(SEC302) Delegating Access to Your AWS Environment | AWS re:Invent 2014
Transcript of (SEC302) Delegating Access to Your AWS Environment | AWS re:Invent 2014
Slides 1–7: image only, no text extracted.
Role trust policy statement (who may assume the role):

```json
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::1111"
  },
  "Action": "sts:AssumeRole"
}
```

Role access (permissions) policy statement (what the role may do once assumed):

```json
{
  "Effect": "Allow",
  "Action": "s3:ListBucket",
  "Resource": "*"
}
```
Slide 8: image only, no text extracted.
Slide 9: temporary security credentials returned for a session
- Access Key ID
- Secret Access Key
- Session Token
- Expiration
Slide 10: image only, no text extracted.
Slide 11: AWS Account; Instances Table; User
Slides 12–13: image only, no text extracted.
Slide 14: cross-account access
- Your AWS Account: Instances Table; Role
- Another AWS Account: User
Slide 15: cross-account demo
“CrossAccount” Role (in My AWS Account, via IAM/STS)
- Trusts: PM Team AWS Account
- Grants: EC2 full and IAM read-only
- Uses External ID
“Demo” IAM User (in PM Team AWS Account, via IAM/STS)
- Can assume the “CrossAccount” role
Script steps:
1. Authenticate with “Demo” user’s access keys
2. Assume the “CrossAccount” role to get temporary security credentials
3. Construct sign-in URL using the temporary security credentials to access the AWS Management Console
Slides 16–17: image only, no text extracted.
Slide 17: access for a partner
- Partner’s AWS Account: User
- Your AWS Account: Instances Table; Role; External ID; ID
Slide 18: trust policy statement requiring an external ID

```json
{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::EXAMPLE-CORP-ACCOUNT-ID"},
  "Action": "sts:AssumeRole",
  "Condition": {
    "StringEquals": {
      "sts:ExternalId": "ID-ISSUED-BY-EXAMPLE-CORP"
    }
  }
}
```
Slide 19: external ID prevents the partner from being misused across customers
- Partner’s AWS Account: User
- Customer A’s AWS Account: Role A; Trusts: Partner account; Only if External ID = Customer A’s external ID
- Customer B’s AWS Account: Role B; Trusts: Partner account; Only if External ID = Customer B’s external ID
1. Use role B
2. Assume role B (pass customer’s external ID while assuming role)
3. Show customer B’s resources
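The external ID check on the partner slides, modelled as an added example (not code from the talk, from AWS, or from any partner product): a trust policy is built in the same shape as the slide 18 JSON, and a deliberately simplified evaluator (a hypothetical helper, not the real IAM engine) shows why a request carrying Customer A's external ID cannot assume Customer B's role. All account ARNs and external IDs are constructed placeholders.

```python
import json

# Constructed placeholder identifiers; not real AWS account IDs or external IDs.
PARTNER_ACCOUNT = "arn:aws:iam::111111111111:root"
OTHER_ACCOUNT = "arn:aws:iam::999999999999:root"
CUSTOMER_A_EXTERNAL_ID = "ext-id-issued-to-customer-a"
CUSTOMER_B_EXTERNAL_ID = "ext-id-issued-to-customer-b"


def build_trust_policy(trusted_principal_arn, external_id=None):
    """Build a role trust policy document in the shape shown on the
    external ID slide: trust one account for sts:AssumeRole and, if an
    external ID is given, require it through a StringEquals condition."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": trusted_principal_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Principal."""
    return value if isinstance(value, list) else [value]


def can_assume(policy, caller_arn, external_id=None):
    """Simplified trust-policy evaluation (hypothetical helper; the real IAM
    engine also handles explicit Deny, wildcards and other condition keys).
    The caller is allowed only if some Allow statement names it as a
    principal, allows sts:AssumeRole, and either carries no sts:ExternalId
    condition or is called with exactly the required external ID."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if caller_arn not in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            continue
        required = (stmt.get("Condition", {})
                        .get("StringEquals", {})
                        .get("sts:ExternalId"))
        if required is not None and external_id != required:
            continue
        return True
    return False


# Customer A and Customer B each trust the partner account, but each
# requires its own external ID, as on the slide.
ROLE_A_TRUST = build_trust_policy(PARTNER_ACCOUNT, CUSTOMER_A_EXTERNAL_ID)
ROLE_B_TRUST = build_trust_policy(PARTNER_ACCOUNT, CUSTOMER_B_EXTERNAL_ID)


def partner_assume(role_trust_policy, presented_external_id):
    """What the partner's backend does when a customer asks it to use a role:
    call AssumeRole as the partner account, passing the external ID that the
    requesting customer was issued. Returns the trust policy's decision."""
    return can_assume(role_trust_policy, PARTNER_ACCOUNT, presented_external_id)


def confused_deputy_blocked():
    """A user who holds only Customer A's external ID asks the partner to
    'use role B'. Role B's trust policy rejects the mismatched external ID,
    so the partner cannot be turned into a confused deputy."""
    return not partner_assume(ROLE_B_TRUST, CUSTOMER_A_EXTERNAL_ID)


if __name__ == "__main__":
    print(json.dumps(ROLE_B_TRUST, indent=2))
    print("Role B with Customer B's external ID:",
          partner_assume(ROLE_B_TRUST, CUSTOMER_B_EXTERNAL_ID))
    print("Role B with Customer A's external ID:",
          partner_assume(ROLE_B_TRUST, CUSTOMER_A_EXTERNAL_ID))
    print("Confused deputy blocked:", confused_deputy_blocked())
```

The design point the evaluator makes explicit: the external ID is not a secret that authenticates the partner (the Principal element already does that); it is a per-customer value the partner must present, so that a request originating from one customer cannot be replayed against another customer's role through the same trusted partner account.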
Slide 20: Trend Micro Deep Security for Web Apps
“TrendMicro” Role (in My AWS Account, via IAM/STS)
- Trusts: Trend Micro AWS Account
- Grants: Few EC2, ELB, Route53 actions
Steps:
1. Authenticate using access keys of IAM user in Trend Micro’s AWS account
2. Assume the role to get temporary security credentials
3. Call AWS APIs using the temporary security credentials
Services called: Route 53; Amazon EC2; Elastic Load Balancing
Slides 21–22: image only, no text extracted.
Slide 23: delegating access to an AWS service
- Your AWS Account: User; Instances Table; Role
- AWS Service’s AWS Account
Slide 24: image only, no text extracted.
Slide 25: EC2 instance role
- Your AWS Account: User; Instances Table; Role; Instance
- EC2 Service’s AWS Account
Slide 26: least privilege for an instance role
- Amazon EC2 Instance
- Role: Allow Amazon S3 access but nothing else
- Amazon S3 (allowed); Amazon DynamoDB (not allowed)
Slides 27–29: image only, no text extracted.
Slide 30:
Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals