Delegating Access to your AWS Environment

At times you may have a need to provide external entities access to resources within your AWS account. You may have users within your enterprise that want to access AWS resources without having to remember a new username and password. Alternatively, you may be creating a cloud-backed application that is used by millions of mobile users. Or you have multiple AWS accounts that you want to share resources across. Regardless of the scenario, AWS Identity and Access Management (IAM) provides a number of ways you can securely and flexibly provide delegated access to your AWS resources. Come learn how to best take advantage of these options in your AWS environment.

Transcript

  • 1. Delegating Access to your AWS Environment
    Jeff Wierer, Product Manager (IAM)
  • 2. Goals for this talk
    Understand the technology used to delegate access
    • Sessions and the AWS Security Token Service (STS)
    • Roles and assumed-role sessions
    • Federated sessions
    • The differences in session types and when to use what
    Use cases we’ll cover
    • API Account Access Delegation
    • AWS API Federation
    • AWS Management Console Federation
  • 3. Let’s start with a short demo 
  • 4. AWS Management Console SSO Demo Setup
    (Sample - http://aws.amazon.com/code/4001165270590826)
    Active Directory as the identity source. Log into the console without a username and password!
  • 5. Demo: Single Sign-On to the AWS Management Console
  • 6. Wait… what just happened?
    1. Logged into my Windows desktop
    2. Hit an intranet web site
    3. Chose the “role” I wanted to play in AWS
    4. Auto-magically signed in to the console
    How did he do that??
  • 7. Delegation basics: Sessions & the AWS Security Token Service
  • 8. Sessions 101
    • Allow delegating temporary access to your AWS account
    • Are generated by the AWS Security Token Service
    • Include temporary credentials that are used to make API calls to AWS services
  • 9. Requesting a Session
    Start by requesting a session from AWS STS. A session contains: Access Key Id, Secret Access Key, Expiration, Session Token.
  • 10. What’s in a Session?
    Temporary security credentials: Access Key Id, Secret Access Key, Expiration, Session Token.
  • 11. Three Ways to Get Sessions
    • Self-sessions (GetSessionToken)
    • Federated sessions (GetFederationToken)
    • Assumed-role sessions (AssumeRole)
  • 12. Sessions Expire
    Expiration varies based on token type [Min / Max / Default]:
    • Self (Account) [15 min / 60 min / 60 min]
    • Self (IAM User) [15 min / 36 hrs / 12 hrs]
    • Federated [15 min / 36 hrs / 12 hrs]
    • Assumed-role [15 min / 60 min / 60 min]
    Use caching to improve your application performance.
  • 13. Role-based delegation: Using assumed-role sessions
  • 14. What’s an IAM Role?
    • Entity that defines a set of permissions for making AWS service requests
    • Not associated with a specific user or group
    • Roles must be “assumed” by trusted entities, but not by a root account
  • 15. Using an IAM Role with EC2
    • Allow EC2 apps to act on behalf of another entity
    • Create a role, apply a policy, launch EC2 instance with role
    • Credentials are automatically:
      – Made available to EC2 instances
      – Rotated multiple times a day
    • AWS SDK transparently uses the credentials
  • 16. Demo: Create a Role and Launch an EC2 Instance
  • 17. Benefits of Using Roles with EC2
    • Eliminates use of long term credentials
    • Automatic credential rotation
    • Less coding – AWS SDK does all the work
  • 18. Use Case: API Account Access Delegation
    • Access resources across AWS accounts
    • Why do you need it?
      – Management visibility across all your AWS accounts
      – Developer access to resources across AWS accounts
      – Enables using third-party management solutions
  • 19. Using IAM Roles for API Account Access Delegation
    • Extended “roles for EC2” concept
      – Set a policy as before
      – Set a trust granting access [NEW]
    • Delegate access to other AWS entities
      – AWS services (such as EC2)
      – IAM users within your account
      – IAM users under a different account
    • IAM users in one account can now access resources in another account
    How to define who can assume the role using the console. The entity holding this policy can assume MyRole under account 111122223333:
        { "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/MyRole"}]}
  • 20. API Account Access Delegation – How Does It Work?
    Two accounts are involved: My AWS Account (Acct ID: 123456789012), where Jeff is an IAM user, and the IAM Team Account (Acct ID: 111122223333), which owns s3-role.
    • Jeff authenticates with his own access keys
    • Jeff gets temporary security credentials for s3-role from STS
    • Jeff calls AWS APIs using the temporary security credentials
    Permissions assigned to s3-role:
        { "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    Policy assigned to Jeff granting him permission to assume s3-role in account B:
        { "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/s3-role"}]}
    Policy assigned to s3-role defining who (trusted entities) can assume the role:
        { "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "sts:AssumeRole"}]}
  • 21. Building a Cross-Account Amazon S3 BrowserDemo
  • 22. Assumed-Role Session – Code Sample
        public static Credentials getAssumeRoleSession(String AccessKey, String SecretKey)
        {
            Credentials sessionCredentials;
            // Sign the STS call with the long-term keys of the IAM user that the role trusts
            AmazonSecurityTokenServiceClient client = new AmazonSecurityTokenServiceClient(
                AccessKey, SecretKey, new AmazonSecurityTokenServiceConfig());

            // Store the attributes and request a new AssumeRole session (temporary security credentials)
            AssumeRoleRequest request = new AssumeRoleRequest
            {
                DurationSeconds = 3600,
                RoleArn = "arn:aws:iam::111122223333:role/s3-role",
                RoleSessionName = "S3BucketBrowser"
            };
            AssumeRoleResponse startSessionResponse = client.AssumeRole(request);

            if (startSessionResponse != null) // Check for valid security credentials or null
            {
                AssumeRoleResult startSessionResult = startSessionResponse.AssumeRoleResult;
                sessionCredentials = startSessionResult.Credentials;
                return sessionCredentials;
            }
            else
            {
                throw new Exception("S3 Browser :: Error in retrieving temporary security creds, received NULL");
            }
        }
  • 23. API Account Access Delegation Benefits
    • Use one set of credentials
    • No more sharing long term credentials
    • Revoke access to the role anytime you want!
  • 24. Federation: Using sessions to access AWS with your existing corporate identity
  • 25. Federation Overview
    • Access AWS with your existing corporate identity
    • Why use federation?
      – Build apps that transparently access AWS resources and APIs
      – SSO to the AWS Management Console
      – Eliminate “yet another password” to manage
  • 26. Use Case: API Federation
    (Sample - http://aws.amazon.com/code/1288653099190193)
    • Identity provider
      – Windows Active Directory
      – Privileges based on AD group membership
      – AD groups include policies
    • Relying party is AWS API (S3*)
    • Uses federated session via GetFederationToken
  • 27. AWS API Federation Walkthrough
    Customer (Identity Provider): User, Application, Active Directory, Federation Proxy. AWS Cloud (Relying Party): STS and AWS resources (S3 bucket with objects, Amazon DynamoDB, Amazon EC2).
    1. User requests a session from the application (steps 2 and 3: the application hands the request to the Federation Proxy, which consults Active Directory)
    4. Federation Proxy sends a GetFederationToken request to STS
    5. GetFederationToken response: Access Key, Secret Key, Session Token
    6. Application receives the session
    7. Application calls AWS APIs with the temporary credentials
    Federation Proxy:
    • Uses a set of IAM user credentials to make a GetFederationTokenRequest()
    • IAM user permissions need to be the union of all federated user permissions
    • Proxy needs to securely store these privileged credentials
  • 28. API FederationDemo
  • 29. Get Federation Session – Code Sample
        public Credentials GetSecurityToken(string userName, string Accesskey, string Secretkey)
        {
            Credentials sessionCredentials;
            AmazonSecurityTokenServiceConfig config = new AmazonSecurityTokenServiceConfig();
            // The proxy's own IAM user credentials sign the call; its permissions must cover everything it will delegate
            AmazonSecurityTokenServiceClient client = new AmazonSecurityTokenServiceClient(Accesskey, Secretkey, config);

            string policy = Utilities.BuildAWSPolicy(userName); // Retrieve the AWS Policy from Active Directory
            GetFederationTokenRequest request = new GetFederationTokenRequest
            {
                DurationSeconds = 3600 * 8,
                Name = userName,
                Policy = policy // Scopes the federated session down to this user's AD-derived permissions
            };
            GetFederationTokenResponse startSessionResponse = client.GetFederationToken(request);

            if (startSessionResponse != null) // Check the result returned, ex: Valid security credentials or null?
            {
                GetFederationTokenResult startSessionResult = startSessionResponse.GetFederationTokenResult;
                sessionCredentials = startSessionResult.Credentials;
                return sessionCredentials;
            }
            else
            {
                throw new Exception("FederationProxy :: Error in retrieving temporary security creds, received NULL");
            }
        }
  • 30. Using IAM Roles for Federation
    • Assumed-role sessions can also be used for federation
    • Provides a different option for storing AWS permissions
    • Allows for “separation of duties” in managing AWS permissions
    • Corp admin manages: groups, users, and intranet permissions
    • AWS admin creates roles & maintains policies on those roles
  • 31. Use Case: Console Federation
    (Sample - http://aws.amazon.com/code/4001165270590826)
    • Identity provider
      – Windows Active Directory
      – Privileges based on AD group membership
      – AD groups match the names of IAM roles
    • Relying party is AWS Management Console
    • Uses assumed-role session via AssumeRole
  • 32. Basics of a Role-Based Federation Proxy
    Account 111122223333 owns s3-role. The Proxy Server (an IAM user) authenticates with its access keys, gets temporary security credentials for s3-role from STS, and the user logs in to the AWS Management Console using those temporary security credentials.
    Permissions assigned to s3-role:
        { "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    Policy assigned to Proxy granting permission to ListRoles and AssumeRole for all roles:
        { "Statement": [{"Effect": "Allow", "Action": ["iam:ListRoles", "sts:AssumeRole"], "Resource": "arn:aws:iam::111122223333:role/*"}]}
    Policy assigned to s3-role defining who can assume the role (the sts:externalId condition means the proxy must also present the agreed external ID, not just come from the trusted account):
        {"Statement": {"Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Condition": {"StringEquals": {"sts:externalId": "{SID1234…}"}}, "Effect": "Allow", "Action": ["sts:AssumeRole"]}}
  • 33. Console Federation Walkthrough (AssumeRole)
    Customer (IdP): browser interface, corporate directory, federation proxy. AWS Cloud (Relying Party): STS, AWS Management Console.
    1. Browse to URL (steps 2 and 3: the federation proxy identifies the user against the corporate directory)
    4. ListRoles request (proxy → AWS)
    5. ListRoles response
    6. Create combobox of roles for the user to choose from
    7. AssumeRole request
    8. AssumeRole response: temporary credentials (Access Key, Secret Key, Session Token)
    9. Generate URL
    10. Redirect to console
    Federation proxy:
    • Uses a set of IAM user credentials to make AssumeRoleRequest()
    • IAM user permissions only need to be able to call ListRoles & assume role
    • Proxy needs to securely store these credentials
  • 34. Console Federation (SSO)Demo
  • 35. Console Federation – Code Sample
        public string getSignInURL(Credentials creds, String issuerURL, String consoleURL, String signInURL)
        {
            // Create the sign-in token using the temporary credentials: Access Key ID, Secret Access Key, and session token.
            String sessionJson = "{" +
                "\"sessionId\":\"" + creds.AccessKeyId + "\"," +
                "\"sessionKey\":\"" + creds.SecretAccessKey + "\"," +
                "\"sessionToken\":\"" + creds.SessionToken + "\"" +
                "}";
            String getSigninTokenURL = signInURL + "?Action=getSigninToken" +
                "&SessionType=json&Session=" + HttpUtility.UrlEncode(sessionJson, Encoding.UTF8);

            WebRequest Request = WebRequest.Create(getSigninTokenURL);
            HttpWebResponse WebResponse = (HttpWebResponse)Request.GetResponse();
            Stream data = WebResponse.GetResponseStream();
            StreamReader reader = new StreamReader(data);
            String Response = reader.ReadToEnd();

            // The response body is {"SigninToken":"..."}; splitting on ':' and '"' leaves the token at index 4
            String[] session_encrypted = Response.Split(new Char[] { ':', '"' });
            String signinToken = session_encrypted[4];

            String signinTokenParameter = "&SigninToken=" + HttpUtility.UrlEncode(signinToken, Encoding.UTF8);
            String issuer_param = "&Issuer=" + HttpUtility.UrlEncode(issuerURL, Encoding.UTF8);
            String destination_param = "&Destination=" + HttpUtility.UrlEncode(consoleURL, Encoding.UTF8);
            String loginURL = signInURL + "?Action=login" + signinTokenParameter + issuer_param + destination_param;
            return loginURL;
        }
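    The sign-in URL construction from slide 35, redone in Python as an added example (not part of the talk or its sample code): the federation endpoint's reply is parsed as JSON instead of being split on ':' and '"', and the network call is left to the caller so each step can be checked offline. The endpoint URL is AWS's federation endpoint; the credential values used in testing are constructed.

```python
# Added example (not from the talk): console federation sign-in URL flow in Python.
import json
from urllib.parse import urlencode

# AWS federation endpoint used by the console SSO flow
FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def build_get_signin_token_url(creds, signin_url=FEDERATION_ENDPOINT):
    """Step 1: wrap the AssumeRole temporary credentials in the getSigninToken request.
    `creds` is a dict with AccessKeyId, SecretAccessKey and SessionToken."""
    session = {
        "sessionId": creds["AccessKeyId"],
        "sessionKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
    }
    params = {
        "Action": "getSigninToken",
        "SessionType": "json",
        "Session": json.dumps(session, separators=(",", ":")),
    }
    # urlencode percent-encodes the JSON, so quotes and braces survive the query string
    return signin_url + "?" + urlencode(params)


def parse_signin_token(response_body):
    """Step 2: the endpoint answers with {"SigninToken": "..."}. Parsing it as JSON
    means a token containing ':' or '"' cannot shift the field positions."""
    token = json.loads(response_body).get("SigninToken")
    if not token:
        raise ValueError("federation endpoint returned no SigninToken")
    return token


def build_login_url(signin_token, issuer_url, console_url, signin_url=FEDERATION_ENDPOINT):
    """Step 3: the URL the proxy redirects the browser to. Destination is the console
    page to open; Issuer is where the console sends the user once the session expires.
    The SigninToken is a bearer credential: serve this redirect over TLS and keep it
    out of access logs."""
    params = {
        "Action": "login",
        "SigninToken": signin_token,
        "Issuer": issuer_url,
        "Destination": console_url,
    }
    return signin_url + "?" + urlencode(params)
```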
  • 36. Federation Benefits
    • Leverage your existing corporate identities
    • Use the username/password you already know
    • Enforce corporate policies/governance
    • When employees leave, you only need to delete their corporate account
  • 37. Variable Substitution
    • Use cases enabled
      – Easily enable users to manage their own credentials
      – Easily set up access to “home folder” in S3
      – Personal topics (SNS) or queues (SQS)
    • Benefits
      – Reduces the need for user policies
      – Variables based on request context
        • Keys (e.g., aws:SourceIP, etc.)
        • New keys (aws:username, aws:userid, aws:principaltype)
    Example policy giving each user an S3 home folder:
        {"Version": "2012-10-17",
         "Statement": [
          {"Action": ["s3:ListBucket"], "Effect": "Allow",
           "Resource": ["arn:aws:s3:::myBucket"],
           "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}},
          {"Action": ["s3:*"], "Effect": "Allow",
           "Resource": ["arn:aws:s3:::myBucket/home/${aws:username}/*",
                        "arn:aws:s3:::myBucket/home/${aws:username}"]}]}
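    An added example (not from the talk) that evaluates the slide-37 home-folder policy in Python: it substitutes ${aws:username} from the request context and applies the StringLike condition on s3:prefix, so you can see which requests the policy admits for a given user. It implements only the constructs this policy uses (Allow statements, Action and Resource wildcards, StringLike); Deny statements and other condition operators are out of scope, and the usernames are constructed.

```python
# Added example (not from the talk): minimal evaluator for the ${aws:username} home-folder policy.
import fnmatch
import json
import re

# The policy from slide 37, verbatim
HOME_FOLDER_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Action": ["s3:ListBucket"], "Effect": "Allow",
   "Resource": ["arn:aws:s3:::myBucket"],
   "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}},
  {"Action": ["s3:*"], "Effect": "Allow",
   "Resource": ["arn:aws:s3:::myBucket/home/${aws:username}/*",
                "arn:aws:s3:::myBucket/home/${aws:username}"]}]}''')


def substitute(value, context):
    """Replace ${key} with the request-context value (e.g. aws:username); unknown keys stay as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), value)


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource, context):
    """Default deny: True only if some Allow statement matches the action, the
    variable-substituted resource, and every StringLike condition key.
    A condition key missing from the request context (e.g. a ListBucket call
    with no s3:prefix) makes the condition false, as in IAM."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or not _matches(stmt["Action"], action):
            continue
        resources = [substitute(r, context) for r in stmt["Resource"]]
        if not _matches(resources, resource):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        if all(key in context
               and _matches([substitute(p, context) for p in pats], context[key])
               for key, pats in conditions.items()):
            return True
    return False
```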
  • 38. Access Control Policy VariablesDemo
  • 39. Delegation options: Choosing the right session type
  • 40. Considerations When Choosing Session Type
    • What services do you want to use?
    • Where do you want to maintain AWS permissions?
      – Within your enterprise?
      – Within AWS?
    • How are permissions derived?
  • 41. What Services Support Sessions?
    Support compared for Federated vs. Assumed-Role sessions across: Security Token Service, AWS Identity and Access Management (IAM), AWS CloudFormation, AWS Elastic Beanstalk, Amazon Elastic MapReduce, and all other services.
    Accurate as of 4/30/2013. See http://aws.amazon.com/iam for the most up to date list.
  • 42. Where Do You Want to Maintain AWS Permissions?
    Within your enterprise
    • Use federated session
    • Proxy will require maximum permissions
    • Required: attach policy to the request
    Within AWS
    • Use assumed-role session
    • Proxy will only require listRoles & assumeRole permissions
    • Optional: attach policy to the request
  • 43. Summary: Use Cases
    Cross-Account API Access
    • Use one set of credentials
    • No more sharing long term credentials
    • Revoke access to the role anytime you want!
    Federation
    • Leverage your existing corporate identities
    • Use the username/password you already know
    • Enforce corporate policies/governance
    • When employees leave, you only need to delete their corporate account
  • 44. Summary: Technology
    Sessions are the heart of delegation
    • Use keys to sign API requests
    • Use token as parameter when making requests
    Request sessions (federated/assumed-role) by calling AWS STS
    • Variable expiration timeframes
    • Service support varies per session type
    • AWS permissions derived differently
    Choose the right session for the job
  • 45. For More Information
    • Learn more from our home page
      – http://aws.amazon.com/iam
    • This is the IAM forum where we hang out
      – https://forums.aws.amazon.com/forum.jspa?forumID=76
    • Developer documentation
      – http://aws.amazon.com/documentation/iam/