1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Soup to Nuts: Identity Federation for AWS
Quint Van Deman,
Global Business Development Manager,
AWS Identity & Directory Services
2. What to expect
• Build consistent vernacular & mental model
• Tour the major federation bridges across AWS
• Fun & lively session with demos
• Links to key content & patterns
Image credits: (C) Copyright Jean-Remy Duboc, licensed for reuse under the Creative Commons Attribution-Generic 2.0 License; by Adam.J.W.C. (own work) [CC BY 3.0 (http://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons
3. Building a consistent vernacular & mental model
4. What do we mean when we say “federation”?
5. Definition (for today)
Identity providers: store identities; perform authentication and authorization (coarse)
Identity consumers: store references, not synced copies; perform authorization (fine)
Providers and consumers are linked by trust, over protocols, with no sync of identities
6. Rationale
                  Users               Security                 Compliance
Before            Unique credentials  Credentials everywhere   Bespoke
After (result)    1:Many reuse        Centrally managed        Unified
7. Understanding planes of access: EC2
Control plane – AWS API (e.g. ec2:StartInstances)
Data plane – VPC connection (e.g. SSH, RDP)
Different:
• Paths
• Credentials
• Protocols
8. Understanding planes of access: DynamoDB
Control plane – AWS API (e.g. dynamodb:CreateTable)
Data plane – AWS API (e.g. dynamodb:GetItem)
Same:
• Path
• Credential
• Protocol
9. Mental Model
Four elements: Use cases, Evaluation, Selection, Blueprints
10. Bridge #1: Security Assertion Markup Language (SAML)
11. SAML Primer
Parties: User, Identity provider (IdP), Service provider (SP)
• IdP ⇄ SP: Metadata (exchanged in advance)
• User ⇄ IdP: AuthN & AuthZ
• IdP → SP: Assertion
12. SAML Federation
Source: Internal AD → SAML IdP (SAML)
Targets: Console, API, CLI; Cognito, Apps, APIs; Data plane APIs
13. SAML Federation: Demonstrations
14. SAML demo review
SAML federation for the AWS Management Console, APIs, and CLI
Demo topics: Amazon S3 permissions; many AWS accounts; custom durations; MFA for SAML
Self-paced workshop materials (all this & much more): http://bit.ly/2dBXMUq
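The console/API/CLI demo above relies on three AWS-specific SAML attributes: Role (one value per role/provider pair, which is how a single assertion spans many AWS accounts), RoleSessionName, and SessionDuration (the custom durations). The script below is an added example, not code from the deck or the workshop, showing how a broker or an auditor would pull those attributes out of an assertion. The assertion text, account ids, role names and issuer are constructed. Signature verification is deliberately left out: STS checks the signature against the IdP metadata registered on the SAML provider when the assertion is presented to sts:AssumeRoleWithSAML, and untrusted XML should go through defusedxml rather than the stdlib parser.

```python
# Added example (not from the AWS deck): extract the AWS attributes from a
# SAML assertion. Assertion content below is constructed for this example.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
MIN_DURATION, MAX_DURATION = 900, 43200  # seconds; STS bounds for SessionDuration

# Constructed sample: two accounts, a 4-hour custom duration, ARNs in either order.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/ExampleIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/ExampleIdP,arn:aws:iam::222222222222:role/S3Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>14400</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attribute_values(root, name):
    """All AttributeValue texts for the named SAML attribute."""
    xpath = f".//saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(xpath, NS) if v.text]


def parse_role_pairs(assertion_xml):
    """Return a list of (account_id, role_arn, provider_arn) from the Role attribute.

    Each value is a "role-arn,provider-arn" pair; this parser accepts either order
    and requires both ARNs to belong to the same account."""
    root = ET.fromstring(assertion_xml)
    pairs = []
    for value in attribute_values(root, ROLE_ATTR):
        parts = [p.strip() for p in value.split(",")]
        roles = [p for p in parts if ":role/" in p]
        providers = [p for p in parts if ":saml-provider/" in p]
        if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
            raise ValueError(f"malformed Role value: {value!r}")
        account = roles[0].split(":")[4]
        if providers[0].split(":")[4] != account:
            raise ValueError(f"role and provider in different accounts: {value!r}")
        pairs.append((account, roles[0], providers[0]))
    return pairs


def session_parameters(assertion_xml):
    """RoleSessionName and SessionDuration as STS will see them. Without a
    SessionDuration attribute STS defaults to one hour; the role's own
    MaxSessionDuration still caps whatever the IdP asserts."""
    root = ET.fromstring(assertion_xml)
    names = attribute_values(root, NAME_ATTR)
    durations = attribute_values(root, DURATION_ATTR)
    if len(names) != 1:
        raise ValueError("exactly one RoleSessionName is required")
    duration = int(durations[0]) if durations else 3600
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError(f"SessionDuration {duration} outside {MIN_DURATION}..{MAX_DURATION}")
    return {"role_session_name": names[0], "duration_seconds": duration}


if __name__ == "__main__":
    for account, role, provider in parse_role_pairs(SAMPLE_ASSERTION):
        print(account, role, provider)
    print(session_parameters(SAMPLE_ASSERTION))
```

The role/provider pairs are what the console's role chooser lists when an assertion carries roles in several accounts, and the provider ARN must sit in the same account as the role, which is why the parser checks it.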
15. SAML demo review
SAML federation for an Amazon Cognito enabled web app & custom API (using API Gateway)
Flow: CloudFront + S3 (SPA) → Cognito; SAML IdP → Cognito (assertion) → tokens → API Gateway (Chalice)
Cognito documentation (includes sample code): http://amzn.to/2wSH4IC
16. SAML Federation
Source: Internal AD → SAML IdP (SAML)
Targets: Console, API, CLI; Cognito, Apps, APIs; Data plane APIs; Redshift, Aurora MySQL, QuickSight, AppStream; SaaS Apps (Outside AWS)
17. Bridge #2: OpenID Connect (OIDC)
18. OIDC Primer
Parties: User, OpenID provider (OP), Relying Party (RP)
• OP ⇄ RP: Metadata & Registration (in advance)
• User ⇄ OP: AuthN & AuthZ
• OP → RP: Tokens
19. OIDC Federation
Sources:
• Internal AD → SAML IdP (SAML)
• External identities → OIDC OP (OIDC)
Targets: Console, API, CLI; Cognito, Apps, APIs; Redshift, Aurora MySQL, QuickSight, AppStream; Apps; Data plane APIs; SaaS Apps (Outside AWS)
20. OIDC Federation: Demonstrations
21. OIDC demo review
OIDC federation for an Amazon Cognito enabled web app & custom API (using API Gateway)
Flow: CloudFront + S3 (SPA) → Cognito; OP → Cognito (tokens) → tokens → API Gateway (Chalice)
Cognito documentation (includes sample code): http://amzn.to/2wSH4IC
22. OIDC demo review
OIDC federation for an Amazon Cognito enabled backend app & external API
Components: Cognito (tokens), SSM Param Store, External API
Cognito documentation: http://amzn.to/2grl7NV
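In both OIDC demos the relying party (the API Gateway authorizer, or STS behind sts:AssumeRoleWithWebIdentity) has to decide whether to trust the tokens the OP issued. The script below is an added example, not code from the deck or the Cognito documentation, of the checks that decision involves: signature, pinned algorithm, issuer, audience and validity window. Issuer, client id, shared secret and claims are constructed. Real OPs such as Cognito sign ID tokens with RS256 and publish the public keys as a JWKS; HS256 with a shared secret is used here only so the example runs with the standard library, and the rest of the verification logic is the same.

```python
# Added example (not from the AWS deck): relying-party validation of an OIDC
# ID token. HS256 stands in for the OP's RS256 signature; all values constructed.
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://op.example.com"   # constructed OP issuer
AUDIENCE = "my-client-id"          # constructed client_id registered at the OP
SECRET = b"constructed-shared-secret"


class TokenRejected(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 ID token, standing in for the OP's token endpoint."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def validate_id_token(token: str, secret: bytes = SECRET, issuer: str = ISSUER,
                      audience: str = AUDIENCE, now=None) -> dict:
    """Return the claims if the token is acceptable for this RP, else raise TokenRejected."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("token must have three dot-separated parts")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the RP expects; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise TokenRejected("signature does not verify")
    # Only after the signature checks out are the claims worth reading.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise TokenRejected("token was not issued for this relying party")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenRejected("token expired or has no exp")
    if now < claims.get("nbf", 0):
        raise TokenRejected("token not yet valid")
    return claims


if __name__ == "__main__":
    issued = int(time.time())
    token = make_id_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-123",
                           "iat": issued, "exp": issued + 300})
    print(validate_id_token(token)["sub"])
```

The order of checks matters: nothing in the payload is read until the signature has verified under the algorithm the RP pinned, so a token that names a different algorithm, a different issuer or a different client_id is rejected before its claims can influence anything.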
23. Bridge #3: Active Directory Trust with Kerberos
24. AD Trust/Kerberos Primer
• On premises Active Directory Domain Controller ⇄ AWS Directory Service for Microsoft Active Directory (Enterprise Edition): AD Forest Trust
• AWS Directory Service → Kerberos enabled resource: Domain Join
• User → Group: Add group membership
25. AD Trust
Sources:
• Internal AD → SAML IdP (SAML)
• External identities → OIDC OP (OIDC)
• Internal AD → AD Trust
Targets: Console, API, CLI; Cognito, Apps, APIs; Redshift, Aurora MySQL, QuickSight, AppStream; Apps; Data plane APIs; Windows/EC2, Workspaces, SQL Server, WorkDocs, WorkMail; SaaS Apps (Outside AWS)
26. AD Trust details for Windows/EC2
Use on premises AD identities for authentication & authorization in Windows/EC2
• On premises Active Directory Domain Controller ⇄ AWS Directory Service for Microsoft Active Directory (Enterprise Edition): AD Forest Trust
• AWS Directory Service → Domain joined Windows EC2 instance: Domain Join
• User → Group: Add group membership
Directory Service documentation: http://amzn.to/2ysq4Ns
27. AD Trust details for Workspaces
Use on premises AD identities to provision and access workspaces
• On premises Active Directory Domain Controller ⇄ AWS Directory Service for Microsoft Active Directory (Enterprise Edition): AD Forest Trust
• Admin: Search & Provision
• Domain Join
• User: Login (AuthN & AuthZ)
Workspaces documentation: http://amzn.to/2x6IcZB
28. Bridge #4: AWS Cross Account (XA) Trust
29. AWS XA Trust Primer
Target AWS Account (You) – IAM Role
• Permission Policy: controls access to AWS services & resources
• Trust Policy: specifies the Principals who can assume the role, and a shared secret (external id)
Source AWS Account (External Entity, or vice versa) – IAM Role or IAM User
• Permission Policy: allows sts:AssumeRole to remote role (in target)
Flow: sts:AssumeRole → short-term credential → invoke AWS APIs / access Mgmt Console
Note: AWS XA Trusts also support many other use cases
30. Cross Account
Source: External Apps (AWS Cred) → Cross Account Trust
Targets: Console, API, CLI; Cognito, Apps, APIs; Redshift, Aurora MySQL, QuickSight, AppStream; Data plane APIs; Windows/EC2, Workspaces, SQL Server, WorkDocs, WorkMail; SaaS Apps (Outside AWS)
31. Cross account trust details
Use AWS credentials from one account to federate into another account
aws sts assume-role --role-arn arn:aws:iam::012345678912:role/RoleName \
    --role-session-name use_traceable_name --external-id mysharedsecret
{
    "AssumedRoleUser": {
        "AssumedRoleId": "XXXXXXXXXXXXXXXXXXXXX:use_traceable_name",
        "Arn": "<roleARN>/use_traceable_name"
    },
    "Credentials": {
        "SecretAccessKey": "ssssssssssssssssssssssssssssssssssssssss",
        "SessionToken": "ttttttttttttttttttttttttttttttttttttttttttt",
        "Expiration": "2017-10-19T00:01:38Z",
        "AccessKeyId": "aaaaaaaaaaaaaaaaaaaaaaa"
    }
}
IAM documentation: http://amzn.to/2zzwE2n
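The primer on slide 29 and the CLI call above together involve two policy documents (the trust policy on the target role and the permission policy on the source principal), the shared secret passed as --external-id, and the short-term credential that comes back. The script below is an added example, not code from the deck or the IAM documentation: it builds both policies, audits a trust policy for the external-id guard when another account is the principal (the external id is what stops a third party being used as a confused deputy), mirrors the CLI call as boto3 keyword arguments, and maps the Credentials block of the response to the environment variables the CLI and SDKs read. The source account id, the sample response values and the external id are constructed placeholders; the target account and role name reuse the placeholders on the slide.

```python
# Added example (not from the AWS deck): cross-account trust policies, a trust
# policy audit, and handling the assume-role response. Values are placeholders.
import json

TARGET_ACCOUNT = "012345678912"   # account that owns the role (placeholder from the slide)
SOURCE_ACCOUNT = "999999999999"   # constructed: account whose principals may assume it
ROLE_NAME = "RoleName"
EXTERNAL_ID = "mysharedsecret"    # placeholder; in practice a random value agreed out of band
ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/{ROLE_NAME}"


def as_list(value):
    return value if isinstance(value, list) else [value]


def target_trust_policy(source_account=SOURCE_ACCOUNT, external_id=EXTERNAL_ID):
    """Trust policy on the role in the target account: who may assume it and the
    shared secret they must present (sts:ExternalId, the CLI's --external-id)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def source_permission_policy(role_arn=ROLE_ARN):
    """Permission policy on the source-side user or role: allow AssumeRole on the remote role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}],
    }


def audit_trust_policy(policy, own_account=TARGET_ACCOUNT):
    """Findings for Allow statements that admit a wildcard principal, or another
    account's principal without an sts:ExternalId condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        conditions = stmt.get("Condition", {})
        has_external_id = any("sts:ExternalId" in keys for keys in conditions.values())
        for p in aws_principals:
            if p == "*":
                findings.append("wildcard principal may assume the role")
            elif f":{own_account}:" not in p and not has_external_id:
                findings.append(f"cross-account principal {p} has no sts:ExternalId condition")
    return findings


def assume_role_request(session_name, role_arn=ROLE_ARN, external_id=EXTERNAL_ID):
    """Keyword arguments for boto3 sts.assume_role(), mirroring the CLI call on the slide."""
    return {"RoleArn": role_arn, "RoleSessionName": session_name, "ExternalId": external_id}


def credentials_to_env(assume_role_response):
    """Map the Credentials block of an assume-role response to the env vars the CLI/SDKs read."""
    creds = assume_role_response["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


# Constructed response, shaped like the slide's sample output.
SAMPLE_RESPONSE = {
    "AssumedRoleUser": {"AssumedRoleId": "XXXXXXXXXXXXXXXXXXXXX:use_traceable_name",
                        "Arn": f"arn:aws:sts::{TARGET_ACCOUNT}:assumed-role/{ROLE_NAME}/use_traceable_name"},
    "Credentials": {"AccessKeyId": "aaaaaaaaaaaaaaaaaaaaaaa",
                    "SecretAccessKey": "ssssssssssssssssssssssssssssssssssssssss",
                    "SessionToken": "ttttttttttttttttttttttttttttttttttttttttttt",
                    "Expiration": "2017-10-19T00:01:38Z"},
}

if __name__ == "__main__":
    print(json.dumps(target_trust_policy(), indent=2))
    print(audit_trust_policy(target_trust_policy()))
    print(assume_role_request("use_traceable_name"))
    print(credentials_to_env(SAMPLE_RESPONSE))
```

The session name in the request is what shows up in the AssumedRoleUser ARN and in CloudTrail, which is why the slide's command uses a traceable one; the audit function is the check to run over every role whose trust policy names a principal outside your own account.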
32. Bridge #5: Custom Federation Broker
33. Custom Federation Broker Primer
• User → Broker: authN & authZ
• Broker ← Entitlements & Policies
• Broker → STS: sts:AssumeRole (or) sts:GetFederationToken, with a scoping policy
• STS → Broker → User: short-term credential
Note: Mostly a legacy mechanism
34. Custom Broker
Source: External Apps (Broker credential → AWS Cred) → Custom broker / Cross Account Trust
Targets: Console, API, CLI; Cognito, Apps, APIs; Redshift, Aurora MySQL, QuickSight, AppStream; Data plane APIs; Windows/EC2, Workspaces, SQL Server, WorkDocs, WorkMail; SaaS Apps (Outside AWS)
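The primer on slide 33 hinges on the scoping policy the broker passes along with sts:GetFederationToken (or sts:AssumeRole): the credential it hands the user can do only what both the broker's own identity policy and that scoping policy allow, with any explicit Deny winning. The script below is an added example, not code from the deck or any AWS library, that implements exactly that subset of IAM evaluation (Allow/Deny, Action, Resource, `*` wildcards) so the narrowing can be tested offline; conditions, NotAction/NotResource and resource-based policies are out of scope. The bucket name, policies and user names are constructed.

```python
# Added example (not from the AWS deck): how a broker's scoping policy narrows a
# federation token. Policies and names below are constructed.
import fnmatch
import json

BROKER_POLICY = {  # what the broker's own IAM user/role is allowed to do
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def scoping_policy(user):
    """Per-user session policy: read only, and only this user's prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": "arn:aws:s3:::team-bucket"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::team-bucket/home/{user}/*"},
        ],
    }


def as_list(value):
    return value if isinstance(value, list) else [value]


def matches_action(pattern, action):
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())  # IAM actions are case-insensitive


def matches_resource(pattern, resource):
    return fnmatch.fnmatchcase(resource, pattern)  # resource ARNs are case-sensitive


def evaluate(policy, action, resource):
    """Decision of one policy document: 'Deny', 'Allow', or None (implicit deny)."""
    decision = None
    for stmt in policy["Statement"]:
        if not any(matches_action(a, action) for a in as_list(stmt["Action"])):
            continue
        if not any(matches_resource(r, resource) for r in as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policy, session_policy):
    """A federation token may perform the action only if the broker's identity policy
    and the scoping policy both allow it and neither denies it (the intersection)."""
    results = [evaluate(identity_policy, action, resource),
               evaluate(session_policy, action, resource)]
    if "Deny" in results:
        return False
    return all(r == "Allow" for r in results)


def get_federation_token_request(user, duration=3600):
    """Parameters a broker would pass to sts:GetFederationToken; Policy is a JSON string."""
    return {"Name": user, "DurationSeconds": duration, "Policy": json.dumps(scoping_policy(user))}


if __name__ == "__main__":
    alice = scoping_policy("alice")
    for action, resource in [("s3:GetObject", "arn:aws:s3:::team-bucket/home/alice/report.csv"),
                             ("s3:PutObject", "arn:aws:s3:::team-bucket/home/alice/report.csv"),
                             ("s3:GetObject", "arn:aws:s3:::team-bucket/home/bob/report.csv")]:
        print(action, resource, is_allowed(action, resource, BROKER_POLICY, alice))
```

The broker itself can write anywhere in S3, yet the token it mints for alice can only list the bucket and read under her prefix; adding a new action to the scoping policy that the broker's own policy does not grant changes nothing, which is the property to keep in mind when deciding what the broker principal itself is allowed to do.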
35. Wrap Up
36. Summary
Bridges: SAML, OIDC, AD Trust, XA Trust, Custom
Many bridges, for different:
• Planes of access
• Protocols
• Source credentials
Remember our mental model (slide 9): Use cases, Evaluation, Selection, Blueprints
37. Remaining whitespace
Image: CC0 Public Domain - Free for commercial use, http://maxpixel.freegreatpicture.com/Shadow-White-Space-Renovate-Blank-Renovated-Light-763247
38. Other helpful links
• SAML:
  • Amazon Redshift - http://amzn.to/2yxWX98
  • Amazon RDS MySQL & Amazon Aurora - http://amzn.to/2gjBDvP
  • Amazon AppStream 2.0 - http://amzn.to/2gkU17q
  • Amazon QuickSight - http://amzn.to/2xPfyf3
• OIDC:
  • Amazon Cognito Federated Identities - http://amzn.to/2gl3yvp
  • sts:AssumeRoleWithWebIdentity - http://amzn.to/2yTcOCr
• AD Trust:
  • Amazon RDS SQL Server - http://amzn.to/2glehop
  • WorkDocs - http://amzn.to/2x6CNBz
  • WorkMail - http://amzn.to/2kZFxyZ
• AWS IAM Cross account trust - http://amzn.to/2kZvRon
• Custom federation broker - http://amzn.to/2yyqzov
• Chalice (Python serverless framework for AWS) - https://github.com/aws/chalice
39. aws.amazon.com/activate
Everything and Anything Startups Need to Get Started on AWS