Michael Chan (@mchancloud)
Dec 4, 2019, 22 tweets, 15 min read
⏱️Starting now! ⏱️ @AWSIdentity – presenting our session SEC316 with Brigid @bjohnso5y on Access Control Confidence. 💪⚡ I will be live tweeting the highlights!
@AWSIdentity @bjohnso5y Access control is a journey towards least privilege. Brigid is going to share with us how to make it a confident one.
@AWSIdentity @bjohnso5y Access control confidence. Brigid breaks it down into three parts – permission guardrails, attribute-based access control, and reining in permissions using analytics.
@AWSIdentity @bjohnso5y Brigid said we are going to get nerdy with some JSON policies in the next hour! Can’t wait! 😂
@AWSIdentity @bjohnso5y Quick review of #AWSIAM permissions – two parts: Your job is specification. AWS’s job is enforcement.
@AWSIdentity @bjohnso5y Now we are snapping for the least privilege poem. I feel inspired!
@AWSIdentity @bjohnso5y Moving on to permission guardrails. Pro-tip: use service control policies for common restrictions across your organization. Including restricting regions and powerful actions.
@AWSIdentity @bjohnso5y 📹 Live Demo! 📹 Brigid demonstrates how someone with full access cannot 🛑 create a resource in an unapproved region. Why? Because of the SCP she enabled. Pro-tip: use the RequestedRegion condition key.
@AWSIdentity @bjohnso5y Moving to Brigid’s favorite topic: fine-grained permissions at scale with attribute-based access control, aka ABAC!
@AWSIdentity @bjohnso5y Brigid breaks down ABAC. Attributes on users, attributes on resources, and a policy to match say “allow access if they match.” Permissions automatically apply, no policy updates required!
@AWSIdentity @bjohnso5y Lots of tools in your ABAC toolbox including principal tags, session tags, resource tags, tag policies, and IAM policies. Pro-tip is to use ${PrincipalTag/tag-key} as a variable in your policies.
@AWSIdentity @bjohnso5y She’s diving into session tags, a new IAM feature. “With session tags your identity no longer goes poof 💨 when you federate into AWS. Your IdP becomes the source of truth for access control in AWS.”
@AWSIdentity @bjohnso5y 📹 Live Demo! 📹 Brigid shows how a user from @pingidentity federates into AWS with attributes and creates and manages workloads with their project tag.
@AWSIdentity @bjohnso5y @pingidentity We are seeing project #pickles 🐴 in action! Who knew horses and access control could go so well together.
@AWSIdentity @bjohnso5y @pingidentity 🚶‍♀️Moving on to reining in permissions using analytics. Our tools 🛠️ include role and access key last used, service last used, and the new access analyzer!
@AWSIdentity @bjohnso5y @pingidentity Brigid says to channel your inner Marie Kondo. Find roles and permissions that don’t bring you joy, say thank you 🙏, and then let them go.
@AWSIdentity @bjohnso5y @pingidentity 📹 Live Demo! 📹 Brigid is finding a lot of roles and permissions in her account that don’t bring her joy.
@AWSIdentity @bjohnso5y @pingidentity Here we go with IAM Access Analyzer! Certainty, comprehensiveness, and continuous monitoring for cross-account access.
@AWSIdentity @bjohnso5y @pingidentity 📹 Live Demo again! 📹 Using access analyzer to find permissions with broad access and then scope them down. Pro-tip: use the principalOUPath condition key.
@AWSIdentity @bjohnso5y @pingidentity That’s a wrap 🎁! Check out all the new access control functionality recently launched and tune into YouTube for the whole talk. Thanks for listening, for your time, and have a great #reinvent! @bjohnso5y
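The three demos above (the region-guardrail SCP, the ABAC match between a principal tag and a resource tag, and scoping a resource policy down to part of the organization; the key the tweet calls principalOUPath is aws:PrincipalOrgPaths in IAM) all come down to how IAM evaluates JSON policies against a request context. The following is an added example written for this page, not AWS's evaluator or anything shown in the session: a miniature policy simulator with the three policies as constructed JSON, a request context per demo, and the outcome of each. Account, organization, root and OU IDs, bucket and instance names, and the "pickles" and "carrots" project tags are all placeholders.

```python
"""Miniature IAM policy evaluator replaying the SEC316 demos (added example, not AWS's code).
Same-account rules only: any explicit Deny wins, every SCP must Allow, then an identity
policy or the resource policy must Allow. No NotAction/NotResource or ...IfExists operators."""
import fnmatch
import re

# 1. Permission guardrail: SCP denying every action outside two approved regions.
REGION_GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}}]}

# 2. ABAC: manage an instance only when its project tag equals the caller's project tag.
ABAC_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}}}]}
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# 3. Bucket policy scoped from "anyone" down to one OU via aws:PrincipalOrgPaths (placeholder IDs).
SCOPED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::shared-artifacts/*",
     "Condition": {"ForAnyValue:StringLike": {
         "aws:PrincipalOrgPaths": ["o-exampleorg/r-root/ou-engineering-1111/*"]}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _substitute(value, ctx):
    # Expand ${key} policy variables; an absent key becomes an unmatchable sentinel.
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "\0missing")), value)

def _condition_matches(cond, ctx):
    for op, pairs in cond.items():
        set_op, base = op.split(":", 1) if ":" in op else (None, op)
        for key, wanted in pairs.items():
            wanted = [_substitute(str(w), ctx) for w in _as_list(wanted)]
            actual = _as_list(ctx.get(key, []))
            if base == "StringEquals":
                hit = lambda a: a in wanted
            elif base == "StringNotEquals":
                hit = lambda a: a not in wanted
            elif base == "StringLike":
                hit = lambda a: any(fnmatch.fnmatchcase(a, w) for w in wanted)
            else:
                raise ValueError("unsupported operator " + op)
            if not actual:  # key absent from the request: only negated operators match
                if base != "StringNotEquals":
                    return False
                continue
            combine = any if set_op == "ForAnyValue" else all  # ForAllValues or single value
            if not combine(hit(a) for a in actual):
                return False
    return True

def _statement_applies(stmt, action, resource, ctx):
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition", {}), ctx))

def evaluate_policy(policy, action, resource, ctx):
    """'Deny', 'Allow' or None (implicit deny) for one policy document."""
    verdict = None
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict

def is_authorized(action, resource, ctx, identity_policies, scps=(), resource_policy=None):
    scp_res = [evaluate_policy(p, action, resource, ctx) for p in scps]
    id_res = [evaluate_policy(p, action, resource, ctx) for p in identity_policies]
    rp_res = evaluate_policy(resource_policy, action, resource, ctx) if resource_policy else None
    if "Deny" in scp_res + id_res + [rp_res]:
        return False
    if any(r != "Allow" for r in scp_res):  # SCPs bound permissions, they never grant them
        return False
    return "Allow" in id_res + [rp_res]

def run_demos():
    """Replays the session's three demos against constructed request contexts."""
    def ec2(ctx, policy, action="ec2:StopInstances"):
        arn = f"arn:aws:ec2:{ctx['aws:RequestedRegion']}:111122223333:instance/i-0123456789abcdef0"
        return is_authorized(action, arn, ctx, [policy], [REGION_GUARDRAIL_SCP])
    def s3(ctx):
        return is_authorized("s3:GetObject", "arn:aws:s3:::shared-artifacts/build.tgz", ctx, [],
                             [REGION_GUARDRAIL_SCP], SCOPED_BUCKET_POLICY)
    pickles = {"aws:RequestedRegion": "us-west-2", "aws:PrincipalTag/project": "pickles",
               "aws:ResourceTag/project": "pickles"}
    eng = {"aws:RequestedRegion": "us-east-1",
           "aws:PrincipalOrgPaths": ["o-exampleorg/r-root/ou-engineering-1111/ou-engineering-2222/"]}
    return {
        "admin_unapproved_region": ec2({"aws:RequestedRegion": "eu-west-1"}, FULL_ACCESS, "ec2:RunInstances"),
        "admin_approved_region": ec2({"aws:RequestedRegion": "us-west-2"}, FULL_ACCESS, "ec2:RunInstances"),
        "pickles_own_instance": ec2(pickles, ABAC_IDENTITY_POLICY),
        "pickles_other_project": ec2({**pickles, "aws:ResourceTag/project": "carrots"}, ABAC_IDENTITY_POLICY),
        "no_session_tag": ec2({k: v for k, v in pickles.items() if "PrincipalTag" not in k}, ABAC_IDENTITY_POLICY),
        "engineering_ou_reads_bucket": s3(eng),
        "sales_ou_reads_bucket": s3({**eng, "aws:PrincipalOrgPaths": ["o-exampleorg/r-root/ou-sales-3333/"]}),
    }
```

Two caveats a practitioner should carry over from the toy to a real SCP. First, the region Deny above applies to every action, so it would also block global services such as IAM and STS, whose requests carry a fixed region; AWS's documented region-restriction SCP exempts those with a NotAction list, and SCPs never apply to the management account or to service-linked roles. Second, the "no_session_tag" case is the point of session tags: a federated principal with no project attribute matches nothing, so access depends on the IdP asserting the tag rather than on a policy edit per user. The simulator also keeps the same-account rule that an identity policy or a resource policy can grant on its own; for cross-account access both must Allow.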