22 tweets, 15 min read
⏱️Starting now! ⏱️ @AWSIdentity – presenting our session SEC316 with Brigid @bjohnso5y on Access Control Confidence. 💪⚡ I will be live tweeting the highlights!
@AWSIdentity @bjohnso5y Access control is a journey towards least privilege. Brigid is going to share with us how to make it a confident one.
@AWSIdentity @bjohnso5y Access control confidence. Brigid breaks it down into three parts – permission guardrails, attribute-based access control, and reining in permissions using analytics.
@AWSIdentity @bjohnso5y Brigid said we are going to get nerdy with some JSON policies in the next hour! Can’t wait! 😂
@AWSIdentity @bjohnso5y Quick review of #AWSIAM permissions – two parts: Your job is specification. AWS’s job is enforcement.
@AWSIdentity @bjohnso5y Now we are snapping for the least privilege poem. I feel inspired!
@AWSIdentity @bjohnso5y Moving on to permission guardrails. Pro-tip: use service control policies for common restrictions across your organization, including restricting regions and powerful actions.
@AWSIdentity @bjohnso5y 📹 Live Demo! 📹 Brigid demonstrates how someone with full access cannot 🛑 create a resource in an unapproved region. Why? Because of the SCP she enabled. Pro-tip: use the RequestRegion condition key.
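The guardrail from the demo, written out as an added example (this is not the SCP shown in the session or an AWS-published policy). The condition key the tweet refers to is `aws:RequestedRegion`. The approved region list and the `NotAction` exemptions are assumptions: the exempted services are global or region-agnostic, so an unconditional region deny would otherwise break IAM, Organizations and STS calls for everyone in the organization.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
```

Because an SCP is a filter on what member accounts may do rather than a grant, a principal with `AdministratorAccess` in a member account still gets an explicit deny on, for example, `ec2:RunInstances` in `ap-southeast-2`, which is exactly the behaviour the demo shows. Test a new SCP on a sandbox OU first and check CloudTrail for `AccessDenied` events from services you forgot to exempt.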
@AWSIdentity @bjohnso5y Moving to Brigid’s favorite topic: fine-grained permissions at scale with attribute-based access control, aka ABAC!
@AWSIdentity @bjohnso5y Brigid breaks down ABAC. Attributes on users, attributes on resources, and a policy that says “allow access if they match.” Permissions automatically apply, no policy updates required!
@AWSIdentity @bjohnso5y Lots of tools in your ABAC toolbox including principal tags, session tags, resource tags, tag policies, and IAM policies. Pro-tip is to use ${PrincipalTag/tag-key} as a variable in your policies.
@AWSIdentity @bjohnso5y She’s diving into session tags, a new IAM feature. “With session tags your identity no longer goes poof 💨 when you federate into AWS. Your IdP becomes the source of truth for access control in AWS.”
@AWSIdentity @bjohnso5y 📹 Live Demo! 📹 Brigid shows how a user from @pingidentity federates into AWS with attributes and creates and manages workloads with their project tag.
@AWSIdentity @bjohnso5y @pingidentity We are seeing project #pickles 🐴 in action! Who knew horses and access control could go so well together.
@AWSIdentity @bjohnso5y @pingidentity 🚶‍♀️Moving on to reining in permissions using analytics. Our tools 🛠️ include role and access key last used, service last used, and the new access analyzer!
@AWSIdentity @bjohnso5y @pingidentity Brigid says to channel your inner Marie Kondo. Find roles and permissions that don’t bring you joy, say thank you 🙏, and then let them go.
@AWSIdentity @bjohnso5y @pingidentity 📹 Live Demo! 📹 Brigid is finding a lot of roles and permissions in her account that don’t bring her joy.
@AWSIdentity @bjohnso5y @pingidentity Here we go with IAM Access Analyzer! Certainty, comprehensiveness, and continuous monitoring for cross-account access.
@AWSIdentity @bjohnso5y @pingidentity 📹 Live Demo again! 📹 Using access analyzer to find permissions with broad access and then scope them down. Pro-tip: use the principalOUPath condition key.
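The scope-down from the demo as an added example, not the policy shown in the session. The condition key is `aws:PrincipalOrgPaths`, which carries the organization and OU path of the calling principal. A bucket policy with `"Principal": "*"` and no condition is the kind of finding Access Analyzer raises as public or cross-account access; adding the OU path condition keeps the sharing that was intended (any account under one OU) and removes everything else. The bucket name and the organization, root and OU IDs are placeholders and must be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyFromWorkloadsOU",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-shared-artifacts",
        "arn:aws:s3:::example-shared-artifacts/*"
      ],
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:PrincipalOrgPaths": [
            "o-EXAMPLEORGID/r-EXAMPLEROOT/ou-EXAMPLE-WORKLOADS/*"
          ]
        }
      }
    }
  ]
}
```

`aws:PrincipalOrgPaths` is a multivalued key, so the `ForAnyValue` set operator is required; a plain `StringLike` would never match. The trailing `/*` makes nested OUs under the workloads OU match too, and principals outside the organization have no value for the key at all, so the statement simply does not apply to them. After the change, the Access Analyzer finding for the bucket should resolve on the next scan, which is a useful check that the scope-down did what you intended.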
@AWSIdentity @bjohnso5y @pingidentity That’s a wrap 🎁! Check out all the new access control functionality recently launched and tune into YouTube for the whole talk. Thanks for listening, for your time, and have a great #reinvent! @bjohnso5y
Keep Current with Michael Chan