AWS identity services: Enabling and securing your cloud journey - SEC203 - New York AWS Summit

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS identity services: Enabling and
securing your cloud journey
Quint Van Deman
Business Development Manager, AWS Identity (@AWSIdentity)
Amazon Web Services
S E C 2 0 3

Calibration

Identity: Our definition for today
Identity
management
Access
management
Resource
management

Our metaphor
Amazon Web
Services (AWS)
Infrastructure
Application
Builders
Operators
Users
AWS
CLI

Our backdrop: “Typical” journey to AWS
TIME
VALUE

What we hear from customers
Enable the business to innovate
Agility to move fast
Give developers freedom
Prevent dangerous actions
Accountable for security posture
Cost-effective solutions
Goal: Enable you to build foundation quickly while maintaining your
desired security and governance posture
Business needs Security requirements

Likely first questions
• How many AWS accounts do I need?
• How do I govern my AWS accounts?
• How do I provide access into those accounts?
• What permissions do my users have in those accounts?
• How do I keep all of my AWS resources organized and segmented?

AWS identity services
Application
Infrastructure
AWS platform
AWS Organizations

Introducing AWS Organizations
Govern access to AWS
services, resources, and
regions
Central governance and management for multiple
AWS accounts
Configure AWS services
across multiple AWS
accounts
Automate AWS
account creation
and management
Consolidate billing across
multiple AWS accounts

Primer: AWS accounts
What really is an AWS account?
• A container for AWS resources
• A clear isolation boundary for:
• Administration
• Network access
• Permissions/resource sharing
You can have any number of AWS accounts you wish (within limits).
One account designated as the master account, others are member accounts.

Manage global resources at scale
Customer-defined
keyand avalue on
AWSassets
Centralized servicefor
managing multiple
accounts
A securityand
management
boundary within an
organization

What AWS accounts do I need?
AWS opinionated views, solutions, and services

What AWS accounts do I
need?
Common options:
• Per environment (dev, test, prod)
• Per business unit per environment
• Per app per environment
• Per app per region per environment
Seek a reasonable balance:
• Isolation vs. maturity
• Evolve over time
Refining your own opinion

Organizations: Governing AWS accounts
Organizations
Service control
policies
Service control
policies
us-east-1
us-west-2
ap-south-1
AWS Account

Organizations: Managing AWS accounts
AWS Artifact AWS CloudTrail Amazon CloudWatch AWS Config AWS Directory Service
AWS Firewall Manager AWS License Manager AWS RAM AWS Service Catalog AWS SSO
AWS services natively integrated with Organizations
More coming!
AWS IAM
AWS Control Tower Service Quotas

Next: Account access

Application
Infrastructure
AWS platform
Organizations AWS SSO

Introducing AWS SSO
Centrally manage SSO access to multiple AWS accounts and
business applications for your workforce
Centrally manage
access to multiple
AWS accounts
Easy to enable
and use
Use your choice of
existing or cloud
native identities
Provide SSO access to
business applications

SSO: Your choice of identity store
AWS CloudCorporate data center
Active
Directory Directory Service AWS SSO
Users and
groups
Option 1: Use corporate identities by connecting to
and existing directory
AWS Cloud
AWS SSO
Users and
groups
Option 2: Create users in AWS SSO

AWS SSO: Define permission sets
Master account
Member acct 1 Member acct N
Uses Organizations to retrieve your list and
structure of accounts
Define permissions using standard syntax and
tools
Definitions and policies automatically deployed
and maintained in member accounts

AWS SSO: Assign permission sets
Master account
Select users or
groups
Select desired
permission set
Grant access to one AWS
account, an OU, or the
entire organization

AWS SSO: User experience
End user authenticates
Permission sets they’ve
been granted
Options for console or
CLI/API access
Access other business
applications

What permissions do I give my users?
Least privilege is a journey,
not a starting point

Application
Infrastructure
AWS platform
Organizations AWS IAMAWS SSO

Introducing AWS IAM
Securely manage access to AWS services and resources
Authenticate and
authorize AWS APIs
Specify policy-based
permissions
Provide fine-grain
access controls for
AWS actions and
resources
Provide short-term
credentials for
humans, machines,
and applications

IAM policy basics
PARC model:
• Principal – Who
• Action – Can access
• Resource – What
• Condition – Under what cond.
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Department": "Development“
}
}
} ]
}
P

Attribute-based access control (ABAC)
“If the tag on the principal matches the tag on the
resource, allow, otherwise deny.”
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Department": "Development“
}
}
} ]
}
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Department": “${aws:PrincipalTag/Department}“
}
}
} ]
}

Short-term credential basics
Macro pattern 1:
Trust-based exchange
Macro pattern 2:
AWS-delivered credentials
Source credential
Time-bound
credentials returned
Assuming a role through
preestablished trust
AWS compute service
Provide identity by passing a
role
Time-bound credentials
delivered and rotated

Further exploration
Understanding IAM primitives: Understanding IAM policy:
AWS re:Invent 2018: A Practitionerʼs
Guide to Securing Your Cloud (Like an
Expert) (SEC203-R1)
AWS re:Invent 2018: Become an
IAM Policy Master in 60 Minutes
or Less (SEC316-R1)

AWS Account
AWS Account
SAML federation into AWS IAM
AWS Account
SAML federation for the console, APIs,
and CLI
Self-paced
workshop materials
Achieve the same core result as SSO, more “assembly level”

It doesn’t depend
So you want to manage access for a whole
bunch of users into a whole bunch of roles
in a whole bunch of AWS accounts?
Based on features available as of May 2019; will
change based on future launches

Cloud builders: Ready to get building!
AWS account
VPC
Amazon RDS
Amazon EC2
Application
“Control plane” – AWS APIs
(creating, terminating, etc.)
Builder
Operator
DBA
“Data plane” – VPC connections
(SSH, RDP, database clients, etc.)

• How do I centrally authenticate users connecting to operating systems?
• How do I control which users can connect to which instances?
• How do I manage DBA access into relational database engines?
• How do I manage service accounts (noninteractive users)?

Application
Infrastructure
AWS platform
Organizations Directory ServiceAWS IAMAWS SSO

Introducing: AWS Directory Services
Managed Microsoft Active Directory in the AWS Cloud
Easily migrate your
directory dependent
workloads by leveraging a
managed service
Provide infrastructure
access management
without syncing identity
data
Use actual Microsoft
Active Directory integrated
with other AWS services and
applications

Establishing Active Directory in AWS
AWS CloudCorporate data
center
Active
Directory AWS Managed
Microsoft AD
Users and
groups
LDAP,
Kerberos,
referrals
Trust
Option 1: AWS Managed Microsoft AD with
Trust
Option 2: AD Connector with service principal
center
Active
Directory AD Connector
Users and
groups
LDAP,
Kerberos
Service
principal
Option 3: Stand-alone AWS Managed
Microsoft AD
AWS Cloud
AWS Managed
Microsoft AD
Users and
groups
Option X: Combinations of the above
Option 4: AD on Amazon EC2 with replication
center
Active
Directory
Self-managed ADUsers and
groups
Replication

Leveraging Active Directory in AWS
center
Active
Directory AWS Managed
Microsoft AD
Users and
groups
LDAP,
Kerberos,
referrals
Trust
Amazon EC2
(Windows/Linux)
Amazon RDS for SQL Server
Amazon WorkSpaces
Amazon Chime Amazon WorkDocs Amazon WorkMail
Amazon QuickSight Amazon Connect
Amazon FSx
VPC AWS managed applications
Windows
application
Operator
access
End-user access
Domain
join
Provisioning

It doesn’t depend
Operator access to
Amazon EC2 op
system
Operator access to
Amazon RDS SQL
Server
End-user access to
AWS managed
applications
Amazon FSx End-user access
to apps on
Amazon EC2
Managed AD w/2-way trust
Managed AD w/1-way trust
AD Connector
AWS Managed AD (stand alone)
Self managed AD on EC2
Choosing the right option to extend AD domain services into AWS
Current as of May 2019; always consult documentation for latest information

Further exploration
AWS Managed Microsoft AD deep dive:
AWS re:Invent 2018: AWS Directory Service
for Microsoft Active Directory Deep Dive
(WIN303-R1)

Identity “for the infrastructure”: Future steps
Traditional Utopia
• Domain joining

• How do I securely connect to AWS APIs from my infrastructure components?
• How do I manage and deploy application credentials for connecting to
relational databases?

Deeper look: IAM roles for AWS compute services
AWS credentials auto
delivered and rotated
AWS credentials auto
discovered and used
Access controlled by policy
attached to role
Your code
Operating
system
EC2
instance
AWS resources
Also works with AWS Lambda and Amazon ECS
Permissions
Role
Temporary
security credential
AWS SDKs
Amazon DynamoDB
Amazon Kinesis
Amazon S3

AWS Secrets Manager
Your code
Operating
system
EC2
instance
AWS resources
Permissions
Role
Temporary
security credential
AWS SDKs
DynamoDB Kinesis
Secrets Manager
VPC
Amazon RDS
DBA
AWS CloudFormation
Authorized call to
Secrets Manager DB creds
loaded
DB creds
returned
Connection
established
Safe
rotation
Combo provides a reliable, secure, auto-rotating solution for ALL credentials

Applications: Ready for end users!
AWS account
VPC
Amazon RDS
Amazon EC2
Application Resource access:
Relational databases
Builder
Operator
DBA
API access:
AWS servicesAmazon S3
Secrets Manager
End user

• How do I add sign-up and sign-in to my applications easily?
• How do I add support for standards like OIDC or SAML?
• How do I control access to business applications for my workforce?

Application
Infrastructure
AWS platform
Organizations Directory ServiceAWS IAM Amazon CognitoAWS SSO

Introducing Amazon Cognito
Simple and secure user sign-up, sign-in, and access control for
web and mobile apps
Offload undifferentiated
identity heavy lifting
Provide advanced
security for your apps
and users
Use standards-based
authentication
Use your choice of
existing or cloud
native identities

Amazon Cognito: Flexible and fully managed application
identity
Extensible AuthN and AuthZ:
Lambda Application
Load
Balancer
Amazon
API Gateway
Built-in UI for applications
SPAWebAndroidiOS
Out-of-the-box support for
open standards
SAML OAuth2 OIDC
Flexible and scalable API and SDK support
AWS SDKs
IonicVue
AngularNode JS React
iOS Android
MFACompromised-password
DB
Secure and available
Adaptive
auth
99.9% SLA
Google Facebook Amazon
Out-of-the-box support for
social federation
Amazon Cognito

Amazon Cognito
Get AWS credentials
Access AWS services
Authenticate 1
Redirect/ post
back
Access serverless backend
Federating
IdP
IdP token
CUP tokenCUP token
CUP token
AWS STS
AWS STS
User pool tokens are used to
access backend resources
Identity pools provide AWS
credentials to access AWS
services
User pools authenticate users
and return standard tokens
2
3
4
56
Amazon Cognito
API Gateway Lambda
Amazon Cognito
DynamoDB Amazon S3

Further exploration
Serverless authentication and
authorization session
Serverless authentication and
authorization workshop

Revisiting where we got ahead of ourselves, part 1
AWS CloudCorporate data center
Active
Directory AWS Managed Microsoft
AD
Users and
groups
LDAP,
Kerberos,
referrals
Trust
VPC
Custom SAML-
enabled
application
End-user access
AWS SSO
Custom SAML
enabled
application
Internet
SaaS
application
AWS SSO
user portal
AWS SSO: End-user access to business applications

Revisiting where we got ahead of ourselves, part 2
center
Active
Directory AWS Managed Microsoft
AD
Users and
groups
LDAP,
Kerberos,
referrals
Trust
Amazon EC2
(Windows/Linux)
Amazon WorkSpaces
Amazon Chime WorkDocs WorkMail
Amazon QuickSight Amazon Connect
VPC AWS Managed Applications
Windows
application
End-user access
Directory Services: End-user access to windows applications and AWS-
managed applications

Application
Infrastructure
AWS platform
Organizations Directory ServiceAWS IAM Amazon CognitoAWS SSO
Identity and
access
management
for your apps
and APIs
Actual Microsoft
Active Directory
as a managed
service on the
AWS Cloud
Fine-grained
access
management
for AWS
resources
Manage single
sign-on (SSO)
access to
multiple AWS
accounts and
business
applications
Central
governance and
management
for multiple
AWS accounts

Thank you!
Quint Van Deman
@AWSIdentity on Twitter
Find me on LinkedIn

AWS identity services: Enabling and securing your cloud journey - SEC203 - New York AWS Summit

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to AWS identity services: Enabling and securing your cloud journey - SEC203 - New York AWS Summit

Similar to AWS identity services: Enabling and securing your cloud journey - SEC203 - New York AWS Summit (20)

More from Amazon Web Services

More from Amazon Web Services (20)

AWS identity services: Enabling and securing your cloud journey - SEC203 - New York AWS Summit