by Ron Cully, Manager, Product Management, AWS Every journey to the AWS Cloud is unique. Some customers are migrating existing applications, while others are building new applications using cloud-native services. Along each of these journeys, identity and access management helps customers protect their applications and resources. In this session, you will learn how AWS’ Identity Services provide you a secure, flexible, and easy solution for managing identities and access on the AWS Cloud. With AWS’ Identity Services, you do not have to adapt to AWS. Instead, you have a choice of services designed to meet you anywhere along your journey to the AWS Cloud.

1. Pop-up Loft
Overview of AWS Identity, Directory, and Access Services
Ron Cully
Manager, Directory Service Product Management
Amazon Web Services

2. Every AWS Cloud journey is unique.
Migrating or extending
existing infrastructure
and applications.
Building customer
facing cloud-native
applications.
Going all-in on cloud
solutions across the
organization.
Using the scale of the
AWS Cloud to solve new
challenges.
Requiring unique identity and
access management solutions.

3. What to Expect
(C) Copyright Jean-Remy Duboc and licensed for reuse under the
Creative Commons Attribution-Generic 2.0 License
Provide
mental model
Chart the
Cloudscape
How to Use
IDAS Services

4. Disambiguation
Identity and Access Mgmt
(the subject)
AWS IAM
(the service)
Authentication,
authorization, audit and
governance for your cloud
workloads
Our scope
Authenticates and
authorizes AWS APIs
Includes

5. Identity and Access Management means…
Validate identities
securely
Authentication
Manage access using
fine-grained policies
Authorization
Meet compliance
requirements
Audit/Governance

6. At all levels…
Identity and Access Management
(the subject)
AWS Management Console/APIs
AWS
Infrastructure
AWS
Applications
Your Applications
Developers
Admins
Security Employees
Customers
Partners

7. Tenets
Mental model for Identity and Access Management services
Give you choice Secure, flexible,
comprehensive
Meet you
where you are

8. Benefits of AWS Identity, Directory,
and Access Services
Superior Security
Enable you to build applications and manage access more
securely in the AWS Cloud than on premises.
Increase Flexibility
Offer you options that meet you along your AWS Cloud
journey instead of forcing you to adapt to AWS.
Comprehensive
Breadth of services that help you get started quickly and are
feature rich to meet your more advanced needs over time.

9. Landscape

10. AWS Identity, Directory,
and Access Services
AWS Secrets Manager
(NEW!)
Lifecycle management
for application secrets.
AWS Identity and
Access Management
Fine-grained access
management for AWS
resources.
AWS
Organizations
Policy-based
management for
multiple AWS accounts.
AWS Directory Service
Integrates Active
Directory in AWS for
Windows workloads,
AWS resource access,
and AWS
AWS Single Sign-On
Manage single sign-on
(SSO) access to
multiple AWS accounts
and business
applications.

11. Broader Security Portfolio
AWS Config Rules
AWS Lambda
Incident
response
AWS Identity & Access
Management (IAM)
AWS Organizations
AWS Cognito
AWS Single Sign-On
AWS Directory Service
AWS Secrets Manager
Identity
AWS CloudTrail
AWS Config
Amazon
CloudWatch
Amazon GuardDuty
VPC Flow Logs
Detective
control
Amazon EC2
Systems Manager
AWS Shield
AWS Web Application
Firewall (WAF)
Amazon Inspector
Amazon Virtual Private
Cloud (VPC)
Infrastructure
security
AWS Key Management
Service (KMS)
AWS CloudHSM
Amazon Macie
Certificate Manager
Server Side Encryption
Data
protection

12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Accounts
Account
Account
Account
Account Account
Account
Account
Account Account
Account
Account
AccountAccount
Account
Account

13. AWS Resources
AWS Organizations
M
Master Account / Administrative root
A1 A2 A4 AWS AccountsA3
Organizational Unit (OU)Dev Test Prod
Service
Control
Policies
(SCPs)

14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
SaaS
App
Account
IdP
SAML
OIDC
Federated
Users
Applications
IAM
Group
IAM Users
Security Principals
R
Root
Identity-based
Policies
EBS EC2
Resource-based
Policies
S3 SNS
ECR KMS
SES CognitoOrganizations RDS CloudWatch
AD
DS
AWS IAM
Service Control
Policies
Resulting
Permissions
Resource-based
Policies
Identity-based
Policies
Roles
Old
School
What’s my
permission?

15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
IAM
Group
IAM Users Federated
Users
Roles Applications
R
Root
Identity-based
Policies
AWS IAM
How to Use IDAS Services

16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Roles
Identity-based
Policies
R
Root
IAM Users
IAM
Group
Federated
Users
Applications
Assign permission to assume
roles and apply policies to roles
Use root to set up initial
admin users only
Require strong passwords for
users
ALWAYS set up multi-factor
authentication for Root user
and ideally for all other users
Don’t embed secrets in code!
Use AWS Secrets Manager
AWS IAM: Best Practices
*************
*************
// Authenticate app
User = “App1”
Pwd = “App1Pwd”
1X
Old
School

17. Lifecycle management for secrets such as
database credentials and API keys.
Rotate Secrets
Safely
Pay as you goManage access
with fine-grained
policies
Secure and
audit secrets
centrally
AWS Secrets Manager

18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
User Identity Strategy
IdP
SAML
OIDC
Federated
Users
Have an existing
SAML or OIDC
infrastructure
Don’t need/want
Active Directory
in the AWS Cloud
IAM
Group
IAM Users
Small team, don’t
have a directory
Have or need
Active Directory
for users and groups
AD
Federated
Users
DS

19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AWS Managed AD: User Forest
Enable, authenticate, &
authorize
.NET
Applications
Server
SharePoint
Server
AD-aware Workloads
SQL ServerRemote
Desktop
Licensing
Manager
.NET SharePoint
SQL
Server
RD
Licensing
Enterprise
Certificate
Authority
Certificate
Services
SaaS Applications
Azure AD
Amazon
WorkSpaces
Amazon
WorkDocs
Amazon
WorkMail
Amazon
QuickSight
AWS Management
Console
Amazon
Chime
Amazon
Connect
AWS Apps & Services
RDS for SQL
Server
AWS Managed
Microsoft AD
SAML
authenticate
Synchronize
users
AD FS
Server
AD FS
Azure AD
Connect
Server
Federate
ADSync
Manage, authenticate,
& authorize
Domain Join & Manage
Amazon EC2
Amazon
Windows EC2
instances
Amazon Linux
EC2 Instances

20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AWS Managed AD: User Forest
Enable, authenticate, &
authorize
.NET
Applications
Server
SharePoint
Server
AD-aware Workloads
SQL ServerRemote
Desktop
Licensing
Manager
.NET SharePoint
SQL
Server
RD
Licensing
Enterprise
Certificate
Authority
Certificate
Services
SaaS Applications
Azure AD
Amazon
WorkSpaces
Amazon
WorkDocs
Amazon
WorkMail
Amazon
QuickSight
AWS Management
Console
Amazon
Chime
Amazon
Connect
AWS Apps & Services
RDS for SQL
Server
AWS Managed
Microsoft AD
Manage, authenticate,
& authorize
Domain Join & Manage
Amazon EC2
Amazon
Windows EC2
instances
Amazon Linux
EC2 Instances
On-premises
Microsoft Active
Directory
On-premises user
credentials
Corporate
data center
AD FS
Server
SAML
authenticate
Synchronize
users
Azure AD
Connect
Server
VPN
Direct
Connect
or
Trust
Authenticate

21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Federation with AD Connector
AD Connector
SaaS Applications
Azure AD
Domain Join & Manage
On-premises
Microsoft Active
Directory
On-premises user
credentials
Corporate
data centerVPN
Direct
Connect
or
AD FS
Server
SAML
authenticate
Synchronize
users
Azure AD
Connect
Server
Authenticate & Proxy LDAP
Provision & Authenticate
.NET
Applications
Server
SharePoint
Server
SQL ServerRemote
Desktop
Licensing
Manager
Enterprise
Certificate
Authority
AD-aware Workloads
.NET SharePoint
SQL
Server
RD
Licensing
Certificate
Services
Amazon EC2
Amazon
Windows EC2
instances
Amazon Linux
EC2 Instances
Amazon
WorkSpaces
Amazon
WorkDocs
Amazon
WorkMail
Amazon
QuickSight
AWS Management
Console
Amazon
Chime
Amazon
Connect
AWS Apps & Services
RDS for SQL
Server

22. AWS Single Sign-On
Entitlements
AWS SSO
Master Account
AWS Directory
Service
Groups
Active
Directory
On-premises
Install AWS SSO and
map AD groups
to defined permissions
Grant access to one AWS
account, an OU, or the
entire Organization
Connect AWS Directory
Service to on-premises AD
AWS Organizations

23. Account
SAML or OIDC Federation
SaaS Applications
Azure AD
On-premises
Microsoft Active
Directory
On-premises user
credentials
Corporate
data center
AD FS
Server
SAML
authenticate
Synchronize
users
Azure AD
Connect
Server
Account
Account
AWS IAM End-point for
Single Sign-on

24. Pop-up Loft
Questions?

25. Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS