1. AWS Meister Series Reloaded
～IAM & Consolidated Billing～
Jan. 30th 2012
Akio Katayama（ @c9katayama ）
Solutions Architect in Japan SA Team
- Translated by Kenta Yasukawa -

2. Web Seminar
AWS Meister Series Reloaded
 Up-to-date materials from the Meister Series in Japanese
 New contents and New speakers!
 New services will be introduced!
Join at (Japanese) :
http://aws.amazon.com/jp/event_schedule/

3. Agenda
IAM Overview
IAM Operations & Configuration
Identity Federation
Consolidated Billing Overview
How to use Consolidated Billing
Closing Remarks
Copyright © 2011 Amazon Web Services

4. IAM Overview

5. ＩＡＭ（AWS Identity and Access
Management)
For AWS User Authentication and Access Policy
Management
 Creating users and groups for different AWS operations
 Applying access policies such as “allowing to launch EC2
instances” and “allowing to write to an S3 bucket”
User/Group management
 Each user is authenticated and applied a different access
policy
 Each group may have a different access policy
 Each group may have multiple users
• Users in a group inherit the access policy of the group
Developers O&M

6. ＩＡＭ（AWS Identity and Access
Management)
Various authentication token issued for each user
 Access key and Secret key
 For authentication upon use of SDKs
 Security Certificate (X.509)
 For authentication upon operations such as AMI-tools
 Login password for AWS management console
 Multi-Factor Authentication (MFA) device
 For providing additional level of security for
management console
Developers AWS O&M

7. How IAM Works Authorizes every request from API
and Management Console
All Administrator group
operations
granted
All S3
Developer group
operations
granted
S3 Read-
only access O&M group
granted

8. Use Cases
Improving Security
 IAM User can be easily invalidated
Backup-only User
 Taking Snapshots with a user with only EBS snapshot
permission granted
 Wrong operations cannot stop EC2 instances
Assigning different S3 buckets to users
 Partitioned access for S3 for an account
Business Management User
 Creating IAM User(s) who can only access billing
information

9. IAM Operations and
Configuration

10. Operations and Configuration
Two Ways for Managing Users and Groups
 AWS Management Console
 IAM API
”Access Policy Language” for describing policies
 JSON format

11. Management Console
Select “IAM”
User/Group
management

12. Access Policy Language
{
"Statement": [
{
"Effect": "Allow",
"Action": [
" s3:ListBuckets ",
" s3:Get ＊ "
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"aws:SourceIP": [“176.32.92.49/32“]
}
}
}
]
}

13. Access Policy Language
{
"Statement": [
{
"Effect": "Allow",
"Action": [
" s3:ListBuckets ",
" s3:Get ＊ "
],
"Resource": [
"*" Access is granted or rejected
], according to the statement
"Condition": {
"StringEquals": {
"aws:SourceIP": [“176.32.92.49/32“]
}
}
}
]
}

14. Access Policy Configuration
{
“Allow” for granting access
"Effect": "Allow",
“Deny” for rejecting
"Action": [
" s3:ListBuckets ", Specifies target operations
" s3:Get ＊ " * Wildcard is allowed
],
"Resource": [ Specifies target resources with
"*" Amazon Resource Name (ARN)
], * Wildcard is allowed
"Condition": {
"StringEquals": {
"aws:SourceIP": Specifies condition to enable this
[“176.32.92.49/32“] policy
}
}
} This example means
“If the request is from 176.32.92.49, S3 ListBuckets
and Get related oprations would be allowed”

15. Action & Resource
“Action” specifies right for operations, e.g.
 RunInstances
 AttachVolume
 CreateBucket
 DeleteObject
“Resource” specifies right for targets of operations,
e.g.
 EC2 Instances
 EBS Volumes
 S3 Buckets
 S3 Objects

16. Support for Action/Resource
AWS Services Action Resource
IAM
Amazon CloudFront
Amazon CloudWatch EC2 does not support
Amazon EC2 Resource and thus
Amazon ElastiCache controlling access to
Amazon Elastic MapReduce each EC2 instance
Amazon RDS
and/or EBS volume is
Amazon Route 53
not supported
Amazon S3
Amazon SES
Amazon SimpleDB
Amazon SNS
Amazon SQS
Amazon VPC
Auto Scaling
AWS CloudFormation
AWS Elastic Beanstalk
Elastic Load Balancing
DynamoDB

17. Available Condition Statements
Text String
 StringEquals,StringNotEquals, StringEqualsIgnoreCase
 StringNotEqualsIgnoreCase,StringLike,StringNotLike
Number
Date
Boolean
IP Address
 IpAddress
 NotIpAddress

18. Condition Statement
"Condition" : {
"DateGreaterThan" : {
"aws:CurrentTime" : "2009-04-16T12:00:00Z"
AND
},
"DateLessThan": {
"aws:CurrentTime" : "2009-04-16T15:00:00Z"
},
AND "IpAddress" : {
"aws:SourceIp" : ["192.168.176.0/24","192.168.143.0/24"]
}
} OR

19. Policy Configuration on Management Console
Choosing from
templates
Creating with Policy
Generator
Manual editing for
policies

20. Policy Generator

21. Logic for Granting or Rejecting Access
Multiple Conditions are Allowed for a Policy
 Each user or group may have different conditions
 Contradicting conditions may be configured
All access is denied by default (Default to Deny)
 Access is granted only if an “Allow” condition matches
 If a “Deny” condition matches, access is denied
(Explicit Denial)
 Default to Deny < Allow < Explicit Denial
Group’s Statement Group’s Statement
Deny
Allow Allow
(Explicit Denial
User’s Statement User’s Statement
No matching
(Default to Deny)
Allow
Decides to Allow Decides to Deny

22. User based and Resource based
Besides Users and Groups, Policies can be Assigned to
Resources
E.g. S3 Buckets and SQS queues can be applied
policies
 Configuring a bucket to be only accessible from a certain
IP address(es)
User based
Resource based

23. Cross-Account Access
Granting Access from an AWS account to Another
1. Configure the following policy to Account A’s bucket
{
"Statement" : {
"Effect":"Allow",
"Principal" : {
"AWS":“<AWS Account B’s account number>"
},
"Action":"s3:*",
"Resource":"arn:aws:s3:::mybucket/*"
}
}
2. Create User1 in Account B and grant access to
“mybucket”
 User1 will be granted to access mybucket
3. Unless explicitly allowed, User2 cannot access mybucket

24. Use of Management Console with IAM User
Use Dedicated URL for IAM users that belong to an
AWS account
Friendly name can be configured with “Account Alias”
 First come, First served –basis as same as S3 buckets
Created Account Alias
Dedicated URL

25. Limitations
Each AWS Account can have
 Up to 100 Groups
 Up to 5000 Users
 1 User can belong up to 10 groups
 Contact AWS support team to increase the limits

26. Identity Federation

27. Identity Federation
Feature to link the authentication system in a
company/organization and AWS authentication
E.g. Granting access to S3 for users authenticated
with LDAP
Users authenticated with the federated authentication
(Federated Users) are issued Temporary Security
Credentials for AWS

28. Temporary Security Credentials
Temporal authentication information for AWS
 A set of Time-limited Authentication Token
Each Federated User gets:
 Access Key
 Secret Key
 Session Token
Expiration Timer for issued credential is configurable
 12 hours by default
 From Minimum 1 hour to Maximum 36 hours
 No way to extend or shorten the timer once issued
8

29. Metaphor with Hotel…
AWS Account’s IAM User Temporary Security
Access Key ID Credentials

30. IAM Permission Hierarchy
Permissions Example
All operations Action: *
Effect: Allow
possible Resource: *
AWS Account
(implicit)
Permissions granted Action: [‘s3:*’,
‘sts:Get*’]
for User/Group Effect: Allow
IAM User
Resource: *
Determined when the Action: [ ‘s3:Get*’ ]
Temporary Effect: Allow
credential is issued Resource:
Security
Credentials ‘arn:aws:s3:::mybucket/*’

31. Use Cases
Mobile Applications
 Issuing Temporary Security Credential for each
authenticated mobile application user
 The user can upload files directly to S3
 Secure because the credential has expiration date
Temporal Access Permissions
 Creating applications which can upload files to S3 for a
limited period
 Applications which can launch EC2 instances for a limited
period
Different Access Policies for users in an organization
 Creating S3 bucket for each user
 Giving different rights to different groups

32. How Identity Federation Works
Use in Web Applications
Company/Organization
Temporary Credential
Issuing Service

33. How Identity Federation Works
Use in Mobile and Client Applications
Company/Organization
Temporary Credential
Issuing Service

34. How to Use Identity Federation Federation Token
Get
from application by
final String userId = request.getParameter("userId");
final String password = request.getParameter("password");
using API
// Performs certain authentication in organization specific way
executeLDAPAuthentication(userId,password);
AWSCredentials credentials = new BasicAWSCredentials(IAM User ID, Password);
// SecurityToken Client
AWSSecurityTokenService securityTokenService =
new AWSSecurityTokenServiceClient(masterCredentials);
GetFederationTokenRequest req = new GetFederationTokenRequest();
req.setName(userId);
// Setting S3 Read only policy
req.setPolicy(“{”Statement“: [{”Effect“: ”Allow“,”Action“:
["s3:Get*","s3:List*"],"Resource":
"*"}]}");
// Getting Temporary Security Credentials
GetFederationTokenResult result = securityTokenService.getFederationToken(req);
Credentials cs = result.getCredentials();
String tempAccessId = cs.getAccessKeyId();
String tempSecretkey = cs.getSecretAccessKey();
String sessionToken = cs.getSessionToken();
16

35. Limitations
Support for Temporary Users (As of Jan. 2012）
CloudFront S3
CloudWatch SimpleDB
DynamoDB(API Only) SQS
EC2 SNS
ElastiCache ELB
RDS Route53

36. Logon to Management Console
Dedicated URL for Temporary Users
 https://signin.aws.amazon.com/federation
Steps for Logon
 Access to:
• /federation?Action=getSigninToken&SessionType=js
on&Session={“sessionId”:””, ”sessionKey”:””,
“sessionToken”:””}
 Token for logon is returned in response to the above
request
 Redirected to:
• /federation?Action=login&SigninToken=<Token>&De
stination=<Management Console URL>

37. How Identity Federation Works
Company/Organization
Temporary Credential
Issuing Service
Encrypts Token

38. Consolidated Billing

39. Consolidated Billing
AWS bills for multiple accounts can be consolidated
Single payment for multiple accounts
All AWS fees are
Billing Account charged to this
account
Sub Account
Sub Account

40. Benefits
Centralized Billing Management
Possible to check each account’s usage breakdown,
e.g.
 Each section
 Each project
Amount for Traffic and Stored Data used by all
accounts is aggregated
 Volume discount is applied for the aggregated amount
Reserved Instance (RI) is flexibly applied
 E.g. If a RI purchased by an account is not used, the
discount would be automatically applied to another
account

41. Process to Apply
Decide the billing
account
Approve at sub-accounts
by checking Emails
Create sub-accounts
(And/or use existing
accounts)
Notify sub accounts
from the billing account Consolidation
(Send Email from the Established
dedicated web page)

42. Process to Apply
Logon with the billing account and choose “Consolidated
Billing”

43. Process to Apply
Send a request to each sub account

44. Process to Apply
Send a request to each sub account
Email address of the
sub account

45. Process to Apply
Sub account receives an Email from AWS

46. Process to Apply
Approve the request at Sub account

47. Process to Apply
Consolidated Billing Established

48. After Consolidation
Billing account gets additional field for sub accounts

49. Closing Remarks

50. Closing Remarks
IAM enables detailed access policy control for AWS
operations
Improved Security by creating different users and
giving different policies
Identity Federation with authentication systems in a
company or organization
Consolidated Billing enables
 Centralized Billing Management
 Checking breakdown for different accounts
 More chances for volume discount

51. Q&A
Copyright © 2011 Amazon Web Services

52. Thank You For Joining
Copyright © 2011 Amazon Web Services