SlideShare a Scribd company logo

GPSTEC310_IAM Best Practices and Becoming an IAM Ninja

Amazon Web Services
Amazon Web Services

AWS Identity and Access Management (IAM) is the foundation that all AWS services require to function and perform any action. Mastering IAM is the skill set you need in your arsenal so that you can provide best-in-breed services through your application or services to your customers. This session shows you best practices for IAM, the latest service additions, and advanced automation techniques to become a certified IAM ninja.

1 of 42
Download to read offline
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT Scott Ward – Sol uti ons Archi tect Pat McDowel l – Sol uti ons Archi tect GPSTEC310 IAM Best Practices and Becoming an IAM Ninja
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. “I have been to IAM presentations before and I have seen the best practices. I get all that you have told me. What else can you tell me? I want to be dazzled. How can I improve via Automation or Machine Learning?”
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT Scott Ward – Sol uti ons Archi tect Pat McDowel l – Sol uti ons Archi tect GPSTEC310 Extending AWS Identity and Access Management through Automation and Machine Learning
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Customer: “I would like to use your service to monitor my account.”
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Scenario 1 – Access Keys Partner: “Sure, just send me your access keys…”
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Partner Account Customer Account Access Keys Scenario 1 – Access Keys
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Scenario 2 – Manual Cross Account Role Partner: “Sure, just follow this guide to create a cross account role. Create a policy, then create a role with our account number and this unique external id, then give us the ARN of your role.”
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Scenario 2 – Manual Cross Account Role Temporary Access Keys Policy, account#, external ID Role ARN Partner Account Customer Account
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles “My customers don’t like the number of steps to setup a cross account role… or they don’t understand why they are doing the steps…”
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Scenario 3 – Automated Cross Account Role Partner: “Sure, tell us your account number and we will get you setup.”
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Scenario 3 – Automated Cross Account Role Customer Account Partner role stack Customer “Click here to create cross account access” Partner Website Launch Partner AWS CloudFormation Template Role ARN Partner SNS Topic Partner Storage
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Automation – Partner Web Site
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Automation – Partner Web Site Master Template Generate External ID Customer Data Customer Account # External ID Role ARN Generate full URL to launch stack with customer specific values
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Automation – The AWS CloudFormation Template
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Automation – The AWS CloudFormation Template https://console.aws.amazon.com/cloudformation/home?region=us-east- 1#/stacks/create/review? templateURL=https://s3-us-west2.amazonaws.com/isco/wizard.yml& stackName=CrossAccountRoleSetup& param_TrustedAccount=123456789012& param_ExternalId=abcd1234
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Automation – Getting Data Back from the Customer Customer Account Partner role stack Partner SNS Topic Use an AWS CloudFormation custom resource to “phone home” with the final ARN PhoneHomeCustomResource: Properties: ServiceToken: arn:aws:sns:us-west- 2:111111111112:ARNSnsTopic RoleArn: !GetAtt CrossAccountRole.Arn AccountID: !Ref AWS::AccountId Type: Custom::PhoneHomeCustomResource Version: '1.0'
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Automation – AWS Organizations New Account Partner API Partner role stack Partner SNS TopicPartner Storage New Account Customer AWS Organizations Create New Account New Account Number Launch Partner AWS CloudFormation Template Partner Account Number External ID Template Location
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Automating the Creation of Cross Account Roles Why should I take this approach? Less steps for the customer to understand. Enables customer and partner to easily be at the right security configuration. Ensures consistency across all the partners customers. Enables automation for setup of many accounts.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. When Should I Create an IAM User?
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. When should I create an IAM user? Need programmatic access from a resource that is not housed in AWS. Individual user needs access and you are not linked into an identity provider yet. You want to enforce MFA on specific API calls. You want to enable longer lived sessions at the command line level (get-federated-token). Break Glass.
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Federation and the Command Line https://github.com/AdRoll/hologram Hologram LDAP Local Dev Hologram
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Federation and the Command Line https://github.com/rapid7/awsaml 1 Identity Provider Local Dev 2 3 4
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Macie
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Macie – Not just for S3! • User Behavior Analytics (UBA) applied to IAM User Activity • Applies AI to understand historical data access patterns and automatically assesses activity of users, applications and service accounts. Amazon Macie
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Privileged User Identification and Tracking • Helps classify privileged users into Platinum, Gold, Silver, Bronze • See total number of user sessions, see whose assuming roles, etc. • Find the needle in the haystack, see what API calls are never used
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Visualize Access Globally
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. User Investigation and Incident Response • Harness Macie ‘Research’ feature to Investigate IAM Anomalies • Macie assigns a risk level between 1 - 10 for each event • Alert through Amazon CloudWatch Events • Respond with AWS Lambda
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Least Privilege Made Easy • Eliminate principals who may not need access • Reduce access sprawl and debt • Fine-tune policies to their absolute minimum • Use in conjunction with Access Advisor
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Scaling IAM Management
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. StackSets – Multi-Account AWS CloudFormation
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Multiply all the things! • Create a central IAM Policy CFN – One Stack to Rule them All! • Multi-Account and Multi-Region via a single click • … or Can deploy across your entire AWS Organization • Removes the friction of IAM management across N-accounts • Integrate into your CI/CD process to quickly deploy, audit, and collaborate • Maintain full process in AWS CodeStar
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 1 Deploy, Many Updates •Central Identity Accounts were always a best practice….but operationally challenging •Scaling IAM Roles/Policies across N-Accounts is now approachable •Keep Control Central
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Easily Scale Central Identity Accounts Admin Role admins Admin Role Identity Account Sales Account Retail Account X-account Roles
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Central Identity Deployment with AWS CloudFormation StackSets StackSet Identity Account X-Account Trust
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Config Rules for Easy Compliance Stop bad IAM hygiene before it’s problematic
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Config – Building your own IAM CMDB • Maintain historical context and audit of all IAM changes, creates, deletes • Tracks actual policy and relationship changes • Auto-Remediate with Config rules and Lambda
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Config Rules - Maintain IAM Governance
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Config Rules – DevSecOps for IAM • Use Lambda to create responses to alerts via Config Rules • Hook into HR Systems like Workday or corp directories • Suspend principals who violate rules • Create Guard Rails that align to corporate governance • Rules are Evaluated constantly to give a binary compliant or non-compliant state
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What’s New in IAM? Roughly the last six months
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. IAM, What’s New? • Additional IAM Policy resource summaries • IAM Support for Auto-Scaling actions • Manage RDS MySQL and Aurora access using IAM • Service Linked Roles • IAM Policy Summaries
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. THANK YOU! C L I C K T O A D D T E X T C L I C K T O A D D T E X T

Recommended

SID344-Soup to Nuts Identity Federation for AWS
SID344-Soup to Nuts Identity Federation for AWSSID344-Soup to Nuts Identity Federation for AWS
SID344-Soup to Nuts Identity Federation for AWS
Amazon Web Services
 
GPSBUS204_Building a Profitable Next Generation AWS MSP Practice
GPSBUS204_Building a Profitable Next Generation AWS MSP PracticeGPSBUS204_Building a Profitable Next Generation AWS MSP Practice
GPSBUS204_Building a Profitable Next Generation AWS MSP Practice
Amazon Web Services
 
SID301_Using AWS Lambda as a Security Team
SID301_Using AWS Lambda as a Security TeamSID301_Using AWS Lambda as a Security Team
SID301_Using AWS Lambda as a Security Team
Amazon Web Services
 
GPSTEC302_Anti-Patterns- Learning through Failure
GPSTEC302_Anti-Patterns- Learning through FailureGPSTEC302_Anti-Patterns- Learning through Failure
GPSTEC302_Anti-Patterns- Learning through Failure
Amazon Web Services
 
ENT315_Landing Zones
ENT315_Landing ZonesENT315_Landing Zones
ENT315_Landing Zones
Amazon Web Services
 
SID201_IAM for Enterprises How Vanguard strikes the Balance Between Agility, ...
SID201_IAM for Enterprises How Vanguard strikes the Balance Between Agility, ...SID201_IAM for Enterprises How Vanguard strikes the Balance Between Agility, ...
SID201_IAM for Enterprises How Vanguard strikes the Balance Between Agility, ...
Amazon Web Services
 
SID331_Architecting Security and Governance Across a Multi-Account Strategy
SID331_Architecting Security and Governance Across a Multi-Account StrategySID331_Architecting Security and Governance Across a Multi-Account Strategy
SID331_Architecting Security and Governance Across a Multi-Account Strategy
Amazon Web Services
 
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...
Amazon Web Services
 

Recommended

SID344-Soup to Nuts Identity Federation for AWS
SID344-Soup to Nuts Identity Federation for AWSSID344-Soup to Nuts Identity Federation for AWS
SID344-Soup to Nuts Identity Federation for AWS
Amazon Web Services
 
GPSBUS204_Building a Profitable Next Generation AWS MSP Practice
GPSBUS204_Building a Profitable Next Generation AWS MSP PracticeGPSBUS204_Building a Profitable Next Generation AWS MSP Practice
GPSBUS204_Building a Profitable Next Generation AWS MSP Practice
Amazon Web Services
 
SID301_Using AWS Lambda as a Security Team
SID301_Using AWS Lambda as a Security TeamSID301_Using AWS Lambda as a Security Team
SID301_Using AWS Lambda as a Security Team
Amazon Web Services
 
GPSTEC302_Anti-Patterns- Learning through Failure
GPSTEC302_Anti-Patterns- Learning through FailureGPSTEC302_Anti-Patterns- Learning through Failure
GPSTEC302_Anti-Patterns- Learning through Failure
Amazon Web Services
 
ENT315_Landing Zones
ENT315_Landing ZonesENT315_Landing Zones
ENT315_Landing Zones
Amazon Web Services
 
SID201_IAM for Enterprises How Vanguard strikes the Balance Between Agility, ...
SID201_IAM for Enterprises How Vanguard strikes the Balance Between Agility, ...SID201_IAM for Enterprises How Vanguard strikes the Balance Between Agility, ...
SID201_IAM for Enterprises How Vanguard strikes the Balance Between Agility, ...
Amazon Web Services
 
SID331_Architecting Security and Governance Across a Multi-Account Strategy
SID331_Architecting Security and Governance Across a Multi-Account StrategySID331_Architecting Security and Governance Across a Multi-Account Strategy
SID331_Architecting Security and Governance Across a Multi-Account Strategy
Amazon Web Services
 
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...
ENT324-Automating and Auditing Cloud Governance and Compliance in Multi-Accou...
Amazon Web Services
 
GPSTEC316_GPS-Image Management Best Practices for Amazon WorkSpaces
GPSTEC316_GPS-Image Management Best Practices for Amazon WorkSpacesGPSTEC316_GPS-Image Management Best Practices for Amazon WorkSpaces
GPSTEC316_GPS-Image Management Best Practices for Amazon WorkSpaces
Amazon Web Services
 
WIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdf
WIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdfWIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdf
WIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdf
Amazon Web Services
 
SRV213-Thirty Serverless Architectures in 30 Minutes
SRV213-Thirty Serverless Architectures in 30 MinutesSRV213-Thirty Serverless Architectures in 30 Minutes
SRV213-Thirty Serverless Architectures in 30 Minutes
Amazon Web Services
 
DAT309_Best Practices for Migrating from Oracle and SQL Server to Amazon RDS
DAT309_Best Practices for Migrating from Oracle and SQL Server to Amazon RDSDAT309_Best Practices for Migrating from Oracle and SQL Server to Amazon RDS
DAT309_Best Practices for Migrating from Oracle and SQL Server to Amazon RDS
Amazon Web Services
 
FSV307-Capital Markets Discovery How FINRA Runs Trade Analytics and Surveilla...
FSV307-Capital Markets Discovery How FINRA Runs Trade Analytics and Surveilla...FSV307-Capital Markets Discovery How FINRA Runs Trade Analytics and Surveilla...
FSV307-Capital Markets Discovery How FINRA Runs Trade Analytics and Surveilla...
Amazon Web Services
 
EUT303_Modernizing the Energy and Utilities Industry with IoT Moving SCADA to...
EUT303_Modernizing the Energy and Utilities Industry with IoT Moving SCADA to...EUT303_Modernizing the Energy and Utilities Industry with IoT Moving SCADA to...
EUT303_Modernizing the Energy and Utilities Industry with IoT Moving SCADA to...
Amazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
AI & Deep Learning At Amazon
AI & Deep Learning At AmazonAI & Deep Learning At Amazon
AI & Deep Learning At Amazon
Amazon Web Services
 
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdfWPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
Amazon Web Services
 
WIN204-Simplifying Microsoft Architectures with AWS Services
WIN204-Simplifying Microsoft Architectures with AWS ServicesWIN204-Simplifying Microsoft Architectures with AWS Services
WIN204-Simplifying Microsoft Architectures with AWS Services
Amazon Web Services
 
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side EncryptionSID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
Amazon Web Services
 
Soup to Nuts: Identity Federation for AWS
Soup to Nuts: Identity Federation for AWSSoup to Nuts: Identity Federation for AWS
Soup to Nuts: Identity Federation for AWS
Amazon Web Services
 
GPSTEC307_Too Many Tools
GPSTEC307_Too Many ToolsGPSTEC307_Too Many Tools
GPSTEC307_Too Many Tools
Amazon Web Services
 
WPS205_Is AWS GovCloud Right for your Regulated Workload
WPS205_Is AWS GovCloud Right for your Regulated WorkloadWPS205_Is AWS GovCloud Right for your Regulated Workload
WPS205_Is AWS GovCloud Right for your Regulated Workload
Amazon Web Services
 
GPSBUS202_Driving Customer Value with Big Data Analytics
GPSBUS202_Driving Customer Value with Big Data AnalyticsGPSBUS202_Driving Customer Value with Big Data Analytics
GPSBUS202_Driving Customer Value with Big Data Analytics
Amazon Web Services
 
WIN401_Migrating Microsoft Applications to AWS
WIN401_Migrating Microsoft Applications to AWSWIN401_Migrating Microsoft Applications to AWS
WIN401_Migrating Microsoft Applications to AWS
Amazon Web Services
 
How Amazon Scales Its Infrastructure to Handle Billions of Transactions on Pr...
How Amazon Scales Its Infrastructure to Handle Billions of Transactions on Pr...How Amazon Scales Its Infrastructure to Handle Billions of Transactions on Pr...
How Amazon Scales Its Infrastructure to Handle Billions of Transactions on Pr...
Amazon Web Services
 
Cost Optimisation on AWS
Cost Optimisation on AWSCost Optimisation on AWS
Cost Optimisation on AWS
Amazon Web Services
 
BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...
BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...
BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...
Amazon Web Services
 
Automate Best Practices and Operational Health for AWS Resources with AWS Tru...
Automate Best Practices and Operational Health for AWS Resources with AWS Tru...Automate Best Practices and Operational Health for AWS Resources with AWS Tru...
Automate Best Practices and Operational Health for AWS Resources with AWS Tru...
Amazon Web Services
 
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Amazon Web Services
 
ARC325_Managing Multiple AWS Accounts at Scale
ARC325_Managing Multiple AWS Accounts at ScaleARC325_Managing Multiple AWS Accounts at Scale
ARC325_Managing Multiple AWS Accounts at Scale
Amazon Web Services
 

More Related Content

What's hot

GPSTEC316_GPS-Image Management Best Practices for Amazon WorkSpaces
GPSTEC316_GPS-Image Management Best Practices for Amazon WorkSpacesGPSTEC316_GPS-Image Management Best Practices for Amazon WorkSpaces
GPSTEC316_GPS-Image Management Best Practices for Amazon WorkSpaces
Amazon Web Services
 
DAT309_Best Practices for Migrating from Oracle and SQL Server to Amazon RDS
DAT309_Best Practices for Migrating from Oracle and SQL Server to Amazon RDSDAT309_Best Practices for Migrating from Oracle and SQL Server to Amazon RDS
DAT309_Best Practices for Migrating from Oracle and SQL Server to Amazon RDS
Amazon Web Services
 
FSV307-Capital Markets Discovery How FINRA Runs Trade Analytics and Surveilla...
FSV307-Capital Markets Discovery How FINRA Runs Trade Analytics and Surveilla...FSV307-Capital Markets Discovery How FINRA Runs Trade Analytics and Surveilla...
FSV307-Capital Markets Discovery How FINRA Runs Trade Analytics and Surveilla...
Amazon Web Services
 
EUT303_Modernizing the Energy and Utilities Industry with IoT Moving SCADA to...
EUT303_Modernizing the Energy and Utilities Industry with IoT Moving SCADA to...EUT303_Modernizing the Energy and Utilities Industry with IoT Moving SCADA to...
EUT303_Modernizing the Energy and Utilities Industry with IoT Moving SCADA to...
Amazon Web Services
 
AI & Deep Learning At Amazon
AI & Deep Learning At AmazonAI & Deep Learning At Amazon
AI & Deep Learning At Amazon
Amazon Web Services
 
WIN204-Simplifying Microsoft Architectures with AWS Services
WIN204-Simplifying Microsoft Architectures with AWS ServicesWIN204-Simplifying Microsoft Architectures with AWS Services
WIN204-Simplifying Microsoft Architectures with AWS Services
Amazon Web Services
 
GPSTEC307_Too Many Tools
GPSTEC307_Too Many ToolsGPSTEC307_Too Many Tools
GPSTEC307_Too Many Tools
Amazon Web Services
 
GPSBUS202_Driving Customer Value with Big Data Analytics
GPSBUS202_Driving Customer Value with Big Data AnalyticsGPSBUS202_Driving Customer Value with Big Data Analytics
GPSBUS202_Driving Customer Value with Big Data Analytics
Amazon Web Services
 
How Amazon Scales Its Infrastructure to Handle Billions of Transactions on Pr...
How Amazon Scales Its Infrastructure to Handle Billions of Transactions on Pr...How Amazon Scales Its Infrastructure to Handle Billions of Transactions on Pr...
How Amazon Scales Its Infrastructure to Handle Billions of Transactions on Pr...
Amazon Web Services
 
BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...
BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...
BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...
Amazon Web Services
 
Automate Best Practices and Operational Health for AWS Resources with AWS Tru...
Automate Best Practices and Operational Health for AWS Resources with AWS Tru...Automate Best Practices and Operational Health for AWS Resources with AWS Tru...
Automate Best Practices and Operational Health for AWS Resources with AWS Tru...
Amazon Web Services
 

What's hot (20)

GPSTEC316_GPS-Image Management Best Practices for Amazon WorkSpaces
GPSTEC316_GPS-Image Management Best Practices for Amazon WorkSpacesGPSTEC316_GPS-Image Management Best Practices for Amazon WorkSpaces
GPSTEC316_GPS-Image Management Best Practices for Amazon WorkSpaces
 
WIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdf
WIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdfWIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdf
WIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdf
 
SRV213-Thirty Serverless Architectures in 30 Minutes
SRV213-Thirty Serverless Architectures in 30 MinutesSRV213-Thirty Serverless Architectures in 30 Minutes
SRV213-Thirty Serverless Architectures in 30 Minutes
 
DAT309_Best Practices for Migrating from Oracle and SQL Server to Amazon RDS
DAT309_Best Practices for Migrating from Oracle and SQL Server to Amazon RDSDAT309_Best Practices for Migrating from Oracle and SQL Server to Amazon RDS
DAT309_Best Practices for Migrating from Oracle and SQL Server to Amazon RDS
 
FSV307-Capital Markets Discovery How FINRA Runs Trade Analytics and Surveilla...
FSV307-Capital Markets Discovery How FINRA Runs Trade Analytics and Surveilla...FSV307-Capital Markets Discovery How FINRA Runs Trade Analytics and Surveilla...
FSV307-Capital Markets Discovery How FINRA Runs Trade Analytics and Surveilla...
 
EUT303_Modernizing the Energy and Utilities Industry with IoT Moving SCADA to...
EUT303_Modernizing the Energy and Utilities Industry with IoT Moving SCADA to...EUT303_Modernizing the Energy and Utilities Industry with IoT Moving SCADA to...
EUT303_Modernizing the Energy and Utilities Industry with IoT Moving SCADA to...
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
AI & Deep Learning At Amazon
AI & Deep Learning At AmazonAI & Deep Learning At Amazon
AI & Deep Learning At Amazon
 
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdfWPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
 
WIN204-Simplifying Microsoft Architectures with AWS Services
WIN204-Simplifying Microsoft Architectures with AWS ServicesWIN204-Simplifying Microsoft Architectures with AWS Services
WIN204-Simplifying Microsoft Architectures with AWS Services
 
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side EncryptionSID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
 
Soup to Nuts: Identity Federation for AWS
Soup to Nuts: Identity Federation for AWSSoup to Nuts: Identity Federation for AWS
Soup to Nuts: Identity Federation for AWS
 
GPSTEC307_Too Many Tools
GPSTEC307_Too Many ToolsGPSTEC307_Too Many Tools
GPSTEC307_Too Many Tools
 
WPS205_Is AWS GovCloud Right for your Regulated Workload
WPS205_Is AWS GovCloud Right for your Regulated WorkloadWPS205_Is AWS GovCloud Right for your Regulated Workload
WPS205_Is AWS GovCloud Right for your Regulated Workload
 
GPSBUS202_Driving Customer Value with Big Data Analytics
GPSBUS202_Driving Customer Value with Big Data AnalyticsGPSBUS202_Driving Customer Value with Big Data Analytics
GPSBUS202_Driving Customer Value with Big Data Analytics
 
WIN401_Migrating Microsoft Applications to AWS
WIN401_Migrating Microsoft Applications to AWSWIN401_Migrating Microsoft Applications to AWS
WIN401_Migrating Microsoft Applications to AWS
 
How Amazon Scales Its Infrastructure to Handle Billions of Transactions on Pr...
How Amazon Scales Its Infrastructure to Handle Billions of Transactions on Pr...How Amazon Scales Its Infrastructure to Handle Billions of Transactions on Pr...
How Amazon Scales Its Infrastructure to Handle Billions of Transactions on Pr...
 
Cost Optimisation on AWS
Cost Optimisation on AWSCost Optimisation on AWS
Cost Optimisation on AWS
 
BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...
BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...
BAP202_Amazon Connect Delivers Personalized Customer Experiences for Your Clo...
 
Automate Best Practices and Operational Health for AWS Resources with AWS Tru...
Automate Best Practices and Operational Health for AWS Resources with AWS Tru...Automate Best Practices and Operational Health for AWS Resources with AWS Tru...
Automate Best Practices and Operational Health for AWS Resources with AWS Tru...
 

Similar to GPSTEC310_IAM Best Practices and Becoming an IAM Ninja

How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017
Amazon Web Services
 
How to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWS
Amazon Web Services
 
Best Practices for Active Directory with AWS Workloads
Best Practices for Active Directory with AWS WorkloadsBest Practices for Active Directory with AWS Workloads
Best Practices for Active Directory with AWS Workloads
Amazon Web Services
 
Advanced Techniques for Federation of the AWS Management Console and Command ...
Advanced Techniques for Federation of the AWS Management Console and Command ...Advanced Techniques for Federation of the AWS Management Console and Command ...
Advanced Techniques for Federation of the AWS Management Console and Command ...
Amazon Web Services
 
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Amazon Web Services
 
How Amazon.com Uses AWS Management Tools - DEV340 - re:Invent 2017
How Amazon.com Uses AWS Management Tools - DEV340 - re:Invent 2017How Amazon.com Uses AWS Management Tools - DEV340 - re:Invent 2017
How Amazon.com Uses AWS Management Tools - DEV340 - re:Invent 2017
Amazon Web Services
 
RET304_Rapidly Respond to Demanding Retail Customers with the Same Serverless...
RET304_Rapidly Respond to Demanding Retail Customers with the Same Serverless...RET304_Rapidly Respond to Demanding Retail Customers with the Same Serverless...
RET304_Rapidly Respond to Demanding Retail Customers with the Same Serverless...
Amazon Web Services
 
Understanding the Critical Building Blocks of AWS Identity and Governance
Understanding the Critical Building Blocks of AWS Identity and GovernanceUnderstanding the Critical Building Blocks of AWS Identity and Governance
Understanding the Critical Building Blocks of AWS Identity and Governance
Amazon Web Services
 
Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)
Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)
Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)
Amazon Web Services
 

Similar to GPSTEC310_IAM Best Practices and Becoming an IAM Ninja (20)

Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
 
ARC325_Managing Multiple AWS Accounts at Scale
ARC325_Managing Multiple AWS Accounts at ScaleARC325_Managing Multiple AWS Accounts at Scale
ARC325_Managing Multiple AWS Accounts at Scale
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
AWS Startup Day Kyiv: AWS Security Best Practices
AWS Startup Day Kyiv: AWS Security Best PracticesAWS Startup Day Kyiv: AWS Security Best Practices
AWS Startup Day Kyiv: AWS Security Best Practices
 
Getting started with AWS
Getting started with AWSGetting started with AWS
Getting started with AWS
 
Getting Started with AWS
Getting Started with AWSGetting Started with AWS
Getting Started with AWS
 
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017
 
How to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWS
 
Best Practices for Active Directory with AWS Workloads
Best Practices for Active Directory with AWS WorkloadsBest Practices for Active Directory with AWS Workloads
Best Practices for Active Directory with AWS Workloads
 
Advanced Techniques for Federation of the AWS Management Console and Command ...
Advanced Techniques for Federation of the AWS Management Console and Command ...Advanced Techniques for Federation of the AWS Management Console and Command ...
Advanced Techniques for Federation of the AWS Management Console and Command ...
 
The Evolution of Identity and Access Management on AWS - AWS Online Tech Talks
The Evolution of Identity and Access Management on AWS - AWS Online Tech TalksThe Evolution of Identity and Access Management on AWS - AWS Online Tech Talks
The Evolution of Identity and Access Management on AWS - AWS Online Tech Talks
 
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
 
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
 
How Amazon.com Uses AWS Management Tools - DEV340 - re:Invent 2017
How Amazon.com Uses AWS Management Tools - DEV340 - re:Invent 2017How Amazon.com Uses AWS Management Tools - DEV340 - re:Invent 2017
How Amazon.com Uses AWS Management Tools - DEV340 - re:Invent 2017
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
RET304_Rapidly Respond to Demanding Retail Customers with the Same Serverless...
RET304_Rapidly Respond to Demanding Retail Customers with the Same Serverless...RET304_Rapidly Respond to Demanding Retail Customers with the Same Serverless...
RET304_Rapidly Respond to Demanding Retail Customers with the Same Serverless...
 
Landing Zones Creating a Foundation - AWS Summit Sydney 2018
Landing Zones Creating a Foundation - AWS Summit Sydney 2018Landing Zones Creating a Foundation - AWS Summit Sydney 2018
Landing Zones Creating a Foundation - AWS Summit Sydney 2018
 
Understanding the Critical Building Blocks of AWS Identity and Governance
Understanding the Critical Building Blocks of AWS Identity and GovernanceUnderstanding the Critical Building Blocks of AWS Identity and Governance
Understanding the Critical Building Blocks of AWS Identity and Governance
 
Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)
Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)
Introduction to the Security Perspective of the Cloud Adoption Framework (CAF)
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

GPSTEC310_IAM Best Practices and Becoming an IAM Ninja

  • 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT Scott Ward – Sol uti ons Archi tect Pat McDowel l – Sol uti ons Archi tect GPSTEC310 IAM Best Practices and Becoming an IAM Ninja
  • 2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. “I have been to IAM presentations before and I have seen the best practices. I get all that you have told me. What else can you tell me? I want to be dazzled. How can I improve via Automation or Machine Learning?”
  • 3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT Scott Ward – Sol uti ons Archi tect Pat McDowel l – Sol uti ons Archi tect GPSTEC310 Extending AWS Identity and Access Management through Automation and Machine Learning
  • 4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles
  • 5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Customer: “I would like to use your service to monitor my account.”
  • 6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Scenario 1 – Access Keys Partner: “Sure, just send me your access keys…”
  • 7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Partner Account Customer Account Access Keys Scenario 1 – Access Keys
  • 8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Scenario 2 – Manual Cross Account Role Partner: “Sure, just follow this guide to create a cross account role. Create a policy, then create a role with our account number and this unique external id, then give us the ARN of your role.”
  • 9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Scenario 2 – Manual Cross Account Role Temporary Access Keys Policy, account#, external ID Role ARN Partner Account Customer Account
  • 10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles “My customers don’t like the number of steps to setup a cross account role… or they don’t understand why they are doing the steps…”
  • 11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Scenario 3 – Automated Cross Account Role Partner: “Sure, tell us your account number and we will get you setup.”
  • 12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Scenario 3 – Automated Cross Account Role Customer Account Partner role stack Customer “Click here to create cross account access” Partner Website Launch Partner AWS CloudFormation Template Role ARN Partner SNS Topic Partner Storage
  • 13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Automation – Partner Web Site
  • 14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Automation – Partner Web Site Master Template Generate External ID Customer Data Customer Account # External ID Role ARN Generate full URL to launch stack with customer specific values
  • 15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Automation – The AWS CloudFormation Template
  • 16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Automation – The AWS CloudFormation Template https://console.aws.amazon.com/cloudformation/home?region=us-east- 1#/stacks/create/review? templateURL=https://s3-us-west2.amazonaws.com/isco/wizard.yml& stackName=CrossAccountRoleSetup& param_TrustedAccount=123456789012& param_ExternalId=abcd1234
  • 17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Automation – Getting Data Back from the Customer Customer Account Partner role stack Partner SNS Topic Use an AWS CloudFormation custom resource to “phone home” with the final ARN PhoneHomeCustomResource: Properties: ServiceToken: arn:aws:sns:us-west- 2:111111111112:ARNSnsTopic RoleArn: !GetAtt CrossAccountRole.Arn AccountID: !Ref AWS::AccountId Type: Custom::PhoneHomeCustomResource Version: '1.0'
  • 18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Automation – AWS Organizations New Account Partner API Partner role stack Partner SNS TopicPartner Storage New Account Customer AWS Organizations Create New Account New Account Number Launch Partner AWS CloudFormation Template Partner Account Number External ID Template Location
  • 19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cross Account Roles Automating the Creation of Cross Account Roles Why should I take this approach? Less steps for the customer to understand. Enables customer and partner to easily be at the right security configuration. Ensures consistency across all the partners customers. Enables automation for setup of many accounts.
  • 20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. When Should I Create an IAM User?
  • 21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. When should I create an IAM user? Need programmatic access from a resource that is not housed in AWS. Individual user needs access and you are not linked into an identity provider yet. You want to enforce MFA on specific API calls. You want to enable longer lived sessions at the command line level (get-federated-token). Break Glass.
  • 22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Federation and the Command Line https://github.com/AdRoll/hologram Hologram LDAP Local Dev Hologram
  • 23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Federation and the Command Line https://github.com/rapid7/awsaml 1 Identity Provider Local Dev 2 3 4
  • 24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Macie
  • 25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Macie – Not just for S3! • User Behavior Analytics (UBA) applied to IAM User Activity • Applies AI to understand historical data access patterns and automatically assesses activity of users, applications and service accounts. Amazon Macie
  • 26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Privileged User Identification and Tracking • Helps classify privileged users into Platinum, Gold, Silver, Bronze • See total number of user sessions, see whose assuming roles, etc. • Find the needle in the haystack, see what API calls are never used
  • 27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Visualize Access Globally
  • 28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. User Investigation and Incident Response • Harness Macie ‘Research’ feature to Investigate IAM Anomalies • Macie assigns a risk level between 1 - 10 for each event • Alert through Amazon CloudWatch Events • Respond with AWS Lambda
  • 29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Least Privilege Made Easy • Eliminate principals who may not need access • Reduce access sprawl and debt • Fine-tune policies to their absolute minimum • Use in conjunction with Access Advisor
  • 30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Scaling IAM Management
  • 31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. StackSets – Multi-Account AWS CloudFormation
  • 32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Multiply all the things! • Create a central IAM Policy CFN – One Stack to Rule them All! • Multi-Account and Multi-Region via a single click • … or Can deploy across your entire AWS Organization • Removes the friction of IAM management across N-accounts • Integrate into your CI/CD process to quickly deploy, audit, and collaborate • Maintain full process in AWS CodeStar
  • 33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 1 Deploy, Many Updates •Central Identity Accounts were always a best practice….but operationally challenging •Scaling IAM Roles/Policies across N-Accounts is now approachable •Keep Control Central
  • 34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Easily Scale Central Identity Accounts Admin Role admins Admin Role Identity Account Sales Account Retail Account X-account Roles
  • 35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Central Identity Deployment with AWS CloudFormation StackSets StackSet Identity Account X-Account Trust
  • 36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Config Rules for Easy Compliance Stop bad IAM hygiene before it’s problematic
  • 37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Config – Building your own IAM CMDB • Maintain historical context and audit of all IAM changes, creates, deletes • Tracks actual policy and relationship changes • Auto-Remediate with Config rules and Lambda
  • 38. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Config Rules - Maintain IAM Governance
  • 39. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Config Rules – DevSecOps for IAM • Use Lambda to create responses to alerts via Config Rules • Hook into HR Systems like Workday or corp directories • Suspend principals who violate rules • Create Guard Rails that align to corporate governance • Rules are Evaluated constantly to give a binary compliant or non-compliant state
  • 40. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What’s New in IAM? Roughly the last six months
  • 41. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. IAM, What’s New? • Additional IAM Policy resource summaries • IAM Support for Auto-Scaling actions • Manage RDS MySQL and Aurora access using IAM • Service Linked Roles • IAM Policy Summaries
  • 42. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. THANK YOU! C L I C K T O A D D T E X T C L I C K T O A D D T E X T