged project=dorky, and oh wait, for all the tag keys that you pass in, they must be in this list, so you can only pass in project or Name, and if you pass in project it must also be dorky. Okay, and the reason I did this was, sometimes you might want to manage multiple projects, so maybe it's a list, it's dorky and sneaky and funny or whatever you want, but this basically says "hey Casey, you can tag any one of your project resources with a Name tag and I don't care what you do with it". And then finally we have the last one, where you say, all right, I want you to start and stop
instances, but you can only start and stop your own instances, right? You can't go turn off the sneaky team's instance. And so that's where we use the ResourceTag. Why? Because the ResourceTag is the existing tag on the resource, so you have a bunch of instances, they're tagged appropriately, and then you can create these general rules based off of it. This is what I'm going to do today: I'm going to launch instances for project=dorky, I'm going to try to launch an instance with project=sneaky, because, you know, I want to launch a bunch of instances and put it in their cost center. I'm going to modify tags on existing instances, play around with that a little bit for you, and then I'm going to manage existing instances, start and stop mainly, and if you want to call out a command, we probably have time to go through that. All right, so I'm going to go into challenge number four. You all can probably see that I have a challenge number five, and I do want to show you the challenge number five that I have. Not five, four, I'm in four, okay. So the only thing that I have different is I have the dorky unicorn project. This is the same policy that I just showed you: okay, I have all the EC2 in the region, I have "okay, you must have all these tag keys", I have "you can create tags during RunInstances", and "you can create your own tags for existing resources", and then the only other thing I passed in was this general read-only access, just so I can navigate around the EC2 console a little bit. All right, so I am Casey. I no longer have access to IAM. I'm going to go to the right region here; couldn't have gone to London, wouldn't have worked. Oh, I picked the wrong one, you all need to correct me on this stuff, you're not awake: Oregon. Okay, so I have an existing resource and it's project=dorky, I'll move this up a little bit for you, and I'm going to try to "launch more like this". Will it work? Yeah, all right, we'll just show the good case. All right, that worked. Great, view instances. Now I have project
equals sneaky. I'm going to try to "launch more like this". Will it work? Doesn't work, fail. If you actually decode that, it would tell you why. All right, so I'm going to say, hey, okay, I'm in the dorky project, will it work? Okay, let's try it. I think you're wrong, because I am awesome. Nope, fail again. What do I need to do? Do you want me to change its name? Oops, try to type that. That's good, I like the way you called that out. Will it work? There you go. Pretty cool. All right, what else do you want me to do? I'll try to stop this other instance here, try to stop it. Yeah, no, it doesn't work. All right, I'm going to try to give it a Name tag: also doesn't work. This is where we get into, like, this ether of error messages, so you can play around with it, but essentially it's going to make you launch things with the right tag, it's only going to let you change the Name on your own resources, and then it's only going to let you manage your own stuff. Pretty cool, right? It gets cooler. So, challenge number five. What happened? Oh, I don't know, ooh, we're having some technical difficulties. Let's try to escape. Oh, resume slide show. [Music] There we go. Okay, bonus challenge. So who knew that you can now tag IAM users and roles? A few people raised their hand, okay, oh, and I think my manager's in the back, who just waved. All right, so yes, you can now tag IAM users and roles. This is cool: you can tag your users "dorky" if you want, you can tag your roles "cool" if you want, you can also say "hey, you can only do stuff to users and roles tagged with this tag". Great. What's even more cool is you can use that tag as a variable on the right-hand side of your policy. So you can now say "hey Casey, you must tag resources with your project tag". So what does that mean? You can create one general policy and just do tag matching. You don't have to have a separate policy for dorky, you don't have to have a separate policy for sneaky, you can do whatever you want, and that thing in yellow is gold. Literally gold. No, just kidding. It helps you use that tag value in a lot of different places. So
I just talked to a customer today, and they're using it in S3, as in their S3 prefix, right? So they've named things, and then they're putting the tag on a role and they can put that in the policy to grant very granular access in S3. So I'm going to show you what this looks like, and all I did was find and replace: the same policy, and I just changed "dorky" to your project tag. So now we have the same thing: we have "hey, you can launch instances, you pass in project or Name, but I require you to pass in your project tag". Same here: you can create tags, but you can only create tags on existing resources that have your project tag, and oh wait, if you pass in a project tag it must also be your project tag. And then finally, you can only manage instances with your project tag. I am excited to see what you all do with this, but for right now I am going to show you it live and we will see what it looks like. Oh, that's my next slide, oops, I just dropped that. Okay, so I'm going to go over into challenge number five and I'm going to show you it here, because y'all want to see my roles. And I want to call out something: I just called this policy that I created, it's the same permissions, "role tag project access", and I did that on purpose, because it really is just a very general policy, which I called out. I don't have any "dorky" in here, I don't have any... let's see, go down here, did you hear, is it... I don't have any "sneaky" in here. But what I do have is this tag, and I have project=sneaky, and I'm actually going to change it to dorky, just because, and then we'll go back to sneaky; I guess I didn't change it from my last demo. All right, so now I'm Casey and I'm going to try to "launch more like this". Will it work? Yes, it should work. There you go. Now I'm going to try to do some sneaky work. Let's see, we launched a lot of dorky instances in the last minute. All right, "launch more like this", what's our answer? All right, so I am not going to change the tag here. Where am I going to change it? I'm actually going to change it over here,
oops. So this is the tag on the role, and I just turned Casey from dorky to sneaky, just like that, one tag value. And now I'm going to go back to, I'm going to show you the tag just so we all level-set here: project=sneaky. What's our answer? Happiness. So cool, right? So what this allows you to do is, it allows you to create general policies based on tag value and then just have a bunch of roles that you tag, and then you're just matching. That's all you're doing; we talked about it earlier, you're just matching. It's pretty amazing. I'm really excited to see what you all do with this, so if you do something cool with putting the project tag in a policy, in a condition, whether it's an S3 prefix or matching another tag, please share it with the world. Put it on Twitter, I look there; the forums are a great place. I'll be really excited to see that. Thank you all for coming. Um, these are the things I didn't get to that I would love to have gotten to if I had another few minutes. So PrincipalOrgID is a condition you can use in a resource-based policy such as a bucket policy: you can say "hey, deny everyone unless they're from my principal, in my organization". Pretty cool. But if you don't do that, one thing you should do is turn on the new bucket control features for locking down S3; it prevents public bucket access. And then second, service-specific permission documentation: who's used the policy editor? Right, okay, so you'll see a bunch of selections of actions and resources and what conditions; that same information is available too in our documentation, it's really easy to navigate and explore, so please hit up "Actions, Resources, and Condition Keys for AWS Services". It's my go-to when I'm trying to figure out what permissions I have available to me. Thank you very much for your time today, I really appreciate you all staying all the way, almost till 8 o'clock. I hope you enjoy your evening, go get yourself a beer, a glass of wine, and thank you for learning about policies, and please don't forget to fill out
your evaluations [Applause]
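The tag-matching logic the talk demonstrates (aws:RequestTag for the tag being written, aws:ResourceTag for the tag already on the resource, ForAllValues:StringEquals on aws:TagKeys, and ${aws:PrincipalTag/project} on the right-hand side so one policy serves both teams) can be checked outside the console. The block below is an added example, not code from the talk or from AWS: it writes the five statements the speaker walks through as a Python structure and runs them through a toy evaluator that implements only the condition operators this policy uses, with IAM's default-deny and explicit-deny-wins ordering. The instance ARN, account id, team names and tag values are constructed for the demo; everything else real IAM does (SCPs, permission boundaries, resource policies, the per-resource checks RunInstances performs) is out of scope, so validate a real policy with the IAM policy simulator rather than this script.

```python
"""Toy evaluator for the talk's tag-based EC2 policy (added example, not AWS code).
Models StringEquals, StringEqualsIfExists, ForAllValues:StringEquals, ${...}
policy variables, default deny and explicit-deny-wins. Nothing more."""
import fnmatch
import re

PROJECT = "${aws:PrincipalTag/project}"   # resolved from the caller's own tag
VAR = re.compile(r"\$\{([^}]+)\}")

# The statements from the talk, with the principal-tag variable in place of "dorky".
POLICY = [
    {   # 1. RunInstances on the supporting resources, pinned to one region
        "Effect": "Allow", "Action": "ec2:RunInstances",
        "Resource": ["arn:aws:ec2:*::image/*", "arn:aws:ec2:*:*:subnet/*",
                     "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*",
                     "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:key-pair/*"],
        "Condition": {"StringEquals": {"aws:RequestedRegion": "us-west-2"}},
    },
    {   # 2. The instance must be created with project=<caller's project> (RequestTag,
        #    the NEW tag) and no tag keys other than project/Name may be passed in
        "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {"aws:RequestTag/project": PROJECT,
                                       "aws:RequestedRegion": "us-west-2"},
                      "ForAllValues:StringEquals": {"aws:TagKeys": ["project", "Name"]}},
    },
    {   # 3. Tag-on-create: CreateTags is only allowed as part of a RunInstances call
        "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "*",
        "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}},
    },
    {   # 4. Retag instances that already carry the caller's project (ResourceTag, the
        #    EXISTING tag); only project/Name may be touched, project may not move
        "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {"aws:ResourceTag/project": PROJECT},
                      "StringEqualsIfExists": {"aws:RequestTag/project": PROJECT},
                      "ForAllValues:StringEquals": {"aws:TagKeys": ["project", "Name"]}},
    },
    {   # 5. Start/stop only instances tagged with the caller's project
        "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {"aws:ResourceTag/project": PROJECT}},
    },
]


def as_list(x):
    return x if isinstance(x, list) else [x]


def build_context(req, principal_tags):
    """Derive the condition keys IAM would populate for this request."""
    ctx = {"aws:RequestedRegion": req["region"]}
    if req.get("request_tags"):                      # tags being written: aws:RequestTag / aws:TagKeys
        ctx["aws:TagKeys"] = list(req["request_tags"])
        ctx.update({f"aws:RequestTag/{k}": v for k, v in req["request_tags"].items()})
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in req.get("resource_tags", {}).items()})
    ctx.update({f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()})
    if "create_action" in req:
        ctx["ec2:CreateAction"] = req["create_action"]
    return ctx


def substitute(value, ctx):
    """Expand ${key} policy variables; an unresolvable variable can never match."""
    if any(k not in ctx for k in VAR.findall(value)):
        return None
    return VAR.sub(lambda m: ctx[m.group(1)], value)


def condition_holds(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            wants = [w for w in (substitute(s, ctx) for s in as_list(want)) if w is not None]
            have = ctx.get(key)
            if op == "StringEquals":
                if have is None or have not in wants:
                    return False
            elif op == "StringEqualsIfExists":       # key absent from the request -> true
                if have is not None and have not in wants:
                    return False
            elif op == "ForAllValues:StringEquals":  # every value in the set (no values -> true)
                if not all(v in wants for v in as_list(have or [])):
                    return False
            else:
                raise NotImplementedError(op)
    return True


def statement_applies(stmt, req, ctx):
    def match(value, patterns):
        return any(fnmatch.fnmatchcase(value, p) for p in as_list(patterns))
    return (match(req["action"], stmt["Action"]) and match(req["resource"], stmt["Resource"])
            and condition_holds(stmt.get("Condition", {}), ctx))


def is_allowed(policy, req, principal_tags):
    """Default deny; an explicit Deny beats any Allow."""
    ctx = build_context(req, principal_tags)
    effects = {s["Effect"] for s in policy if statement_applies(s, req, ctx)}
    return "Deny" not in effects and "Allow" in effects


INSTANCE = "arn:aws:ec2:us-west-2:123456789012:instance/i-0123456789abcdef0"  # constructed


def ec2(action, region="us-west-2", **kw):
    return {"action": f"ec2:{action}", "resource": INSTANCE, "region": region, **kw}


def demo(principal_tags=None):
    """Casey's demo: the role is tagged project=dorky unless told otherwise."""
    tags = principal_tags or {"project": "dorky"}
    ok = lambda req: is_allowed(POLICY, req, tags)
    return {
        "launch_own_project":   ok(ec2("RunInstances", request_tags={"project": "dorky", "Name": "web"})),
        "launch_other_project": ok(ec2("RunInstances", request_tags={"project": "sneaky"})),
        "launch_extra_tag_key": ok(ec2("RunInstances", request_tags={"project": "dorky", "Description": "x"})),
        "launch_in_london":     ok(ec2("RunInstances", region="eu-west-2", request_tags={"project": "dorky"})),
        "tag_on_create":        ok(ec2("CreateTags", request_tags={"project": "dorky"}, create_action="RunInstances")),
        "rename_own":           ok(ec2("CreateTags", resource_tags={"project": "dorky"}, request_tags={"Name": "v2"})),
        "rename_other":         ok(ec2("CreateTags", resource_tags={"project": "sneaky"}, request_tags={"Name": "v2"})),
        "move_to_other":        ok(ec2("CreateTags", resource_tags={"project": "dorky"}, request_tags={"project": "sneaky"})),
        "stop_own":             ok(ec2("StopInstances", resource_tags={"project": "dorky"})),
        "stop_other":           ok(ec2("StopInstances", resource_tags={"project": "sneaky"})),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'allow' if allowed else 'DENY'}")
    # Flip the tag on the role, not the policy, and Casey becomes the other team.
    print("as sneaky, stop sneaky's instance:", demo({"project": "sneaky"})["stop_other"])
```

Two things the run makes visible that the slides only assert: statement 4 needs both the ResourceTag check (which instance may be retagged) and the StringEqualsIfExists on RequestTag (the project value may not be moved), and ForAllValues is vacuously true when no aws:TagKeys are present, which is why the talk's warning about protecting the tags you authorize on matters: whoever can set the role's project tag chooses the team.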
Info
Channel: Amazon Web Services
Views: 151,160
Keywords: re:Invent 2018, Amazon, AWS re:Invent, Security, Identity, and Compliance, SEC316-R1
Id: YQsK4MtsELU
Length: 55min 35sec (3335 seconds)
Published: Wed Nov 28 2018