This document discusses Amazon Web Services (AWS) Identity and Access Management (IAM), as presented by Jim Scharf, Director of IAM. It provides an overview of IAM and how it enables control over access to AWS services and resources. Examples are given of how NASA uses AWS for scalable cloud-based processing of data from Mars rovers. The wide range of AWS services and capabilities are also outlined.

1. AWS Identity and
Access Management
Jim Scharf
7/11/2013

2. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Jim Scharf
Director, AWS Identity and Access Management
Joined AWS in 2004
Own
• AWS Identity and Access Management
• Authentication, Authorization
• Federation
Introductions

3. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Enable businesses and developers
to use web services*
to build scalable, sophisticated applications.
*What people now call “the cloud”
AWS Mission

4. Free steak
campaign
Facebook
page
Mars exploration
operations
Consumer social app
Gene sequencing Marketing web site Interactive TV apps Financial markets
analytics
Web site &
media sharing
Disaster recovery Media streaming Web and mobile apps
Diverse
Customers,
Wide
Range
of
Use
Cases
©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.

5. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Mission-­‐criFcal
Projects
Mars
Rover
Image
processing
Video
Streaming
for
Landing
Scale
up
as
needed
Highly
Parallel
Processing
Whole
World
Watching
One-­‐Time
Event
Mars
Rovers
OperaFons

6. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Panoramas
of
5
Gigapixels,
created
on
AWS
in
just
5
minutes!
Curiosity
©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.

7. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Daily
Mars
Rover
Data
Processing
Window
(2
hours)
Serial
Process
Upload
Plan
Pre-­‐cloud:
Parallel
Process
Upload
Plan
Cloud:
Increased
available
mission
planning
Fme
by
1.5
hours!
Mission
Data
Processing

8. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
More on NASA & AWS
AWS
Re:Invent
Conference,
2012
Keynote
Video
hp://youtu.be/8FJ5DBLSFe4?t=11m58s

9. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Compute
Networking
Storage
&
CDN
Amazon
EC2
Amazon
ElasFc
MapReduce
Amazon
ElasFc
Load
Balancer
Amazon
Route
53
Amazon
Virtual
Private
Cloud
AWS
Direct
Connect
Amazon
S3
Amazon
Glacier
Amazon
EBS
AWS
Import/Export
Amazon
CloudFront
Database
App
Services
Management
Amazon
RDS
Amazon
DynamoDB
Amazon
ElasFCache
Amazon
Redshie
Amazon
CloudSearch
Amazon
SWF
Amazon
SQS
(Queues)
Amazon
SNS
(NoFficaFons)
Amazon
SES
(Email)
Amazon
ElasFc
Transcoder
AWS
IAM
Amazon
CloudWatch
AWS
ElasFc
Beanstalk
AWS
CloudFormaFon
AWS
Data
Pipeline
AWS
OpsWorks
AWS
CloudHSM
AWS
Trusted
Advisor
AWS
Marketplace
AWS Services

10. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Access control
for AWS services and resources
AWS Identity and Access Management

11. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.

12. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Difference #1

13. Image
courtesy
of:
hp://imgsrc.hubblesite.org/hu/db/images/hs-­‐2005-­‐01-­‐a-­‐full_jpg.jpg
©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.

14. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
AWS Scale
• $5.2B e-commerce company
• 7,800 employees
• A whole lot of servers!
Every day (on average), AWS
adds server capacity equivalent
to that entire $5.2B enterprise

15. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Trillions
Resources

16. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Million+
Requests/Second

17. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Hundreds of
Thousands
Customers
in 190 countries
each with one to millions of identities

18. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Lots!
Servers

19. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Global

20. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Difference #2

21. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Resources

22. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Cloud Services
Amazon
EC2

23. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Instance O/S

24. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Cloud Services
Amazon
EC2
Amazon
S3
Amazon
ElasFc
MapReduce
AWS
Storage
Gateway
Amazon
DynamoDB
Amazon
RDS
Amazon
ElasFCache
Amazon
Route
53
Amazon
VPC
Amazon
CloudFront
Amazon
CloudWatch
Amazon
ElasFc
Beanstalk
AWS
CloudFormaFon
AWS
IAM
Amazon
SQS
Amazon
SES
Amazon
SNS
Amazon
CloudSearch
Amazon
SWF
Amazon Redshift
OpsWorks
Amazon
ElasFc
Transcoder

25. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Cloud Resources
Amazon
EC2
Amazon
S3
Amazon
ElasFc
MapReduce
AWS
Storage
Gateway
Amazon
DynamoDB
Amazon
RDS
Amazon
ElasFCache
Amazon
Route
53
Amazon
VPC
Amazon
CloudFront
Amazon
CloudWatch
Amazon
ElasFc
Beanstalk
AWS
CloudFormaFon
AWS
IAM
Amazon
SQS
Amazon
SES
Amazon
SNS
Amazon
CloudSearch
Amazon
SWF
Amazon Redshift
OpsWorks
Amazon
ElasFc
Transcoder
Instances
Files
AMIs
Spot
Instances
Volumes
Messages
Snapshots
Security
Groups
ElasFc
IPs
Placement
Groups
Users
Groups
Roles
Load
Balancers
Autoscaling
Groups
Network
Interfaces
Queues
Topics
Domains
Workflows
ApplicaFons
Templates
DistribuFons
Buckets
Stacks
Apps
Layers
Clusters

26. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
AWS Marketplace

27. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Difference #3

28. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Customers
• Individual Developers
• Students

29. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Hear about AWS

30. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Create Account

31. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Innovate!

32. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Customers
• Individual Developers
• Students
• Startups
• SMBs

33. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
IAM
• Users, Groups, Permissions
– Individual security credentials
– Secure by default
– Grant least privilege
• Easy to use
– Graphical user interface
– Ability to script/automate (CLI & API)

34. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Customers
• Individual Developers
• Students
• Startups
• SMBs
• Enterprises
• Government
Agencies

35. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Control
• AWS Multi-Factor Authentication
– Hardware tokens
– Smartphone app tokens
• Credential management policies
• Control billing, support, and AWS Marketplace
purchases

36. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
• HIPAA
• SOC 1/SSAE 16/ISAE
3402 (formerly SAS70)
• SOC 2
• SOC 3
• PCI DSS Level 1
• ISO 27001
• FedRAMP
• DIACAP and FISMA
• ITAR
• FIPS 140-2
• CSA
• MPAA
Compliance

37. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Federation
• AWS Websites and/or APIs as relying party
• Pre-packaged sample: Windows Active Directory as identity provider
SSO
AcFve
Directory

38. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Federation
• Partners are critical
http://www.xceedium.com/xsuite/xsuite-for-amazon-web-services
http://www.okta.com/aws/
http://www.symplified.com/solutions/single-sign-on-sso
https://www.pingidentity.com/products/pingfederate/
• More federation support coming…

39. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Customers
• Individual Developers
• Students
• Startups
• SMBs
• Enterprises
• Government
Agencies
• Mobile Developers

40. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Web Identity Federation
• App sign-in using 3rd party identity providers
–
– Facebook
– Google (using OpenID Connect)
• No server-side code required

41. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Web Identity Federation
US-EAST-1
AWS Services
STS
Access
AWS
Resources
IdenFty
Provider
Assume
Role
Amazon
S3
Amazon
DynamoDB

42. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
Customer Evolution
Username
&
Password
IAM
Management
UI,
CLI,
API
MulF-­‐Factor
AuthenFcaFon
FederaFon
&
SSO
Password
Strength
Policy
AWS
Marketplace
Control
Enterprise
Joe
Startup/
SMB
No
addiGonal
charge
Mobile

43. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
• Scale
• Resources
• Customers
Summary

44. ©
2013
Amazon.com,
Inc.
and
its
affiliates.
All
rights
reserved.
May
not
be
copied,
modified
or
distributed
in
whole
or
in
part
without
the
express
consent
of
Amazon.com,
Inc.
jscharf@amazon.com
@jim_scharf
Additional resources:
• AWS Security Blog: http://blogs.aws.amazon.com/security/
• AWS IAM: http://aws.amazon.com/iam/
• AWS IAM on Twitter: @AWSIdentity
Thank You!
RegistraGon
opens
July
17,
9
AM
PDT
Last
year,
it
sold
out,
so
register
early