AWS Identity and Access Management and Consolidated Billing
1. AWS Meister Series Reloaded
~IAM & Consolidated Billing~
Jan. 30th 2012
Akio Katayama( @c9katayama )
Solutions Architect in Japan SA Team
- Translated by Kenta Yasukawa -
2. Web Seminar
AWS Meister Series Reloaded
Up-to-date materials from the Meister Series in Japanese
New contents and New speakers!
New services will be introduced!
Join at (Japanese) :
http://aws.amazon.com/jp/event_schedule/
5. IAM (AWS Identity and Access Management)
For AWS user authentication and access policy management
Creating users and groups for different AWS operations
Applying access policies such as “allowing to launch EC2 instances” and “allowing to write to an S3 bucket”
User/Group management
Each user is authenticated and has its own access policy applied
Each group may have a different access policy
Each group may have multiple users
• Users in a group inherit the access policy of the group
(Figure: example groups “Developers” and “O&M”)
6. IAM (AWS Identity and Access Management)
Various authentication tokens are issued for each user
Access key and Secret key
For authentication upon use of SDKs
Security Certificate (X.509)
For authentication upon operations such as AMI-tools
Login password for AWS management console
Multi-Factor Authentication (MFA) device
For providing an additional level of security for the management console
(Figure: “Developers” and “O&M” users authenticating to AWS)
7. How IAM Works
Authorizes every request from the API and the Management Console
(Figure: example groups and the access granted to each)
Administrator group: all operations granted
Developer group: all S3 operations granted
O&M group: S3 read-only access granted
8. Use Cases
Improving Security
An IAM User can be easily invalidated
Backup-only User
Taking snapshots with a user that has only the EBS snapshot permission granted
Mistaken operations cannot stop EC2 instances
Assigning different S3 buckets to users
Partitioned access to S3 within one account
Business Management User
Creating IAM User(s) who can only access billing information
10. Operations and Configuration
Two Ways for Managing Users and Groups
AWS Management Console
IAM API
“Access Policy Language” for describing policies
JSON format
13. Access Policy Language
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBuckets",
        "s3:Get*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceIP": ["176.32.92.49/32"]
        }
      }
    }
  ]
}
Access is granted or rejected according to the statement
14. Access Policy Configuration
{
  "Effect": "Allow",
  "Action": [
    "s3:ListBuckets",
    "s3:Get*"
  ],
  "Resource": [
    "*"
  ],
  "Condition": {
    "StringEquals": {
      "aws:SourceIP": ["176.32.92.49/32"]
    }
  }
}
"Effect": “Allow” for granting access, “Deny” for rejecting
"Action": specifies the target operations (the * wildcard is allowed)
"Resource": specifies the target resources by Amazon Resource Name (ARN) (the * wildcard is allowed)
"Condition": specifies the condition under which this policy applies
This example means “If the request is from 176.32.92.49, S3 ListBuckets and Get related operations would be allowed”
15. Action & Resource
“Action” specifies right for operations, e.g.
RunInstances
AttachVolume
CreateBucket
DeleteObject
“Resource” specifies right for targets of operations, e.g.
EC2 Instances
EBS Volumes
S3 Buckets
S3 Objects
16. Support for Action/Resource
(Table: AWS services with columns for Action and Resource support)
IAM
Amazon CloudFront
Amazon CloudWatch
Amazon EC2
Amazon ElastiCache
Amazon Elastic MapReduce
Amazon RDS
Amazon Route 53
Amazon S3
Amazon SES
Amazon SimpleDB
Amazon SNS
Amazon SQS
Amazon VPC
Auto Scaling
AWS CloudFormation
AWS Elastic Beanstalk
Elastic Load Balancing
DynamoDB
EC2 does not support Resource, and thus controlling access to each EC2 instance and/or EBS volume is not supported
17. Available Condition Statements
Text String
StringEquals, StringNotEquals, StringEqualsIgnoreCase,
StringNotEqualsIgnoreCase, StringLike, StringNotLike
Number
Date
Boolean
IP Address
IpAddress
NotIpAddress
18. Condition Statement
"Condition" : {
  "DateGreaterThan" : {
    "aws:CurrentTime" : "2009-04-16T12:00:00Z"
  },
  "DateLessThan": {
    "aws:CurrentTime" : "2009-04-16T15:00:00Z"
  },
  "IpAddress" : {
    "aws:SourceIp" : ["192.168.176.0/24","192.168.143.0/24"]
  }
}
The three condition blocks are combined with AND; the two address ranges listed under "aws:SourceIp" are combined with OR
19. Policy Configuration on Management Console
Choosing from templates
Creating with Policy Generator
Manual editing for policies
21. Logic for Granting or Rejecting Access
Multiple conditions are allowed for a policy
Each user or group may have different conditions
Contradicting conditions may be configured
All access is denied by default (Default to Deny)
Access is granted only if an “Allow” condition matches
If a “Deny” condition matches, access is denied (Explicit Denial)
Default to Deny < Allow < Explicit Denial
(Figure: two evaluation examples)
Example 1: Group’s statement: Allow; User’s statement: no matching statement (Default to Deny); result: decides to Allow
Example 2: Group’s statement: Deny (Explicit Denial); User’s statement: Allow; result: decides to Deny
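To make the precedence rule concrete, here is an added Python evaluator (not part of the deck, and not AWS's own engine) that applies the rules above to sample policies. The sample policies, the request context and the function names are constructed for this illustration; only the condition operators used on slides 13 and 18 are implemented.

```python
import ipaddress
from datetime import datetime
from fnmatch import fnmatchcase
# Default to Deny; a matching Allow grants; a matching Deny always wins (Explicit Denial).
# Operators inside one Condition block are ANDed, the values listed under one key are ORed.
def _as_list(x):
    return x if isinstance(x, list) else [x]
def _iso(s):  # "2009-04-16T12:00:00Z" -> timezone-aware datetime
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _cond_ok(op, key, values, ctx):
    actual = {k.lower(): v for k, v in ctx.items()}.get(key.lower())  # keys are case-insensitive
    if actual is None:
        return False  # a context key that is absent never satisfies a condition
    values = _as_list(values)
    if op == "StringEquals":
        return actual in values
    if op in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
        return hit if op == "IpAddress" else not hit
    if op == "DateGreaterThan":
        return all(_iso(actual) > _iso(v) for v in values)
    if op == "DateLessThan":
        return all(_iso(actual) < _iso(v) for v in values)
    raise ValueError("unsupported operator: " + op)

def _stmt_matches(stmt, action, resource, ctx):
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_cond_ok(op, k, v, ctx)
               for op, keys in stmt.get("Condition", {}).items() for k, v in keys.items())

def evaluate(policies, action, resource, ctx):
    decision = "Deny"  # Default to Deny
    for policy in policies:  # the user's and the group's statements are all considered
        for stmt in _as_list(policy["Statement"]):
            if _stmt_matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # Explicit Denial beats any Allow
                decision = "Allow"
    return decision

# Constructed sample (hypothetical names): the group allows S3 reads from two office ranges
# within a time window, and the user's own statement explicitly denies one bucket.
GROUP_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:ListBuckets", "s3:Get*"], "Resource": "*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["192.168.176.0/24", "192.168.143.0/24"]},
                  "DateGreaterThan": {"aws:CurrentTime": "2009-04-16T12:00:00Z"},
                  "DateLessThan": {"aws:CurrentTime": "2009-04-16T15:00:00Z"}}}]}
USER_POLICY = {"Statement": {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::secret/*"}}
```

Evaluating a read of `mybucket` from 192.168.143.7 at 13:30Z returns "Allow", while the same read of `secret/` is an explicit "Deny", and any request from outside the two ranges or the time window falls back to the default "Deny".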
22. User based and Resource based
Besides Users and Groups, Policies can be Assigned to Resources
E.g. policies can be applied to S3 buckets and SQS queues
Configuring a bucket to be only accessible from certain IP address(es)
(Figure: a user-based policy attached to a user versus a resource-based policy attached to the bucket)
23. Cross-Account Access
Granting Access from one AWS account to Another
1. Configure the following policy on Account A’s bucket
{
  "Statement" : {
    "Effect":"Allow",
    "Principal" : {
      "AWS":"<AWS Account B’s account number>"
    },
    "Action":"s3:*",
    "Resource":"arn:aws:s3:::mybucket/*"
  }
}
2. Create User1 in Account B and grant access to “mybucket”
User1 is then able to access mybucket
3. Unless explicitly allowed, User2 cannot access mybucket
24. Use of Management Console with IAM User
Use the dedicated URL for IAM users that belong to an AWS account
A friendly name can be configured with an “Account Alias”
First come, first served basis, the same as S3 bucket names
(Screenshot: the created Account Alias and the resulting dedicated URL)
25. Limitations
Each AWS Account can have
Up to 100 Groups
Up to 5000 Users
1 user can belong to up to 10 groups
Contact AWS support team to increase the limits
27. Identity Federation
Feature to link the authentication system in a company/organization with AWS authentication
E.g. Granting access to S3 for users authenticated with LDAP
Users authenticated with the federated authentication (Federated Users) are issued Temporary Security Credentials for AWS
28. Temporary Security Credentials
Temporary authentication information for AWS
A set of time-limited authentication tokens
Each Federated User gets:
Access Key
Secret Key
Session Token
The expiration timer for an issued credential is configurable
12 hours by default
From minimum 1 hour to maximum 36 hours
No way to extend or shorten the timer once issued
29. Metaphor with Hotel…
(Figure: an AWS Account’s IAM User Access Key ID compared with Temporary Security Credentials)
30. IAM Permission Hierarchy
(Table: permissions at each level, with an example policy for each)
AWS Account (implicit): all operations possible. Example: Action: *, Effect: Allow, Resource: *
IAM User: permissions granted for the User/Group. Example: Action: [‘s3:*’, ‘sts:Get*’], Effect: Allow, Resource: *
Temporary Security Credentials: determined when the temporary credential is issued. Example: Action: [‘s3:Get*’], Effect: Allow, Resource: ‘arn:aws:s3:::mybucket/*’
31. Use Cases
Mobile Applications
Issuing a Temporary Security Credential for each authenticated mobile application user
The user can upload files directly to S3
Secure because the credential has an expiration date
Temporary Access Permissions
Creating applications which can upload files to S3 for a limited period
Applications which can launch EC2 instances for a limited period
Different Access Policies for users in an organization
Creating an S3 bucket for each user
Giving different rights to different groups
32. How Identity Federation Works
Use in Web Applications
(Figure: a Temporary Credential Issuing Service inside the company/organization)
33. How Identity Federation Works
Use in Mobile and Client Applications
(Figure: a Temporary Credential Issuing Service inside the company/organization)
34. How to Use Identity Federation
Get a Federation Token from the application by using the API (AWS SDK for Java):
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetFederationTokenRequest;
import com.amazonaws.services.securitytoken.model.GetFederationTokenResult;

final String userId = request.getParameter("userId");
final String password = request.getParameter("password");
// Performs certain authentication in an organization-specific way
executeLDAPAuthentication(userId, password);
// Long-term access key and secret key of the IAM user that calls GetFederationToken
// (the two <...> values are placeholders)
AWSCredentials masterCredentials = new BasicAWSCredentials("<IAM user access key>", "<IAM user secret key>");
// SecurityToken Client
AWSSecurityTokenService securityTokenService = new AWSSecurityTokenServiceClient(masterCredentials);
GetFederationTokenRequest req = new GetFederationTokenRequest();
req.setName(userId);
// Setting S3 Read only policy
req.setPolicy("{\"Statement\": [{\"Effect\": \"Allow\",\"Action\": [\"s3:Get*\",\"s3:List*\"],\"Resource\": \"*\"}]}");
// Getting Temporary Security Credentials
GetFederationTokenResult result = securityTokenService.getFederationToken(req);
Credentials cs = result.getCredentials();
String tempAccessId = cs.getAccessKeyId();
String tempSecretkey = cs.getSecretAccessKey();
String sessionToken = cs.getSessionToken();
35. Limitations
Support for Temporary Users (As of Jan. 2012)
CloudFront
CloudWatch
DynamoDB (API Only)
EC2
ElastiCache
RDS
S3
SimpleDB
SQS
SNS
ELB
Route53
36. Logon to Management Console
Dedicated URL for Temporary Users
https://signin.aws.amazon.com/federation
Steps for Logon
Access to:
• /federation?Action=getSigninToken&SessionType=json&Session={"sessionId":"", "sessionKey":"", "sessionToken":""}
The token for logon is returned in the response to the above request
Redirected to:
• /federation?Action=login&SigninToken=<Token>&Destination=<Management Console URL>
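As an added example, not from the deck, the two URLs above built with Python's standard library: the session JSON goes URL-encoded into the Session parameter, and the token taken from the response goes into the login URL. The function names and the placeholder credential values are constructed; that the response body is a JSON object carrying the token under "SigninToken" is an assumption.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"

def signin_token_url(access_key_id, secret_key, session_token):
    # Step 1: the temporary credentials from GetFederationToken travel in the JSON "Session" parameter.
    session = json.dumps({"sessionId": access_key_id, "sessionKey": secret_key,
                          "sessionToken": session_token}, separators=(",", ":"))
    query = urlencode({"Action": "getSigninToken", "SessionType": "json", "Session": session})
    return FEDERATION_ENDPOINT + "?" + query

def signin_token_from_response(body):
    # Assumed response shape: a JSON object with the logon token under "SigninToken".
    return json.loads(body)["SigninToken"]

def console_login_url(signin_token, destination="https://console.aws.amazon.com/"):
    # Step 2: the user's browser is redirected here; Destination is the console page to open.
    query = urlencode({"Action": "login", "SigninToken": signin_token, "Destination": destination})
    return FEDERATION_ENDPOINT + "?" + query

def session_from_url(url):
    # Helper for checking what was encoded: decodes the Session parameter back into a dict.
    return json.loads(parse_qs(urlparse(url).query)["Session"][0])

# Constructed placeholder values standing in for the credentials returned on slide 34.
TEMP_CREDENTIALS = {"AccessKeyId": "TEMP-ACCESS-KEY-ID",
                    "SecretAccessKey": "TEMP-SECRET-KEY",
                    "SessionToken": "TEMP-SESSION-TOKEN"}

if __name__ == "__main__":
    url = signin_token_url(TEMP_CREDENTIALS["AccessKeyId"], TEMP_CREDENTIALS["SecretAccessKey"],
                           TEMP_CREDENTIALS["SessionToken"])
    print(url)
    # An HTTP GET of `url` returns the token; the login URL is then built from it.
    print(console_login_url(signin_token_from_response('{"SigninToken":"<Token>"}')))
```

Note that the Session parameter carries the temporary secret key and session token, so the getSigninToken request is made server-side by the issuing service, and only the resulting login URL is handed to the user's browser.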
37. How Identity Federation Works
(Figure: the Temporary Credential Issuing Service inside the company/organization encrypts the token before handing it to the client)
39. Consolidated Billing
AWS bills for multiple accounts can be consolidated
Single payment for multiple accounts
(Figure: one Billing Account with several Sub Accounts; all AWS fees are charged to the Billing Account)
40. Benefits
Centralized Billing Management
Possible to check each account’s usage breakdown, e.g.
Each section
Each project
The amount of traffic and stored data used by all accounts is aggregated
Volume discount is applied to the aggregated amount
Reserved Instance (RI) is flexibly applied
E.g. If an RI purchased by an account is not used, the discount is automatically applied to another account
41. Process to Apply
(Figure: the application flow)
1. Decide the billing account
2. Create sub-accounts (and/or use existing accounts)
3. Notify sub accounts from the billing account (send Email from the dedicated web page)
4. Approve at sub-accounts by checking Emails
5. Consolidation established
50. Closing Remarks
IAM enables detailed access policy control for AWS operations
Improved security by creating different users and giving them different policies
Identity Federation with authentication systems in a company or organization
Consolidated Billing enables
Centralized Billing Management
Checking the breakdown for different accounts
More chances for volume discount