Learn how AWS IAM enables you to control who can do what in your AWS environment. We discuss how IAM provides flexible access control that helps you maintain security while adapting to your evolving business needs. Wel review how to integrate AWS IAM with your existing identity directories via identity federation. We outline some of the unique challenges that make providing IAM for the cloud a little different. And throughout the presentation, we highlight recent features that make it even easier to manage the security of your workloads on the cloud.

1. SEC 201 - Access Control for the Cloud:
AWS Identity and Access Management (IAM)
Jim Scharf, AWS
November 13, 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

2. Agenda
• Overview of AWS Identity and Access
Management
• How to enforce security policies in the cloud
• How to integrate with existing directories
• Highlight new features along the way

3. Identity and Access Management
Who?
What Actions?
Which Resources?

4. What is AWS Identity and Access
Management?

5. AWS Identity and Access Management
Access control
for AWS services and resources
that is flexible, powerful, familiar, and secure

6. Flexible

7. A show of hands…
• How many already use AWS?
• Tried AWS because of
–
–
–
–
$: No upfront investment, free tier, low ongoing cost
Scale: Flexible capacity, global reach
Agility: Speed and agility, apps not ops
Services: Amazon EC2, Amazon S3, Amazon DynamoDB,
Amazon Redshift, Amazon RDS, Amazon EMR, Amazon
CloudFront, etc.

8. A show of hands…
• How many initially tried AWS because of
– Security
– Identity

9. Flexible  Individual Use

10. Hear About AWS

11. Create Account

12. Innovate!

13. Flexible  Organizations

14. CEO
Dev/Ops
Development
Sales/Mar
keting
Graeme
Nate
Anders
Greg
Cicilie
Erin
Kevin
Brian
Jeff
Finance/Acc
ounting
Joan

15. CEO
Dev/Ops
Development
Sales/Marketing
Finance/Accounting
Administrator
access:
control all AWS
resources,
including
managing users
Full access to:
Amazon S3, Amazon
DynamoDB
+
The ability to start
(but not stop)
Amazon EC2
instances
Read-only to
Amazon S3
Account activity
and usage
reports only

16. IAM

18. IAM
• Users, groups, permissions
– Individual security credentials
– Secure by default
– Grant least privilege
• Easy to use
– Graphical user interface
– Ability to script/automate (CLI & API)

19. Flexible  Enterprise

20. Control

21. Control
• AWS multi-factor authentication
– Hardware tokens
– Smartphone app tokens
• Credential management policies
• Control billing, support, and AWS Marketplace
purchases

22. Flexible Control That Adapts with Your Needs
No additional charge

23. Powerful Integrated

24. AWS Identity and Access Management
Access control
for AWS services and resources
that is flexible, powerful, familiar, and secure

25. Cloud Services
Amazon
RDS
Amazon
SES
AWS
Storage
Gateway
Amazon
CloudWatch
Amazon
Route 53
Amazon
EC2
AWS IAM
AWS
OpsWorks
Amazon
SNS
Amazon
DynamoDB
Amazon
CloudFront
Amazon
S3
AWS
Amazon Redshift
CloudFormation
Amazon
Elastic
MapReduce
Amazon
ElastiCache
Amazon
CloudSearch
Amazon
VPC
Amazon
Simple
Workflow
Amazon Elastic
Transcoder
AWS
Elastic
Beanstalk
Amazon
SQS

26. Cloud Resources
Elastic IPs
Stacks
Spot Instances
AMIs
Users
Topics
Placement groups
Templates
Buckets
Volumes
Messages
Instances
Files
Snapshots
Security Groups
Domains
Queues
Distributions
Groups Roles
Load Balancers
Apps
Workflows
Auto Scaling groups
Applications Network interfaces
Layers
Clusters

27. Powerful Fine-Grained

28. AWS Access Control
Who?
What actions?
Which resources?
When?
Where?
How?

29. Amazon EC2 Resource-Level Permissions
Example use cases:
• Ben can terminate instance i-abc12345 but not
instance i-def67890
• Jeff can launch instances only in the subnet
subnet-bdf2468
• Ken can use only the AMI ami-cba54321 to run
instances
• A user can take any action on resources if they
have the tag “sandbox=${aws:username}”
• Derek must authenticate using MFA before he can
terminate instances with the tag “stack=prod”

30. Amazon DynamoDB Fine-Grained Access Control
By Item
By Attribute
Or Both

31. Powerful Delegation

32. IAM Role
• Entity that defines a set of permissions
• Not associated with a specific user or
group
• Roles must be “assumed” by trusted
entities

33. IAM Roles for Amazon EC2
• Allow Amazon EC2-based apps to act on behalf of
another entity
• Create a role, apply a policy, launch instance with role
• Credentials are automatically:
– Made available to Amazon EC2 instances
– Rotated multiple times a day
• AWS SDKs transparently use the credentials

34. Roles for EC2 Instances
Auto
Scaling
AWS IAM
Role: RW access
to files, rows
Amazon
DynamoDB
Auto
Scaling
Amazon
S3
AWS Cloud

35. Benefits of Using Roles with Amazon EC2
•
•
•
•
Eliminates use of long-term credentials
Automatic credential rotation
Less coding – AWS SDK does all the work
Easier and more Secure!

36. Powerful Scale

37. Trillions
Resources

38. Million+
Requests/Second

39. Hundreds of
Thousands
Customers
in 190 countries
each with one to millions of identities

40. Lots!
Servers

41. Global

42. Familiar  Administration

45. IAM Policy Simulator
• Test the effect of access control policies before
pushing to production
• Verify and troubleshoot permissions

52. Amazon EC2
Instance OS
Familiar Instance OS Controls
RunInstances
IAM
Amazon
EC2
Instance

53. Familiar  Enterprise Federation

54. Federation
• AWS websites and/or APIs as relying party
• Pre-packaged samples: Windows Active Directory, Shibboleth
Active Directory

55. SSO Federation Using SAML New
• STS now supports SAML 2.0
• Benefits:
–
–
–
–
Open standards
Quicker and easier to implement federation
Leverage existing identity management software to manage access to AWS resources
No coding required
• AWS Management Console SSO
– IdP-initiated web SSO via SAML 2.0 using the HTTP-POST binding (web SSO profile)
– New sign-in URL that greatly simplifies SSO
https://signin.aws.amazon.com/saml<SAML AuthN response>
• API federation using new assumeRoleWithSAML operation

56. Partner Integrations for Federation / SSO
http://www.xceedium.com/xsuite/xsuite-for-amazon-web-services
http://www.okta.com/aws/
http://www.symplified.com/solutions/single-sign-on-sso
https://www.pingidentity.com/products/pingfederate/
http://www.cloudberrylab.com/ad-bridge.aspx
http://wiki.developerforce.com/page/Configuring-SAML-SSO-to-AWS

57. Familiar  Web Identity Federation

58. Web Identity Federation
• App sign-in using 3rd party identity providers
– Login with Amazon
– Facebook
– Google
• Apps can access data from
– Amazon S3, Amazon DynamoDB, Amazon Simple Notification
Service (now with mobile push!)
• No server-side code required

59. Web Identity Federation
US-EAST-1
Amazon S3
Amazon
DynamoDB
AWS Services
STS
Identity
Provider
Assume Role

61. Web Identity Federation Playground
• UI tool
• Try it out, no coding
required!

62. Secure  Powerful Controls

63. Control Your Users
Multi-Factor
Authentication
Password/Credential
Management Policies

64. Delegate Access Across Accounts
• Access resources across AWS accounts
• Why do you need it?
– Management visibility across all your AWS accounts
– Developer access to resources across AWS accounts
– Use third-party solutions, with no sharing of credentials

65. Cross-Account Access - Setup
dev@example.com
prod@example.com
Acct ID: 111122223333
Acct ID: 123456789012
STS
ddb-role
IAM user: Jeff
{ "Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource":
"arn:aws:iam::111122223333:role/ddb-role"
}]}
Permissions assigned to Jeff granting him permission
to assume ddb-role in account B
Permissions assigned
to ddb-role
{ "Statement": [
{
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:DescribeTable",
"dynamodb:ListTables"
],
"Effect": "Allow",
"Resource": "*"
}]}
{ "Statement": [
{
"Effect":"Allow",
"Principal":{"AWS":"123456789012"},
"Action":"sts:AssumeRole"
}]}
ddb-role trusts IAM users from the AWS
account dev@example.com (123456789012)

66. Cross-Account Access - Use
dev@example.com
Acct ID: 123456789012
prod@example.com
Authenticate to
AWS with
Jeff access keys
Acct ID: 111122223333
STS
ddb-role
IAM user: Jeff
Get temporary
security credentials
for ddb-role
Call AWS APIs
using temporary
security credentials
of ddb-role

67. Secure  Audit

68. AWS CloudTrail
Log API calls to:
Amazon EC2
AWS IAM
Amazon RDS
Amazon VPC
AWS Security
Token Service
Amazon Redshift
Amazon EBS
AWS CloudTrail
Additional services added over time…

69. AWS CloudTrail
• Your AWS account’s API calls logged and delivered to
your Amazon S3 bucket
• Amazon SNS notifications of new log files (optional)
• Data analysis partners:

70. Achieving Best Practices: Trusted Advisor
• AWS Support service
– Analyzes account for issues and
recommendations
– API for integration with your tools
• Categories:
–
–
–
–
Cost savings
Security
Fault tolerance
Performance

71. Secure  Compliance

72. Regular Exhaustive 3rd Party Evaluations

73. New AWS Whitepapers
• AWS Security Best Practices
– http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
– Best practices on wide range of topics, including:
•
•
•
•
•
Defining and categorizing assets on AWS
Managing identities
Implementing data security
Securing your operating systems and applications
Monitoring, alerting, auditing, and incident response
• Securing Data at Rest with Encryption
–
http://media.amazonwebservices.com/AWS_Securing_Data_at_Rest_with_Encryption.pdf

74. AWS Security Blog
http://blogs.aws.amazon.com/security/

75. Summary

76. AWS Identity and Access Management
• Flexible
– Individual use
– Organizations
– Enterprise
• Powerful
–
–
–
–
Integrated
Fine-grained
Delegation
Scale
• Familiar
– Administration
– Enterprise federation
– Web identity federation
• Secure
– Powerful controls
– Audit
– Compliance

77. For More Information
•
•
•
•
•
IAM detail page: http://aws.amazon.com/iam
AWS forum: https://forums.aws.amazon.com/forum.jspa?forumID=76
Documentation: http://aws.amazon.com/documentation/iam/
AWS Security Blog: http://blogs.aws.amazon.com/security
Twitter: @AWSIdentity
• Meet the IAM and Security teams:
– Thursday 11/14 4pm - 6pm
– Toscana 3605

78. Customers who liked this talk also may like…
• SEC301 - Top 10 AWS Identity and Access Management (IAM) Best Practices
–
Wednesday, Nov 13, 3:00 PM - 4:00 PM – Marcello 4503
• SEC302 - Mastering Access Control Policies
–
Wednesday, Nov 13, 4:15 PM - 5:15 PM – Venetian A
• SEC303 - Delegating Access to your AWS Environment
–
Thursday, Nov 14, 11:00 AM - 12:00 PM – Venetian A
• SEC304 - Encryption and key management in AWS
–
Friday, Nov 15, 9:00 AM - 10:00 AM – San Polo 3406
• SEC401 - Integrate Social Login Into Mobile Apps
–
Thursday, Nov 14, 1:30 PM - 2:30 PM – Venetian A
• SEC402 - Intrusion Detection in the Cloud
–
Thursday, Nov 14, 5:30 PM - 6:30 PM – Marcello 4406

79. Please give us your feedback on this
presentation
SEC201
As a thank you, we will select prize
winners daily for completed surveys!