Are you hard-coding credentials in your software? Do you have passwords you need to centrally manage while maintaining access control? In this session you will learn the best ways of using the AWS platform to build applications with zero knowledge of the credentials they use. AWS and Xero will talk about the various methods AWS gives you to handle secret values with confidence, using automation, in a multi-account environment. From IAM Roles to bearer tokens and automatically rotated secrets, we will walk through a real-life application and show how easy it is to keep your secrets safe.
3. Who are Xero?
• We help small businesses thrive worldwide
• Best known for our accounting platform
• 1.58+ million subscribers
• 2,300 employees
• ~700 of whom are developers or engineers
4. Who am I?
• I’m Rupert
• I help Security Engineers thrive in Wellington, New Zealand
• Our team continuously deploys edge and platform security infrastructure
• We have built fully-automated AWS identity management for our users
5. ‘Zero Knowledge’ security model in AWS
• IAM for users, at scale
• Maintaining developer velocity
• AWS root accounts, at scale
• Building Zero Knowledge applications
6. AWS users in multi-account environments
[Diagram: a Test account and a Prod account, each holding an IAM Role created by an AWS CloudFormation Stack]
7. AWS users in multi-account environments
• Third Party Federation: bring-your-own-identities
• AWS Single Sign-On: a fully-managed solution for growing teams
• Identity Account: an AWS account (a dedicated member account, not the root user) used specifically for human IAM
9. Federated AWS IAM
• Bring your existing tooling
• AWS-supported integration partners
• Authentication via OIDC or SAML is available
• Trust the IdP’s attributes, or also lock them down on the AWS side: the role trust policy can condition sts:AssumeRoleWithSAML on keys such as saml:aud and saml:sub
10. Federated AWS IAM
[Diagram: the IdP’s SAML Assertion is exchanged in the Master Account (via AWS CloudFormation) for a Federation Token per target account; Account A, Account B and Account C each hold an IAM Role created by an AWS CloudFormation Stack]
11. AWS users in multi-account environments: AWS Single Sign-On, a fully-managed solution for growing teams
12. AWS Single Sign-On
• Managed AWS service
• Integrates with Active Directory
• Multi-factor authentication via AD & RADIUS
• Authorisation is via SSO Permission Sets
13. AWS Single Sign-On
[Diagram, steps 1–5: Users authenticate through AWS Directory Service with MFA from a RADIUS Server; AWS Single Sign-On in the Master Account maps them via Permission Sets to IAM Roles in Account A, Account B and Account C]
14. AWS users in multi-account environments: Identity Account, an AWS account used specifically for human IAM
15. Identity account
• Full support of existing IAM features like MFA and the CLI
• Allows for AuthZ via Groups or Policies
• Centralises IAM Users away from other accounts
• No cost
16. Identity account
[Diagram, built up over slides 16 and 17, steps 1–3: IAM Users and IAM Policies live in the Identity account; Users authenticate with MFA and assume IAM Roles in Account A, Account B, Account C and the Master Account]
18. Authorisation of AssumeRole
• 7 “standard” IAM Roles for AssumeRole
• ~100 AWS Accounts
• 7 roles × ~100 accounts ≈ 700 unique roles
• Users could hypothetically require any Role in any Account in any combination
• Too many possible combinations to be managed via Groups
19. Platform Access Control Manager
• AWS IAM access, KMS key management
• Rotates Access Keys across all accounts
• Approval workflow for granular access requests
• Database access management
20. Platform Access Control Manager
• Users don’t need additional credentials
21. Platform Access Control Manager
[Diagram: Users authenticate with MFA against IAM Users in the Identity Account; Request Access → Changes → Modify Policy updates the IAM Policies attached to them]
1 IAM Managed Policy per User, listing exactly the roles that user has been approved for:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [
            "arn:aws:iam::123456789012:role/Developer",
            "arn:aws:iam::123456789012:role/Admin",
            "arn:aws:iam::098765432109:role/ReadOnly"
        ]
    }]
}
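The per-user managed policy above is generated, not hand-written, so here is an added example (not Xero’s PACMAN code) of the generator side: it turns the (account, role) grants an approval workflow has signed off into that one policy document, adds the MFA condition the diagram implies but the slide’s policy does not show, and checks the result against IAM’s 6,144-character managed-policy size limit (counted without whitespace). The grant shape, the Sid and the policy_diff helper are assumptions for the example.

```python
"""Build the one-managed-policy-per-user document from approved grants.

Added example, not Xero's PACMAN code. Assumed: grants arrive as
(account_id, role_name) pairs from the approval workflow; the MFA condition
is implied by the slide's MFA annotation rather than shown in its policy;
6,144 is IAM's documented managed-policy size limit, counted without whitespace.
"""
import json
import re

MANAGED_POLICY_MAX_CHARS = 6144
_ACCOUNT_RE = re.compile(r"^\d{12}$")
_ROLE_RE = re.compile(r"^[\w+=,.@-]{1,64}$")


def role_arn(account_id, role_name):
    """Validate a grant and render it as a role ARN."""
    if not _ACCOUNT_RE.match(account_id):
        raise ValueError(f"bad account id: {account_id!r}")
    if not _ROLE_RE.match(role_name):
        raise ValueError(f"bad role name: {role_name!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def build_assume_role_policy(grants, require_mfa=True):
    """One Allow statement listing exactly the approved roles, nothing wider."""
    resources = sorted({role_arn(a, r) for a, r in grants})
    statement = {
        "Sid": "AssumeApprovedRoles",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": resources,
    }
    if require_mfa:
        # Refuse the AssumeRole call unless the user's session carried MFA.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def policy_size(policy):
    """IAM counts a policy's size without whitespace; compact JSON matches that."""
    return len(json.dumps(policy, separators=(",", ":")))


def fits_managed_policy_limit(policy):
    return policy_size(policy) <= MANAGED_POLICY_MAX_CHARS


def granted_roles(policy):
    """Read the role ARNs back out of a policy produced above."""
    roles = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and stmt.get("Action") == "sts:AssumeRole":
            res = stmt["Resource"]
            roles.update([res] if isinstance(res, str) else res)
    return roles


def policy_diff(current_policy, new_grants):
    """What the 'Modify Policy' step would add and remove for one user."""
    wanted = {role_arn(a, r) for a, r in new_grants}
    have = granted_roles(current_policy)
    return {"add": sorted(wanted - have), "remove": sorted(have - wanted)}


if __name__ == "__main__":
    grants = [("123456789012", "Developer"), ("123456789012", "Admin"),
              ("098765432109", "ReadOnly")]
    policy = build_assume_role_policy(grants)
    print(json.dumps(policy, indent=2))
    print("fits:", fits_managed_policy_limit(policy), "size:", policy_size(policy))
    # 7 roles in ~100 accounts, as on slide 18, does not fit one managed policy:
    every_role = [(f"{i:012d}", f"Role{j}") for i in range(100) for j in range(7)]
    print("all combinations fit:", fits_managed_policy_limit(build_assume_role_policy(every_role)))
```

The size check is the practical reason the policy must list only approved roles: every possible (account, role) pair from slide 18 comes to roughly 27,000 characters, several times the limit, so "one policy per user" only works because each user holds a short list.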
23. Platform Access Control Manager
[Diagram: the PACMAN Account runs Database Access, KMS Management, an IAM Policy Processor and Parameter Store; it manages IAM Users and IAM Policies in the Identity Account, AWS Directory Service in the Directory Account and AWS Key Management Service in the KMS Account]
24. (Not) handling secrets within applications: let AWS handle them for you
• AWS Systems Manager Commands
• AWS Secrets Manager
• AWS Key Management Service
• IAM Roles
27. IAM roles are secure and versatile
[Diagram: the PACMAN Account (Database Access, KMS Management, IAM Policy Processor, Parameter Store) reaches the KMS Account and the Identity Account through AWS STS, assuming an IAM Role in each]
28. Secrets Manager
• Key-value pairs
• Native and custom secret rotation
• Cross-account access
• AuthZ with KMS Key and Resource Policies
• CloudFormation via Dynamic References
29. (Not) handling secrets within applications
[Diagram, AWS Region – Sydney: AWS CloudFormation provisions the stack; the Application calls GetSecretValue on AWS Secrets Manager, receives {Ua, Pa} and uses them to reach its Data in Amazon RDS]
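Slide 28 lists rotation and slide 29 shows the application calling GetSecretValue; what neither shows is what the application does when the secret rotates underneath it. The following is an added example, not code from the deck or from Xero, of a small cache in front of GetSecretValue plus a connect helper that refetches once when the database rejects a cached credential. It is written so that boto3’s real client (boto3.client("secretsmanager")) can be passed as `client`; the FakeSecretsManager and FakeDatabase are constructed stand-ins so it runs offline, and AuthError stands in for whatever the real DB driver raises on a bad password.

```python
"""Rotation-aware secret retrieval for the application in the slide-29 flow.

Added example, not code from the deck or from Xero. `client` may be
boto3.client("secretsmanager"); the call shape used below
(get_secret_value(SecretId=...) -> {"SecretString": ...}) is boto3's.
FakeSecretsManager, FakeDatabase and AuthError are constructed stand-ins.
"""
import json
import time


class AuthError(Exception):
    """Raised by the (assumed) DB driver when the username/password is rejected."""


class SecretCache:
    """Caches one secret's parsed SecretString; refetches after ttl or on demand."""

    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self._client = client
        self._secret_id = secret_id
        self._ttl = ttl_seconds
        self._clock = clock
        self._value = None
        self._fetched_at = None
        self.fetch_count = 0  # number of GetSecretValue calls made so far

    def get(self, force_refresh=False):
        stale = self._value is None or (self._clock() - self._fetched_at) >= self._ttl
        if force_refresh or stale:
            resp = self._client.get_secret_value(SecretId=self._secret_id)
            self._value = json.loads(resp["SecretString"])  # {"username": ..., "password": ...}
            self._fetched_at = self._clock()
            self.fetch_count += 1
        return self._value


def connect_with_rotation_retry(cache, connect):
    """Connect with the cached credential; if the DB rejects it (a rotation
    landed since we fetched), refetch the AWSCURRENT value once and retry."""
    creds = cache.get()
    try:
        return connect(creds["username"], creds["password"])
    except AuthError:
        creds = cache.get(force_refresh=True)
        return connect(creds["username"], creds["password"])  # propagates if still wrong


class FakeSecretsManager:
    """Constructed offline stand-in for the Secrets Manager API: holds the
    AWSCURRENT version of one secret and lets the caller rotate it."""

    def __init__(self, secret_id, username, password):
        self.secret_id = secret_id
        self.current = {"username": username, "password": password}

    def rotate(self, new_password):
        self.current = dict(self.current, password=new_password)

    def get_secret_value(self, SecretId):
        if SecretId != self.secret_id:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, "SecretString": json.dumps(self.current)}


class FakeDatabase:
    """Constructed stand-in for Amazon RDS: accepts only its current password."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.connections = 0

    def connect(self, username, password):
        if (username, password) != (self.username, self.password):
            raise AuthError("access denied")
        self.connections += 1
        return f"connection#{self.connections}"


if __name__ == "__main__":
    sm = FakeSecretsManager("MyRDSSecret", "appuser", "p1")
    db = FakeDatabase("appuser", "p1")
    cache = SecretCache(sm, "MyRDSSecret")
    print(connect_with_rotation_retry(cache, db.connect))  # first fetch, then connects
    print(connect_with_rotation_retry(cache, db.connect))  # cache hit, no fetch
    sm.rotate("p2")
    db.password = "p2"                                     # rotation lands in both
    print(connect_with_rotation_retry(cache, db.connect))  # stale -> refetch -> connects
    print("GetSecretValue calls:", cache.fetch_count)      # 2
```

The single retry matters in both directions: without it, every rotation turns into an outage until the process restarts; without the cache, every connection costs a Secrets Manager API call and the application’s availability becomes coupled to that API.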
30. (Not) handling secrets within applications
Cross-account secrets are great for shared credentials like domain-join users or logging API keys, delivered directly to the systems that need them. A resource policy on the secret grants the consuming account’s role access (here "Resource": "*" means this secret):
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::123456789012:role/EC2RoleToAccessSecrets"
        },
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*"
    }]
}
Two more things must line up for the cross-account call to succeed: the secret must be encrypted with a customer-managed KMS key whose key policy grants kms:Decrypt to that role (the AWS-managed aws/secretsmanager key cannot be used across accounts), and the role itself needs an identity-based policy allowing secretsmanager:GetSecretValue on the secret’s ARN.
31. (Not) handling secrets within applications
Put references to secrets directly into your CloudFormation templates, without the values being visible in the Console, using Dynamic References:
MyRDSInstance:
  Type: 'AWS::RDS::DBInstance'
  Properties:
    DBName: MyRDSInstance
    AllocatedStorage: '20'
    DBInstanceClass: db.t2.micro
    Engine: mysql
    MasterUsername: '{{resolve:secretsmanager:MyRDSSecret:SecretString:username}}'
    MasterUserPassword: '{{resolve:secretsmanager:MyRDSSecret:SecretString:password}}'
Dynamic references are resolved when the stack is created or updated, not on every rotation, so a rotated password reaches the database through the rotation function rather than through a template re-deploy.
32. LastKeyPair
• Native SSH all the way to the instance
• Can traverse multi-hop networks (jump hosts)
• Generates time-limited SSH Certificates
• Tied to AWS IAM access
• Works with EC2 Instance Tags for AuthZ
34. SSM sessions & commands: remote execution, the good kind!
• Allows for an IAM-backed audit trail via CloudTrail
• Per-instance authorisation can be handled with EC2 tagging; this is only as strong as control over the tags, so the same principals must not hold ec2:CreateTags or ec2:DeleteTags on those instances
• Amazon AMIs come with SSM pre-installed, just attach the Role
36. Immutable infrastructure
• Consider whether you need access to instances at all
• All logs should be shipped
• Instances should include a host-security agent and process logging
• No SSH, no SSM; changes are deployed through infra-as-code