# Kickstart Your AWS Journey with GitOps-Driven IAM
---
### Goal
![](https://hackmd.io/_uploads/H1oig5V03.png)
---
### Architecture
![](https://hackmd.io/_uploads/Sk54h0GR3.png)
---
## About me
[https://rewanthtammana.com/](https://rewanthtammana.com/)
Rewanth Tammana is a security ninja, open-source contributor, independent consultant & SME at Uptycs. Previously, Senior Security Architect at Emirates NBD. Passionate about DevSecOps, Application, and Container Security. Added 17,000+ lines of code to Nmap. Holds industry certifications like CKS, CKA, etc.
---
## About me
[https://twitter.com/rewanthtammana](https://twitter.com/rewanthtammana)
Speaker & trainer at international security conferences worldwide including Black Hat, Defcon, Hack In The Box (Dubai and Amsterdam), CRESTCon UK, PHDays, Nullcon, Bsides, CISO Platform, null chapters and multiple others.
---
## About me
[https://linkedin.com/in/rewanthtammana](https://linkedin.com/in/rewanthtammana)
One of the MVP researchers on Bugcrowd (2018) and identified vulnerabilities in several organizations. Published an IEEE research paper on an offensive attack in Machine Learning and Security. Also, part of the renowned Google Summer of Code program.
---
### Agenda
- Introduction to AWS & IAM
- What is GitOps?
- Key AWS Services
- Walkthrough: GitOps-Driven IAM
- Trust Boundaries in Cloud Architecture
- Summary & Q&A
---
### Ice Breaker
- Quick poll to gauge audience's familiarity with AWS and GitOps
---
### Overview
<!-- *Personal anecdote about your AWS journey & why you think this project will be helpful* -->
---
### Introduction to AWS
What is AWS?
![](https://hackmd.io/_uploads/SkgVBKXC3.png)
[Reference](https://ourtechplanet.com/amazon-web-services-aws-the-market-leader/list-of-aws-services/)
---
### What is GitOps?
![](https://hackmd.io/_uploads/H1BpSENAh.png)
[Reference](https://medium.com/codex/what-is-gitops-d24510475dbf)
---
### Key AWS Services (Part 1)
- IAM
- Lambda
- EventBridge
- CloudTrail
---
### IAM
![](https://hackmd.io/_uploads/SkGsrtm0h.png)
[Reference](https://www.linkedin.com/pulse/what-iam-identity-access-management-aws-akshat-pattiwar)
---
### IAM Roles
![](https://hackmd.io/_uploads/S1_ZIYQCh.png)
---
### Other IAM-related resources
* Policies
* SCPs - AWS Organizations level
![](https://hackmd.io/_uploads/S1pKB4EAn.png)
[Reference](https://aws.amazon.com/blogs/storage/managing-access-to-backups-using-service-control-policies-with-aws-backup/)
---
### Lambda
![](https://hackmd.io/_uploads/HyENLVEA2.png)
[Reference](https://vticloud.io/en/gioi-thieu-dich-vu-aws-lambda-va-cach-cau-hinh-cho-nguoi-moi-bat-dau/)
---
### EventBridge
![Imgur](https://i.imgur.com/4aHVfTq.png =800x500)
[Reference](https://serverlessland.com/serverless/visuals/eventbridge/understanding-event-bus)
---
### CloudTrail
![](https://hackmd.io/_uploads/B1kPv44Rn.png)
[Reference](https://maturitymodel.security.aws.dev/en/1.-quickwins/cloudtrail/)
---
### Key AWS Services (Part 2)
- CloudWatch
- ECR
- S3
---
### Connecting the pieces
![](https://hackmd.io/_uploads/SkPRdVVRn.png)
---
### Trust boundaries
```graphviz
digraph hierarchy {
  nodesep=1.0 // increases the separation between nodes
  node [color=Red,fontname=Courier,shape=box] // all nodes get this shape and colour
  edge [color=Blue, style=dashed] // all edges look like this
  Lambda->{Github ECR IAM Organizations Cloudwatch}
  EventBridge->{Lambda Cloudtrail}
  Cloudtrail->S3
}
```
---
### Walkthrough
- Python code to parse IAM info from AWS events & send it to GitHub
- Push the Docker image to ECR
- Integrate Lambda, EventBridge & the other services
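The first walkthrough step, as an added example that is not the code from the original deck or the linked blog: a Lambda handler that receives an IAM call delivered by EventBridge as an "AWS API Call via CloudTrail" event, keeps only successful write operations (read-only `Get*`/`List*`/`Describe*` calls and calls that failed with an `errorCode` carry no state change), and turns the record into a file path, file content and commit message for the GitHub Contents API. The repository name `example-org/iam-audit`, the `iam/<account>/<eventName>/` path layout, the `GITHUB_TOKEN` environment variable and the sample event are assumptions made for this example; the real token would come from the KMS-decrypted secret the Lambda policy allows.

```python
"""Turn an IAM change event (CloudTrail via EventBridge) into a Git commit.

Added example. The event envelope follows EventBridge's 'AWS API Call via
CloudTrail' shape; repo, branch, path layout and env var names are assumed.
"""
import base64
import json
import os
import re
import urllib.request
from typing import Callable, Optional

# Read-only IAM calls carry no state change; only mutating calls are recorded.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Simulate", "Generate")


def is_iam_mutation(detail: dict) -> bool:
    """True for IAM write calls that succeeded (no errorCode in the record)."""
    if detail.get("eventSource") != "iam.amazonaws.com":
        return False
    if "errorCode" in detail:  # denied or failed calls changed nothing
        return False
    name = detail.get("eventName", "")
    return bool(name) and not name.startswith(READ_ONLY_PREFIXES)


def _slug(value: str) -> str:
    """Make a value safe to use as a path component."""
    return re.sub(r"[^A-Za-z0-9._-]+", "_", value)


def build_git_change(event: dict) -> Optional[dict]:
    """Map one EventBridge event to {path, content, message}, or None to skip."""
    detail = event.get("detail", {})
    if not is_iam_mutation(detail):
        return None
    actor = detail.get("userIdentity", {}).get("arn", "unknown")
    record = {
        "account": event.get("account"),
        "region": detail.get("awsRegion"),
        "eventTime": detail.get("eventTime"),
        "eventName": detail["eventName"],
        "actor": actor,
        "requestParameters": detail.get("requestParameters"),
        "responseElements": detail.get("responseElements"),
        "eventID": detail.get("eventID"),
    }
    stamp = _slug(record["eventTime"] or "unknown-time")
    event_id = _slug(record["eventID"] or "noid")
    path = f"iam/{record['account']}/{record['eventName']}/{stamp}-{event_id}.json"
    message = f"iam: {record['eventName']} by {actor} in {record['account']}"
    content = json.dumps(record, indent=2, sort_keys=True)
    return {"path": path, "content": content, "message": message}


def build_contents_api_request(change: dict, repo: str, branch: str) -> dict:
    """Prepare a GitHub Contents API PUT (create file) for the change."""
    url = f"https://api.github.com/repos/{repo}/contents/{change['path']}"
    body = {
        "message": change["message"],
        "branch": branch,
        "content": base64.b64encode(change["content"].encode()).decode(),
    }
    return {"url": url, "body": body}


def push_to_github(request: dict, token: str) -> int:
    """Send the prepared request to GitHub; returns the HTTP status code."""
    req = urllib.request.Request(
        request["url"],
        data=json.dumps(request["body"]).encode(),
        method="PUT",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def lambda_handler(event: dict, context=None, *, repo: str = "example-org/iam-audit",
                   branch: str = "main", token: Optional[str] = None,
                   sender: Callable[[dict, str], int] = push_to_github) -> dict:
    """Lambda entry point; `sender` is injectable so the flow runs offline."""
    change = build_git_change(event)
    if change is None:
        return {"skipped": True}
    token = token if token is not None else os.environ.get("GITHUB_TOKEN", "")
    status = sender(build_contents_api_request(change, repo, branch), token)
    return {"skipped": False, "path": change["path"], "status": status}


# Constructed sample: an AttachRolePolicy call as EventBridge would deliver it.
SAMPLE_EVENT = {
    "version": "0", "id": "c0ffee00-0000-0000-0000-000000000000",
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.iam",
    "account": "123456789012", "time": "2023-10-01T12:00:00Z", "region": "us-east-1",
    "resources": [],
    "detail": {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "eventTime": "2023-10-01T12:00:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "AttachRolePolicy", "awsRegion": "us-east-1", "eventID": "evt-0001",
        "requestParameters": {"roleName": "AppRole",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
        "responseElements": None,
    },
}

if __name__ == "__main__":
    # Offline run: the fake sender stands in for the GitHub call and reports 201.
    print(lambda_handler(SAMPLE_EVENT, sender=lambda req, tok: 201))
```

Each successful IAM mutation becomes one JSON file under the account and API name, so the Git history doubles as a reviewable audit trail and a pull request can flag an unexpected `AttachRolePolicy` of `AdministratorAccess` before anyone notices it in the console. Filtering on `errorCode` keeps denied attempts out of the repo; if you want those too, route them to a separate path rather than dropping them.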
---
### Terraform
A few sample configurations 👇
---
### IAM Role for Lambda
```terraform
resource "aws_iam_role" "lambda_role" {
  name = local.role_name
  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = "sts:AssumeRole",
        Effect = "Allow",
        Principal = {
          Service = "lambda.amazonaws.com"
        }
      }
    ]
  })
}
```
---
### IAM Policy for Lambda
```terraform
resource "aws_iam_policy" "lambda_policy" {
  name        = local.policy_name
  description = "Policy for Lambda function"
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        Action = [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        Resource = "arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/${local.lambda_function_name}:*"
      },
      {
        Effect = "Allow",
        Action = [
          "iam:ListPolicies",
          "iam:ListRoles",
          "organizations:ListPolicies",
          "organizations:DescribePolicy"
        ],
        Resource = "*"
      },
      {
        Effect   = "Allow",
        Action   = "kms:Decrypt",
        Resource = "arn:aws:kms:${local.region}:${local.account_id}:key/*"
      }
    ]
  })
}
```
---
### Demo Time
![Imgur](https://i.imgur.com/xSeoHAz.png)
---
### Quiz Time!
- Will this still work if we create these resources in eu-north-1?
---
### Summary
- Key Takeaways
- Next Steps
---
### Q&A
---
### Additional Resources
- Blog link: [Managing AWS IAM in GitOps Style](https://blog.rewanthtammana.com/managing-aws-iam-in-gitops-style)
---
### Thank You!
Write to me on:
Google: [Rewanth Tammana](https://www.google.com/search?q=rewanth+tammana&oq=rewanth+tammana)
Website: [rewanthtammana.com](https://rewanthtammana.com)
Twitter: [@rewanthtammana](https://twitter.com/rewanthtammana)
LinkedIn: [/in/rewanthtammana](https://linkedin.com/in/rewanthtammana)