(SEC307) A Progressive Journey Through AWS IAM Federation Options

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Quint Van Deman, Sr. IT Transformation Consultant, AWS Professional Services
Chad Wintzer, DevOps Engineering Lead, Dow Jones & Company
October 2015
SEC 307: A Progressive Journey Through AWS IAM Federation Options: From Roles to SAML to Custom Identity Brokers

Upload: amazon-web-services

Post on 20-Jan-2017


TRANSCRIPT

Page 1: (SEC307) A Progressive Journey Through AWS IAM Federation Options


Pages 2-6: (SEC307) A Progressive Journey Through AWS IAM Federation Options

What you will take away from this session

• Understand your federation options
• Get it right at scale
• Plan your approach
• Tooling to get started

Pages 7-8: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Session prerequisites

• To get the most out of this session, you must be comfortable with several building blocks: AWS IAM, roles, policies, AWS STS, long-lived credentials, temporary credentials.
• If you need to brush up, check out:
  • SEC305 – Become an AWS IAM Policy Ninja in 60 Minutes or Less
  • SEC302 – IAM Best Practices to Live By

Pages 9-11: (SEC307) A Progressive Journey Through AWS IAM Federation Options

AWS IAM federation: A progression of options (ordered by increasing involvement and control)

• Cross-account trust
• AWS Directory Service
• Security Assertion Markup Language (SAML)
• Custom identity broker

Related sessions: SEC305, SEC315. Session focus: SAML and the custom identity broker.

Pages 12-19: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Federation rationale

Before                After                Result
Unique credentials    Single sign-on       Users
Long-lived keys       Short-term tokens    Security
One-off               Naturally aligned    Compliance

Page 20: (SEC307) A Progressive Journey Through AWS IAM Federation Options

The journey: Federation with Security Assertion Markup Language (SAML)

Pages 21-25: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Quick SAML primer

• Identity provider (IdP) and service provider (SP)
• Metadata: exchanged in advance
• Assertion: exchanged in the login flow

Page 26: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Basic AWS federation with SAML

• Known science, assuming:
  • Few AWS accounts
  • AWS Management Console access
• Well documented:
  • Whitepapers
  • Blogs
  • Documentation

Pages 27-38: (SEC307) A Progressive Journey Through AWS IAM Federation Options

AWS federation with SAML: At-scale

• Many AWS accounts?
• Lots of users?
• Lots of AWS IAM roles?
• Multiple access vectors?
• Resource-level permissions?
• AWS CloudTrail impacts?
• IdP unavailable strategy?

Dive deep = Get it right

Pages 39-42: (SEC307) A Progressive Journey Through AWS IAM Federation Options

AWS federation with SAML: At-scale demo

• Automate onboarding
• User experience
• Under the hood

Pages 43-44: (SEC307) A Progressive Journey Through AWS IAM Federation Options

AWS federation with SAML: At-scale demo: Automate onboarding

Directory: group definitions
AWS account: providers, roles, and policies

Key takeaways

• Automate deployment of IAM roles and policies.
• Automate deployment of companion directory structure.
• Keep role definitions constant across accounts.

Pages 45-46: (SEC307) A Progressive Journey Through AWS IAM Federation Options

AWS federation with SAML: At-scale demo: Smooth user experience

Access vectors: AWS SDKs, AWS CLI

Key takeaways

• Federation shouldn’t limit access vectors.
• Getting users into groups should be automated and efficient.
• Don’t create a “low-to-high” exposure in the back end.

Pages 47-48: (SEC307) A Progressive Journey Through AWS IAM Federation Options

AWS federation with SAML: At-scale demo: Under the hood

IdP configurations; AWS CloudTrail samples

Key takeaways

• Naming conventions are critical.
• Configurations should rely on patterns, not values.
• Think about traceability now.
• Tighter policies help reduce AWS account sprawl.
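The onboarding and under-the-hood takeaways above (constant role definitions across accounts, a companion directory structure, IdP configuration driven by patterns rather than values) as an added example; this is not session code. The group naming convention AWS-<account id>-<RoleName>, the provider name CorpIdP, the account ids and the managed policies are assumptions; the trust-policy shape and the IdP Role attribute format "role-arn,provider-arn" are AWS's documented SAML federation contract.

```python
import json
import re

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS expects in SAML assertions
# Assumed directory naming convention: AWS-<12-digit account id>-<RoleName>
GROUP_PATTERN = re.compile(r"^AWS-(?P<account>\d{12})-(?P<role>[A-Za-z0-9+=,.@_-]+)$")
PROVIDER_NAME = "CorpIdP"                              # assumed SAML provider name in every account
ACCOUNTS = ["111111111111", "222222222222"]            # constructed sample account ids

# Role definitions live in one place and are stamped into every account unchanged.
ROLE_DEFINITIONS = {
    "ReadOnly": {"managed_policy": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
    "Developer": {"managed_policy": "arn:aws:iam::aws:policy/PowerUserAccess"},
}

def trust_policy(account_id, provider_name=PROVIDER_NAME):
    """Role trust policy allowing the account's SAML provider to assume the role.
    The SAML:aud condition pins assertions to the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }

def group_name(account_id, role_name):
    """Companion directory group for one (account, role) pair."""
    return f"AWS-{account_id}-{role_name}"

def role_attribute_value(account_id, role_name, provider_name=PROVIDER_NAME):
    """Value the IdP emits in the https://aws.amazon.com/SAML/Attributes/Role
    attribute: '<role-arn>,<provider-arn>'. Derived from the pattern, so the IdP
    configuration never hard-codes per-account values."""
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider_name}")

def role_attribute_from_group(group):
    """Map a directory group back to its Role attribute; None if it is off-pattern."""
    match = GROUP_PATTERN.match(group)
    if not match:
        return None
    return role_attribute_value(match["account"], match["role"])

def onboarding_plan(accounts=ACCOUNTS, roles=ROLE_DEFINITIONS):
    """One work item per (account, role): identical role definition, its
    companion directory group and the IdP attribute value to map it to."""
    plan = []
    for account in accounts:
        for role, definition in roles.items():
            plan.append({
                "account": account,
                "role_name": role,
                "managed_policy": definition["managed_policy"],
                "trust_policy": trust_policy(account),
                "group": group_name(account, role),
                "role_attribute": role_attribute_value(account, role),
            })
    return plan

if __name__ == "__main__":
    for item in onboarding_plan():
        print(item["group"], "->", item["role_attribute"])
    print(json.dumps(onboarding_plan()[0]["trust_policy"], indent=2))
```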

Pages 49-51: (SEC307) A Progressive Journey Through AWS IAM Federation Options

AWS federation with SAML: Looking beyond

• For some: SAML bliss!
• For others: Further needs.
  • Alternate user mapping
  • Curtail role sprawl
  • Curtail group sprawl
  • More granular, contextual policies
• If so: Custom identity broker

Page 52: (SEC307) A Progressive Journey Through AWS IAM Federation Options

The journey: Federation using a custom identity broker

Page 53: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Dow Jones & Company on AWS

• 3+ years on AWS
• Several flagship products run on AWS, including WSJ.com
• 3,000+ Amazon EC2 instances

Page 54: (SEC307) A Progressive Journey Through AWS IAM Federation Options

How we interact with AWS

Automate!

Page 55: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Our journey through identity management

• IAM users with static keys
• Nova v1: Basic roles
• Nova v2: Resource-level permissions, tagging standards
• Nova v3: Dynamic policy generation

Page 56: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Nova workflow

• Bob the Engineer opens the Nova PHP web application.
• Corporate SSO: authenticate w/ MFA.
• Active Directory: look up group membership.
• Nova database: group-to-role mappings.
• Ask Bob which AWS account he would like to access, based on available roles.
• IAM API: sts:AssumeRole for the appropriate IAM role.
• Result: access to the AWS Management Console and keys for API/CLI access.
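The Nova workflow above carried through in code, as an added example rather than Dow Jones's Nova application (which is PHP): the group-to-role table, the account ids, the issuer URL and the FakeSts offline stand-in are assumptions; the STS client is passed in (boto3's client("sts") in practice), and the federation endpoint with its getSigninToken and login actions is AWS's documented console-federation mechanism. The broker re-checks the directory mapping before assuming a role so the UI's selection is never trusted on its own, and the session name carries the user's identity into CloudTrail.

```python
import json
import urllib.parse

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"  # AWS console federation endpoint

# Constructed stand-in for the Nova database: AD group -> (AWS account, IAM role ARN).
GROUP_TO_ROLE = {
    "NOVA_PRODSHARED_DEVELOPER": ("111111111111", "arn:aws:iam::111111111111:role/nova.prodshared.developer"),
    "NOVA_TOOLS_READONLY": ("222222222222", "arn:aws:iam::222222222222:role/nova.tools.readonly"),
}

def available_roles(ad_groups, mapping=GROUP_TO_ROLE):
    """Roles the user may pick, keyed by AWS account; unmapped groups are ignored."""
    choices = {}
    for group in ad_groups:
        if group in mapping:
            account, role_arn = mapping[group]
            choices.setdefault(account, []).append(role_arn)
    return choices

def broker_session(sts, user, ad_groups, account, role_arn, duration=3600):
    """Assume the selected role only if the directory entitles the user to it;
    the mapping is re-evaluated here rather than trusting the UI's choice."""
    if role_arn not in available_roles(ad_groups).get(account, []):
        raise PermissionError(f"{user} is not entitled to {role_arn}")
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=user, DurationSeconds=duration)
    return resp["Credentials"]

def signin_token_url(creds):
    """Step 1 of console federation: the GET that exchanges the temporary
    credentials for a SigninToken (the caller performs the HTTP request)."""
    session = json.dumps({"sessionId": creds["AccessKeyId"],
                          "sessionKey": creds["SecretAccessKey"],
                          "sessionToken": creds["SessionToken"]})
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(
        {"Action": "getSigninToken", "Session": session})

def console_login_url(signin_token, issuer="https://nova.example.internal",  # assumed issuer
                      destination="https://console.aws.amazon.com/"):
    """Step 2: the URL the user's browser is redirected to with the SigninToken."""
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(
        {"Action": "login", "Issuer": issuer, "Destination": destination, "SigninToken": signin_token})

class FakeSts:
    """Offline stand-in for boto3's STS client with the same assume_role signature."""
    def __init__(self):
        self.calls = []
    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
                                "SessionToken": "example-token", "Expiration": "2015-10-08T00:00:00Z"}}

if __name__ == "__main__":
    sts = FakeSts()
    groups = ["NOVA_PRODSHARED_DEVELOPER", "Domain Users"]  # constructed AD lookup result
    print(available_roles(groups))
    creds = broker_session(sts, "bob", groups, "111111111111",
                           "arn:aws:iam::111111111111:role/nova.prodshared.developer")
    print(signin_token_url(creds))
    print(console_login_url("<SigninToken returned by the GET above>"))
```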

Page 57: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Nova v1 basic roles

• General roles like “Developer” assignable to different AWS accounts.
• Maps membership in AD groups to IAM roles.

(Diagram: roles × AWS accounts)

Page 58: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Nova v1 basic roles

Active Directory group: NOVA_PRODSHARED_DEVELOPER
IAM role: nova.prodshared.developer

{
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": ["*"],
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssignPrivateIpAddresses",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:AttachVolume",
        "ec2:BundleInstance",
        "ec2:CancelBundleTask",
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CancelSpotInstanceRequests",
        "ec2:ConfirmProductInstance",
        "ec2:CopyImage",
        "ec2:CopySnapshot",
        "ec2:CreateImage",
        "ec2:CreateInstanceExportTask",
        "ec2:CreateKeyPair",
        "ec2:CreateNetworkInterface",
        "ec2:CreatePlacementGroup",
        "ec2:CreateSnapshot",
        "ec2:CreateSpotDatafeedSubscription",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteKeyPair",
        "ec2:DeleteNetworkInterface"
      ]
    }
  ]
}

Page 59: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Nova v2 resource-level permissions

• Tagging and resource-level permissions matured.
• Tagging resources by team enabled resource-level permissions by team.
• Easy expansion, no changes necessary to Nova.

(Diagram: roles)

Page 60: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Nova v2 resource-level permissions

Active Directory group: NOVA_PRODSHARED_DJCS_DEV
IAM role: nova.prodshared.djcs.developer

{
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": ["*"],
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/servicename": [
            "djcs/*"
          ]
        }
      },
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssignPrivateIpAddresses",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:AttachVolume",
        "ec2:BundleInstance",
        "ec2:CancelBundleTask",
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CancelSpotInstanceRequests",
        "ec2:ConfirmProductInstance",
        "ec2:CopyImage",
        "ec2:CopySnapshot",
        "ec2:CreateImage"
      ]
    }
  ]
}

Page 61: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Nova v3 dynamic policy generation

Tagged resources: EC2 instances, Amazon RDS instance, Amazon Route 53 zone, all tagged Application: Poseidon, Lifecycle: Prod

User flow: Authenticate w/ MFA → Select AWS account → Select application → Select lifecycle

Generated policy:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": ["*"],
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/Application": [
            "Poseidon"
          ],
          "ec2:ResourceTag/Lifecycle": [
            "Prod"
          ]
        }
      },
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssignPrivateIpAddresses",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:AttachVolume",
        "ec2:BundleInstance",
        "ec2:CancelBundleTask",
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CancelSpotInstanceRequests",
        "ec2:ConfirmProductInstance",
        "ec2:CopyImage",
        "ec2:CopySnapshot"
      ]
    }
  ]
}
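Dynamic policy generation for the Nova v3 flow above, as an added example (not Dow Jones's code): the broker builds a tag-scoped document in the slide's shape from the user's application and lifecycle selection and hands it to STS as the inline session policy (the Policy parameter of AssumeRole, which intersects with the role's own permissions). The action subset, the role ARN and the local StringLike evaluator are assumptions; the evaluator approximates IAM's matching with fnmatch for an offline check of which tagged resources the generated document would reach.

```python
import fnmatch
import json

# Constructed subset of the EC2 actions listed on the slide.
EC2_ACTIONS = ["ec2:AllocateAddress", "ec2:AttachVolume", "ec2:CreateSnapshot",
               "ec2:CreateTags", "ec2:DeleteKeyPair"]

def build_session_policy(application, lifecycle, actions=EC2_ACTIONS):
    """Scope-down document keyed to the user's Application/Lifecycle selection,
    in the shape of the slide's policy. Wildcards in the selection are refused
    so a user cannot widen the StringLike match beyond one application/lifecycle."""
    for value in (application, lifecycle):
        if not value or any(ch in value for ch in "*?"):
            raise ValueError("selection must name one concrete application and lifecycle")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Resource": ["*"],
            "Condition": {"StringLike": {
                "ec2:ResourceTag/Application": [application],
                "ec2:ResourceTag/Lifecycle": [lifecycle],
            }},
            "Action": list(actions),
        }],
    }

def assume_role_request(role_arn, user, application, lifecycle):
    """Keyword arguments for sts.assume_role(**request). The generated document
    goes in the Policy parameter, so the session's effective permissions are the
    intersection of the role's policy and this document; the session name
    carries the selection into CloudTrail for traceability."""
    return {
        "RoleArn": role_arn,
        "RoleSessionName": f"{user}-{application}-{lifecycle}",
        "Policy": json.dumps(build_session_policy(application, lifecycle)),
    }

def resource_allowed(policy, action, resource_tags):
    """Local pre-check: would an Allow statement match `action` on a resource
    carrying `resource_tags`? Every ec2:ResourceTag/<Key> condition must be
    present on the resource and match one of its patterns (StringLike
    approximated with fnmatch: * and ? wildcards, case-sensitive)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        matched = True
        for key, patterns in conditions.items():
            value = resource_tags.get(key.split("/", 1)[1])
            if value is None or not any(fnmatch.fnmatchcase(value, p) for p in patterns):
                matched = False
                break
        if matched:
            return True
    return False

if __name__ == "__main__":
    request = assume_role_request("arn:aws:iam::111111111111:role/nova.prodshared.developer",
                                  "bob", "Poseidon", "Prod")  # assumed role ARN
    print(json.dumps(json.loads(request["Policy"]), indent=2))
    policy = build_session_policy("Poseidon", "Prod")
    print(resource_allowed(policy, "ec2:AttachVolume", {"Application": "Poseidon", "Lifecycle": "Dev"}))
```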

Page 62: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Your own journey: Rationalizing the decision-making process

Pages 63-68: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Rationalizing the decision-making process

• Existing federation investments?
• Federation needs beyond AWS?
• Desired level of control vs. involvement?
• Competency and bandwidth for application development?

Pages 69-72: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Comparison: SAML vs. Custom identity broker

SAML
• Pro: Low barrier to entry
• Pro: Federation beyond AWS
• Con: Number of roles, groups
• Con: Add’l automation to scale
Choose SAML if you want a balanced federation approach.

Custom identity broker
• Pro: Granular and contextual policies
• Pro: Complete control
• Con: Development effort
• Con: Complex evaluations
Choose a custom identity broker if you prefer to increase federation involvement for the ultimate control.

Pages 73-75: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Remember the principles of cloud architecture.

• Don’t overanalyze – experiment and iterate.
• Federation options are not mutually exclusive.
  • Several can exist in parallel.
  • Federation options use the same entities.
• Evolve your federation approach as your needs evolve.
  • Right for tomorrow is not always right for today.

Page 76: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Your own journey: Taking the first steps

Page 77: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Additional information

• Session resources (code and samples)
• AWS documentation
  • Manage Federation
  • Integrating Third-Party SAML Solution Providers with AWS
  • Request Information That You Can Use for Policy Variables
  • Custom Federation Broker
• AWS blogs
  • Whitepaper: Single Sign-On – Integrating AWS, OpenLDAP, and Shibboleth
  • How to Implement a General Solution for Federated API/CLI Access Using SAML 2.0

Page 78: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Remember to complete your evaluations!

Page 79: (SEC307) A Progressive Journey Through AWS IAM Federation Options

Thank you!