Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013

At times you may have a need to provide external entities access to resources within your AWS account. You may have users within your enterprise that want to access AWS resources without having to remember a new username and password. Alternatively, you may be creating a cloud-backed application that is used by millions of mobile users. Or you have multiple AWS accounts that you want to share resources across. Regardless of the scenario, AWS Identity and Access Management (IAM) provides a number of ways you can securely and flexibly provide delegated access to your AWS resources. Come learn how to best take advantage of these options in your AWS environment.

Transcript

  • 1. Delegating Access to your AWS Environment
    Jeff Wierer, Identity and Access Management (IAM)
    November 14, 2013
    © 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 2. Goals for this talk
    Understand the technology:
      – Sessions and the AWS Security Token Service (STS)
      – Roles and assumed-role sessions
      – Federated sessions
      – And more…
    Use cases we’ll cover:
      – Cross-Account API Access
      – AWS API Federation
      – AWS Management Console Federation
      – Web Identity Federation
  • 3. Let’s start with a short demo
  • 4. AWS Management Console SSO Demo Setup (sample: http://aws.amazon.com/code/4001165270590826)
    Active Directory: log into the console without a user name and password!
  • 5. Single Sign-On AWS Management Console Demo
  • 6. Wait… what just happened?
    1. Logged into my Windows desktop
    2. Hit an intranet website
    3. Chose the “role” I wanted to play in AWS
    4. Auto-magically signed in to the console
  • 7. Delegation basics: Sessions & the AWS Security Token Service
  • 8. Sessions 101
      – Allow delegating temporary access to your AWS account
      – Are generated by the AWS Security Token Service
      – Include temporary security credentials that are used to make API calls to AWS services
  • 9. Requesting a Session
    Start by requesting a session from AWS STS.
    [Diagram: a session, consisting of an Access Key Id, a Secret Access Key, a Session Token and an Expiration]
  • 10. What’s in a Session?
    Temporary security credentials: Access Key Id, Secret Access Key, Session Token, plus an Expiration.
  • 11. Multiple Ways to Get Sessions
      – Self-sessions (GetSessionToken)
      – Federated sessions (GetFederationToken)
      – Assumed-role sessions (assumeRole, assumeRoleWithWebIdentity, assumeRoleWithSAML)
  • 12. Sessions Expire
    Expiration varies based on token type [Min / Max / Default]:
      – Self (Account): 15 min / 60 min / 60 min
      – Self (IAM User): 15 min / 36 hrs / 12 hrs
      – Federated: 15 min / 36 hrs / 12 hrs
      – Assumed-role: 15 min / 60 min / 60 min
    Use caching to improve your application performance.
  • 13. Role-based Delegation: Using assumed-role sessions
  • 14. What’s an IAM Role?
      – Entity that defines a set of permissions for making AWS service requests
      – Not associated with a specific user or group
      – Roles must be “assumed” by trusted entities
  • 15. Using AWS Service Roles
      – Allow AWS services (e.g., Amazon EC2, AWS Data Pipeline, AWS OpsWorks) to act on behalf of your account
      – Create a role, apply an access policy, launch the service with it
      – Services can now access the resources/APIs defined by the access policy
      – When used with EC2, credentials are automatically:
          – Made available to the metadata cache*
          – Rotated multiple times a day
          – Used transparently by the AWS SDK within your apps!
    *http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access returns the temporary credentials for the instance
  • 16. Roles for EC2 Demo
    Create a role and launch an EC2 instance:
  • 17. Benefits of Using Roles
      – Eliminates use of long-term credentials
      – Automatic credential rotation
      – Less coding – the AWS SDK does all the work
      – Simple to delegate access to AWS services to perform work on your behalf
  • 18. Use Case: Cross-Account API Access
      – Access resources across AWS accounts
      – Why do you need it?
          – Management visibility across all your AWS accounts
          – Developer access to resources across AWS accounts
          – Enables using third-party management solutions
  • 19. Using IAM Roles for Cross-Account API Access
      – Extended “Service Roles” concept
          – Set a trust policy granting access
          – Set an access policy as before
      – Delegate access to other trusted entities
          – AWS services (such as EC2)
          – IAM users/roles within your account
          – IAM users/roles under a different account
      – IAM users in one account can now access resources in another account
    How to define who can assume the role using the console. With this policy the entity can assume MyRole under account 111122223333:
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::111122223333:role/MyRole"
          }
        ]
      }
  • 20. Cross-Account API Access – How Does It Work?
    [Diagram: Jeff, an IAM user in the IAM Team Account (Acct ID: 123456789012), authenticates with Jeff’s access keys, obtains temporary security credentials from STS by “assuming” s3-role in My AWS Account (Acct ID: 111122223333), and calls S3 APIs using the temporary security credentials.]
    Policy assigned to Jeff granting him permission to assume s3-role in account B:
      {
        "Statement": [{
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::111122223333:role/s3-role"
        }]
      }
    Policy assigned to s3-role defining who (trusted entities) can assume the role:
      {
        "Statement": [{
          "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
          "Action": "sts:AssumeRole"
        }]
      }
    Permissions assigned to s3-role:
      {
        "Statement": [{
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": "*"
        }]
      }
  • 21. Cross-Account Demo
    Building a Cross-Account Amazon S3 Browser
  • 22. Assumed-Role Session – Code Sample
      public static Credentials getAssumeRoleSession(String AccessKey, String SecretKey)
      {
          Credentials sessionCredentials;
          AmazonSecurityTokenServiceClient client = new AmazonSecurityTokenServiceClient(
              AccessKey, SecretKey, new AmazonSecurityTokenServiceConfig());

          // Store the attributes and request a new AssumeRole session (temporary security credentials)
          AssumeRoleRequest request = new AssumeRoleRequest
          {
              DurationSeconds = 3600,
              RoleArn = "arn:aws:iam::111122223333:role/s3-role",
              RoleSessionName = "S3BucketBrowser"
          };
          AssumeRoleResponse startSessionResponse = client.AssumeRole(request);

          if (startSessionResponse != null) // Check for valid security credentials or null
          {
              AssumeRoleResult startSessionResult = startSessionResponse.AssumeRoleResult;
              sessionCredentials = startSessionResult.Credentials;
              return sessionCredentials;
          }
          else
          {
              throw new Exception("S3 Browser :: Error in retrieving temporary security creds, received NULL");
          }
      }
  • 23. Cross-Account API Access Delegation Benefits
      – Use one set of credentials
      – No more sharing long-term credentials
      – Revoke access to the role anytime you want!
  • 24. Federation: Access AWS with your existing corporate identity
  • 25. Federation Overview
      – Access AWS with your existing corporate identity
      – Why use federation?
          – SSO to the AWS Management Console
          – Build apps that transparently access AWS resources and APIs
          – Eliminate “yet another password” to manage
  • 26. Use Case: API Federation (sample: http://aws.amazon.com/code/1288653099190193)
      – Identity provider
          – Windows Active Directory
          – Privileges based on AD group membership
          – AD groups include policies
      – Relying party is the AWS API (S3*)
      – Uses a federated session via the GetFederationToken API
  • 27. AWS API Federation Walkthrough
    [Diagram: on the customer side (identity provider) a user application, a federation proxy and Active Directory; on the AWS side (relying party) Amazon EC2, an S3 bucket with objects and Amazon DynamoDB. Numbered steps 1–7: the application requests a session from the federation proxy; the proxy sends a GetFederationToken request to AWS and receives the GetFederationToken response (access key, secret key, session token); the application receives the session and calls AWS APIs.]
      – Uses a set of IAM user credentials to make a GetFederationTokenRequest()
      – IAM user permissions need to be the union of all federated user permissions
      – Proxy needs to securely store these privileged credentials
  • 28. API Federation Demos
    Federation sample + CloudBerry AD bridge
  • 29. Using IAM Roles for Federation
      – Assumed-role sessions can also be used for federation
      – Provides a different option for storing AWS permissions
      – Allows for “separation of duties” in managing AWS permissions
          – Corp admin manages groups, users, and intranet permissions
          – AWS admin creates roles & maintains policies on those roles
  • 30. Use Case: Console Federation (sample: http://aws.amazon.com/code/4001165270590826)
      – Identity provider
          – Windows Active Directory
          – Privileges based on AD group membership
          – AD groups match the names of IAM roles
      – Relying party is the AWS Management Console
      – Uses an assumed-role session via AssumeRole
  • 31. Basics of a Role-Based Federation Proxy
    [Diagram: the proxy server, running as an IAM user in account 111122223333, authenticates with its access keys, gets temporary security credentials from STS for s3-role, and logs the user in to the AWS Management Console using those temporary security credentials.]
    Access policy assigned to Proxy (IAM user) granting access to ListRoles and AssumeRole for all roles:
      {
        "Statement": [{
          "Effect": "Allow",
          "Action": ["iam:ListRoles", "sts:AssumeRole"],
          "Resource": "arn:aws:iam::111122223333:role/*"
        }]
      }
    Trust policy set to s3-role defining who can assume the role:
      {
        "Statement": [{
          "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
          "Action": "sts:AssumeRole",
          "Condition": {"StringEquals": {"sts:ExternalId": "SOME-AD-SID"}}
        }]
      }
    Access policy set to s3-role:
      {
        "Statement": [{
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": "*"
        }]
      }
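To make the two-sided check behind slides 20 and 31 concrete, here is an added Python model (not AWS code and not from the talk's samples) that decides whether an AssumeRole call would succeed: the caller's identity policy must allow sts:AssumeRole on the role ARN, and the role's trust policy must list the caller's account root (or exact ARN) as a principal and, where present, its sts:ExternalId condition must match the value the caller supplied. The sample policies, Jeff's ARN and the "SOME-AD-SID" external ID are constructed from the slide text; real IAM evaluation has more rules (explicit Deny, other condition operators, resource policies) than this simplified model.

```python
import fnmatch
import json

# Sample policies constructed from slides 20 and 31 (not AWS code).
CALLER_ARN = "arn:aws:iam::123456789012:user/Jeff"
ROLE_ARN = "arn:aws:iam::111122223333:role/s3-role"
JEFF_POLICY = json.loads("""{"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
  "Resource": "arn:aws:iam::111122223333:role/s3-role"}]}""")
# Slide 20 trust policy: any principal in account 123456789012, no condition.
TRUST_PLAIN = json.loads("""{"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}""")
# Slide 31 trust policy: the same, plus an sts:ExternalId condition.
TRUST_EXTERNAL_ID = json.loads("""{"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
  "Condition": {"StringEquals": {"sts:ExternalId": "SOME-AD-SID"}}}]}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(value, patterns):
    """IAM-style wildcard match ('*' and '?') for Action and Resource strings."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def caller_may_assume(identity_policy, role_arn):
    """Caller side: some Allow statement covers sts:AssumeRole on this role ARN."""
    return any(st["Effect"] == "Allow" and _matches("sts:AssumeRole", st["Action"])
               and _matches(role_arn, st["Resource"]) for st in identity_policy["Statement"])

def role_trusts_caller(trust_policy, caller_arn, external_id=None):
    """Role side: the caller's ARN or its account root is a principal, and any
    sts:ExternalId condition equals the value the caller passed to AssumeRole."""
    account_root = "arn:aws:iam::%s:root" % caller_arn.split(":")[4]
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow" or not _matches("sts:AssumeRole", st["Action"]):
            continue
        principals = _as_list(st["Principal"]["AWS"])
        if caller_arn not in principals and account_root not in principals:
            continue
        wanted = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if wanted is not None and wanted != external_id:
            continue  # condition present but not met: this statement does not apply
        return True
    return False

def assume_role_allowed(identity_policy, trust_policy, caller_arn, role_arn, external_id=None):
    """Both sides must allow: a trust policy alone, or an identity policy alone, is not enough."""
    return (caller_may_assume(identity_policy, role_arn)
            and role_trusts_caller(trust_policy, caller_arn, external_id))
```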
  • 32. Console Federation Walkthrough (assumeRole)
    [Diagram: customer side (IdP) with a browser interface, a corporate directory and a federation proxy; AWS side (relying party) with STS and the AWS Management Console. Numbered steps 1–10: the user browses to the proxy URL; the proxy looks the user up in the corporate directory, sends a ListRoles request, receives the ListRoles response and builds a combo box of roles; it then sends an AssumeRole request and receives the AssumeRole response with temporary credentials (access key, secret key, session token), generates a sign-in URL and redirects the browser to the console.]
      – Uses a set of IAM user credentials to make AssumeRoleRequest()
      – IAM user permissions only need to be able to call ListRoles & assume role
      – Proxy needs to securely store these credentials
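Added example (Python, not from the talk's sample code) of the last steps of the walkthrough above: assume the role the user picked, then turn the temporary credentials into a console sign-in URL through the AWS federation endpoint (Action=getSigninToken, then Action=login). The STS client and the HTTP fetch are injected so the flow can be exercised offline; the role ARN, session name and issuer URL used in the test are constructed values.

```python
import json
import urllib.request
from urllib.parse import urlencode

# The federation endpoint AWS documents for custom identity brokers; the rest is constructed.
FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"

def signin_token_url(creds):
    """Exchange temporary credentials for a sign-in token. The Session parameter is the
    JSON-encoded temporary credentials from STS, not long-term IAM user keys."""
    session = {"sessionId": creds["AccessKeyId"], "sessionKey": creds["SecretAccessKey"],
               "sessionToken": creds["SessionToken"]}
    return FEDERATION_ENDPOINT + "?" + urlencode({"Action": "getSigninToken",
                                                  "Session": json.dumps(session)})

def login_url(signin_token, issuer, destination="https://console.aws.amazon.com/"):
    """The URL the proxy redirects the browser to. Issuer identifies the proxy's own
    sign-in page; Destination is the console page to open."""
    return FEDERATION_ENDPOINT + "?" + urlencode({"Action": "login", "Issuer": issuer,
                                                  "Destination": destination,
                                                  "SigninToken": signin_token})

def _http_get_json(url):
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)

def console_url_for_role(sts, role_arn, session_name, issuer, http_get_json=_http_get_json):
    """AssumeRole, then getSigninToken, then build the login redirect. `sts` is any object
    with a boto3-style assume_role(RoleArn=, RoleSessionName=, DurationSeconds=) returning
    a dict with a "Credentials" key; a real boto3 STS client fits, and the test injects a fake."""
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=3600)  # slide 12: assumed-role sessions max 60 min
    token = http_get_json(signin_token_url(resp["Credentials"]))["SigninToken"]
    return login_url(token, issuer)
```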
  • 33. SSO Federation using SAML 2.0 (New)
      – STS supports Security Assertion Markup Language
      – Use existing identity management software to access AWS resources
      – AWS Management Console SSO
          – IdP-initiated Web SSO via SAML 2.0 using the HTTP-POST binding (Web SSO profile)
          – New sign-in URL that greatly simplifies SSO: https://signin.aws.amazon.com/saml (receives the <SAML AuthN response>)
      – API federation using the new assumeRoleWithSAML API
  • 34. Console Federation using SAML
    [Diagram: Enterprise (identity provider) with a browser interface, the identity provider and a corporate identity store; AWS (service provider) with AWS Sign-in and the AWS Management Console. Steps 1–5: the user browses to the identity provider; the identity provider authenticates the user against the corporate identity store; the browser posts to AWS Sign-in, passing the AuthN response; AWS Sign-in receives the AuthN response and redirects the client to the AWS Management Console.]
  • 35. SAML Federation Demos
      – Single Sign-On to AWS Management Console
      – API Federation
  • 36. Partner Offerings for Federation / SSO
      – http://www.xceedium.com/xsuite/xsuite-for-amazon-web-services
      – http://www.okta.com/aws/
      – http://www.symplified.com/solutions/single-sign-on-sso
      – https://www.pingidentity.com/products/pingfederate/
      – http://www.cloudberrylab.com/ad-bridge.aspx
  • 37. Federation Benefits
      – Leverage your existing corporate identities
      – Use the user name/password you already know
      – Enforce corporate policies/governance
      – When employees leave, you only need to delete their corporate account
  • 38. Use Case: Web Identity Federation
      – Want to create cloud-backed mobile apps
          – Leaderboards
          – Image/file sharing
          – Saved state/user settings for cross-device access
      – Challenges
          – Users may, or may not, be authenticated
          – Assume users don’t have AWS accounts
          – Developers need to securely delegate limited access to their AWS resources
      – Enables granting access to AWS resources without embedding credentials in the app
  • 39. Web Identity Federation: Detailed Walkthrough
    [Diagram, steps 1–7: the mobile app authenticates the user with a web identity provider and receives an ID token; the token is sent to AWS, where it is verified and the role’s policy is checked against IAM; the app then uses the resulting credentials to reach AWS services (EC2 instances, S3, Amazon DynamoDB) in regions such as US-EAST-1, EU-WEST-1 and AP-SOUTHEAST-1.]
  • 40. Web Identity Federation Benefits
      – Create mobile/web-based apps that easily integrate major web identity providers with AWS
      – Eliminates the need to
          – Directly embed AWS access key IDs and secret access keys
          – Utilize proxy servers to access AWS services
      – Introduces the assumeRoleWithWebIdentity API
          – Create an IAM role per application
          – Use a policy that replaces a variable using metadata from an ID/access token
          – Pass the token with the request to assume the role
      – Support: Login with Amazon, Facebook, & Google
      – Learn more at session SEC401
  • 41. A few final words
  • 42. Are There Any Limitations to using Sessions?
    [Table (support marks not reproduced) of Federated vs. Assumed-Role* session support per service: AWS Security Token Service; AWS Identity and Access Management (IAM); AWS Elastic Beanstalk; Amazon Elastic MapReduce; all other services.] *(for assumeRole)
    Accurate as of 11/14/2013. See http://aws.amazon.com/iam for the most up to date list.
  • 43. Summary: Use Cases
    Cross-Account API Access
      – Use one set of credentials
      – No more sharing long-term credentials
      – Revoke access to the role anytime you want!
    AWS API / Management Console Federation
      – Leverage your existing corporate identities
      – Use the user name/password you already know
      – Enforce corporate policies/governance
      – When employees leave, you only need to delete their corporate account
    Web Identity Federation
      – Simplify granting access to resources for your mobile apps
      – Built-in support for Login with Amazon, Facebook, & Google identities
  • 44. Additional resources
      – IAM detail page: http://aws.amazon.com/iam
      – AWS forum: https://forums.aws.amazon.com/forum.jspa?forumID=76
      – Documentation: http://aws.amazon.com/documentation/iam/
      – AWS Security Blog: http://blogs.aws.amazon.com/security
      – Twitter: @AWSIdentity
  • 45. All IAM related sessions at re:Invent
    ID      Title                                                                                  Time, Room
    CPN205  Securing Your Amazon EC2 Environment with AWS IAM Roles and Resource-Based Permissions  Wed 11/13 11am, Delfino 4003
    SEC201  Access Control for the Cloud: AWS Identity and Access Management (IAM)                  Wed 11/13 1.30pm, Marcello 4406
    SEC301  TOP 10 IAM Best Practices                                                               Wed 11/13 3pm, Marcello 4503
    SEC302  Mastering Access Control Policies                                                       Wed 11/13 4.15pm, Venetian A
    SEC303  Delegating Access to Your AWS Environment                                               Thu 11/14 11am, Venetian A
    Come talk security with AWS: Thu 11/14 4pm, Toscana 3605
  • 46. Please give us your feedback on this presentation (SEC303). As a thank you, we will select prize winners daily for completed surveys!