
Delegating Access to your AWS Environment

At times you may have a need to provide external entities access to resources within your AWS account. You may have users within your enterprise that want to access AWS resources without having to remember a new username and password. Alternatively, you may be creating a cloud-backed application that is used by millions of mobile users. Or you have multiple AWS accounts that you want to share resources across. Regardless of the scenario, AWS Identity and Access Management (IAM) provides a number of ways you can securely and flexibly provide delegated access to your AWS resources. Come learn how to best take advantage of these options in your AWS environment.



  1. Delegating Access to your AWS Environment
     Jeff Wierer, Product Manager (IAM)
  2. Goals for this talk
     Understand the technology used to delegate access:
     • Sessions and the AWS Security Token Service (STS)
     • Roles and assumed-role sessions
     • Federated sessions
     • The differences in session types and when to use what
     Use cases we’ll cover:
     • API Account Access Delegation
     • AWS API Federation
     • AWS Management Console Federation
  3. Let’s start with a short demo
  4. AWS Management Console SSO Demo Setup (Sample - Directory
     Log into the console without a username and password!
  5. Single Sign-On AWS Management Console Demo
  6. Wait… what just happened? How did he do that??
     1. Logged into my Windows desktop
     2. Hit an intranet web site
     3. Chose the “role” I wanted to play in AWS
     4. Auto-magically signed in to the console
  7. Delegation basics: Sessions & the AWS Security Token Service
  8. Sessions 101
     • Allow delegating temporary access to your AWS account
     • Are generated by the AWS Security Token Service
     • Include temporary credentials that are used to make API calls to AWS services
  9. Requesting a Session
     Start by requesting a session from AWS STS
  10. What’s in a Session?
     A session is a set of temporary security credentials:
     • Access Key Id
     • Secret Access Key
     • Session Token
     • Expiration
  11. Three Ways to Get Sessions
     • Self-sessions (GetSessionToken)
     • Federated sessions (GetFederationToken)
     • Assumed-role sessions (AssumeRole)
  12. Sessions Expire
     Expiration varies based on token type [Min / Max / Default]:
     • Self (Account) [15 min / 60 min / 60 min]
     • Self (IAM User) [15 min / 36 hrs / 12 hrs]
     • Federated [15 min / 36 hrs / 12 hrs]
     • Assumed-role [15 min / 60 min / 60 min]
     (Limits as of this talk, April 2013; the service limits have been raised since, so check the current STS documentation.)
     Use caching to improve your application performance, but refresh a cached session before its Expiration and treat the Secret Access Key and Session Token as secrets.
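The caching advice on slide 12 has one failure mode worth coding for: a request signed with a session that expires while it is in flight is rejected, so the cache must refresh before the Expiration, not at it. The following is an added example, not code from the talk; the `fetch` callable and the clock are constructed stand-ins for an STS call (any of GetSessionToken, GetFederationToken or AssumeRole) so that it runs offline.

```python
"""Added example: a cache for STS session credentials that refreshes ahead of expiry.
The fetch function and clock below are constructed stubs standing in for a real STS call."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Session:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime  # timezone-aware UTC, as STS returns it


class SessionCache:
    """Reuse one session until shortly before it expires, then fetch a new one.

    `skew` is the safety margin: a call signed with a session that expires while the
    request is in flight fails with an expired-token error, so we refresh a little early.
    """

    def __init__(self, fetch, skew=timedelta(minutes=5), clock=None):
        self._fetch = fetch
        self._skew = skew
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._session = None
        self.fetch_count = 0

    def get(self):
        now = self._clock()
        if self._session is None or now >= self._session.expiration - self._skew:
            self._session = self._fetch()
            self.fetch_count += 1
            if self._session.expiration <= now:
                raise RuntimeError("STS returned an already-expired session")
        return self._session


class FakeClock:
    """Constructed clock so the refresh behaviour can be exercised deterministically."""

    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, delta):
        self.now += delta


def make_stub_fetch(clock):
    """Constructed stand-in for an STS call: each call returns a fresh 60-minute session."""
    counter = {"n": 0}

    def fetch():
        counter["n"] += 1
        return Session(
            access_key_id=f"ASIAEXAMPLE{counter['n']}",  # not a real key
            secret_access_key="secret-not-real",
            session_token="token-not-real",
            expiration=clock() + timedelta(minutes=60),
        )

    return fetch


def demo():
    """Walk the cache through reuse (10 min left) and refresh (4 min left)."""
    clock = FakeClock(datetime(2013, 4, 30, tzinfo=timezone.utc))
    cache = SessionCache(make_stub_fetch(clock), clock=clock)
    first = cache.get()
    clock.advance(timedelta(minutes=50))
    same = cache.get()  # 10 minutes left, outside the 5-minute skew: reused
    clock.advance(timedelta(minutes=6))
    renewed = cache.get()  # 4 minutes left: refreshed before expiry
    return first, same, renewed, cache.fetch_count
```

With a real SDK the `fetch` callable would wrap the STS client call and the clock would be left at its default; the skew should exceed the longest request you expect to sign with the session.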
  13. Role-based delegation: Using assumed-role sessions
  14. What’s an IAM Role?
     • Entity that defines a set of permissions for making AWS service requests
     • Not associated with a specific user or group
     • Roles must be “assumed” by trusted entities; a root account cannot assume a role
  15. Using an IAM Role with EC2
     • Allow EC2 apps to act on behalf of another entity
     • Create a role, apply a policy, launch EC2 instance with role
     • Credentials are automatically:
       – Made available to EC2 instances
       – Rotated multiple times a day
     • AWS SDK transparently uses the credentials
  16. Create a Role and Launch an EC2 Instance Demo
  17. Benefits of Using Roles with EC2
     • Eliminates use of long-term credentials
     • Automatic credential rotation
     • Less coding – AWS SDK does all the work
  18. Use Case: API Account Access Delegation
     • Access resources across AWS accounts
     • Why do you need it?
       – Management visibility across all your AWS accounts
       – Developer access to resources across AWS accounts
       – Enables using third-party management solutions
  19. Using IAM Roles for API Account Access Delegation
     • Extended “roles for EC2” concept
       – Set a policy as before
       – Set a trust granting access [NEW]
     • Delegate access to other AWS entities
       – AWS services (such as EC2)
       – IAM users within your account
       – IAM users under a different account
     • IAM users in one account can now access resources in another account
     Policy attached to the calling entity, granting it permission to assume MyRole under account 111122223333:
       { "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/MyRole" }] }
     [Screenshot: how to define who can assume the role using the console]
  20. API Account Access Delegation – How Does It Work?
     [Diagram: two accounts and STS]
     IAM Team Account (Acct ID: 111122223333) owns s3-role.
     Permissions assigned to s3-role:
       { "Statement": [{ "Effect": "Allow", "Action": "s3:*", "Resource": "*" }] }
     Trust policy assigned to s3-role, defining who (trusted entities) can assume the role:
       { "Statement": [{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Action": "sts:AssumeRole" }] }
     My AWS Account (Acct ID: 123456789012) contains IAM user Jeff.
     Policy assigned to Jeff, granting him permission to assume s3-role in the IAM Team Account:
       { "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/s3-role" }] }
     Flow:
     1. Jeff authenticates to STS with his own access keys
     2. STS returns temporary security credentials for s3-role (both Jeff’s policy and the role’s trust policy must allow sts:AssumeRole)
     3. Jeff calls AWS APIs using the temporary security credentials
  21. Building a Cross-Account Amazon S3 Browser Demo
  22. Assumed-Role Session – Code Sample
      // AWS SDK for .NET (v1): using Amazon.SecurityToken; using Amazon.SecurityToken.Model;
      public static Credentials getAssumeRoleSession(String accessKey, String secretKey)
      {
          Credentials sessionCredentials;
          // The caller's long-term keys (Jeff's IAM user in account 123456789012) sign the STS request
          AmazonSecurityTokenServiceClient client = new AmazonSecurityTokenServiceClient(
              accessKey, secretKey, new AmazonSecurityTokenServiceConfig());

          // Request a new AssumeRole session (temporary security credentials) for s3-role in account 111122223333
          AssumeRoleRequest request = new AssumeRoleRequest
          {
              DurationSeconds = 3600,
              RoleArn = "arn:aws:iam::111122223333:role/s3-role",
              RoleSessionName = "S3BucketBrowser"  // becomes part of the assumed-role session's ARN
          };

          AssumeRoleResponse startSessionResponse = client.AssumeRole(request);
          if (startSessionResponse != null) // Check for valid security credentials or null
          {
              AssumeRoleResult startSessionResult = startSessionResponse.AssumeRoleResult;
              sessionCredentials = startSessionResult.Credentials;
              return sessionCredentials;
          }
          else
          {
              throw new Exception("S3 Browser :: Error in retrieving temporary security creds, received NULL");
          }
      }
  23. API Account Access Delegation Benefits
     • Use one set of credentials
     • No more sharing long-term credentials
     • Revoke access to the role any time you want!
  24. Federation: Using sessions to access AWS with your existing corporate identity
  25. Federation Overview
     • Access AWS with your existing corporate identity
     • Why use federation?
       – Build apps that transparently access AWS resources and APIs
       – SSO to the AWS Management Console
       – Eliminate “yet another password” to manage
  26. Use Case: API Federation (Sample -
     • Identity provider
       – Windows Active Directory
       – Privileges based on AD group membership
       – AD groups include policies
     • Relying party is the AWS API (S3*)
     • Uses a federated session via GetFederationToken
  27. AWS API Federation Walkthrough
     [Diagram: Customer (Identity Provider): User, Application, Active Directory, Federation Proxy. AWS Cloud (Relying Party): STS and AWS resources (S3 bucket with objects, Amazon DynamoDB, Amazon EC2)]
     1. User requests a session from the application
     2–3. The application hands the request to the federation proxy, which checks the user and group membership in Active Directory
     4. Proxy sends a GetFederationToken request to STS
     5. STS returns the GetFederationToken response: Access Key, Secret Key, Session Token
     6. Application receives the session
     7. Application calls AWS APIs with the temporary credentials
     Federation proxy:
     • Uses a set of IAM user credentials to make GetFederationTokenRequest()
     • IAM user permissions need to be the union of all federated user permissions (a federated session can only do what both the IAM user’s policy and the policy passed in the request allow)
     • Proxy needs to securely store these privileged credentials
  28. API Federation Demo
  29. Get Federation Session – Code Sample
      // AWS SDK for .NET (v1): using Amazon.SecurityToken; using Amazon.SecurityToken.Model;
      public Credentials GetSecurityToken(string userName, string accessKey, string secretKey)
      {
          Credentials sessionCredentials;
          AmazonSecurityTokenServiceConfig config = new AmazonSecurityTokenServiceConfig();
          // The proxy's own IAM user keys; this user's permissions bound everything the proxy can delegate
          AmazonSecurityTokenServiceClient client = new AmazonSecurityTokenServiceClient(accessKey, secretKey, config);
          string policy = Utilities.BuildAWSPolicy(userName); // Retrieve the AWS policy from Active Directory (group membership)

          GetFederationTokenRequest request = new GetFederationTokenRequest
          {
              DurationSeconds = 3600 * 8,
              Name = userName,   // federated user name (2-32 chars); becomes part of the federated-user ARN
              Policy = policy    // scoped-down policy for this user
          };

          GetFederationTokenResponse startSessionResponse = client.GetFederationToken(request);
          if (startSessionResponse != null) // Check the result returned: valid security credentials or null?
          {
              GetFederationTokenResult startSessionResult = startSessionResponse.GetFederationTokenResult;
              sessionCredentials = startSessionResult.Credentials;
              return sessionCredentials;
          }
          else
          {
              throw new Exception("FederationProxy :: Error in retrieving temporary security creds, received NULL");
          }
      }
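Slide 29 calls `Utilities.BuildAWSPolicy(userName)` without showing it, and slide 27 states the requirement that the proxy’s IAM user hold the union of everything it delegates. The following is an added example in Python, not the talk’s code: a group-to-policy table feeding the GetFederationToken parameters, validation of the `Name` parameter against its documented character set and length (2 to 32 characters from `[\w+=,.@-]`), and a deploy-time check that reports any group grant the proxy user could not actually delegate. The group table, the proxy user policy and the user names are constructed for the example.

```python
"""Added example: building the GetFederationToken request for a federated user and
checking that the proxy's own IAM user policy covers every group policy it hands out.
The group table and proxy policy are constructed for this example."""
import fnmatch
import json
import re

# Constructed: the policy statements each AD group carries (slide 26: "AD groups include policies").
GROUP_STATEMENTS = {
    "aws-s3-readers": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                        "Resource": ["arn:aws:s3:::team-bucket", "arn:aws:s3:::team-bucket/*"]}],
    "aws-sqs-ops": [{"Effect": "Allow", "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
                     "Resource": "arn:aws:sqs:us-east-1:123456789012:jobs"}],
}

# Constructed: the proxy's own IAM user policy. It should be the union of everything above;
# here it deliberately omits SQS so the coverage check below has something to report.
PROXY_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::team-bucket*"},
    {"Effect": "Allow", "Action": "sts:GetFederationToken", "Resource": "*"},
]}

# Documented constraint on the GetFederationToken Name parameter.
_NAME_RE = re.compile(r"[\w+=,.@-]{2,32}", re.ASCII)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def valid_federated_name(name):
    return _NAME_RE.fullmatch(name) is not None


def build_policy(groups):
    """Union of the statements for the user's groups, as the JSON string STS expects."""
    statements = [s for g in groups for s in GROUP_STATEMENTS.get(g, [])]
    if not statements:
        # A user with no AWS-mapped group gets no session at all, rather than an empty policy.
        raise ValueError("user is in no AWS-mapped group; refusing to issue a session")
    return json.dumps({"Version": "2012-10-17", "Statement": statements})


def federation_request(username, groups, duration_seconds=8 * 3600):
    """The GetFederationToken parameters for this user (the call itself is not made here)."""
    if not valid_federated_name(username):
        raise ValueError(f"invalid federated Name: {username!r}")
    return {"Name": username, "Policy": build_policy(groups), "DurationSeconds": duration_seconds}


def _covered(action, resource, policy):
    """Does some Allow statement in `policy` match this literal action and resource?"""
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


def uncovered_grants(proxy_policy=PROXY_USER_POLICY, groups=GROUP_STATEMENTS):
    """(group, action, resource) triples a group policy grants but the proxy user could not delegate."""
    missing = []
    for group, statements in groups.items():
        for stmt in statements:
            for action in _as_list(stmt["Action"]):
                for resource in _as_list(stmt["Resource"]):
                    if not _covered(action, resource, proxy_policy):
                        missing.append((group, action, resource))
    return missing
```

Run `uncovered_grants()` as a deployment check whenever either the group table or the proxy user’s policy changes; an empty result is the precondition slide 27 states in words. Whether the passed policy and the IAM user policy agree is otherwise only discovered at request time, as an access-denied error for the federated user.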
  30. Using IAM Roles for Federation
     • Assumed-role sessions can also be used for federation
     • Provides a different option for storing AWS permissions
     • Allows for “separation of duties” in managing AWS permissions
       – Corp admin manages: groups, users, and intranet permissions
       – AWS admin creates roles & maintains policies on those roles
  31. Use Case: Console Federation (Sample -
     • Identity provider
       – Windows Active Directory
       – Privileges based on AD group membership
       – AD groups match the names of IAM roles
     • Relying party is the AWS Management Console
     • Uses an assumed-role session via AssumeRole
  32. Basics of a Role-Based Federation Proxy
     [Diagram: Proxy Server (IAM user), STS, s3-role in Acct ID 111122223333, AWS Management Console]
     Permissions assigned to s3-role:
       { "Statement": [{ "Effect": "Allow", "Action": "s3:*", "Resource": "*" }] }
     Trust policy assigned to s3-role, defining who can assume the role (the external ID must be supplied on the AssumeRole call for the trust to match):
       { "Statement": { "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Condition": { "StringEquals": { "sts:ExternalId": "{SID1234…}" } }, "Effect": "Allow", "Action": ["sts:AssumeRole"] } }
     Policy assigned to the proxy’s IAM user, granting permission to ListRoles and AssumeRole for all roles in the account:
       { "Statement": [{ "Effect": "Allow", "Action": ["iam:ListRoles", "sts:AssumeRole"], "Resource": "arn:aws:iam::111122223333:role/*" }] }
     Flow:
     1. Proxy authenticates to STS with its IAM user’s access keys
     2. Proxy gets temporary security credentials for the chosen role
     3. User logs in to the AWS Management Console using the temporary security credentials
  33. Console Federation Walkthrough (AssumeRole)
     [Diagram: Customer (IdP): browser interface, corporate directory, federation proxy. AWS Cloud (Relying Party): STS, AWS Management Console]
     1. User browses to the proxy URL
     2–3. Proxy authenticates the user against the corporate directory and reads group membership
     4. Proxy sends a ListRoles request to STS/IAM
     5. ListRoles response
     6. Proxy builds a combo box of the roles matching the user’s groups
     7. Proxy sends an AssumeRole request for the chosen role
     8. AssumeRole response with temporary credentials: Access Key, Secret Key, Session Token
     9. Proxy generates the console sign-in URL
     10. Browser is redirected to the console
     Federation proxy:
     • Uses a set of IAM user credentials to make AssumeRoleRequest()
     • IAM user permissions only need to be able to call ListRoles & AssumeRole
     • Proxy needs to securely store these credentials
  34. Console Federation (SSO) Demo
  35. Console Federation – Code Sample
      // using System.IO; using System.Net; using System.Text; using System.Web; using Amazon.SecurityToken.Model;
      public string getSignInURL(Credentials creds, String issuerURL, String consoleURL, String signInURL)
      {
          // Create the sign-in token using the temporary credentials: Access Key ID, Secret Access Key and session token.
          String sessionJson = "{" +
              "\"sessionId\":\"" + creds.AccessKeyId + "\"," +
              "\"sessionKey\":\"" + creds.SecretAccessKey + "\"," +
              "\"sessionToken\":\"" + creds.SessionToken + "\"" +
              "}";
          String getSigninTokenURL = signInURL + "?Action=getSigninToken" +
              "&SessionType=json&Session=" +
              HttpUtility.UrlEncode(sessionJson, Encoding.UTF8);

          // This request carries the secret key and session token: signInURL must be https and the URL must not be logged.
          WebRequest Request = WebRequest.Create(getSigninTokenURL);
          HttpWebResponse WebResponse = (HttpWebResponse)Request.GetResponse();
          Stream data = WebResponse.GetResponseStream();
          StreamReader reader = new StreamReader(data);
          String Response = reader.ReadToEnd();

          // The response is {"SigninToken":"..."}; splitting on ':' and '"' leaves the token at index 4.
          String[] session_encrypted = Response.Split(new Char[] { ':', '"' });
          String signinToken = session_encrypted[4];

          // The login URL carries only the short-lived sign-in token, not the credentials themselves.
          String signinTokenParameter = "&SigninToken=" + HttpUtility.UrlEncode(signinToken, Encoding.UTF8);
          String issuer_param = "&Issuer=" + HttpUtility.UrlEncode(issuerURL, Encoding.UTF8);
          String destination_param = "&Destination=" + HttpUtility.UrlEncode(consoleURL, Encoding.UTF8);
          String loginURL = signInURL + "?Action=login" + signinTokenParameter + issuer_param + destination_param;
          return loginURL;
      }
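The same federation-endpoint exchange as slide 35, as an added Python example rather than the talk’s C# code: build the `getSigninToken` request from the temporary credentials, parse the endpoint’s JSON reply as JSON instead of splitting on quotes, and build the final `login` URL. The endpoint URL `https://signin.aws.amazon.com/federation` and the optional `SessionDuration` parameter are AWS’s documented interface; the credentials, the reply body and the issuer/destination values in `demo()` are constructed, and the network call is kept in its own function so everything else runs offline.

```python
"""Added example: the two-step AWS console federation exchange in Python.
Only fetch_signin_token() touches the network; demo() uses a constructed reply."""
import json
import urllib.parse
import urllib.request

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def build_get_signin_token_url(access_key_id, secret_access_key, session_token,
                               session_duration=None, endpoint=FEDERATION_ENDPOINT):
    """Step 1: ask the federation endpoint to exchange the session for a sign-in token.
    The URL contains the secret key and session token, so it must never be logged."""
    session = {"sessionId": access_key_id, "sessionKey": secret_access_key,
               "sessionToken": session_token}
    params = {"Action": "getSigninToken", "SessionType": "json",
              "Session": json.dumps(session, separators=(",", ":"))}
    if session_duration is not None:  # console session length in seconds, for role credentials
        params["SessionDuration"] = str(session_duration)
    return endpoint + "?" + urllib.parse.urlencode(params)


def parse_signin_token(body):
    """The endpoint answers {"SigninToken": "..."}; parse it as JSON rather than by position."""
    token = json.loads(body).get("SigninToken")
    if not token:
        raise ValueError("federation endpoint reply contained no SigninToken")
    return token


def fetch_signin_token(url):
    """Network step, not exercised offline: GET the step-1 URL and parse the reply."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return parse_signin_token(resp.read().decode("utf-8"))


def build_login_url(signin_token, issuer, destination, endpoint=FEDERATION_ENDPOINT):
    """Step 2: the URL the browser is redirected to. It carries the short-lived sign-in
    token only; the access key, secret key and session token stay on the proxy."""
    params = {"Action": "login", "Issuer": issuer, "Destination": destination,
              "SigninToken": signin_token}
    return endpoint + "?" + urllib.parse.urlencode(params)


def query_params(url):
    """Decode a URL's query string into a dict (used to inspect the URLs built above)."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))


def demo():
    """Constructed inputs: not real credentials, not a real sign-in token."""
    req_url = build_get_signin_token_url("ASIAEXAMPLE", "secret-not-real", "token-not-real",
                                         session_duration=43200)
    constructed_reply = '{"SigninToken":"EXAMPLE-SIGNIN-TOKEN"}'
    token = parse_signin_token(constructed_reply)
    login_url = build_login_url(token, "https://intranet.example.com/",
                                "https://console.aws.amazon.com/s3/")
    return req_url, login_url
```

In production the proxy calls `fetch_signin_token(build_get_signin_token_url(...))` server-side over TLS and redirects the browser to `build_login_url(...)` immediately, since the sign-in token itself is only valid for a short time (15 minutes, per the federation endpoint documentation).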
  36. Federation Benefits
     • Leverage your existing corporate identities
     • Use the username/password you already know
     • Enforce corporate policies/governance
     • When employees leave, you only need to delete their corporate account
  37. Variable Substitution
     • Use cases enabled
       – Easily enable users to manage their own credentials
       – Easily set up access to a “home folder” in S3
       – Personal topics (SNS) or queues (SQS)
     • Benefits
       – Reduces the need for per-user policies
       – Variables are based on the request context
         • Keys (e.g., aws:SourceIP, etc.)
         • New keys (aws:username, aws:userid, aws:principaltype)
     Example: one policy that gives every user their own home folder in myBucket
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Action": ["s3:ListBucket"],
             "Effect": "Allow",
             "Resource": ["arn:aws:s3:::myBucket"],
             "Condition": { "StringLike": { "s3:prefix": ["home/${aws:username}/*"] } }
           },
           {
             "Action": ["s3:*"],
             "Effect": "Allow",
             "Resource": ["arn:aws:s3:::myBucket/home/${aws:username}/*", "arn:aws:s3:::myBucket/home/${aws:username}"]
           }
         ]
       }
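Three policy shapes appear in this deck: the two-sided cross-account check of slide 20 (the caller’s identity policy and the role’s trust policy must both allow `sts:AssumeRole`), the same trust check with an `sts:ExternalId` condition on slide 32, and the `${aws:username}` home-folder policy above. The following is an added example, not code from the talk: a small evaluator for exactly those shapes (Allow/Deny, `*` and `?` wildcards, StringEquals and StringLike conditions, policy variables), so the decisions can be checked offline. It is not the real IAM engine. The policies and account IDs are the slides’ own; the caller names, the object keys and the external ID value are constructed, the latter because the slide elides it.

```python
"""Added example: a minimal evaluator for the policy shapes on slides 20, 32 and 37.
It models the slides' semantics (account-root principal in a trust policy, explicit
Deny wins, conditions, ${...} variables); it is not the real IAM engine."""
import fnmatch
import re


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(pattern, value):
    return fnmatch.fnmatchcase(value, pattern)  # IAM wildcards: '*' and '?'


def expand(text, context):
    """Substitute ${key} policy variables (slide 37) from the request context."""
    return re.sub(r"\$\{([\w:]+)\}", lambda m: context.get(m.group(1), m.group(0)), text)


def _condition_ok(condition, context):
    ops = {"StringEquals": lambda pattern, value: pattern == value, "StringLike": _match}
    for op, keys in condition.items():
        if op not in ops:
            raise NotImplementedError(op)
        for key, patterns in keys.items():
            value = context.get(key)  # a key missing from the request never satisfies a condition
            if value is None or not any(ops[op](expand(p, context), value) for p in _as_list(patterns)):
                return False
    return True


def evaluate(policy, action, resource, context=None, principal=None):
    """Return 'Allow', 'Deny' or 'Implicit deny'. Principal is only checked for statements
    that carry one (trust policies); an account-root principal matches any IAM principal
    of that account, which is how the slides' trust policies are written."""
    context = context or {}
    decision = "Implicit deny"
    for stmt in _as_list(policy["Statement"]):
        if not any(_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(expand(r, context), resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if "Principal" in stmt:
            trusted = _as_list(stmt["Principal"].get("AWS", []))
            root = "arn:aws:iam::%s:root" % principal.split(":")[4] if principal else None
            if principal not in trusted and root not in trusted and "*" not in trusted:
                continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def can_assume(caller_arn, caller_policy, role_arn, trust_policy, context=None):
    """Slide 20: the caller's identity policy AND the role's trust policy must both allow."""
    return (evaluate(caller_policy, "sts:AssumeRole", role_arn) == "Allow" and
            evaluate(trust_policy, "sts:AssumeRole", role_arn, context, principal=caller_arn) == "Allow")


# Policies from slides 20, 32 and 37; account IDs are the slides' own.
ROLE_ARN = "arn:aws:iam::111122223333:role/s3-role"
JEFF_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
S3_ROLE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}
PROXY_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["iam:ListRoles", "sts:AssumeRole"],
                               "Resource": "arn:aws:iam::111122223333:role/*"}]}
EXTERNAL_ID = "{SID1234-example}"  # constructed stand-in for the value the slide elides
S3_ROLE_TRUST_EXTID = {"Statement": {"Effect": "Allow", "Action": ["sts:AssumeRole"],
                                     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                                     "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}}
HOME_FOLDER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::myBucket"],
     "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}},
    {"Action": ["s3:*"], "Effect": "Allow",
     "Resource": ["arn:aws:s3:::myBucket/home/${aws:username}/*", "arn:aws:s3:::myBucket/home/${aws:username}"]}]}


def demo():
    """Decisions for constructed callers: Jeff and a user from an untrusted account (slide 20),
    the proxy with and without the external ID (slide 32), and 'alice' against the
    home-folder policy (slide 37)."""
    alice = {"aws:username": "alice", "s3:prefix": "home/alice/"}
    proxy = "arn:aws:iam::111122223333:user/proxy"
    return {
        "jeff": can_assume("arn:aws:iam::123456789012:user/Jeff", JEFF_POLICY, ROLE_ARN, S3_ROLE_TRUST),
        "other_account": can_assume("arn:aws:iam::999988887777:user/Mallory", JEFF_POLICY, ROLE_ARN, S3_ROLE_TRUST),
        "proxy_with_extid": can_assume(proxy, PROXY_POLICY, ROLE_ARN, S3_ROLE_TRUST_EXTID, {"sts:ExternalId": EXTERNAL_ID}),
        "proxy_no_extid": can_assume(proxy, PROXY_POLICY, ROLE_ARN, S3_ROLE_TRUST_EXTID),
        "alice_list_home": evaluate(HOME_FOLDER_POLICY, "s3:ListBucket", "arn:aws:s3:::myBucket", alice),
        "alice_list_root": evaluate(HOME_FOLDER_POLICY, "s3:ListBucket", "arn:aws:s3:::myBucket", {"aws:username": "alice"}),
        "alice_own_object": evaluate(HOME_FOLDER_POLICY, "s3:GetObject", "arn:aws:s3:::myBucket/home/alice/doc.txt", alice),
        "alice_bobs_object": evaluate(HOME_FOLDER_POLICY, "s3:GetObject", "arn:aws:s3:::myBucket/home/bob/doc.txt", alice),
    }
```

Two of the results are the ones to look at: the proxy without the external ID is refused even though its own policy allows `sts:AssumeRole` on the role, which is the confused-deputy protection the slide 32 condition buys; and alice can list her bucket only with the `home/alice/` prefix on the request, so a plain ListBucket of the whole bucket fails.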
  38. Access Control Policy Variables Demo
  39. Delegation options: Choosing the right session type
  40. Considerations When Choosing Session Type
     • What services do you want to use?
     • Where do you want to maintain AWS permissions?
       – Within your enterprise?
       – Within AWS?
     • How are permissions derived?
  41. What Services Support Sessions?
     [Table: per-service support for federated vs. assumed-role sessions; the check marks did not survive extraction]
     • Security Token Service
     • AWS Identity and Access Management (IAM)
     • AWS CloudFormation
     • AWS Elastic Beanstalk
     • Amazon Elastic MapReduce
     • All other services
     Accurate as of 4/30/2013. See [link] for the most up-to-date list.
  42. Where Do You Want to Maintain AWS Permissions?
     Within your enterprise:
     • Use a federated session
     • Proxy will require maximum permissions
     • Required: attach a policy to the request
     Within AWS:
     • Use an assumed-role session
     • Proxy will only require ListRoles & AssumeRole permissions
     • Optional: attach a policy to the request
  43. Summary: Use Cases
     Cross-Account API Access
     • Use one set of credentials
     • No more sharing long-term credentials
     • Revoke access to the role any time you want!
     Federation
     • Leverage your existing corporate identities
     • Use the username/password you already know
     • Enforce corporate policies/governance
     • When employees leave, you only need to delete their corporate account
  44. Summary: Technology
     Sessions are the heart of delegation
     • Use the keys to sign API requests
     • Use the token as a parameter when making requests
     Request sessions (federated/assumed-role) by calling AWS STS
     • Variable expiration timeframes
     • Service support varies per session type
     • AWS permissions are derived differently
     Choose the right session for the job
  45. For More Information
     • Learn more from our home page – [link]
     • This is the IAM forum where we hang out – https://
     • Developer documentation – [link]