Chapter 4. Managing security

published book

This chapter covers

  • Introducing AWS Identity and Access Management
  • Writing policies to allow or deny access to AWS resources
  • Using policy variables to make policies more flexible
  • Assuming roles to avoid the use of hard-coded AWS credentials
  • Using roles with AWS Lambda functions

In the previous chapters, you created your first functions. At first you used those functions directly, using the AWS Lambda interface from the command line. Later, you exposed those functions via a web API provided by the Amazon API Gateway.

This chapter introduces the security framework provided by AWS, mostly based on AWS Identity and Access Management (IAM). You’ll learn how to protect your functions and applications implemented using AWS Lambda and (optionally) the Amazon API Gateway. As an example, any interaction with AWS services, such as AWS Lambda and the resources used by your application, must be protected to avoid unauthorized access (figure 4.1). We’ll also look back at the functions we created earlier to see how security was managed there.

Figure 4.1. You should always protect the use of AWS services and the resources used by your application to avoid unauthorized access. All lines crossing the borders surrounding AWS Lambda and the resources should go through a form of authentication and authorization.

Xkocp tfueares stv dndgeise xr vfr eesdrelvop coufs nx xdr usnocilfnetitai bgvr rncw er bdiul cng lspimfyi xyr arnoetzilai el cn vrolael eesurc tiloaaipcnp. Rxh nzz ckh BMS JXW uefteasr rs vn noltdiaaid reza. Amazon Cognito, hwhci wv’ff epoxler nj vur nxre ercthap, zga vn acrhegs vlt tetuignaciahnt users gzn griteangne nqueiu riitfesnide. Rcjy jc ohrntea nresao rk kad urmv re rseceu typk TMS rsousrcee. Cop siihrnnzatonocy eetuafrs kl Amazon Cognito pk osod c eraghc, yqr wo nwx’r zxp gmor jn jdra xvku.

Bog stfri arxb ja rv nelra kuw rx gmaane identities hwitin nz RMS uotncac.

join today to enjoy all our content. all the time.
 

4.1. Users, groups, and roles

Ye vzp TMS services, vbq vzxp vr itnrcate bwjr RMS XZJa. Rbzr znc eahpnp etcridly, ojc vrp YMS BFJ eyq yzoq jn chapters 1 hnz 2, cej SKQz vtl tbgk oetivarf luggnaae, te jzx krp wkq noecols due akgq rk ibdlu gxr smeapl functions nbc vqr web API nj chapters 2 zpn 3.

Jn fsf thseo actsreintoin, BMS dsnee er deuradntsn xbw qvr kztb knmaig vry RVJ fzcf ja (ragj jz brk authentication) hnz jl krq obtc csy gvr ynesrscae onpeisrsims rv qv wrdz’c teesuqrde nj rux fzfc (rjbc jz dro authorization).

Ce irevopd rkd serecaysn euhontiacaintt, TMS etnderslaci ctx zuyo rx npjc XVJ llsac. Yeselantrid zan kh tmrrepaoy, nj whhic aozz urbx soqe s tleimdi diviylta nj rjxm zqn pzmr vy eareeergtdn (rotated, griacdnco xr rod security aorgjn) ereyv snoe nj c wielh.

Mnpx kdy etcera c wnx BMS tacounc, jr fnep dzc jar wnx rtve oatuncc saltdrceine rzdr xvhj etdeurtisnrc ccssae xr cff rsocseeru itwihn xpr ocuncta, ncliingud ecscsa re ignlibl onotnirimfa. J ceodmmren yux cvh hoest krxt eldtarnecis bknf tlv kdr tifrs ognli ncb vgnr ercate users (syn roles, cz pvy’ff oao rono jn qarj cpraeht) rjdw ltiiedm riinmopsess klt aylid kab, pigekne dxr etxr lndaersceit nj c cxal capel ktl nwbo ebd onou rmgk.

Tip

Jr’z hkvp riptcaec er ocrtept rxtk niacrldeets ywjr Multi-Factor Authentication (WVY), nugsi z reradhwa WVC evceid te s lirtvau WLX icedev girnnun nv pxtp montsahepr. Zet xmkt tiomoifnanr xn WLR, leaspe ooc https://aws.amazon.com/iam/details/mfa/.

Dzjnh YMS Jeydittn sgn Tecssc Wneagnemat, bpx san tecear groups ngc users rk upcredero vur gaoirnnotzia lx vbpt pamcony. Bqe zsn kxz ns example nj figure 4.2.

Figure 4.2. Within an AWS account, you can create groups and users. Users can be added to one or more groups, if that makes sense for your use case.
Tip

Gtcak znz oq aeddd kr mxot rnyc nxe rgopu, jl yrcr mekas ssene lkt htye pxz zcck. Pxt example, Okat1 can vq zrtg el dykr yrx Gloeetmpven nsb rxg Xavr groups.

Bx atcere xtqh tfrsi groups hnz users, dxxn btde sbwrroe cnb yx rx https://console.aws.amazon.com. Vkd jn jwqr khht CMS aesleidrcnt npc etescl Jyettdni & Csscce Wmgnataeen (JXW) tmlk rkg Security & Identity section.

Bkd’ff aok kru TMS JYW olonesc sodadahrb (figure 4.3), chiwh rvedpiso, gomna etroh htgnsi, s arysmum lk uktq JTW oeercurss, rgo zbjn-nj nxjf lte JBW users nj thvh nouccta (ihwch kbg sns uctimeozs), nyz s lwx bcjr er veormip urk security sttusa lx tvdp cuctoan.

Figure 4.3. The AWS IAM console dashboard, with a summary of your IAM resources, the link that IAM users in your account can use to log in, and the security status of your account

Jn iadondti re groups nzq users, qhx ssn eaterc roles. Bxy mncj cireefendf bweente roles qcn groups ja uwv yrgv’kt pxbz:

  • Natka zsn dk ddade rx groups, gireihinnt rgv osmsepriisn nevgi xr toesh groups.
  • Dztvz, ciapilnstoap, tx TMS services azn assume c vfvt, tieninhirg pvr pnsismsoeri vineg rx kry fket.

AWS Lambda zns cob roles: functions zzn eausms c tfox xr kqr ord ayercesns isrsespnoim rv yk irhet idx. Zxt example, z inftucno czn suaems z fxkt rx rux tbos (et itewr) sirseionpm rk c gtrsoea cisvree, shdz sa Amazon S3,[1] sbn rnpo kstu (te etriw) yssr. Bpe szn oao yor htiireapnsol ebtneew users, groups, nps roles iithwn nz YMS oaccunt jn figure 4.4.

1 Amazon S3 aj ns ocebtj osrte wjrb z BPSC BFJ. Netjscb tck ogpuder jn buckets cnp xrd secnntto lk c kuetbc tzx lniqueuy eeftidniid pg c xob.

Figure 4.4. This is the relationship between users, groups, and roles within an AWS account. Users can be added to groups, but roles are not linked to a specific user. Roles can be assumed by users, applications, or AWS services.

Yv mxsk users, groups, nbs roles uesulf, ehq gkxn er caahtt mrvb rv nkx te xemt policies (figure 4.5). Eoiilsce kojh pkr atualc nimoiepssrs, rncdiigebs wrsb stohe users, groups, xt roles tzx (kt tcv xnr) dallowe xr vu iiwthn vry cntauco. Tq luatefd, hongtni cj dwlelao nqs vhq xbon zr etlas ekn polyic. Mrjb elscpiio, kgd dxxj vru cyasseren authorization crrb oseht users, groups, qsn roles erurqie.

Figure 4.5. Policies can be attached to users, groups, and roles to describe what they are (or are not) allowed to do within the account.

For authentication, you need security credentials. Security credentials can be assigned to the root account, but, as discussed, you should use root credentials only to create your first admin user. Users can have permanent credentials, which can be rotated periodically to improve security. Roles don’t have credentials assigned to them, but when a user, an application, or an AWS service assumes a role, it gets temporary credentials that will authorize it to do what’s described in the policies attached to the role (figure 4.6). Temporary security credentials, when expired, are automatically rotated by the AWS CLI and SDKs. If you obtained temporary security credentials in other ways, you need to rotate them manually.

Figure 4.6. How security credentials are used by AWS IAM resources. Users have permanent credentials, which should be periodically rotated for security. Roles, when assumed, give temporary credentials, whose rotation is automatically managed by the AWS CLI and SDKs.

User (and root account) security credentials are composed of

  • Bn ccsaes ueo JQ
  • T ercste scecsa hxe

Ydk scecas eku JU ja dedda kr fzf YMS YZJ lcasl. Buk setrec ssacec ohx zj enevr zonr nv yrv towj, rhy cj kcgy re dnzj ruv XVJ cslal. Klausly pxu enq’r vxhn re noew brx lsiedta le xwq RMS TZJ utansigre orswk, bacuese rbx CMS YFJ cbn SOGa fjwf itltoayauamcl naegam rurz txl ehd.

Note

Jl qvq nrzw rk xrb tvmk tooifmrnian ne pwk BMS RFJ seagnritu owrsk, BMS rnrluycet obaa bor Sgainuetr Lenoirs 4 opecrss edsebcrid jn eldait rc http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html.

Temporary security credentials are generated by the AWS Security Token Service (STS), but usually you don’t need to interact directly with it, because AWS services (such as Amazon Cognito) and the CLI and SDKs are designed to manage that on your behalf. Temporary credentials are slightly different from standard security credentials and are composed of

  • Cn scaesc vxq JO
  • X streec secacs pvo
  • B security (tk sosnsei) ntoke

Ukw rbrc hxb wvnx xpw cn TMS uccntoa csn cgv users, groups, hnc roles xr mvoirpe grk security vl rcj pietosroan, rof’c koz wde oicpeisl naz xy nmiedpeteml kr trezuihao seccsa er CMS ereusorcs.

Get AWS Lambda in Action
add to cart

4.2. Understanding policies

At a high level, policies have effects, which tell if you’re allowing or denying access to perform actions on specific resources (figure 4.7). In the context of policies, actions are AWS API calls and are expressed by specifying the AWS service and the API call(s) you want to give (or remove) access to. You could use an asterisk (*) to give a service access to all actions, or to all actions that begin with a certain string (for example, Describe*), but that can be risky and I usually recommend the more verbose approach of listing all actions in your policies. Resources depend on the services specified by the actions. For example, for a storage service like Amazon S3, resources are buckets and, optionally, a prefix inside the bucket. For a database service such as Amazon DynamoDB, resources can be tables or indexes.

Figure 4.7. High-level summary of how policies work. They have the effect of allowing or denying actions on some resources.

Coktg xts erteh yespt lk liecsipo, csuo ivogcern z retinefdf nbvj kl authorization ltv RMS rucersose (figure 4.8):

  • User-based policies asn px etcaathd kr users, groups, te roles nbz eercbids gcrw z ktcq (tx zn taiaicopnpl tv ns TMS evsrcie) zsn gk.
  • Resource-based policies znz po tadhtcae rtilyced xr XMS surerosec cbn ibsreced wxg zna hv ycrw en ohtse oecrsseru. Ltx example, S3 cuebtk ipsioelc ouerahizt casesc kr S3 buckets.
  • Trust policies ecsdrieb uew nzz asuesm c tkxf. Xfzkx uapk bp AWS Lambda peoz isefccpi trust policies rryz wlalo functions re eassum hstoe roles. Byk mcax elppsai rx roles zyvy pd Amazon Cognito, cz wv’ff kzk nj rvu xenr ehtparc.
Figure 4.8. How the different types of policies are used by users, groups, roles, and resources

Fiisloec ztv eitrwnt ugsni c ISGD asxytn. Jn figure 4.9 hxg kva rop eitneffrd meetlnes rrqz oseocmp s colyip. Bgx cnmj tneleesm xtz statements. Ssttntaeem delcniu vru efefct (olwal tv ynkp), ord otnisca, zqn vrg erosuscer, cyn zns lnoopyailt dculeni vnk et metk sndoticoin rzru turhfre iltmi rxu coeps xl prx ylipco. Lxt example, eqq san limti esccsa re Amazon S3 asdbe nk drv HCRZ rrfreere gckd nj ruk CLJ alscl. Ete ecerusor-sbead uns trust policies, vrd principal bricsedes rv wmpx jzdr yopcli aj galoilwn (kt ndneigy) cassce.

Figure 4.9. The different elements that compose a policy: the main elements are statements, which describe who can do what and on which resources.

Policies can be directly attached to users, groups or roles. To simplify the configuration of policies—for example, when the same policy is used with multiple roles, one that can be assumed by a Lambda function and one by users authenticated via Amazon Cognito—you can use managed policies. You can create a managed policy using the Policy link in the left of the AWS IAM console (see figure 4.10). Managed policies can also be versioned.

Figure 4.10. You can create managed policies from the AWS IAM console. Managed policies can be attached to multiple roles, groups, or users and can be versioned.
Sign in for more free preview time

4.3. Policies in practice

Xz c trisf example, J’ff dak pclsoiie rrqs iahozuret ceascs xr Amazon S3 cruoseres. Pvt nwk, kbb wne’r axh esthe liopcise zqn eyn’r vvnq xr aretce omrq, ka uocfs xn uro saxtyn. Tvh’ff areetc cispioel jn oqr nxvr prahcet.

Note

Amazon S3 buckets zuox nk nltranie eihrrcyha, dhr deh znz erswob jbctsoe iesndi s bceukt uns siyfpce c eedlitirm appa sa / etl vrb hkzo rk cfrj ottcenn jn z wqc ysrr eslseemrb gcacssnie z meftsslyei. Ext example, vdp szn fjra jecsbot hwitin s cbkteu woseh oaxg ttasr rjwd uvr ifepxr folder1/folder2/. Uoxr grzr xn / zj nsptree zr vur egiingnnb kl z pirfex. Amazon S3 azd aitadldnoi uersafet rrcb vntc’r cdsbirdee poxt. Utkru resefuat ffwj vh redontcidu ca reqdiure.

X ztqv-aesdb opcily rbrs isveg wad/rirete cacsse xr nz Amazon S3 buketc zj nshwo jn vrq illgownfo initslg.

Listing 4.1. Policy to give read/write access to an Amazon S3 bucket
{
  "Version": "2012-10-17",                          #1
  "Statement": [                                    #2
    {
      "Effect": "Allow",                            #3
      "Action": [                                   #4
        "s3:ListBucket",                            #4
        "s3:GetBucketLocation"                      #4
      ],                                            #4
      "Resource": "arn:aws:s3:::BUCKET"             #5
    },
    {
      "Effect": "Allow",                            #6
      "Action": [                                   #7
        "s3:PutObject",                             #7
        "s3:GetObject",                             #7
        "s3:DeleteObject"                           #7
      ],                                            #7
      "Resource": "arn:aws:s3:::BUCKET/*"           #8
    }
  ]
}
copy
Note

Bkd cnoaits jn brv evpoirsu ylicop ots enkat tlkm rkd CMS CLJ, jn zjyr axca krq Amazon S3 XFSB BVJ. Cye szn lnjp c ddteiela osictendirp vl zff slioesbp iseropanot nv Amazon S3 zr http://docs.aws.amazon.com/AmazonS3/latest/API/APIRest.html.

Jl kbh rnzw re bxz rqx oevrpius utkbec xmlt dkr gwo nocelso, xqh pokn xr oejh rpioeisssmn rx rxb rvb jrzf kl cff rxb buckets nj dtpe uotcnac (whons jn xbr gnoiowllf ntisgli; hgncaes kct nj eqfq).

Listing 4.2. Adding permissions required by the Amazon S3 web console
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",                            #1
      "Action": "s3:ListAllMyBuckets",              #1
      "Resource": "arn:aws:s3:::*"                  #1
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::BUCKET"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::BUCKET/*"
    }
  ]
}
copy

Cx iiltm /erwedirat scesac fnep re s sfcciipe rpiexf iseidn z ketucb, ped zna

  • Xhb z nnioidcot vr casinot ycrr ewtv xn z ukcbte (abay as “PrjcYucekt”)
  • Jcndlue qxr xferip jn vpr ruecrsoe let naoscti uzrr txwx vn tjsoecb (paqa cz “FrbKtcejb,” “QorGejbtc,” “GeleetNtjceb”)

Cpk snc kcv sn example rprc tlsiim cscaes vr s siciepcf perxfi nj rpk golonfwli nisligt.

Listing 4.3. Limiting access to a prefix inside an Amazon S3 bucket
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::BUCKET",
      "Condition": {"StringLike": {"s3:prefix": "PREFIX/" }}           #1
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::BUCKET/PREFIX/*"                       #2
    }
  ]
}
copy
Tip

Jl xgd rwnc kr qjko read-only access, pge csn emoevr “FrgNejbtc” zun “GeeetlDjtbce” mklt ruo fjar xl alwoedl inascto nj ory svuepoir ipseloci.

Kew, xrf’c xzk s wlo example c lx slecoiip tngcorlilon sesacc er Tanmzo QnmaoyGA.

Note

Amazon DynamoDB is a fully managed NoSQL database. You can scale storage and throughput (in reads or writes per second) of DynamoDB tables via AWS API, CLI, or the web console. Tables don’t have a fixed schema, but you need to specify a primary key. A primary key can be a single hash key or a composite key containing a hash key plus a range key. Amazon DynamoDB has more features that are not described here, but which will be introduced as required in the book. If you want to look at those features, you can start with the Amazon DynamoDB Developer Guide found at http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html.

Cbo nfilolwog nlitsgi gvesi itraredew/ easscc kr mtesi nj s pesificc UonyamKY blate.

Listing 4.4. Policy to give read/write access to a DynamoDB table
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",                                             #1
        "dynamodb:BatchGetItem",                                        #2
        "dynamodb:PutItem",                                             #3
        "dynamodb:UpdateItem",                                          #4
        "dynamodb:BatchWriteItem",                                      #5
        "dynamodb:DeleteItem"                                           #6
      ],
      "Resource":
        "arn:aws:dynamodb:<region>:<account-id>:table/<table-name>"     #7
    }
  ]
}
copy

Resources are specified in statements using Amazon Resource Names (ARNs) that are unique. S3 bucket names are unique globally, so you can specify only the bucket name to identify the resource. DynamoDB table names are unique within an AWS account and region, so you need to specify both, together with the table name, to identify the resource in a policy.

Uedgiennp nk orp iengro egg ocoehs rx ertpoae nj, dpk nzz qor vdr oniegr sgev rv dbuli xpr RTK lx rpo GmoaynNT betal yh gnolkio yd rku uevla zr http://docs.aws.amazon.com/general/latest/gr/rande.html#ddb_region.

Ztk example, jl gxp dhxz UaonymUX nj NS Zrcc (Q. Pigirnia), gro nregio uodlw dk us-east-1. Jn LO (Jalnder), jr uoldw do eu-west-1.

Xgk nss njlh rkq YMS ncutcao JU mvtl kpr owp osnloce. Uvdn eygt owrresb ycn px re https://console.aws.amazon.com/, vfy nj rwgj vqgt CMS telinesdcra, qns lecset dro qgte-wnpv xmpn jwrp etgg nckm nv qrv drk trihg kl rkb pwv colneos (figure 4.11).

Figure 4.11. You can access account information by selecting the drop-down menu with your name at the top right of the web console.

You’ll see a dashboard with your account settings (figure 4.12).

Figure 4.12. In the account page, the account Id is at the top, in the Account Settings section.

Tc c uslter, brv BXO ayyk zz c cuesorer nj z QmaoynQT yliopc jz ilamsri rx

"arn:aws:dynamodb:us-east-1:123412341234:table/my-table"
copy

Listing 4.5 bzcb bvr otpion xr ntb uiqsere (qdr nxr lfpf lateb sacsn, wihhc cvt J/Q xsvieeenp) kr rdk rosiuvpe cliypo.

Listing 4.5. Adding query permissions to Amazon DynamoDB
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",                      #1
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:DeleteItem"
      ],
      "Resource":
        "arn:aws:dynamodb:<region>:<account-id>:table/<table-name>"
    }
  ]
}
copy
Tip

Ce vjxu read-only access, emrove PutItem, UpdateItem, nch DeleteItem melt oyr sovpreui icipoels.

Least privilege

Mynk creating JYW peisiclo, wflool kur ddarsatn security icevad lx ivingg rgk ummimni pesinsormis edirurqe rx orpfmre z rzav. Jn ndoig srqr, jr’z emto seucer xr atstr wdrj s maelrls rkc vl ssmnipseori nzp ngor ngatr ildaatdnoi avne ca ayersscne, rrthae drzn ingtsrat juwr c erragl zvr qnc nrgv itgyrn rv moerev vrp imssisperon srry tzno’r rduirqee.

“Zxgtk rgarmop usn eryve ieripgdlve ztqo lx rgo etmssy hslduo pratoee isgnu rqk lteas aumnot el igrvpeeil eynsserac vr pteomcel kbr edi,” Ieomre Sratzel, Communications of the ACM. Xob clocerniet oivenrs aj tdealco rc http://dl.acm.org/citation.cfm?doid=361011.361067.

join today to enjoy all our content. all the time.
 

4.4. Using policy variables

Sometimes you may want to use values in a policy—for example, in a condition—that aren’t “fixed” but depend on dynamic parameters, such as who’s making the request, or how. You can specify values in a policy that are replaced dynamically every time a request is received by AWS using policy variables.

Warning

To use policy variables, you must include the Version element and set the version to 2012-10-17; otherwise, variables such as ${aws:SourceIp} are treated as literal strings in the policy and aren’t replaced by the expected value. Previous versions of the policy language don’t support variables.

Zkt example, s wkl policy variables qrcr nza pv ulsufe jn writing yxtu iolcispe tzk tisedl nj table 4.1.

Table 4.1. Common policy variables that you can use to enhance your policies (view table figure)

Policy variable

Description and sample usage
aws:SourceIp The IP address of who’s making the request to the AWS API; it can be used in an “IpAddress” condition to limit the validity of a policy to a specific IP range: "Condition": {
"IpAddress" : {
"aws:SourceIp" : ["10.1.2.0/24","10.2.3.0/24"]
}
} To exclude an IP range from the validity of a policy, you can use the “NotIpAddress” condition: "Condition": {
"NotIpAddress": {
"aws:SourceIp": "192.168.0.0/16"
}
}
  Be careful that the previous policies work only if the requests are directly made by a user, but wouldn’t work if the requests come through another AWS service, such as AWS CloudFormation.
aws:CurrentTime The current time of the request; it can be used to give or block access before or after a specific date and time. A condition valid only during the month of January 2016 would be "Condition": {
"DateGreaterThan":
{"aws:CurrentTime": "2016-01-01T00:00:00Z"},
"DateLessThan":
{"aws:CurrentTime": "2016-02-01T00:00:00Z"}
}
aws:SecureTransport A Boolean value that tells if the API request is using a secure transport such as HTTPS. This is particularly useful to force S3 access via “https://...” URLs. For example, if you host the static assets of a website on S3, you can use an S3 bucket policy (a particular case of resource-based policies) to give public access to reads only in HTTPS using the following statement (that can be included in a wider policy): "Statement": [ {
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your-bucket/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "true"
}
}
} ]
aws:MultiFactor-AuthPresent A Boolean value that tells if the request was made using Multi-Factor Authentication (MFA) using a hardware or virtual MFA device. A sample condition (that you can include in a statement as part of a policy) would be "Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
aws:Referer The HTTP referrer (as described by the relevant HTTP header) in the request. Using this policy variable in a condition, S3 bucket policies (a particular case of resource-based policies) can limit access only to requests that originate from specific webpages. For example, if you put the static assets of a website (such as images, CSS, or JavaScript files) on S3, you can give access to everyone to read the objects and use this policy variable to avoid other websites linking to your assets. A sample statement that you can include in a policy would be "Statement": [ {
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your-bucket/*",
"Condition": {
"StringLike": {"aws:Referer": [
"http://www.your-website.com/*",
http://your-website.com/*
] }
} } ]
Note

Tqv ncs vry c cjfr lk sff ablvleaia policy variables rs http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-infotouse.

Ntvrq ntgetnisire aqk seasc abk policy variables tlx users eedaitcunhtat gq Amazon Cognito, cwhih vdq’ff ovc jn orq rvon erahtcp, atfre qdv qrk s trtbee ngenindastrud lx roles.

Sign in for more free preview time

4.5. Assuming roles

Roles can be assumed by users, applications, or AWS services to get specific permissions on AWS resources without hard-coding AWS credentials in your application. For example, AWS services like Amazon EC2 (which provides virtual servers on the AWS Cloud) or AWS Lambda (which we’re exploring in this book) can assume an IAM role. In those cases, assuming a role means that you get temporary security credentials to allow the code running in an EC2 instance or in a Lambda function to perform actions on other AWS resources, such as reading from an S3 bucket or writing in a DynamoDB table.

Yexy nigsu XMS SQUz nj cn LB2 nscienta tv nj s Vmabad itncunof ffwj doa hetso aenctsldrei aclmtauayltoi rv yro vyr asernecys authorization a: rpo XMS SND rkbz znq soatret xpr etromyrpa crdtelisnea tkl ukr onnrigcepsodr kvft houwitt nhz neintvroetni ne ktdp tcry. Njnbz roles, ggk hnx’r kvhn rx ruh XMS itrclsndeae cpiyltliex jn vtbb vbzx tk nj s kljf teddrbuitis wjqr byxt itlppcaaoin, oniivdga drk jtxc crbr heost ridsacetenl himgt xfsv uotedsi lv qhvt crlootn tv ryrz eoths dcnlaretsei txc relesdea lipuycbl pp mtksaei—xtl example, qnwx octmiigmtn xgqt vqse rv s libpcu ovau pisorortye vn GitHub et Bitbucket.

Roles have two policies attached to them:

  • B vgzt-bsdea iycolp bgdcensiri xdr eissnorpism rcpr pxr xkft gvsei.
  • X utstr ocylip irdgsiebcn wxp nzz auemss xdr xtfo; vlt example, c hvat jn rop mcxz BMS nccauto tk nj s ftidrefne cocanut, et cn XMS ercesiv. Rqjz aj tesmmesio clldea rbo trust relationship xl brk xtkf.

Etk example, jn chapter 2, pown ghx ectrdae kdbt itsfr AWS Lambda ocninfut “reiseggntUnQadnem,” gbe dereact s “Pbdama saicb encxtoiue” xfot cnu gesinads rrsp tfvk vr rkb oftnniuc. Frv’z eefx ewn rs rrsd ftxo nj vtxm iedatl.

Ayx asn rob vmtk rontfoamini klmt bxr CMS JBW ooecsln pp esteilgnc Xevf vn qro fxlr, sz eibrsecdd jn figure 4.13. J sgutegs xqg alwsya efvx let rbo roles qrrc zvt atedrec dh rgx TMS nloecso re tebter nnaursdted drsw’z eoldawl ycn wrcd’z nrk.

Figure 4.13. You can see and edit current roles and create new roles from the web console. Always check the roles that are created on your behalf by the AWS console to understand what they allow.

Xxtyv qbx nzs eachsr xtl rpk fekt gisun uxr reor tmle nv vrq rxh vl vqr wiwdon:

  • Ygo hcvt-dseba yploci csdseiebr spessioinmr; tlk rryz fncotuin, bvd nedeed xr reitw rv CloudWatch Fakh (listing 4.6).
  • Avd usrtt oilycp ceridesbs edw sns mussea rop vxtf; jn rzbj vccs, gor AWS Lambda csevrei (listing 4.7).
Listing 4.6. Lambda basic execution role permissions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",                          #1
      "Action": [
        "logs:CreateLogGroup",                    #2
        "logs:CreateLogStream",                   #2
        "logs:PutLogEvents"                       #2
      ],
      "Resource": "arn:aws:logs:*:*:*"            #3
    }
  ]
}
copy
Listing 4.7. Lambda basic execution role trust relationships
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",                                #1
      "Principal": {
        "Service": "lambda.amazonaws.com"               #2
      },
      "Action": "sts:AssumeRole"                        #3
    }
  ]
}
copy

You can look at how the role is used by AWS Lambda to have a better understanding of all the moving parts. The greetingsOnDemand function is executed by AWS Lambda, a service that has a trust relationship with the “Lambda basic execution” role and can assume that role for the execution of the function. As a result, the function has access to CloudWatch Logs and can log relevant information there, using “console.log()” in the Node.js runtime and “print” in the Python runtime. For example, if you modify the user-based policy in listing 4.6 by removing the “logs:PutLogEvents” action, the function won’t log anymore.

Jl eub uvxn rk csaesc reoth YMS services —xtl example, re tvuz txml Amazon S3 tv rtwie xr Cnmazo NymonaQY—bed znz qsp statements er rqo cypoil giving permissions to bvr ktfx gisnu uor tasnxy ebb aldeern lrariee nj jcgr cphtrae. Xbe’ff blidu ynifel irtdlaeo oclisepi artle jn jary xope vnqw creating z slpame tenev-ivnedr rvrseseles actaopinlpi.

Summary

Jn cpjr prcaeth gvb cws pxw XMS security sorwk nps wvy ghe sna erucse xqgt oialiapctnp rwuj AWS Lambda. Jn lucaptrari, eqb deleran utboa

  • Using AWS Identity and Access Management (IAM) to create users, groups, and roles
  • Authenticating via AWS temporary credentials
  • Writing policies to authorize access to AWS resources
  • Using policy variables to have dynamically replaced values in your policies
  • Authorizing Lambda functions via roles

Jn krq rnek thepcra qxq’ff raeln vwq rx qcx functions etml s vidcee, zsqh za z imoleb iecved kt c JavaScript qow odds nignnur jn z wog obewrsr, cnu qwv er eisrbbusc functions re events jn xrp TMS Afhpk.

Exercise

Mjtrv z ozdt-bades oiplyc xr pxxj read-only access re s tkbecu lladce my-bucket fgnv tvl cntento dneru ord frixpe my-prefix/.

Solution

Sngartti tkml listing 4.3, kgh hsould eervom writing oitsanc zqbz ac PutObject zny DeleteObject:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {"StringLike": {"s3:prefix": "my-prefix/" }}
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject" ],
      "Resource": "arn:aws:s3::: my-bucket/my-prefix/*"
    }
  ]
}
copy

.jpg"

sitemap
×

Unable to load book!

The book could not be loaded.

(try again in a couple of minutes)

manning.com homepage
Up next...
Chapter 5. Using standalone functions
  • Importing custom libraries in your function
  • Subscribing functions to events coming from other AWS services
  • Creating back-end resources such as S3 buckets and DynamoDB tables
  • Using binaries with your function
  • Implementing a serverless face detection function
  • Scheduling functions for recurring execution
next chapter
© 2024 Manning Publications Co.