CHCon SARAH WALKER – IAM CONFUSED: A DEEP DIVE INTO PERMISSIONS, https://2019.chcon.nz/talks/sarah/
One of the hardest things to understand in the world of cloud computing has to be AWS’ IAM – what is a role? what is a policy? how do I keep my engineers away from production systems? how do permission boundaries even work?? The aim of this talk is to try and give some practical examples to help security teams understand what's going on, and how to use this to keep their infrastructure running smoothly and safely.
- Groot and the Guardians of the Galaxy (too many short animation loops on the slides though)
- Allow all the Avengers to use their stuff sometimes
- But not Spiderman, because Sony ...
- AWS documentation is sometimes incomplete and wrong
- AWS 'managed policies', ditto
- Third party tools: Netflix Aardvark, Salesforce Policy Sentry
- Principals (users, roles) can be granted permissions to take actions on Resources, via identity-based policies
- Resources can also carry resource-based policies (e.g. an S3 bucket policy) that grant actions to Principals, even ones with no identity-based policy of their own
- Any explicit Deny, wherever it sits, trumps every Allow; with no matching Allow the result is an implicit deny
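The three rules above (identity-based Allow, resource-based Allow, explicit Deny wins) plus the permission-boundary cap from the abstract, as a small Python simulator. This is an added example written for these notes, not code from the talk or from AWS; it assumes same-account requests, only the Effect/Action/Resource/Principal elements, and ignores Condition, NotAction/NotResource, SCPs and session policies. The account ID, role names and bucket are constructed test data.

```python
"""Toy IAM policy evaluator illustrating the rules noted above.
Added example (not from the talk). Simplifications, stated as assumptions:
same-account only; no Condition, NotAction, NotResource, SCPs or session
policies; Principal only in its {"AWS": ...} form."""
import fnmatch


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?'), case-sensitive like ARNs."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _applies(stmt, action, resource, principal):
    """Does this statement cover the request? The Principal element only
    exists in resource-based policies, so it is skipped when absent."""
    if not _matches(stmt.get("Action", []), action):
        return False
    if not _matches(stmt.get("Resource", "*"), resource):
        return False
    if "Principal" in stmt:
        p = stmt["Principal"]
        allowed = p if isinstance(p, str) else p.get("AWS", [])
        if not _matches(allowed, principal):
            return False
    return True


def _effects(policies, action, resource, principal):
    """Set of Effects ('Allow'/'Deny') from every statement that matches."""
    found = set()
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if _applies(stmt, action, resource, principal):
                found.add(stmt["Effect"])
    return found


def evaluate(principal, action, resource, identity_policies=(),
             resource_policy=None, boundary=None):
    """Return 'Allow' or 'Deny' for one request."""
    identity_fx = _effects(identity_policies, action, resource, principal)
    resource_fx = _effects([resource_policy] if resource_policy else [],
                           action, resource, principal)
    boundary_fx = _effects([boundary] if boundary else [],
                           action, resource, principal)

    # Rule: an explicit Deny in any policy beats every Allow.
    if "Deny" in identity_fx | resource_fx | boundary_fx:
        return "Deny"
    # Rule: a same-account resource policy naming the principal is enough
    # on its own, even with no identity policy at all.
    if "Allow" in resource_fx:
        return "Allow"
    # Rule: an identity Allow works only if the boundary (when set) also
    # allows; the boundary never grants anything by itself, it only caps.
    if "Allow" in identity_fx and (boundary is None or "Allow" in boundary_fx):
        return "Allow"
    return "Deny"  # nothing matched: implicit deny


# ---- constructed sample data (hypothetical account, roles and bucket) ----
ACCOUNT = "123456789012"
BUCKET = "arn:aws:s3:::avengers-tower"


def arn(role):
    return f"arn:aws:iam::{ACCOUNT}:role/{role}"


FULL_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                          "Resource": [BUCKET, BUCKET + "/*"]}]}
IDENTITY = {
    arn("IronMan"): [FULL_S3],
    arn("Spiderman"): [FULL_S3],   # allowed by identity, denied by the bucket
    arn("Groot"): [],              # no identity policy at all
    arn("Hawkeye"): [FULL_S3],     # will be capped by a read-only boundary
}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": arn("Groot")},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Principal": {"AWS": arn("Spiderman")},
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
]}
READ_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                     "Action": ["s3:GetObject", "s3:ListBucket"]}]}


def check(role, action, key="suit-designs/mk85.pdf", boundary=None):
    """Evaluate one request from a sample role against the sample bucket."""
    return evaluate(arn(role), action, f"{BUCKET}/{key}",
                    IDENTITY[arn(role)], BUCKET_POLICY, boundary)


if __name__ == "__main__":
    for role, action, boundary in [("IronMan", "s3:GetObject", None),
                                   ("Spiderman", "s3:GetObject", None),
                                   ("Groot", "s3:GetObject", None),
                                   ("Groot", "s3:PutObject", None),
                                   ("Hawkeye", "s3:GetObject", READ_ONLY_BOUNDARY),
                                   ("Hawkeye", "s3:PutObject", READ_ONLY_BOUNDARY)]:
        print(f"{role:10} {action:14} -> {check(role, action, boundary=boundary)}")
```

Groot gets the object with no identity policy at all because the bucket policy names him; Spiderman is denied despite a wide-open identity policy because the bucket's explicit Deny matches first; Hawkeye keeps read access but loses writes once the boundary is attached, even though his identity policy says `s3:*`.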