AWS Identity and Access Management (IAM) offers a continuum of interfaces and configuration options that enables customers to integrate their unique organizational identity structure and operational processes to the AWS platform. In this session we will evaluate the progressive journey of federation options that most customers go through as they widen their integration with IAM. This will include best practices, lessons learned from the field, and examples of actual customer implementations, covering technologies such as SAML, LDAP, and custom identity brokers.
3. What you will take away from this session
Understand your
federation options
(C) Copyright GeographBot
Wallace and licensed for
reuse under the Creative
Commons Attribution-
ShareAlike 2.0 License
4. What you will take away from this session
Understand your
federation options
Get it right at scale
(C) Copyright GeographBot
Wallace and licensed for
reuse under the Creative
Commons Attribution-
ShareAlike 2.0 License
(C) Copyright BigMac and
licensed for
reuse under the Creative
Commons Attribution 3.0
License
5. What you will take away from this session
Understand your
federation options
Get it right at scale Plan your approach
(C) Copyright David Precious
and licensed for
reuse under the Creative
Commons Attribution 2.0
Generic
(C) Copyright GeographBot
Wallace and licensed for
reuse under the Creative
Commons Attribution-
ShareAlike 2.0 License
(C) Copyright BigMac and
licensed for
reuse under the Creative
Commons Attribution 3.0
License
6. What you will take away from this session
Understand your
federation options
Get it right at scale Plan your approach Tooling to
get started
(C) Copyright David Precious
and licensed for
reuse under the Creative
Commons Attribution 2.0
Generic
(C) Copyright GeographBot
Wallace and licensed for
reuse under the Creative
Commons Attribution-
ShareAlike 2.0 License
(C) Copyright BigMac and
licensed for
reuse under the Creative
Commons Attribution 3.0
License
License: Creative Commons
Public Domain Universal 1.0
7. Session prerequisites
• To get the most out of this session, you must be comfortable
with several building blocks:
AWS IAM Roles Policies AWS STS Long-lived
credentials
Temporary
credentials
8. Session prerequisites
• To get the most out of this session, you must be comfortable
with several building blocks:
• If you need to brush up, check out:
• SEC305 – Become an AWS IAM Policy Ninja in 60 Minutes or
Less
• SEC302 – IAM Best Practices to Live By
AWS IAM Roles Policies AWS STS Long-lived
credentials
Temporary
credentials
9. AWS IAM federation: A progression of options
Cross-
account
trust
AWS
Directory
Service
Security
Assertion
Markup
Language
(SAML)
Custom
identity
broker
Involvement
Control
10. AWS IAM federation: A progression of options
Cross-
account
trust
AWS
Directory
Service
Security
Assertion
Markup
Language
(SAML)
Custom
identity
broker
Involvement
Control
SEC305
SEC315
11. AWS IAM federation: A progression of options
Cross-
account
trust
AWS
Directory
Service
Security
Assertion
Markup
Language
(SAML)
Custom
identity
broker
Involvement
Control
Session focusSEC305
SEC315
32. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of AWS
IAM roles?
Lots of users?
33. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of AWS
IAM roles?
Multiple access
vectors?
Lots of users?
34. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of AWS
IAM roles?
Multiple access
vectors?
Resource-level
permissions?
Lots of users?
35. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of AWS
IAM roles?
Multiple access
vectors?
Resource-level
permissions?
AWS CloudTrail
impacts?
Lots of users?
36. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of AWS
IAM roles?
Multiple access
vectors?
Resource-level
permissions?
AWS CloudTrail
impacts?
Lots of users?
IdP unavailable
strategy?
37. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of AWS
IAM roles?
Multiple access
vectors?
Resource-level
permissions?
AWS CloudTrail
impacts?
Lots of users?
IdP unavailable
strategy?
???
38. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of AWS
IAM roles?
Multiple access
vectors?
Resource-level
permissions?
AWS CloudTrail
impacts?
Lots of users?
IdP unavailable
strategy?
Dive deep = Get it right
???
40. AWS federation with SAML: At-scale demo
Automate onboarding
(C) Copyright Gnovick and licensed for
reuse under the Creative Commons
Attribution 3.0 License
41. AWS federation with SAML: At-scale demo
Automate onboarding User experience
(C) Copyright Gnovick and licensed for
reuse under the Creative Commons
Attribution 3.0 License
(C) Copyright Jocelyn Wallace and
licensed for reuse under the Creative
Commons Attribution-ShareAlike 2.0
License
42. AWS federation with SAML: At-scale demo
Automate onboarding User experience Under the hood
(C) Copyright Gnovick and licensed for
reuse under the Creative Commons
Attribution 3.0 License
(C) Copyright bagera3005 and licensed
for reuse under the Creative Commons
Attribution 3.0 License
(C) Copyright Jocelyn Wallace and
licensed for reuse under the Creative
Commons Attribution-ShareAlike 2.0
License
44. Automate onboarding
AWS federation with SAML: At-scale demo
Key takeaways
Directory
Group
definitions
AWS account
• Automate deployment of IAM
roles and policies.
• Automate deployment of
companion directory structure.
• Keep role definitions constant
across accounts.
Providers,
roles, and
policies
46. Smooth user experience
AWS federation with SAML: At-scale demo
Key takeaways
• Federation shouldn’t limit
access vectors.
• Getting users into groups
should be automated and
efficient.
• Don’t create a “low-to-high”
exposure in the back end.
AWS
SDKs
AWS
CLI
47. Under the hood
AWS federation with SAML: At-scale demo
IdP
configurations
AWS CloudTrail
samples
48. Under the hood
AWS federation with SAML: At-scale demo
Key takeaways
IdP
configurations
AWS CloudTrail
samples
• Naming conventions are
critical.
• Configurations should rely on
patterns, not values.
• Think about traceability now.
• Tighter policies help reduce
AWS account sprawl.
50. AWS federation with SAML: Looking beyond
• For some: SAML bliss!
• For others: Further needs.
• Alternate user mapping
• Curtail role sprawl
• Curtail group sprawl
• More granular,
contextual policies
51. AWS federation with SAML: Looking beyond
• For some: SAML bliss!
• For others: Further needs.
• Alternate user mapping
• Curtail role sprawl
• Curtail group sprawl
• More granular,
contextual policies
• If so:
• Custom identity broker
55. Our journey through identity management
IAM users with
static keys
Nova v1
Basic roles
Nova v2
Resource-level
permissions,
tagging standards
Nova v3
Dynamic policy
generation
56. Nova workflow
Bob the
Engineer
PHP web
application
Active
Directory
Look up group
membership
Corporate
SSO
Authenticate
w/ MFA
Nova
database
Group-to-role
mappings
Ask Bob which AWS
account he would like
to access based on
available roles
IAM API
sts:AssumeRole
for appropriate IAM role
Access to AWS Management Console and keys for API/CLI access
57. Nova v1 basic roles
General roles like “Developer”
assignable to different AWS
accounts
Maps membership in AD
groups to IAM roles
Roles
AWS accounts
58. Nova v1 basic roles
Active Directory group
NOVA_PRODSHARED_DEVELOPER
IAM role
nova.prodshared.developer
{
"Statement": [
{
"Effect": "Allow",
"Resource": ["*”],
"Action": [
"ec2:AllocateAddress",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AttachNetworkInterface",
"ec2:AttachVolume",
"ec2:BundleInstance",
"ec2:CancelBundleTask",
"ec2:CancelConversionTask",
"ec2:CancelExportTask",
"ec2:CancelSpotInstanceRequests",
"ec2:ConfirmProductInstance",
"ec2:CopyImage",
"ec2:CopySnapshot",
"ec2:CreateImage",
"ec2:CreateInstanceExportTask",
"ec2:CreateKeyPair",
"ec2:CreateNetworkInterface",
"ec2:CreatePlacementGroup",
"ec2:CreateSnapshot",
"ec2:CreateSpotDatafeedSubscription",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteKeyPair",
59. Nova v2 resource-level permissions
Tagging and resource-level
permissions matured
Tagging resources by team
enabled resource-level
permissions by team
Easy expansion, no changes
necessary to Nova
Roles
60. Nova v2 resource-level permissions
{
"Statement": [
{
"Effect": "Allow",
"Resource": ["*”],
"Condition": {
"StringLike": {
"ec2:ResourceTag/servicename": [
"djcs/*"
]
}
},
"Action": [
"ec2:AllocateAddress",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AttachNetworkInterface",
"ec2:AttachVolume",
"ec2:BundleInstance",
"ec2:CancelBundleTask",
"ec2:CancelConversionTask",
"ec2:CancelExportTask",
"ec2:CancelSpotInstanceRequests",
"ec2:ConfirmProductInstance",
"ec2:CopyImage",
"ec2:CopySnapshot",
Active Directory group
NOVA_PRODSHARED_DJCS_DEV
IAM role
nova.prodshared.djcs.developer
63. Rationalizing the decision-making process
(C) Copyright Marco Bellucci and licensed for
reuse under the Creative Commons Attribution 2.0 Generic
64. Rationalizing the decision-making process
• Existing federation
investments?
(C) Copyright Marco Bellucci and licensed for
reuse under the Creative Commons Attribution 2.0 Generic
65. Rationalizing the decision-making process
• Existing federation
investments?
• Federation needs beyond
AWS?
(C) Copyright Marco Bellucci and licensed for
reuse under the Creative Commons Attribution 2.0 Generic
66. Rationalizing the decision-making process
• Existing federation
investments?
• Federation needs beyond
AWS?
• Desired level of control vs.
involvement?
(C) Copyright Marco Bellucci and licensed for
reuse under the Creative Commons Attribution 2.0 Generic
67. Rationalizing the decision-making process
• Existing federation
investments?
• Federation needs beyond
AWS?
• Desired level of control vs.
involvement?
• Competency and bandwidth
for application development?
(C) Copyright Marco Bellucci and licensed for
reuse under the Creative Commons Attribution 2.0 Generic
68. Rationalizing the decision-making process
• Existing federation
investments?
• Federation needs beyond
AWS?
• Desired level of control vs.
involvement?
• Competency and bandwidth
for application development?
(C) Copyright Marco Bellucci and licensed for
reuse under the Creative Commons Attribution 2.0 Generic
70. SAML
Pro: Low barrier to entry
Pro: Federation beyond AWS
Comparison: SAML vs. Custom identity broker
Custom identity broker
Pro: Granular and contextual policies
Pro: Complete control
71. SAML
Pro: Low barrier to entry
Pro: Federation beyond AWS
Con: Number of roles, groups
Con: Add’l automation to scale
Comparison: SAML vs. Custom identity broker
Custom identity broker
Pro: Granular and contextual policies
Pro: Complete control
Con: Development effort
Con: Complex evaluations
72. SAML
Pro: Low barrier to entry
Pro: Federation beyond AWS
Con: Number of roles, groups
Con: Add’l automation to scale
Choose SAML if you want a
balanced federation approach.
Comparison: SAML vs. Custom identity broker
Custom identity broker
Pro: Granular and contextual policies
Pro: Complete control
Con: Development effort
Con: Complex evaluations
Choose a custom identity broker if
you prefer to increase federation
involvement for the ultimate control.
73. Remember the principles of cloud architecture.
• Don’t overanalyze – experiment and iterate.
74. Remember the principles of cloud architecture.
• Don’t overanalyze – experiment and iterate.
• Federation options are not mutually exclusive.
• Several can exist in parallel.
• Federation options use the same entities.
75. Remember the principles of cloud architecture.
• Don’t overanalyze – experiment and iterate.
• Federation options are not mutually exclusive.
• Several can exist in parallel.
• Federation options use the same entities.
• Evolve your federation approach as your needs evolve.
• Right for tomorrow is not always right for today.
77. Additional information
• Session resources (code and samples)
• AWS documentation
• Manage Federation
• Integrating Third-Party SAML Solution Providers with AWS
• Request Information That You Can Use for Policy Variables
• Custom Federation Broker
• AWS blogs
• Whitepaper—Single Sign-On: Integrating AWS, OpenLDAP,
and Shibboleth
• How to Implement a General Solution for Federated API/CLI
Access Using SAML 2.0