Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Mastering Identity at Every Layer of the Cake
Quint Van Deman
Principal Business Development Manager
AWS Identity and Directory Services
SEC401R
What to expect
• Explore advanced identity features & patterns
• “It doesn’t depend”
• Demos, code, and more demos
Disambiguation
Identity (the subject): authentication, authorization, audit, and governance for your cloud workloads. This is our scope for today.
AWS Identity and Access Management (IAM) (the service): authenticates and authorizes AWS APIs. Identity in the broad sense includes IAM.
Our scope
Amazon Web Services (AWS), Infrastructure, Application (the layers); Builders, Operators, Users (the people); AWS Command Line Interface (AWS CLI)
Layered cake or tiramisu?
(Image: Pexels, Creative Commons Attribution 2.0 Generic license)
Understanding planes of access
Amazon Elastic Compute Cloud (Amazon EC2)
Control plane – AWS API (example: ec2:StartInstance)
Data plane – VPC connection (example: SSH, RDP)
Different:
• Paths
• Credentials
• Protocols
Understanding planes of access
Amazon DynamoDB
Control plane – AWS API (example: dynamodb:CreateTable)
Data plane – AWS API (example: dynamodb:GetItem)
Same:
• Path
• Credential
• Protocol
The challenge
Your options
                      SAML to IAM   AWS Single Sign-On (AWS SSO)   Custom Broker
Directory             You           You or AWS                     You
Identity provider     You           AWS                            You
Credential exchange   AWS           AWS                            You
It doesn’t depend
So you want to manage access for a whole bunch of users into a whole bunch of roles in a whole bunch of AWS accounts?
Based on features available as of November 2018; will change based on future launches.
Further exploration
• Workshop: Choose your own SAML Adventure
• AWS SSO: Getting Started
IAM delegated administration
Before July 2018
• Certain IAM policy actions (for example, PutUserPolicy, AttachRolePolicy) were full admin permissions
• Doing any form of self-service permissions management required non-trivial intermediary automation
Now
• An administrator can grant IAM management permissions that were previously admin-only, but specify a “permissions boundary”
• Use case: Allow developers the ability to create principals for their applications and attach policies, but only within the boundary
Effective permissions: The intersection
The effective permissions of a bounded principal are the intersection of its identity-based policies and its permissions boundary; the boundary never grants anything on its own.
IAM delegated administration walkthrough
Admin Step 1: Create the permission boundary (managed policy)
arn:aws:iam::<ACCOUNT_NUMBER>:policy/boundaries/dynamodb_eu
{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Action": [
      "dynamodb:PutItem",
      "dynamodb:UpdateItem",
      "dynamodb:DeleteItem"
    ],
    "Resource": "*",
    "Condition": {
      "StringEquals": { "aws:RequestedRegion": "eu-central-1" }
    }
  } ]
}
IAM delegated administration walkthrough
Admin Step 2: Allow role creation, but only within boundary
{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Action": [ "iam:CreateRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy" ],
    "Resource": "arn:aws:iam::<ACCOUNT_NUMBER>:role/executionroles/MyTestApp*",
    "Condition": {
      "StringEquals": {
        "iam:PermissionsBoundary":
          "arn:aws:iam::<ACCOUNT_NUMBER>:policy/boundaries/dynamodb_eu"
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [ "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion" ],
    "Resource": "arn:aws:iam::<ACCOUNT_NUMBER>:policy/delegatedadmin/*"
  } ]
}
IAM delegated administration walkthrough
Admin Step 3: Allow developer to pass role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::<ACCOUNT_NUMBER>:role/executionroles/MyTestApp*"
    }
  ]
}
IAM delegated administration walkthrough
User steps: App developer creates role with delegated permissions
# Step 1: Create role
$ aws iam create-role --role-name MyTestAppRole \
    --path /executionroles/ \
    --assume-role-policy-document file://Role_Trust_Policy_Text.json \
    --permissions-boundary arn:aws:iam::<ACCOUNT_NUMBER>:policy/boundaries/dynamodb_eu
# Step 2: Create policy
# No change
# Step 3: Attach policy
# No change
Another example coming in the first demo …
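To make the “intersection” concrete, here is an added example (not code from the talk or from AWS) that evaluates the deck’s dynamodb_eu boundary against a constructed, deliberately broader identity policy; the developer policy, the table ARN and the request context are assumptions.

```python
"""Effective permissions of a bounded principal = identity policy ∩ permissions boundary.

Constructed illustration (not code from the talk or from AWS): a small evaluator
for Allow-only IAM policies that understands action/resource wildcards and the
StringEquals condition on aws:RequestedRegion used by the deck's boundary. It is
deliberately a subset of real IAM evaluation (no Deny, no policy variables,
no resource-based policies or SCPs).
"""
import fnmatch
import json

# Boundary from "Admin Step 1" (ACCOUNT_NUMBER placeholder as on the slide).
DYNAMODB_EU_BOUNDARY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
    "Resource": "*",
    "Condition": { "StringEquals": { "aws:RequestedRegion": "eu-central-1" } }
  } ]
}
""")

# Constructed identity policy a developer might attach to MyTestAppRole. It is
# intentionally broader than the boundary: every DynamoDB action in any region,
# plus some S3 access the boundary never mentions.
DEVELOPER_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::mygreatbucket1/*"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _pattern_matches(candidate, patterns, case_insensitive):
    """IAM wildcard match: '*' spans any characters (including '/'), '?' one."""
    if case_insensitive:  # action names are matched case-insensitively
        candidate = candidate.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def _condition_matches(condition, context):
    """Only StringEquals is modelled; every listed key must match the request."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def statement_allows(stmt, action, resource, context):
    if stmt.get("Effect") != "Allow":
        return False
    if not _pattern_matches(action, _as_list(stmt["Action"]), True):
        return False
    if not _pattern_matches(resource, _as_list(stmt["Resource"]), False):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def policy_allows(policy, action, resource, context):
    return any(statement_allows(s, action, resource, context)
               for s in policy["Statement"])


def effective_decision(identity_policy, boundary, action, resource, context):
    """'Allow' only when BOTH the identity policy and the boundary allow."""
    by_identity = policy_allows(identity_policy, action, resource, context)
    by_boundary = policy_allows(boundary, action, resource, context)
    return "Allow" if (by_identity and by_boundary) else "Deny"


if __name__ == "__main__":
    table = "arn:aws:dynamodb:eu-central-1:123456789012:table/orders"
    for action, region in [("dynamodb:PutItem", "eu-central-1"),
                           ("dynamodb:PutItem", "us-east-1"),
                           ("dynamodb:GetItem", "eu-central-1")]:
        ctx = {"aws:RequestedRegion": region}
        print(action, region, "->", effective_decision(
            DEVELOPER_ROLE_POLICY, DYNAMODB_EU_BOUNDARY, action, table, ctx))
```

The third case is the one worth remembering: the identity policy alone would allow dynamodb:GetItem, but the boundary does not list it, so the request is denied.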
Self-service role creation: A tale of two challenges
Fixed: Self-service role creation with guardrails!
Now: How do we make it super easy to do the right thing?
What if, instead of this …
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "ExecutionRoleBuilderMacroTestRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "ExecutionRoleForAppA",
        "PermissionsBoundary": "arn:aws:iam::012345678912:policy/ApplicationA",
        "Policies": [ {
          "PolicyName": "ExecutionRoleForAppAPolicy",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [ {
              "Action": [ "dynamodb:GetItem", "dynamodb:PutItem" ],
              "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/table1",
              "Effect": "Allow"
            }, {
              "Action": [ "s3:GetBucketLocation", "s3:ListAllMyBuckets" ],
              "Resource": "*",
              "Effect": "Allow"
            }, {
              "Action": [ "s3:ListBucket" ],
              "Resource": "arn:aws:s3:::mygreatbucket1",
              "Effect": "Allow"
            }, {
              "Action": "s3:GetObject",
              "Resource": "arn:aws:s3:::mygreatbucket1/*",
              "Effect": "Allow"
            } ]
          }
        } ],
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [ {
            "Action": [ "sts:AssumeRole" ],
            "Effect": "Allow",
            "Principal": { "Service": [ "lambda.amazonaws.com" ] }
          } ]
        }
      }
    }
  }
}
Example of a permission policy for a bounded execution role
They could write this …
AWSTemplateFormatVersion: "2010-09-09"
Transform: ExecutionRoleBuilder
Resources:
  ExecutionRoleBuilderMacroTestRole:
    Type: "AWS::IAM::Role"
    Properties:
      Name: "ExecutionRoleForAppA"
      Type: "Lambda"
      PermissionsBoundary: "arn:aws:iam::012345678912:policy/ApplicationA"
      Permissions:
        - ReadOnly: "arn:aws:s3:::mygreatbucket1"
        - ReadWrite: "arn:aws:dynamodb:us-west-2:123456789012:table/table1"
CFn Macro: Execution role builder
Code on GitHub
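The expansion such a macro performs, as an added Python re-implementation of the idea (not the code on GitHub): it turns the short form above into the full AWS::IAM::Role and refuses a role without a PermissionsBoundary. The ReadWrite-on-S3 and ReadOnly-on-DynamoDB action sets and the EC2 type go beyond the slide and are assumptions.

```python
"""Constructed re-implementation of the idea behind the ExecutionRoleBuilder
CloudFormation macro: expand the short form (Name/Type/PermissionsBoundary/
Permissions) into a full AWS::IAM::Role. Illustrative code, not the GitHub
project's; it also goes beyond the slide by covering ReadWrite on S3 and
ReadOnly on DynamoDB (those action sets are assumptions).
"""
import copy

# Which service principal may assume a role of a given short-form "Type".
SERVICE_PRINCIPALS = {"Lambda": "lambda.amazonaws.com", "EC2": "ec2.amazonaws.com"}

# The "They could write this" template from the slide, as Python (parsed YAML).
SHORT_FORM_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "ExecutionRoleBuilder",
    "Resources": {
        "ExecutionRoleBuilderMacroTestRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Name": "ExecutionRoleForAppA",
                "Type": "Lambda",
                "PermissionsBoundary": "arn:aws:iam::012345678912:policy/ApplicationA",
                "Permissions": [
                    {"ReadOnly": "arn:aws:s3:::mygreatbucket1"},
                    {"ReadWrite": "arn:aws:dynamodb:us-west-2:123456789012:table/table1"},
                ],
            },
        }
    },
}


def s3_statements(bucket_arn, level):
    """S3 needs bucket-level and object-level statements; mirrors the slide's expansion."""
    stmts = [
        {"Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["s3:ListBucket"], "Resource": bucket_arn, "Effect": "Allow"},
        {"Action": "s3:GetObject", "Resource": bucket_arn + "/*", "Effect": "Allow"},
    ]
    if level == "ReadWrite":
        stmts.append({"Action": ["s3:PutObject", "s3:DeleteObject"],
                      "Resource": bucket_arn + "/*", "Effect": "Allow"})
    return stmts


def dynamodb_statements(table_arn, level):
    actions = ["dynamodb:GetItem"] if level == "ReadOnly" else ["dynamodb:GetItem", "dynamodb:PutItem"]
    return [{"Action": actions, "Resource": table_arn, "Effect": "Allow"}]


BUILDERS = {"s3": s3_statements, "dynamodb": dynamodb_statements}


def expand_permission(entry):
    """One short-form entry ({level: arn}) -> list of policy statements."""
    (level, arn), = entry.items()
    if level not in ("ReadOnly", "ReadWrite"):
        raise ValueError(f"unknown permission level {level!r}")
    service = arn.split(":")[2]          # arn:partition:SERVICE:region:account:...
    if service not in BUILDERS:
        raise ValueError(f"service {service!r} is not offered by this macro")
    return BUILDERS[service](arn, level)


def build_role(props):
    # Guardrail: the macro never emits an unbounded role.
    if not props.get("PermissionsBoundary"):
        raise ValueError("PermissionsBoundary is required")
    statements = []
    for entry in props.get("Permissions", []):
        statements.extend(expand_permission(entry))
    return {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "RoleName": props["Name"],
            "PermissionsBoundary": props["PermissionsBoundary"],
            "Policies": [{"PolicyName": f"{props['Name']}Policy",
                          "PolicyDocument": {"Version": "2012-10-17", "Statement": statements}}],
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow",
                               "Principal": {"Service": [SERVICE_PRINCIPALS[props["Type"]]]}}],
            },
        },
    }


def transform(fragment):
    """Expand every short-form AWS::IAM::Role in a template fragment."""
    out = copy.deepcopy(fragment)
    for logical_id, res in out["Resources"].items():
        if res.get("Type") == "AWS::IAM::Role" and "Permissions" in res.get("Properties", {}):
            out["Resources"][logical_id] = build_role(res["Properties"])
    return out


def lambda_handler(event, context):
    """CloudFormation macro contract: return the fragment with status success/failure."""
    try:
        return {"requestId": event["requestId"], "status": "success",
                "fragment": transform(event["fragment"])}
    except (KeyError, ValueError) as exc:
        return {"requestId": event["requestId"], "status": "failure", "errorMessage": str(exc)}
```

Because the macro owns the expansion, the developer can only ask for access levels the macro knows how to spell out, and every role it produces carries the boundary.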
Identity “for” and “of” the infrastructure
“For” the infrastructure: operating systems, database engines
“Of” the infrastructure: EC2 instances, DynamoDB table, S3 bucket with objects
“For” the infrastructure: Options
Traditional vs. Utopia
“For” the Infrastructure: IAM-based auth
• New option to facilitate the journey: IAM-based auth
• Authentication advantages:
  • Replaces username & password with ephemeral credentials
  • Strength of AWS SigV4
• Authorization advantages:
  • Codify “who can access what” within IAM policies
  • Unified with other AWS permissions (for example, accessing S3 buckets)
• Management advantages:
  • Reduce/eliminate bootstrapping requirements
  • No clean up for short-lived infrastructure
• Growing set of supported services:
  • Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (Amazon RDS), Amazon Aurora, and Amazon Redshift
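What the ephemeral credential is for RDS IAM database authentication, as an added stdlib-only illustration (not AWS code): the token is a SigV4-presigned rds-db:connect request signed with the role’s temporary credentials. It is assumed to match the format of boto3’s rds.generate_db_auth_token(), which production code should call instead; the host, user and keys are placeholders.

```python
"""What an RDS/Aurora IAM database authentication token actually is: a SigV4
presigned 'rds-db:connect' request. Constructed illustration built only from
the standard library so the mechanics are visible; it is assumed to mirror the
format boto3's rds.generate_db_auth_token() produces, and production code
should call that instead. All credentials below are placeholders.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

RDS_TOKEN_LIFETIME = 900                        # tokens are valid for 15 minutes
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # presigned GET has no body


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key, date, region, service):
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def _canonical_query(params):
    """Keys sorted; keys and values URI-encoded per RFC 3986 (only -_.~ left bare)."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                    for k, v in sorted(params.items()))


def generate_db_auth_token(host, port, db_user, region, access_key, secret_key,
                           session_token=None, timestamp=None):
    """Return the string a client passes as the database password for IAM auth.

    The role's temporary credentials (access key, secret, session token) sign
    the request; no long-lived password is ever handed to the database client.
    timestamp is a UTC string like 20181127T120000Z (default: now).
    """
    amz_date = timestamp or dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(RDS_TOKEN_LIFETIME),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:                            # present for role credentials
        params["X-Amz-Security-Token"] = session_token
    canonical_query = _canonical_query(params)
    host_header = f"{host}:{port}"
    canonical_request = "\n".join([
        "GET", "/", canonical_query,
        f"host:{host_header}\n",                 # canonical headers block
        "host",                                  # signed headers
        EMPTY_SHA256,
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date, region, "rds-db"),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    # The scheme is dropped: the client sends this string as the password.
    return f"{host_header}/?{canonical_query}&X-Amz-Signature={signature}"
```

The matching IAM grant is rds-db:connect on arn:aws:rds-db:<region>:<account>:dbuser:<db-resource-id>/<db_user>, which is where “who can access what” is codified; the token expires after 15 minutes regardless of how long the connection lives.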
Further exploration
• AWS Systems Manager (SSM) Session Manager
• Amazon RDS IAM database authentication
• Amazon Redshift IAM database authentication
Base primitive: IAM roles
• AWS credentials auto delivered and rotated
• AWS credentials auto discovered and used
• Access controlled by policy attached to role
Also works with AWS Lambda & Amazon Elastic Container Service (Amazon ECS)
Diagram: Permissions → Role → Temporary security credential → Your code (on the operating system of an EC2 instance) → AWS resources
Still missing a key part
IAM roles provide your applications a reliable, secure, auto-rotating solution for AWS credentials.
But what about:
• Database connection credentials?
• Third-party API keys?
• OAuth refresh tokens?
How do we avoid the back alley exchange?
AWS Secrets Manager
Your code runs on the operating system of an EC2 instance with a role (permissions) and its temporary security credential. It makes an authorized call to Secrets Manager, the DB creds are returned, and the connection to the database in the VPC is established. The DBA loads the DB creds into Secrets Manager, and rotation is safe.
Combo provides a reliable, secure, auto-rotating solution for ALL credentials
Further exploration
• Secrets Manager workshop
“At the end of the day, it’s all about the apps.”
–Cool Citation N/A
For the humans and the machines
Human to application: Credentials → Container / Lambda Function
Service to service: Service 1 → Service 2
Amazon Cognito
• Application identity Swiss army knife
• Offloads identity-focused undifferentiated heavy lifting
• Normalizing layer for applications
  • Native and/or federated users: the app doesn’t need to care
• Vends standard tokens
  • Cognito User Pool (CUP) tokens, that is, JWTs: accessing your APIs
  • AWS Security Token Service (AWS STS): accessing AWS APIs
• Clean integrations with adjacent services
  • Amazon API Gateway: AuthN/Z for your APIs
  • Application Load Balancer: AuthN/Z for your apps
Amazon Cognito
1. Authenticate: the app redirects the user to a federating IdP, which posts back an IdP token.
2. User pools authenticate users and return standard tokens (CUP token).
3. Access serverless backend with the CUP token: user pool tokens are used to access backend resources.
4. Get AWS credentials: the CUP token is exchanged through AWS STS; identity pools provide AWS credentials to access AWS services.
5 and 6. Access AWS services with those credentials.
Traditional service to service (at least one way): TLS Mutual Authentication
Service 1 (SSL certificate) ↔ Service 2 (SSL certificate)
Pros:
• Very well established technology
Cons:
• Generating & delivering certificates generally less than easy
• No central place to define/audit authorizations
Service to service in AWS using IAM
Service 1 (container or Lambda function, with a role and its temporary security credential) calls Service 2 (permissions), all within the AWS Cloud.
✓ AWS takes care of credential distribution
✓ Centrally defined authorizations in IAM policies
✓ Resource-based policies allow access across AWS accounts
Service to service in AWS using Amazon Cognito (OAuth)
Service 1 (container or Lambda function, with a role) presents a CUP token to Service 2 (permissions), within the AWS Cloud.
✓ Alignment with human-based authorization
✓ Bearer token model familiar to developers
• You perform credential distribution (using AWS primitives)
Further exploration
• Serverless Authentication and Authorization session
• Serverless Authentication and Authorization workshop
Adding some awesome sauce
Dynamic break glass access (140 lines of code)
Actors: EC2 Operator, Corporate Identity Provider, Break glass portal, Break glass API (Lambda function), AWS STS, Role, Specific instance.
1. The operator signs in to the break glass portal with corporate credentials; the corporate identity provider returns an assertion with EC2 authorizations.
2. The portal issues a CUP token with custom claims.
3. /listmyinstances returns the instances the operator may act on (for example, i-a1b2c3d4e5f6000000).
4. “It’s go time”: /gettoken; the break glass API assumes the role through AWS STS and returns a break glass credential for the specific instance, and sends an “FYI”.
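The /listmyinstances and /gettoken steps, as an added sketch (not the talk’s 140 lines): the claim name custom:ec2_authorizations, SSM Session Manager as the data-plane path, the session-policy shape and the role ARN are assumptions.

```python
"""Constructed illustration (not the talk's code) of the /listmyinstances and
/gettoken steps of the break-glass API. Assumptions: the user-pool token
carries a custom claim custom:ec2_authorizations (comma-separated instance
IDs) derived from the corporate IdP assertion; the data plane is reached
through SSM Session Manager; the role ARN is a placeholder.
"""
import json

BREAK_GLASS_ROLE_ARN = "arn:aws:iam::<ACCOUNT_NUMBER>:role/BreakGlassOperator"  # placeholder
SESSION_SECONDS = 900   # shortest STS session; break glass should not outlive the incident


class NotAuthorized(Exception):
    """The token's claims do not cover the requested instance."""


def authorized_instances(claims):
    raw = claims.get("custom:ec2_authorizations", "")
    return {i.strip() for i in raw.split(",") if i.strip()}


def list_my_instances(claims):
    """/listmyinstances: only what this operator may break glass into."""
    return sorted(authorized_instances(claims))


def is_authorized(claims, instance_id):
    return instance_id in authorized_instances(claims)


def session_policy_for(instance_id, region, account):
    """Session policy that narrows the broad break-glass role to ONE instance.

    Statement shapes follow the Session Manager end-user policy pattern
    (instance + run-shell document for StartSession, own sessions for the rest).
    """
    instance_arn = f"arn:aws:ec2:{region}:{account}:instance/{instance_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ssm:StartSession",
             "Resource": [instance_arn,
                          f"arn:aws:ssm:{region}:{account}:document/SSM-SessionManagerRunShell"]},
            {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
             "Resource": "arn:aws:ssm:*:*:session/${aws:userid}-*"},
        ],
    }


def get_token_request(claims, instance_id, region, account):
    """/gettoken: the sts.assume_role(**kwargs) call for one instance.

    The effective permission is the role policy ∩ this session policy, so the
    credential can never reach an instance the claim did not list. On a deny
    NotAuthorized is raised and no credential is minted.
    """
    if not is_authorized(claims, instance_id):
        raise NotAuthorized(f"{claims.get('sub')} is not authorized for {instance_id}")
    return {
        "RoleArn": BREAK_GLASS_ROLE_ARN,
        # Session name and tag both land in CloudTrail: the "FYI" for auditors.
        "RoleSessionName": f"breakglass-{claims['sub']}-{instance_id}"[:64],
        "DurationSeconds": SESSION_SECONDS,
        "Policy": json.dumps(session_policy_for(instance_id, region, account)),
        "Tags": [{"Key": "BreakGlassInstance", "Value": instance_id}],
    }
```

The role itself can stay broad enough to cover every instance any operator might need; the session policy, not the role, is what ties each credential to one instance and one short window.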
Dynamic break glass access
Thank you!
Quint Van Deman
Find me on LinkedIn

Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Más de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018

  • 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Mastering Identity at Every Layer of the Cake. Quint Van Deman, Principal Business Development Manager, AWS Identity and Directory Services. SEC401R
  • 3. What to expect: explore advanced identity features & patterns; “It doesn’t depend”; demos, code, and more demos.
  • 4. Disambiguation. Identity (the subject): authentication, authorization, audit, and governance for your cloud workloads; this is our scope for today. AWS Identity and Access Management (IAM) (the service): authenticates and authorizes AWS APIs. The subject includes the service.
  • 5. Our scope. Layers: Amazon Web Services (AWS), infrastructure, application. People: builders, operators, users. Tooling: AWS Command Line Interface (AWS CLI).
  • 6. Layered cake or tiramisu? (Image from Pexels, licensed under the Creative Commons Attribution 2.0 Generic license.)
  • 7. Understanding planes of access. Amazon Elastic Compute Cloud (Amazon EC2): control plane is the AWS API (example: ec2:StartInstance); data plane is a VPC connection (example: SSH, RDP). Different paths, credentials, and protocols.*
  • 8. Understanding planes of access. Amazon DynamoDB: control plane is the AWS API (example: dynamodb:CreateTable); data plane is also the AWS API (example: dynamodb:GetItem). Same path, credential, and protocol.
  • 10. The challenge
  • 11. Your options (who operates each component):
    Component            SAML to IAM   AWS Single Sign-On (AWS SSO)   Custom broker
    Directory            You           You or AWS                     You
    Identity provider    You           AWS                            You
    Credential exchange  AWS           AWS                            You
  • 12. It doesn’t depend. So you want to manage access for a whole bunch of users into a whole bunch of roles in a whole bunch of AWS accounts? Based on features available as of November 2018; will change based on future launches.
  • 13. Further exploration: Workshop: Choose your own SAML Adventure; AWS SSO: Getting Started.
  • 15. IAM delegated administration. Before July 2018: certain IAM policy actions (for example, PutUserPolicy, AttachRolePolicy) were full admin permissions, so any form of self-service permissions management required non-trivial intermediary automation. Now: an administrator can grant the IAM management permissions that were previously full-admin, but specify a “permissions boundary”. Use case: allow developers to create principals for their applications and attach policies, but only within the boundary.
  • 16. Effective permissions: the intersection (of the identity policies and the permissions boundary).
  • 17. IAM delegated administration walkthrough. Admin step 1: create the permission boundary (managed policy) arn:aws:iam::<ACCOUNT_NUMBER>:policy/boundaries/dynamodb_eu
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:PutItem",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteItem"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:RequestedRegion": "eu-central-1"
            }
          }
        }
      ]
    }
  • 18. IAM delegated administration walkthrough. Admin step 2: allow role creation, but only within the boundary
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:CreateRole",
            "iam:AttachRolePolicy",
            "iam:DetachRolePolicy"
          ],
          "Resource": "arn:aws:iam::<ACCOUNT_NUMBER>:role/executionroles/MyTestApp*",
          "Condition": {
            "StringEquals": {
              "iam:PermissionsBoundary": "arn:aws:iam::<ACCOUNT_NUMBER>:policy/boundaries/dynamodb_eu"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion",
            "iam:DeletePolicyVersion"
          ],
          "Resource": "arn:aws:iam::<ACCOUNT_NUMBER>:policy/delegatedadmin/*"
        }
      ]
    }
  • 19. IAM delegated administration walkthrough. Admin step 3: allow the developer to pass the role
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::<ACCOUNT_NUMBER>:role/executionroles/MyTestApp*"
        }
      ]
    }
  • 20. IAM delegated administration walkthrough. User steps: the app developer creates a role with the delegated permissions.
    # Step 1: Create role
    $ aws iam create-role --role-name MyTestAppRole --path /executionroles/ --assume-role-policy-document file://Role_Trust_Policy_Text.json --permissions-boundary arn:aws:iam::<ACCOUNT_NUMBER>:policy/boundaries/dynamodb_eu
    # Step 2: Create policy
    # No change
    # Step 3: Attach policy
    # No change
    Another example coming in the first demo ...
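  The following is an added example, not code from the talk: a small, simplified IAM evaluator that makes slides 15 to 20 concrete. It loads the boundary policy from slide 17 and the developer's IAM permissions from slide 18, and shows that the effective permissions of a bounded role are the intersection (the identity policy allows dynamodb:*, but only the boundary's actions in eu-central-1 get through), and that the developer can create a role only on the agreed path and only when the request carries the agreed boundary. The account id, the orders table, and the app role's policy are constructed placeholders; only Allow/Deny, wildcards, and StringEquals are modelled.

```python
"""Simplified IAM policy evaluation (added example, not from the talk).

A request passes only if an identity policy allows it, nothing denies it
and, when the principal carries a permissions boundary, the boundary
allows it as well: "Effective permissions: the intersection".
"""
import fnmatch

ACCOUNT = "123456789012"   # constructed placeholder for <ACCOUNT_NUMBER>
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/boundaries/dynamodb_eu"
TABLE_ARN = f"arn:aws:dynamodb:eu-central-1:{ACCOUNT}:table/orders"   # constructed

# Admin step 1: the boundary managed policy from slide 17.
BOUNDARY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-central-1"}}}]}

# Admin step 2: the role-management part of the developer's policy from slide 18.
DEVELOPER_IAM_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy"],
    "Resource": f"arn:aws:iam::{ACCOUNT}:role/executionroles/MyTestApp*",
    "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}}]}

# Constructed: a deliberately generous policy the developer attaches to the app role.
APP_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: '*' matches any run of characters."""
    if case_insensitive:   # action names are case-insensitive, resources are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _conditions_hold(condition, context):
    """StringEquals only; a context key that is absent makes the test false."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    decision = "Implicit"
    for statement in policy["Statement"]:
        if not any(_match(a, action, True) for a in _as_list(statement["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(statement["Resource"])):
            continue
        if not _conditions_hold(statement.get("Condition"), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"          # an explicit deny always wins
        decision = "Allow"
    return decision


def is_allowed(identity_policies, action, resource, context, boundary=None):
    """Identity policies must allow, nothing may deny, and the boundary
    (when present) must allow too: the intersection."""
    decisions = [evaluate(p, action, resource, context) for p in identity_policies]
    if "Deny" in decisions or "Allow" not in decisions:
        return False
    if boundary is not None and evaluate(boundary, action, resource, context) != "Allow":
        return False
    return True


def app_role_can(action, region):
    """What the bounded execution role can do: APP_ROLE_POLICY narrowed by BOUNDARY."""
    return is_allowed([APP_ROLE_POLICY], action, TABLE_ARN,
                      {"aws:RequestedRegion": region}, BOUNDARY)


def developer_can_create_role(role_arn, boundary_arn=None):
    """Delegated admin: CreateRole only on the agreed path and only with the boundary."""
    context = {"iam:PermissionsBoundary": boundary_arn} if boundary_arn else {}
    return is_allowed([DEVELOPER_IAM_POLICY], "iam:CreateRole", role_arn, context)


if __name__ == "__main__":
    print(app_role_can("dynamodb:PutItem", "eu-central-1"))   # True
    print(app_role_can("dynamodb:PutItem", "us-east-1"))      # False: outside the boundary
    print(app_role_can("dynamodb:GetItem", "eu-central-1"))   # False: identity allows, boundary does not
```

  The third call is the one to remember: the role's own policy says dynamodb:*, yet GetItem is refused because the boundary never allows it. Real IAM evaluation also consults resource-based policies, SCPs and session policies; those are outside what the slides show and outside this model.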
  • 21. Self-service role creation: a tale of two challenges. Fixed: self-service role creation with guardrails! Now: how do we make it super easy to do the right thing? (Image: Pexels)
  • 22. What if, instead of this (example of a permission policy for a bounded execution role) ...
    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Resources": {
        "ExecutionRoleBuilderMacroTestRole": {
          "Type": "AWS::IAM::Role",
          "Properties": {
            "RoleName": "ExecutionRoleForAppA",
            "PermissionsBoundary": "arn:aws:iam::012345678912:policy/ApplicationA",
            "Policies": [
              {
                "PolicyName": "ExecutionRoleForAppAPolicy",
                "PolicyDocument": {
                  "Version": "2012-10-17",
                  "Statement": [
                    {
                      "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
                      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/table1",
                      "Effect": "Allow"
                    },
                    {
                      "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
                      "Resource": "*",
                      "Effect": "Allow"
                    },
                    {
                      "Action": ["s3:ListBucket"],
                      "Resource": "arn:aws:s3:::mygreatbucket1",
                      "Effect": "Allow"
                    },
                    {
                      "Action": "s3:GetObject",
                      "Resource": "arn:aws:s3:::mygreatbucket1/*",
                      "Effect": "Allow"
                    }
                  ]
                }
              }
            ],
            "AssumeRolePolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": ["sts:AssumeRole"],
                  "Effect": "Allow",
                  "Principal": {
                    "Service": ["lambda.amazonaws.com"]
                  }
                }
              ]
            }
          }
        }
      }
    }
  • 23. ... they could write this:
    AWSTemplateFormatVersion: "2010-09-09"
    Transform: ExecutionRoleBuilder
    Resources:
      ExecutionRoleBuilderMacroTestRole:
        Type: "AWS::IAM::Role"
        Properties:
          Name: "ExecutionRoleForAppA"
          Type: "Lambda"
          PermissionsBoundary: "arn:aws:iam::012345678912:policy/ApplicationA"
          Permissions:
            - ReadOnly: "arn:aws:s3:::mygreatbucket1"
            - ReadWrite: "arn:aws:dynamodb:us-west-2:123456789012:table/table1"
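  The following is an added example and not the ExecutionRoleBuilder macro published on GitHub by the speaker: it shows the kind of transform a CloudFormation macro performs to turn the short form of slide 23 into the full AWS::IAM::Role of slide 22. The ReadOnly/ReadWrite action sets, the Type-to-service-principal map, and the policy name are this example's own assumptions; the request/response shape of handler() is the one CloudFormation uses for macro Lambda functions.

```python
"""Macro-style expansion of a short-form execution role (added example).

A CloudFormation macro receives the template fragment, rewrites it and hands
it back; here the rewrite turns Permissions entries into least-privilege
statements and Type into a trust policy, carrying the boundary through.
"""
import copy

# Assumed action sets; a real macro would carry a richer, reviewed mapping.
ACTIONS = {
    "s3": {
        "ReadOnly": ["s3:GetObject", "s3:ListBucket"],
        "ReadWrite": ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"],
    },
    "dynamodb": {
        "ReadOnly": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
        "ReadWrite": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
                      "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
    },
}
SERVICE_PRINCIPALS = {"Lambda": "lambda.amazonaws.com", "EC2": "ec2.amazonaws.com"}
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket"}   # apply to the bucket ARN, not to its keys


def _service(arn):
    return arn.split(":")[2]           # arn:aws:<service>:...


def _statements(level, arn):
    """Statements granting `level` access to the single resource `arn`."""
    service = _service(arn)
    if service not in ACTIONS or level not in ACTIONS[service]:
        raise ValueError(f"unsupported access level {level!r} for {arn}")
    actions = ACTIONS[service][level]
    if service == "s3":
        bucket_actions = [a for a in actions if a in BUCKET_LEVEL_ACTIONS]
        object_actions = [a for a in actions if a not in BUCKET_LEVEL_ACTIONS]
        return [{"Effect": "Allow", "Action": bucket_actions, "Resource": arn},
                {"Effect": "Allow", "Action": object_actions, "Resource": arn + "/*"}]
    return [{"Effect": "Allow", "Action": actions, "Resource": arn}]


def build_role(short_props):
    """Expand short-form Properties into real AWS::IAM::Role Properties."""
    statements = []
    for entry in short_props["Permissions"]:
        (level, arn), = entry.items()   # each list item is {ReadOnly|ReadWrite: arn}
        statements.extend(_statements(level, arn))
    principal = SERVICE_PRINCIPALS[short_props["Type"]]
    return {
        "RoleName": short_props["Name"],
        "PermissionsBoundary": short_props["PermissionsBoundary"],  # boundary is mandatory here
        "Policies": [{
            "PolicyName": short_props["Name"] + "Policy",
            "PolicyDocument": {"Version": "2012-10-17", "Statement": statements},
        }],
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"Service": principal}}],
        },
    }


def transform(template):
    """Rewrite every AWS::IAM::Role that uses the short form; leave the rest alone."""
    out = copy.deepcopy(template)
    out.pop("Transform", None)
    for resource in out["Resources"].values():
        if resource["Type"] == "AWS::IAM::Role" and "Permissions" in resource["Properties"]:
            resource["Properties"] = build_role(resource["Properties"])
    return out


def handler(event, context):
    """Lambda entry point in the CloudFormation macro request/response shape."""
    return {"requestId": event["requestId"], "status": "success",
            "fragment": transform(event["fragment"])}


# The short form from slide 23, as the dict CloudFormation would hand the macro.
SHORT_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "ExecutionRoleBuilder",
    "Resources": {"ExecutionRoleBuilderMacroTestRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "Name": "ExecutionRoleForAppA",
            "Type": "Lambda",
            "PermissionsBoundary": "arn:aws:iam::012345678912:policy/ApplicationA",
            "Permissions": [
                {"ReadOnly": "arn:aws:s3:::mygreatbucket1"},
                {"ReadWrite": "arn:aws:dynamodb:us-west-2:123456789012:table/table1"},
            ],
        }}},
}
```

  Because the macro, not the developer, writes the Policies and AssumeRolePolicyDocument, the reviewed action sets and the mandatory boundary are the guardrail: a developer cannot ask for "s3:*" through this form, and an unsupported level raises instead of silently widening access.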
  • 25. CFn Macro: Execution role builder (code on GitHub)
  • 27. Identity “for” and “of” the infrastructure. “For”: operating systems, database engines. “Of”: EC2 instances, DynamoDB table, S3 bucket with objects.
  • 29. “For” the infrastructure: options. Traditional vs. Utopia.
  • 30. “For” the infrastructure: IAM-based auth. New option to facilitate the journey: IAM-based auth.
    Authentication advantages: replaces username & password with ephemeral credentials; strength of AWS SigV4.
    Authorization advantages: codify “who can access what” within IAM policies; unified with other AWS permissions (for example, accessing S3 buckets).
    Management advantages: reduce/eliminate bootstrapping requirements; no clean-up for short-lived infrastructure.
    Growing set of supported services: Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (Amazon RDS), Amazon Aurora, and Amazon Redshift.
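  The following is an added example, not AWS SDK code, showing what “strength of AWS SigV4” and “no bootstrapping” mean for IAM database authentication. An RDS or Aurora IAM auth token is a SigV4 presigned request for the rds-db service (the SDK's generate_db_auth_token does the same work); it is derived from whatever AWS credentials the caller already holds, typically the role's temporary credentials, and expires after 15 minutes, so no database password is ever created, shipped or rotated. The endpoint, user and keys below are constructed placeholders.

```python
"""Building an RDS/Aurora IAM database authentication token (added example).

The token is the SigV4 query-string presign of GET /?Action=connect&DBUser=...
against host:port for service "rds-db". Hand it to the database driver as the
password, over TLS; the database then asks IAM whether the caller holds
rds-db:connect for that database user.
"""
import datetime as dt
import hashlib
import hmac
import urllib.parse

RDS_DB_SERVICE = "rds-db"
EMPTY_BODY_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret_key, date, region, service):
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def _canonical_query(params):
    """Sorted by name, RFC 3986 encoded ('/' in the credential scope becomes %2F)."""
    quote = lambda s: urllib.parse.quote(s, safe="-_.~")
    return "&".join(f"{quote(k)}={quote(v)}" for k, v in sorted(params.items()))


def generate_db_auth_token(host, port, db_user, region, access_key, secret_key,
                           now, session_token=None, expires=900):
    """Return the token (the presigned URL without its scheme), valid `expires` seconds."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/{RDS_DB_SERVICE}/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:                      # temporary credentials carry their session token
        params["X-Amz-Security-Token"] = session_token
    query = _canonical_query(params)
    canonical_request = "\n".join(
        ["GET", "/", query, f"host:{host}:{port}", "", "host", EMPTY_BODY_SHA256])
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, date, region, RDS_DB_SERVICE),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{query}&X-Amz-Signature={signature}"


def connect_policy_statement(region, account, db_resource_id, db_user):
    """The IAM side of the same story: who may connect as which database user."""
    return {"Effect": "Allow", "Action": "rds-db:connect",
            "Resource": f"arn:aws:rds-db:{region}:{account}:dbuser:{db_resource_id}/{db_user}"}


# Constructed sample inputs so the example runs offline and deterministically.
SAMPLE_HOST = "mydb.cluster-abc123.eu-central-1.rds.amazonaws.com"
SAMPLE_NOW = dt.datetime(2018, 11, 28, 16, 0, 0)


def sample_token(secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", session_token=None):
    return generate_db_auth_token(SAMPLE_HOST, 3306, "app_user", "eu-central-1",
                                  "AKIAIOSFODNN7EXAMPLE", secret_key, SAMPLE_NOW, session_token)


if __name__ == "__main__":
    print(sample_token())
    print(connect_policy_statement("eu-central-1", "123456789012", "db-ABCDEFGHIJKL01234", "app_user"))
```

  The token changes with the signing date, the secret and the session token, so a leaked one is worth at most 15 minutes and only as that database user; the authorization decision still lives in IAM through rds-db:connect on the dbuser ARN, which is where it can be audited alongside every other AWS permission.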
  • 32. Further exploration: AWS Systems Manager (SSM) Session Manager; Amazon RDS IAM database authentication; Amazon Redshift IAM database authentication.
  • 34. Base primitive: IAM roles. AWS credentials are auto-delivered and rotated; AWS credentials are auto-discovered and used; access is controlled by the policy attached to the role. Also works with AWS Lambda & Amazon Elastic Container Service (Amazon ECS). Diagram: permissions → role → temporary security credential → your code on the operating system of an EC2 instance → AWS resources.
  • 35. Still missing a key part. IAM roles provide your applications a reliable, secure, auto-rotating solution for AWS credentials. But what about: database connection credentials? Third-party API keys? OAuth refresh tokens? How do we avoid the back-alley exchange? (Image (C) Copyright “A not very creative mind”, licensed for reuse under the Creative Commons Attribution-Generic 2.0 License.)
  • 36. AWS Secrets Manager. Diagram: your code on the EC2 instance uses the role's temporary security credential to make an authorized call to Secrets Manager; the DB creds are returned and loaded; the connection to the database in the VPC is established; the DBA rotates the secret safely. The combination provides a reliable, secure, auto-rotating solution for ALL credentials.
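  The following is an added example, not the talk's own code, of the slide 36 flow as application code would implement it: load the credentials from Secrets Manager using the role's credentials, cache them so not every request calls the API, and treat an authentication failure as the signal that the DBA or the rotation function has just changed the secret, so refresh once and retry. FakeSecretsManager and FakeDatabase are constructed in-memory stand-ins for boto3's Secrets Manager client (whose real call is get_secret_value(SecretId=...)) and for a database driver, so the example runs offline.

```python
"""Secrets Manager credentials with a cache and rotation-aware retry (added example)."""
import json
import time


class FakeSecretsManager:
    """Constructed stand-in: like the real service, returns the secret as a JSON string."""
    def __init__(self, secrets):
        self.secrets = dict(secrets)
        self.calls = 0                      # lets the scenario show how often the API is hit

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": self.secrets[SecretId]}


class FakeDatabase:
    """Constructed stand-in: accepts only the password currently set on the database."""
    def __init__(self, user, password):
        self.user, self.password = user, password

    def connect(self, user, password):
        if (user, password) != (self.user, self.password):
            raise PermissionError("authentication failed")
        return f"connection as {user}"


class SecretCache:
    """Cache parsed secret values for `ttl` seconds; allow a forced refresh."""
    def __init__(self, client, ttl=300, clock=time.monotonic):
        self.client, self.ttl, self.clock = client, ttl, clock
        self._entries = {}                  # secret_id -> (fetched_at, parsed value)

    def get(self, secret_id, force_refresh=False):
        entry = self._entries.get(secret_id)
        if entry and not force_refresh and self.clock() - entry[0] < self.ttl:
            return entry[1]
        raw = self.client.get_secret_value(SecretId=secret_id)["SecretString"]
        value = json.loads(raw)             # {"username": ..., "password": ...}
        self._entries[secret_id] = (self.clock(), value)
        return value


def connect_with_secret(cache, db, secret_id):
    """Connect with cached credentials; on rejection assume a rotation happened,
    refresh the secret once and retry, so rotation needs no restart or redeploy."""
    creds = cache.get(secret_id)
    try:
        return db.connect(creds["username"], creds["password"])
    except PermissionError:
        creds = cache.get(secret_id, force_refresh=True)
        return db.connect(creds["username"], creds["password"])


def rotation_scenario():
    """Steady state, then a rotation; returns what happened for inspection."""
    secret_id = "prod/app/db"               # constructed secret name
    sm = FakeSecretsManager({secret_id: json.dumps({"username": "app", "password": "pw-v1"})})
    db = FakeDatabase("app", "pw-v1")
    cache = SecretCache(sm, ttl=300)

    first = connect_with_secret(cache, db, secret_id)     # fetched from the API
    second = connect_with_secret(cache, db, secret_id)    # served from the cache
    calls_before_rotation = sm.calls

    # Rotation: Secrets Manager holds the new password and the database now requires it.
    sm.secrets[secret_id] = json.dumps({"username": "app", "password": "pw-v2"})
    db.password = "pw-v2"
    after = connect_with_secret(cache, db, secret_id)     # stale creds fail, refresh, succeed
    return {"first": first, "second": second, "calls_before_rotation": calls_before_rotation,
            "after_rotation": after, "calls_after_rotation": sm.calls}


if __name__ == "__main__":
    print(rotation_scenario())
```

  The retry is bounded to a single refresh, so a genuinely wrong credential fails fast instead of hammering Secrets Manager, and the cache keeps the per-request cost at zero API calls in steady state. The IAM role still decides who may read the secret at all, which is the “authorized call” in the diagram.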
  • 38. Further exploration: Secrets Manager workshop.
  • 40. “At the end of the day, it’s all about the apps.” –Cool Citation N/A
  • 41. For the humans and the machines. Human to application: credentials → container / Lambda function. Service to service: Service 1 → Service 2.
  • 43. Amazon Cognito: the application identity Swiss army knife. Offloads identity-focused undifferentiated heavy lifting. Normalizing layer for applications: native and/or federated users, the app doesn’t need to care. Vends standard tokens: CUP (that is, JWTs) for accessing your APIs; AWS Security Token Service (AWS STS) credentials for accessing AWS APIs. Clean integrations with adjacent services: Amazon API Gateway (AuthN/Z for your APIs); Application Load Balancer (AuthN/Z for your apps). (Image: Wikimedia Commons, by James Case from Philadelphia, Mississippi, U.S.A.)
  • 44. Amazon Cognito (diagram, steps 1 to 6): the user authenticates (1), either natively or through a federating IdP with a redirect / post back carrying the IdP token; user pools authenticate users and return standard tokens (CUP tokens); user pool tokens are used to access backend resources, for example a serverless backend; identity pools exchange the CUP token through AWS STS to provide AWS credentials to access AWS services.
  • 46. Traditional service to service (at least one way): TLS mutual authentication, Service 1 (SSL certificate) ↔ Service 2 (SSL certificate). Pros: very well established technology. Cons: generating & delivering certificates is generally less than easy; no central place to define/audit authorizations.
  • 47. Service to service in AWS using IAM: Service 1 (container / Lambda function) holds a role with permissions and a temporary security credential and calls Service 2, which has its own permissions, all within the AWS Cloud. ✓ AWS takes care of credential distribution. ✓ Centrally defined authorizations in IAM policies. ✓ Resource-based policies allow access across AWS accounts.
  • 48. Service to service in AWS using Amazon Cognito (OAuth): Service 1 (container / Lambda function, with its role and permissions) presents a CUP token to Service 2, within the AWS Cloud. ✓ Alignment with human-based authorization. ✓ Bearer token model familiar to developers. • You perform credential distribution (using AWS primitives).
  • 50. Further exploration: Serverless Authentication and Authorization session; Serverless Authentication and Authorization workshop.
  • 52. Adding some awesome sauce. (Images: CC0 Creative Commons, free for commercial use, no attribution required; Creative Commons BY-NC-SA 2.0, credit: Tom Magliery.)
  • 54. Dynamic break-glass access (140 lines of code). Diagram: an EC2 operator signs in to the break-glass portal with corporate credentials through the corporate identity provider, whose assertion carries the EC2 authorizations; the portal issues a CUP token with custom claims; the operator calls the break-glass API (a Lambda function) with /listmyinstances and then /gettoken for a specific instance (i-a1b2c3d4e5f6000000, “It’s go time”); the API calls AWS STS to obtain a break-glass credential for a role scoped to that specific instance, with an “FYI” notification sent out.
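  The following is an added example and not the 140 lines from the talk: the authorization step inside a break-glass API like the one on slide 54, at the point where the CUP token with custom claims is turned into a short-lived, single-instance credential. The function checks the standard Cognito ID token claims (issuer, audience, token_use, expiry), checks the requested instance against the entitlement carried in a custom claim, and builds the parameters for an STS AssumeRole call whose session policy allows Session Manager access to that one instance only. Signature verification of the JWT against the user pool's JWKS is assumed to have happened before these claims are trusted; the pool id, app client id, account, role name and the claim name custom:ec2_instances are constructed placeholders.

```python
"""Break-glass authorization: from a verified CUP ID token to a scoped credential (added example)."""
import json

REGION = "eu-central-1"
ACCOUNT = "123456789012"                               # constructed
USER_POOL_ID = "eu-central-1_EXAMPLE"                  # constructed
APP_CLIENT_ID = "1example23456789"                     # constructed
BREAK_GLASS_ROLE = f"arn:aws:iam::{ACCOUNT}:role/BreakGlassOperator"   # constructed
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"  # real issuer format
INSTANCE_CLAIM = "custom:ec2_instances"                # constructed custom claim, comma-separated


def check_id_token_claims(claims, now):
    """Standard checks for a Cognito ID token, applied after signature verification."""
    if claims.get("token_use") != "id":
        raise PermissionError("not an ID token")
    if claims.get("iss") != ISSUER:
        raise PermissionError("unexpected issuer")
    if claims.get("aud") != APP_CLIENT_ID:
        raise PermissionError("token issued for another app client")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")


def authorized_instances(claims):
    """The entitlement the corporate IdP asserted, carried through as a custom claim."""
    return {i for i in claims.get(INSTANCE_CLAIM, "").split(",") if i}


def session_policy(instance_id):
    """Session policy: the assumed role's permissions are intersected with this,
    so the credential can start a session on one instance and nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "ssm:StartSession",
        "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{instance_id}"}]}


def build_assume_role_request(claims, instance_id, now):
    """Parameters for sts.assume_role(**params) behind the /gettoken call."""
    check_id_token_claims(claims, now)
    if instance_id not in authorized_instances(claims):
        raise PermissionError(f"{instance_id} is not in the operator's entitlement")
    return {
        "RoleArn": BREAK_GLASS_ROLE,
        "RoleSessionName": f"breakglass-{claims['cognito:username']}",   # shows up in CloudTrail
        "Policy": json.dumps(session_policy(instance_id)),
        "DurationSeconds": 900,   # the shortest STS allows; the credential is single-purpose
    }


def is_authorized(claims, instance_id, now):
    """Boolean wrapper used by the portal to decide whether to issue a credential."""
    try:
        build_assume_role_request(claims, instance_id, now)
        return True
    except PermissionError:
        return False


# Constructed sample claims as they would appear in a verified CUP ID token.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": APP_CLIENT_ID, "token_use": "id",
    "cognito:username": "operator1", "exp": 1543420800,
    INSTANCE_CLAIM: "i-a1b2c3d4e5f6000000,i-0f0e0d0c0b0a000001",
}
SAMPLE_NOW = 1543417200      # one hour before exp


if __name__ == "__main__":
    print(json.dumps(build_assume_role_request(SAMPLE_CLAIMS, "i-a1b2c3d4e5f6000000", SAMPLE_NOW), indent=2))
```

  The role itself can stay broad enough to cover any instance the portal might ever hand out; the per-request session policy and the 15-minute lifetime are what make each issued credential least-privilege, and the RoleSessionName ties every CloudTrail event back to the human who pressed “go”.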
  • 55. Dynamic break-glass access. (Image (C) Copyright Stephanie Van Deman, licensed for reuse under the Creative Commons Attribution-Generic 2.0 License.)
  • 56. Thank you! Quint Van Deman. Find me on LinkedIn.