SEC 201 - Access Control for the Cloud:
AWS Identity and Access Management (IAM)
Jim Scharf, AWS
November 13, 2013
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013
Learn how AWS IAM enables you to control who can do what in your AWS environment. We discuss how IAM provides flexible access control that helps you maintain security while adapting to your evolving business needs. We'll review how to integrate AWS IAM with your existing identity directories via identity federation. We outline some of the unique challenges that make providing IAM for the cloud a little different. And throughout the presentation, we highlight recent features that make it even easier to manage the security of your workloads on the cloud.

Transcript of "Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013"

Slide 1: SEC 201 - Access Control for the Cloud: AWS Identity and Access Management (IAM)
Jim Scharf, AWS. November 13, 2013.
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

Slide 2: Agenda
• Overview of AWS Identity and Access Management
• How to enforce security policies in the cloud
• How to integrate with existing directories
• Highlight new features along the way

Slide 3: Identity and Access Management
Who? What actions? Which resources?

Slide 4: What is AWS Identity and Access Management?

Slide 5: AWS Identity and Access Management
Access control for AWS services and resources that is flexible, powerful, familiar, and secure.

Slide 6: Flexible

Slide 7: A show of hands…
• How many already use AWS?
• Tried AWS because of
– $: No upfront investment, free tier, low ongoing cost
– Scale: Flexible capacity, global reach
– Agility: Speed and agility, apps not ops
– Services: Amazon EC2, Amazon S3, Amazon DynamoDB, Amazon Redshift, Amazon RDS, Amazon EMR, Amazon CloudFront, etc.

Slide 8: A show of hands…
• How many initially tried AWS because of
– Security
– Identity

Slide 9: Flexible: Individual Use

Slide 10: Hear About AWS

Slide 11: Create Account

Slide 12: Innovate!

Slide 13: Flexible: Organizations

Slide 14: (org chart) CEO; Dev/Ops; Development; Sales/Marketing; Finance/Accounting. Example users: Graeme, Nate, Anders, Greg, Cicilie, Erin, Kevin, Brian, Jeff, Joan.

Slide 15: (org chart: CEO, Dev/Ops, Development, Sales/Marketing, Finance/Accounting, each with an example permission set)
• Administrator access: control all AWS resources, including managing users
• Full access to Amazon S3 and Amazon DynamoDB, plus the ability to start (but not stop) Amazon EC2 instances
• Read-only to Amazon S3
• Account activity and usage reports only

Slide 16: IAM

Slide 17: IAM
• Users, groups, permissions
– Individual security credentials
– Secure by default
– Grant least privilege
• Easy to use
– Graphical user interface
– Ability to script/automate (CLI & API)

Slide 18: Flexible: Enterprise

Slide 19: Control

Slide 20: Control
• AWS multi-factor authentication
– Hardware tokens
– Smartphone app tokens
• Credential management policies
• Control billing, support, and AWS Marketplace purchases

Slide 21: Flexible Control That Adapts with Your Needs. No additional charge.

Slide 22: Powerful: Integrated

Slide 23: AWS Identity and Access Management
Access control for AWS services and resources that is flexible, powerful, familiar, and secure.

Slide 24: Cloud Services
Amazon RDS, Amazon SES, AWS Storage Gateway, Amazon CloudWatch, Amazon Route 53, Amazon EC2, AWS IAM, AWS OpsWorks, Amazon SNS, Amazon DynamoDB, Amazon CloudFront, Amazon S3, Amazon Redshift, AWS CloudFormation, Amazon Elastic MapReduce, Amazon ElastiCache, Amazon CloudSearch, Amazon VPC, Amazon Simple Workflow, Amazon Elastic Transcoder, AWS Elastic Beanstalk, Amazon SQS

Slide 25: Cloud Resources
Elastic IPs, Stacks, Spot Instances, AMIs, Users, Topics, Placement groups, Templates, Buckets, Volumes, Messages, Instances, Files, Snapshots, Security Groups, Domains, Queues, Distributions, Groups, Roles, Load Balancers, Apps, Workflows, Auto Scaling groups, Applications, Network interfaces, Layers, Clusters

Slide 26: Powerful: Fine-Grained

Slide 27: AWS Access Control
Who? What actions? Which resources? When? Where? How?

Slide 28: Amazon EC2 Resource-Level Permissions
Example use cases:
• Ben can terminate instance i-abc12345 but not instance i-def67890
• Jeff can launch instances only in the subnet subnet-bdf2468
• Ken can use only the AMI ami-cba54321 to run instances
• A user can take any action on resources if they have the tag "sandbox=${aws:username}"
• Derek must authenticate using MFA before he can terminate instances with the tag "stack=prod"

Slide 29: Amazon DynamoDB Fine-Grained Access Control
By item, by attribute, or both.

Slide 30: Powerful: Delegation

Slide 31: IAM Role
• Entity that defines a set of permissions
• Not associated with a specific user or group
• Roles must be "assumed" by trusted entities

Slide 32: IAM Roles for Amazon EC2
• Allow Amazon EC2-based apps to act on behalf of another entity
• Create a role, apply a policy, launch instance with role
• Credentials are automatically:
– Made available to Amazon EC2 instances
– Rotated multiple times a day
• AWS SDKs transparently use the credentials

Slide 33: Roles for EC2 Instances
(diagram: Auto Scaling groups of Amazon EC2 instances in the AWS cloud run with an IAM role granting read/write access to files in Amazon S3 and rows in Amazon DynamoDB)

Slide 34: Benefits of Using Roles with Amazon EC2
• Eliminates use of long-term credentials
• Automatic credential rotation
• Less coding: the AWS SDK does all the work
• Easier and more secure!

Slide 35: Powerful: Scale

Slide 36: Trillions of resources

Slide 37: Million+ requests/second

Slide 38: Hundreds of thousands of customers in 190 countries, each with one to millions of identities

Slide 39: Lots! (servers)

Slide 40: Global

Slide 41: Familiar: Administration

Slide 42: IAM Policy Simulator
• Test the effect of access control policies before pushing to production
• Verify and troubleshoot permissions

Slide 43: Familiar Instance OS Controls
(diagram: IAM governs the RunInstances call to Amazon EC2; the resulting instance keeps its familiar instance OS controls)

Slide 44: Familiar: Enterprise Federation

Slide 45: Federation
• AWS websites and/or APIs as relying party
• Pre-packaged samples: Windows Active Directory, Shibboleth

Slide 46: SSO Federation Using SAML (New)
• STS now supports SAML 2.0
• Benefits:
– Open standards
– Quicker and easier to implement federation
– Leverage existing identity management software to manage access to AWS resources
– No coding required
• AWS Management Console SSO
– IdP-initiated web SSO via SAML 2.0 using the HTTP-POST binding (web SSO profile)
– New sign-in URL that greatly simplifies SSO: https://signin.aws.amazon.com/saml <SAML AuthN response>
• API federation using the new assumeRoleWithSAML operation

Slide 47: Partner Integrations for Federation / SSO
http://www.xceedium.com/xsuite/xsuite-for-amazon-web-services
http://www.okta.com/aws/
http://www.symplified.com/solutions/single-sign-on-sso
https://www.pingidentity.com/products/pingfederate/
http://www.cloudberrylab.com/ad-bridge.aspx
http://wiki.developerforce.com/page/Configuring-SAML-SSO-to-AWS

Slide 48: Familiar: Web Identity Federation

Slide 49: Web Identity Federation
• App sign-in using 3rd party identity providers
– Login with Amazon
– Facebook
– Google
• Apps can access data from
– Amazon S3, Amazon DynamoDB, Amazon Simple Notification Service (now with mobile push!)
• No server-side code required

Slide 50: Web Identity Federation
(diagram, US-EAST-1: the app signs in with the Identity Provider, calls STS to assume a role, then reaches AWS services such as Amazon S3 and Amazon DynamoDB)

Slide 51: Web Identity Federation Playground
• UI tool
• Try it out, no coding required!

Slide 52: Secure: Powerful Controls

Slide 53: Control Your Users
• Multi-Factor Authentication
• Password/Credential Management Policies

Slide 54: Delegate Access Across Accounts
• Access resources across AWS accounts
• Why do you need it?
– Management visibility across all your AWS accounts
– Developer access to resources across AWS accounts
– Use third-party solutions, with no sharing of credentials

Slide 55: Cross-Account Access - Setup
Accounts: dev@example.com (Acct ID: 123456789012) with IAM user Jeff; prod@example.com (Acct ID: 111122223333) with role ddb-role.

Permissions assigned to Jeff, granting him permission to assume ddb-role in account B:
    { "Statement": [ {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::111122223333:role/ddb-role"
    } ] }

Permissions assigned to ddb-role:
    { "Statement": [ {
        "Action": [
            "dynamodb:GetItem",
            "dynamodb:BatchGetItem",
            "dynamodb:Query",
            "dynamodb:Scan",
            "dynamodb:DescribeTable",
            "dynamodb:ListTables"
        ],
        "Effect": "Allow",
        "Resource": "*"
    } ] }

Trust policy: ddb-role trusts IAM users from the AWS account dev@example.com (123456789012):
    { "Statement": [ {
        "Effect": "Allow",
        "Principal": { "AWS": "123456789012" },
        "Action": "sts:AssumeRole"
    } ] }

Slide 56: Cross-Account Access - Use
1. IAM user Jeff (dev@example.com, Acct ID: 123456789012) authenticates to AWS with Jeff's access keys.
2. Jeff calls STS to get temporary security credentials for ddb-role (prod@example.com, Acct ID: 111122223333).
3. Jeff calls AWS APIs using the temporary security credentials of ddb-role.
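To make the two-sided check behind slides 55 and 56 concrete, here is an added Python example (not AWS code and not from the talk) that evaluates the three slide-55 policies the way IAM resolves them: default deny, an explicit Deny wins, and Action/Resource wildcards. Account IDs, the user and the role name come from the slides; the table ARN and the function names are my own assumptions.

```python
# Added example: minimal evaluator for the cross-account flow on slides 55-56.
# Models IAM's default-deny and explicit-deny rules with wildcard matching on
# Action and Resource. Not AWS code; account IDs and role name are the slides'.
from fnmatch import fnmatchcase

DEV_ACCOUNT = "123456789012"    # dev@example.com, where IAM user Jeff lives
PROD_ACCOUNT = "111122223333"   # prod@example.com, where ddb-role lives
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/ddb-role"
# Constructed sample table ARN (assumption, not from the slides).
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{PROD_ACCOUNT}:table/Orders"

# Identity policy on Jeff: may only call sts:AssumeRole on ddb-role.
JEFF_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Resource": ROLE_ARN}]}
# Permissions policy on ddb-role: read-only DynamoDB.
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
    "dynamodb:Scan", "dynamodb:DescribeTable", "dynamodb:ListTables"]}]}
# Trust policy of ddb-role: only principals from the dev account may assume it.
TRUST_POLICY = {"Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": DEV_ACCOUNT},
                               "Action": "sts:AssumeRole"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource, principal=None):
    """Default deny; any matching Deny wins; otherwise a matching Allow grants."""
    decision = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        # Resource-based policies (trust policies) name a Principal instead of
        # a Resource; only check the element that is present.
        if "Resource" in stmt and not any(
                fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if "Principal" in stmt:
            trusted = _as_list(stmt["Principal"].get("AWS", []))
            if principal not in trusted and "*" not in trusted:
                continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def can_assume_role(caller_account, caller_policy, trust_policy, role_arn):
    """Cross-account AssumeRole needs both sides: the caller's identity policy
    must allow sts:AssumeRole on the role AND the role must trust the caller."""
    caller_ok = is_allowed(caller_policy, "sts:AssumeRole", role_arn)
    trusted = is_allowed(trust_policy, "sts:AssumeRole", role_arn,
                         principal=caller_account)
    return caller_ok and trusted


def role_allows(action, resource_arn):
    """What the temporary ddb-role credentials may do once obtained."""
    return is_allowed(ROLE_POLICY, action, resource_arn)
```

Dropping either side (a caller from another account, or a role ARN Jeff's policy does not name) fails the assume-role check, and the temporary credentials still grant only the read actions listed on ddb-role.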
Slide 57: Secure: Audit

Slide 58: AWS CloudTrail
Log API calls to: Amazon EC2, AWS IAM, Amazon RDS, Amazon VPC, AWS Security Token Service, Amazon Redshift, Amazon EBS, AWS CloudTrail. Additional services added over time…

Slide 59: AWS CloudTrail
• Your AWS account's API calls logged and delivered to your Amazon S3 bucket
• Amazon SNS notifications of new log files (optional)
• Data analysis partners: (partner logos)

Slide 60: Achieving Best Practices: Trusted Advisor
• AWS Support service
– Analyzes account for issues and recommendations
– API for integration with your tools
• Categories:
– Cost savings
– Security
– Fault tolerance
– Performance

Slide 61: Secure: Compliance

Slide 62: Regular Exhaustive 3rd Party Evaluations

Slide 63: New AWS Whitepapers
• AWS Security Best Practices
– http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
– Best practices on a wide range of topics, including:
• Defining and categorizing assets on AWS
• Managing identities
• Implementing data security
• Securing your operating systems and applications
• Monitoring, alerting, auditing, and incident response
• Securing Data at Rest with Encryption
– http://media.amazonwebservices.com/AWS_Securing_Data_at_Rest_with_Encryption.pdf

Slide 64: AWS Security Blog
http://blogs.aws.amazon.com/security/

Slide 65: Summary

Slide 66: AWS Identity and Access Management
• Flexible
– Individual use
– Organizations
– Enterprise
• Powerful
– Integrated
– Fine-grained
– Delegation
– Scale
• Familiar
– Administration
– Enterprise federation
– Web identity federation
• Secure
– Powerful controls
– Audit
– Compliance

Slide 67: For More Information
• IAM detail page: http://aws.amazon.com/iam
• AWS forum: https://forums.aws.amazon.com/forum.jspa?forumID=76
• Documentation: http://aws.amazon.com/documentation/iam/
• AWS Security Blog: http://blogs.aws.amazon.com/security
• Twitter: @AWSIdentity
• Meet the IAM and Security teams:
– Thursday 11/14 4pm - 6pm
– Toscana 3605

Slide 68: Customers who liked this talk also may like…
• SEC301 - Top 10 AWS Identity and Access Management (IAM) Best Practices
– Wednesday, Nov 13, 3:00 PM - 4:00 PM
– Marcello 4503
• SEC302 - Mastering Access Control Policies
– Wednesday, Nov 13, 4:15 PM - 5:15 PM
– Venetian A
• SEC303 - Delegating Access to your AWS Environment
– Thursday, Nov 14, 11:00 AM - 12:00 PM
– Venetian A
• SEC304 - Encryption and key management in AWS
– Friday, Nov 15, 9:00 AM - 10:00 AM
– San Polo 3406
• SEC401 - Integrate Social Login Into Mobile Apps
– Thursday, Nov 14, 1:30 PM - 2:30 PM
– Venetian A
• SEC402 - Intrusion Detection in the Cloud
– Thursday, Nov 14, 5:30 PM - 6:30 PM
– Marcello 4406

Slide 69: Please give us your feedback on this presentation (SEC201)
As a thank you, we will select prize winners daily for completed surveys!