Noam Dahan
@noamdahan.bsky.social
Cloud security researcher at CrowdStrike, European Universities Debating Champion (for my sins). My 5th grade teacher said I was disruptive.
But wait! There is a perpetual!
December 5, 2024 at 12:29 PM
But wait! Ra5!!!
December 3, 2024 at 9:43 PM
Thank you so much, I've registered on the waiting list for the Tata Steel 3-round, hopefully spots open up :)
December 3, 2024 at 9:41 PM
1. No longer secretly
2. Odds reduced by me posting this
November 19, 2024 at 11:47 PM
Really nice (are we writing answers in comments or no, what's the verdict #chesspunks?)
November 18, 2024 at 10:15 PM
RCPs apply to every request directed at a resource in the account. So we can implement the policy we wanted.

Not only that, we can set trust boundaries for IAM roles (e.g. only directly exempted accounts can AssumeRole into our org's identities). More here:
github.com/aws-samples/...

/fin
November 15, 2024 at 11:02 AM
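Below is an added example of an RCP that does the two things this thread describes: it restricts the cat bucket to principals from the organization, and it turns every role in the org into one that only org principals (plus one explicitly exempted account) can assume. It is my illustration, not a policy from the thread or from the aws-samples repository linked above. "o-EXAMPLEORGID" and "111111111111" are placeholders for your org ID and the exempted account ID, and the bucket name is written in lowercase because S3 requires it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OrgOnlyAccessToCatBucket",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::awesomecats-af4v81b2",
        "arn:aws:s3:::awesomecats-af4v81b2/*"
      ],
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-EXAMPLEORGID"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    },
    {
      "Sid": "RoleTrustBoundary",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "sts:AssumeRole",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-EXAMPLEORGID",
          "aws:PrincipalAccount": [
            "111111111111"
          ]
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    }
  ]
}
```

Two details matter when reading this. The condition keys inside one operator block are ANDed, so the second statement denies only when the caller is neither in the org nor the exempted account; and the `IfExists` variants evaluate to true when the key is absent, so an unauthenticated (anonymous) S3 request, which carries no `aws:PrincipalOrgID`, is denied as well. The `aws:PrincipalIsAWSService` clause keeps AWS service principals (for example a service writing logs into the bucket) from being caught by the deny. Unlike an SCP, an RCP carries a `Principal` element, because it is evaluated on the resource side of the request.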
So identities coming from outside don't "see" an authorizer which is aware of the SCPs.
It follows that SCPs can only be used to limit identities coming from within the org itself (and our cool kittens cannot be defended by them).

However, fear not: RCPs are here to save the day! 🦸‍♀️
November 15, 2024 at 11:02 AM
You can't, because SCPs only affect principals in the organization itself. The reason has to do with the internal implementation of IAM; more about that: www.youtube.com/watch?v=YMj3...
Simplifying slightly, a request is authorized by the principal's account, and by the resource, so...
AWS re:Inforce 2022 - AWS Identity and Access Management (IAM) deep dive (IAM301)
YouTube video by AWS Events
www.youtube.com
November 15, 2024 at 11:02 AM
So now, you might be thinking to yourself: I have an awesome idea for an SCP - I would like for only users from my organization to be able to access my bucket "AwesomeCats-af4v81b2" (Group #3 - this is where you can start paying attention :)). Well, unfortunately, you can't do that with an SCP. Why?
Alt: a picture of a cat putting on sunglasses with the words cool undercover cats on it
November 15, 2024 at 11:02 AM
For example: say I only want identities to be able to create resources in eu-north-1, I can use an SCP. It's an IAM policy that applies to every principal in the org, but can only limit permissions, never grant them.

A talk I gave about SCP strategy at fwd:cloudsec: www.youtube.com/watch?v=oomo...
A Year of NO building organizational IAM guardrail policies that work - Noam Dahan
YouTube video by fwd:cloudsec
www.youtube.com
November 15, 2024 at 11:02 AM
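As an added example (mine, not from the thread or the talk), here is the shape of an SCP for the eu-north-1 case. It denies any request whose `aws:RequestedRegion` is not eu-north-1, while carving out a handful of global services whose API calls are always routed through us-east-1 and would otherwise be blocked; the list of carve-outs is an assumption you would adjust to what your org actually uses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsOutsideEuNorth1",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "budgets:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "eu-north-1"
        }
      }
    }
  ]
}
```

Note that there is no `Principal` element: an SCP is evaluated on the principal side, for every identity in the accounts it is attached to, which is exactly why it cannot help with callers from outside the org. This statement is also stricter than "only create in eu-north-1", since it denies reads in other regions too; an SCP can only ever remove permissions, so the default FullAWSAccess policy (or an equivalent allow-list) still has to stay attached for anything to work at all.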
Group 1, you got a high five :)
Group 2, let's learn about RCPs! Group 3, we're going to get to that soon.
Before we understand RCPs, we have to understand SCPs (Service Control Policies) first. SCPs are the guardrails of IAM policies; they set up the ground rules for what everyone can and can't do.
November 15, 2024 at 11:02 AM