SEC302 Delegating Access to Your AWS Environment - AWS re:Invent 2012
At times you may have a need to provide external entities access to resources within your AWS account. You may have users within your enterprise that want to access AWS resources without having to remember a new username and password. Alternatively, you may be creating a cloud-backed application that is used by millions of mobile users. Or you may have multiple AWS accounts that you want to share resources across. Regardless of the scenario, AWS Identity and Access Management (IAM) provides a number of ways you can securely and flexibly provide delegated access to your AWS resources. Come learn how to best take advantage of these options in your AWS environment.
2. Understand the technology used to delegate access
• Sessions and the AWS Security Token Service
• Roles and assumed-role sessions
• Federated sessions
• The differences in session types and when to use what
Use cases we’ll cover:
• Cross Account Access
• AWS API Federation
• AWS Console Federation
5. Sessions allow delegating temporary access to your AWS account
Use cases being covered in this talk:
• Cross Account Access
• Inbound AWS federation
• AWS service API
• AWS Management Console
Other use cases not covered today:
• Mobile and browser-based applications
• Consumer applications with unlimited users
• MFA Protected API Access
14. How to define who can assume the role using the console
Policy attached to the calling entity (user or group) in the trusting account:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::111122223333:role/MyRole"
    }
  ]
}
Entity can assume MyRole under account 111122223333 (provided MyRole's trust policy also names the entity's account; see slide 15)
15. Cross Account Access: Jeff (IAM user in the IAM Team Account) assumes s3-role in My AWS Account
IAM Team Account, Acct ID: 123456789012: Jeff
My AWS Account, Acct ID: 111122223333: STS, s3-role
Flow:
• Jeff authenticates to STS with Jeff's access keys
• Jeff gets temporary security credentials from s3-role
• Jeff calls AWS APIs using the temporary security credentials

Permissions assigned to s3-role (what the assumed-role session may do):
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

Policy assigned to Jeff granting him permission to assume s3-role in account 111122223333:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::111122223333:role/s3-role"
    }
  ]
}

Policy assigned to s3-role defining who (trusted entities) can assume the role:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "sts:AssumeRole"
    }
  ]
}
Both policies must allow the call: Jeff's own policy alone does not get him into account 111122223333, and the trust policy alone does not let any user in account 123456789012 assume the role unless that user's account administrator has also granted sts:AssumeRole.
17. Assumed-Role Session – Code Sample (C#, AWS SDK for .NET)
using System;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public static Credentials getAssumeRoleSession(String roleArn, String accessKey, String secretKey)
{
    // accessKey/secretKey are the caller's long-term IAM user keys (Jeff, account 123456789012);
    // STS signs the AssumeRole call with them and returns temporary credentials for the role.
    AmazonSecurityTokenServiceClient client = new AmazonSecurityTokenServiceClient(
        accessKey, secretKey,
        new AmazonSecurityTokenServiceConfig());
    // Store the attributes and request a new AssumeRole session (temporary security credentials)
    AssumeRoleRequest request = new AssumeRoleRequest
    {
        DurationSeconds = 3600,              // one-hour session
        RoleArn = roleArn,                   // e.g. arn:aws:iam::111122223333:role/s3-role
        RoleSessionName = "S3BucketBrowser"  // becomes part of the assumed-role session ARN
    };
    AssumeRoleResponse startSessionResponse = client.AssumeRole(request);
    if (startSessionResponse != null) // Check for valid security credentials or null
    {
        AssumeRoleResult startSessionResult = startSessionResponse.AssumeRoleResult;
        return startSessionResult.Credentials;  // AccessKeyId, SecretAccessKey, SessionToken, Expiration
    }
    else
    {
        throw new Exception("S3 Browser :: Error in retrieving temporary security creds, received NULL");
    }
}
20. AWS API Federation through a federation proxy
Customer (IdP): User, App, Application Federation Proxy, Directory
AWS Cloud (Relying Party): STS; AWS resources (S3 bucket with objects, Amazon DynamoDB, Amazon EC2)
1 Request Token (user's app -> Application Federation Proxy)
2, 3 Exchange between the federation proxy and the Directory (the code sample on slide 22 retrieves the user's AWS policy from Active Directory here)
4 GetFederationToken request (federation proxy -> STS)
5 GetFederationToken response: Access Key, Secret Key, Session Token
6 Receive Token (federation proxy -> app)
7 Call AWS APIs (app -> AWS resources, using the temporary credentials)
Notes:
• The proxy uses a set of IAM user credentials to call GetFederationToken
• That IAM user's permissions need to be the union of all federated user permissions
• The proxy needs to securely store these privileged credentials
22. Get Federated Session – Code Sample (C#, AWS SDK for .NET)
using System;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public Credentials GetSecurityToken(string userName, string accessKey, string secretKey)
{
    // accessKey/secretKey are the federation proxy's own IAM user keys; the session
    // returned can never exceed that user's permissions (see slide 20).
    AmazonSecurityTokenServiceConfig config = new AmazonSecurityTokenServiceConfig();
    AmazonSecurityTokenServiceClient client = new AmazonSecurityTokenServiceClient(accessKey, secretKey, config);
    string policy = Utilities.BuildAWSPolicy(userName); // Retrieve the AWS policy for this user from Active Directory
    GetFederationTokenRequest request = new GetFederationTokenRequest
    {
        DurationSeconds = Utilities.GetSessionDuration(),
        Name = userName,    // becomes part of the federated user's ARN
        Policy = policy     // scopes the session down further; it cannot widen the proxy user's permissions
    };
    GetFederationTokenResponse startSessionResponse = client.GetFederationToken(request);
    if (startSessionResponse != null) // Check the result returned, ex: valid security credentials or null?
    {
        GetFederationTokenResult startSessionResult = startSessionResponse.GetFederationTokenResult;
        return startSessionResult.Credentials;
    }
    else
    {
        throw new Exception("FederationProxy :: Error in retrieving temporary security creds, received NULL");
    }
}
24. AWS Console Federation: the proxy assumes s3-role on the user's behalf
Acct ID: 111122223333: Proxy Server (IAM user), STS, s3-role
Flow:
• The proxy authenticates to STS with its IAM user's access keys
• The proxy gets temporary security credentials from s3-role
• The user logs in to the AWS Management Console using the temporary security credentials

Permissions assigned to s3-role:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

Policy assigned to the Proxy granting permission to ListRoles and AssumeRole for all roles in the account:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:ListRoles", "sts:AssumeRole"],
      "Resource": "arn:aws:iam::111122223333:role/*"
    }
  ]
}
(Note: iam:ListRoles does not support resource-level permissions, so in practice it needs its own statement with "Resource": "*"; the sts:AssumeRole statement can stay scoped to role/*.)

Policy assigned to s3-role defining who can assume the role; the sts:ExternalId condition means the trusted account alone is not enough, the caller must also pass the agreed ExternalId in the AssumeRole request:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": ["sts:AssumeRole"],
      "Condition": {
        "StringEquals": {"sts:ExternalId": "{SID1234…}"}
      }
    }
  ]
}
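The two-sided check behind slides 14, 15 and 24, as an added example that is not part of the SEC302 deck: STS hands out an assumed-role session only if the caller's own policy allows sts:AssumeRole on the role ARN and the role's trust policy admits the caller's account (and, when present, the ExternalId matches). The account IDs and role name are the deck's; the ExternalId value "SID1234" is a placeholder assumed here, and the evaluator is a deliberately simplified model of IAM's logic (Allow statements only, no Deny handling).

```python
# Added example (not from the SEC302 deck): a minimal model of the two checks
# STS makes before issuing an assumed-role session.
#   1. the caller's identity policy must allow sts:AssumeRole on the role ARN
#   2. the role's trust policy must name the caller's account as a Principal
#      and, if it carries an sts:ExternalId condition, the value must match.
# The ExternalId "SID1234" is an assumed placeholder; the evaluator is a
# simplified illustration, not the IAM policy engine (Allow statements only).
import fnmatch
import json

ROLE_ARN = "arn:aws:iam::111122223333:role/s3-role"

# Policy attached to Jeff (IAM user in account 123456789012), as on slide 15.
JEFF_POLICY = json.loads("""
{"Statement": [{"Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::111122223333:role/s3-role"}]}
""")

# Trust policy on s3-role, with the ExternalId condition from slide 24.
S3_ROLE_TRUST = json.loads("""
{"Statement": [{"Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                "Action": ["sts:AssumeRole"],
                "Condition": {"StringEquals": {"sts:ExternalId": "SID1234"}}}]}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def caller_may_assume(identity_policy, role_arn):
    """Check 1: does the caller's identity policy allow sts:AssumeRole on role_arn?"""
    for stmt in identity_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in actions) and \
           any(fnmatch.fnmatchcase(role_arn, r) for r in resources):
            return True
    return False


def trust_allows(trust_policy, caller_account, external_id=None):
    """Check 2: does the role's trust policy admit this account (and ExternalId)?"""
    caller_root = f"arn:aws:iam::{caller_account}:root"
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if caller_root not in principals:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue  # right account, but wrong or missing ExternalId
        return True
    return False


def assume_role_allowed(identity_policy, trust_policy, role_arn, caller_account, external_id=None):
    """Both sides must say yes; either policy on its own is not enough."""
    return caller_may_assume(identity_policy, role_arn) and \
        trust_allows(trust_policy, caller_account, external_id)


if __name__ == "__main__":
    print(assume_role_allowed(JEFF_POLICY, S3_ROLE_TRUST, ROLE_ARN, "123456789012", "SID1234"))  # True
    print(assume_role_allowed(JEFF_POLICY, S3_ROLE_TRUST, ROLE_ARN, "123456789012"))             # False: no ExternalId
    print(assume_role_allowed(JEFF_POLICY, S3_ROLE_TRUST, ROLE_ARN, "999988887777", "SID1234"))  # False: untrusted account
```

The third call is the case the ExternalId condition exists for: a caller that knows the role ARN but is not the intended account gets nothing even when it guesses the ExternalId, and the intended account gets nothing without it.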
25. AWS Console Federation flow
Customer (IdP): Browser interface, Federation proxy, Corporate directory
AWS Cloud (Relying Party): STS, AWS Management Console
1 Browse to URL (browser -> federation proxy)
2, 3 Exchange between the federation proxy and the corporate directory
4 ListRoles request (federation proxy -> AWS)
5 ListRoles response
6 Create combo box (the proxy shows the user the roles available to pick from)
7 AssumeRole request (federation proxy -> STS)
8 AssumeRole response: federation temp credentials (Access Key, Secret Key, Session Token)
9 Generate URL (the sign-in URL, see slide 27)
10 Redirect to Management Console
Notes:
• The proxy uses a set of IAM user credentials to make the AssumeRole request
• That IAM user's permissions only need to be able to call ListRoles and assume the role
• The proxy needs to securely store these credentials
27. Console Federation – Code Sample (C#)
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Web;
using Amazon.SecurityToken.Model;

public string getSignInURL(Credentials federatedCredentials, String issuerURL, String consoleURL, String signInURL)
{
    // Step 1: request a sign-in token using the temporary credentials (Access Key ID,
    // Secret Access Key and session token), serialized as the Session JSON document.
    String sessionJson = "{" +
        "\"sessionId\":\"" + federatedCredentials.AccessKeyId + "\"," +
        "\"sessionKey\":\"" + federatedCredentials.SecretAccessKey + "\"," +
        "\"sessionToken\":\"" + federatedCredentials.SessionToken + "\"" +
        "}";
    String getSigninTokenURL = signInURL + "?Action=getSigninToken" +
        "&SessionType=json&Session=" +
        HttpUtility.UrlEncode(sessionJson, Encoding.UTF8);
    WebRequest Request = WebRequest.Create(getSigninTokenURL);
    String Response;
    using (HttpWebResponse WebResponse = (HttpWebResponse)Request.GetResponse())
    using (StreamReader reader = new StreamReader(WebResponse.GetResponseStream()))
    {
        Response = reader.ReadToEnd();
    }
    // The endpoint answers {"SigninToken":"..."}; splitting on ':' and '"' and taking
    // element 4 relies on exactly that shape, so a JSON parser is the safer choice.
    String[] session_encrypted = Response.Split(new Char[] { ':', '"' });
    String signinToken = session_encrypted[4];
    String signinTokenParameter = "&SigninToken=" + HttpUtility.UrlEncode(signinToken, Encoding.UTF8);
    // Step 2: build the login URL. The issuer parameter is optional, but recommended. Use it to direct users
    // to your sign-in page when their session expires.
    String issuer_param = "&Issuer=" + HttpUtility.UrlEncode(issuerURL, Encoding.UTF8);
    String destination_param = "&Destination=" + HttpUtility.UrlEncode(consoleURL, Encoding.UTF8);
    String loginURL = signInURL + "?Action=login" + signinTokenParameter + issuer_param + destination_param;
    return loginURL;
}
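The same two-step exchange in Python, as an added example that is not part of the SEC302 deck: step 1 turns the temporary credentials into a getSigninToken request, step 2 turns the returned SigninToken into the one-time login URL the browser is redirected to. The HTTPS call is passed in as a function so the logic runs offline; the credentials and the endpoint's reply below are constructed placeholders, and the response is parsed as JSON rather than split on quote characters.

```python
# Added example (not from the SEC302 deck): console federation URL construction.
# Only the federation endpoint is real; credentials and the canned reply are
# constructed placeholders so the example runs without network access.
import json
from urllib.parse import urlencode, urlparse, parse_qs

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def signin_token_url(temp_credentials):
    """Step 1: build the getSigninToken URL from AssumeRole/GetFederationToken credentials."""
    session = {"sessionId": temp_credentials["AccessKeyId"],
               "sessionKey": temp_credentials["SecretAccessKey"],
               "sessionToken": temp_credentials["SessionToken"]}
    params = {"Action": "getSigninToken", "SessionType": "json",
              "Session": json.dumps(session, separators=(",", ":"))}
    return FEDERATION_ENDPOINT + "?" + urlencode(params)


def parse_signin_token(response_body):
    """The endpoint answers with a JSON document {"SigninToken": "..."}; parse it as
    JSON so a change in whitespace or field order cannot break the proxy."""
    return json.loads(response_body)["SigninToken"]


def console_login_url(temp_credentials, issuer_url, destination_url, http_get):
    """Step 2: fetch the SigninToken with the caller-supplied http_get(url) and
    build the login URL. Issuer is where the console sends the user when the
    session expires; Destination is the console page to land on."""
    token = parse_signin_token(http_get(signin_token_url(temp_credentials)))
    params = {"Action": "login", "Issuer": issuer_url,
              "Destination": destination_url, "SigninToken": token}
    return FEDERATION_ENDPOINT + "?" + urlencode(params)


# Constructed placeholder credentials (not real keys).
FAKE_CREDENTIALS = {"AccessKeyId": "ASIAEXAMPLEKEYID",
                    "SecretAccessKey": "exampleSecret/Key+With=Special",
                    "SessionToken": "exampleSessionToken=="}


def fake_http_get(url):
    """Stand-in for the real HTTPS GET to the federation endpoint: checks that the
    request is well formed and returns a canned SigninToken reply."""
    q = parse_qs(urlparse(url).query)
    assert q["Action"] == ["getSigninToken"] and q["SessionType"] == ["json"]
    assert json.loads(q["Session"][0])["sessionId"] == FAKE_CREDENTIALS["AccessKeyId"]
    return '{"SigninToken": "constructed-signin-token-value"}'


if __name__ == "__main__":
    print(console_login_url(FAKE_CREDENTIALS, "https://intranet.example.com/login",
                            "https://console.aws.amazon.com/s3/", fake_http_get))
```

Everything in the Session document (the access key, secret key and session token) goes to the federation endpoint over TLS in the query string, so the proxy should build this URL server-side and only ever hand the browser the final login URL, which carries just the SigninToken.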
30. Permissions Example
Credential type        | What restricts access                                         | Example effective policy
Root account (implicit)| Unrestricted access to all enabled AWS services and           | Effect: Allow, Action: "*", Resource: "*"
                       | account resources                                             |
IAM users              | Access restricted by group and user policies                  | Effect: Allow, Action: ["s3:*", "sts:Get*"], Resource: "*"
Federated sessions     | Access restricted by the generating identity and scoped       | Effect: Allow, Action: ["s3:Get*"], Resource: "arn:aws:s3:::mybucket/*"
                       | further by the policy passed in the request                   |
Assumed-role sessions  | Access restricted by the role assumed and scoped further by   | Effect: Allow, Action: ["dynamodb:*"], Resource: "*"
                       | the policy passed in the request                              |
34. Related sessions
Code   | Session                                                      | Time
SEC101 | A Guided Tour of AWS Identity and Access Management          | Wednesday 11/28 2.05pm
SEC302 | Delegating Access to Your AWS Environment                    | Wednesday 11/28 3.25pm
MBL302 | Solving Common Mobile Use Cases with the AWS Mobile SDKs     | Wednesday 11/28 3.25pm
SEC303 | TOP 10 IAM Best Practices                                    | Thursday 11/29 3pm
35. We are sincerely eager to hear your feedback on this presentation and on re:Invent. Please fill out an evaluation form when you have a chance.