Learn how AWS IAM enables you to control who can do what in your AWS environment. We discuss how IAM provides flexible access control that helps you maintain security while adapting to your evolving business needs. We'll review how to integrate AWS IAM with your existing identity directories via identity federation. We outline some of the unique challenges that make providing IAM for the cloud a little different. And throughout the presentation, we highlight recent features that make it even easier to manage the security of your workloads on the cloud.
2. Agenda
• Overview of AWS Identity and Access Management
• How to enforce security policies in the cloud
• How to integrate with existing directories
• Highlight new features along the way
7. A show of hands…
• How many already use AWS?
• Tried AWS because of
– $: No upfront investment, free tier, low ongoing cost
– Scale: Flexible capacity, global reach
– Agility: Speed and agility, apps not ops
– Services: Amazon EC2, Amazon S3, Amazon DynamoDB, Amazon Redshift, Amazon RDS, Amazon EMR, Amazon CloudFront, etc.
8. A show of hands…
• How many initially tried AWS because of
– Security
– Identity
18. IAM
• Users, groups, permissions
– Individual security credentials
– Secure by default
– Grant least privilege
• Easy to use
– Graphical user interface
– Ability to script/automate (CLI & API)
29. Amazon EC2 Resource-Level Permissions
Example use cases:
• Ben can terminate instance i-abc12345 but not instance i-def67890
• Jeff can launch instances only in the subnet subnet-bdf2468
• Ken can use only the AMI ami-cba54321 to run instances
• A user can take any action on resources if they have the tag “sandbox=${aws:username}” (the policy variable expands to the caller's IAM user name when the request is evaluated)
• Derek must authenticate using MFA before he can terminate instances with the tag “stack=prod”
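The use cases above each become a policy statement that pins a resource ARN or adds a Condition on a tag or on the MFA state of the session. The block below is an added example, not code from the presentation or from AWS: it writes those policies out and runs them through a small evaluator that models only the rules they depend on (default deny, explicit Deny wins, wildcards in Action and Resource, `${aws:username}` expansion, and the StringEquals/StringNotEquals/Bool operators on the `ec2:ResourceTag/<key>` and `aws:MultiFactorAuthPresent` keys). The account id, region, the security-group id and the request contexts are constructed; the instance, subnet and AMI ids come from the slide. Two details a practitioner should take from it: RunInstances is authorized per resource, so a policy that pins the subnet (or, for Ken, the AMI) must still allow the other resource ARNs the call touches, and `aws:MultiFactorAuthPresent` is simply absent for long-term access keys, so a `Bool: true` test never matches them.

```python
"""Minimal IAM-style evaluator for the EC2 resource-level permission use cases above.
Added example, not AWS code: it models only the rules those use cases rely on
(default deny, explicit Deny wins, Action/Resource wildcards, ${aws:username}
policy variables, StringEquals/StringNotEquals/Bool on the ec2:ResourceTag/<key>
and aws:MultiFactorAuthPresent keys). Account, region and sg id are constructed."""
import fnmatch

ACCOUNT, REGION = "123456789012", "us-east-1"   # constructed


def arn(resource_type, resource_id):
    """EC2 resource ARN (image ARNs carry no account id)."""
    owner = "" if resource_type == "image" else ACCOUNT
    return f"arn:aws:ec2:{REGION}:{owner}:{resource_type}/{resource_id}"


def run_instances_resources(subnet_id, ami, sg="sg-0a1b2c3d"):
    """ARNs IAM authorizes for one RunInstances call (subset). The instance id
    does not exist yet, so the request carries instance/*."""
    return [arn("subnet", subnet_id), arn("image", ami), arn("instance", "*"),
            arn("network-interface", "*"), arn("volume", "*"), arn("security-group", sg)]


# "Version": "2012-10-17" is what enables ${...} policy variables.
BEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": arn("instance", "i-abc12345")}]}

JEFF = {"Version": "2012-10-17", "Statement": [   # subnet pinned, everything else RunInstances touches wildcarded
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": [arn("subnet", "subnet-bdf2468"), arn("image", "ami-*"), arn("instance", "*"),
                  arn("network-interface", "*"), arn("volume", "*"), arn("security-group", "*")]}]}

KEN = {"Version": "2012-10-17", "Statement": [    # same shape with the AMI pinned instead
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": [arn("subnet", "*"), arn("image", "ami-cba54321"), arn("instance", "*"),
                  arn("network-interface", "*"), arn("volume", "*"), arn("security-group", "*")]}]}

SANDBOX = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/sandbox": "${aws:username}"}}}]}

DEREK = {"Version": "2012-10-17", "Statement": [
    # anything not tagged stack=prod (untagged included) without MFA ...
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"StringNotEquals": {"ec2:ResourceTag/stack": "prod"}}},
    # ... but stack=prod only from an MFA-authenticated session
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/stack": "prod"},
                   "Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}


def request_context(username, mfa=None, tags=None):
    """Constructed request context. aws:MultiFactorAuthPresent is absent (mfa=None)
    for long-term access keys, so Bool:true can never match them."""
    ctx = {"aws:username": username}
    if mfa is not None:
        ctx["aws:MultiFactorAuthPresent"] = "true" if mfa else "false"
    ctx.update({"ec2:ResourceTag/" + k: v for k, v in (tags or {}).items()})
    return ctx


def _aslist(x):
    return x if isinstance(x, list) else [x]


def _substitute(value, ctx):
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", val)
    return value


def _condition_ok(condition, ctx):
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            have, wanted = ctx.get(key), [_substitute(w, ctx) for w in _aslist(wanted)]
            if op == "StringEquals" and (have is None or have not in wanted):
                return False
            elif op == "StringNotEquals" and have in wanted:   # a missing key counts as "not equal"
                return False
            elif op == "Bool" and (have is None or have.lower() != wanted[0].lower()):
                return False
            elif op not in ("StringEquals", "StringNotEquals", "Bool"):
                raise ValueError(f"operator {op} not modelled")
    return True


def evaluate(policy, action, resource, ctx):
    """'Allow' or 'Deny' for one (action, resource): explicit Deny wins, default Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _aslist(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, _substitute(r, ctx)) for r in _aslist(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def authorize(policy, action, resources, ctx):
    """A call touching several resources (RunInstances) is allowed only if each one is."""
    return all(evaluate(policy, action, r, ctx) == "Allow" for r in resources)
```

`evaluate(DEREK, "ec2:TerminateInstances", arn("instance", "i-1"), request_context("Derek", None, {"stack": "prod"}))` returns "Deny" because the MFA key is missing, while the same call with `mfa=True` returns "Allow"; the real service applies the same default-deny, explicit-deny-wins logic, with many more operators than are modelled here.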
32. IAM Role
• Entity that defines a set of permissions
• Not associated with a specific user or group
• Roles must be “assumed” by trusted entities
33. IAM Roles for Amazon EC2
• Let applications running on Amazon EC2 call AWS APIs with the role's permissions, without embedding long-term credentials in the instance
• Create a role, apply a policy, launch instance with role
• Credentials are automatically:
– Made available to Amazon EC2 instances (through the instance metadata service)
– Rotated multiple times a day
• AWS SDKs transparently use the credentials
34. Roles for EC2 Instances
[diagram: Auto Scaling groups of EC2 instances in the AWS cloud run under an AWS IAM role that grants read/write access to files in Amazon S3 and rows in Amazon DynamoDB]
35. Benefits of Using Roles with Amazon EC2
• Eliminates use of long-term credentials
• Automatic credential rotation
• Less coding – AWS SDK does all the work
• Easier and more secure!
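What "the SDK does all the work" amounts to is worth seeing once, because it is also what an attacker who lands on the instance does. The block below is an added example, not SDK or AWS code: it reads the role name and the JSON credential document from the instance metadata service at 169.254.169.254, parses it, and applies the refresh rule an SDK uses (fetch a new document a few minutes before `Expiration`). `SAMPLE_DOC` is a constructed copy of the document's real field layout with fake values; the five-minute margin and the fake `utc` helper are assumptions. The live path uses IMDSv2's PUT-then-GET token exchange, which post-dates this talk; the practitioner's caveat either way is that every process on the instance can read these credentials, so the role's policy is the only thing bounding what a compromised instance can do.

```python
"""How an app on an EC2 instance picks up its role credentials.
Added example, not AWS SDK code: an SDK does the same three things under the hood,
read the role name and a JSON credential document from the instance metadata
service, cache it, and fetch a fresh one shortly before Expiration. SAMPLE_DOC is
a constructed copy of the real document layout with fake values."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS = "http://169.254.169.254/latest"
CRED_PATH = "/meta-data/iam/security-credentials/"
REFRESH_MARGIN = timedelta(minutes=5)   # assumption: re-read this long before Expiration

SAMPLE_DOC = json.dumps({                # constructed; shape of GET <IMDS><CRED_PATH><role-name>
    "Code": "Success",
    "LastUpdated": "2013-11-13T18:02:11Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN==",
    "Expiration": "2013-11-14T00:17:43Z",
})


def utc(stamp):
    """Parse the metadata service's timestamp format into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class RoleCredentials:
    """Parsed credential document plus the refresh rule an SDK applies."""

    def __init__(self, doc):
        d = json.loads(doc)
        if d.get("Code") != "Success":
            raise RuntimeError(f"metadata service reported {d.get('Code')!r}")
        self.access_key = d["AccessKeyId"]
        self.secret_key = d["SecretAccessKey"]
        self.session_token = d["Token"]        # temporary credentials are rejected without it
        self.expiration = utc(d["Expiration"])

    def needs_refresh(self, now=None):
        now = now or datetime.now(timezone.utc)
        return now >= self.expiration - REFRESH_MARGIN

    def as_env(self):
        """The three variables the CLI and SDKs read for temporary credentials."""
        return {"AWS_ACCESS_KEY_ID": self.access_key,
                "AWS_SECRET_ACCESS_KEY": self.secret_key,
                "AWS_SESSION_TOKEN": self.session_token}


def imds_get(path, token):
    """IMDSv2 read: the session token (obtained with a PUT) keeps simple GET-based
    SSRF from reaching these credentials. IMDSv2 post-dates this talk."""
    req = urllib.request.Request(IMDS + path, headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def fetch_role_credentials():
    """Live path; only works on an EC2 instance launched with a role."""
    req = urllib.request.Request(IMDS + "/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        token = resp.read().decode()
    role_name = imds_get(CRED_PATH, token).strip()
    return RoleCredentials(imds_get(CRED_PATH + role_name, token))
```

Offline, `RoleCredentials(SAMPLE_DOC).needs_refresh(utc("2013-11-14T00:13:00Z"))` is true and the same check at 18:30 the previous evening is false; on an instance, `fetch_role_credentials().as_env()` yields exactly the three variables that `aws` or an SDK would otherwise find on its own.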
54. Federation
• AWS websites and/or APIs as relying party
• Pre-packaged samples: Windows Active Directory, Shibboleth
55. SSO Federation Using SAML (New)
• STS now supports SAML 2.0
• Benefits:
– Open standards
– Quicker and easier to implement federation
– Leverage existing identity management software to manage access to AWS resources
– No coding required
• AWS Management Console SSO
– IdP-initiated web SSO via SAML 2.0 using the HTTP-POST binding (web SSO profile)
– New sign-in URL that greatly simplifies SSO: the IdP POSTs the SAML authentication response to https://signin.aws.amazon.com/saml
• API federation using the new AssumeRoleWithSAML operation
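Whether the assertion goes to the console sign-in URL or to AssumeRoleWithSAML, AWS reads the same two attributes from it: `https://aws.amazon.com/SAML/Attributes/Role`, whose values are `role-arn,provider-arn` pairs (in either order), and `https://aws.amazon.com/SAML/Attributes/RoleSessionName`, with `https://signin.aws.amazon.com/saml` as the Audience. The block below is an added example, not AWS or IdP code, that parses those attributes out of a SAML response and builds the AssumeRoleWithSAML parameters for the role the user picked. The response is a constructed, unsigned skeleton; the `ddb-role` ARN and account id come from the cross-account slides later in this deck, while the `ReadOnly` role and the `CorpAD` saml-provider are hypothetical. STS verifies the XML signature against the IdP metadata registered on the saml-provider before it issues anything, so code like this only decides which role to ask for, never whether to trust the assertion.

```python
"""Read the AWS-specific attributes out of a SAML 2.0 response.
Added example, not AWS or IdP code. The XML is a constructed, unsigned skeleton;
STS checks the real signature against the registered IdP metadata, so parsing
alone is not a trust decision. "CorpAD" and the ReadOnly role are hypothetical."""
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://signin.aws.amazon.com/saml">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>jeff@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111122223333:role/ddb-role,arn:aws:iam::111122223333:saml-provider/CorpAD</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/CorpAD,arn:aws:iam::111122223333:role/ReadOnly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""").decode("ascii")   # constructed sample; the second value shows the reversed order


def parse_aws_saml(saml_response_b64):
    """Return {'roles': [(role_arn, provider_arn), ...], 'session_name': str}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        raise ValueError(f"assertion is not addressed to AWS: {audiences}")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    roles = []
    for pair in attrs.get(ROLE_ATTR, []):
        parts = [p.strip() for p in pair.split(",")]
        if len(parts) != 2 or sum(":role/" in p for p in parts) != 1:
            raise ValueError(f"malformed Role value: {pair!r}")
        # normalise to (role ARN, provider ARN); AWS accepts either order in the attribute
        roles.append(tuple(sorted(parts, key=lambda p: ":role/" not in p)))
    if not roles:
        raise ValueError("no Role attribute: the user maps to no IAM role")
    return {"roles": roles, "session_name": attrs.get(SESSION_ATTR, [None])[0]}


def assume_role_with_saml_params(saml_response_b64, role_arn):
    """Parameters for sts:AssumeRoleWithSAML once the user has chosen one offered role."""
    providers = dict(parse_aws_saml(saml_response_b64)["roles"])
    if role_arn not in providers:
        raise PermissionError(f"{role_arn} is not offered by this assertion")
    return {"RoleArn": role_arn, "PrincipalArn": providers[role_arn],
            "SAMLAssertion": saml_response_b64}
```

The console sign-in page runs the equivalent of `parse_aws_saml` and, when more than one role pair is present, shows the user a chooser; `assume_role_with_saml_params` is the shape of the call a non-console client makes with the same assertion.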
58. Web Identity Federation
• App sign-in using 3rd party identity providers
– Login with Amazon
– Facebook
– Google
• Apps can access data from
– Amazon S3, Amazon DynamoDB, Amazon Simple Notification Service (now with mobile push!)
• No server-side code required
64. Delegate Access Across Accounts
• Access resources across AWS accounts
• Why do you need it?
– Management visibility across all your AWS accounts
– Developer access to resources across AWS accounts
– Use third-party solutions, with no sharing of credentials
65. Cross-Account Access - Setup
[diagram: IAM user Jeff in dev@example.com (Acct ID: 123456789012) calls STS to assume ddb-role in prod@example.com (Acct ID: 111122223333)]
Permissions assigned to Jeff, granting him permission to assume ddb-role in the prod account (111122223333):
{ "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111122223333:role/ddb-role"
  }]}
Permissions assigned to ddb-role (read-only DynamoDB access):
{ "Version": "2012-10-17",
  "Statement": [
  {
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:BatchGetItem",
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:DescribeTable",
      "dynamodb:ListTables"
    ],
    "Effect": "Allow",
    "Resource": "*"
  }]}
Trust policy of ddb-role: it trusts IAM users from the AWS account dev@example.com (123456789012), i.e. whichever principals that account's administrators have allowed to call sts:AssumeRole
{ "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Principal": {"AWS": "123456789012"},
    "Action": "sts:AssumeRole"
  }]}
66. Cross-Account Access - Use
[diagram: IAM user Jeff in dev@example.com (Acct ID: 123456789012) → STS → ddb-role in prod@example.com (Acct ID: 111122223333)]
• Authenticate to AWS with Jeff's access keys
• Get temporary security credentials for ddb-role
• Call AWS APIs using the temporary security credentials of ddb-role
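The two setup slides describe a decision with two halves, and STS issues credentials only when both agree: Jeff's own policy in the dev account must allow `sts:AssumeRole` on the role ARN, and ddb-role's trust policy in the prod account must name Jeff, or his account, as Principal. The block below is an added example, not AWS code, that mirrors that check for the slide's identifiers. It also shows what a bare account-id Principal really means (it is shorthand for `arn:aws:iam::123456789012:root`, so the prod account has delegated the choice of who may assume the role to the dev account's administrators) and contrasts it with a tighter trust policy for the third-party case mentioned on the "Delegate Access" slide, naming the exact principal and demanding an `sts:ExternalId`, which is the standard guard against a vendor being tricked into assuming your role on someone else's behalf. The user `Mallory`, the vendor trust policy and its ExternalId value are assumptions.

```python
"""Both halves of the cross-account setup have to agree before STS hands out credentials.
Added example, not AWS code: it mirrors the two-sided decision from the slides.
Identifiers are the slide's; Mallory, the tightened trust policy and its
sts:ExternalId value are assumptions added here."""
DEV_ACCOUNT = "123456789012"
PROD_ACCOUNT = "111122223333"
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/ddb-role"
JEFF = f"arn:aws:iam::{DEV_ACCOUNT}:user/Jeff"
MALLORY = f"arn:aws:iam::{DEV_ACCOUNT}:user/Mallory"   # another dev-account user, constructed

JEFF_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
NO_POLICY = {"Version": "2012-10-17", "Statement": []}

# Slide's trust policy. "AWS": "<account-id>" is shorthand for arn:aws:iam::<id>:root,
# which delegates the choice of *who* in the dev account may assume to dev's admins.
TRUST_DEV_ACCOUNT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": DEV_ACCOUNT}, "Action": "sts:AssumeRole"}]}

# Tighter variant for third-party access (assumption): exact principal plus an
# ExternalId the caller must present, which blocks the confused-deputy case.
TRUST_NAMED_USER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": JEFF}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-8f3a"}}}]}


def _aslist(x):
    return x if isinstance(x, list) else [x]


def _account_of(arn):
    return arn.split(":")[4]


def identity_allows(policy, role_arn):
    """Caller side: does the caller's own policy grant sts:AssumeRole on this role?"""
    return any(s["Effect"] == "Allow" and "sts:AssumeRole" in _aslist(s["Action"])
               and role_arn in _aslist(s["Resource"]) for s in policy["Statement"])


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    for p in _aslist(principal.get("AWS", [])):
        if p in ("*", caller_arn):
            return True
        if p.isdigit() and _account_of(caller_arn) == p:              # bare account id
            return True
        if p.endswith(":root") and _account_of(caller_arn) == _account_of(p):
            return True
    return False


def trust_allows(trust_policy, caller_arn, external_id=None):
    """Role side: does the trust policy accept this caller (and ExternalId, if demanded)?"""
    for s in trust_policy["Statement"]:
        if s["Effect"] != "Allow" or "sts:AssumeRole" not in _aslist(s["Action"]):
            continue
        if not _principal_matches(s["Principal"], caller_arn):
            continue
        wanted = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if wanted is not None and external_id != wanted:
            continue
        return True
    return False


def can_assume(identity_policy, trust_policy, caller_arn, role_arn=ROLE_ARN, external_id=None):
    """Both checks must pass; either side alone is not enough."""
    return identity_allows(identity_policy, role_arn) and trust_allows(trust_policy, caller_arn, external_id)
```

With the slide's trust policy, `can_assume(JEFF_POLICY, TRUST_DEV_ACCOUNT, MALLORY)` is true as soon as a dev-account administrator attaches Jeff's statement to Mallory too; with `TRUST_NAMED_USER` only Jeff, presenting the agreed ExternalId, gets through. Organization-level controls and session policies are not modelled.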
68. AWS CloudTrail
Log API calls to: Amazon EC2, AWS IAM, Amazon RDS, Amazon VPC, AWS Security Token Service, Amazon Redshift, Amazon EBS, AWS CloudTrail
Additional services added over time…
69. AWS CloudTrail
• Your AWS account’s API calls logged and delivered to your Amazon S3 bucket
• Amazon SNS notifications of new log files (optional)
• Data analysis partners: (partner logos on the slide)
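Because STS and EC2 are among the logged services, the delivered files are enough to check that the earlier slides' controls are actually being exercised. The block below is an added example, not CloudTrail tooling: over a handful of records it reports every AssumeRole into ddb-role (separating denied attempts and callers from accounts the trust policy does not name) and every TerminateInstances made without an MFA-authenticated session, the control Derek's use case relies on. The records are constructed with the real field names and fake values; the "expected assumer" account comes from the trust-policy slide. Note that a record carries instance ids, not tags, so this detection flags every non-MFA termination rather than only `stack=prod` ones, and that plain access-key calls have no `sessionContext` at all, which is why they count as non-MFA.

```python
"""Two detections over CloudTrail records that follow from the earlier slides.
Added example, not CloudTrail tooling. CloudTrail delivers gzipped JSON files
with a top-level "Records" list; the records below are constructed with the
real field names and fake values."""
import gzip
import json

PROD_ACCOUNT = "111122223333"
EXPECTED_ASSUMERS = {"123456789012"}      # accounts ddb-role's trust policy names (slide)

SAMPLE_RECORDS = [   # constructed
    {"eventTime": "2013-11-13T18:02:11Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "recipientAccountId": PROD_ACCOUNT,
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:user/Jeff", "userName": "Jeff"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ddb-role", "roleSessionName": "jeff"}},
    {"eventTime": "2013-11-13T18:05:40Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "recipientAccountId": PROD_ACCOUNT,
     "userIdentity": {"type": "IAMUser", "accountId": "999999999999",
                      "arn": "arn:aws:iam::999999999999:user/Outsider", "userName": "Outsider"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ddb-role", "roleSessionName": "x"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2013-11-13T19:10:02Z", "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11", "recipientAccountId": PROD_ACCOUNT,
     "userIdentity": {"type": "IAMUser", "accountId": PROD_ACCOUNT,    # access keys: no sessionContext
                      "arn": "arn:aws:iam::111122223333:user/Derek", "userName": "Derek"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-abc12345"}]}}},
    {"eventTime": "2013-11-13T19:12:30Z", "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11", "recipientAccountId": PROD_ACCOUNT,
     "userIdentity": {"type": "IAMUser", "accountId": PROD_ACCOUNT,
                      "arn": "arn:aws:iam::111122223333:user/Derek", "userName": "Derek",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true",
                                                        "creationDate": "2013-11-13T19:00:00Z"}}},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-def67890"}]}}},
]


def load_records(path):
    """Read one delivered log file (AWSLogs/<account>/CloudTrail/<region>/.../*.json.gz)."""
    with gzip.open(path, "rt") as f:
        return json.load(f)["Records"]


def mfa_authenticated(record):
    """Only console/STS sessions carry sessionContext; plain access keys never count as MFA."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def audit(records, role_arn):
    """Return findings as {'rule', 'who', 'time', 'detail'} dicts, in record order."""
    findings = []
    for r in records:
        who = r.get("userIdentity", {}).get("arn", "?")
        params = r.get("requestParameters") or {}
        if r.get("eventSource") == "sts.amazonaws.com" and r.get("eventName") == "AssumeRole" \
                and params.get("roleArn") == role_arn:
            if r.get("errorCode"):
                rule = "assume-role-denied"
            elif r["userIdentity"].get("accountId") not in EXPECTED_ASSUMERS:
                rule = "assume-role-unexpected-account"
            else:
                rule = "assume-role"
            findings.append({"rule": rule, "who": who, "time": r["eventTime"],
                             "detail": params.get("roleSessionName")})
        if r.get("eventSource") == "ec2.amazonaws.com" and r.get("eventName") == "TerminateInstances" \
                and not r.get("errorCode") and not mfa_authenticated(r):
            ids = [i["instanceId"] for i in params["instancesSet"]["items"]]
            findings.append({"rule": "terminate-without-mfa", "who": who,
                             "time": r["eventTime"], "detail": ids})
    return findings
```

`audit(SAMPLE_RECORDS, "arn:aws:iam::111122223333:role/ddb-role")` yields three findings: Jeff's successful assumption, the denied attempt from account 999999999999, and Derek's access-key termination of i-abc12345; his MFA-backed termination of i-def67890 produces nothing. Point `load_records` at a delivered file and feed the result to `audit` for the same report on real data.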
70. Achieving Best Practices: Trusted Advisor
• AWS Support service
– Analyzes account for issues and recommendations
– API for integration with your tools
• Categories:
– Cost savings
– Security
– Fault tolerance
– Performance
73. New AWS Whitepapers
• AWS Security Best Practices
– http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
– Best practices on wide range of topics, including:
• Defining and categorizing assets on AWS
• Managing identities
• Implementing data security
• Securing your operating systems and applications
• Monitoring, alerting, auditing, and incident response
• Securing Data at Rest with Encryption
– http://media.amazonwebservices.com/AWS_Securing_Data_at_Rest_with_Encryption.pdf
77. For More Information
• IAM detail page: http://aws.amazon.com/iam
• AWS forum: https://forums.aws.amazon.com/forum.jspa?forumID=76
• Documentation: http://aws.amazon.com/documentation/iam/
• AWS Security Blog: http://blogs.aws.amazon.com/security
• Twitter: @AWSIdentity
• Meet the IAM and Security teams:
– Thursday 11/14 4pm - 6pm
– Toscana 3605
78. Customers who liked this talk also may like…
• SEC301 - Top 10 AWS Identity and Access Management (IAM) Best Practices
– Wednesday, Nov 13, 3:00 PM - 4:00 PM – Marcello 4503
• SEC302 - Mastering Access Control Policies
– Wednesday, Nov 13, 4:15 PM - 5:15 PM – Venetian A
• SEC303 - Delegating Access to your AWS Environment
– Thursday, Nov 14, 11:00 AM - 12:00 PM – Venetian A
• SEC304 - Encryption and key management in AWS
– Friday, Nov 15, 9:00 AM - 10:00 AM – San Polo 3406
• SEC401 - Integrate Social Login Into Mobile Apps
– Thursday, Nov 14, 1:30 PM - 2:30 PM – Venetian A
• SEC402 - Intrusion Detection in the Cloud
– Thursday, Nov 14, 5:30 PM - 6:30 PM – Marcello 4406
79. Please give us your feedback on this presentation (SEC201)
As a thank you, we will select prize winners daily for completed surveys!