AWS Security Best Practices: User Management using IAM and Automate using Chef
by Nitheesh Poojary, Six Nines IT, Cloud Architect
This white paper gives insight into best practices for managing users on the AWS cloud. First, I cover how to manage users in AWS efficiently using IAM and AWS CloudTrail. Next, I show how Chef can automate user and SSH key management at the OS/system level.
2. Security in AWS
Amazon has designed its cloud platform infrastructure to be highly available and scalable, and its security controls comply with industry standards. AWS data centers are built like fortresses and staffed 24x7, and remote access is granted strictly according to the principle of least privilege. Amazon has done its part to ensure that AWS security meets security best practices and a wide range of IT security standards, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), SOC 2, SOC 3, FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ISO 27001, ITAR, HIPAA, and the Cloud Security Alliance controls. When you host your application in the cloud, you agree to share responsibility with AWS. It is the job of AWS to secure the host operating systems, the virtualization layer, the network, and the physical facilities. It is up to you, the customer, to secure everything you deploy on top of that infrastructure: your operating systems, applications, data, and the identities that can reach them. AWS provides security services such as IAM, CloudTrail, VPC, Security Groups, and Direct Connect to fine-tune and improve the security of the applications hosted on AWS, and most of these high-level security features cost nothing extra. In this white paper we concentrate on two of them: IAM and CloudTrail.
3. Managing AWS users using Identity and Access Management (IAM)
Using IAM, you create users, groups, roles, and permission policies that allow or deny access to AWS resources. IAM lets you give every person in your AWS account their own credentials, with access only to the AWS services and resources they need. For example, you can create individual users, each with their own username, password, and access keys, and grant each of them authority over precisely the resources and services their job requires, instead of sharing the root account's credentials.
a. Follow the best practices http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
b. Resource-level permissions and tagging: With resource-level permissions you can allow a user to reboot, start, stop, and terminate only specific EC2 instances, and scope access to specific S3 and RDS resources in the same way. Always tag AWS resources with their environment (Prod, Dev, QA, and so on) and use those tags as policy conditions. For example, you can make sure that a user can stop, terminate, or restart an instance only if it carries a tag such as Environment=QA, and that she cannot terminate or stop any instance tagged Environment=Production. Note that an untagged instance matches neither condition, so such a user cannot touch it at all; a missing tag fails closed, which is the behaviour you want.
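Here is what such a tag-scoped policy looks like, as an added example that is not part of the white paper: a Ruby script that builds the policy document (the same JSON you would paste into IAM) and runs a deliberately small model of IAM's evaluation logic against it. The account ID, the tag key Environment and the values QA and Production are assumptions chosen for illustration.

```ruby
require 'json'

# Added example, not from the white paper. Account id and tag key/values
# are assumed; replace them with your own.
ACCOUNT_ID = '123456789012'
INSTANCE_ARN = "arn:aws:ec2:*:#{ACCOUNT_ID}:instance/*"
LIFECYCLE_ACTIONS = %w[ec2:StartInstances ec2:StopInstances
                       ec2:RebootInstances ec2:TerminateInstances].freeze

# Policy for a QA operator: may manage instances tagged Environment=QA and
# is explicitly denied on anything tagged Environment=Production.
def qa_operator_policy
  {
    'Version' => '2012-10-17',
    'Statement' => [
      {
        'Sid' => 'ManageQaInstances',
        'Effect' => 'Allow',
        'Action' => LIFECYCLE_ACTIONS,
        'Resource' => INSTANCE_ARN,
        'Condition' => { 'StringEquals' => { 'ec2:ResourceTag/Environment' => 'QA' } }
      },
      {
        'Sid' => 'NeverTouchProduction',
        'Effect' => 'Deny',
        'Action' => LIFECYCLE_ACTIONS,
        'Resource' => INSTANCE_ARN,
        'Condition' => { 'StringEquals' => { 'ec2:ResourceTag/Environment' => 'Production' } }
      }
    ]
  }
end

# Minimal model of the part of IAM evaluation that matters here: default
# deny, an explicit Deny always beats an Allow, and a StringEquals condition
# on ec2:ResourceTag/<key> is compared against the instance's tags. Real IAM
# has many more operators; use the IAM policy simulator for real answers.
def condition_matches?(condition, tags)
  return true if condition.nil?
  condition.fetch('StringEquals', {}).all? do |key, wanted|
    tag_key = key.sub(%r{\Aec2:ResourceTag/}, '')
    tags[tag_key] == wanted          # a missing tag never matches
  end
end

def allowed?(policy, action, tags)
  decision = :deny
  policy['Statement'].each do |stmt|
    next unless Array(stmt['Action']).include?(action)
    next unless condition_matches?(stmt['Condition'], tags)
    return false if stmt['Effect'] == 'Deny'   # explicit deny is final
    decision = :allow if stmt['Effect'] == 'Allow'
  end
  decision == :allow
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(qa_operator_policy)
  p allowed?(qa_operator_policy, 'ec2:StopInstances', { 'Environment' => 'QA' })
  p allowed?(qa_operator_policy, 'ec2:TerminateInstances', { 'Environment' => 'Production' })
  p allowed?(qa_operator_policy, 'ec2:StopInstances', {})   # untagged: denied
end
```

The explicit Deny statement is there on purpose: if this user later receives a broader Allow from another policy, the Production instances still stay out of reach.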
c. Use IAM Multi-Factor Authentication: Every IAM user signs in to the AWS console with a username and password. With Multi-Factor Authentication (MFA) enabled, a user trying to access AWS resources is prompted for the normal credentials (username and password) and also for a one-time authentication code available only from the MFA device configured for that user. Enable MFA on the root account first, since it can do anything in the account, and then on every IAM user with console access.
d. Know when your AWS IAM access keys were last used: Access keys consist of an access key ID and a secret access key. You need them to call AWS services from an API, the command line, or an SDK. In the IAM console you can see when each key was last used: AWS shows the timestamp, the region, and the AWS service that was accessed. The console also displays the date and time when an IAM user or the root account last signed in to the AWS Management Console, forums, Support Center, or Marketplace. Finally, you can download an access key "last used" report for your entire account, which makes it easy to find and deactivate keys that nobody has used for months.
e. Securely giving others access to your AWS resources: Suppose you use separate AWS accounts for the Development and Production environments. If users or roles in one account need access to an S3 bucket or EC2 instances in the other, AWS cross-account access can provide it without sharing credentials. You establish trust by creating an IAM role in the account that owns the resource, with a trust policy that names the other account's ID as the principal, and then allowing the users in the other account to call sts:AssumeRole on that role.
f. Use AWS CloudTrail to report on user actions: CloudTrail provides a history of all API calls made against your account's resources, including calls made by your users through the AWS Management Console, the SDKs, and the command line tools.
1. You can report what actions a user took in a given time frame, for example when a user tried to access AWS services they are not authorized to use; such attempts show up as API calls with an AccessDenied (or, for EC2, Client.UnauthorizedOperation) error code.
2. You can look at user activity in the CloudTrail console. For better visibility and reporting, integrate the trail with a log management tool such as Splunk, Loggly, or Sumo Logic.
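The report in point 1, as an added example that is not part of the white paper: a Ruby script that reads CloudTrail's JSON format (an object with a Records array), lists everything one user did in a time window, and counts denied calls per user. The records are constructed for this example with fake identities, addresses and timestamps, in the shape CloudTrail actually writes.

```ruby
require 'json'
require 'time'

# Added example, not from the white paper. Constructed CloudTrail records
# (fake users, IPs and times) in the real file layout: {"Records":[...]}.
SAMPLE_TRAIL = <<~TRAIL
  {"Records":[
   {"eventVersion":"1.05","eventTime":"2015-06-01T09:15:02Z","eventSource":"ec2.amazonaws.com",
    "eventName":"TerminateInstances","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10",
    "userIdentity":{"type":"IAMUser","userName":"bob","arn":"arn:aws:iam::123456789012:user/bob"},
    "errorCode":"Client.UnauthorizedOperation",
    "errorMessage":"You are not authorized to perform this operation."},
   {"eventVersion":"1.05","eventTime":"2015-06-01T09:16:40Z","eventSource":"s3.amazonaws.com",
    "eventName":"DeleteBucket","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10",
    "userIdentity":{"type":"IAMUser","userName":"bob","arn":"arn:aws:iam::123456789012:user/bob"},
    "errorCode":"AccessDenied","errorMessage":"Access Denied"},
   {"eventVersion":"1.05","eventTime":"2015-06-01T09:20:11Z","eventSource":"ec2.amazonaws.com",
    "eventName":"DescribeInstances","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10",
    "userIdentity":{"type":"IAMUser","userName":"bob","arn":"arn:aws:iam::123456789012:user/bob"}},
   {"eventVersion":"1.05","eventTime":"2015-06-01T11:02:55Z","eventSource":"iam.amazonaws.com",
    "eventName":"CreateUser","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7",
    "userIdentity":{"type":"IAMUser","userName":"alice","arn":"arn:aws:iam::123456789012:user/alice"},
    "errorCode":"AccessDenied","errorMessage":"Access Denied"}
  ]}
TRAIL

# Error codes CloudTrail records for authorization failures: most services
# use "AccessDenied", EC2 uses "Client.UnauthorizedOperation".
DENIED_CODES = %w[AccessDenied Client.UnauthorizedOperation].freeze

def denied?(record)
  DENIED_CODES.include?(record['errorCode'])
end

# Every event by `user` with eventTime in [from, to]. Returns whole records
# so a report can show what was attempted, in which region, from which IP.
def user_activity(trail_json, user, from, to)
  JSON.parse(trail_json)['Records'].select do |r|
    t = Time.iso8601(r['eventTime'])
    r.dig('userIdentity', 'userName') == user && t >= from && t <= to
  end
end

# Number of denied calls per user: a quick way to spot someone probing for
# permissions they do not have.
def denied_by_user(trail_json)
  JSON.parse(trail_json)['Records']
      .select { |r| denied?(r) }
      .group_by { |r| r.dig('userIdentity', 'userName') }
      .transform_values(&:size)
end

def format_record(r)
  "#{r['eventTime']} #{r.dig('userIdentity', 'userName')} " \
  "#{r['eventSource']}/#{r['eventName']} region=#{r['awsRegion']} " \
  "ip=#{r['sourceIPAddress']} #{denied?(r) ? 'DENIED' : 'ok'}"
end

if __FILE__ == $PROGRAM_NAME
  from = Time.iso8601('2015-06-01T09:00:00Z')
  to   = Time.iso8601('2015-06-01T10:00:00Z')
  user_activity(SAMPLE_TRAIL, 'bob', from, to).each { |r| puts format_record(r) }
  p denied_by_user(SAMPLE_TRAIL)
end
```

In practice the script would read the gzipped JSON objects CloudTrail delivers to its S3 bucket; the selection logic is the same. The denied-call count is the condition you would alert on in a log management tool rather than reading by hand.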
4. Automating User and SSH Key Management using Opscode Chef: User management in a cloud environment is one of the biggest challenges organizations face. Here I have listed a few user management scenarios:
- Multiple users are working on a project within the company.
- In some cases external vendors are involved; they might be managing thousands of servers for you.
- Actions need to be taken when you terminate the contract with them.
- An authorized AWS user in your organization quits.
- How do you remove that user from all the servers?
- How do you rotate or reset SSH keys?
- What if the root user's key is lost?
Until now, you might have been handling these scenarios with a growing pile of scripts. As the pressure to deliver products to market quickly and the number of servers keep growing, we need a consistent, reliable, and secure way to manage users. More importantly, the solution should be simple and intuitive.
In these scenarios the configuration management tool Chef comes to the rescue. With Chef you can build servers quickly and reliably using cookbooks (collections of recipes that perform tasks such as installing web servers, updating SSL certificates, or configuring HAProxy servers).
Amazon EC2 uses public-key cryptography to protect login information. A key pair consists of a public key, which AWS places in the instance, and a private key, which only you hold. For a Linux instance the public key is written to ~/.ssh/authorized_keys of the default user and the private key proves your identity at SSH login; for a Windows instance the private key decrypts the administrator password. Without the key pair you cannot log in to a Linux instance, which is exactly why per-user keys, rather than one shared key pair, need to be managed.
5. Step by Step Guide to Automate User Management: In this guide we create individual users, each with their own key pair, and give certain users "sudo" access.
a. In this method we use the community cookbook "users" to manage users and the "sudo" cookbook to manage admin rights. User information is stored in Data Bags, which provide a central store for the data needed to manage users and their respective keys.
b. Add the users and sudo cookbooks as dependencies in metadata.rb. The contents of metadata.rb tell the Chef server which cookbooks a node needs, so that all of them are deployed to each node correctly.
c. Create a new cookbook called local_os_users and include its recipe in the Global Cookbook.
d. This is what our local_os_users recipe looks like:
e. In the Global Cookbook's attribute file, add the contents below. Attribute files contain a set of attributes whose values are used by the recipes and templates. This creates the groups for us and searches the data bag to add users to each group. Any additional groups can be added in the attribute file.
f. To grant admin rights, add the contents below to the same attribute file. This adds the listed groups to the sudoers configuration (through the sudo cookbook).
g. Create a Data Bag item for each user. You can use the Chef console or create the data bags from your Chef workstation: write each data bag item as a flat file named <domainid>.json in the data_bags/users directory. If "Nitheesh" belongs to the dev group that Chef manages, Chef ensures that his account is created on every node and that it belongs to that group. Removing a user is just as simple: update the item's action to remove or lock.
h. Upload the data bag items to the Chef server.
i. Remove, modify, or lock users: To remove, modify, or lock a user, edit that user's data bag item, update the action (remove, modify, lock), and upload it again; the change is applied on the next chef-client run on every node.
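The data bag items for steps g through i, with a dry run of what the users cookbook will do with them, as an added example that is not from the white paper or from the community cookbooks. The JSON items follow the users cookbook's data bag schema (id, uid, gid, shell, groups, ssh_keys, action); the plain-Ruby plan_users function mirrors the users_manage selection logic (every item whose groups list contains a managed group) so you can check a change before uploading it. The user names, uids and keys are made up, MANAGED_GROUPS stands in for whatever attribute your Global Cookbook uses, and the sudoers line assumes the sudo cookbook's default template.

```ruby
require 'json'

# Added example, not from the white paper or the users/sudo cookbooks.
# Three constructed data bag items as they would sit in data_bags/users/.
DATA_BAG_USERS = [
  <<~ITEM,
    {"id": "nitheesh", "comment": "Nitheesh Poojary", "uid": 2001, "gid": "dev",
     "shell": "/bin/bash", "groups": ["dev", "sysadmin"],
     "ssh_keys": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7FAKEKEYnitheesh nitheesh@workstation"],
     "action": "create"}
  ITEM
  <<~ITEM,
    {"id": "vendor1", "comment": "External vendor, contract ended", "uid": 2002, "gid": "dev",
     "shell": "/bin/bash", "groups": ["dev"],
     "ssh_keys": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDFAKEKEYvendor vendor1@laptop"],
     "action": "remove"}
  ITEM
  <<~ITEM
    {"id": "contractor", "comment": "Left the company, keep home dir for audit", "uid": 2003,
     "gid": "dev", "shell": "/bin/bash", "groups": ["dev"],
     "ssh_keys": [], "action": "lock"}
  ITEM
].map { |item| JSON.parse(item) }

# Stand-ins for the attribute file: groups this node manages (assumed
# attribute name) and groups that get sudo (node['authorization']['sudo']['groups']).
MANAGED_GROUPS = %w[dev sysadmin].freeze
SUDO_GROUPS    = %w[sysadmin].freeze

def action_of(item)
  item.fetch('action', 'create')   # the cookbook's default
end

# Mirrors users_manage: for each managed group pick the items whose "groups"
# contain it, keep only live accounts as group members, and plan one user
# resource per item with the action the data bag asks for.
def plan_users(items, managed_groups)
  plan = { users: {}, groups: {} }
  managed_groups.each do |group|
    members = items.select { |u| u['groups'].include?(group) }
    plan[:groups][group] = members.select { |u| action_of(u) == 'create' }.map { |u| u['id'] }
    members.each do |u|
      plan[:users][u['id']] ||= {
        action: action_of(u),
        uid: u['uid'],
        home: "/home/#{u['id']}",
        shell: u['shell'],
        # ~/.ssh/authorized_keys is only rendered for live accounts
        authorized_keys: action_of(u) == 'create' ? u['ssh_keys'].map { |k| "#{k}\n" }.join : nil
      }
    end
  end
  plan
end

# What the sudo cookbook renders into /etc/sudoers.d for group sudo
# (assumed: its default, password-required template).
def sudoers_lines(groups)
  groups.map { |g| "%#{g} ALL=(ALL) ALL" }
end

# Checks worth running before `knife data bag from file users <file>`.
def validate_item(u)
  errors = []
  errors << "#{u['id']}: not a valid POSIX username" unless u['id'] =~ /\A[a-z_][a-z0-9_-]{0,31}\z/
  errors << "#{u['id']}: unknown action #{action_of(u)}" unless %w[create remove lock].include?(action_of(u))
  errors << "#{u['id']}: live account without any ssh key" if action_of(u) == 'create' && u['ssh_keys'].empty?
  errors
end

if __FILE__ == $PROGRAM_NAME
  DATA_BAG_USERS.each { |u| validate_item(u).each { |e| warn e } }
  puts JSON.pretty_generate(plan_users(DATA_BAG_USERS, MANAGED_GROUPS))
  puts sudoers_lines(SUDO_GROUPS)
end
```

The plan shows the point of the approach: vendor1's removal and contractor's lock are one-line edits in the data bag, and the next chef-client run carries them to every node, with the accounts dropped from the dev group at the same time.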
6. User Management in AWS using Commercial Software: Xceedium Xsuite: Xsuite is a privileged access management tool that lets you create, configure, and control access to AWS infrastructure.
a. It integrates with Active Directory, LDAP, and RADIUS.
b. Single sign-on to the AWS Management Console and to all EC2 instances: AWS credentials are securely vaulted and passed directly between Xsuite and the target resources, so users never see them.
c. It provides a complete audit trail with activity logs and full-session, tamper-proof recordings, and generates alerts for attempted policy violations.
d. Proactive responses to violations include blocking prohibited actions, generating warnings, terminating sessions, and deactivating accounts.
e. It provides complete capture and playback of privileged user sessions and generates detailed logs of AWS Management Console and API interactions. DVR-like playback controls allow auditors and investigators to review everything that happened during a session.
7. Integrating Active Directory Users with AWS IAM:
AWS IAM supports identity federation. External identities such as Active Directory users can access resources in the AWS account without individual IAM users being created for them: they sign in with their AD credentials and receive temporary credentials for an IAM role. When an employee leaves the organization, disabling the AD account is enough; there are no long-lived credentials to delete from IAM.
8. How Integration Between AD FS and AWS Works
1. The flow starts when a user (call him Bob) browses to the AD FS sign-on page inside his domain: (https://Fully.Qualified.Domain.Name.Here/adfs/ls/IdpInitiatedSignOn.aspx). When you install AD FS, you get a new virtual directory named adfs under your default website, which includes this page.
2. The sign-on page authenticates Bob against AD. Depending on his browser he may be prompted for his AD username and password, or signed in transparently with his Windows session.
3. Bob's browser receives a SAML assertion in the form of an authentication response from AD FS. The assertion is signed by AD FS and carries the claims AWS expects: the audience urn:amazon:webservices, a Role attribute listing the IAM role and SAML provider ARNs he may assume, and a RoleSessionName.
4. Bob's browser posts the SAML assertion to the AWS sign-in endpoint for SAML (https://signin.aws.amazon.com/saml). Behind the scenes, sign-in verifies the signature against the SAML provider registered in IAM, calls the AssumeRoleWithSAML API to obtain temporary security credentials, and constructs a sign-in URL for the AWS Management Console.
5. Bob's browser receives the sign-in URL and is redirected to the console. If the assertion lists more than one role, he is first asked which one to assume.
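The assertion exchanged in steps 3 and 4, as an added example that is not part of the white paper: a Ruby script that takes the SAML Response an AD FS relying-party trust for AWS produces and pulls out what the AWS sign-in endpoint needs from it (the Audience, the Role attribute pairs and RoleSessionName), then applies the content checks AssumeRoleWithSAML will apply. The XML is a constructed, unsigned skeleton with a fictional domain and account ID; signature verification, which AWS performs against the SAML provider's certificate, is deliberately not modelled here.

```ruby
require 'rexml/document'
require 'time'

# Added example, not from the white paper. A constructed, unsigned SAML
# Response with a fake domain and account id, in the shape AD FS posts to
# https://signin.aws.amazon.com/saml when the standard AWS claim rules are used.
SAMPLE_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  Destination="https://signin.aws.amazon.com/saml" Version="2.0">
    <saml:Issuer>http://adfs.example.corp/adfs/services/trust</saml:Issuer>
    <saml:Assertion Version="2.0">
      <saml:Subject><saml:NameID>bob@example.corp</saml:NameID></saml:Subject>
      <saml:Conditions NotBefore="2015-06-01T09:00:00Z" NotOnOrAfter="2015-06-01T10:00:00Z">
        <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
          <saml:AttributeValue>bob@example.corp</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
          <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Dev,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
          <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-ReadOnly,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </samlp:Response>
XML

AWS_AUDIENCE = 'urn:amazon:webservices'
ROLE_ATTR    = 'https://aws.amazon.com/SAML/Attributes/Role'
SESSION_ATTR = 'https://aws.amazon.com/SAML/Attributes/RoleSessionName'
SAML_NS = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion',
            'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol' }.freeze

def time_attr(element, name)
  value = element && element.attributes[name]
  value && Time.iso8601(value)
end

# AWS accepts "role_arn,provider_arn" in either order; normalise to a hash.
def split_role_pair(value)
  parts = value.split(',').map(&:strip)
  { role_arn: parts.find { |p| p.include?(':role/') },
    provider_arn: parts.find { |p| p.include?(':saml-provider/') } }
end

def parse_aws_assertion(xml)
  doc = REXML::Document.new(xml)
  a = REXML::XPath.first(doc, '//saml:Assertion', SAML_NS)
  raise ArgumentError, 'no Assertion element' unless a
  cond = REXML::XPath.first(a, 'saml:Conditions', SAML_NS)
  attrs = REXML::XPath.match(a, './/saml:Attribute', SAML_NS).to_h do |el|
    [el.attributes['Name'],
     REXML::XPath.match(el, 'saml:AttributeValue', SAML_NS).map { |v| v.text.to_s.strip }]
  end
  { subject: REXML::XPath.first(a, 'saml:Subject/saml:NameID', SAML_NS)&.text,
    audience: REXML::XPath.first(a, './/saml:Audience', SAML_NS)&.text,
    not_before: time_attr(cond, 'NotBefore'),
    not_on_or_after: time_attr(cond, 'NotOnOrAfter'),
    session_name: attrs.fetch(SESSION_ATTR, []).first,
    roles: attrs.fetch(ROLE_ATTR, []).map { |v| split_role_pair(v) } }
end

def account_of(arn)
  arn.to_s.split(':')[4]
end

# Content checks sign-in / AssumeRoleWithSAML applies (signature aside).
def assertion_problems(parsed, now)
  problems = []
  problems << "audience is #{parsed[:audience].inspect}, expected #{AWS_AUDIENCE}" unless parsed[:audience] == AWS_AUDIENCE
  problems << 'assertion not yet valid' if parsed[:not_before] && now < parsed[:not_before]
  problems << 'assertion expired' if parsed[:not_on_or_after] && now >= parsed[:not_on_or_after]
  problems << 'RoleSessionName attribute missing' if parsed[:session_name].to_s.empty?
  problems << 'no Role attribute values' if parsed[:roles].empty?
  parsed[:roles].each do |r|
    if r[:role_arn].nil? || r[:provider_arn].nil?
      problems << 'Role value must be "role_arn,provider_arn"'
    elsif account_of(r[:role_arn]) != account_of(r[:provider_arn])
      problems << "role #{r[:role_arn]} and provider #{r[:provider_arn]} are in different accounts"
    end
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  parsed = parse_aws_assertion(SAMPLE_RESPONSE)
  parsed[:roles].each { |r| puts "#{parsed[:session_name]} may assume #{r[:role_arn]} via #{r[:provider_arn]}" }
  p assertion_problems(parsed, Time.iso8601('2015-06-01T09:30:00Z'))
  p assertion_problems(parsed, Time.iso8601('2015-06-01T10:00:00Z'))
end
```

Two things this makes visible that the flow description alone does not: the role a federated user ends up with is decided by the Role claim AD FS emits (typically from AD group membership), so the AD group mapping is where least privilege is enforced; and the NotOnOrAfter window is short, so a captured assertion is of little use to an attacker even before the signature check.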