Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Post on 06-Sep-2014


Description

Learn how AWS IAM enables you to control who can do what in your AWS environment. We discuss how IAM provides flexible access control that helps you maintain security while adapting to your evolving business needs. We'll review how to integrate AWS IAM with your existing identity directories via identity federation. We outline some of the unique challenges that make providing IAM for the cloud a little different. And throughout the presentation, we highlight recent features that make it even easier to manage the security of your workloads on the cloud.

Transcript of Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

SEC 201 - Access Control for the Cloud: AWS Identity and Access Management (IAM)

Jim Scharf, AWS

November 13, 2013

Agenda

• Overview of AWS Identity and Access Management

• How to enforce security policies in the cloud

• How to integrate with existing directories

• Highlight new features along the way

Identity and Access Management

Who?

What Actions?

Which Resources?

What is AWS Identity and Access Management?

AWS Identity and Access Management

Access control

for AWS services and resources

that is flexible, powerful, familiar, and secure

Flexible

A show of hands…

• How many already use AWS?

• Tried AWS because of

– $: No upfront investment, free tier, low ongoing cost

– Scale: Flexible capacity, global reach

– Agility: Speed and agility, apps not ops

– Services: Amazon EC2, Amazon S3, Amazon DynamoDB, Amazon Redshift, Amazon RDS, Amazon EMR, Amazon CloudFront, etc.

A show of hands…

• How many initially tried AWS because of

– Security

– Identity

Flexible Individual Use

Hear About AWS → Create Account → Innovate!

Flexible Organizations

Example org chart (CEO at the top, four departments beneath):

• Dev/Ops: Graeme, Greg

• Development: Nate, Cicilie, Kevin, Jeff

• Sales/Marketing: Anders, Erin, Brian

• Finance/Accounting: Joan

Permissions granted to each department through IAM:

• Dev/Ops: Administrator access: control all AWS resources, including managing users

• Development: Full access to Amazon S3 and Amazon DynamoDB, plus the ability to start (but not stop) Amazon EC2 instances

• Sales/Marketing: Read-only access to Amazon S3

• Finance/Accounting: Account activity and usage reports only

IAM

• Users, groups, permissions

– Individual security credentials

– Secure by default

– Grant least privilege

• Easy to use

– Graphical user interface

– Ability to script/automate (CLI & API)

Flexible Enterprise


Control

• AWS multi-factor authentication

– Hardware tokens

– Smartphone app tokens

• Credential management policies

• Control billing, support, and AWS Marketplace purchases

Flexible Control That Adapts with Your Needs

No additional charge

Powerful Integrated


Cloud Services: Amazon EC2, Amazon S3, Amazon Elastic MapReduce, AWS Storage Gateway, Amazon DynamoDB, Amazon RDS, Amazon ElastiCache, Amazon Route 53, Amazon VPC, Amazon CloudFront, Amazon CloudWatch, AWS Elastic Beanstalk, AWS CloudFormation, AWS IAM, Amazon SQS, Amazon SES, Amazon SNS, Amazon CloudSearch, Amazon Simple Workflow, Amazon Redshift, AWS OpsWorks, Amazon Elastic Transcoder

Cloud Resources: Instances, Files, AMIs, Spot Instances, Volumes, Messages, Snapshots, Security Groups, Elastic IPs, Placement groups, Users, Groups, Roles, Load Balancers, Auto Scaling groups, Network interfaces, Queues, Topics, Domains, Workflows, Applications, Templates, Distributions, Buckets, Stacks, Apps, Layers, Clusters

Powerful Fine-Grained

AWS Access Control

Who?

What actions?

Which resources?

When?

Where?

How?

Amazon EC2 Resource-Level Permissions

Example use cases:

• Ben can terminate instance i-abc12345 but not instance i-def67890

• Jeff can launch instances only in the subnet subnet-bdf2468

• Ken can use only the AMI ami-cba54321 to run instances

• A user can take any action on resources if they have the tag “sandbox=${aws:username}”

• Derek must authenticate using MFA before he can terminate instances with the tag “stack=prod”

Amazon DynamoDB Fine-Grained Access Control

By Item

By Attribute

Or Both

Powerful Delegation

IAM Role

• Entity that defines a set of permissions

• Not associated with a specific user or group

• Roles must be “assumed” by trusted entities

IAM Roles for Amazon EC2

• Allow Amazon EC2-based apps to act on behalf of another entity

• Create a role, apply a policy, launch instance with role

• Credentials are automatically:

– Made available to Amazon EC2 instances

– Rotated multiple times a day

• AWS SDKs transparently use the credentials

Roles for EC2 Instances

[Diagram: Auto Scaling groups of Amazon EC2 instances inside the AWS Cloud, launched with an IAM role that grants read/write access to Amazon S3 files and Amazon DynamoDB rows]

Benefits of Using Roles with Amazon EC2

• Eliminates use of long-term credentials

• Automatic credential rotation

• Less coding – AWS SDK does all the work

• Easier and more secure!
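The credential plumbing behind the two slides above, as an added example that is not code from the talk or from the AWS SDKs: the real source of instance-role credentials is the instance metadata service at http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>, and the JSON fields the fake fetcher produces (Code, LastUpdated, Type, AccessKeyId, SecretAccessKey, Token, Expiration) are the ones that endpoint returns. The role name ddb-role, the 6-hour credential lifetime, the 5-minute refresh margin and the key values are assumptions for the demo.

```python
# Added example, not code from the talk or the AWS SDKs: how an application on an
# EC2 instance obtains role credentials and refreshes them before they expire,
# which is what the SDKs do behind the scenes. The HTTP fetcher is injectable so
# the refresh logic can be exercised without an instance.
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS_CREDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # IMDS reports LastUpdated/Expiration in UTC like this


def fetch_from_imds(role_name, timeout=1.0):
    """Unauthenticated IMDSv1-style GET of the role's current credentials."""
    with urllib.request.urlopen(IMDS_CREDS_URL + role_name, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


class InstanceRoleCredentials:
    """Caches role credentials and re-fetches them shortly before Expiration.

    fetcher(role_name) -> dict and clock() -> aware datetime are injectable.
    """

    def __init__(self, role_name, fetcher=fetch_from_imds, clock=None,
                 refresh_margin=timedelta(minutes=5)):
        self.role_name = role_name
        self.fetcher = fetcher
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.refresh_margin = refresh_margin
        self._cached = None
        self.fetch_count = 0

    def _needs_refresh(self):
        if self._cached is None:
            return True
        return self.clock() >= self._cached["expires"] - self.refresh_margin

    def get(self):
        """Return the current key triple, refreshing from the fetcher when needed."""
        if self._needs_refresh():
            doc = self.fetcher(self.role_name)
            if doc.get("Code") != "Success":
                raise RuntimeError(f"IMDS reported {doc.get('Code')!r} for role {self.role_name}")
            self._cached = {
                "access_key": doc["AccessKeyId"],
                "secret_key": doc["SecretAccessKey"],
                "token": doc["Token"],  # session token; must accompany every signed request
                "expires": datetime.strptime(doc["Expiration"], TIME_FMT).replace(tzinfo=timezone.utc),
            }
            self.fetch_count += 1
        return self._cached


def make_fake_imds(clock, lifetime=timedelta(hours=6)):
    """Constructed stand-in for IMDS: a new key pair on every fetch, valid for `lifetime`."""
    calls = {"n": 0}

    def fetcher(role_name):
        calls["n"] += 1
        now = clock()
        return {  # same fields and formats as the real metadata document (values invented)
            "Code": "Success",
            "LastUpdated": now.strftime(TIME_FMT),
            "Type": "AWS-HMAC",
            "AccessKeyId": f"ASIAEXAMPLE{calls['n']:05d}",
            "SecretAccessKey": f"example-secret-{calls['n']}",
            "Token": f"example-session-token-{calls['n']}",
            "Expiration": (now + lifetime).strftime(TIME_FMT),
        }

    return fetcher


def demo():
    """Advance a fake clock through one rotation and report what the cache did."""
    state = {"now": datetime(2013, 11, 13, 9, 0, tzinfo=timezone.utc)}
    clock = lambda: state["now"]
    creds = InstanceRoleCredentials("ddb-role", fetcher=make_fake_imds(clock), clock=clock)
    first = creds.get()["access_key"]
    state["now"] += timedelta(hours=1)
    still_cached = creds.get()["access_key"] == first
    state["now"] += timedelta(hours=4, minutes=56)  # now inside the 5-minute refresh margin
    rotated = creds.get()["access_key"] != first
    return {"first": first, "still_cached": still_cached, "rotated": rotated,
            "fetches": creds.fetch_count}


if __name__ == "__main__":
    print(demo())
```

The points a practitioner should take from it: the Token must be sent with the key pair on every request, and the refresh has to happen before Expiration rather than after the first failed call. The demo never contacts the metadata service. On instances launched today, use IMDSv2, which requires fetching a session token with a PUT and presenting it in a header; the unauthenticated GET in fetch_from_imds is the 2013-era IMDSv1 call.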

Powerful Scale

• Trillions of resources

• Million+ requests/second

• Hundreds of thousands of customers in 190 countries, each with one to millions of identities

• Servers: lots!, deployed globally

Familiar Administration

IAM Policy Simulator

• Test the effect of access control policies before pushing to production

• Verify and troubleshoot permissions

Familiar Instance OS Controls

[Diagram: IAM authorizes the Amazon EC2 RunInstances call that launches the instance; inside the instance, the familiar operating-system controls apply]

Familiar Enterprise Federation

Federation

• AWS websites and/or APIs as relying party

• Pre-packaged samples: Windows Active Directory, Shibboleth


SSO Federation Using SAML

• AWS STS now supports SAML 2.0

• Benefits:

– Open standards

– Quicker and easier to implement federation

– Leverage existing identity management software to manage access to AWS resources

– No coding required

• AWS Management Console SSO

– IdP-initiated web SSO via SAML 2.0 using the HTTP-POST binding (web SSO profile)

– New sign-in URL that greatly simplifies SSO: the IdP posts the SAML authentication response (the SAMLResponse form field) to https://signin.aws.amazon.com/saml

• API federation using the new AssumeRoleWithSAML operation


Partner Integrations for Federation / SSO

http://www.xceedium.com/xsuite/xsuite-for-amazon-web-services

http://www.okta.com/aws/

http://www.symplified.com/solutions/single-sign-on-sso

https://www.pingidentity.com/products/pingfederate/

http://www.cloudberrylab.com/ad-bridge.aspx

http://wiki.developerforce.com/page/Configuring-SAML-SSO-to-AWS

Familiar Web Identity Federation

Web Identity Federation

• App sign-in using 3rd party identity providers

– Login with Amazon

– Facebook

– Google

• Apps can access data from Amazon S3, Amazon DynamoDB, and Amazon Simple Notification Service (now with mobile push!)

• No server-side code required

Web Identity Federation

[Diagram: the app signs in with the Identity Provider, presents the provider's token to STS (Assume Role) for temporary credentials, and then calls AWS services such as Amazon S3 and Amazon DynamoDB in US-EAST-1]

Web Identity Federation Playground

• UI tool

• Try it out, no coding required!

Secure Powerful Controls

Control Your Users

Multi-Factor Authentication

Password/Credential Management Policies

Delegate Access Across Accounts

• Access resources across AWS accounts

• Why do you need it?

– Management visibility across all your AWS accounts

– Developer access to resources across AWS accounts

– Use third-party solutions, with no sharing of credentials

Cross-Account Access - Setup

prod@example.com (Acct ID: 111122223333) owns the IAM role ddb-role.

Permissions assigned to ddb-role:

{
  "Statement": [ {
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:BatchGetItem",
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:DescribeTable",
      "dynamodb:ListTables"
    ],
    "Effect": "Allow",
    "Resource": "*"
  } ]
}

Trust policy on ddb-role: ddb-role trusts IAM users from the AWS account dev@example.com (123456789012):

{
  "Statement": [ {
    "Effect": "Allow",
    "Principal": { "AWS": "123456789012" },
    "Action": "sts:AssumeRole"
  } ]
}

Naming the account as the principal (equivalent to arn:aws:iam::123456789012:root) leaves it to that account's administrators to decide which of its users may assume the role; each such user still needs an explicit sts:AssumeRole grant of their own.

dev@example.com (Acct ID: 123456789012) owns the IAM user Jeff.

Permissions assigned to Jeff granting him permission to assume ddb-role in the prod account (111122223333):

{
  "Statement": [ {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111122223333:role/ddb-role"
  } ]
}

Cross-Account Access - Use

• Step 1: IAM user Jeff in dev@example.com (Acct ID: 123456789012) authenticates to AWS with Jeff's access keys.

• Step 2: Jeff calls STS to get temporary security credentials for ddb-role in prod@example.com (Acct ID: 111122223333).

• Step 3: Jeff calls AWS APIs using the temporary security credentials of ddb-role.
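To make the evaluation rules concrete, here is an added example, not AWS code and not the real IAM engine: a miniature policy evaluator that replays the use cases from the Amazon EC2 resource-level permissions slide and the cross-account ddb-role setup above. The three ddb-role policies are the ones on the slides; the EC2 policy, the region, the account number used in the instance ARNs and the instance ids other than the two named on the slide are assumptions for illustration. It models only Allow/Deny effects, wildcards in Action and Resource, ${aws:username} substitution, StringEquals and Bool conditions, an explicit Deny beating any Allow, and implicit deny otherwise.

```python
# Added example, not AWS code: a miniature IAM policy evaluator covering the EC2
# resource-level use cases and the cross-account ddb-role handshake from the deck.
# Only a subset of the real engine is modelled (see the lead-in); the EC2 policy,
# region, account id and most instance ids below are assumptions for illustration.
import fnmatch
import re


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _substitute(value, ctx):
    """Replace policy variables such as ${aws:username} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), m.group(0))), value)


def _action_matches(pattern, action):
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())  # actions are case-insensitive


def _condition_holds(cond, ctx):
    """StringEquals and Bool only; a key missing from the context fails the test."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals":
                ok = actual is not None and any(_substitute(w, ctx) == actual for w in _as_list(wanted))
            elif op == "Bool":
                ok = actual is not None and str(wanted).lower() == str(actual).lower()
            else:
                raise NotImplementedError(f"condition operator {op} is not modelled")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Decide one request: 'Allow' or 'Deny' across all policies attached to the caller."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_action_matches(a, action) for a in _as_list(stmt["Action"])):
                continue
            resources = [_substitute(r, ctx) for r in _as_list(stmt.get("Resource", "*"))]
            if not any(fnmatch.fnmatchcase(resource, r) for r in resources):  # ARNs are case-sensitive
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny wins over any Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allowed


def can_assume_role(caller_policies, caller_account, role_arn, trust_policy):
    """Both halves must agree: the caller's own sts:AssumeRole grant on the role ARN,
    and a trust policy on the role whose Principal names the caller's account."""
    caller_ok = evaluate(caller_policies, "sts:AssumeRole", role_arn, {}) == "Allow"
    accepted = {caller_account, f"arn:aws:iam::{caller_account}:root", "*"}
    trusted = any(
        stmt["Effect"] == "Allow"
        and any(_action_matches(a, "sts:AssumeRole") for a in _as_list(stmt["Action"]))
        and any(p in accepted for p in _as_list(stmt.get("Principal", {}).get("AWS", [])))
        for stmt in _as_list(trust_policy["Statement"])
    )
    return caller_ok and trusted


# Policies from the slides: prod account 111122223333 owns ddb-role, dev account 123456789012 owns Jeff.
DDB_ROLE_ARN = "arn:aws:iam::111122223333:role/ddb-role"
JEFF_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": DDB_ROLE_ARN}]}
DDB_ROLE_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "123456789012"},
                                 "Action": "sts:AssumeRole"}]}

# Constructed policy for the EC2 resource-level use cases (region/account/extra instance ids assumed).
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/"
EC2_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": INSTANCE + "i-abc12345"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",  # anything tagged sandbox=<own user name>
     "Condition": {"StringEquals": {"ec2:ResourceTag/sandbox": "${aws:username}"}}},
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",  # stack=prod needs MFA
     "Condition": {"StringEquals": {"ec2:ResourceTag/stack": "prod"},
                   "Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",  # and is denied without it
     "Condition": {"StringEquals": {"ec2:ResourceTag/stack": "prod"},
                   "Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]}


def run_cases():
    """Evaluate the slide's use cases; returns case name -> decision."""
    ben = {"aws:username": "Ben", "aws:MultiFactorAuthPresent": "false"}
    derek = {"aws:username": "Derek", "aws:MultiFactorAuthPresent": "true", "ec2:ResourceTag/stack": "prod"}
    derek_no_mfa = {**derek, "aws:MultiFactorAuthPresent": "false"}
    erin = {"aws:username": "Erin", "aws:MultiFactorAuthPresent": "false", "ec2:ResourceTag/sandbox": "Erin"}
    term = "ec2:TerminateInstances"
    return {
        "ben_terminates_abc": evaluate([EC2_POLICY], term, INSTANCE + "i-abc12345", ben),
        "ben_terminates_def": evaluate([EC2_POLICY], term, INSTANCE + "i-def67890", ben),
        "derek_prod_with_mfa": evaluate([EC2_POLICY], term, INSTANCE + "i-prod0001", derek),
        "derek_prod_without_mfa": evaluate([EC2_POLICY], term, INSTANCE + "i-prod0001", derek_no_mfa),
        "erin_stops_own_sandbox": evaluate([EC2_POLICY], "ec2:StopInstances", INSTANCE + "i-sbx00001", erin),
        "jeff_assumes_ddb_role": can_assume_role([JEFF_POLICY], "123456789012", DDB_ROLE_ARN, DDB_ROLE_TRUST),
        "other_account_assumes_ddb_role": can_assume_role([JEFF_POLICY], "999999999999", DDB_ROLE_ARN, DDB_ROLE_TRUST),
    }
```

Two things worth noticing when you run run_cases(). The explicit Deny on stack=prod without MFA is what keeps the broad sandbox grant from becoming a bypass: without it Derek would still be refused, but only by implicit deny, and any later Allow would reopen the hole. And in real IAM the aws:MultiFactorAuthPresent key is absent, not false, for requests signed with long-term access keys, so a production policy writes that Deny with BoolIfExists rather than Bool; the contexts here set the key explicitly to keep the demo honest.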

Secure Audit

AWS CloudTrail

Log API calls to: Amazon EC2, Amazon EBS, Amazon VPC, Amazon RDS, AWS IAM, AWS CloudTrail, Amazon Redshift, AWS Security Token Service

Additional services added over time…

AWS CloudTrail

• Your AWS account’s API calls logged and delivered to your Amazon S3 bucket

• Amazon SNS notifications of new log files (optional)

• Data analysis partners:
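An added example of what to do with the log files once they land, not code from the talk or from AWS: a small analyser over CloudTrail records that flags cross-account role assumptions, console sign-ins without MFA, and sensitive IAM changes made without MFA. The records are constructed to match CloudTrail's format (a gzip-compressed JSON object with a Records list, each record carrying userIdentity, eventTime, eventSource, eventName, sourceIPAddress, requestParameters and so on); the account ids come from the cross-account slides, while the user names, IP addresses, timestamps, access key id and the build-role/s3-read names are invented.

```python
# Added example, not from the talk or from AWS: detection logic over CloudTrail
# records. SAMPLE_RECORDS are constructed in CloudTrail's record format; the
# account ids are the ones on the cross-account slides, everything else invented.
import gzip
import io
import json

SAMPLE_RECORDS = {"Records": [
    {   # Jeff (dev account) assumes ddb-role in the prod account
        "eventTime": "2013-11-13T17:02:11Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "accountId": "123456789012", "userName": "Jeff",
                         "arn": "arn:aws:iam::123456789012:user/Jeff"},
        "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ddb-role", "roleSessionName": "jeff-dev"},
    },
    {   # same-account role assumption: expected, not flagged
        "eventTime": "2013-11-13T17:05:40Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "accountId": "123456789012", "userName": "Jeff",
                         "arn": "arn:aws:iam::123456789012:user/Jeff"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/build-role", "roleSessionName": "ci"},
    },
    {   # console sign-in that succeeded without MFA
        "eventTime": "2013-11-13T18:10:03Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "Graeme",
                         "arn": "arn:aws:iam::111122223333:user/Graeme"},
        "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"},
    },
    {   # IAM credential creation signed with long-term keys (no sessionContext => no MFA)
        "eventTime": "2013-11-13T18:12:45Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "Graeme",
                         "arn": "arn:aws:iam::111122223333:user/Graeme", "accessKeyId": "AKIAEXAMPLE00001"},
        "requestParameters": {"userName": "Greg"},
    },
    {   # IAM policy change from an MFA-authenticated console session: not flagged
        "eventTime": "2013-11-13T18:20:00Z", "eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "Greg",
                         "arn": "arn:aws:iam::111122223333:user/Greg",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true",
                                                           "creationDate": "2013-11-13T18:00:00Z"}}},
        "requestParameters": {"userName": "Nate", "policyName": "s3-read"},
    },
]}

IAM_SENSITIVE = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "PutUserPolicy",
                 "PutRolePolicy", "UpdateAssumeRolePolicy", "DeactivateMFADevice", "DeleteUser"}


def account_of(arn):
    return arn.split(":")[4]  # arn:partition:service:region:account:resource


def mfa_authenticated(identity):
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def analyze(records):
    """Return (eventTime, rule, detail) tuples for records matching the three rules."""
    findings = []
    for r in records:
        ident, src, name = r.get("userIdentity", {}), r.get("eventSource"), r.get("eventName")
        who = ident.get("arn") or ident.get("type", "unknown")
        if src == "sts.amazonaws.com" and name == "AssumeRole":
            target = r.get("requestParameters", {}).get("roleArn", "")
            if target and account_of(target) != ident.get("accountId"):
                findings.append((r["eventTime"], "cross-account-assume-role", f"{who} -> {target}"))
        elif src == "signin.amazonaws.com" and name == "ConsoleLogin":
            if (r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                    and r.get("additionalEventData", {}).get("MFAUsed") == "No"):
                findings.append((r["eventTime"], "console-login-without-mfa",
                                 f"{who} from {r.get('sourceIPAddress')}"))
        elif src == "iam.amazonaws.com" and name in IAM_SENSITIVE and not mfa_authenticated(ident):
            findings.append((r["eventTime"], "iam-change-without-mfa", f"{who} {name}"))
    return findings


def analyze_log_file(blob):
    """Parse one gzip-compressed CloudTrail delivery file exactly as it sits in S3."""
    with gzip.open(io.BytesIO(blob), "rt") as f:
        return analyze(json.load(f)["Records"])


def sample_log_blob():
    """The constructed records, packaged the way CloudTrail delivers them."""
    return gzip.compress(json.dumps(SAMPLE_RECORDS).encode())


if __name__ == "__main__":
    for when, rule, detail in analyze_log_file(sample_log_blob()):
        print(when, rule, detail)
```

Point it at real data by reading the .json.gz objects CloudTrail writes to the configured bucket and passing each one to analyze_log_file. The cross-account rule deliberately reports every AssumeRole into another account, including the sanctioned ddb-role path: that record is the audit trail the slide promises, and whether it is also an alarm depends on who Jeff is supposed to be.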

Achieving Best Practices: Trusted Advisor

• AWS Support service

– Analyzes account for issues and recommendations

– API for integration with your tools

• Categories:

– Cost savings

– Security

– Fault tolerance

– Performance

Secure Compliance

Regular Exhaustive 3rd Party Evaluations

New AWS Whitepapers

• AWS Security Best Practices – http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

– Best practices on wide range of topics, including:

• Defining and categorizing assets on AWS

• Managing identities

• Implementing data security

• Securing your operating systems and applications

• Monitoring, alerting, auditing, and incident response

• Securing Data at Rest with Encryption – http://media.amazonwebservices.com/AWS_Securing_Data_at_Rest_with_Encryption.pdf

AWS Security Blog: http://blogs.aws.amazon.com/security/

Summary

AWS Identity and Access Management

• Flexible

– Individual use

– Organizations

– Enterprise

• Powerful

– Integrated

– Fine-grained

– Delegation

– Scale

• Familiar

– Administration

– Enterprise federation

– Web identity federation

• Secure

– Powerful controls

– Audit

– Compliance

For More Information

• IAM detail page: http://aws.amazon.com/iam

• AWS forum: https://forums.aws.amazon.com/forum.jspa?forumID=76

• Documentation: http://aws.amazon.com/documentation/iam/

• AWS Security Blog: http://blogs.aws.amazon.com/security

• Twitter: @AWSIdentity

• Meet the IAM and Security teams: Thursday 11/14, 4pm - 6pm, Toscana 3605

Customers who liked this talk also may like…

• SEC301 - Top 10 AWS Identity and Access Management (IAM) Best Practices – Wednesday, Nov 13, 3:00 PM - 4:00 PM – Marcello 4503

• SEC302 - Mastering Access Control Policies – Wednesday, Nov 13, 4:15 PM - 5:15 PM – Venetian A

• SEC303 - Delegating Access to your AWS Environment – Thursday, Nov 14, 11:00 AM - 12:00 PM – Venetian A

• SEC304 - Encryption and key management in AWS – Friday, Nov 15, 9:00 AM - 10:00 AM – San Polo 3406

• SEC401 - Integrate Social Login Into Mobile Apps – Thursday, Nov 14, 1:30 PM - 2:30 PM – Venetian A

• SEC402 - Intrusion Detection in the Cloud – Thursday, Nov 14, 5:30 PM - 6:30 PM – Marcello 4406

Please give us your feedback on this presentation

As a thank you, we will select prize winners daily for completed surveys!

SEC201