Showing results for tags 'aws iam'.

Found 5 results

  1. To enable your workforce users for analytics with fine-grained data access controls and audit data access, you might have to create multiple AWS Identity and Access Management (IAM) roles with different data permissions and map the workforce users to one of those roles. Multiple users are often mapped to the same role where they need similar privileges to enable data access controls at the corporate user or group level and audit data access. AWS IAM Identity Center enables centralized management of workforce user access to AWS accounts and applications using a local identity store or by connecting corporate directories via identity providers (IdPs). IAM Identity Center now supports trusted identity propagation, a streamlined experience for users who require access to data with AWS analytics services.

Amazon EMR Studio is an integrated development environment (IDE) that makes it straightforward for data scientists and data engineers to build data engineering and data science applications. With trusted identity propagation, data access management can be based on a user’s corporate identity and can be propagated seamlessly as they access data with single sign-on to build analytics applications with Amazon EMR (EMR Studio and Amazon EMR on EC2). AWS Lake Formation allows data administrators to centrally govern, secure, and share data for analytics and machine learning (ML). With trusted identity propagation, data administrators can directly provide granular access to corporate users using their identity attributes and simplify the traceability of end-to-end data access across AWS services. Because access is managed based on a user’s corporate identity, they don’t need to use database local user credentials or assume an IAM role to access data.

In this post, we show how to bring your workforce identity to EMR Studio for analytics use cases, directly manage fine-grained permissions for the corporate users and groups using Lake Formation, and audit their data access.

Solution overview

For our use case, we want to enable a data analyst user named analyst1 to use their own enterprise credentials to query data they have been granted permissions to and audit their data access. We use Okta as the IdP for this demonstration. The following diagram illustrates the solution architecture.

This architecture is based on the following components:

  • Okta is responsible for maintaining the corporate user identities, related groups, and user authentication.
  • IAM Identity Center connects Okta users and centrally manages their access across AWS accounts and applications.
  • Lake Formation provides fine-grained access controls on data directly to corporate users using trusted identity propagation.
  • EMR Studio is an IDE for users to build and run applications. It allows users to log in directly with their corporate credentials without signing in to the AWS Management Console.
  • AWS Service Catalog provides a product template to create EMR clusters.
  • The EMR cluster is integrated with IAM Identity Center using a security configuration.
  • AWS CloudTrail captures user data access activities.

The following are the high-level steps to implement the solution:

  • Integrate Okta with IAM Identity Center.
  • Set up Amazon EMR Studio.
  • Create an IAM Identity Center enabled security configuration for EMR clusters.
  • Create a Service Catalog product template to create the EMR clusters.
  • Use Lake Formation to grant permissions to users to access data.
  • Test the solution by accessing data with a corporate identity.
  • Audit user data access.

Prerequisites

You should have the following prerequisites:

  • An AWS account with access to the following AWS services: AWS CloudFormation, CloudTrail, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), EMR Studio, IAM, IAM Identity Center, Lake Formation, and Service Catalog.
  • An Okta account (you can create a free developer account).

Integrate Okta with IAM Identity Center

For more information about configuring Okta with IAM Identity Center, refer to Configure SAML and SCIM with Okta and IAM Identity Center. For this setup, we have created two users, analyst1 and engineer1, and assigned them to the corresponding Okta application.

You can validate the integration is working by navigating to the Users page on the IAM Identity Center console, as shown in the following screenshot. Both enterprise users from Okta are provisioned in IAM Identity Center. The following exact users will not be listed in your account. You can either create similar users or use an existing user.

Each provisioned user in IAM Identity Center has a unique user ID. This ID does not originate from Okta; it’s created in IAM Identity Center to uniquely identify this user. With trusted identity propagation, this user ID will be propagated across services and also used for traceability purposes in CloudTrail. The following screenshot shows the IAM Identity Center user matching the provisioned Okta user analyst1.

Choose the link under AWS access portal URL and log in with the analyst1 Okta user credentials that are already assigned to this application. If you are able to log in and see the landing page, then all your configurations up to this step are set correctly. You will not see any applications on this page yet.

Set up EMR Studio

In this step, we demonstrate the actions needed from the data lake administrator to set up EMR Studio enabled for trusted identity propagation and with IAM Identity Center integration.
This allows users to directly access EMR Studio with their enterprise credentials.

Note: All Amazon S3 buckets (created after January 5, 2023) have encryption configured by default (Amazon S3 managed keys (SSE-S3)), and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. To use a different type of encryption, to meet your security needs, please update the default encryption configuration for the bucket. See Protecting data for server-side encryption for further details.

  • On the Amazon EMR console, choose Studios in the navigation pane under EMR Studio.
  • Choose Create Studio.
  • For Setup options, select Custom.
  • For Studio name, enter a name (for this post, emr-studio-with-tip).
  • For S3 location for Workspace storage, select Select existing location and enter an existing S3 bucket (if you have one). Otherwise, select Create new bucket.
  • For Service role to let Studio access your AWS resources, choose View permissions details to get the trust and IAM policy information that is needed and create a role with those specific policies in IAM. In this case, we create a new role called emr_tip_role.
  • For Service role to let Studio access your AWS resources, choose the IAM role you created.
  • For Workspace name, enter a name (for this post, studio-workspace-with-tip).
  • For Authentication, select IAM Identity Center.
  • For User role, you can create a new role or choose an existing role. For this post, we choose the role we created (emr_tip_role). To use the same role, add the following statement to the trust policy of the service role:

    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "elasticmapreduce.amazonaws.com",
            "AWS": "arn:aws:iam::xxxxxx:role/emr_tip_role"
          },
          "Action": [
            "sts:AssumeRole",
            "sts:SetContext"
          ]
        }
      ]
    }

  • Select Enable trusted identity propagation to allow you to control and log user access across connected applications.
  • For Choose who can access your application, select All users and groups. Later, we restrict access to resources using Lake Formation. However, there is an option here to restrict access to only assigned users and groups.
  • In the Networking and security section, you can provide optional details for your VPC, subnets, and security group settings.
  • Choose Create Studio.
  • On the Studios page of the Amazon EMR console, locate your Studio enabled with IAM Identity Center.
  • Copy the link for Studio Access URL.
  • Enter the URL into a web browser and log in using Okta credentials.

You should be able to successfully sign in to the EMR Studio console.

Create an IAM Identity Center enabled security configuration for EMR clusters

EMR security configurations allow you to configure data encryption, Kerberos authentication, and Amazon S3 authorization for the EMR File System (EMRFS) on the clusters. The security configuration is available to use and reuse when you create clusters.

To integrate Amazon EMR with IAM Identity Center, you need to first create an IAM role that authenticates with IAM Identity Center from the EMR cluster. Amazon EMR uses IAM credentials to relay the IAM Identity Center identity to downstream services such as Lake Formation. The IAM role should also have the respective permissions to invoke the downstream services.

Create a role (for this post, called emr-idc-application) with the following trust and permission policy. The role referenced in the trust policy is the InstanceProfile role for EMR clusters. This allows the EC2 instance profile to assume this role and act as an identity broker on behalf of the federated users.
Trust policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::xxxxxxxxxxn:role/service-role/AmazonEMR-InstanceProfile-20240127T102444"
          },
          "Action": [
            "sts:AssumeRole",
            "sts:SetContext"
          ]
        }
      ]
    }

Permission policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "IdCPermissions",
          "Effect": "Allow",
          "Action": [
            "sso-oauth:*"
          ],
          "Resource": "*"
        },
        {
          "Sid": "GlueandLakePermissions",
          "Effect": "Allow",
          "Action": [
            "glue:*",
            "lakeformation:GetDataAccess"
          ],
          "Resource": "*"
        },
        {
          "Sid": "S3Permissions",
          "Effect": "Allow",
          "Action": [
            "s3:GetDataAccess",
            "s3:GetAccessGrantsInstanceForPrefix"
          ],
          "Resource": "*"
        }
      ]
    }

Next, you create certificates for encrypting data in transit with Amazon EMR. For this post, we use OpenSSL to generate a self-signed X.509 certificate with a 2048-bit RSA private key. The key allows access to the issuer’s EMR cluster instances in the AWS Region being used. For a complete guide on creating and providing a certificate, refer to Providing certificates for encrypting data in transit with Amazon EMR encryption.

    $ openssl req -x509 -newkey rsa:2048 -keyout privateKey.pem -out certificateChain.pem -days 365 -nodes -subj '/CN=*.us-west-2.compute.internal'
    $ cp certificateChain.pem trustedCertificates.pem
    $ zip -r -X my-certs.zip certificateChain.pem privateKey.pem trustedCertificates.pem

The key allows access to the issuer’s EMR cluster instances in the us-west-2 Region as specified by the *.us-west-2.compute.internal domain name as the common name. You can change this to the Region your cluster is in.

Upload my-certs.zip to an S3 location that will be used to create the security configuration. The EMR service role should have access to the S3 location.

Create an EMR security configuration with IAM Identity Center enabled from the AWS Command Line Interface (AWS CLI) with the following code:

    aws emr create-security-configuration \
        --name "IdentityCenterConfiguration-with-lf-tip" \
        --region "us-west-2" \
        --endpoint-url https://elasticmapreduce.us-west-2.amazonaws.com \
        --security-configuration '{
          "AuthenticationConfiguration": {
            "IdentityCenterConfiguration": {
              "EnableIdentityCenter": true,
              "IdentityCenterApplicationAssigmentRequired": false,
              "IdentityCenterInstanceARN": "arn:aws:sso:::instance/ssoins-7907b0d7d77e3e0d",
              "IAMRoleForEMRIdentityCenterApplicationARN": "arn:aws:iam::1xxxxxxxxx0:role/emr-idc-application"
            }
          },
          "AuthorizationConfiguration": {
            "LakeFormationConfiguration": {
              "EnableLakeFormation": true
            }
          },
          "EncryptionConfiguration": {
            "EnableInTransitEncryption": true,
            "EnableAtRestEncryption": false,
            "InTransitEncryptionConfiguration": {
              "TLSCertificateConfiguration": {
                "CertificateProviderType": "PEM",
                "S3Object": "s3://<<Bucket Name>>/emr-transit-encry-certs/my-certs.zip"
              }
            }
          }
        }'

You can view the security configuration on the Amazon EMR console.

Create a Service Catalog product template to create EMR clusters

EMR Studio with trusted identity propagation enabled can only work with clusters created from a template. Complete the following steps to create a product template in Service Catalog:

  • On the Service Catalog console, choose Portfolios under Administration in the navigation pane.
  • Choose Create portfolio.
  • Enter a name for your portfolio (for this post, EMR Clusters Template) and an optional description.
  • Choose Create.
  • On the Portfolios page, choose the portfolio you just created to view its details.
  • On the Products tab, choose Create product.
  • For Product type, select CloudFormation.
  • For Product name, enter a name (for this post, EMR-7.0.0).
  • Use the security configuration IdentityCenterConfiguration-with-lf-tip you created in previous steps with the appropriate Amazon EMR service roles.
  • Choose Create product.

The following is an example CloudFormation template. Update the account-specific values for SecurityConfiguration, JobFlowRole, ServiceRole, LogUri, Ec2KeyName, and Ec2SubnetId. We provide a sample Amazon EMR service role and trust policy in Appendix A at the end of this post.

    Parameters:
      ClusterName:
        Type: String
        Default: EMR_TIP_Cluster
      EmrRelease:
        Type: String
        Default: emr-7.0.0
        AllowedValues:
          - emr-7.0.0
      ClusterInstanceType:
        Type: String
        Default: m5.xlarge
        AllowedValues:
          - m5.xlarge
          - m5.2xlarge
    Resources:
      EmrCluster:
        Type: AWS::EMR::Cluster
        Properties:
          Applications:
            - Name: Spark
            - Name: Livy
            - Name: Hadoop
            - Name: JupyterEnterpriseGateway
          SecurityConfiguration: IdentityCenterConfiguration-with-lf-tip
          EbsRootVolumeSize: 20
          Name: !Ref ClusterName
          JobFlowRole: <Instance Profile Role>
          ServiceRole: <EMR Service Role>
          ReleaseLabel: !Ref EmrRelease
          VisibleToAllUsers: true
          LogUri: !Sub <S3 LOG Path>
          Instances:
            Ec2KeyName: <Key Pair Name>
            TerminationProtected: false
            Ec2SubnetId: <subnet-id>
            MasterInstanceGroup:
              InstanceCount: 1
              InstanceType: !Ref ClusterInstanceType
            CoreInstanceGroup:
              InstanceCount: 2
              InstanceType: !Ref ClusterInstanceType
              Market: ON_DEMAND
              Name: Core
    Outputs:
      ClusterId:
        Value: !Ref EmrCluster
        Description: The ID of the EMR cluster
    Metadata:
      AWS::CloudFormation::Designer: {}
    Rules: {}

Trusted identity propagation is supported from Amazon EMR 6.15 onwards. For Amazon EMR 6.15, add the following bootstrap action to the CloudFormation script:

    BootstrapActions:
      - Name: spark-config
        ScriptBootstrapAction:
          Path: s3://emr-data-access-control-<aws-region>/customer-bootstrap-actions/idc-fix/replace-puppet.sh

The portfolio now should have the EMR cluster creation product added. Grant the EMR Studio role emr_tip_role access to the portfolio.

Grant Lake Formation permissions to users to access data

In this step, we enable Lake Formation integration with IAM Identity Center and grant permissions to the Identity Center user analyst1. If Lake Formation is not already enabled, refer to Getting started with Lake Formation.

To use Lake Formation with Amazon EMR, create a custom role to register S3 locations. You need to create a new custom role with Amazon S3 access and not use the default role AWSServiceRoleForLakeFormationDataAccess. Additionally, enable external data filtering in Lake Formation. For more details, refer to Enable Lake Formation with Amazon EMR.

Complete the following steps to manage access permissions in Lake Formation:

  • On the Lake Formation console, choose IAM Identity Center integration under Administration in the navigation pane.
  • Lake Formation will automatically specify the correct IAM Identity Center instance.
  • Choose Create.

You can now view the IAM Identity Center integration details.

For this post, we have a Marketing database and a customer table on which we grant access to our enterprise user analyst1. You can use an existing database and table in your account or create a new one. For more examples, refer to Tutorials. The following screenshot shows the details of our customer table.

Complete the following steps to grant analyst1 permissions. For more information, refer to Granting table permissions using the named resource method.

  • On the Lake Formation console, choose Data lake permissions under Permissions in the navigation pane.
  • Choose Grant.
  • Select Named Data Catalog resources.
  • For Databases, choose your database (marketing).
  • For Tables, choose your table (customer).
  • For Table permissions, select Select and Describe.
  • For Data permissions, select All data access.
  • Choose Grant.

The following screenshot shows a summary of permissions that user analyst1 has. They have Select access on the table and Describe permissions on the databases.

Test the solution

To test the solution, we log in to EMR Studio as enterprise user analyst1, create a new Workspace, create an EMR cluster using a template, and use that cluster to perform an analysis. You could also use the Workspace that was created during the Studio setup. In this demonstration, we create a new Workspace.

You need additional permissions in the EMR Studio role to create and list Workspaces, use a template, and create EMR clusters. For more details, refer to Configure EMR Studio user permissions for Amazon EC2 or Amazon EKS. Appendix B at the end of this post contains a sample policy.

When the cluster is available, we attach the cluster to the Workspace and run queries on the customer table, which the user has access to. User analyst1 is now able to run queries for business use cases using their corporate identity.

To open a PySpark notebook, we choose PySpark under Notebook. When the notebook is open, we run a Spark SQL query to list the databases:

    %%sql
    show databases

In this case, we query the customer table in the marketing database. We should be able to access the data.

    %%sql
    select * from marketing.customer

Audit data access

Lake Formation API actions are logged by CloudTrail. The GetDataAccess action is logged whenever a principal or integrated AWS service requests temporary credentials to access data in a data lake location that is registered with Lake Formation. With trusted identity propagation, CloudTrail also logs the IAM Identity Center user ID of the corporate identity who requested access to the data. The following screenshot shows the details for the analyst1 user.

Choose View event to view the event logs. The following is an example of the GetDataAccess event log. We can trace that user analyst1, Identity Center user ID c8c11390-00a1-706e-0c7a-bbcc5a1c9a7f, has accessed the customer table.

    {
      "eventVersion": "1.09",
      ….
        "onBehalfOf": {
          "userId": "c8c11390-00a1-706e-0c7a-bbcc5a1c9a7f",
          "identityStoreArn": "arn:aws:identitystore::xxxxxxxxx:identitystore/d-XXXXXXXX"
        }
      },
      "eventTime": "2024-01-28T17:56:25Z",
      "eventSource": "lakeformation.amazonaws.com",
      "eventName": "GetDataAccess",
      "awsRegion": "us-west-2",
      ….
      "requestParameters": {
        "tableArn": "arn:aws:glue:us-west-2:xxxxxxxxxx:table/marketing/customer",
        "supportedPermissionTypes": [
          "TABLE_PERMISSION"
        ]
      },
      …..
    }
    }

Here is an end-to-end demonstration video of the steps to follow for enabling trusted identity propagation in your analytics flow in Amazon EMR.

Clean up

Clean up the following resources when you’re done using this solution:

  • Delete the CloudFormation stacks created in each account to delete the EMR cluster.
  • Delete the EMR Studio Workspaces and environment.
  • Delete the Service Catalog product and portfolio.
  • Delete the Okta users.
  • Revoke Lake Formation access to the users.

Conclusion

In this post, we demonstrated how to set up and use trusted identity propagation using IAM Identity Center, EMR Studio, and Lake Formation for analytics. With trusted identity propagation, a user’s corporate identity is seamlessly propagated as they access data using single sign-on across AWS analytics services to build analytics applications. Data administrators can provide fine-grained data access directly to corporate users and groups and audit usage. To learn more, see Integrate Amazon EMR with AWS IAM Identity Center.

About the Authors

Pradeep Misra is a Principal Analytics Solutions Architect at AWS. He works across Amazon to architect and design modern distributed analytics and AI/ML platform solutions. He is passionate about solving customer challenges using data, analytics, and AI/ML.
Outside of work, Pradeep likes exploring new places, trying new cuisines, and playing board games with his family. He also likes doing science experiments with his daughters.

Deepmala Agarwal works as an AWS Data Specialist Solutions Architect. She is passionate about helping customers build out scalable, distributed, and data-driven solutions on AWS. When not at work, Deepmala likes spending time with family, walking, listening to music, watching movies, and cooking!

Abhilash Nagilla is a Senior Specialist Solutions Architect at Amazon Web Services (AWS), helping public sector customers on their cloud journey with a focus on AWS analytics services. Outside of work, Abhilash enjoys learning new technologies, watching movies, and visiting new places.

Appendix A

Sample Amazon EMR service role and trust policy:

Note: This is a sample service role. Fine-grained access control is done using Lake Formation. Modify the permissions as per your enterprise guidance and to comply with your security team.
Trust policy:

    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "elasticmapreduce.amazonaws.com",
            "AWS": "arn:aws:iam::xxxxxx:role/emr_tip_role"
          },
          "Action": [
            "sts:AssumeRole",
            "sts:SetContext"
          ]
        }
      ]
    }

Permission policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ResourcesToLaunchEC2",
          "Effect": "Allow",
          "Action": [
            "ec2:RunInstances",
            "ec2:CreateFleet",
            "ec2:CreateLaunchTemplate",
            "ec2:CreateLaunchTemplateVersion"
          ],
          "Resource": [
            "arn:aws:ec2:*:*:network-interface/*",
            "arn:aws:ec2:*::image/ami-*",
            "arn:aws:ec2:*:*:key-pair/*",
            "arn:aws:ec2:*:*:capacity-reservation/*",
            "arn:aws:ec2:*:*:placement-group/pg-*",
            "arn:aws:ec2:*:*:fleet/*",
            "arn:aws:ec2:*:*:dedicated-host/*",
            "arn:aws:resource-groups:*:*:group/*"
          ]
        },
        {
          "Sid": "TagOnCreateTaggedEMRResources",
          "Effect": "Allow",
          "Action": [
            "ec2:CreateTags"
          ],
          "Resource": [
            "arn:aws:ec2:*:*:network-interface/*",
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ec2:*:*:volume/*",
            "arn:aws:ec2:*:*:launch-template/*"
          ],
          "Condition": {
            "StringEquals": {
              "ec2:CreateAction": [
                "RunInstances",
                "CreateFleet",
                "CreateLaunchTemplate",
                "CreateNetworkInterface"
              ]
            }
          }
        },
        {
          "Sid": "ListActionsForEC2Resources",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeCapacityReservations",
            "ec2:DescribeDhcpOptions",
            "ec2:DescribeImages",
            "ec2:DescribeInstances",
            "ec2:DescribeLaunchTemplates",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribePlacementGroups",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVolumes",
            "ec2:DescribeVolumeStatus",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeVpcEndpoints",
            "ec2:DescribeVpcs"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AutoScaling",
          "Effect": "Allow",
          "Action": [
            "application-autoscaling:DeleteScalingPolicy",
            "application-autoscaling:DeregisterScalableTarget",
            "application-autoscaling:DescribeScalableTargets",
            "application-autoscaling:DescribeScalingPolicies",
            "application-autoscaling:PutScalingPolicy",
            "application-autoscaling:RegisterScalableTarget"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AutoScalingCloudWatch",
          "Effect": "Allow",
          "Action": [
            "cloudwatch:PutMetricAlarm",
            "cloudwatch:DeleteAlarms",
            "cloudwatch:DescribeAlarms"
          ],
          "Resource": "arn:aws:cloudwatch:*:*:alarm:*_EMR_Auto_Scaling"
        },
        {
          "Sid": "PassRoleForAutoScaling",
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::*:role/EMR_AutoScaling_DefaultRole",
          "Condition": {
            "StringLike": {
              "iam:PassedToService": "application-autoscaling.amazonaws.com*"
            }
          }
        },
        {
          "Sid": "PassRoleForEC2",
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::xxxxxxxxxxx:role/service-role/<Instance-Profile-Role>",
          "Condition": {
            "StringLike": {
              "iam:PassedToService": "ec2.amazonaws.com*"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:*",
            "s3-object-lambda:*"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket>/*",
            "arn:aws:s3:::*logs*/*"
          ]
        },
        {
          "Effect": "Allow",
          "Resource": "*",
          "Action": [
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CancelSpotInstanceRequests",
            "ec2:CreateFleet",
            "ec2:CreateLaunchTemplate",
            "ec2:CreateNetworkInterface",
            "ec2:CreateSecurityGroup",
            "ec2:CreateTags",
            "ec2:DeleteLaunchTemplate",
            "ec2:DeleteNetworkInterface",
            "ec2:DeleteSecurityGroup",
            "ec2:DeleteTags",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeDhcpOptions",
            "ec2:DescribeImages",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeInstances",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeLaunchTemplates",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribePrefixLists",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSpotInstanceRequests",
            "ec2:DescribeSpotPriceHistory",
            "ec2:DescribeSubnets",
            "ec2:DescribeTags",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeVpcEndpoints",
            "ec2:DescribeVpcEndpointServices",
            "ec2:DescribeVpcs",
            "ec2:DetachNetworkInterface",
            "ec2:ModifyImageAttribute",
            "ec2:ModifyInstanceAttribute",
            "ec2:RequestSpotInstances",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RunInstances",
            "ec2:TerminateInstances",
            "ec2:DeleteVolume",
            "ec2:DescribeVolumeStatus",
            "ec2:DescribeVolumes",
            "ec2:DetachVolume",
            "iam:GetRole",
            "iam:GetRolePolicy",
            "iam:ListInstanceProfiles",
            "iam:ListRolePolicies",
            "cloudwatch:PutMetricAlarm",
            "cloudwatch:DescribeAlarms",
            "cloudwatch:DeleteAlarms",
            "application-autoscaling:RegisterScalableTarget",
            "application-autoscaling:DeregisterScalableTarget",
            "application-autoscaling:PutScalingPolicy",
            "application-autoscaling:DeleteScalingPolicy",
            "application-autoscaling:Describe*"
          ]
        }
      ]
    }

Appendix B

Sample EMR Studio role policy:

Note: This is a sample service role. Fine-grained access control is done using Lake Formation. Modify the permissions as per your enterprise guidance and to comply with your security team.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowEMRReadOnlyActions",
          "Effect": "Allow",
          "Action": [
            "elasticmapreduce:ListInstances",
            "elasticmapreduce:DescribeCluster",
            "elasticmapreduce:ListSteps"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowEC2ENIActionsWithEMRTags",
          "Effect": "Allow",
          "Action": [
            "ec2:CreateNetworkInterfacePermission",
            "ec2:DeleteNetworkInterface"
          ],
          "Resource": [
            "arn:aws:ec2:*:*:network-interface/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
            }
          }
        },
        {
          "Sid": "AllowEC2ENIAttributeAction",
          "Effect": "Allow",
          "Action": [
            "ec2:ModifyNetworkInterfaceAttribute"
          ],
          "Resource": [
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ec2:*:*:network-interface/*",
            "arn:aws:ec2:*:*:security-group/*"
          ]
        },
        {
          "Sid": "AllowEC2SecurityGroupActionsWithEMRTags",
          "Effect": "Allow",
          "Action": [
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:DeleteNetworkInterfacePermission"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
            }
          }
        },
        {
          "Sid": "AllowDefaultEC2SecurityGroupsCreationWithEMRTags",
          "Effect": "Allow",
          "Action": [
            "ec2:CreateSecurityGroup"
          ],
          "Resource": [
            "arn:aws:ec2:*:*:security-group/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
            }
          }
        },
        {
          "Sid": "AllowDefaultEC2SecurityGroupsCreationInVPCWithEMRTags",
          "Effect": "Allow",
          "Action": [
            "ec2:CreateSecurityGroup"
          ],
          "Resource": [
            "arn:aws:ec2:*:*:vpc/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
            }
          }
        },
        {
          "Sid": "AllowAddingEMRTagsDuringDefaultSecurityGroupCreation",
          "Effect": "Allow",
          "Action": [
            "ec2:CreateTags"
          ],
          "Resource": "arn:aws:ec2:*:*:security-group/*",
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true",
              "ec2:CreateAction": "CreateSecurityGroup"
            }
          }
        },
        {
          "Sid": "AllowEC2ENICreationWithEMRTags",
          "Effect": "Allow",
          "Action": [
            "ec2:CreateNetworkInterface"
          ],
          "Resource": [
            "arn:aws:ec2:*:*:network-interface/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
            }
          }
        },
        {
          "Sid": "AllowEC2ENICreationInSubnetAndSecurityGroupWithEMRTags",
          "Effect": "Allow",
          "Action": [
            "ec2:CreateNetworkInterface"
          ],
          "Resource": [
            "arn:aws:ec2:*:*:subnet/*",
            "arn:aws:ec2:*:*:security-group/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
            }
          }
        },
        {
          "Sid": "AllowAddingTagsDuringEC2ENICreation",
          "Effect": "Allow",
          "Action": [
            "ec2:CreateTags"
          ],
          "Resource": "arn:aws:ec2:*:*:network-interface/*",
          "Condition": {
            "StringEquals": {
              "ec2:CreateAction": "CreateNetworkInterface"
            }
          }
        },
        {
          "Sid": "AllowEC2ReadOnlyActions",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeTags",
            "ec2:DescribeInstances",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcs"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowSecretsManagerReadOnlyActionsWithEMRTags",
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetSecretValue"
          ],
          "Resource": "arn:aws:secretsmanager:*:*:secret:*",
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
            }
          }
        },
        {
          "Sid": "AllowWorkspaceCollaboration",
          "Effect": "Allow",
          "Action": [
            "iam:GetUser",
            "iam:GetRole",
            "iam:ListUsers",
            "iam:ListRoles",
            "sso:GetManagedApplicationInstance",
            "sso-directory:SearchUsers"
          ],
          "Resource": "*"
        },
        {
          "Sid": "S3Access",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetEncryptionConfiguration",
            "s3:ListBucket",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket>",
            "arn:aws:s3:::<bucket>/*"
          ]
        },
        {
          "Sid": "EMRStudioWorkspaceAccess",
          "Effect": "Allow",
          "Action": [
            "elasticmapreduce:CreateEditor",
            "elasticmapreduce:DescribeEditor",
            "elasticmapreduce:ListEditors",
            "elasticmapreduce:DeleteEditor",
            "elasticmapreduce:UpdateEditor",
            "elasticmapreduce:PutWorkspaceAccess",
            "elasticmapreduce:DeleteWorkspaceAccess",
            "elasticmapreduce:ListWorkspaceAccessIdentities",
            "elasticmapreduce:StartEditor",
            "elasticmapreduce:StopEditor",
            "elasticmapreduce:OpenEditorInConsole",
            "elasticmapreduce:AttachEditor",
            "elasticmapreduce:DetachEditor",
            "elasticmapreduce:ListInstanceGroups",
            "elasticmapreduce:ListBootstrapActions",
            "servicecatalog:SearchProducts",
            "servicecatalog:DescribeProduct",
            "servicecatalog:DescribeProductView",
            "servicecatalog:DescribeProvisioningParameters",
            "servicecatalog:ProvisionProduct",
            "servicecatalog:UpdateProvisionedProduct",
            "servicecatalog:ListProvisioningArtifacts",
            "servicecatalog:DescribeRecord",
            "servicecatalog:ListLaunchPaths",
            "elasticmapreduce:RunJobFlow",
            "elasticmapreduce:ListClusters",
            "elasticmapreduce:DescribeCluster",
            "codewhisperer:GenerateRecommendations",
            "athena:StartQueryExecution",
            "athena:StopQueryExecution",
            "athena:GetQueryExecution",
            "athena:GetQueryRuntimeStatistics",
            "athena:GetQueryResults",
            "athena:ListQueryExecutions",
            "athena:BatchGetQueryExecution",
            "athena:GetNamedQuery",
            "athena:ListNamedQueries",
            "athena:BatchGetNamedQuery",
            "athena:UpdateNamedQuery",
            "athena:DeleteNamedQuery",
            "athena:ListDataCatalogs",
            "athena:GetDataCatalog",
            "athena:ListDatabases",
            "athena:GetDatabase",
            "athena:ListTableMetadata",
            "athena:GetTableMetadata",
            "athena:ListWorkGroups",
            "athena:GetWorkGroup",
            "athena:CreateNamedQuery",
            "athena:GetPreparedStatement",
            "glue:CreateDatabase",
            "glue:DeleteDatabase",
            "glue:GetDatabase",
            "glue:GetDatabases",
            "glue:UpdateDatabase",
            "glue:CreateTable",
            "glue:DeleteTable",
            "glue:BatchDeleteTable",
            "glue:UpdateTable",
            "glue:GetTable",
            "glue:GetTables",
            "glue:BatchCreatePartition",
            "glue:CreatePartition",
            "glue:DeletePartition",
            "glue:BatchDeletePartition",
            "glue:UpdatePartition",
            "glue:GetPartition",
            "glue:GetPartitions",
            "glue:BatchGetPartition",
            "kms:ListAliases",
            "kms:ListKeys",
            "kms:DescribeKey",
            "lakeformation:GetDataAccess",
            "s3:GetBucketLocation",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads",
            "s3:ListMultipartUploadParts",
            "s3:AbortMultipartUpload",
            "s3:PutObject",
            "s3:PutBucketPublicAccessBlock",
            "s3:ListAllMyBuckets",
            "elasticmapreduce:ListStudios",
            "elasticmapreduce:DescribeStudio",
            "cloudformation:GetTemplate",
            "cloudformation:CreateStack",
            "cloudformation:CreateStackSet",
            "cloudformation:DeleteStack",
            "cloudformation:GetTemplateSummary",
            "cloudformation:ValidateTemplate",
            "cloudformation:ListStacks",
            "cloudformation:ListStackSets",
            "elasticmapreduce:AddTags",
            "ec2:CreateNetworkInterface",
            "elasticmapreduce:GetClusterSessionCredentials",
            "elasticmapreduce:GetOnClusterAppUIPresignedURL",
            "cloudformation:DescribeStackResources"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "AllowPassingServiceRoleForWorkspaceCreation",
          "Action": "iam:PassRole",
          "Resource": [
            "arn:aws:iam::*:role/<Studio Role>",
            "arn:aws:iam::*:role/<EMR Service Role>",
            "arn:aws:iam::*:role/<EMR Instance Profile Role>"
          ],
          "Effect": "Allow"
        },
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Action": [
            "iam:PassRole"
          ],
          "Resource": [
            "arn:aws:iam::*:role/<EMR Instance Profile Role>"
          ]
        }
      ]
    }

View the full article
  2. AWS Identity and Access Management (IAM) Roles Anywhere now provides the capability to define a set of mapping rules, allowing you to specify which data is extracted from your X.509 end-entity certificates. The data that is mapped is referred to as attributes and used as session tags in the IAM policy condition in order to allow or deny permissions. These attributes can be in one of the subject, issuer, or subject alternative name (SAN) fields of the X.509 certificate.
  3. In the landscape of cloud computing, security is of great concern for both small enterprises and large organizations. AWS Identity and Access Management stands as a pillar and plays a pivotal role by ensuring that enterprises and organizations carry out their daily activities in the cloud environment and always remain secure. In this blog article, we will discuss IAM’s key features and provide a hands-on demo of creating an IAM user and letting the user assume a role. Stay tuned!

     Understanding AWS IAM

     AWS Identity and Access Management (IAM) is a service that helps us securely control access to AWS resources. This is the way we authenticate and get authorized to access AWS services. We use the IAM service to control who is authenticated (signed in) and authorized (given permission) to perform any API action on AWS resources.

     Key Components of AWS Identity and Access Management

     Users: These are identities in the service. They represent individuals and entities that interact with AWS services. IAM allows us to create and manage users, assign unique credentials such as passwords, and define permissions through policies. An IAM root user is the first user you create when you first sign in to your AWS account with your email address and your credit card. The root user has full control of your AWS resources and can perform any action. It is always best practice to avoid using the root user for your daily operations and instead create an IAM user and assign it administrative privileges. It is also a best practice to set up second-factor authentication for the root user account.

     Groups: A group is a way of organizing users. It contains users with similar permissions and job requirements. The main function of a group is not just to organize users: instead of managing permissions for each user individually, we simply assign permissions to the group. This simplifies access control and ensures consistency across all users with similar job roles. A user can be a member of up to ten groups.

     Roles: Roles are another very important part of IAM, used to delegate permissions to AWS entities that are not users. Roles are temporary credentials and can be assumed by users or other AWS services based on defined policies. An IAM role shares similarities with an IAM user, as both are AWS identities with permission policies dictating their actions within the AWS environment.

     Policies: These are JSON documents that define permissions to be performed on an AWS resource. Policies can be attached to users, groups, roles, or even AWS resources to specify what actions users or other entities can perform on these AWS resources. We have identity-based policies, which are attached to IAM identities. These policies define what actions these entities can perform on AWS resources. We also have resource-based policies. These policies are embedded directly into AWS resources and define what actions can be performed on these resources. If an IAM user has an allow effect to operate on an AWS resource and the resource policy has a deny effect for that specific user, that user will not be able to perform that operation on the AWS resource.

     With this short overview, let’s now get to some hands-on exercises. We are going to create an IAM user and add the user to a group with no permissions, to ensure the user has no authorization to perform any action on AWS. We will then create an IAM role and let the user assume the role and gain temporary credentials to perform actions on specified AWS resources.

     Log in to the console (https://aws.amazon.com/console/) as an IAM user with administrative privileges. Then, in the search box, type IAM and select it under Services. In the IAM console, on the left side of the navigation pane, select Users, then click Create User. In the Create User dashboard, under User details, give your user a name; I will call my user Bob.

     We will provide this user with management console access, so check the box Provide user access to the AWS Management Console. We are creating an IAM user, so click the radio button I want to create an IAM user. Scroll down. Under Console password, you can select Autogenerate. Then check Users must create a new password at next sign-in; this is recommended. Click Next.

     At this point, you can ensure this user has no permissions, and click Add user to group. I had previously created a group called the operations group and attached no policies to the group, as you can see. If you don’t have a group, you can go ahead and create one, or just click Next. Now review, leave tags as optional, then click Create user. User creation is successful. Retrieve the login credentials and log in as the new user.

     Sign in as the new user Bob in a new browser window. Remember, we gave the user permission to change his password during the first login attempt. On clicking Sign in, user Bob is prompted with the console page "You must change your password before you continue". Follow the instructions: paste the old password you copied from the console while creating the user, then assign Bob a new password. Remember, this is the only action Bob can perform. After following the login for our new user Bob, we are now in the console as user Bob, as you can see. Remember, we didn’t assign any permissions to this user or his operations group. When Bob tries to access the EC2 console, he gets API errors, meaning access is denied. Logged in as user Bob, click Security Groups in the left navigation pane of the EC2 console. We can see we can’t access security groups since credentials could not be validated.

     We will create a role for full access to EC2, and Bob will then log in and be able to do anything in the EC2 console. Log back in as an admin user; in the IAM console, click Roles, then click Create Role. In the Create Role dashboard, under Trusted entity, select Custom trust policy. Then scroll down in the policy editor and paste in this code. Remember to change the ARN to your user, then click Next. Then under Add permissions, select EC2 full access, then click Next. In the role details, under Role name, give your role a name. Then leave the description as optional. Review, scroll down, leave tags as optional, then click Create role. Our role has been created, and you can click View role to view it.

     Now, having created this role, we will make Bob assume this role and get the IAM permissions to be able to work in the EC2 console. To assume a role, we need the AWS account number and the name of the role. So, copy your AWS account number and the role name to your clipboard. Now, logged back in as Bob, go to the top right-hand corner and select the drop-down button as shown below. Then, next to Sign out, choose Switch role. You will be brought to the Switch role dashboard. Remember I told you to copy your account ID and role name to your clipboard; paste them in the required fields below. Display name and display color are optional. Click Switch role.

     As we can see at the top right corner, we have now switched roles and are no longer logged in as Bob but as EC2-access-role. Now, still logged in as Bob, we can do whatever we want with the EC2 console. So now let’s open the EC2 console and see if we still get the API errors. There we go: all the API errors have gone, and Bob can go ahead and check security groups and even launch an EC2 instance. So we see that once you assume a role, you have all the permissions assigned to that role.

     We can always switch back to our previous state. To switch back, let’s go again and select the drop-down button at the top right corner, then just click Switch back as shown below. By switching back, our user Bob has gone back to his original state where he had no permissions, and we can see all the API errors are back. So that’s it.

     Clean up

     This brings us to the end of this blog article.

     Conclusion

     I hope this blog covers leveraging AWS Identity and Access Management (IAM), which is essential for maximizing cloud security. By optimizing IAM policies and permissions, we can enhance control and authorization, ensuring that only authorized entities access AWS resources. By leveraging AWS IAM best practices, organizations can maximize security and achieve compliance in the cloud landscape. Thanks for reading and stay tuned for more! If you have any questions concerning this article, please don’t hesitate to reach out to us. Thank you!
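The three posts above all come down to the same evaluation rules: the policy in post 1 grants a secret read only when a resource tag matches, post 2 turns certificate fields into session tags that a condition can test, and post 3 states that a deny in a resource policy overrides an allow in the user's identity policy. The following is an added example (not code from any of the posts, and not AWS's own evaluator) that models those rules in plain Python: an explicit deny wins, otherwise any applicable allow grants access, otherwise the request is implicitly denied, with IAM-style wildcards and a StringEquals condition. The account id, ARNs, bucket and secret names are constructed; the aws:PrincipalTag/x509Subject/<attr> key format is assumed from the Roles Anywhere documentation; permissions boundaries, SCPs, session policies, the Principal element and the other condition operators are deliberately left out.

```python
"""Minimal model of how IAM combines policies (added example, not from the
posts above).  Rules modelled: an explicit Deny in any applicable policy
wins, otherwise any applicable Allow grants access, otherwise the request
is implicitly denied.  Action/Resource support IAM's '*' and '?' wildcards;
Condition supports StringEquals on context keys such as
aws:ResourceTag/<key>, aws:PrincipalTag/<key> and aws:PrincipalArn."""
from fnmatch import fnmatchcase


def _as_list(value):
    # IAM lets most elements be either one string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    if case_insensitive:  # action names are matched case-insensitively
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Every key under StringEquals must be present in the request context
    # and equal one of the listed values; a missing key fails the test.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def _applies(stmt, action, resource, context):
    return (_matches(stmt.get("Action", []), action, case_insensitive=True)
            and _matches(stmt.get("Resource", []), resource)
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource, context=None):
    """Return 'deny' (explicit), 'allow' or 'implicit_deny' for one request.
    `policies` holds identity-based and resource-based documents together."""
    context = context or {}
    decision = "implicit_deny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit deny always wins
            decision = "allow"
    return decision


# 1. Statement from the EMR Studio policy in post 1: the secret may be read
#    only when it carries the EMR tag.  SECRET_ARN is constructed.
EMR_SECRETS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowSecretsManagerReadOnlyActionsWithEMRTags",
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue"],
    "Resource": "arn:aws:secretsmanager:*:*:secret:*",
    "Condition": {"StringEquals": {
        "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"}}}]}
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-creds-AbC123"
EMR_TAG_CONTEXT = {"aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"}

# 2. Post 3's rule: Bob's identity policy allows, the bucket policy denies him
#    explicitly, so the deny wins.  (Constructed; the bucket policy's
#    Principal element is modelled here through the aws:PrincipalArn key.)
BOB_ARN = "arn:aws:iam::123456789012:user/Bob"  # constructed account id
BOB_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:PrincipalArn": BOB_ARN}}}]}
OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"


# 3. Post 2's Roles Anywhere mapping: certificate fields become session tags
#    that a policy reads as aws:PrincipalTag/x509Subject/<attr>, x509Issuer/
#    <attr> or x509SAN/<type> (key format assumed from the AWS documentation).
def session_tags_from_certificate(subject, issuer=None, san=None):
    tags = {}
    for prefix, fields in (("x509Subject", subject),
                           ("x509Issuer", issuer or {}),
                           ("x509SAN", san or {})):
        for name, value in fields.items():
            tags[f"aws:PrincipalTag/{prefix}/{name}"] = value
    return tags


ROLES_ANYWHERE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::plant-telemetry/*",
    "Condition": {"StringEquals": {"aws:PrincipalTag/x509Subject/OU": "plant-7"}}}]}
TELEMETRY_ARN = "arn:aws:s3:::plant-telemetry/line1.json"


def demo():
    """Run the three scenarios and return the decisions for checking."""
    bob = {"aws:PrincipalArn": BOB_ARN}
    return {
        "emr_tagged": evaluate([EMR_SECRETS_POLICY], "secretsmanager:GetSecretValue",
                               SECRET_ARN, EMR_TAG_CONTEXT),
        "emr_untagged": evaluate([EMR_SECRETS_POLICY], "secretsmanager:GetSecretValue",
                                 SECRET_ARN),
        "bob_identity_only": evaluate([BOB_IDENTITY_POLICY], "s3:GetObject", OBJECT_ARN, bob),
        "bob_with_bucket_policy": evaluate([BOB_IDENTITY_POLICY, BUCKET_POLICY],
                                           "s3:GetObject", OBJECT_ARN, bob),
        "cert_plant7": evaluate([ROLES_ANYWHERE_POLICY], "s3:GetObject", TELEMETRY_ARN,
                                session_tags_from_certificate({"CN": "plc-42", "OU": "plant-7"})),
        "cert_plant9": evaluate([ROLES_ANYWHERE_POLICY], "s3:GetObject", TELEMETRY_ARN,
                                session_tags_from_certificate({"CN": "plc-42", "OU": "plant-9"})),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {decision}")
```

Two points the model makes visible: the condition key for a tag that the resource (or the certificate) does not carry is absent from the context, so the allow simply never applies, and the explicit deny is returned as soon as it is found regardless of how many allows precede it.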
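The console walkthrough in post 3, redone as an added AWS CLI script (not the article's own code). It assumes AWS CLI v2, a default profile with IAM administrator rights, and that access keys in a CLI profile named bob stand in for the article's console sign-in; the trust policy it generates is an assumed one that matches the article's description (a custom trust policy naming the user's ARN), since the article's own policy is not shown here. Nothing is sent to AWS unless RUN_IAM_DEMO=1 (run) or RUN_IAM_DEMO=cleanup (undo) is set.

```shell
#!/bin/sh
# Added example, not from the article: post 3's console clicks as AWS CLI
# calls.  Assumptions: AWS CLI v2, a default profile with IAM admin rights,
# account id read from STS.  The names Bob, operations-group and
# EC2-access-role follow the article; everything else is constructed.
set -eu

USER_NAME=Bob
GROUP_NAME=operations-group
ROLE_NAME=EC2-access-role

# Trust policy for the role: only the named IAM user may assume it
# (assumed shape; the article's own trust policy is not reproduced here).
make_trust_policy() { # $1 = account id, $2 = user name
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::$1:user/$2" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

run_demo() {
  account=$(aws sts get-caller-identity --query Account --output text)

  # 1. User in a group with no policies attached: no permissions at all.
  aws iam create-user --user-name "$USER_NAME"
  aws iam create-group --group-name "$GROUP_NAME"
  aws iam add-user-to-group --group-name "$GROUP_NAME" --user-name "$USER_NAME"

  # Bob's access keys go into a CLI profile named "bob" (stand-in for the
  # console sign-in in the article).
  keys=$(aws iam create-access-key --user-name "$USER_NAME" \
           --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
  aws configure set aws_access_key_id "$(printf '%s' "$keys" | cut -f1)" --profile bob
  aws configure set aws_secret_access_key "$(printf '%s' "$keys" | cut -f2)" --profile bob

  # 2. Role that trusts Bob, with the managed EC2 full-access policy.
  make_trust_policy "$account" "$USER_NAME" > trust-policy.json
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document file://trust-policy.json
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
  sleep 15   # IAM is eventually consistent; new keys may not work instantly

  # 3. As Bob directly: denied.  As Bob through the role: allowed.
  if aws ec2 describe-security-groups --profile bob >/dev/null 2>&1; then
    echo "unexpected: $USER_NAME can reach EC2 without the role"
  else
    echo "expected: $USER_NAME is denied EC2 access"
  fi
  creds=$(aws sts assume-role --profile bob \
            --role-arn "arn:aws:iam::$account:role/$ROLE_NAME" \
            --role-session-name "$USER_NAME-ec2" \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
            --output text)
  AWS_ACCESS_KEY_ID=$(printf '%s' "$creds" | cut -f1) \
  AWS_SECRET_ACCESS_KEY=$(printf '%s' "$creds" | cut -f2) \
  AWS_SESSION_TOKEN=$(printf '%s' "$creds" | cut -f3) \
    aws ec2 describe-security-groups --query 'SecurityGroups[].GroupName' --output text
}

# Undo everything run_demo created (the article's "Clean up" step).
cleanup() {
  aws iam detach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
  aws iam delete-role --role-name "$ROLE_NAME"
  for key in $(aws iam list-access-keys --user-name "$USER_NAME" \
                 --query 'AccessKeyMetadata[].AccessKeyId' --output text); do
    aws iam delete-access-key --user-name "$USER_NAME" --access-key-id "$key"
  done
  aws iam remove-user-from-group --group-name "$GROUP_NAME" --user-name "$USER_NAME"
  aws iam delete-group --group-name "$GROUP_NAME"
  aws iam delete-user --user-name "$USER_NAME"
  rm -f trust-policy.json
}

case "${RUN_IAM_DEMO:-}" in
  1) run_demo ;;
  cleanup) cleanup ;;
esac
```

Switch role in the console and `aws sts assume-role` are the same STS call, so the final describe-security-groups made with the temporary credentials is the CLI equivalent of the article's Security Groups page loading without API errors, and the earlier failing call with Bob's own keys is the "credentials could not be validated" state.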
  4. AWS IoT SiteWise is a managed service that makes it easy to collect, store, organize and monitor data from industrial equipment at scale to help you make better, data-driven decisions.
  5. Amazon SageMaker Studio is the first fully integrated development environment (IDE) for machine learning (ML). It provides a single, web-based visual interface where you can perform all ML development steps required to prepare, build, train and tune, deploy and manage models. Starting today, you can secure the connection from your Amazon Virtual Private Cloud (VPC) to SageMaker Studio using AWS PrivateLink. When using PrivateLink, all the traffic flows entirely within the AWS network without traversing the public internet, thus adding an additional layer of security.