At times you may have a need to provide external entities access to resources within your AWS account. You may have users within your enterprise that want to access AWS resources without having to remember a new username and password. Alternatively, you may be creating a cloud-backed application that is used by millions of mobile users. Or you have multiple AWS accounts that you want to share resources across. Regardless of the scenario, AWS Identity and Access Management (IAM) provides a number of ways you can securely and flexibly provide delegated access to your AWS resources. Come learn how to best take advantage of these options in your AWS environment.

1. Delegating Access to your AWS Environment
Jeff Wierer, Identity and Access Management (IAM)
November 14, 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

2. Goals for this talk
Understand the technology
Use cases we’ll cover
• Sessions and the AWS
Security Token Service
(STS)
• Roles and assumed-role
sessions
• Federated sessions
• And more…
• Cross-Account API Access
• AWS API Federation
• AWS Management Console
Federation
• Web Identity Federation

3. Let’s start with a short demo 

4. AWS Management Console SSO Demo Setup
(Sample - http://aws.amazon.com/code/4001165270590826)
Active Directory
Log into the console without a user name and
password!

5. Single Sign-On AWS Management Console
Demo

6. Wait… what just happened?
1.
2.
3.
4.
Logged into my Windows desktop
Hit an intranet website
Chose the “role” I wanted to play in AWS
Auto-magically signed in to the console

7. Delegation basics:
Sessions & the AWS Security Token Service

8. Sessions 101
• Allow delegating temporary access to your AWS account
• Are generated by the AWS Security Token Service
• Include temporary security credentials that are used to
make API calls to AWS services

9. Requesting a Session
Start by requesting a session from AWS STS
Session
Access Key Id
Secret Access Key
Session Token
Expiration

10. What’s in a Session?
Session
Access Key Id
Secret Access Key
Session Token
Expiration
Temporary
Security
Credentials

11. Multiple Ways to Get Sessions
Session
Access Key Id
Secret Access Key
Session Token
Expiration
•
•
•
Self-sessions (GetSessionToken)
Federated sessions (GetFederationToken)
Assumed-role sessions
•
•
•
assumeRole
assumeRoleWithWebIdentity
assumeRoleWithSAML

12. Sessions Expire
Session
Access Key Id
Secret Access Key
Session Token
Expiration
Expiration varies based on token type [Min/Max/Default]
•
•
•
•
Self (Account)
Self (IAM User)
Federated
Assumed-role
[15 min / 60 min / 60 min]
[15 min / 36 hrs / 12 hrs]
[15 min / 36 hrs / 12 hrs]
[15 min / 60 min / 60 min]
Use caching to improve your application performance

13. Role-based Delegation:
Using assumed-role sessions

14. What’s an IAM Role?
• Entity that defines a set of permissions for making AWS
service requests
• Not associated with a specific user or group
• Roles must be “assumed” by trusted entities

15. Using AWS Service Roles
• Allow AWS services (e.g., Amazon EC2, AWS Data
Pipeline, AWS OpsWorks) to act on behalf of your account
• Create a role, apply an access policy, launch service with it
• Services can now access resources/API defined by the
access policy
• With used with EC2, credentials are automatically:
– Made available to the metadata cache*
– Rotated multiple times a day
– AWS SDK transparently uses these credentials within your apps!
*http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
Returns the temporary credentials for the instance

16. Roles for EC2 Demo
Create a role and launch an EC2 instance:

17. Benefits of Using Roles
•
•
•
•
Eliminates use of long-term credentials
Automatic credential rotation
Less coding – AWS SDK does all the work
Simple to delegate access to AWS
Services to perform work on your behalf

18. Use Case: Cross-Account API Access
• Access resources across AWS accounts
• Why do you need it?
– Management visibility across all your AWS accounts
– Developer access to resources across AWS accounts
– Enables using third-party management solutions

19. Using IAM Roles for Cross-Account API Access
• Extended “Service Roles” concept
– Set a trust policy granting access
– Set an access policy as before
• Delegate access to other trusted entities
– AWS services (such as EC2)
– IAM users/roles within your account
– IAM users/roles under a different
account
• IAM users in one account can now
access resources in another account
How to define who can assume the role using the console
{ "Statement": [
{
"Effect": "Allow",
"Action": “sts:AssumeRole",
"Resource": "arn:aws:iam::111122223333:role/MyRole"
}
]
}
Entity can assume MyRole under account 111122223333

20. Cross-Account API Access – How Does It Work?
IAM Team Account
My AWS Account
Acct ID: 123456789012
Jeff (IAM User)
Acct ID: 111122223333
Authenticate with Jeff’s
access keys
STS
s3-role
Get temp security credentials
by “assuming” s3-role
Permissions assigned to s3-role
{ "Statement": [
{
"Effect": "Allow",
"Action": “s3:*",
"Resource": "*"
}
]
}
Call S3 APIs using temporary
security credentials
{ "Statement": [{
"Effect": "Allow",
"Action": “sts:AssumeRole",
"Resource": "arn:aws:iam::111122223333:role/s3-role"
}
]
}
{ "Statement": [{
"Effect":"Allow",
"Principal":{"AWS":"arn:aws:iam::123456789012:root"},
"Action":"sts:AssumeRole"
}
]
}
Policy assigned to Jeff granting him permission to assume s3-role in account B
Policy assigned to s3-role defining who (trusted entities) can assume the role

21. Cross-Account Demo
Building a Cross-Account Amazon S3 Browser

22. Assumed-Role Session – Code Sample
public static Credentials getAssumeRoleSession(String AccessKey, String SecretKey )
{
Credentials sessionCredentials;
AmazonSecurityTokenServiceClient client = new AmazonSecurityTokenServiceClient(
Accesskey, GetSecretkey,
new AmazonSecurityTokenServiceConfig());
// Store the attributes and request a new AssumeRole session (temporary security credentials)
AssumeRoleRequest request = new AssumeRoleRequest
{
DurationSeconds = 3600,
RoleArn = "arn:aws:iam::111122223333:role/s3-role",
RoleSessionName = "S3BucketBrowser"
};
AssumeRoleResponse startSessionResponse = client.AssumeRole(request);
if (startSessionResponse != null) // Check for valid security credentials or null
{
AssumeRoleResult startSessionResult = startSessionResponse.AssumeRoleResult;
sessionCredentials = startSessionResult.Credentials;
return sessionCredentials;
}
else
{
throw new Exception("S3 Browser :: Error in retrieving temporary security creds, received NULL");
}
}

23. Cross-Account API Access Delegation Benefits
• Use one set of credentials
• No more sharing long-term credentials
• Revoke access to the role anytime you want!

24. Federation:
Access AWS with your existing corporate identity

25. Federation Overview
• Access AWS with your existing corporate identity
• Why use federation?
– SSO to the AWS Management Console
– Build apps that transparently access AWS resources and APIs
– Eliminate “yet another password” to manage

26. Use Case: API Federation
(Sample - http://aws.amazon.com/code/1288653099190193)
• Identity provider
– Windows Active Directory
– Privileges based on AD group membership
– AD groups include policies
• Relying party is AWS API (S3*)
• Uses federated session via GetFederationToken
API

27. AWS API Federation Walkthrough
Customer (Identity Provider)
AWS Cloud (Relying Party)
Get Federation
Token Request
4
2
Federation Proxy
3
•
•
•
5
Access Key
Secret Key
Session Token
S3 Bucket
with Objects
6
Active
Directory
Request
Session
User
Application
Get Federation Token
Response
Receive
Session
Amazon
EC2
AWS Resources
1
7
APP
Amazon
DynamoDB
Call AWS APIs
• Uses a set of IAM user credentials to
make a GetFederationTokenRequest()
• IAM user permissions need to be the
union of all federated user permissions
• Proxy needs to securely store these
Federation
privileged credentials
Proxy

28. API Federation Demos
Federation sample + CloudBerry AD bridge

29. Using IAM Roles for Federation
• Assumed-role sessions can also be used for federation
• Provides a different option for storing AWS permissions
• Allows for “separation of duties” in managing AWS
permissions
• Corp admin manages groups, users, and intranet permissions
• AWS admin creates roles & maintains policies on those roles

30. Use Case: Console Federation
(Sample - http://aws.amazon.com/code/4001165270590826)
• Identity provider
– Windows Active Directory
– Privileges based on AD group membership
– AD groups match the names of IAM roles
• Relying party is AWS Management Console
• Uses assumed-role session via AssumeRole

31. Basics of a Role-Based Federation Proxy
Acct ID: 111122223333
Authenticate with
access keys
STS
s3-role
Proxy Server
IAM User
Get temporary
security credentials
login using temporary security
credentials
Access policy set to s3-role
{
"Statement": [{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
AWS Management
Console
Access policy assigned to Proxy (IAM user) granting access to
ListRoles and AssumeRoles for all roles
Trust policy set to s3role defining who can assume the role
{
"Statement": [{
"Effect": "Allow",
"Action": ["iam:ListRoles","sts:AssumeRole"],
"Resource": "arn:aws:iam::1111222233334444:role/*"
}
]
}
{"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::111122223333:root"},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {"sts:externalId": "SOME-AD-SID"}}
}
]
}

32. Console Federation Walkthrough (assumeRole)
List RolesResponse
Customer (IdP)
4
7
2
AWS Cloud (Relying Party)
5
AssumeRole Request
Assume Role Response
Temp Credentials
6
Federation
Create combo
proxy
box
•
•
•
9
3
List RolesRequest
8
Access Key
Secret Key
Session Token
Generate URL
10
Redirect to
Console
AWS
Management
Console
Corporate
directory
1
Browser
interface
Browse to URL
Federation
proxy
• Uses a set of IAM user credentials to
make AssumeRoleRequest()
• IAM user permissions only need to be
able to call ListRoles & assume role
• Proxy needs to securely store these
credentials

33. SSO Federation using SAML 2.0
New
• STS supports Security Assertion Markup Language
• Use existing identity management software to access
AWS Resources
• AWS Management Console SSO
– IdP Initiated Web SSO via SAML 2.0 using the HTTP-POST binding
(Web SSO profile)
– New sign-in URL that greatly simplifies SSO
https://signin.aws.amazon.com/saml<SAML AuthN response>
• API federation using new assumeRoleWithSAML API

34. Console Federation using SAML
Enterprise (Identity Provider)
AWS (Service Provider)
Identity provider
2
3
AWS Sign-in
Receives
AuthN response
4
Post to Sign-In
Passing AuthN Response
Corporate
identity store
User
browses to
Identity provider
Browser
interface
1
5
Redirect client
AWS Management
Console

35. SAML Federation Demos
Single Sign-On to AWS Management Console
API Federation

36. Partner Offerings for Federation / SSO
http://www.xceedium.com/xsuite/xsuite-for-amazon-web-services
http://www.okta.com/aws/
http://www.symplified.com/solutions/single-sign-on-sso
https://www.pingidentity.com/products/pingfederate/
http://www.cloudberrylab.com/ad-bridge.aspx

37. Federation Benefits
•
•
•
•
Leverage your existing corporate identities
Use the user name/password you already know
Enforce corporate policies/governance
When employees leave, you only need to delete
their corporate account

38. Use Case: Web Identity Federation
• Want to create cloud-backed mobile apps
– Leaderboards
– Image/File Sharing
– Saved state/user settings for cross-device access
• Challenges
– Users may, or may not, be authenticated
– Assume users don’t have AWS accounts
– Developers need to securely delegate limited access to
their AWS resources
• Enables granting access to AWS resources
without embedding credentials in app

39. Web Identity Federation: Detailed Walkthrough
7
3
Id Token
Web identity
Provider
EC2
Instances
S3
AWS Services
6
2
4
Token
Verification
5
Check
Policy
IAM
AWS Cloud
AP-SOUTHEAST-1
Amazon
DynamoDB
Mobile App
EU-WEST-1
1
US-EAST-1
Authenticate
User

40. Web Identity Federation Benefits
• Create mobile/web-based apps that easily integrate
major web identity providers with AWS
• Eliminates the need to
– Directly embed AWS access key IDs and secret access keys
– Utilize proxy servers to access AWS services
• Introduces assumeRoleWithWebIdentity API
– Create an IAM role per application
– Use a policy that replace a variable using metadata from an id/access token
– Pass the token with the request to assume the role
• Support: Login with Amazon, Facebook, & Google
• Learn more at session SEC401

41. A few final words

42. Are There Any Limitations to using Sessions?
Federated
Assumed-Role*

Security Token Service

AWS Identity and Access Management (IAM)


AWS Elastic Beanstalk
Amazon Elastic MapReduce


All other services




(for assumeRole)
Accurate as of 11/14/2013. See http://aws.amazon.com/iam for most up to date list

43. Summary: Use Cases
Cross-Account API Access
• Use one set of credentials
• No more sharing long-term credentials
• Revoke access to the role anytime you want!
AWS API / Management Console Federation
•
•
•
•
Leverage your existing corporate identities
Use the user name/password you already know
Enforce corporate policies/governance
When employees leave, you only need to delete their corporate account
Web Identity Federation
• Simplify granting access to resources for your mobile apps
• Built-in support for Login with Amazon, Facebook, & Google identities

44. Additional resources
•
•
•
•
•
IAM detail page: http://aws.amazon.com/iam
AWS forum: https://forums.aws.amazon.com/forum.jspa?forumID=76
Documentation: http://aws.amazon.com/documentation/iam/
AWS Security Blog: http://blogs.aws.amazon.com/security
Twitter: @AWSIdentity

45. All IAM related sessions at re:Invent
ID
Title
Time, Room
CPN205
Securing Your Amazon EC2 Environment with AWS IAM
Roles and Resource-Based Permissions
Wed 11/13 11am, Delfino 4003
SEC201
Access Control for the Cloud: AWS Identity and Access
Management (IAM)
Wed 11/13 1.30pm, Marcello 4406
SEC301
TOP 10 IAM Best Practices
Wed 11/13 3pm, Marcello 4503
SEC302
Mastering Access Control Policies
Wed 11/13 4.15pm, Venetian A
SEC303
Delegating Access to Your AWS Environment
Thu 11/14 11am, Venetian A
Come talk security with AWS
Thu 11/14 4pm, Toscana 3605

46. Please give us your feedback on this
presentation
SEC303
As a thank you, we will select prize
winners daily for completed surveys!