Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013
- 1. SEC 201 - Access Control for the Cloud: AWS Identity and Access Management (IAM)
Jim Scharf, AWS
November 13, 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 2. Agenda
• Overview of AWS Identity and Access Management
• How to enforce security policies in the cloud
• How to integrate with existing directories
• Highlight new features along the way
- 5. AWS Identity and Access Management
Access control
for AWS services and resources
that is flexible, powerful, familiar, and secure
- 7. A show of hands…
• How many already use AWS?
• Tried AWS because of
– $: No upfront investment, free tier, low ongoing cost
– Scale: Flexible capacity, global reach
– Agility: Speed and agility, apps not ops
– Services: Amazon EC2, Amazon S3, Amazon DynamoDB, Amazon Redshift, Amazon RDS, Amazon EMR, Amazon CloudFront, etc.
- 8. A show of hands…
• How many initially tried AWS because of
– Security
– Identity
- 18. IAM
• Users, groups, permissions
– Individual security credentials
– Secure by default
– Grant least privilege
• Easy to use
– Graphical user interface
– Ability to script/automate (CLI & API)
- 21. Control
• AWS multi-factor authentication
– Hardware tokens
– Smartphone app tokens
• Credential management policies
• Control billing, support, and AWS Marketplace
purchases
- 24. AWS Identity and Access Management
Access control
for AWS services and resources
that is flexible, powerful, familiar, and secure
- 26. Cloud Resources
Elastic IPs, Stacks, Spot Instances, AMIs, Users, Topics, Placement groups, Templates, Buckets, Volumes, Messages, Instances, Files, Snapshots, Security Groups, Domains, Queues, Distributions, Groups, Roles, Load Balancers, Apps, Workflows, Auto Scaling groups, Applications, Network interfaces, Layers, Clusters
- 29. Amazon EC2 Resource-Level Permissions
Example use cases:
• Ben can terminate instance i-abc12345 but not instance i-def67890
• Jeff can launch instances only in the subnet subnet-bdf2468
• Ken can use only the AMI ami-cba54321 to run instances
• A user can take any action on resources if they have the tag “sandbox=${aws:username}”
• Derek must authenticate using MFA before he can terminate instances with the tag “stack=prod”
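The use cases above are all expressed as IAM policy statements with a Resource ARN or a Condition. The following toy evaluator is an added example, not AWS code: it applies IAM's documented decision rules (implicit deny, explicit Deny overrides Allow) to a small subset of the policy language and exercises the Ben, Jeff, sandbox-tag and Derek/MFA policies. The region in the ARNs, the user name "alice" and the helper names are assumptions; the instance, subnet and tag values come from the slide.

```python
# Added example (not AWS code): a toy evaluator for the resource-level
# permission use cases on this slide. It follows IAM's decision rules
# (implicit deny unless a matching Allow exists; a matching explicit Deny
# always wins) for a subset of the policy language: Action/Resource
# wildcards, StringEquals / StringNotEquals on ec2:ResourceTag/<key> (with
# ${aws:username} policy variables) and Bool on aws:MultiFactorAuthPresent.
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"                            # account id from the deck
ARN_PREFIX = f"arn:aws:ec2:us-east-1:{ACCOUNT}:"    # region is an assumption

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _substitute(text, context):
    """Expand policy variables such as ${aws:username} from the request context."""
    for key, ctx_value in context.items():
        text = text.replace("${" + key + "}", str(ctx_value))
    return text

def _condition_holds(condition, context):
    """Every operator/key pair in a Condition block must match (logical AND)."""
    for operator, pairs in condition.items():
        negated = operator.startswith("StringNot")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                # IAM: a missing context key fails a positive test, passes a negated one
                if negated:
                    continue
                return False
            if operator in ("StringEquals", "StringNotEquals"):
                wanted = [_substitute(e, context) for e in _as_list(expected)]
                if (actual in wanted) == negated:
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def is_allowed(policy, action, resource, context=None):
    context = context or {}
    decision = "Deny"                               # implicit deny
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False                            # explicit deny wins
        decision = "Allow"
    return decision == "Allow"

# Ben: may terminate i-abc12345 but not i-def67890
BEN = {"Statement": [{"Effect": "Allow", "Action": "ec2:TerminateInstances",
                      "Resource": ARN_PREFIX + "instance/i-abc12345"}]}

# Jeff: may launch only in subnet-bdf2468 (real RunInstances authorizes every
# referenced resource; this model checks the subnet ARN alone)
JEFF = {"Statement": [{"Effect": "Allow", "Action": "ec2:RunInstances",
                       "Resource": ARN_PREFIX + "subnet/subnet-bdf2468"}]}

# Any action on resources tagged sandbox=<the caller's own user name>
SANDBOX = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
                          "Condition": {"StringEquals":
                                        {"ec2:ResourceTag/sandbox": "${aws:username}"}}}]}

# Derek: terminating stack=prod instances requires MFA; other instances do not
DEREK = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"StringNotEquals": {"ec2:ResourceTag/stack": "prod"}}},
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/stack": "prod"},
                   "Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

if __name__ == "__main__":
    prod = ARN_PREFIX + "instance/i-def67890"
    print("Derek, prod, no MFA:", is_allowed(DEREK, "ec2:TerminateInstances", prod,
                                             {"ec2:ResourceTag/stack": "prod"}))
```

Derek's policy is written as two Allow statements rather than an Allow plus a Deny on `aws:MultiFactorAuthPresent = false`, because that key is absent from the request context when long-term access keys are used, and an absent key does not satisfy a positive Bool test; the evaluator models that rule so the untagged and non-prod cases come out allowed while the prod-without-MFA case does not.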
- 32. IAM Role
• Entity that defines a set of permissions
• Not associated with a specific user or group
• Roles must be “assumed” by trusted entities
- 33. IAM Roles for Amazon EC2
• Allow Amazon EC2-based apps to act on behalf of another entity
• Create a role, apply a policy, launch instance with role
• Credentials are automatically:
– Made available to Amazon EC2 instances
– Rotated multiple times a day
• AWS SDKs transparently use the credentials
- 34. Roles for EC2 Instances
[Diagram: Auto Scaling groups of Amazon EC2 instances in the AWS Cloud, launched with an AWS IAM role granting RW access to files and rows, accessing Amazon S3 and Amazon DynamoDB]
- 35. Benefits of Using Roles with Amazon EC2
• Eliminates use of long-term credentials
• Automatic credential rotation
• Less coding – AWS SDK does all the work
• Easier and more secure!
- 45. IAM Policy Simulator
• Test the effect of access control policies before pushing to production
• Verify and troubleshoot permissions
- 54. Federation
• AWS websites and/or APIs as relying party
• Pre-packaged samples: Windows Active Directory, Shibboleth
- 55. SSO Federation Using SAML (New)
• STS now supports SAML 2.0
• Benefits:
– Open standards
– Quicker and easier to implement federation
– Leverage existing identity management software to manage access to AWS resources
– No coding required
• AWS Management Console SSO
– IdP-initiated web SSO via SAML 2.0 using the HTTP-POST binding (web SSO profile)
– New sign-in URL that greatly simplifies SSO: https://signin.aws.amazon.com/saml (receives the POSTed SAML AuthN response)
• API federation using new assumeRoleWithSAML operation
- 56. Partner Integrations for Federation / SSO
http://www.xceedium.com/xsuite/xsuite-for-amazon-web-services
http://www.okta.com/aws/
http://www.symplified.com/solutions/single-sign-on-sso
https://www.pingidentity.com/products/pingfederate/
http://www.cloudberrylab.com/ad-bridge.aspx
http://wiki.developerforce.com/page/Configuring-SAML-SSO-to-AWS
- 58. Web Identity Federation
• App sign-in using 3rd party identity providers
– Login with Amazon
– Facebook
– Google
• Apps can access data from
– Amazon S3, Amazon DynamoDB, Amazon Simple Notification
Service (now with mobile push!)
• No server-side code required
- 64. Delegate Access Across Accounts
• Access resources across AWS accounts
• Why do you need it?
– Management visibility across all your AWS accounts
– Developer access to resources across AWS accounts
– Use third-party solutions, with no sharing of credentials
- 65. Cross-Account Access - Setup
[Diagram: IAM user Jeff in account dev@example.com (Acct ID: 123456789012) calls STS to assume ddb-role in account prod@example.com (Acct ID: 111122223333)]
Permissions assigned to Jeff granting him permission to assume ddb-role in account B:
{ "Statement": [
  {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111122223333:role/ddb-role"
  }]}
Permissions assigned to ddb-role:
{ "Statement": [
  {
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:BatchGetItem",
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:DescribeTable",
      "dynamodb:ListTables"
    ],
    "Effect": "Allow",
    "Resource": "*"
  }]}
ddb-role trusts IAM users from the AWS account dev@example.com (123456789012):
{ "Statement": [
  {
    "Effect": "Allow",
    "Principal": {"AWS": "123456789012"},
    "Action": "sts:AssumeRole"
  }]}
- 66. Cross-Account Access - Use
[Diagram: IAM user Jeff in dev@example.com (Acct ID: 123456789012); STS and ddb-role in prod@example.com (Acct ID: 111122223333)]
• Authenticate to AWS with Jeff access keys
• Get temporary security credentials for ddb-role
• Call AWS APIs using temporary security credentials of ddb-role
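The setup and use slides together describe a two-sided check: Jeff's own account must grant sts:AssumeRole on the role ARN, and the role's trust policy must name Jeff's account, after which the temporary credentials carry only ddb-role's read-only DynamoDB permissions. The following model is an added example, not AWS or STS code; the three policies and the two account ids are taken from the slides, while Jeff's user ARN, the helper names and the second caller from account 999999999999 are assumptions.

```python
# Added example (not AWS code): a toy model of the cross-account AssumeRole
# check on slides 65 and 66. Policies and account ids come from the slides;
# the caller ARNs and helper names are assumptions for illustration.
from fnmatch import fnmatchcase

DEV_ACCOUNT, PROD_ACCOUNT = "123456789012", "111122223333"
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/ddb-role"
JEFF_ARN = f"arn:aws:iam::{DEV_ACCOUNT}:user/Jeff"        # assumed user ARN

JEFF_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Resource": ROLE_ARN}]}
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                              "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem",
                                         "dynamodb:Query", "dynamodb:Scan",
                                         "dynamodb:DescribeTable", "dynamodb:ListTables"]}]}
TRUST_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": DEV_ACCOUNT},
                               "Action": "sts:AssumeRole"}]}

def _any_match(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def _allows(policy, action, resource):
    """Identity/permission policy: implicit deny, explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _any_match(stmt["Action"], action):
            continue
        if not _any_match(stmt.get("Resource", "*"), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def _trusted(trust_policy, caller_arn):
    """Trust policy: a bare account id means arn:aws:iam::<id>:root, i.e. any
    principal of that account whose own policies also allow sts:AssumeRole."""
    caller_account = caller_arn.split(":")[4]
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _any_match(stmt["Action"], "sts:AssumeRole"):
            continue
        principals = stmt["Principal"]["AWS"]
        principals = principals if isinstance(principals, list) else [principals]
        if any(p in (caller_account, f"arn:aws:iam::{caller_account}:root", caller_arn)
               for p in principals):
            return True
    return False

def assume_role(caller_arn, caller_policy, role_arn, trust_policy, role_policy):
    """Both halves must agree: the caller's account grants sts:AssumeRole on
    the role, and the role's trust policy names the caller's account."""
    if not _allows(caller_policy, "sts:AssumeRole", role_arn):
        raise PermissionError(f"{caller_arn} has no sts:AssumeRole permission on {role_arn}")
    if not _trusted(trust_policy, caller_arn):
        raise PermissionError(f"{role_arn} does not trust {caller_arn}")
    # The temporary credentials carry the role's permissions, not the caller's.
    return {"RoleArn": role_arn, "Policy": role_policy}

def can_assume(caller_arn, caller_policy, role_arn=ROLE_ARN,
               trust_policy=TRUST_POLICY, role_policy=ROLE_POLICY):
    """Boolean wrapper around assume_role for quick checks."""
    try:
        assume_role(caller_arn, caller_policy, role_arn, trust_policy, role_policy)
        return True
    except PermissionError:
        return False

def call_api(session, action, resource="*"):
    """What a call made with the temporary credentials is allowed to do."""
    return _allows(session["Policy"], action, resource)

if __name__ == "__main__":
    session = assume_role(JEFF_ARN, JEFF_POLICY, ROLE_ARN, TRUST_POLICY, ROLE_POLICY)
    print("dynamodb:Query   ->", call_api(session, "dynamodb:Query"))
    print("dynamodb:PutItem ->", call_api(session, "dynamodb:PutItem"))
```

Because the trust policy names the whole dev account rather than a single user, the prod account delegates the "who" decision to the dev account's administrators: removing Jeff's sts:AssumeRole statement is enough to cut his access, and no credentials ever move between the two accounts.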
- 68. AWS CloudTrail
Log API calls to: Amazon EC2, AWS IAM, Amazon RDS, Amazon VPC, AWS Security Token Service, Amazon Redshift, Amazon EBS, AWS CloudTrail
Additional services added over time…
- 69. AWS CloudTrail
• Your AWS account’s API calls logged and delivered to your Amazon S3 bucket
• Amazon SNS notifications of new log files (optional)
• Data analysis partners:
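Once the log files land in S3, the value is in what you ask of them. The following triage script is an added example, not CloudTrail or partner code: it runs three checks that follow directly from this talk (console sign-in without MFA, a cross-account AssumeRole such as the ddb-role flow, and IAM calls that create or widen credentials) over a constructed log file. The field names follow the CloudTrail record format; the records, user names, timestamps and IP addresses are made up for the example, and the list of sensitive IAM event names is a choice for illustration, not an AWS list.

```python
# Added example (not AWS code): triage rules over CloudTrail-style records.
# The log file below is constructed for this example; field names such as
# eventSource, eventName, userIdentity, additionalEventData.MFAUsed and
# requestParameters.roleArn follow the CloudTrail record format, but every
# value (users, times, IPs) is made up.
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventTime": "2013-11-13T17:01:09Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "Jeff", "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventTime": "2013-11-13T17:05:41Z", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "Ken", "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "eventTime": "2013-11-13T17:10:02Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "Jeff", "accountId": "123456789012"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ddb-role",
                           "roleSessionName": "jeff-ddb"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "eventTime": "2013-11-13T17:12:30Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "Jeff", "accountId": "123456789012"},
     "requestParameters": {"userName": "Ben"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "eventTime": "2013-11-13T17:15:00Z", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "IAMUser", "userName": "Ken", "accountId": "123456789012"}},
]})

# IAM calls that create or widen credentials/permissions; a partial list
# chosen for this example, to be tuned per environment.
SENSITIVE_IAM_EVENTS = {"CreateAccessKey", "CreateLoginProfile", "CreateUser",
                        "PutUserPolicy", "PutRolePolicy", "AttachUserPolicy",
                        "AttachRolePolicy", "UpdateAssumeRolePolicy",
                        "DeactivateMFADevice"}

def _actor(record):
    ident = record.get("userIdentity", {})
    return f"{ident.get('type')}:{ident.get('userName', ident.get('arn', '?'))}"

def triage(log_text):
    """Return (rule, actor, detail) findings for the records in a CloudTrail file."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        name, source = rec.get("eventName"), rec.get("eventSource")
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(("console-login-without-mfa", _actor(rec), rec["sourceIPAddress"]))
        elif source == "sts.amazonaws.com" and name == "AssumeRole":
            role_arn = rec["requestParameters"]["roleArn"]
            # the role's account is the 5th ARN field; flag when it differs from the caller's
            if role_arn.split(":")[4] != rec["userIdentity"].get("accountId"):
                findings.append(("cross-account-assume-role", _actor(rec), role_arn))
        elif source == "iam.amazonaws.com" and name in SENSITIVE_IAM_EVENTS:
            target = rec.get("requestParameters", {}).get("userName", "")
            findings.append(("iam-credential-or-policy-change", _actor(rec),
                             f"{name} {target}".strip()))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

The cross-account rule is not an alarm by itself (the ddb-role flow is the intended design), but it gives the prod account an independent record of which dev-account principals used the role, which is exactly the management visibility slide 64 asks for; the other two rules catch the credential hygiene this talk recommends being bypassed.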
- 70. Achieving Best Practices: Trusted Advisor
• AWS Support service
– Analyzes account for issues and recommendations
– API for integration with your tools
• Categories:
– Cost savings
– Security
– Fault tolerance
– Performance
- 73. New AWS Whitepapers
• AWS Security Best Practices
– http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
– Best practices on wide range of topics, including:
• Defining and categorizing assets on AWS
• Managing identities
• Implementing data security
• Securing your operating systems and applications
• Monitoring, alerting, auditing, and incident response
• Securing Data at Rest with Encryption
– http://media.amazonwebservices.com/AWS_Securing_Data_at_Rest_with_Encryption.pdf
- 76. AWS Identity and Access Management
• Flexible
– Individual use
– Organizations
– Enterprise
• Powerful
– Integrated
– Fine-grained
– Delegation
– Scale
• Familiar
– Administration
– Enterprise federation
– Web identity federation
• Secure
– Powerful controls
– Audit
– Compliance
- 77. For More Information
• IAM detail page: http://aws.amazon.com/iam
• AWS forum: https://forums.aws.amazon.com/forum.jspa?forumID=76
• Documentation: http://aws.amazon.com/documentation/iam/
• AWS Security Blog: http://blogs.aws.amazon.com/security
• Twitter: @AWSIdentity
• Meet the IAM and Security teams:
– Thursday 11/14 4pm - 6pm
– Toscana 3605
- 78. Customers who liked this talk also may like…
• SEC301 - Top 10 AWS Identity and Access Management (IAM) Best Practices
– Wednesday, Nov 13, 3:00 PM - 4:00 PM – Marcello 4503
• SEC302 - Mastering Access Control Policies
– Wednesday, Nov 13, 4:15 PM - 5:15 PM – Venetian A
• SEC303 - Delegating Access to your AWS Environment
– Thursday, Nov 14, 11:00 AM - 12:00 PM – Venetian A
• SEC304 - Encryption and key management in AWS
– Friday, Nov 15, 9:00 AM - 10:00 AM – San Polo 3406
• SEC401 - Integrate Social Login Into Mobile Apps
– Thursday, Nov 14, 1:30 PM - 2:30 PM – Venetian A
• SEC402 - Intrusion Detection in the Cloud
– Thursday, Nov 14, 5:30 PM - 6:30 PM – Marcello 4406
- 79. Please give us your feedback on this presentation
SEC201
As a thank you, we will select prize winners daily for completed surveys!