by Ron Cully, Manager, Product Management, AWS
Every journey to the AWS Cloud is unique. Some customers are migrating existing applications, while others are building new applications using cloud-native services. Along each of these journeys, identity and access management helps customers protect their applications and resources. In this session, you will learn how AWS’ Identity Services provide you a secure, flexible, and easy solution for managing identities and access on the AWS Cloud. With AWS’ Identity Services, you do not have to adapt to AWS. Instead, you have a choice of services designed to meet you anywhere along your journey to the AWS Cloud.
How You Can Use AWS Identity Services to Be Successful on Your AWS Cloud Journey
1. Pop-up Loft: Overview of AWS Identity, Directory, and Access Services
Ron Cully, Manager, Directory Service Product Management, Amazon Web Services
2. Every AWS Cloud journey is unique.
Migrating or extending existing infrastructure and applications.
Building customer-facing cloud-native applications.
Going all-in on cloud solutions across the organization.
Using the scale of the AWS Cloud to solve new challenges.
Requiring unique identity and access management solutions.
3. What to Expect
Provide a mental model
Chart the cloudscape
How to use IDAS services
4. Disambiguation
Identity and Access Mgmt (the subject): authentication, authorization, audit and governance for your cloud workloads. This is our scope, and it includes the service below.
AWS IAM (the service): authenticates and authorizes AWS APIs.
5. Identity and Access Management means…
Authentication: validate identities securely.
Authorization: manage access using fine-grained policies.
Audit/Governance: meet compliance requirements.
6. At all levels…
Identity and Access Management (the subject) spans the AWS Management Console/APIs, AWS infrastructure, AWS applications, and your applications.
Identities at every level: developers, admins, security, employees, customers, partners.
7. Tenets: mental model for Identity and Access Management services
Give you choice.
Secure, flexible, comprehensive.
Meet you where you are.
8. Benefits of AWS Identity, Directory, and Access Services
Superior Security: enable you to build applications and manage access more securely in the AWS Cloud than on premises.
Increase Flexibility: offer you options that meet you along your AWS Cloud journey instead of forcing you to adapt to AWS.
Comprehensive: breadth of services that help you get started quickly and are feature rich to meet your more advanced needs over time.
10. AWS Identity, Directory, and Access Services
AWS Secrets Manager (NEW!): lifecycle management for application secrets.
AWS Identity and Access Management: fine-grained access management for AWS resources.
AWS Organizations: policy-based management for multiple AWS accounts.
AWS Directory Service: integrates Active Directory in AWS for Windows workloads, AWS resource access, and AWS
AWS Single Sign-On: manage single sign-on (SSO) access to multiple AWS accounts and business applications.
11. Broader Security Portfolio
Incident response: AWS Config Rules, AWS Lambda
Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Single Sign-On, AWS Directory Service, AWS Secrets Manager
Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (WAF), Amazon Inspector, Amazon Virtual Private Cloud (VPC)
Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, Certificate Manager, Server Side Encryption
13. AWS Resources: AWS Organizations
Master Account / Administrative root (M)
AWS Accounts: A1, A2, A3, A4
Organizational Units (OUs): Dev, Test, Prod
Service Control Policies (SCPs)
17. AWS Secrets Manager: lifecycle management for secrets such as database credentials and API keys.
Rotate secrets safely.
Manage access with fine-grained policies.
Secure and audit secrets centrally.
Pay as you go.
22. AWS Single Sign-On
Components: AWS SSO in the Master Account, AWS Organizations, AWS Directory Service, on-premises Active Directory (groups), and entitlements.
Install AWS SSO and map AD groups to defined permissions.
Grant access to one AWS account, an OU, or the entire Organization.
Connect AWS Directory Service to on-premises AD.
23. SAML or OIDC Federation
Corporate data center: on-premises Microsoft Active Directory (on-premises user credentials), AD FS Server (SAML authenticate), Azure AD Connect Server (synchronize users).
Azure AD
SaaS Applications
AWS Accounts: AWS IAM end-point for single sign-on