aws may webinar series - getting started with aws identity and access management
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jonathan Desrocher, Security Solutions Architect
5.22.2015
Best Practices: Control
Access Authentication and
Authorization with AWS IAM
Today’s agenda
• AWS Security model fundamentals.
• Review of IAM core mechanics for controlling account
authentication and authorization.
• IAM Federation options.
• Integrating IAM to other AWS services.
• Best practices for implementing and scaling IAM
configuration on AWS
• Questions & Answers.
AWS And You Share Responsibility for Security
[Diagram: AWS takes care of the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). You get to define your controls IN the Cloud: customer applications & content, Data Security, Access Control, Network Security, Server Security.]
What This Means
• You benefit from an environment built for the most security-sensitive organizations.
• AWS manages 1800+ security controls so you don't have to.
• You get to define the right security controls for your workload sensitivity.
• You always have full ownership and control of your data.
Introducing AWS Identity and Access Management
• Enables you to control who can do what to your AWS account and resources.
• Allows or denies any API operation against your AWS account based on customer-configurable parameters.
• API calls are captured in AWS CloudTrail and correlated to AWS Config configuration items.
AWS IAM service interfaces
• Operator interfaces: AWS Management Console; Windows PowerShell & Command Line Interface.
• Programmer interfaces: AWS Software Development Kits; other AWS services.
Getting started with IAM: User Authentication
IAM Users can be
authenticated using:
• Username/password
• API Access Keys
• Multi-factor tokens
Getting started with IAM: Policies
IAM Policies manage the level of access granted to established identities such as IAM Users and Groups.
Each policy contains statements that define the identity's privileges: which actions are allowed or denied, on which resources, and under which conditions.
Creating IAM Policies in code
See the full article on the AWS .NET blog:
http://blogs.aws.amazon.com/net/post/Tx24U6H2IJVUUTT/Creating-Access-Policies-in-Code
using System.Collections.Generic;
using Amazon.Auth.AccessControlPolicy;
using Amazon.Auth.AccessControlPolicy.ActionIdentifiers;

public Policy GeneratePolicy(string bucket, string username, string ipAddress)
{
    var statement = new Statement(Statement.StatementEffect.Allow);

    // Allow access to the sub folder represented by the username in the bucket.
    statement.Resources.Add(ResourceFactory.NewS3ObjectResource(bucket, username + "/*"));

    // Allow Get and Put object requests only.
    statement.Actions = new List<ActionIdentifier>()
        { S3ActionIdentifiers.GetObject, S3ActionIdentifiers.PutObject };

    // Lock the requests to those coming from the client machine.
    statement.Conditions.Add(ConditionFactory.NewIpAddressCondition(ipAddress));

    var policy = new Policy();
    policy.Statements.Add(statement);
    return policy;
}
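The same policy expressed as an IAM JSON document, together with a small evaluator that shows what the three controls in GeneratePolicy() actually do to individual requests. This is an added example, not code from the webinar or from the AWS SDK: the evaluator is a deliberately simplified model of IAM's evaluation logic (an explicit Deny beats any Allow, anything unmatched is an implicit Deny) and only understands the IpAddress and NotIpAddress condition operators. Bucket, user and address values are made up.

```python
"""Build the policy from the GeneratePolicy() C# sample as an IAM JSON document
and evaluate requests against it. Simplified model of IAM's decision logic:
explicit Deny wins, otherwise Allow if any statement matches, otherwise Deny."""
import ipaddress
import json
import re


def generate_policy(bucket, username, ip_address):
    """Same three controls as the C# version: the user's own prefix only,
    GetObject/PutObject only, and requests only from the given address/CIDR."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/{username}/*",
            "Condition": {"IpAddress": {"aws:SourceIp": ip_address}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, allowed in pairs.items():
            actual = context.get(key)
            if actual is None:
                # Missing key: a positive operator fails, a negated (Not*) one is satisfied.
                if operator == "IpAddress":
                    return False
                continue
            in_range = any(ipaddress.ip_address(actual) in ipaddress.ip_network(net, strict=False)
                           for net in _as_list(allowed))
            if in_range != (operator == "IpAddress"):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny' for one request. Action names are matched
    case-insensitively as IAM does; resource ARNs are case-sensitive."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for statement in _as_list(policy["Statement"]):
        if not any(_glob(a, action, ignore_case=True) for a in _as_list(statement["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(statement["Resource"])):
            continue
        if not _condition_holds(statement.get("Condition"), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = generate_policy("photos-bucket", "alice", "203.0.113.10/32")
    print(json.dumps(policy, indent=2))
    print(evaluate(policy, "s3:GetObject", "arn:aws:s3:::photos-bucket/alice/a.jpg",
                   {"aws:SourceIp": "203.0.113.10"}))
```

Running it shows the point of each control: a GetObject on alice/ from the pinned address is allowed, the same call on bob/ is denied by the resource scope, DeleteObject is denied because it is not in the action list, and the identical request from another address is denied by the IpAddress condition.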
New IAM Policy Validation Requirements
• Effective March 2015 – for every policy creation and
update.
• See reference documentation: http://docs.aws.amazon.com/IAM/latest/UserGuide/policies_policy-validator.html
New release: Managed Policies
• IAM Policies can now be a
standalone object.
• Customer can link
Managed Policies to
Users and Roles.
• AWS maintains a set of
Managed Policies for you.
• You can maintain your own
set of Managed Policies.
Visibility of API access using AWS CloudTrail logs
• AWS CloudTrail captures and aggregates API access for:
• Security analysis
• Compliance
• Troubleshooting operational
issues.
• Each AWS CloudTrail log
entry contains caller’s IAM
identity.
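Because every CloudTrail record carries the caller's identity, a log file can be reduced to "who did what" with a few lines of code. The following is an added example, not part of the webinar; SAMPLE_RECORDS is constructed to mirror the CloudTrail record layout (userIdentity, eventSource, eventName, sourceIPAddress and so on) and contains no real account or log data. Besides the per-principal counts it raises two findings that follow from the webinar's own advice: any use of the root account, and IAM users calling the API with a long-term access key (AKIA...) rather than a role's temporary credentials.

```python
"""Reduce CloudTrail records to per-caller activity plus a few high-value findings.
SAMPLE_RECORDS is constructed for this example; it is not real CloudTrail output."""
import json

SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventVersion": "1.03", "eventTime": "2015-05-22T14:02:11Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"}},
    {"eventVersion": "1.03", "eventTime": "2015-05-22T14:05:40Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "sourceIPAddress": "203.0.113.44", "userAgent": "aws-cli/1.7.29",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEUSERID01",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accountId": "123456789012", "userName": "alice",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventVersion": "1.03", "eventTime": "2015-05-22T14:09:03Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-sdk-java/1.9.0",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEROLEID01:i-0abc1234",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebServer/i-0abc1234",
                      "accountId": "123456789012", "accessKeyId": "ASIAEXAMPLETEMPKEY01",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false",
                                                        "creationDate": "2015-05-22T13:58:00Z"},
                                         "sessionIssuer": {"type": "Role", "userName": "WebServer",
                                                           "arn": "arn:aws:iam::123456789012:role/WebServer"}}}},
]})


def caller_of(record):
    """Reduce the userIdentity block to a short principal label."""
    ident = record["userIdentity"]
    kind = ident.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return "user/" + ident["userName"]
    if kind == "AssumedRole":
        # For a role session the stable name is the issuing role, not the session ARN.
        return "role/" + ident["sessionContext"]["sessionIssuer"]["userName"]
    return ident.get("arn", "unknown:" + str(kind))


def summarize(raw_json):
    """Return (events per caller, findings) for one CloudTrail log file.
    Findings: root-account activity, and IAM users calling the API with a
    long-term access key (AKIA...) instead of a role's temporary credentials."""
    counts, findings = {}, []
    for rec in json.loads(raw_json)["Records"]:
        who = caller_of(rec)
        counts[who] = counts.get(who, 0) + 1
        ident = rec["userIdentity"]
        if who == "root":
            findings.append(f"{rec['eventTime']} root account used for {rec['eventName']} "
                            f"from {rec['sourceIPAddress']}")
        elif ident.get("type") == "IAMUser" and ident.get("accessKeyId", "").startswith("AKIA"):
            findings.append(f"{rec['eventTime']} {who} called {rec['eventName']} with long-term key "
                            f"{ident['accessKeyId']} from {rec['sourceIPAddress']}")
    return counts, findings


if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_RECORDS)
    for who, n in sorted(counts.items()):
        print(f"{n:4d}  {who}")
    for line in findings:
        print("FINDING:", line)
```

On the sample the role session from the EC2 instance produces no finding, which is the behaviour the "avoid hard-coding" guidance later in the deck is aiming for: instance roles show up in CloudTrail as assumed-role sessions with temporary (ASIA...) keys, so anything still calling with an AKIA key stands out.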
Leveraging AWS Security Token Service
• Provides trusted users with temporary credentials to AWS resources.
• STS tokens can be provisioned for:
  • Existing IAM users
  • Ad-hoc users (federated identities that have no IAM user of their own)
Console Federation using SAML (AssumeRoleWithSAML)
[Diagram: Enterprise (Identity Provider) on the left: browser interface, corporate identity store, identity provider. AWS (Service Provider) on the right: AWS Sign-in, AWS Management Console.]
1. User browses to the identity provider.
2. The identity provider authenticates the user against the corporate identity store; the browser receives the AuthN response.
3. The browser posts to AWS Sign-In, passing the AuthN response.
4. AWS Sign-in exchanges the assertion for temporary credentials (AssumeRoleWithSAML, as named in the slide title).
5. AWS Sign-in redirects the client to the AWS Management Console.
Leveraging IAM Roles
• Defines a set of permissions for making AWS service
requests
• Not associated with a specific user or group.
• Assumed by trusted entities such as IAM users,
accounts and AWS services such as EC2.
• Each Role is composed of:
• Trust Policy (who is allowed to assume it).
• Authorization Policy (what can that entity do).
Trust Policy
Authorization
Policy
AWS Directory Service
• Managed service that lets you:
• Connect your AWS resources with existing on-premises
Microsoft Active Directory
• Set up new standalone directory in AWS Cloud.
• Can use directory to allow federation of directory users
and groups to the AWS Management Console.
Web Identity Federation (AssumeRoleWithWebIdentity)
[Diagram: a Mobile App, a Web identity Provider, AWS IAM, and AWS Services (Amazon DynamoDB, S3, Amazon SQS) deployed across regions US-EAST-1, EU-WEST-1 and AP-SOUTHEAST-1. Numbered flow: 1 Authenticate User (mobile app to web identity provider); 2 Id Token; 4 Token Verification; 5 Check Policy. Steps 3, 6 and 7 carry only their numbers on the slide.]
Integrate your application to the AWS platform
• Check out AWS Cognito for accelerating the
development of applications using external user
identities.
• Mobile applications: http://aws.amazon.com/mobile/
• AWS JavaScript in the Browser SDK: http://aws.amazon.com/developers/getting-started/browser/
• “Building a website that costs pennies to operate”:
https://www.youtube.com/watch?v=BgU-GDgj4SM
AWS Service Roles
• A role that you create, and authorize an AWS service to
assume on your behalf.
• Useful for maintaining control and visibility of your AWS
resources.
• For example:
• Amazon EC2 (Making API calls from instances).
• AWS Directory Service (Enabling console access from DS
users).
• AWS Lambda (enable your function to interact with
resources).
How you can use IAM features to the maximum
Avoid hard-coding
No need to put credentials into applications –
access AWS resources using IAM roles for
EC2
• Search source code for hard-coded
access keys
• Create IAM roles with least-privilege
permissions
• Use IAM roles in application
• Launch EC2 instance with role
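The first step of that checklist, searching source code for hard-coded access keys, is easy to automate. The scanner below is an added example, not part of the webinar. It matches the two documented credential shapes: a 20-character access key ID beginning with AKIA (long-term) or ASIA (temporary, issued by STS), and a 40-character secret that appears in an assignment next to a name containing "secret" and "key" (the context requirement keeps hashes and random base64 from triggering it). SAMPLE_FILES is constructed for the example; the keys in it are the AWS documentation placeholders and one made-up ASIA key, not live credentials.

```python
"""Scan source text for hard-coded AWS access keys.
SAMPLE_FILES is constructed for this example; the keys are documentation
placeholders, not live credentials."""
import re

ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret keys are 40 chars of base64-ish text; requiring an assignment-style
# context ("..secret..key = '<40 chars>'") cuts down on false positives.
SECRET_KEY = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})\b")

SAMPLE_FILES = {  # constructed for the example
    "app/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"),
    "app/s3.py": (
        "import boto3\n"
        "s3 = boto3.client('s3')  # credentials come from the instance role\n"),
    "deploy/run.sh": (
        "export AWS_ACCESS_KEY_ID=ASIAJEXAMPLEXEG2JICE\n"),
}


def scan_text(path, text):
    """Return (path, line_no, kind, value) for every credential-looking match."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            hits.append((path, no, "access_key_id", m.group(1)))
        for m in SECRET_KEY.finditer(line):
            hits.append((path, no, "secret_access_key", m.group(1)))
    return hits


def scan_files(files):
    """files: mapping of path -> file contents (read from disk in real use)."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


if __name__ == "__main__":
    for path, no, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{no}: {kind} {value[:8]}...")
```

The file that obtains its credentials from the instance role produces no hits, which is the end state the checklist is driving at; every hit in the other files is a credential to move into a role and then rotate out.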
Rotate AWS IAM access keys regularly
A shorter access key lifetime reduces the potential impact of a leaked key.
• Create an additional access key
• Update all applications to use the new key
• Validate that applications are working
• Mark the previous access key as inactive
• Validate that applications still work
• Delete the inactive access key
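The six steps above as one function, with the two validation checkpoints made explicit: if the applications fail with the new key it is removed, and if they fail once the old key is inactive the old key is re-activated, so at no point is the user left without a working key. This is an added example, not from the webinar. The iam parameter is any object exposing the four boto3 IAM client methods used (create_access_key, update_access_key, delete_access_key, list_access_keys); FakeIam is a constructed in-memory stand-in so the flow runs offline, and in production you would pass boto3.client("iam"). deploy_key and verify are hooks supplied by the caller, because how keys reach applications and how health is checked are deployment-specific.

```python
"""Rotate an IAM user's access key: create, deploy, validate, deactivate old,
validate again, delete old. FakeIam is a constructed stand-in for boto3's IAM client."""
import itertools


class RotationAborted(Exception):
    """Raised when a validation step fails; the old key is left usable."""


def rotate_access_key(iam, username, deploy_key, verify):
    """deploy_key(access_key_id, secret) pushes the new key to every consumer;
    verify() returns True when the applications are confirmed working."""
    keys = iam.list_access_keys(UserName=username)["AccessKeyMetadata"]
    if len(keys) != 1:
        # IAM allows at most two keys per user, so rotation needs one free slot;
        # two existing keys also means a previous rotation was never finished.
        raise RotationAborted(f"expected exactly one existing key, found {len(keys)}")
    old_id = keys[0]["AccessKeyId"]

    new = iam.create_access_key(UserName=username)["AccessKey"]      # step 1
    deploy_key(new["AccessKeyId"], new["SecretAccessKey"])            # step 2
    if not verify():                                                  # step 3
        iam.delete_access_key(UserName=username, AccessKeyId=new["AccessKeyId"])
        raise RotationAborted("applications failed with the new key; new key removed")

    iam.update_access_key(UserName=username, AccessKeyId=old_id, Status="Inactive")  # step 4
    if not verify():                                                  # step 5
        # Something still uses the old key: re-enable it and stop; both keys remain.
        iam.update_access_key(UserName=username, AccessKeyId=old_id, Status="Active")
        raise RotationAborted("applications still depend on the old key; re-activated")

    iam.delete_access_key(UserName=username, AccessKeyId=old_id)     # step 6
    return new["AccessKeyId"]


class FakeIam:
    """Constructed stand-in for boto3's IAM client: same call shapes, kept in memory."""
    _ids = itertools.count(1)

    def __init__(self, username, existing_key_id):
        self.keys = {username: {existing_key_id: "Active"}}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"UserName": UserName, "AccessKeyId": k, "Status": s}
                                      for k, s in self.keys[UserName].items()]}

    def create_access_key(self, UserName):
        if len(self.keys[UserName]) >= 2:
            raise RuntimeError("LimitExceeded: a user may have at most two access keys")
        key_id = f"AKIAFAKE{next(self._ids):012d}"
        self.keys[UserName][key_id] = "Active"
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "SecretAccessKey": "fake-secret-for-" + key_id, "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[UserName][AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[UserName][AccessKeyId]


def demo(consumer_updates=True):
    """Run one rotation against FakeIam. With consumer_updates=False one consumer
    keeps the old key, which is exactly the failure the step-5 check catches."""
    old_id = "AKIAOLDKEY0000000001"
    iam = FakeIam("alice", old_id)
    consumers = {"web": old_id, "worker": old_id}   # which key each application holds

    def deploy_key(key_id, secret):
        consumers["web"] = key_id
        if consumer_updates:
            consumers["worker"] = key_id

    def verify():
        # A consumer "works" if the key it holds is still Active in IAM.
        return all(iam.keys["alice"].get(k) == "Active" for k in consumers.values())

    try:
        new_id = rotate_access_key(iam, "alice", deploy_key, verify)
    except RotationAborted as exc:
        return None, iam.keys["alice"], str(exc)
    return new_id, iam.keys["alice"], "rotated"


if __name__ == "__main__":
    print(demo(consumer_updates=True))
    print(demo(consumer_updates=False))
```

The second demo run is the case the checklist's second validation exists for: one application was missed during the key update, the failure only shows once the old key is inactive, and the script restores the old key instead of deleting it.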
Putting it all together
[Diagram of the identity types covered: Root Account; IAM Users/Groups; STS Tokens; Roles (this account), assumed by AWS services (EC2 instances, Lambda functions, other AWS services), by Directory Services users, and by federated users from a SAML/Web Identity Provider; Trusted Role (any account), assumed from another AWS account.]
In summary
• IAM is about controlling who can do what to your
account and resources.
• IAM can be federated into external systems.
• IAM federation is the basis for integrating applications directly with other AWS services.
• There are other AWS services that can be used to
configure and augment IAM such as:
• AWS CloudFormation.
• AWS Cognito.
• AWS CloudTrail.
Additional resources
• IAM product page: http://aws.amazon.com/iam
• AWS Self-Paced IAM Lab:
https://qwiklabs.com/focuses/preview/1172?locale=en
• AWS Security Blog:
https://blogs.aws.amazon.com/security/
• 2014 re:Invent security track videos: https://www.youtube.com/playlist?list=PLhr1KZpdzukcJvl0e65MqqwycgpkCENmg
Get training and become AWS certified in your discipline
Get training from an instructor or try the self-paced labs
• http://aws.amazon.com/training/
Become AWS certified and gain recognition and visibility
• http://aws.amazon.com/certification
• Demonstrate that you have the skills, knowledge and expertise to design, deploy and manage applications on the AWS platform.
• Prove skills and foster credibility with your employer and peers.
Choose your discipline (or do all of them!)
• Solutions Architect
• Developer
• SysOps Administrator
AWS Summit – Chicago: An exciting, free cloud conference designed to educate and inform new customers about the AWS platform, best practices and new cloud services.
Details
• July 1, 2015
• Chicago, Illinois
• @ McCormick Place
Featuring
• New product launches
• 36+ sessions, labs, and bootcamps
• Executive and partner networking
Registration is now open
• Come and see what AWS and the cloud can do for you.
CTA Script
- If you are interested in learning more about how to navigate the cloud to grow
your business - then attend the AWS Summit Chicago, July 1st.
- Register today to learn from technical sessions led by AWS engineers, hear best
practices from AWS customers and partners, and participate in some of the 30+
paid sessions and labs.
- Simply go to https://aws.amazon.com/summits/chicago/?trkcampaign=summit_chicago_bootcamps&trk=Webinar_slide to register today.
- Registration is FREE.