AWS Identity and Access Management (IAM) offers a continuum of interfaces and configuration options that enables customers to integrate their unique organizational identity structure and operational processes to the AWS platform. In this session we will evaluate the progressive journey of federation options that most customers go through as they widen their integration with IAM. This will include best practices, lessons learned from the field, and examples of actual customer implementations, covering technologies such as SAML, LDAP, and custom identity brokers.

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Quint Van Deman, Sr. IT Transformation Consultant, AWS Professional Services
Chad Wintzer, DevOps Engineering Lead, Dow Jones & Company
October 2015
SEC 307
A Progressive Journey Through
AWS IAM Federation Options:
From Roles to SAML to Custom Identity Brokers

2. What you will take away from this session

3. What you will take away from this session
Understand your
federation options
(C) Copyright GeographBot
Wallace and licensed for
reuse under the Creative
Commons Attribution-
ShareAlike 2.0 License

4. What you will take away from this session
Understand your
federation options
Get it right at scale
(C) Copyright GeographBot
Wallace and licensed for
reuse under the Creative
Commons Attribution-
ShareAlike 2.0 License
(C) Copyright BigMac and
licensed for
reuse under the Creative
Commons Attribution 3.0
License

5. What you will take away from this session
Understand your
federation options
Get it right at scale Plan your approach
(C) Copyright David Precious
and licensed for
reuse under the Creative
Commons Attribution 2.0
Generic
(C) Copyright GeographBot
Wallace and licensed for
reuse under the Creative
Commons Attribution-
ShareAlike 2.0 License
(C) Copyright BigMac and
licensed for
reuse under the Creative
Commons Attribution 3.0
License

6. What you will take away from this session
Understand your
federation options
Get it right at scale Plan your approach Tooling to
get started
(C) Copyright David Precious
and licensed for
reuse under the Creative
Commons Attribution 2.0
Generic
(C) Copyright GeographBot
Wallace and licensed for
reuse under the Creative
Commons Attribution-
ShareAlike 2.0 License
(C) Copyright BigMac and
licensed for
reuse under the Creative
Commons Attribution 3.0
License
License: Creative Commons
Public Domain Universal 1.0

7. Session prerequisites
• To get the most out of this session, you must be comfortable
with several building blocks:
AWS IAM Roles Policies AWS STS Long-lived
credentials
Temporary
credentials

8. Session prerequisites
• To get the most out of this session, you must be comfortable
with several building blocks:
• If you need to brush up, check out:
• SEC305 – Become an AWS IAM Policy Ninja in 60 Minutes or
Less
• SEC302 – IAM Best Practices to Live By
AWS IAM Roles Policies AWS STS Long-lived
credentials
Temporary
credentials

9. AWS IAM federation: A progression of options
Cross-
account
trust
AWS
Directory
Service
Security
Assertion
Markup
Language
(SAML)
Custom
identity
broker
Involvement
Control

10. AWS IAM federation: A progression of options
Cross-
account
trust
AWS
Directory
Service
Security
Assertion
Markup
Language
(SAML)
Custom
identity
broker
Involvement
Control
SEC305
SEC315

11. AWS IAM federation: A progression of options
Cross-
account
trust
AWS
Directory
Service
Security
Assertion
Markup
Language
(SAML)
Custom
identity
broker
Involvement
Control
Session focusSEC305
SEC315

12. Federation rationale
Before:
After:
Result:

13. Federation rationale
Before:
After:
Result:
Unique credentials
Users

14. Federation rationale
Before:
After:
Result:
Unique credentials
Single sign-on
Users

15. Federation rationale
Before:
After:
Result:
Unique credentials
Single sign-on
Long-lived keys
Users Security

16. Federation rationale
Before:
After:
Result:
Unique credentials
Single sign-on
Long-lived keys
Short-term tokens
Users Security

17. Federation rationale
Before:
After:
Result:
Unique credentials
Single sign-on
Long-lived keys
Short-term tokens
One-off
Users Security Compliance

18. Federation rationale
Before:
After:
Result:
Unique credentials
Single sign-on
Long-lived keys
Short-term tokens
One-off
Naturally aligned
Users Security Compliance

19. Federation rationale
Before:
After:
Result:
Unique credentials
Single sign-on
Long-lived keys
Short-term tokens
One-off
Naturally aligned
Users Security Compliance

20. The journey: Federation with
Security Assertion Markup
Language (SAML)

21. Quick SAML primer

22. Quick SAML primer
Identity provider

23. Quick SAML primer
Identity provider (IdP) Service provider

24. Quick SAML primer
Identity provider Service provider
Metadata
(in advance)

25. Quick SAML primer
Identity provider Service provider
Metadata
(in advance)
Assertion
(login flow)

26. Basic AWS federation with SAML
• Known science, assuming:
• Few AWS accounts
• AWS Management
Console access
• Well documented:
• Whitepapers
• Blogs
• Documentation
(C) Copyright Diliff and licensed for
reuse under the Creative Commons Attribution 3.0 License

27. AWS federation with SAML: At-scale

28. AWS federation with SAML: At-scale

29. AWS federation with SAML: At-scale

30. AWS federation with SAML: At-scale
Many AWS
accounts?

31. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of users?

32. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of AWS
IAM roles?
Lots of users?

33. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of AWS
IAM roles?
Multiple access
vectors?
Lots of users?

34. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of AWS
IAM roles?
Multiple access
vectors?
Resource-level
permissions?
Lots of users?

35. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of AWS
IAM roles?
Multiple access
vectors?
Resource-level
permissions?
AWS CloudTrail
impacts?
Lots of users?

36. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of AWS
IAM roles?
Multiple access
vectors?
Resource-level
permissions?
AWS CloudTrail
impacts?
Lots of users?
IdP unavailable
strategy?

37. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of AWS
IAM roles?
Multiple access
vectors?
Resource-level
permissions?
AWS CloudTrail
impacts?
Lots of users?
IdP unavailable
strategy?
???

38. AWS federation with SAML: at-scale
Many AWS
accounts?
Lots of AWS
IAM roles?
Multiple access
vectors?
Resource-level
permissions?
AWS CloudTrail
impacts?
Lots of users?
IdP unavailable
strategy?
Dive deep = Get it right
???

39. AWS federation with SAML: At-scale demo

40. AWS federation with SAML: At-scale demo
Automate onboarding
(C) Copyright Gnovick and licensed for
reuse under the Creative Commons
Attribution 3.0 License

41. AWS federation with SAML: At-scale demo
Automate onboarding User experience
(C) Copyright Gnovick and licensed for
reuse under the Creative Commons
Attribution 3.0 License
(C) Copyright Jocelyn Wallace and
licensed for reuse under the Creative
Commons Attribution-ShareAlike 2.0
License

42. AWS federation with SAML: At-scale demo
Automate onboarding User experience Under the hood
(C) Copyright Gnovick and licensed for
reuse under the Creative Commons
Attribution 3.0 License
(C) Copyright bagera3005 and licensed
for reuse under the Creative Commons
Attribution 3.0 License
(C) Copyright Jocelyn Wallace and
licensed for reuse under the Creative
Commons Attribution-ShareAlike 2.0
License

43. Automate onboarding
AWS federation with SAML: At-scale demo
Directory
Group
definitions
AWS account
Providers,
roles, and
policies

44. Automate onboarding
AWS federation with SAML: At-scale demo
Key takeaways
Directory
Group
definitions
AWS account
• Automate deployment of IAM
roles and policies.
• Automate deployment of
companion directory structure.
• Keep role definitions constant
across accounts.
Providers,
roles, and
policies

45. Smooth user experience
AWS federation with SAML: At-scale demo
AWS
SDKs
AWS
CLI

46. Smooth user experience
AWS federation with SAML: At-scale demo
Key takeaways
• Federation shouldn’t limit
access vectors.
• Getting users into groups
should be automated and
efficient.
• Don’t create a “low-to-high”
exposure in the back end.
AWS
SDKs
AWS
CLI

47. Under the hood
AWS federation with SAML: At-scale demo
IdP
configurations
AWS CloudTrail
samples

48. Under the hood
AWS federation with SAML: At-scale demo
Key takeaways
IdP
configurations
AWS CloudTrail
samples
• Naming conventions are
critical.
• Configurations should rely on
patterns, not values.
• Think about traceability now.
• Tighter policies help reduce
AWS account sprawl.

49. AWS federation with SAML: Looking beyond
• For some: SAML bliss!

50. AWS federation with SAML: Looking beyond
• For some: SAML bliss!
• For others: Further needs.
• Alternate user mapping
• Curtail role sprawl
• Curtail group sprawl
• More granular,
contextual policies

51. AWS federation with SAML: Looking beyond
• For some: SAML bliss!
• For others: Further needs.
• Alternate user mapping
• Curtail role sprawl
• Curtail group sprawl
• More granular,
contextual policies
• If so:
• Custom identity broker

52. The journey: Federation using
a custom identity broker

53. 3+ Years on AWS
Several flagship products
run on AWS including
WSJ.com
3,000+ Amazon EC2
instances

54. How we interact with AWS
Automate!

55. Our journey through identity management
IAM users with
static keys
Nova v1
Basic roles
Nova v2
Resource-level
permissions,
tagging standards
Nova v3
Dynamic policy
generation

56. Nova workflow
Bob the
Engineer
PHP web
application
Active
Directory
Look up group
membership
Corporate
SSO
Authenticate
w/ MFA
Nova
database
Group-to-role
mappings
Ask Bob which AWS
account he would like
to access based on
available roles
IAM API
sts:AssumeRole
for appropriate IAM role
Access to AWS Management Console and keys for API/CLI access

57. Nova v1 basic roles
General roles like “Developer”
assignable to different AWS
accounts
Maps membership in AD
groups to IAM roles
Roles
AWS accounts

58. Nova v1 basic roles
Active Directory group
NOVA_PRODSHARED_DEVELOPER
IAM role
nova.prodshared.developer
{
"Statement": [
{
"Effect": "Allow",
"Resource": ["*”],
"Action": [
"ec2:AllocateAddress",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AttachNetworkInterface",
"ec2:AttachVolume",
"ec2:BundleInstance",
"ec2:CancelBundleTask",
"ec2:CancelConversionTask",
"ec2:CancelExportTask",
"ec2:CancelSpotInstanceRequests",
"ec2:ConfirmProductInstance",
"ec2:CopyImage",
"ec2:CopySnapshot",
"ec2:CreateImage",
"ec2:CreateInstanceExportTask",
"ec2:CreateKeyPair",
"ec2:CreateNetworkInterface",
"ec2:CreatePlacementGroup",
"ec2:CreateSnapshot",
"ec2:CreateSpotDatafeedSubscription",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteKeyPair",

59. Nova v2 resource-level permissions
Tagging and resource-level
permissions matured
Tagging resources by team
enabled resource-level
permissions by team
Easy expansion, no changes
necessary to Nova
Roles

60. Nova v2 resource-level permissions
{
"Statement": [
{
"Effect": "Allow",
"Resource": ["*”],
"Condition": {
"StringLike": {
"ec2:ResourceTag/servicename": [
"djcs/*"
]
}
},
"Action": [
"ec2:AllocateAddress",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AttachNetworkInterface",
"ec2:AttachVolume",
"ec2:BundleInstance",
"ec2:CancelBundleTask",
"ec2:CancelConversionTask",
"ec2:CancelExportTask",
"ec2:CancelSpotInstanceRequests",
"ec2:ConfirmProductInstance",
"ec2:CopyImage",
"ec2:CopySnapshot",
Active Directory group
NOVA_PRODSHARED_DJCS_DEV
IAM role
nova.prodshared.djcs.developer

61. Nova v3 dynamic policy generation
EC2
instances
Amazon RDS
instance
Amazon Route 53
zone
Application: Poseidon, Lifecycle: Prod
"Effect": "Allow",
"Resource": ["*”],
"Condition": {
"StringLike": {
"ec2:ResourceTag/Application": [
”Poseidon"
]
"ec2:ResourceTag/Lifecycle": [
”Prod"
]
}
},
"Action": [
"ec2:AllocateAddress",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AttachNetworkInterface",
"ec2:AttachVolume",
"ec2:BundleInstance",
"ec2:CancelBundleTask",
"ec2:CancelConversionTask",
"ec2:CancelExportTask",
"ec2:CancelSpotInstanceRequests",
"ec2:ConfirmProductInstance",
"ec2:CopyImage",
Authenticate w/ MFA
Select AWS account
Select application
Select lifecycle

62. Your own journey:
Rationalizing the decision-
making process

63. Rationalizing the decision-making process
(C) Copyright Marco Bellucci and licensed for
reuse under the Creative Commons Attribution 2.0 Generic

64. Rationalizing the decision-making process
• Existing federation
investments?
(C) Copyright Marco Bellucci and licensed for
reuse under the Creative Commons Attribution 2.0 Generic

65. Rationalizing the decision-making process
• Existing federation
investments?
• Federation needs beyond
AWS?
(C) Copyright Marco Bellucci and licensed for
reuse under the Creative Commons Attribution 2.0 Generic

66. Rationalizing the decision-making process
• Existing federation
investments?
• Federation needs beyond
AWS?
• Desired level of control vs.
involvement?
(C) Copyright Marco Bellucci and licensed for
reuse under the Creative Commons Attribution 2.0 Generic

67. Rationalizing the decision-making process
• Existing federation
investments?
• Federation needs beyond
AWS?
• Desired level of control vs.
involvement?
• Competency and bandwidth
for application development?
(C) Copyright Marco Bellucci and licensed for
reuse under the Creative Commons Attribution 2.0 Generic

68. Rationalizing the decision-making process
• Existing federation
investments?
• Federation needs beyond
AWS?
• Desired level of control vs.
involvement?
• Competency and bandwidth
for application development?
(C) Copyright Marco Bellucci and licensed for
reuse under the Creative Commons Attribution 2.0 Generic

69. SAML
Comparison: SAML vs. Custom identity broker
Custom identity broker

70. SAML
Pro: Low barrier to entry
Pro: Federation beyond AWS
Comparison: SAML vs. Custom identity broker
Custom identity broker
Pro: Granular and contextual policies
Pro: Complete control

71. SAML
Pro: Low barrier to entry
Pro: Federation beyond AWS
Con: Number of roles, groups
Con: Add’l automation to scale
Comparison: SAML vs. Custom identity broker
Custom identity broker
Pro: Granular and contextual policies
Pro: Complete control
Con: Development effort
Con: Complex evaluations

72. SAML
Pro: Low barrier to entry
Pro: Federation beyond AWS
Con: Number of roles, groups
Con: Add’l automation to scale
Choose SAML if you want a
balanced federation approach.
Comparison: SAML vs. Custom identity broker
Custom identity broker
Pro: Granular and contextual policies
Pro: Complete control
Con: Development effort
Con: Complex evaluations
Choose a custom identity broker if
you prefer to increase federation
involvement for the ultimate control.

73. Remember the principles of cloud architecture.
• Don’t overanalyze – experiment and iterate.

74. Remember the principles of cloud architecture.
• Don’t overanalyze – experiment and iterate.
• Federation options are not mutually exclusive.
• Several can exist in parallel.
• Federation options use the same entities.

75. Remember the principles of cloud architecture.
• Don’t overanalyze – experiment and iterate.
• Federation options are not mutually exclusive.
• Several can exist in parallel.
• Federation options use the same entities.
• Evolve your federation approach as your needs evolve.
• Right for tomorrow is not always right for today.

76. Your own journey: Taking the
first steps

77. Additional information
• Session resources (code and samples)
• AWS documentation
• Manage Federation
• Integrating Third-Party SAML Solution Providers with AWS
• Request Information That You Can Use for Policy Variables
• Custom Federation Broker
• AWS blogs
• Whitepaper—Single Sign-On: Integrating AWS, OpenLDAP,
and Shibboleth
• How to Implement a General Solution for Federated API/CLI
Access Using SAML 2.0

78. Remember to complete
your evaluations!

79. Thank you!