AWS identity services: Enabling and securing your cloud journey - SEC203 - Chicago AWS Summit
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS identity services: Enabling and
securing your cloud journey
Quint Van Deman
Business Development Manager, AWS Identity
Amazon Web Services
SEC203
Calibration
Disambiguation
Identity (the subject): securely manage the identities, resources, and permissions for your cloud workloads. This is our scope for today.
It includes AWS Identity and Access Management (IAM) (the service), which authenticates and authorizes AWS API calls.
Identity – our definition for today
• Identity management
• Access management
• Resource management
Our metaphor (diagram): layers AWS / Infrastructure / Application; personas Builders / Operators / Users; the AWS CLI
Our backdrop: “typical” journey to AWS (chart of VALUE against TIME)
What we hear from customers
Business needs:
• Enable the business to innovate
• Agility to move fast
• Give developers freedom
Security requirements:
• Prevent dangerous actions
• Accountable for security posture
• Cost-effective solutions
Goal: Enable you to build your foundation quickly while maintaining your desired security and governance posture
Likely first questions
• How many AWS accounts do I need?
• How do I govern my AWS accounts?
• How do I provide access into those accounts?
• What permissions do my users have in those accounts?
• How do I keep all of my AWS resources organized and segmented?
AWS identity services (layered diagram: Application / Infrastructure / AWS platform)
AWS platform layer: AWS Organizations
Introducing AWS Organizations
Central governance and management for multiple AWS accounts
• Govern access to AWS services, resources, and Regions
• Configure AWS services across multiple AWS accounts
• Automate AWS account creation and management
• Consolidate billing across multiple AWS accounts
Primer: AWS accounts
What really is an AWS account?
• A container for AWS resources
• A clear isolation boundary for:
• Administration
• Network access
• Permissions/resource sharing
You can have any number of AWS accounts you wish (within limits).
One account is designated as the master account (since renamed the management account); the others are member accounts.
Manage global resources at scale (three building blocks; the icons did not survive extraction):
• A customer-defined key and a value on AWS assets (tags)
• A centralized service for managing multiple accounts (AWS Organizations)
• A security and management boundary within an organization
What AWS accounts do I need?
AWS opinionated views, solutions, and services
What AWS accounts do I need? Refining your own opinion
Common options:
• Per environment (dev, test, prod)
• Per business unit per environment
• Per app per environment
• Per app per region per environment
Seek a reasonable balance:
• Isolation vs. maturity
• Evolve over time
AWS Organizations: Governing AWS accounts (diagram: service control policies attached in AWS Organizations apply to each AWS account; the Regions shown are us-east-1, us-west-2, and ap-south-1)
AWS Organizations: Managing AWS accounts
AWS services natively integrated with AWS Organizations: AWS Artifact, AWS CloudTrail, Amazon CloudWatch, AWS Config, AWS Directory Service, AWS Firewall Manager, AWS License Manager, AWS Resource Access Manager, AWS Service Catalog, AWS SSO. More coming!
Next: Account access
AWS identity services (layered diagram: Application / Infrastructure / AWS platform)
AWS platform layer: AWS Organizations, AWS SSO
Introducing AWS SSO (the service has since been renamed AWS IAM Identity Center)
Centrally manage single sign-on access to multiple AWS accounts and business applications for your workforce
• Centrally manage access to multiple AWS accounts
• Easy to enable and use
• Use your choice of existing or cloud-native identities
• Provide AWS SSO access to business applications
AWS SSO: Your choice of identity store
Option 1: Use corporate identities by connecting to an existing directory (diagram: Active Directory in the corporate data center, connected through AWS Directory Service to AWS SSO in the AWS Cloud; users & groups stay in the corporate directory)
Option 2: Create users in AWS SSO (diagram: users & groups held in AWS SSO in the AWS Cloud)
AWS SSO: Define permission sets (diagram: the master account and member accounts 1 to N)
• Uses AWS Organizations to retrieve your list and structure of accounts
• Define permissions using standard syntax and tools
• Definitions and policies automatically deployed and maintained in member accounts
AWS SSO: Assign permission sets (in the master account)
• Select users or groups
• Select the desired permission set
• Grant access to one AWS account, an OU, or the entire organization
AWS SSO: User experience
• End user authenticates
• Sees the permission sets they’ve been granted
• Options for console or CLI/API access
• Access other business applications
What permissions do I give my users?
Least privilege is a journey,
not a starting point.
AWS identity services (layered diagram: Application / Infrastructure / AWS platform)
AWS platform layer: AWS Organizations, AWS SSO, IAM
Introducing IAM
Securely manage access to AWS services and resources
• Authenticate and authorize AWS APIs
• Specify policy-based permissions
• Provide fine-grained access controls for AWS actions and resources
• Provide short-term credentials for humans, machines, and applications
IAM policy basics
PARC model:
• Principal – who
• Action – can access
• Resource – what
• Condition – under what conditions

The example policy on the slide (the Principal is implied: in an identity-based policy it is the user or role the policy is attached to):

    {
      "Version": "2012-10-17",
      "Statement": [ {
        "Effect": "Allow",
        "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {
          "StringEquals": {
            "ec2:ResourceTag/Department": "Development"
          }
        }
      } ]
    }

Caveat before lifting this into your own account: ec2:AttachVolume and ec2:DetachVolume are authorized against both the instance and the volume, so a statement whose Resource names only instance/* is not sufficient by itself; the volume ARNs (arn:aws:ec2:*:*:volume/*) must be allowed too, typically in a second statement carrying the same tag condition.
Attribute-based access control (ABAC)
“If the tag on the principal matches the tag on the resource, allow, otherwise deny.”

Before: the tag value is a literal, so every Department needs its own copy of the policy:

    {
      "Version": "2012-10-17",
      "Statement": [ {
        "Effect": "Allow",
        "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {
          "StringEquals": {
            "ec2:ResourceTag/Department": "Development"
          }
        }
      } ]
    }

After: the value is the policy variable ${aws:PrincipalTag/Department}, so one policy serves every Department and a principal can only touch instances tagged like itself:

    {
      "Version": "2012-10-17",
      "Statement": [ {
        "Effect": "Allow",
        "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {
          "StringEquals": {
            "ec2:ResourceTag/Department": "${aws:PrincipalTag/Department}"
          }
        }
      } ]
    }
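The two policy kinds on these slides, the Region-limiting service control policy of slide 17 and the identity policies of slides 29 and 30, interact in a fixed order: an explicit deny anywhere wins, the SCPs of the account must allow, and only then does the identity policy's Allow count. The following is an added example, not the IAM policy engine or any AWS code: a toy evaluator that models just the features these slides use (Action/NotAction, Resource wildcards, StringEquals/StringNotEquals, and ${aws:PrincipalTag/...} variables). The SCP, the request contexts, and the account and resource IDs are constructed for the example; the ABAC policy is the slide's own.

```python
"""Toy evaluator for the policies on slides 17, 29 and 30.  Added example, not
the IAM policy engine: it models Action/NotAction, Resource wildcards,
StringEquals/StringNotEquals and policy variables, and nothing else."""
import fnmatch
import re

POLICY_VAR = re.compile(r"\$\{([A-Za-z0-9:/_-]+)\}")

# Constructed SCP in the shape AWS documents for Region restriction: the default
# FullAWSAccess allow plus a deny outside the three Regions on slide 17, with
# global (Region-less) services exempted so the deny does not break them.
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {
                "aws:RequestedRegion": ["us-east-1", "us-west-2", "ap-south-1"]}},
        },
    ],
}

# The ABAC policy from slide 30 (right-hand side), verbatim.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {
            "ec2:ResourceTag/Department": "${aws:PrincipalTag/Department}"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match; action names compare case-insensitively, ARNs do not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            # Resolve ${aws:PrincipalTag/X} from the request context.  A variable
            # with no value means the statement cannot match (as in IAM).
            resolved = [POLICY_VAR.sub(lambda m: ctx.get(m.group(1), "\0"), w)
                        for w in _as_list(wanted)]
            if any("\0" in r for r in resolved):
                return False
            if operator == "StringEquals":
                if actual is None or actual not in resolved:
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a missing key makes the condition true.
                if actual is not None and actual in resolved:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def _statement_applies(stmt, action, resource, ctx):
    if "Action" in stmt and not _matches(stmt["Action"], action, fold_case=True):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action, fold_case=True):
        return False
    if not _matches(stmt["Resource"], resource):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policy, action, resource, ctx):
    """Decision of one policy document: 'Deny', 'Allow' or 'Implicit' (no match)."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # an explicit deny is final
        decision = "Allow"
    return decision


def is_allowed(scps, identity_policy, action, resource, ctx):
    """The order AWS uses: every SCP must come out Allow (no explicit deny and
    some matching allow), then the identity policy must allow."""
    if any(evaluate(scp, action, resource, ctx) != "Allow" for scp in scps):
        return False
    return evaluate(identity_policy, action, resource, ctx) == "Allow"


def request_context(principal_dept, resource_dept, region):
    """Constructed request context: the caller's tag, the target's tag, the Region."""
    return {
        "aws:PrincipalTag/Department": principal_dept,
        "ec2:ResourceTag/Department": resource_dept,
        "aws:RequestedRegion": region,
    }
```

Two things the evaluator makes visible that the JSON alone does not: a call from eu-west-1 is refused by the SCP before the identity policy is even consulted, and a request that names a volume ARN comes back Implicit from the slide's policy, which is the AttachVolume caveat from the previous slide showing up in practice.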
Short-term credential basics
Macro pattern 1: Trust-based exchange. A source credential is presented to assume a role through a pre-established trust, and time-bound credentials are returned.
Macro pattern 2: AWS-delivered credentials. An AWS compute service is given its identity by passing it a role; time-bound credentials are delivered to it and rotated.
Further exploration
Understanding IAM primitives: AWS re:Invent 2018: A Practitioner’s Guide to Securing Your Cloud (Like an Expert) (SEC203-R1)
Understanding IAM policy: AWS re:Invent 2018: Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1)
SAML federation into IAM (diagram: one identity provider federating into several AWS accounts)
SAML federation for the AWS Management Console, APIs, and CLI
Self-paced workshop materials
Achieves the same core result as AWS SSO, at a more “assembly level”
It doesn’t depend
So you want to manage access for a whole bunch of users into a whole bunch of roles in a whole bunch of AWS accounts? (decision flow; only its title survived extraction)
Based on features available as of May 2019; will change based on future launches
Cloud builders: ready to get building! (diagram: an AWS account containing a VPC with Amazon EC2 and Amazon RDS behind an application)
“Control plane” – AWS APIs (creating, terminating, etc.): the Builder’s path
“Data plane” – VPC connections (SSH, RDP, database clients, etc.): the Operator’s and DBA’s path
Likely first questions
• How do I centrally authenticate users connecting to operating systems?
• How do I control which users can connect to which instances?
• How do I manage DBA access into relational database engines?
• How do I manage service accounts (non-interactive users)?
AWS identity services (layered diagram: Application / Infrastructure / AWS platform)
AWS platform layer: AWS Organizations, AWS SSO, IAM
Infrastructure layer: Directory Service
Introducing: AWS Directory Service
Managed Microsoft Active Directory in the AWS Cloud
• Easily migrate your directory-dependent workloads by leveraging a managed service
• Provide infrastructure access management without syncing identity data
• Use actual Microsoft Active Directory integrated with other AWS services and applications
Establishing Active Directory in AWS
Option 1: AWS Managed AD with trust. Corporate Active Directory (users & groups) stays in the data center; AWS Managed AD runs in the AWS Cloud; a trust links them, with LDAP, Kerberos, and referrals crossing it.
Option 2: AD Connector with service principal. Corporate Active Directory remains the only directory; AD Connector in the AWS Cloud proxies LDAP and Kerberos to it using a service principal, storing no identity data in AWS.
Option 3: Stand-alone AWS Managed AD. Users & groups live in AWS Managed AD in the AWS Cloud.
Option 4: AD on Amazon EC2 with replication. Self-managed AD on EC2 in the AWS Cloud replicates with corporate Active Directory in the data center.
Option X: Combinations of the above.
Leveraging Active Directory in AWS (diagram: corporate Active Directory with users & groups, trust to AWS Managed AD in the AWS Cloud over LDAP, Kerberos, and referrals)
• Domain join: Amazon EC2 (Windows/Linux), Amazon RDS for SQL Server, and Amazon FSx in your VPC
• Operator access: to the domain-joined resources in the VPC
• End-user access: to Windows applications on EC2 and to AWS managed applications
• Provisioning: AWS managed applications such as Amazon WorkSpaces, Amazon Chime, Amazon WorkDocs, Amazon WorkMail, Amazon QuickSight, and Amazon Connect
It doesn’t depend: choosing the right option to extend AD domain services into AWS
Use cases (columns): operator access to the Amazon EC2 operating system; operator access to Amazon RDS SQL Server; end-user access to AWS managed applications; Amazon FSx; end-user access to apps on Amazon EC2
Options (rows): Managed AD with 2-way trust; Managed AD with 1-way trust; AD Connector; AWS Managed AD (stand alone); self-managed AD on EC2
(the per-cell recommendations did not survive extraction)
Current as of May 2019; always consult documentation for latest information
Further exploration
AWS Managed AD deep dive: AWS re:Invent 2018: AWS Directory Service for Microsoft Active Directory Deep Dive (WIN303-R1)
Identity “for the infrastructure”: Future steps (table comparing Traditional with Utopia; only the first row, “Domain joining”, survived extraction)
Likely first questions
• How do I securely connect to AWS APIs from my infrastructure components?
• How do I manage and deploy application credentials for connecting to
relational databases?
Deeper look: IAM roles for AWS compute services
• A role with permissions attached is passed to the Amazon EC2 instance
• AWS credentials (a temporary security credential) are automatically delivered to the instance and rotated
• The AWS SDKs in your code, running on the instance operating system, automatically discover and use them
• Access to AWS resources (Amazon DynamoDB, Amazon Kinesis, Amazon S3) is controlled by the policy attached to the role
Also works with AWS Lambda & Amazon ECS
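Macro pattern 2 from the short-term credential slide, as it actually works on EC2: the instance metadata service hands your code the role's temporary credentials and a new set appears before the old one expires. The following is an added example, not AWS SDK code: a minimal IMDSv2 client (session token via PUT first, then the credential document) that refreshes the cached credential shortly before its Expiration. FakeImds is a constructed stand-in for 169.254.169.254 so the code runs offline; like an instance configured for IMDSv2 only, it refuses token-less requests, which is what blocks credential theft through an SSRF hole in a web app. The role name, the key values, and the six-hour lifetime are all constructed.

```python
"""Minimal IMDSv2 credential client plus a constructed stand-in metadata service.
Added example, not AWS SDK code."""
import json
import threading
from datetime import datetime, timedelta, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"


class ImdsClient:
    """Fetches role credentials over IMDSv2 and caches them until near expiry."""
    REFRESH_MARGIN = timedelta(minutes=5)

    def __init__(self, base_url="http://169.254.169.254"):
        self.base = base_url
        self._creds = None
        self.fetch_count = 0   # trips to the service, to make the caching visible

    def _token(self):
        # IMDSv2 step 1: a PUT with a TTL header.  A GET forwarded through an
        # SSRF hole in a web app cannot do this, which is the point of v2.
        req = Request(self.base + "/latest/api/token", method="PUT",
                      headers={TOKEN_TTL_HEADER: "21600"})
        with urlopen(req, timeout=2) as resp:
            return resp.read().decode()

    def _get(self, path, token):
        req = Request(self.base + path, headers={TOKEN_HEADER: token})
        with urlopen(req, timeout=2) as resp:
            return resp.read().decode()

    def credentials(self, now=None):
        """Cached credential, refetched once within REFRESH_MARGIN of Expiration."""
        now = now or datetime.now(timezone.utc)
        if self._creds and self._creds["Expiration"] - now > self.REFRESH_MARGIN:
            return self._creds
        token = self._token()
        role = self._get(CRED_PATH, token).strip().splitlines()[0]
        doc = json.loads(self._get(CRED_PATH + role, token))
        if doc.get("Code") != "Success":
            raise RuntimeError(f"IMDS returned {doc.get('Code')!r}")
        doc["Expiration"] = datetime.strptime(
            doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        self._creds = doc
        self.fetch_count += 1
        return doc


class FakeImds(BaseHTTPRequestHandler):
    """Constructed stand-in for the metadata service, IMDSv2 only."""
    token = "constructed-session-token"
    role = "ExampleInstanceRole"
    rotation = 0   # bump to simulate AWS rotating the credential

    def log_message(self, *args):
        pass

    def do_PUT(self):
        if self.path == "/latest/api/token" and TOKEN_TTL_HEADER in self.headers:
            self._send(200, self.token)
        else:
            self._send(400, "")

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) != self.token:
            self._send(401, "")   # no session token, no data
        elif self.path == CRED_PATH:
            self._send(200, self.role)
        elif self.path == CRED_PATH + self.role:
            expiry = datetime.now(timezone.utc) + timedelta(hours=6)
            self._send(200, json.dumps({
                "Code": "Success", "Type": "AWS-HMAC",
                "AccessKeyId": f"ASIACONSTRUCTED{FakeImds.rotation}",
                "SecretAccessKey": "constructed-secret-key",
                "Token": "constructed-session-token-value",
                "Expiration": expiry.strftime("%Y-%m-%dT%H:%M:%SZ")}))
        else:
            self._send(404, "")

    def _send(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())


def start_fake_imds():
    """Start FakeImds on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def tokenless_request_refused(base_url):
    """True when a plain GET (all an SSRF through a web app can do) gets 401."""
    try:
        urlopen(Request(base_url + CRED_PATH), timeout=2)
    except HTTPError as err:
        return err.code == 401
    return False
```

Usage: start_fake_imds() returns the base URL to hand to ImdsClient; against a real instance you would leave the default of http://169.254.169.254 and enforce IMDSv2 with the instance's metadata options (HttpTokens set to required). The SDKs do this refresh for you; the value of writing it out is seeing that rotation is nothing more than the next GET returning a different key before the old one lapses.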
AWS Secrets Manager (diagram: the EC2 instance role from the previous slide, plus a database credential held in Secrets Manager)
• The database credential is loaded into Secrets Manager (by AWS CloudFormation or the DBA)
• Your code makes an authorized call to Secrets Manager using the role’s temporary security credential
• The database credential is returned
• The connection to Amazon RDS in the VPC is established
• Secrets Manager rotates the credential safely on a schedule
Combo provides a reliable, secure, auto-rotating solution for all credentials
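The part of the flow above that bites in production is the last step: once Secrets Manager rotates the credential, any copy the application cached is stale, and a client that only refreshes on a timer will fail until the timer fires. The following is an added example, not the AWS Secrets Manager caching library or any AWS code: a small connector that caches the secret but refetches it the moment the database rejects the password, which is how a rotation-aware client should behave. SecretsStore and Database are constructed stand-ins for the GetSecretValue API and RDS, and the single-user rotation modelled here (the old password stops working at rotation) is an assumption; the secret name and passwords are constructed.

```python
"""Rotation-aware retrieval of a database credential from a Secrets Manager-style
store.  Added example with constructed stand-ins; not AWS's caching client."""
import json
import time


class SecretsStore:
    """Stand-in for GetSecretValue on a secret of the RDS credential shape."""
    def __init__(self, username, password):
        self.versions = [{"username": username, "password": password}]
        self.calls = 0      # how many times the application called the API

    def get_secret_value(self, secret_id):
        self.calls += 1
        return {"Name": secret_id, "SecretString": json.dumps(self.versions[-1])}

    def rotate(self, new_password):
        # What the rotation function does: set the new password on the database
        # and publish it as the current version of the secret.
        self.versions.append(dict(self.versions[-1], password=new_password))


class AuthError(Exception):
    pass


class Database:
    """Stand-in for RDS: accepts the current password only (single-user rotation)."""
    def __init__(self, store):
        self.store = store

    def connect(self, username, password):
        current = self.store.versions[-1]
        if (username, password) != (current["username"], current["password"]):
            raise AuthError("password authentication failed")
        return {"connected_as": username, "password_version": len(self.store.versions)}


class RotationAwareConnector:
    """Caches the secret for ttl_seconds, but treats an authentication failure
    as a signal that rotation happened and refetches once before giving up."""
    def __init__(self, store, db, secret_id, ttl_seconds=3600):
        self.store, self.db, self.secret_id, self.ttl = store, db, secret_id, ttl_seconds
        self._cached, self._fetched_at = None, 0.0

    def _secret(self, force=False):
        expired = time.monotonic() - self._fetched_at > self.ttl
        if force or self._cached is None or expired:
            raw = self.store.get_secret_value(self.secret_id)["SecretString"]
            self._cached = json.loads(raw)
            self._fetched_at = time.monotonic()
        return self._cached

    def connect(self):
        secret = self._secret()
        try:
            return self.db.connect(secret["username"], secret["password"])
        except AuthError:
            # Stale cache after rotation: refetch once, then retry.  A second
            # AuthError propagates, since the credential itself is then wrong.
            secret = self._secret(force=True)
            return self.db.connect(secret["username"], secret["password"])
```

The cache keeps the number of Secrets Manager calls low (one per TTL rather than one per connection), and the refetch-on-failure makes the rotation window invisible to callers; the alternating-users rotation strategy avoids the window altogether by keeping the previous password valid, but a client written this way works with either.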
Applications: Ready for end users! (diagram: an AWS account with a VPC containing Amazon EC2 and Amazon RDS; the application serves the End user and is built and run by the Builder, Operator, and DBA)
Resource access: relational databases, with credentials from AWS Secrets Manager
API access: AWS services such as Amazon S3
Likely first questions
• How do I add sign-up and sign-in to my applications easily?
• How do I add support for standards like OIDC or SAML?
• How do I control access to business applications for my workforce?
AWS identity services (layered diagram: Application / Infrastructure / AWS platform)
AWS platform layer: AWS Organizations, AWS SSO, IAM
Infrastructure layer: Directory Service
Application layer: Amazon Cognito
Introducing Amazon Cognito
Simple and secure user sign-up, sign-in, and access control for web and mobile apps
• Offload undifferentiated identity heavy lifting
• Provide advanced security for your apps and users
• Use standards-based authentication
• Use your choice of existing or cloud-native identities
Amazon Cognito: Flexible and fully managed application identity
• Extensible AuthN & AuthZ: AWS Lambda, Amazon ALB, Amazon API Gateway
• Built-in UI for applications: iOS, Android, Web, SPA
• Out-of-the-box support for open standards: SAML, OAuth2, OIDC
• Out-of-the-box support for social federation: Google, Facebook, Amazon
• Flexible and scalable API & SDK support: AWS SDKs; iOS, Android, Node JS, React, Angular, Vue, Ionic
• Secure & available: MFA, compromised password DB, adaptive auth, 99.9% SLA
Amazon Cognito: how the pieces fit (diagram, steps numbered as on the slide)
1. Authenticate: the user signs in, directly or via a federating IdP that redirects/posts back an IdP token; the user pool authenticates the user and returns standard tokens (the CUP token)
2. Access the serverless backend: user pool tokens are presented to Amazon API Gateway and AWS Lambda to access backend resources
3. Get AWS credentials: the identity pool exchanges the CUP token with AWS STS and provides AWS credentials
4. Access AWS services with those credentials, e.g. Amazon DynamoDB and Amazon S3
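Step 2 above is where application bugs live: the backend receives a user pool JWT and must decide whether to honour it. Verifying the RS256 signature against the pool's JWKS is necessary but not sufficient; the claims must also say this token was minted by this pool, for this app client, as the kind of token the endpoint expects, and has not expired. The following is an added example, not Amazon Cognito's or the AWS SDK's code: the claim checks an API Gateway authorizer, Lambda, or ALB target should run after signature verification (left to a JWT library here), plus the group check that turns authentication into authorization. The pool ID, client ID, and claim sets are constructed; the issuer URL format, the token_use values, and the aud-versus-client_id distinction between ID and access tokens are Cognito's documented behaviour.

```python
"""Claim validation for Amazon Cognito user pool tokens, to run after the JWT
signature has been verified.  Added example, not Cognito or AWS SDK code."""
import time


def expected_issuer(region, user_pool_id):
    """Issuer a user pool writes into its tokens."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def validate_user_pool_claims(claims, *, region, user_pool_id, app_client_id,
                              token_use, now=None):
    """Return a list of problems; an empty list means the claims are acceptable.
    token_use is 'id' for ID tokens (app client in `aud`) or 'access' for access
    tokens (app client in `client_id`; access tokens carry no `aud`)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer(region, user_pool_id):
        problems.append("iss: token was not issued by the expected user pool")
    if claims.get("token_use") != token_use:
        problems.append(f"token_use: expected {token_use!r}, got {claims.get('token_use')!r}")
    if token_use == "id" and claims.get("aud") != app_client_id:
        problems.append("aud: ID token is for a different app client")
    if token_use == "access" and claims.get("client_id") != app_client_id:
        problems.append("client_id: access token is for a different app client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp: token is expired or carries no expiry")
    return problems


def allowed_for_group(claims, required_group):
    """Authorization after authentication: user pool group membership arrives in
    the cognito:groups claim of the verified token, so decide on that rather
    than on anything the client sends alongside the token."""
    return required_group in claims.get("cognito:groups", [])
```

The test below includes the mistake that most often slips through: an access token presented to an endpoint written for ID tokens passes the signature check (same keys) but fails both the token_use and the aud checks here.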
Further exploration
Serverless authentication and authorization session
Serverless authentication and authorization workshop
Revisiting where we got ahead of ourselves, part 1
AWS SSO: end-user access to business applications (diagram: corporate Active Directory with users & groups, trust to AWS Managed AD over LDAP, Kerberos, and referrals; end users sign in at the AWS SSO user portal and reach custom SAML-enabled applications in a VPC and SaaS applications on the Internet)
Revisiting where we got ahead of ourselves, part 2
Directory Service: end-user access to Windows applications and AWS-managed applications (diagram: corporate Active Directory with users & groups, trust to AWS Managed AD over LDAP, Kerberos, and referrals; end users reach Windows applications on Amazon EC2 (Windows/Linux) in a VPC and AWS managed applications: Amazon WorkSpaces, Amazon Chime, Amazon WorkDocs, Amazon WorkMail, Amazon QuickSight, Amazon Connect)
AWS identity services (layered diagram: Application / Infrastructure / AWS platform)
• Amazon Cognito (Application layer): identity and access management for your apps & APIs
• Directory Service (Infrastructure layer): actual Microsoft Active Directory as a managed service on the AWS Cloud
• IAM (AWS platform layer): fine-grained access management for AWS resources
• AWS SSO (AWS platform layer): manage single sign-on (SSO) access to multiple AWS accounts and business applications
• AWS Organizations (AWS platform layer): central governance and management for multiple AWS accounts
Thank you!
Quint Van Deman
@AWSIdentity on Twitter
Find me on LinkedIn