Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

6,824 views
6,376 views

Published on

Learn how AWS IAM enables you to control who can do what in your AWS environment. We discuss how IAM provides flexible access control that helps you maintain security while adapting to your evolving business needs. Wel review how to integrate AWS IAM with your existing identity directories via identity federation. We outline some of the unique challenges that make providing IAM for the cloud a little different. And throughout the presentation, we highlight recent features that make it even easier to manage the security of your workloads on the cloud.

Published in: Technology, Business
0 Comments
7 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
6,824
On SlideShare
0
From Embeds
0
Number of Embeds
172
Actions
Shares
0
Downloads
198
Comments
0
Likes
7
Embeds 0
No embeds

No notes for slide

Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

  1. 1. SEC 201 - Access Control for the Cloud: AWS Identity and Access Management (IAM) Jim Scharf, AWS November 13, 2013 © 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  2. 2. Agenda • Overview of AWS Identity and Access Management • How to enforce security policies in the cloud • How to integrate with existing directories • Highlight new features along the way
  3. 3. Identity and Access Management Who? What Actions? Which Resources?
  4. 4. What is AWS Identity and Access Management?
  5. 5. AWS Identity and Access Management Access control for AWS services and resources that is flexible, powerful, familiar, and secure
  6. 6. Flexible
  7. 7. A show of hands… • How many already use AWS? • Tried AWS because of – – – – $: No upfront investment, free tier, low ongoing cost Scale: Flexible capacity, global reach Agility: Speed and agility, apps not ops Services: Amazon EC2, Amazon S3, Amazon DynamoDB, Amazon Redshift, Amazon RDS, Amazon EMR, Amazon CloudFront, etc.
  8. 8. A show of hands… • How many initially tried AWS because of – Security – Identity
  9. 9. Flexible  Individual Use
  10. 10. Hear About AWS
  11. 11. Create Account
  12. 12. Innovate!
  13. 13. Flexible  Organizations
  14. 14. CEO Dev/Ops Development Sales/Mar keting Graeme Nate Anders Greg Cicilie Erin Kevin Brian Jeff Finance/Acc ounting Joan
  15. 15. CEO Dev/Ops Development Sales/Marketing Finance/Accounting Administrator access: control all AWS resources, including managing users Full access to: Amazon S3, Amazon DynamoDB + The ability to start (but not stop) Amazon EC2 instances Read-only to Amazon S3 Account activity and usage reports only
  16. 16. IAM
  17. 17. IAM • Users, groups, permissions – Individual security credentials – Secure by default – Grant least privilege • Easy to use – Graphical user interface – Ability to script/automate (CLI & API)
  18. 18. Flexible  Enterprise
  19. 19. Control
  20. 20. Control • AWS multi-factor authentication – Hardware tokens – Smartphone app tokens • Credential management policies • Control billing, support, and AWS Marketplace purchases
  21. 21. Flexible Control That Adapts with Your Needs No additional charge
  22. 22. Powerful Integrated
  23. 23. AWS Identity and Access Management Access control for AWS services and resources that is flexible, powerful, familiar, and secure
  24. 24. Cloud Services Amazon RDS Amazon SES AWS Storage Gateway Amazon CloudWatch Amazon Route 53 Amazon EC2 AWS IAM AWS OpsWorks Amazon SNS Amazon DynamoDB Amazon CloudFront Amazon S3 AWS Amazon Redshift CloudFormation Amazon Elastic MapReduce Amazon ElastiCache Amazon CloudSearch Amazon VPC Amazon Simple Workflow Amazon Elastic Transcoder AWS Elastic Beanstalk Amazon SQS
  25. 25. Cloud Resources Elastic IPs Stacks Spot Instances AMIs Users Topics Placement groups Templates Buckets Volumes Messages Instances Files Snapshots Security Groups Domains Queues Distributions Groups Roles Load Balancers Apps Workflows Auto Scaling groups Applications Network interfaces Layers Clusters
  26. 26. Powerful Fine-Grained
  27. 27. AWS Access Control Who? What actions? Which resources? When? Where? How?
  28. 28. Amazon EC2 Resource-Level Permissions Example use cases: • Ben can terminate instance i-abc12345 but not instance i-def67890 • Jeff can launch instances only in the subnet subnet-bdf2468 • Ken can use only the AMI ami-cba54321 to run instances • A user can take any action on resources if they have the tag “sandbox=${aws:username}” • Derek must authenticate using MFA before he can terminate instances with the tag “stack=prod”
  29. 29. Amazon DynamoDB Fine-Grained Access Control By Item By Attribute Or Both
  30. 30. Powerful Delegation
  31. 31. IAM Role • Entity that defines a set of permissions • Not associated with a specific user or group • Roles must be “assumed” by trusted entities
  32. 32. IAM Roles for Amazon EC2 • Allow Amazon EC2-based apps to act on behalf of another entity • Create a role, apply a policy, launch instance with role • Credentials are automatically: – Made available to Amazon EC2 instances – Rotated multiple times a day • AWS SDKs transparently use the credentials
  33. 33. Roles for EC2 Instances Auto Scaling AWS IAM Role: RW access to files, rows Amazon DynamoDB Auto Scaling Amazon S3 AWS Cloud
  34. 34. Benefits of Using Roles with Amazon EC2 • • • • Eliminates use of long-term credentials Automatic credential rotation Less coding – AWS SDK does all the work Easier and more Secure!
  35. 35. Powerful Scale
  36. 36. Trillions Resources
  37. 37. Million+ Requests/Second
  38. 38. Hundreds of Thousands Customers in 190 countries each with one to millions of identities
  39. 39. Lots! Servers
  40. 40. Global
  41. 41. Familiar  Administration
  42. 42. IAM Policy Simulator • Test the effect of access control policies before pushing to production • Verify and troubleshoot permissions
  43. 43. Amazon EC2 Instance OS Familiar Instance OS Controls RunInstances IAM Amazon EC2 Instance
  44. 44. Familiar  Enterprise Federation
  45. 45. Federation • AWS websites and/or APIs as relying party • Pre-packaged samples: Windows Active Directory, Shibboleth Active Directory
  46. 46. SSO Federation Using SAML New • STS now supports SAML 2.0 • Benefits: – – – – Open standards Quicker and easier to implement federation Leverage existing identity management software to manage access to AWS resources No coding required • AWS Management Console SSO – IdP-initiated web SSO via SAML 2.0 using the HTTP-POST binding (web SSO profile) – New sign-in URL that greatly simplifies SSO https://signin.aws.amazon.com/saml<SAML AuthN response> • API federation using new assumeRoleWithSAML operation
  47. 47. Partner Integrations for Federation / SSO http://www.xceedium.com/xsuite/xsuite-for-amazon-web-services http://www.okta.com/aws/ http://www.symplified.com/solutions/single-sign-on-sso https://www.pingidentity.com/products/pingfederate/ http://www.cloudberrylab.com/ad-bridge.aspx http://wiki.developerforce.com/page/Configuring-SAML-SSO-to-AWS
  48. 48. Familiar  Web Identity Federation
  49. 49. Web Identity Federation • App sign-in using 3rd party identity providers – Login with Amazon – Facebook – Google • Apps can access data from – Amazon S3, Amazon DynamoDB, Amazon Simple Notification Service (now with mobile push!) • No server-side code required
  50. 50. Web Identity Federation US-EAST-1 Amazon S3 Amazon DynamoDB AWS Services STS Identity Provider Assume Role
  51. 51. Web Identity Federation Playground • UI tool • Try it out, no coding required!
  52. 52. Secure  Powerful Controls
  53. 53. Control Your Users Multi-Factor Authentication Password/Credential Management Policies
  54. 54. Delegate Access Across Accounts • Access resources across AWS accounts • Why do you need it? – Management visibility across all your AWS accounts – Developer access to resources across AWS accounts – Use third-party solutions, with no sharing of credentials
  55. 55. Cross-Account Access - Setup dev@example.com prod@example.com Acct ID: 111122223333 Acct ID: 123456789012 STS ddb-role IAM user: Jeff { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} Permissions assigned to Jeff granting him permission to assume ddb-role in account B Permissions assigned to ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*" }]} { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} ddb-role trusts IAM users from the AWS account dev@example.com (123456789012)
  56. 56. Cross-Account Access - Use dev@example.com Acct ID: 123456789012 prod@example.com Authenticate to AWS with Jeff access keys Acct ID: 111122223333 STS ddb-role IAM user: Jeff Get temporary security credentials for ddb-role Call AWS APIs using temporary security credentials of ddb-role
  57. 57. Secure  Audit
  58. 58. AWS CloudTrail Log API calls to: Amazon EC2 AWS IAM Amazon RDS Amazon VPC AWS Security Token Service Amazon Redshift Amazon EBS AWS CloudTrail Additional services added over time…
  59. 59. AWS CloudTrail • Your AWS account’s API calls logged and delivered to your Amazon S3 bucket • Amazon SNS notifications of new log files (optional) • Data analysis partners:
  60. 60. Achieving Best Practices: Trusted Advisor • AWS Support service – Analyzes account for issues and recommendations – API for integration with your tools • Categories: – – – – Cost savings Security Fault tolerance Performance
  61. 61. Secure  Compliance
  62. 62. Regular Exhaustive 3rd Party Evaluations
  63. 63. New AWS Whitepapers • AWS Security Best Practices – http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf – Best practices on wide range of topics, including: • • • • • Defining and categorizing assets on AWS Managing identities Implementing data security Securing your operating systems and applications Monitoring, alerting, auditing, and incident response • Securing Data at Rest with Encryption – http://media.amazonwebservices.com/AWS_Securing_Data_at_Rest_with_Encryption.pdf
  64. 64. AWS Security Blog http://blogs.aws.amazon.com/security/
  65. 65. Summary
  66. 66. AWS Identity and Access Management • Flexible – Individual use – Organizations – Enterprise • Powerful – – – – Integrated Fine-grained Delegation Scale • Familiar – Administration – Enterprise federation – Web identity federation • Secure – Powerful controls – Audit – Compliance
  67. 67. For More Information • • • • • IAM detail page: http://aws.amazon.com/iam AWS forum: https://forums.aws.amazon.com/forum.jspa?forumID=76 Documentation: http://aws.amazon.com/documentation/iam/ AWS Security Blog: http://blogs.aws.amazon.com/security Twitter: @AWSIdentity • Meet the IAM and Security teams: – Thursday 11/14 4pm - 6pm – Toscana 3605
  68. 68. Customers who liked this talk also may like… • SEC301 - Top 10 AWS Identity and Access Management (IAM) Best Practices – Wednesday, Nov 13, 3:00 PM - 4:00 PM – Marcello 4503 • SEC302 - Mastering Access Control Policies – Wednesday, Nov 13, 4:15 PM - 5:15 PM – Venetian A • SEC303 - Delegating Access to your AWS Environment – Thursday, Nov 14, 11:00 AM - 12:00 PM – Venetian A • SEC304 - Encryption and key management in AWS – Friday, Nov 15, 9:00 AM - 10:00 AM – San Polo 3406 • SEC401 - Integrate Social Login Into Mobile Apps – Thursday, Nov 14, 1:30 PM - 2:30 PM – Venetian A • SEC402 - Intrusion Detection in the Cloud – Thursday, Nov 14, 5:30 PM - 6:30 PM – Marcello 4406
  69. 69. Please give us your feedback on this presentation SEC201 As a thank you, we will select prize winners daily for completed surveys!

×