学习目标
- 掌握IAM安全设计的核心原则
- 学习身份和凭证管理最佳实践
- 实施IAM监控和审计机制
- 建立IAM安全事件响应流程
- 掌握IAM合规性要求和实施
IAM安全架构图
6.1 IAM安全设计原则
6.1.1 核心安全原则
import boto3
import json
from datetime import datetime, timedelta
import hashlib
import uuid
def implement_security_principles():
    """
    Catalogue the IAM security design principles covered in this chapter
    and print a short summary of each one.

    Returns:
        dict: principle key -> record. Every record carries ``principle``,
        ``description`` and ``implementation_strategies``. ``least_privilege``
        additionally has ``best_practices``; the other three carry a
        principle-specific extra list (``security_layers``,
        ``verification_factors``, ``separation_examples``) that is returned
        but not printed.
    """
    least_privilege = {
        "principle": "最小权限原则",
        "description": "只授予执行任务所需的最小权限",
        "implementation_strategies": [
            "从拒绝所有开始,逐步添加必需权限",
            "定期审查和清理不必要的权限",
            "使用权限边界限制最大权限范围",
            "实施Just-In-Time访问模式",
            "基于实际使用情况调整权限",
        ],
        "best_practices": [
            "避免使用通配符权限(*)",
            "使用具体的资源ARN而非*",
            "定期运行Access Analyzer",
            "监控权限使用情况",
            "实施权限生命周期管理",
        ],
    }

    defense_in_depth = {
        "principle": "深度防御原则",
        "description": "实施多层安全控制机制",
        "implementation_strategies": [
            "组织级SCP + 账户级策略",
            "权限边界 + 身份策略",
            "网络安全 + 应用安全",
            "加密传输 + 加密存储",
            "监控 + 告警 + 响应",
        ],
        "security_layers": [
            "AWS组织和SCP策略",
            "网络访问控制(VPC、安全组)",
            "IAM身份和权限管理",
            "资源级权限控制",
            "应用程序安全控制",
            "数据加密和保护",
            "监控和审计系统",
        ],
    }

    zero_trust = {
        "principle": "零信任原则",
        "description": "不信任任何用户或系统,始终验证",
        "implementation_strategies": [
            "强制身份验证和授权",
            "基于上下文的访问控制",
            "持续监控和验证",
            "最小爆炸半径设计",
            "动态权限调整",
        ],
        "verification_factors": [
            "用户身份(Who)",
            "设备状态(Where)",
            "应用程序(What)",
            "时间上下文(When)",
            "访问行为(How)",
            "数据分类(Why)",
        ],
    }

    separation_of_duties = {
        "principle": "职责分离原则",
        "description": "将关键操作分散给不同的人员或系统",
        "implementation_strategies": [
            "管理员和操作员角色分离",
            "开发和生产环境分离",
            "读权限和写权限分离",
            "审计和执行功能分离",
            "审批和执行流程分离",
        ],
        "separation_examples": [
            "数据库管理员不能直接访问应用数据",
            "开发人员不能直接部署到生产环境",
            "安全团队独立于开发团队",
            "审计员独立于被审计系统",
            "备份恢复需要双人授权",
        ],
    }

    # Insertion order matters: callers iterate the returned dict in this order.
    security_principles = {
        "least_privilege": least_privilege,
        "defense_in_depth": defense_in_depth,
        "zero_trust": zero_trust,
        "separation_of_duties": separation_of_duties,
    }

    def show_list(heading, bullet, items):
        # One heading line followed by one bulleted line per item.
        print(heading)
        for item in items:
            print(f" {bullet} {item}")

    print("🔐 IAM安全设计原则:")
    for entry in security_principles.values():
        print(f"\n{entry['principle']}:")
        print(f" 描述: {entry['description']}")
        strategies = entry.get('implementation_strategies')
        if strategies is not None:
            show_list(" 实施策略:", "•", strategies)
        practices = entry.get('best_practices')
        if practices is not None:
            show_list(" 最佳实践:", "✓", practices)
    return security_principles
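def create_secure_iam_architecture():
    """
    Build the reference IAM architecture object used in this chapter.

    Returns:
        SecureIAMArchitecture: an object whose ``design_role_hierarchy``,
        ``implement_mfa_enforcement`` and ``create_break_glass_procedure``
        methods return illustrative design data as plain dicts and print a
        short summary. The AWS clients (``iam``, ``organizations``, ``sts``)
        are created on first attribute access instead of in ``__init__``, so
        the design methods work without AWS credentials or region
        configuration; none of the methods below currently use the clients.
    """
    class SecureIAMArchitecture:
        def __init__(self):
            # Client slots are filled lazily by the properties below. The
            # original eager ``boto3.client(...)`` calls made construction
            # depend on AWS configuration even though every method here only
            # returns static data.
            self._iam = None
            self._organizations = None
            self._sts = None

        @property
        def iam(self):
            """IAM client, created on first access."""
            if self._iam is None:
                self._iam = boto3.client('iam')
            return self._iam

        @property
        def organizations(self):
            """Organizations client, created on first access."""
            if self._organizations is None:
                self._organizations = boto3.client('organizations')
            return self._organizations

        @property
        def sts(self):
            """STS client, created on first access."""
            if self._sts is None:
                self._sts = boto3.client('sts')
            return self._sts

        def design_role_hierarchy(self):
            """
            Return the illustrative role hierarchy.

            Returns:
                dict: three categories (``administrative_roles``,
                ``operational_roles``, ``application_roles``), each mapping a
                role name to a dict with ``description``, ``permissions``,
                ``restrictions`` and ``assume_conditions``. The values are
                design notes, not deployable policy documents; the
                NOTE(review) comments mark entries to confirm before use.
            """
            role_hierarchy = {
                "administrative_roles": {
                    "OrganizationAdmin": {
                        "description": "组织管理员,管理AWS组织结构",
                        "permissions": ["organizations:*", "account:*"],
                        "restrictions": ["不能直接访问工作负载", "需要MFA"],
                        # MFA must be present and the MFA session must be
                        # younger than 1800 s (30 min); aws:MultiFactorAuthAge
                        # is expressed in seconds.
                        "assume_conditions": {
                            "Bool": {"aws:MultiFactorAuthPresent": "true"},
                            "NumericLessThan": {"aws:MultiFactorAuthAge": "1800"}
                        }
                    },
                    "SecurityAdmin": {
                        "description": "安全管理员,管理IAM和安全配置",
                        # NOTE(review): ``iam:*`` lets the holder attach any
                        # policy, so the "no application data" restriction
                        # cannot be enforced by this list alone; it needs a
                        # permissions boundary or SCP on top.
                        "permissions": ["iam:*", "config:*", "cloudtrail:*"],
                        "restrictions": ["不能访问应用数据", "独立于开发团队"],
                        "assume_conditions": {
                            "Bool": {"aws:MultiFactorAuthPresent": "true"},
                            "StringEquals": {"aws:PrincipalTag/Department": "Security"}
                        }
                    },
                    "AuditAdmin": {
                        "description": "审计管理员,只读访问审计日志",
                        # NOTE(review): ``*:Get*``-style strings are shorthand
                        # for "read-only"; confirm against the IAM action
                        # grammar (service prefix + action) before turning
                        # them into a real policy.
                        "permissions": ["*:Get*", "*:List*", "*:Describe*"],
                        "restrictions": ["只读权限", "不能修改配置"],
                        "assume_conditions": {
                            "Bool": {"aws:MultiFactorAuthPresent": "true"}
                        }
                    }
                },
                "operational_roles": {
                    "DevOpsEngineer": {
                        "description": "DevOps工程师,管理基础设施",
                        "permissions": ["ec2:*", "cloudformation:*", "lambda:*"],
                        "restrictions": ["不能修改IAM", "环境隔离"],
                        # Attribute-based access: the resource's Environment
                        # tag must equal the principal's AllowedEnvironment
                        # tag (policy variable on the right-hand side).
                        "assume_conditions": {
                            "StringEquals": {"aws:ResourceTag/Environment": "${aws:PrincipalTag/AllowedEnvironment}"}
                        }
                    },
                    "DatabaseAdmin": {
                        "description": "数据库管理员,管理数据库资源",
                        "permissions": ["rds:*", "dynamodb:*"],
                        "restrictions": ["不能访问应用数据", "只能管理数据库实例"],
                        "assume_conditions": {
                            "Bool": {"aws:MultiFactorAuthPresent": "true"}
                        }
                    }
                },
                "application_roles": {
                    "WebServerRole": {
                        "description": "Web服务器角色",
                        "permissions": ["s3:GetObject", "dynamodb:GetItem"],
                        "restrictions": ["只能访问指定资源"],
                        # NOTE(review): this compares an instance ARN with a
                        # token issue time, which can never match; treat the
                        # value as a placeholder and confirm the intended
                        # condition before use.
                        "assume_conditions": {
                            "StringEquals": {"ec2:SourceInstanceARN": "${aws:TokenIssueTime}"}
                        }
                    },
                    "LambdaExecutionRole": {
                        "description": "Lambda函数执行角色",
                        "permissions": ["logs:*", "s3:GetObject"],
                        "restrictions": ["最小化权限"],
                        # NOTE(review): StringEquals does not expand ``*``;
                        # a wildcard ARN needs StringLike, and pinning the
                        # exact function ARN is the stronger
                        # confused-deputy protection.
                        "assume_conditions": {
                            "StringEquals": {"aws:SourceArn": "arn:aws:lambda:*"}
                        }
                    }
                }
            }
            return role_hierarchy

        def implement_mfa_enforcement(self):
            """
            Return an identity-based policy that forces MFA for everything
            except the self-service actions a user needs to enrol a device.

            Returns:
                dict: an IAM policy document (``Version`` 2012-10-17) with
                four statements; the final Deny statement carries the
                enforcement.
            """
            mfa_policy = {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "AllowViewAccountInfo",
                        "Effect": "Allow",
                        "Action": [
                            "iam:GetAccountPasswordPolicy",
                            "iam:GetAccountSummary",
                            "iam:ListVirtualMFADevices"
                        ],
                        "Resource": "*"
                    },
                    {
                        "Sid": "AllowManageOwnPasswords",
                        "Effect": "Allow",
                        "Action": [
                            "iam:ChangePassword",
                            "iam:GetUser"
                        ],
                        # ${aws:username} scopes the statement to the
                        # caller's own IAM user.
                        "Resource": "arn:aws:iam::*:user/${aws:username}"
                    },
                    {
                        "Sid": "AllowManageOwnMFA",
                        "Effect": "Allow",
                        "Action": [
                            "iam:CreateVirtualMFADevice",
                            "iam:DeleteVirtualMFADevice",
                            "iam:EnableMFADevice",
                            "iam:ListMFADevices",
                            "iam:ResyncMFADevice"
                        ],
                        "Resource": [
                            "arn:aws:iam::*:mfa/${aws:username}",
                            "arn:aws:iam::*:user/${aws:username}"
                        ]
                    },
                    {
                        # Deny everything not in NotAction unless MFA was
                        # used. BoolIfExists also denies when the key is
                        # absent (e.g. requests signed with long-term access
                        # keys). sts:GetSessionToken stays allowed so CLI
                        # users can obtain an MFA-authenticated session.
                        "Sid": "DenyAllExceptUnlessSignedInWithMFA",
                        "Effect": "Deny",
                        "NotAction": [
                            "iam:ChangePassword",
                            "iam:CreateVirtualMFADevice",
                            "iam:EnableMFADevice",
                            "iam:GetUser",
                            "iam:ListMFADevices",
                            "iam:ListVirtualMFADevices",
                            "iam:ResyncMFADevice",
                            "sts:GetSessionToken"
                        ],
                        "Resource": "*",
                        "Condition": {
                            "BoolIfExists": {
                                "aws:MultiFactorAuthPresent": "false"
                            }
                        }
                    }
                ]
            }
            print("🔐 MFA强制策略:")
            print(" - 允许查看账户信息")
            print(" - 允许管理自己的密码和MFA设备")
            print(" - 拒绝所有其他操作,除非已通过MFA认证")
            return mfa_policy

        def create_break_glass_procedure(self):
            """
            Return the emergency ("break glass") access design.

            Returns:
                dict: ``emergency_role`` (name, permissions, assume
                conditions, monitoring hooks), ``activation_process`` (six
                ordered steps) and ``automatic_controls`` (duration cap and
                boolean control flags). Design data only; nothing is created
                in AWS.
            """
            break_glass_config = {
                "emergency_role": {
                    "name": "EmergencyBreakGlassRole",
                    "description": "紧急情况下的全权限角色",
                    # Full permissions: every other control in this record
                    # (approval, time window, alarms, audit trail) exists to
                    # compensate for that.
                    "permissions": ["*:*"],
                    "conditions": {
                        "StringEquals": {
                            "aws:RequestTag/Emergency": "true",
                            "aws:RequestTag/RequestedBy": "${aws:username}",
                            "aws:RequestTag/Reason": "EMERGENCY"
                        },
                        # NOTE(review): the validity window is read from
                        # request tags supplied by the requester, so the real
                        # bound is whoever is allowed to set those tags;
                        # confirm this is tied to the approval step below.
                        "DateGreaterThan": {
                            "aws:CurrentTime": "${aws:RequestTag/ValidFrom}"
                        },
                        "DateLessThan": {
                            "aws:CurrentTime": "${aws:RequestTag/ValidUntil}"
                        }
                    },
                    "monitoring": {
                        "cloudwatch_alarm": "EmergencyAccessAlarm",
                        "sns_notification": "SecurityTeamTopic",
                        "audit_logging": "EmergencyAccessLogGroup"
                    }
                },
                "activation_process": [
                    "1. 安全团队成员申请紧急访问",
                    "2. 提供详细的紧急情况描述",
                    "3. 获得安全主管的批准",
                    "4. 系统自动创建临时访问令牌",
                    "5. 所有操作被完整记录和监控",
                    "6. 紧急情况结束后立即撤销访问"
                ],
                "automatic_controls": {
                    "max_duration": "4小时",
                    "automatic_revocation": True,
                    "real_time_monitoring": True,
                    "approval_required": True,
                    "full_audit_trail": True
                }
            }
            print("🚨 紧急访问(破玻璃)程序:")
            print(f" 角色名称: {break_glass_config['emergency_role']['name']}")
            print(f" 最大持续时间: {break_glass_config['automatic_controls']['max_duration']}")
            print(" 激活流程:")
            for step in break_glass_config['activation_process']:
                print(f" {step}")
            return break_glass_config

    return SecureIAMArchitecture()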
# Walk through the chapter material: principles first, then the architecture helpers.
security_principles = implement_security_principles()

secure_arch = create_secure_iam_architecture()
role_hierarchy = secure_arch.design_role_hierarchy()
mfa_policy = secure_arch.implement_mfa_enforcement()
break_glass_config = secure_arch.create_break_glass_procedure()

# Print the role catalogue grouped by category, e.g. "administrative_roles"
# is shown as "Administrative Roles".
print("\n📋 角色层次结构示例:")
for group_key, group in role_hierarchy.items():
    heading = group_key.replace('_', ' ').title()
    print(f"\n{heading}:")
    for name, spec in group.items():
        print(f" {name}: {spec['description']}")
