AWS supports logging in with Federated Access, using SAML or integration with Active Directory. This is integrated with user Roles in AWS which provide the permissions to access various services. in this session we will explain the options for authentication. we will cover basic access control concepts and in addition we will use AWS Systems Manager to talk about how you can also facilitate secured access to your Instances. AWS Services: IAM, AWS SSO, Managed Active Directory, AWS Systems Manager (With Demo)

1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Lior Pollack, Solutions Architect – Security & Compliance TFC
February 2019
Federating Identity and Access
Understanding key concepts and use cases

2. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
Learn about Identity & Access Management in AWS
Identify patterns for accessing AWS
Use cases & Demo

3. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What do we mean when we say
“federation”?

4. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Identity consumersIdentity providers
Definition (for today)
Stores
identities
Authentication Authorization
(Coarse)
Authorization
(Fine)
Trust
Stores
references
Protocols
No Sync

5. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Every service has an API Endpoint
Control Plane Data Plane
EC2 Simple
Storage
Service
(S3)
DynamoDB

6. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Understanding planes of access
Amazon EC2
Control plane—AWS API
(e.g. ec2:StartInstance)
Data plane—Amazon VPC
connection (e.g., SSH, RDP)
Different:
• Paths
• Credentials
• Protocols

7. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Understanding planes of access
Amazon
DynamoDB
Control plane—AWS API
(e.g. dynamodb:CreateTable)
Data plane—AWS API
(e.g. dynamodb:GetItem)
Same:
• Path
• Credential
• Protocol

8. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Action – Properties – Resource
• ec2:runInstances
• imageId <values>
• Availablity Zone <value>
• Out: Specific Instances (Resource)
• dynamodb:putItem
• Table Name <value>
• Item <Value>
• Specific Table (Resource)
‫פ‬‫ע‬‫ו‬‫ל‬‫ה‬:‫ב‬‫ק‬‫ש‬‫ה‬‫ל‬‫ק‬‫ב‬‫ל‬‫ת‬‫ש‬‫ר‬‫ת‬‫י‬‫ם‬)Instances(
‫ה‬‫ג‬‫ד‬‫ר‬‫ו‬‫ת‬:‫מ‬‫א‬‫י‬‫ז‬‫ה‬Image‫ו‬‫ה‬‫י‬‫כ‬‫ן‬‫ל‬‫מ‬‫ק‬‫ם‬
‫פ‬‫ו‬‫ע‬‫ל‬‫ע‬‫ל‬:‫ב‬‫ק‬‫ש‬‫ת‬‫מ‬‫ש‬‫א‬‫ב‬‫י‬‫ם‬‫ח‬‫ד‬‫ש‬‫י‬‫ם‬.
‫פ‬‫ע‬‫ו‬‫ל‬‫ה‬:‫ל‬‫כ‬‫ת‬‫ו‬‫ב‬‫א‬‫ו‬‫ב‬‫י‬‫י‬‫ק‬‫ט‬‫ל‬‫ב‬‫ס‬‫י‬‫ס‬‫ה‬‫נ‬‫ת‬‫ו‬‫נ‬‫י‬‫ם‬
‫ה‬‫ג‬‫ד‬‫ר‬‫ו‬‫ת‬:‫ש‬‫ם‬‫ה‬‫ט‬‫ב‬‫ל‬‫א‬,‫ה‬‫פ‬‫ר‬‫י‬‫ט‬‫ל‬‫כ‬‫ת‬‫י‬‫ב‬‫ה‬
‫פ‬‫ו‬‫ע‬‫ל‬‫ע‬‫ל‬:‫ה‬-‫ט‬‫ב‬‫ל‬‫א‬‫ש‬‫ב‬‫ר‬‫צ‬‫ו‬‫נ‬‫נ‬‫ו‬‫ל‬‫ש‬‫נ‬‫ו‬‫ת‬
‫ב‬‫ע‬‫ב‬‫ר‬‫י‬‫ת‬
‫מ‬‫ו‬‫ת‬‫ר‬?‫ל‬‫מ‬‫י‬?‫מ‬‫ת‬‫י‬?
‫מ‬‫א‬‫י‬‫פ‬‫ה‬?‫מ‬‫ה‬‫ב‬‫ד‬‫י‬‫ו‬‫ק‬?

9. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
IAMAWS Security Token
Service
The ABCs – Stuff you must know before we start

10. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The ABCs of AWS IAM
• I: Identity. AWS IAM lets you create identities in your AWS account who
can make authenticated requests to AWS
• AM: Access Management. AWS IAM is your tool for defining who has
permissions to do what to which resources in IAM.
• IAM is the AWS-wide permissions control system. So you need to know it.
IAM

11. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Anatomy of API call to an AWS service
https://ec2.amazonaws.com/?Action=RunInstances &ImageId=ami-
2bb65342 &MaxCount=3 &MinCount=1 &Placement.AvailabilityZone=us-
east-1a &Monitoring.Enabled=true &Version=2016-11-15 &X-Amz-
Algorithm=AWS4-HMAC-SHA256 &X-Amz-
Credential=AKIAIOSFODNN7EXAMPLE_us-east-1%2Fec2%2Faws4_request
&X-Amz-Date=20130813T150206Z &X-Amz-SignedHeaders=content-
type%3Bhost%3Bx-amz-date &X-Amz-
Signature=ced6826de92d2bdeed8f846f0bf508e8559e98e4b0194b84example
54174deb456c
Content-type: application/json
host:ec2.amazonaws.com
‫ת‬‫מ‬‫י‬‫ד‬ ‫ה‬API‫ש‬‫ל‬‫ה‬‫ש‬‫י‬‫ר‬‫ו‬‫ת‬‫ה‬‫מ‬‫ב‬‫ו‬‫ק‬‫ש‬ ‫פ‬‫ר‬‫מ‬‫ט‬‫ר‬‫י‬‫ם‬‫ה‬‫פ‬‫ע‬‫ו‬‫ל‬‫ה‬‫ה‬‫מ‬‫ב‬‫ו‬‫ק‬‫ש‬‫ת‬
‫ח‬‫ת‬‫י‬‫מ‬‫ה‬‫ד‬‫י‬‫ג‬‫י‬‫ט‬‫ל‬‫י‬‫ת‬–‫ל‬‫א‬‫ע‬‫ו‬‫ב‬‫ר‬‫ב‬‫ל‬‫י‬‫ז‬‫ה‬!
)‫ז‬‫י‬‫ה‬‫ו‬‫י‬‫ש‬‫ל‬‫ה‬‫מ‬‫פ‬‫ת‬‫ח‬,‫ת‬‫א‬‫ר‬‫י‬‫ך‬,‫ו‬‫כ‬‫ו‬‫׳‬(.
IAM

12. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Term: IAM Policy
• Every AWS service supports
authorization via IAM Policy
• AWS authorizes every API call
against the IAM Policies that
apply
• IAM Policies can be attached
to IAM Roles, Users, and
Groups
• Later in this talk: Other places
IAM Policy can be attached.
IAM

13. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Granular access policies
• JSON-formatted documents
• Contain a statement
(permissions) that specifies:
• Which actions a principal can
perform
• Which resources can be accessed
{
"Statement":[{
"Effect":"effect",
"Principal":"principal",
"Action":"action",
"Resource":"arn",
"Condition":{
"condition":{
"key":"value" }
}
}
]
}
Principal
Action
Resource
Condition
IAM

14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
{
"Statement":[{
"Effect":"Allow",
"Action":["ec2:TerminateInstances"],
"Resource":["*"],
"Condition":{
"Null":{"aws:MultiFactorAuthAge":"false"}
}
}
]
}
Enables a user to terminate EC2 instances only if the
user has authenticated with their MFA device.
MFA
{
"Statement":[{
"Effect":"Allow",
"Action":"iam:*AccessKey*",
"Resource”:"arn:aws:iam::123456789012:user/*",
"Condition":{
"Bool":{"aws:SecureTransport":"true"}
}
}
]
}
Enables a user to manage access keys for all IAM users only if the
user is coming over SSL.
SSL
{
"Statement":[{
"Effect":"Allow",
"Action":["ec2:*Route*“],
"Resource":["*“],
"Condition":{
"IpAddress":{"aws:SourceIP":"192.168.176.0/24"}
}
}
]
}
Enables a user to change routing tables only if the user is accessing
Amazon EC2 from 192.168.176.0/24.
SourceIP
{
"Statement":[{
"Effect": "Allow",
"Action":"ec2:TerminateInstances",
"Resource": "*",
"Condition":{
"StringEquals":{"ec2:ResourceTag/Environment":"Dev"}
}
}
]
}
Enables a user to terminate EC2 instances only if the instance is
tagged with “Environment=Dev”.
Tags
IAM Policy Examples (Allow + Conditions)
IAM

15. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadOnlyAccessToUserItems",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query"
],
"Resource": "arn:aws:dynamodb:us-
west-2:123456789012:table/GameScores",
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${www.amazon.com:user_id}"
]
…
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PreventUpdatesOnCertainAttributes",
"Effect": "Allow",
"Action": [
"dynamodb:UpdateItem"
],
"Resource": "arn:aws:dynamodb:us-west-
2:123456789012:table/GameScores",
"Condition": {
"ForAllValues:StringNotLike": {
"dynamodb:Attributes": [
"FreeGamesAvailable",
"BossLevelUnlocked"
]
…
Limitqueryyourownuser
PreventUpdatingSpecificAttributes
Data Plane Examples (DynamoDB):

16. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Don’t Worry if you don’t like JSON…
IAM

17. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Sane default policies provided IAM

18. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Restricting access with policies:
• Implicit Deny (what’s not explicitly allowed is denied)
• Explicit Deny
ØService Control Policies
(i.e. account wide - controlled by organization).
Ø IAM Policy (i.e. per user/group or role assigned).
• Permission Boundaries
Ø Used to restrict what permissions a principal can pass-on to
other principal it can create.
IAM

19. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Term: IAM Principal
An IAM Principal is an identity defined within an AWS
account.
IAM
IAM Roles IAM Users
IAM Roles are for:
• Automated processes
• AWS Services
• Federated identities
IAM Roles authenticate using
short-lived credentials.
IAM Users are for:
• Direct human access
IAM Users authenticate
using long-lived credentials

20. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Temporary Security Credentials (AWS STS)
Session
Access Key Id
Secret Access Key
Session Token
Expiration
Temporary Security Credentials
15 minutes to 36 hours
(default 12 hours)
Use Cases
Cross account access
Federation (SAML2/OAUTH2)
Key Rotation for Application Roles
(EC2, Lambda, ECS/Fargate)
Web/Mobile Applications

21. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Mechanics of (Cross-Account) assume role
Target AWS account
IAM Role
Permission Policy:
Controls access to
AWS services & resources
Trust Policy:
Specifies the Principals who
can assume the role, and a
shared secret (external id)
Source AWS account
IAM Role
IAM User
Permission Policy:
Allows sts:AssumeRole
to remote role (in target)
sts:AssumeRole
Short-term credential
Invoke AWS APIs
Access Mgmt Console
(You) (External entity)(or vice versa)

22. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Identity & Federation

23. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SAML to AWS
federation IdP
1) authentication
Assertion
2) authn, attributes
3) assertion
federation SP
STS
4) AssumeRoleWithSAML()
IAM Role
(STS Credentials)
5)Query()
Directory
{STS Credentials}
STS
Credentials

24. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Basic Access Patterns
Cross-
account
trust
SAML
Amazon
Redshift
Amazon RDS
(Aurora, MySQL)
Amazon
QuickSight
Amazon
AppStream
Data plane APIs
SaaS Apps (Outside AWS)
Console API CLI
External
Apps
IdPCredential
AWS Cred
Windows/
Amazon EC2
Amazon
WorkSpaces
Amazon RDS
(SQL Server)
Amazon
WorkDocs
Amazon
WorkMail

25. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
3 ways to Single Sign On:
Using AWS Single
Sign On Directory
Federation Direct Integration
with Directory
Services
Social/OIDC with:
Amazon Cognito
Directly with:
AWS Active Directory
Simple AD
AD Connector

26. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Mental model
Evaluation SelectionUse cases Blueprints

27. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Basic SAML federation
Metadata
Configuration
Details

28. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Directory Services

29. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hybrid forest: AD Connector
Haifa
DC1
Tel Aviv
DC2
Proxy to use a specific AD Domain
VPC
Availability zone
Subnet
On-Premise
Availability zone
Subnet
VPN
ConnectionVPN Gateway Customer
gateway
Company.local
LDAP
Authentication over
SSL
AD ConnectorAD Connector
WorkDocs
WorkMail
WorkSpaces

30. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hybrid forest: AD Connector
Haifa
DC1
Tel Aviv
DC2
Proxy to use a specific AD Domain
VPC
Availability zone
Subnet
On-Premise
Availability zone
Subnet
VPN
ConnectionVPN Gateway Customer
gateway
Company.local
LDAP
Authentication over
SSL
AD ConnectorAD Connector
WorkDocs
WorkMail
WorkSpaces

31. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hybrid forest: Managed AD
Haifa
DC1
Tel Aviv
DC2
Establish one / two way trust to a forest / child / tree
domain (Incoming/Outgoing and Two-way directions)
VPC
Availability zone
Subnet
On-Premise
Availability zone
Subnet
Company.cloud
VPN
ConnectionVPN Gateway Customer
gateway
Company.local
Trust relationship
Amazon RDS
WorkDocs
WorkMail
WorkSpaces
Third-party

32. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hybrid forest: Managed AD + Multiple accounts
Use AWS Managed Microsoft AD Directory from multiple accounts and VPCs
VPC
Company.cloud
Account 1
VPC
Company.cloud
Account 2
Peering
Directory Sharing to
external account /
AWS Organizations
• Share the directory
with other AWS
accounts to extend
user access to your
AWS applications and
services.
• Support seamlessly
domain join to the
directory

33. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS SSO

34. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS SSO
Centrally manage single sign-on (SSO) access to multiple
AWS accounts and business applications.
Linked account
Master account
AWS
Organizations
Shared resources account
RoleAWS STS
Linked account
RoleAWS STS
Amazon
Connect
Amazon
WorkMail
Amazon
WorKSpaces
RDS for SQL
Server
Amazon
WorkDocs
Amazon
QuickSight
Amazon
Chime
Use AD as IDP /
Use SSO Directory

35. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Role
Centrally manage single sign-on (SSO) access to multiple
AWS accounts and business applications.
Linked account
AWS SSO
Master account
AWS
Organizations
Shared resources account
AWS STS
Linked account
RoleAWS STS
Amazon
Connect
Amazon
WorkMail
Amazon
WorKSpaces
RDS for SQL
Server
Amazon
WorkDocs
Amazon
QuickSight
Amazon
Chime
Use AD as IDP /
Use SSO Directory

36. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo

37. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo:
Federation:
Job functions
Network admin vs
Developer
Controlling access
to Dataplane with
IAM Policies
EC2 Instance Profile
(Lambda / ECS…)
AWS SSO

38. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS SSO DEMO

39. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

40. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
EC2 Instance (Profile) Role

41. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS IAM Roles - Instance Profiles
Amazon EC2
App &
EC2 MetaData Service
http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename
Amazon S3
1
2
3
4
Create Instance
SelectIAMRole
ApplicationinteractswithS3

42. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
So, EC2 data plane out of scope for
IAM? Well… here’s how to fix it!

43. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Understanding planes of access
Amazon EC2
Control plane—AWS API
(e.g. ec2:StartInstance)
Data plane—Amazon VPC
connection (e.g., SSH, RDP)
Different:
• Paths
• Credentials
• Protocols

44. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Systems Manager
Hybrid Cloud Management at Scale
AWS cloud
corporate data
center
IT Admin, DevOps
Engineer
Role-based
Access Control
A set of capabilities that:
• Enables role based server management
• Audits every management action
• Are free - no charge to use
• Manages thousands of Windows and Linux
instances running on anywhere
(Amazon EC2, other clouds, or on-premises)

45. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Session Manager
VPC boundary
AZ boundary
Subnet
Security group
IAM
permissions
IAM or Federated
No ports
open
Control
access
SSM using
IAM
Session
Manager
SSM
endpoint

46. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you.
Lior Pollack – Solutions Architect