AWS identity services: Enabling and securing your cloud journey - SEC203 - Chicago AWS Summit

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS identity services: Enabling and
securing your cloud journey
Quint Van Deman
Business Development Manager, AWS Identity
Amazon Web Services
S E C 2 0 3

Calibration

Disambiguation
Identity
Securely manage the identities,
resources, and permissions for your
cloud workloads
Our scope for today
AWS Identity and Access
Management (IAM)
(the service)
Authenticates and authorizes
AWS APIs
Includes
(the subject)

Identity – our definition for today
Identity
management
Access
management
Resource
management

Our metaphor
AWS
Infrastructure
Application
Builders
Operators
Users
AWS
CLI

Our backdrop: “typical” journey to AWS
TIME
VALUE

What we hear from customers
Enable the business to innovate
Agility to move fast
Give developers freedom
Prevent dangerous actions
Accountable for security posture
Cost-effective solutions
Goal: Enable you to build foundation quickly while maintaining your
desired security and governance posture
Business needs Security requirements

Likely first questions
• How many AWS accounts do I need?
• How do I govern my AWS accounts?
• How do I provide access into those accounts?
• What permissions do my users have in those accounts?
• How do I keep all of my AWS resources organized and segmented?

AWS identity services
Application
Infrastructure
AWS platform
AWS Organizations

Introducing AWS Organizations
Govern access to AWS
services, resources, and
Regions
Central governance and management for multiple
AWS accounts
Configure AWS services
across multiple AWS
accounts
Automate AWS
account creation
and management
Consolidate billing across
multiple AWS accounts

Primer: AWS accounts
What really is an AWS account?
• A container for AWS resources
• A clear isolation boundary for:
• Administration
• Network access
• Permissions/resource sharing
You can have any number of AWS accounts you wish (within limits).
One account designated as the master account, others are member accounts.

Manage global resources at scale
Customer-defined
keyand a value on
AWS assets
Centralized servicefor
managing multiple
accounts
Asecurity and
management
boundary within an
organization

What AWS accounts do I need?
AWS opinionated views, solutions, and services

What AWS accounts do I
need?
Common options:
• Per environment (dev, test, prod)
• Per business unit per environment
• Per app per environment
• Per app per region per environment
Seek a reasonable balance:
• Isolation vs. maturity
• Evolve over time
Refining your own opinion

AWS Organizations: Governing AWS accounts
AWS Organizations
Service control
policies
Service control
policies
us-east-1
us-west-2
ap-south-1
AWS account

AWS Organizations: Managing AWS accounts
AWS Artifact AWS CloudTrail Amazon CloudWatch AWS Config AWS Directory Service
AWS Firewall Manager AWS License Manager AWS Resource
Access Manager
AWS Service Catalog AWS SSO
AWS Services natively integrated with AWS Organizations
More coming!

Next: Account access

Application
Infrastructure
AWS platform
AWS Organizations AWS SSO

Introducing AWS SSO
Centrally manage single sign-on access to multiple AWS
accounts and business applications for your workforce
Centrally manage
access to multiple
AWS accounts
Easy to enable
and use
Use your choice of
existing or cloud-
native identities
Provide AWS SSO
access to business
applications

AWS SSO: Your choice of identity store
AWS CloudCorporate data center
Active
directory AWS Directory Service AWS SSO
Users &
groups
Option 1: Use corporate identities by connecting to
and existing directory
AWS Cloud
AWS SSO
Users &
groups
Option 2: Create users in AWS SSO

AWS SSO: Define permission sets
Master account
Member acct 1 Member acct N
Uses AWS Organizations to retrieve your list and
structure of accounts
Define permissions using standard syntax and
tools
Definitions and policies automatically deployed
and maintained in member accounts

AWS SSO: Assign permission sets
Master account
Select users or
groups
Select desired
permission set
Grant access to one AWS
account, an OU, or the
entire organization

AWS SSO: User experience
End user authenticates
Permission sets they’ve
been granted
Options for console or
CLI/API access
Access other business
applications

What permissions do I give my users?
Least privilege is a journey,
not a starting point.

Application
Infrastructure
AWS platform
AWS Organizations IAMAWS SSO

Introducing IAM
Securely manage access to AWS services and resources
Authenticate and
Authorize AWS APIs
Specify policy-based
permissions
Provide fine-grain
access controls for
AWS actions and
resources
Provide short-term
credentials for
humans, machines,
and applications

IAM policy basics
PARC model:
• Principal – Who
• Action – Can access
• Resource – What
• Condition – Under what cond.
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Department": "Development“
}
}
} ]
}
P

Attribute-based access control (ABAC)
“If the tag on the principal matches the tag on the
resource, allow, otherwise deny.”
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Department": "Development“
}
}
} ]
}
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Department": “${aws:PrincipalTag/Department}“
}
}
} ]
}

Short-term credential basics
Macro pattern 1:
Trust-based exchange
Macro pattern 2:
AWS-delivered credentials
Source credential
Time-bound
credentials returned
Assuming a role through
preestablished trust
AWS compute service
Provide identity by passing a
role
Time-bound credentials
delivered and rotated

Further exploration
Understanding IAM primitives: Understanding IAM policy:
AWS re:Invent 2018: A Practitioner’s
Guide to Securing Your Cloud (Like an
Expert) (SEC203-R1)
AWS re:Invent 2018: Become an
IAM Policy Master in 60 Minutes
or Less (SEC316-R1)

AWS account
AWS account
SAML federation into IAM
AWS account
SAML federation for the AWS
Management Console, APIs, and CLI
Self-paced
workshop materials
Achieve the same core result as AWS SSO, more “assembly level”

It doesn’t depend
So you want to manage access for a whole
bunch of users into a whole bunch of roles
in a whole bunch of AWS accounts?
Based on features available as of May 2019; will
change based on future launches

Cloud builders: ready to get building!
AWS account
VPC
Amazon RDS
Amazon EC2
Application
“Control plane” – AWS APIs
(creating, terminating, etc.)
Builder
Operator
DBA
“Data plane” – VPC connections
(SSH, RDP, database clients, etc.)

• How do I centrally authenticate users connecting to operating systems?
• How do I control which users can connect to which instances?
• How do I manage DBA access into relational database engines?
• How do I manage service accounts (non-interactive users)?

Application
Infrastructure
AWS platform
AWS Organizations Directory ServiceIAMAWS SSO

Introducing: AWS Directory Services
Managed Microsoft Active Directory in the AWS Cloud
Easily migrate your
directory-dependent
workloads by leveraging a
managed service
Provide infrastructure
access management
without syncing identity
data
Use actual Microsoft
Active Directory integrated
with other AWS services and
applications

Establishing Active Directory in AWS
AWS CloudCorporate data
center
Active
Directory AWS Managed AD
Users &
groups
LDAP,
Kerberos,
Referrals
Trust
Option 1: AWS Managed AD with Trust Option 2: AD Connector with Service Principal
center
Active
Directory AD Connector
Users &
groups
LDAP,
Kerberos
Service
Princ
Option 3: Stand alone AWS Managed AD
AWS Cloud
AWS Managed AD
Users &
Groups
Option X: Combinations of the above
Option 4: AD on Amazon EC2 with replication
center
Active
Directory
Self-managed ADUsers &
groups
Replication

Leveraging Active Directory in AWS
center
Active
Users &
groups
LDAP,
Kerberos,
Referrals
Trust
Amazon EC2
(Windows/Linux)
Amazon RDS for SQL Server
Amazon WorkSpaces
Amazon Chime Amazon WorkDocs Amazon WorkMail
Amazon QuickSight Amazon Connect
Amazon FSx
VPC AWS Managed Applications
Windows
application
Operator
access
End-user access
Domain
join
Provisioning

It doesn’t depend
Operator access to
Amazon EC2 op
system
Operator access to
Amazon RDS SQL
server
End-user access to
AWS managed
applications
Amazon FSx End-user access
to apps on
Amazon EC2
Managed AD w/2-way trust
Managed AD w/1-way trust
AD Connector
AWS Managed AD (stand alone)
Self managed AD on EC2
Choosing the right option to extend AD domain services into AWS
Current as of May 2019; always consult documentation for latest information

Further exploration
AWS Managed AD deep dive:
AWS re:Invent 2018: AWS Directory Service
for Microsoft Active Directory Deep Dive
(WIN303-R1)

Identity “for the infrastructure”: Future steps
Traditional Utopia
• Domain joining

• How do I securely connect to AWS APIs from my infrastructure components?
• How do I manage and deploy application credentials for connecting to
relational databases?

Deeper look: IAM roles for AWS compute services
AWS credentials auto
delivered and rotated
AWS credentials auto
discovered and used
Access controlled by policy
attached to role
Your code
Operating
system
Amazon EC2
instance
AWS resources
Also works with AWS Lambda & Amazon ECS
Permissions
Role
Temporary
security credential
AWS SDKs
Amazon DynamoDB
Amazon Kinesis
Amazon S3

AWS Secrets Manager
Your code
Operating
system
Amazon EC2
instance
AWS resources
Permissions
Role
Temporary
security credential
AWS SDKs
Amazon DynamoDB Amazon Kinesis
AWS Secrets Manager
VPC
Amazon RDS
DBA
AWS CloudFormation
Authorized call to
Secrets Manager DB creds
loaded
DB creds
returned
Connection
established
Safe
rotation
Combo provides a reliable, secure, auto-rotating solution for all credentials

Applications: Ready for end users!
AWS account
VPC
Amazon RDS
Amazon EC2
Application Resource access:
Relational databases
Builder
Operator
DBA
API access:
AWS servicesAmazon S3
AWS Secrets Manager
End user

• How do I add sign-up and sign-in to my applications easily?
• How do I add support for standards like OIDC or SAML?
• How do I control access to business applications for my workforce?

Application
Infrastructure
AWS platform
AWS Organizations Directory ServiceIAM Amazon CognitoAWS SSO

Introducing Amazon Cognito
Simple and secure user sign-up, sign-in, and access control for
web and mobile apps
Offload undifferentiated
identity heavy lifting
Provide advanced
security for your apps
and users
Use standards-based
authentication
Use your choice of
existing or cloud
native identities

Amazon Cognito: Flexible and fully managed application
identity
Extensible AuthN & AuthZ:
AWS
Lambda
Amazon
ALB
Amazon
API Gateway
Built-in UI for applications
SPAWebAndroidiOS
Out-of-the-box support for
open standards
SAML OAuth2 OIDC
Flexible and scalable API & SDK support
AWS SDKs
IonicVue
AngularNode JS React
iOS Android
MFACompromised Password
DB
Secure & available
Adaptive
Auth
99.9% SLA
Google Facebook Amazon
Out-of-the-box support for
social federation
Amazon Cognito

Amazon Cognito
Get AWS credentials
Access AWS services
Authenticate 1
Redirect/ Post
back
Access serverless backend
Federating
IdP
IdP Token
CUP TokenCUP Token
CUP Token
AWS STS
AWS STS
User pool tokens are used to
access backend resources
Identity pools provide AWS
credentials to access AWS
services
User pools authenticate users
and returns standard tokens
2
3
4
56
Amazon Cognito
Amazon API Gateway AWS Lambda
Amazon Cognito
Amazon DynamoDB Amazon S3

Further exploration
Serverless authentication and
authorization session
Serverless authentication and
authorization workshop

Revisiting where we got ahead of ourselves, part 1
AWS CloudCorporate data center
Active
Users &
groups
LDAP,
Kerberos,
Referrals
Trust
VPC
Custom SAML-
enabled
application
End-user access
AWS SSO
Custom SAML-
enabled
application
Internet
SaaS
application
AWS SSO
user portal
AWS SSO: end-user access to business applications

Revisiting where we got ahead of ourselves, part 2
center
Active
Users &
groups
LDAP,
Kerberos,
Referrals
Trust
Amazon EC2
(Windows/Linux)
Amazon WorkSpaces
Amazon Chime Amazon WorkDocs Amazon WorkMail
Amazon QuickSight Amazon Connect
VPC AWS managed applications
Windows
application
End-user access
Directory Services: end-user access to windows applications and AWS-
managed applications

Application
Infrastructure
AWS platform
AWS Organizations Directory ServiceIAM Amazon CognitoAWS SSO
Identity and
access
management
for your apps
& APIs
Actual Microsoft
Active Directory
as a managed
service on the
AWS Cloud
Fine-grained
access
management
for AWS
resources
Manage single
sign-on (SSO)
access to
multiple AWS
accounts and
business
applications
Central
governance and
management
for multiple
AWS accounts

Thank you!
Quint Van Deman
@AWSIdentity on Twitter
Find me on LinkedIn

AWS identity services: Enabling and securing your cloud journey - SEC203 - Chicago AWS Summit

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à AWS identity services: Enabling and securing your cloud journey - SEC203 - Chicago AWS Summit

Similaire à AWS identity services: Enabling and securing your cloud journey - SEC203 - Chicago AWS Summit (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

AWS identity services: Enabling and securing your cloud journey - SEC203 - Chicago AWS Summit