site-logo

JAWS PANKRATION 2024

site-logo
HomeNewsTimetableCfPCommitteePromotionFollow UpPrivacy Policy

THE WALL built with IAM

Lv300

Lv300

8/24/2024 15:40 (UTC)
Session Info

I explain that how to create a sustainable data boundary using IAM.

I pursue "THE WALL" for data that is financial industry grade robust but does not interfere with development and operations.

In the cloud, traditional data boundaries that rely solely on network will not work. You need to inspect the request context with condition keys such as "aws:ResourceOrgPaths".

The key point is "Design with Ops in mind". The configuration change process for IAM will also be discussed. Welcome to IAM swamp!

Yuta Kimi

Yuta Kimi

- AWS Community Builders -

- AWS User Community Leaders -

Session Category
Security
Identity and compliance
AWS Services
IAM
Session Materials
Session Archive
Session Summary (by Amazon Bedrock)
    The speaker, Yuta Kimi from Japan Digital Design, discusses creating "walls" in AWS to protect confidential data within organizations. These walls aim to prevent data leakage from both external and internal threats. The concept of "walls" refers to critical accident prevention controls, similar to guardrails. The speaker explains why IAM (Identity and Access Management) is used to create these walls, as not all data exists within VPCs (Virtual Private Clouds) in AWS. The presentation focuses on two IAM global condition context keys: aws:ResourceOrgPaths and aws:PrincipalOrgPaths. These keys allow for examining which AWS organization and Organizational Unit (OU) resources and principals belong to, respectively. The speaker outlines a risk scenario where confidential data in the production environment needs protection from external leakage and from being accessed by non-production environments within the company. To implement this wall, a policy is applied to the production OU using aws:ResourceOrgPaths. The policy denies actions on resources outside the production OU while allowing exceptions for trusted external accounts. The speaker emphasizes the importance of "design with ops in mind," creating sustainable policies that don't require frequent updates as the organization grows. The use of aws:ResourceOrgPaths with wildcards allows for automatically including new OUs and accounts under the production OU without policy maintenance. The presentation concludes by highlighting the power and usefulness of OrgPaths in creating effective and sustainable IAM policies for data protection in AWS environments.

Back

©JAWS-UG (AWS User Group - Japan). All rights reserved.