The document discusses AWS Identity and Access Management (IAM) roles, which allow granting temporary security credentials to users, applications, and AWS services. IAM roles provide a secure way to delegate access and are easy to manage. The presentation covers when and how to use IAM roles, including for cross-account access, granting least privilege access, and enabling AWS services to access resources. It also provides examples of using IAM roles for EC2 instances and with AWS Secrets Manager.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Unleash the Power of Temporary
AWS Credentials (a.k.a. IAM roles)
Apurv Awasthi
Sr. Product Manager
AWS
S I D 3 9 0
Ujjwal Pugalia
Sr. Product Manager
AWS

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
What are temporary AWS credentials, aka AWS Identity and Access
Management (IAM) roles
Why should you use IAM roles?
When should you use IAM roles?
How does all of this work (role play).
How will you use IAM roles?
Temporary credentials everywhere – a peek at AWS Secrets Manager

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What are IAM roles?
•IAM roles are IAM principals used to delegate access to employees,
applications, and AWS services
•An IAM role consists of:
• Trust policy: Who can use this IAM role
• Permissions policy: Which resources, services, and actions can be
accessed using this IAM role
•Employees, applications, and AWS services can assume IAM roles. Once
assumed, they are granted temporary AWS credentials to access
resources on AWS

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why should you use IAM roles?
Secure
Deliver temporary
AWS credentials
Convenient
Easy to manage because
multiple employees
and applications can use the
same role
Available at no charge
There are no charges
for using roles

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
When should you use IAM roles?
• Grant cross-account access to employees
• Use identities in your current IdP to access resources on AWS
• Enable applications running on AWS or on premises to make
AWS API calls
• Enable AWS services to make AWS API calls on your behalf
Think of IAM roles as limited sudo in to AWS
Humans
Bots
AWS services

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Delegate access to contractor
@AnyCompany
Acct ID: 444455556666
s3-role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::ExampleCorp"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject" ],
"Resource": ["arn:aws:s3:::ExampleCorp/*"]
}]}
@Example Corp.
Acct ID: 111122223333
Authenticate with
Bob’s access keys
Get temporary
security credentials
for s3-role
Call AWS APIs using
temporary security
credentials
of s3-role
{ "Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource":
"arn:aws:iam::444455556666:role/s3-role“}
]}
{ "Statement": [
{
"Effect":"Allow",
"Principal":{"AWS":“1111222233334444"},
"Action":"sts:AssumeRole"
}]}
s3-role trusts IAM users from the Example Corp.
account (111122223333)
Permissions assigned to Bob
granting him permission to
assume s3-role in account
AnyCompany
IAM user: Bob
Permissions assigned to s3-role
STS
Amazon S3
Bucket with objects

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How will you use IAM roles at AnyCompany?
1. [Cross-account access] Developer Dan requires access to an S3 bucket in the Prod
account
2. [Cross-account access] Contractor Bob requires access to an S3 bucket in the Prod
account
3. [Least privileges] Require Dan to use IAM roles to delete an Amazon DynamoDB
table
4. [Audit] Administrator Andy wants to track who used an IAM role
5. [Access for AWS services] Amazon Lex uses Amazon Polly to synthesize speech
responses for your bot
6. [IAM roles for EC2] Application running on Amazon Elastic Compute Cloud
(Amazon EC2) requires access to an S3 bucket and DynamoDB table
7. [SAML Federation] Administrator Andy wants to use IAM with identities stored in
an external IdP

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Temporary credentials everywhere –
a peek at AWS Secrets Manager
Secure
Store and encrypt
database credentials
etc. centrally
Rotate
Rotate secrets
automatically, on
demand or on schedule
Pay as you go
No licensing fee or
upfront cost

11. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Apurv Awasthi
awasth@amazon.com
(or, the blackjack tables at Treasure Island)

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Some resources to help you get started
re:Invent 2017 sessions (videos on YouTube)
• How You can use AWS’ Identity Services to be Successful on Your AWS Cloud
Journey (SID 303): https://bit.ly/2O5JhZ4
• Soup to Nuts: Identity Federation for AWS (SID 344): https://bit.ly/2D25dDu
• IAM Policy Ninja (SID 314): https://bit.ly/2JcEJT3
Documentation and blog posts
• IAM best practices: http://amzn.to/2gGcEUC
• Best practices for using IAM roles (video): http://bit.ly/2zttop2
• Using IAM roles for Amazon EC2 instances: http://amzn.to/1St3F4q
• Attaching IAM role to an existing Amazon EC2 instance: http://amzn.to/2lceuMB
• Limit Amazon S3 bucket access to a specific IAM role: http://amzn.to/2n5o9Kj
• Rotate database credentials using Secrets Manager: https://amzn.to/2GLceqD

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Appendix

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tracking & monitoring use of IAM roles
Production Support
Erin
Production Support
Bob
Production Support
Alice
Production Support
Carol
prod-support-S3-bucket-account-b
Assume
role
Put object A
B
C

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tracking IAM roles using AWS CloudTrail
Step 1: Locate the put object call using the object name.
Step 2: Find the assume role call using the temporary access key.
Step 3: Find the assume role call from the originating account
using the shared event ID.

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Step 1: Locate the put object call using the object name.
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAJN6FXOWE7SY7KDNKW:AWS-CLI-session-1503619346",
"arn": "arn:aws:sts::123456789666:assumed-role/prod-support-S3-bucket-account-b/AWS-CLI-session-1503619346",
"accountId": "123456789666",
"accessKeyId": "ASIAJDCQY5DSKNVSQUKQ",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAJN6FXOWE7SY7KDNKW",
"arn": "arn:aws:iam::123456789666:role/prod-support-S3-bucket-account-b",
"accountId": "784011040245",
"userName": "prod-support-S3-bucket-account-b"
},
"attributes": {
"creationDate": "2017-08-25T00:02:26Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2017-08-25T00:02:27Z",
"eventSource": "s3.amazonaws.com",
"eventName": "PutObject",
"awsRegion": "us-east-1",
"sourceIPAddress": “XX.XX.XXX.XX",
"userAgent": "[aws-cli/1.11.46 Python/2.7.9 Windows/7 botocore/1.5.9]",
"requestParameters": {
"bucketName": "iam-roles-webinar-product-support-account-b",
"key": "mobile-resources/iam-roles-testFile.txt"

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Step 2: Find the assume role call using the temporary access key.
"eventSource": "sts.amazonaws.com",
"eventName": "AssumeRole",
"awsRegion": "us-east-1",
"sourceIPAddress": “XX.XX.XXX.XX",
"userAgent": "aws-cli/1.11.46 Python/2.7.9 Windows/7 botocore/1.5.9",
"requestParameters": {
"roleArn": "arn:aws:iam::123456789666:role/prod-support-S3-bucket-account-b",
"roleSessionName": "AWS-CLI-session-1503619346"
},
"responseElements": {
"credentials": {
"accessKeyId": "ASIAJDCQY5DSKNVSQUKQ",
"expiration": "Aug 25, 2017 1:02:26 AM",
"sessionToken": “XXX"
}, "assumedRoleUser": {
"assumedRoleId": "AROAJN6FXOWE7SY7KDNKW:AWS-CLI-session-1503619346",
"arn": "arn:aws:sts::123456789666:assumed-role/prod-support-S3-bucket-account-b/AWS-CLI-session-1503619346"
}},
"requestID": "adeb855c-8928-11e7-a0a2-8d7a034d3805",
"eventID": "f48cebce-2194-44c3-bc7d-a4b64b0c5802",
"resources": [{
"ARN": "arn:aws:iam::123456789666:role/prod-support-S3-bucket-account-b",
"accountId": "123456789666",
"type": "AWS::IAM::Role"
}],
"eventType": "AwsApiCall",
"recipientAccountId": "123456789666",
"sharedEventID": "245452c8-af00-44fa-bd12-d13c16e1da2c"}]

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Step 3: Find the assume role call from the originating account using the
shared event ID.
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAJI6WTWP4ZQ6ABT7BW",
"arn": "arn:aws:iam:: 123456789123:user/Brigid",
"accountId": “123456789123",
"accessKeyId": "AKIAJCZ6IERGFDSFAH4Q",
"userName": "Brigid"
},
"eventTime": "2017-08-25T00:02:26Z",
"eventSource": "sts.amazonaws.com",
"eventName": "AssumeRole",
"awsRegion": "us-east-1",
"sourceIPAddress": “XX.XX.XXX.XX", "userAgent": "aws-cli/1.11.46 Python/2.7.9 Windows/7 botocore/1.5.9",
"requestParameters": {
"roleArn": "arn:aws:iam::123456789123:role/prod-support-S3-bucket-account-b",
"roleSessionName": "AWS-CLI-session-1503619346"
},
"responseElements": {… },
"assumedRoleUser": {…}},
…
"eventType": "AwsApiCall",
"recipientAccountId": "123456789123",
"sharedEventID": "245452c8-af00-44fa-bd12-d13c16e1da2c"
}