Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013
•
11 likes•12,332 views
Learn how AWS IAM enables you to control who can do what in your AWS environment. We discuss how IAM provides flexible access control that helps you maintain security while adapting to your evolving business needs. Wel review how to integrate AWS IAM with your existing identity directories via identity federation. We outline some of the unique challenges that make providing IAM for the cloud a little different. And throughout the presentation, we highlight recent features that make it even easier to manage the security of your workloads on the cloud.
Report
Share
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013
- 1. SEC 201 - Access Control for the Cloud: AWS Identity and Access Management (IAM) Jim Scharf, AWS November 13, 2013 © 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 2. Agenda • Overview of AWS Identity and Access Management • How to enforce security policies in the cloud • How to integrate with existing directories • Highlight new features along the way
- 3. Identity and Access Management Who? What Actions? Which Resources?
- 4. What is AWS Identity and Access Management?
- 5. AWS Identity and Access Management Access control for AWS services and resources that is flexible, powerful, familiar, and secure
- 6. Flexible
- 7. A show of hands… • How many already use AWS? • Tried AWS because of – – – – $: No upfront investment, free tier, low ongoing cost Scale: Flexible capacity, global reach Agility: Speed and agility, apps not ops Services: Amazon EC2, Amazon S3, Amazon DynamoDB, Amazon Redshift, Amazon RDS, Amazon EMR, Amazon CloudFront, etc.
- 8. A show of hands… • How many initially tried AWS because of – Security – Identity
- 9. Flexible Individual Use
- 10. Hear About AWS
- 11. Create Account
- 12. Innovate!
- 15. CEO Dev/Ops Development Sales/Marketing Finance/Accounting Administrator access: control all AWS resources, including managing users Full access to: Amazon S3, Amazon DynamoDB + The ability to start (but not stop) Amazon EC2 instances Read-only to Amazon S3 Account activity and usage reports only
- 16. IAM
- 18. IAM • Users, groups, permissions – Individual security credentials – Secure by default – Grant least privilege • Easy to use – Graphical user interface – Ability to script/automate (CLI & API)
- 20. Control
- 21. Control • AWS multi-factor authentication – Hardware tokens – Smartphone app tokens • Credential management policies • Control billing, support, and AWS Marketplace purchases
- 22. Flexible Control That Adapts with Your Needs No additional charge
- 24. AWS Identity and Access Management Access control for AWS services and resources that is flexible, powerful, familiar, and secure
- 25. Cloud Services Amazon RDS Amazon SES AWS Storage Gateway Amazon CloudWatch Amazon Route 53 Amazon EC2 AWS IAM AWS OpsWorks Amazon SNS Amazon DynamoDB Amazon CloudFront Amazon S3 AWS Amazon Redshift CloudFormation Amazon Elastic MapReduce Amazon ElastiCache Amazon CloudSearch Amazon VPC Amazon Simple Workflow Amazon Elastic Transcoder AWS Elastic Beanstalk Amazon SQS
- 26. Cloud Resources Elastic IPs Stacks Spot Instances AMIs Users Topics Placement groups Templates Buckets Volumes Messages Instances Files Snapshots Security Groups Domains Queues Distributions Groups Roles Load Balancers Apps Workflows Auto Scaling groups Applications Network interfaces Layers Clusters
- 28. AWS Access Control Who? What actions? Which resources? When? Where? How?
- 29. Amazon EC2 Resource-Level Permissions Example use cases: • Ben can terminate instance i-abc12345 but not instance i-def67890 • Jeff can launch instances only in the subnet subnet-bdf2468 • Ken can use only the AMI ami-cba54321 to run instances • A user can take any action on resources if they have the tag “sandbox=${aws:username}” • Derek must authenticate using MFA before he can terminate instances with the tag “stack=prod”
- 30. Amazon DynamoDB Fine-Grained Access Control By Item By Attribute Or Both
- 32. IAM Role • Entity that defines a set of permissions • Not associated with a specific user or group • Roles must be “assumed” by trusted entities
- 33. IAM Roles for Amazon EC2 • Allow Amazon EC2-based apps to act on behalf of another entity • Create a role, apply a policy, launch instance with role • Credentials are automatically: – Made available to Amazon EC2 instances – Rotated multiple times a day • AWS SDKs transparently use the credentials
- 34. Roles for EC2 Instances Auto Scaling AWS IAM Role: RW access to files, rows Amazon DynamoDB Auto Scaling Amazon S3 AWS Cloud
- 35. Benefits of Using Roles with Amazon EC2 • • • • Eliminates use of long-term credentials Automatic credential rotation Less coding – AWS SDK does all the work Easier and more Secure!
- 36. Powerful Scale
- 39. Hundreds of Thousands Customers in 190 countries each with one to millions of identities
- 40. Lots! Servers
- 41. Global
- 45. IAM Policy Simulator • Test the effect of access control policies before pushing to production • Verify and troubleshoot permissions
- 52. Amazon EC2 Instance OS Familiar Instance OS Controls RunInstances IAM Amazon EC2 Instance
- 53. Familiar Enterprise Federation
- 54. Federation • AWS websites and/or APIs as relying party • Pre-packaged samples: Windows Active Directory, Shibboleth Active Directory
- 55. SSO Federation Using SAML New • STS now supports SAML 2.0 • Benefits: – – – – Open standards Quicker and easier to implement federation Leverage existing identity management software to manage access to AWS resources No coding required • AWS Management Console SSO – IdP-initiated web SSO via SAML 2.0 using the HTTP-POST binding (web SSO profile) – New sign-in URL that greatly simplifies SSO https://signin.aws.amazon.com/saml<SAML AuthN response> • API federation using new assumeRoleWithSAML operation
- 56. Partner Integrations for Federation / SSO http://www.xceedium.com/xsuite/xsuite-for-amazon-web-services http://www.okta.com/aws/ http://www.symplified.com/solutions/single-sign-on-sso https://www.pingidentity.com/products/pingfederate/ http://www.cloudberrylab.com/ad-bridge.aspx http://wiki.developerforce.com/page/Configuring-SAML-SSO-to-AWS
- 57. Familiar Web Identity Federation
- 58. Web Identity Federation • App sign-in using 3rd party identity providers – Login with Amazon – Facebook – Google • Apps can access data from – Amazon S3, Amazon DynamoDB, Amazon Simple Notification Service (now with mobile push!) • No server-side code required
- 59. Web Identity Federation US-EAST-1 Amazon S3 Amazon DynamoDB AWS Services STS Identity Provider Assume Role
- 61. Web Identity Federation Playground • UI tool • Try it out, no coding required!
- 62. Secure Powerful Controls
- 64. Delegate Access Across Accounts • Access resources across AWS accounts • Why do you need it? – Management visibility across all your AWS accounts – Developer access to resources across AWS accounts – Use third-party solutions, with no sharing of credentials
- 65. Cross-Account Access - Setup dev@example.com prod@example.com Acct ID: 111122223333 Acct ID: 123456789012 STS ddb-role IAM user: Jeff { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} Permissions assigned to Jeff granting him permission to assume ddb-role in account B Permissions assigned to ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*" }]} { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} ddb-role trusts IAM users from the AWS account dev@example.com (123456789012)
- 66. Cross-Account Access - Use dev@example.com Acct ID: 123456789012 prod@example.com Authenticate to AWS with Jeff access keys Acct ID: 111122223333 STS ddb-role IAM user: Jeff Get temporary security credentials for ddb-role Call AWS APIs using temporary security credentials of ddb-role
- 67. Secure Audit
- 68. AWS CloudTrail Log API calls to: Amazon EC2 AWS IAM Amazon RDS Amazon VPC AWS Security Token Service Amazon Redshift Amazon EBS AWS CloudTrail Additional services added over time…
- 69. AWS CloudTrail • Your AWS account’s API calls logged and delivered to your Amazon S3 bucket • Amazon SNS notifications of new log files (optional) • Data analysis partners:
- 70. Achieving Best Practices: Trusted Advisor • AWS Support service – Analyzes account for issues and recommendations – API for integration with your tools • Categories: – – – – Cost savings Security Fault tolerance Performance
- 72. Regular Exhaustive 3rd Party Evaluations
- 73. New AWS Whitepapers • AWS Security Best Practices – http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf – Best practices on wide range of topics, including: • • • • • Defining and categorizing assets on AWS Managing identities Implementing data security Securing your operating systems and applications Monitoring, alerting, auditing, and incident response • Securing Data at Rest with Encryption – http://media.amazonwebservices.com/AWS_Securing_Data_at_Rest_with_Encryption.pdf
- 75. Summary
- 76. AWS Identity and Access Management • Flexible – Individual use – Organizations – Enterprise • Powerful – – – – Integrated Fine-grained Delegation Scale • Familiar – Administration – Enterprise federation – Web identity federation • Secure – Powerful controls – Audit – Compliance
- 77. For More Information • • • • • IAM detail page: http://aws.amazon.com/iam AWS forum: https://forums.aws.amazon.com/forum.jspa?forumID=76 Documentation: http://aws.amazon.com/documentation/iam/ AWS Security Blog: http://blogs.aws.amazon.com/security Twitter: @AWSIdentity • Meet the IAM and Security teams: – Thursday 11/14 4pm - 6pm – Toscana 3605
- 78. Customers who liked this talk also may like… • SEC301 - Top 10 AWS Identity and Access Management (IAM) Best Practices – Wednesday, Nov 13, 3:00 PM - 4:00 PM – Marcello 4503 • SEC302 - Mastering Access Control Policies – Wednesday, Nov 13, 4:15 PM - 5:15 PM – Venetian A • SEC303 - Delegating Access to your AWS Environment – Thursday, Nov 14, 11:00 AM - 12:00 PM – Venetian A • SEC304 - Encryption and key management in AWS – Friday, Nov 15, 9:00 AM - 10:00 AM – San Polo 3406 • SEC401 - Integrate Social Login Into Mobile Apps – Thursday, Nov 14, 1:30 PM - 2:30 PM – Venetian A • SEC402 - Intrusion Detection in the Cloud – Thursday, Nov 14, 5:30 PM - 6:30 PM – Marcello 4406
- 79. Please give us your feedback on this presentation SEC201 As a thank you, we will select prize winners daily for completed surveys!