Managing users and AWS accounts

Post on 13-Apr-2017


Managing users and AWS accounts

Aleksandr Maklakov – maklaud@zeoalliance.com

Agenda

• Managing AWS accounts

• Managing IAM users

• Security Best Practices

• Solutions

• Questions

Managing AWS accounts

• Who has between 1 and 3 AWS accounts?

• Who has between 3 and 10 AWS accounts?

• Who has more than 10 AWS accounts?

Managing AWS accounts

• Why and When to Create Multiple Accounts?

Managing AWS accounts

• isolation between workloads/departments

• isolation between projects

• minimize blast radius

• optimize costs

• environmental lifecycle accounts

• centralized logging account

• centralized publishing account

Managing IAM accounts

• IAM users

• Identity federation (SAML 2.0)

• Directory service (LDAP)

Managing IAM accounts - Security Best Practices

• Lock away your AWS account (root) access keys

• Create individual IAM users

• Use AWS-defined policies to assign permissions whenever possible

• Use groups to assign permissions to IAM users

• Grant least privilege

• Configure a strong password policy for your users

Managing IAM accounts - Security Best Practices

• Enable MFA for privileged users

• Use roles for applications that run on Amazon EC2 instances

• Delegate by using roles instead of by sharing credentials

• Rotate credentials regularly

• Remove unnecessary credentials

• Use policy conditions for extra security

• Monitor activity in your AWS account

Solutions


AWS Organizations

• Centrally manage policies across multiple AWS accounts

• Control access to AWS services

• Automate AWS account creation and management

• Consolidate billing across multiple AWS accounts

Our solution


+

• single account, MFA, password policy to manage

• native UX with AWS CLI and web console

• different cost-centers

• individual accounts for scripts

• delegating/splitting user management

-

• some troubles with 3rd party tools

• short STS session (1 hour)

The End

• Questions ?

• Comments ?

• Feedback
