(SEC315) AWS Directory Service Deep Dive
Transcript of (SEC315) AWS Directory Service Deep Dive
![Page 1: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/1.jpg)
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Rob Moncur, AWS Senior Product Manager
Sonya Ryherd, Cox Automotive Senior Systems Engineer
October 2015
SEC315
AWS Directory Service
Deep Dive
![Page 2: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/2.jpg)
What to expect from this session
• How can I use AWS Directory Service?
• Demo: Setting up a directory quickly and easily
• Demo: Domain join Windows and Linux
• Federation with Directory Service
• Discussion and demo with Sonya Ryherd from Cox Automotive
• WorkSpaces, WorkDocs, WorkMail integration
• Demo: Login and SSO with WorkSpaces and WorkDocs
• A few things to keep in mind
• Q&A in the AWS Security Booth
![Page 3: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/3.jpg)
Managing servers at scale is difficult
![Page 4: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/4.jpg)
What is AWS Directory Service?
• New directory in AWS: Simple AD (based on Samba 4)
• Connect an existing on-premises directory to AWS: AD Connector (custom federation proxy)
![Page 5: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/5.jpg)
Demo 1: Setting up a new directory
Simple AD
![Page 6: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/6.jpg)
Demo 2: Joining instances to a directory
Simple AD
EC2 Windows
EC2 Linux
![Page 7: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/7.jpg)
Joining your Linux instance
#Step 1 - Log in to the instance
ssh -i "tuesday-demo.pem" [email protected]
#Step 2 - Make any updates, install SSSD
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
#Step 3 - Join the instance to the directory
sudo realm join -U [email protected] tuesday.mydirectory.com --verbose
#Step 4 - Edit the config file
sudo vi /etc/ssh/sshd_config
PasswordAuthentication yes
#Start SSSD
sudo service sssd start
#Step 5 - Restart the instance - from the AWS Console. Log back in.
#Step 6 - Add the domain administrators group from the example.com domain.
sudo visudo -f /etc/sudoers
%Domain\ [email protected] ALL=(ALL:ALL) ALL
#Step 7 - approve a login
sudo realm permit [email protected]
sudo realm permit [email protected]
#Step 8 - login using a linux user
ssh [email protected]@xxx.xxx.xxx.xxx
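The runbook above ends at the first successful login and never verifies what the join and the two `realm permit` calls actually changed. The following is an added example in Python, not code from the deck or from AWS: it parses `realm list` output to confirm the host is a Kerberos member and that the login policy was narrowed to the permitted users, and it evaluates `sshd_config` the way sshd does (first value of a keyword wins), which matters because the Amazon Linux default `PasswordAuthentication no` is usually still present above the line added in step 4. The realm output, the sshd_config fragment and the user names alice and bob are constructed for the example.

```python
"""Post-join verification for the Linux domain-join runbook.
Added example; the sample texts and user names below are constructed."""
import re

# Constructed sample of `realm list` after `realm join` and two `realm permit` calls.
SAMPLE_REALM_LIST = """\
tuesday.mydirectory.com
  type: kerberos
  realm-name: TUESDAY.MYDIRECTORY.COM
  domain-name: tuesday.mydirectory.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd
  login-formats: %U@tuesday.mydirectory.com
  login-policy: allow-permitted-logins
  permitted-logins: alice@tuesday.mydirectory.com, bob@tuesday.mydirectory.com
"""

# Constructed sshd_config: the AMI default "no" still sits above the "yes" that
# step 4 appended. sshd uses the FIRST value it reads, so the "yes" is ineffective.
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
"""


def parse_realm_list(text):
    """Return {realm_name: {key: value}} from `realm list` output.
    Repeated keys (e.g. required-package) keep their last value."""
    realms, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line = realm name
            current = line.strip()
            realms[current] = {}
        else:
            key, _, value = line.strip().partition(":")
            realms[current][key.strip()] = value.strip()
    return realms


def permitted_logins(text, realm):
    """None if not joined, "ALL" if every realm user may log in, else the permitted list."""
    info = parse_realm_list(text).get(realm, {})
    if info.get("configured") != "kerberos-member":
        return None
    if info.get("login-policy") != "allow-permitted-logins":
        return "ALL"
    return [u.strip() for u in info.get("permitted-logins", "").split(",") if u.strip()]


def effective_sshd_value(config_text, keyword):
    """sshd_config semantics: the first value for a keyword wins; later duplicates are
    ignored. Values inside Match blocks are conditional, so parsing stops there."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1]
    return None


def check_join(realm_text, sshd_text, realm, expected_users):
    """Return a list of findings; an empty list means the runbook's end state holds."""
    findings = []
    users = permitted_logins(realm_text, realm)
    if users is None:
        findings.append(f"{realm}: host is not a kerberos-member of this realm")
    elif users == "ALL":
        findings.append(f"{realm}: login-policy admits every realm user; run `realm permit <user>`")
    else:
        missing = sorted(set(expected_users) - set(users))
        if missing:
            findings.append("not permitted to log in: " + ", ".join(missing))
    if effective_sshd_value(sshd_text, "PasswordAuthentication") != "yes":
        findings.append("sshd: effective PasswordAuthentication is not 'yes' "
                        "(first match wins; remove or edit the earlier 'no' line)")
    return findings


if __name__ == "__main__":
    for f in check_join(SAMPLE_REALM_LIST, SAMPLE_SSHD_CONFIG,
                        "tuesday.mydirectory.com", ["alice@tuesday.mydirectory.com"]):
        print("FINDING:", f)
```

On a real instance, feed the output of `realm list` and the contents of `/etc/ssh/sshd_config` into `check_join`; the sample deliberately reproduces the common failure where the appended `PasswordAuthentication yes` never takes effect.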
![Page 8: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/8.jpg)
Managing federation to AWS
• Set up and manage SAML infrastructure
• Assign roles to users manually
• Now it is easier to set up federation
AD
![Page 9: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/9.jpg)
Sonya Ryherd, Sr. Systems Engineer
![Page 10: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/10.jpg)
Who is Cox Automotive?
![Page 11: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/11.jpg)
Our account hierarchy
Legend: billing account, AWS account – shared services, AWS application accounts, virtual private cloud (VPC)
Master billing account
  Production management
    Application #1: VPC #1, VPC #2
    Application #2: VPC #1
  Nonproduction management
    Application #1: VPC #1, VPC #2, VPC #3
    Application #2: VPC #1, VPC #2
![Page 12: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/12.jpg)
Account access nightmare
• No centralized access management
• Multiple IAM users required to manage each application
• Users confused – What account/role/URL do I use to manage Application X?
(Diagram: AWS account 1 through AWS account 8, each with its own separate IAM)
![Page 13: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/13.jpg)
AD Connector federation
1) Assign IAM roles to AD users via the AWS Directory Service console
2) AD users log in via the access URL mycompany.awsapps.com/console
Login flow:
1 – Log in using AD credentials
2 – LDAP and Kerberos requests proxied over VPN to on-premises AD
3 – AssumeRole into the AWS Management Console
(Diagram: AD users User1, User2 and group Group1 mapped to IAM roles ReadOnly, Admin, S3-Access)
![Page 14: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/14.jpg)
Cross-account access
![Page 15: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/15.jpg)
Cross Account Access Demo - Video
![Page 16: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/16.jpg)
Management account
  AD Connector → AD (login via mycompany.awsapps.com/console)
  Roles: CAA-AdministratorAccessRole, CAA-NetworkAccessRole, CAA-CloudEngineerRole, CAA-ReadOnlyAccessRole
  NetworkAccessRole policy:
    "Action": ["sts:AssumeRole"],
    "Resource": "arn:aws:iam::[account1-id]:role/IAM-1-NetworkAccessRole-*"
    "Resource": "arn:aws:iam::[account2-id]:role/IAM-1-NetworkAccessRole-*"
    "Resource": "arn:aws:iam::[account2-id]:role/IAM-1-NetworkAccessRole-*"
Application account (diagram steps 1–3 in the management account, step 4: Switch role into the application account)
  Roles: AdministratorAccessRole, NetworkAccessRole, CloudEngineerRole, ReadOnlyAccessRole
  Trusted entities (assume role policy document):
    "Principal": { "AWS": "arn:aws:iam::[management-account-id]:role/CAA-NetworkAccessRole" },
    "Action": "sts:AssumeRole"
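The slide sketches both halves of a cross-account switch: the management-account role needs `sts:AssumeRole` permission on the target role ARNs, and the application-account role's trust policy must name that management-account role as a principal. Neither half is sufficient on its own, which is the point a reviewer checks when such a setup is audited. The following is an added example in Python, not Cox Automotive's or AWS's code: it builds the two policy documents from the slide's pattern and evaluates a switch-role attempt against both, with IAM's wildcard matching on the resource side reduced to shell-style glob matching and conditions ignored. The account ids (111111111111, 222222222222, 333333333333) and the role-name suffix ABC are placeholders.

```python
"""Two-sided check of a cross-account switch-role setup.
Added example; account ids and role suffixes are placeholders, and the policy
evaluation is a simplification of IAM (no Conditions, no resource-based nuances)."""
import fnmatch
import json

MGMT_ACCOUNT = "111111111111"                       # stands in for [management-account-id]
APP_ACCOUNTS = ["222222222222", "333333333333"]     # stand in for [account1-id], [account2-id]
HUB_ROLE = "CAA-NetworkAccessRole"
TARGET_PREFIX = "IAM-1-NetworkAccessRole-"


def hub_role_policy(app_accounts, role_prefix=TARGET_PREFIX):
    """Permission policy attached to the CAA-* role in the management account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{role_prefix}*" for acct in app_accounts],
        }],
    }


def trust_policy(mgmt_account, hub_role=HUB_ROLE):
    """Trust (assume-role) policy on the application-account role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{mgmt_account}:role/{hub_role}"},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """Simplified IAM logic: an explicit Deny wins; otherwise any matching Allow suffices."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_allows(trust, principal_arn):
    """True if the trust policy lists principal_arn for sts:AssumeRole."""
    for st in trust["Statement"]:
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        if principal_arn in _as_list(st["Principal"].get("AWS", [])):
            return True
    return False


def can_switch_role(caller_arn, caller_policy, target_arn, target_trust):
    """A cross-account AssumeRole succeeds only when BOTH sides allow it."""
    return (policy_allows(caller_policy, "sts:AssumeRole", target_arn)
            and trust_allows(target_trust, caller_arn))


if __name__ == "__main__":
    hub = hub_role_policy(APP_ACCOUNTS)
    trust = trust_policy(MGMT_ACCOUNT)
    caller = f"arn:aws:iam::{MGMT_ACCOUNT}:role/{HUB_ROLE}"
    target = f"arn:aws:iam::{APP_ACCOUNTS[0]}:role/{TARGET_PREFIX}ABC"
    print(json.dumps(hub, indent=2))
    print(json.dumps(trust, indent=2))
    print("switch allowed:", can_switch_role(caller, hub, target, trust))
```

The useful cases are the negative ones: a CAA role other than the one named in the trust policy is refused even though the management-account policy is identical, and a target role outside the `IAM-1-NetworkAccessRole-*` pattern is refused even though the trust policy would accept the caller.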
![Page 17: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/17.jpg)
Directory Services / Cross Account Access Demo - Video
![Page 18: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/18.jpg)
Retrieving tokens for API access with ALKS
(Diagram, steps numbered 1–8 on the slide: Windows Active Directory, ALKS, browser interface; user browses to a URL; request tokens; GetFederatedTokens; pop-up showing keys; redirect to AWS Management Console)
![Page 19: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/19.jpg)
ALKS Demonstration
ALKS Demo - Video
![Page 20: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/20.jpg)
https://github.com/AirLiftKeyServices/ALKS
![Page 21: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/21.jpg)
AWS Applications integration
![Page 22: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/22.jpg)
AWS Applications integration
WorkSpaces WorkDocs WorkMail
Simple AD/AD Connector
![Page 23: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/23.jpg)
AWS Applications integration
Access URL
https://mycompany.awsapps.com
![Page 24: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/24.jpg)
Demo 5: WorkSpaces and WorkDocs SSO
Simple AD
EC2 Windows
EC2 Linux
WorkSpace
WorkDocs site
![Page 25: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/25.jpg)
Things to keep in mind
![Page 26: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/26.jpg)
Samba 4 compatibility
• Users: 500 (small) / 5,000 (large)
• ADUC compatibility – Use Windows Server 2008 R2
• Windows PowerShell cmdlets not supported
• Schema extensions not supported
• Domain forest/trust not supported
• Only 2 domain controllers
• No LDAP-S
• No MFA
![Page 27: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/27.jpg)
AD Connector
• A federation mechanism to AWS
• A pure proxy – No information is cached
• Not a way around your firewall
• Availability is tied to your on-premises network
• Set up a domain controller in your VPC
![Page 28: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/28.jpg)
APIs + AWS CloudTrail
• Create and configure via API
• API calls logged in CloudTrail
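Because every Directory Service API call lands in CloudTrail (`eventSource` is `ds.amazonaws.com`, `eventName` is the API name such as `CreateDirectory` or `DeleteDirectory`), a directory created from the CLI or console leaves the same record a detection can alert on. The following is an added example in Python, not from the deck or from AWS: it reads a CloudTrail log file in the standard `{"Records": [...]}` layout, skips read-only Describe/Get/List calls, and reports directory changes and denied attempts together with the principal and source IP. The log file, account id, ARNs, IP addresses, VPC/subnet ids and the directory id `d-PLACEHOLDER` are all constructed for the example.

```python
"""Review CloudTrail for AWS Directory Service activity.
Added example; the log below is constructed with placeholder ids and ARNs."""
import json

READ_ONLY_PREFIXES = ("Describe", "Get", "List")

# Constructed CloudTrail log file: a CreateDirectory (what Demo 6's CLI call would log),
# a read-only call, a denied DeleteDirectory from a read-only role, and a non-DS event.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-10-06T17:02:11Z", "eventSource": "ds.amazonaws.com",
     "eventName": "CreateDirectory", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/demo-admin"},
     "requestParameters": {"name": "tuesday.mydirectory.com", "size": "Small",
                           "vpcSettings": {"vpcId": "vpc-PLACEHOLDER",
                                           "subnetIds": ["subnet-PLACEHOLDER-A", "subnet-PLACEHOLDER-B"]}},
     "responseElements": {"directoryId": "d-PLACEHOLDER"}},
    {"eventTime": "2015-10-06T17:05:40Z", "eventSource": "ds.amazonaws.com",
     "eventName": "DescribeDirectories", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/demo-admin"},
     "requestParameters": None, "responseElements": None},
    {"eventTime": "2015-10-06T23:41:03Z", "eventSource": "ds.amazonaws.com",
     "eventName": "DeleteDirectory", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/CAA-ReadOnlyAccessRole/session1"},
     "requestParameters": {"directoryId": "d-PLACEHOLDER"},
     "errorCode": "AccessDeniedException",
     "errorMessage": "constructed: not authorized to perform ds:DeleteDirectory"},
    {"eventTime": "2015-10-06T23:45:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/CAA-ReadOnlyAccessRole/session1"}},
]})


def directory_events(log_text):
    """All records produced by the Directory Service API."""
    records = json.loads(log_text)["Records"]
    return [r for r in records if r.get("eventSource") == "ds.amazonaws.com"]


def classify(record):
    """'denied' / 'error' for failed calls, 'read' for Describe/Get/List, else 'change'."""
    if record.get("errorCode"):
        return "denied" if "AccessDenied" in record["errorCode"] else "error"
    return "read" if record["eventName"].startswith(READ_ONLY_PREFIXES) else "change"


def review(log_text):
    """Return the records worth a second look, oldest first, as flat dicts."""
    findings = []
    for r in sorted(directory_events(log_text), key=lambda r: r["eventTime"]):
        kind = classify(r)
        if kind == "read":
            continue
        response = r.get("responseElements") or {}
        request = r.get("requestParameters") or {}
        findings.append({
            "time": r["eventTime"],
            "kind": kind,
            "event": r["eventName"],
            "actor": r["userIdentity"]["arn"],
            "ip": r["sourceIPAddress"],
            "directory": response.get("directoryId") or request.get("directoryId"),
        })
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_TRAIL):
        print(f"{f['time']} {f['kind']:6} {f['event']:18} {f['directory']} {f['actor']} from {f['ip']}")
```

Pointing `review` at a real CloudTrail file gives a starting point for two alerts: a `change` by a principal or source address that is not the directory administration path, and any `denied` record, since a read-only role attempting `DeleteDirectory` is exactly the kind of event worth investigating.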
![Page 29: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/29.jpg)
Demo 6: Create directory via AWS CLI
![Page 30: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/30.jpg)
Regional availability
![Page 31: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/31.jpg)
Get started today!
Visit our website
aws.amazon.com/directoryservice
30-day free trial
for small directories
![Page 32: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/32.jpg)
Remember to complete
your evaluations!
![Page 33: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/33.jpg)
Thank you!
Q&A in the AWS Security Booth
![Page 34: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/34.jpg)
Related Sessions
![Page 35: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/35.jpg)
Demo 1: Create a new Simple AD
![Page 41: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/41.jpg)
Demo 2: EC2 Windows
Seamless Domain Join
![Page 50: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/50.jpg)
Demo 2: Domain Join EC2 Linux Instance
![Page 51: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/51.jpg)
Demo 5: WorkSpaces + WorkDocs SSO
![Page 53: (SEC315) AWS Directory Service Deep Dive](https://reader034.fdocuments.in/reader034/viewer/2022052116/588195141a28ab0d358b657d/html5/thumbnails/53.jpg)
Demo 6: Create a directory via CLI