SEC101 A Guided Tour of AWS Identity and Access Management - AWS re: Invent…

Learn what AWS Identity and Access Management (IAM) technologies are available for you to manage users and their access to your AWS environment. We present a high-level discussion of the benefits and functionality IAM provides to control secure access to your AWS environment. We discuss how you can manage users and their permissions with IAM, how roles make it simpler for you to delegate access, and how to use Multi-Factor Authentication (MFA) to require additional proof of identity.


  1. © 2012 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
  2. File sharing example: C:\home\mydata.log
     Who (Name) | What (Permission Level)
     Patrick    | Read
     Anna       | Owner
     Questions the slide poses: Which resources? Which actions?
  3. Diagram of AWS services: AWS IAM, Amazon RDS, Amazon SES, Amazon CloudWatch, Amazon SNS, Amazon Route 53, Amazon DynamoDB, Amazon CloudFront, Amazon EC2, Amazon S3, AWS Storage Gateway, AWS CloudFormation, Amazon ElastiCache, Amazon CloudSearch, Amazon VPC, Amazon SWF, Amazon SQS, Amazon Elastic MapReduce, AWS Elastic Beanstalk
  5. Diagram of AWS resource types: AMIs, Elastic IPs, Placement Groups, Users, Spot Instances, Templates, Distributions, Buckets, Volumes, Clusters, Roles, Messages, Instances, Files, Groups, Tables, Snapshots, Topics, Load Balancers, Security Groups, Workflows, Autoscaling Groups, Domains, Applications, Queues, Network Interfaces
  6. Scale: over 1 trillion resources; over 650K requests/sec; hundreds of thousands of customers; "many" servers
  7. AWS (image slide)
  9. *While Joe and his story are fictional, you may find many of his challenges quite real
  10. Joe Raises $1.5M Series A Financing Round!
  11. Joe's groups and what each may do (slide table, reconstructed):
      Groups: Dev/Ops, Development, Sales/Marketing, Finance/Accounting, Administrator (Joe)
      Permission sets shown:
      - Full access to Amazon S3 and Amazon DynamoDB, plus the ability to start (but not stop) Amazon EC2 instances
      - Read-only access to Amazon S3 and DynamoDB
      - Account Activity and Usage Reports only
      - Administrator: control all AWS resources, including managing users
  12. Joe's users and groups: Joe; groups Dev/Ops, Development, Sales/Marketing, Finance/Accounting; users Graeme, Nate, Anders, Joan, Greg, Cicilie, Erin, Kevin, Brian, Jeff
  17. Script shown on the slide (legacy IAM command line tools, IAMCli 1.5.0), with the two lines marked "added" supplied so it runs as written:
      #!/bin/bash
      export AWS_IAM_HOME=~/IAMCli-1.5.0
      export AWS_CREDENTIAL_FILE=~/IAMCli-1.5.0/aws-credential.template
      export JAVA_HOME=/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home
      export PATH="$AWS_IAM_HOME/bin:$PATH"   # added: the iam-* commands live in the tool's bin directory
      # The group must exist before users can be added to it (added)
      iam-groupcreate -g TestSubjects
      # Create users, and add them to the "TestSubjects" group
      iam-usercreate -u RedShirt1 -g TestSubjects
      iam-usercreate -u RedShirt2 -g TestSubjects
      iam-usercreate -u RedShirt3 -g TestSubjects
      # … (RedShirt4 through RedShirt23 are elided on the slide)
      iam-usercreate -u RedShirt24 -g TestSubjects
      iam-usercreate -u RedShirt25 -g TestSubjects
  18. http://aws.amazon.com/documentation/iam/
  19. Diagram: Amazon DynamoDB and Amazon S3 inside the AWS cloud
  20. Diagram: two Auto Scaling groups that need access to Amazon DynamoDB and Amazon S3; how they get credentials is marked "?"
  21. Diagram: Auto Scaling groups of GeneticAnalysis servers; AWS IAM gives the server RW access to files (Amazon S3) and DB rows (Amazon DynamoDB)
  22. MARTHA!
  23. Chart, "The Martha effect": capacity over time (urbanchickens.org)
  24. AWS MFA supports any OATH TOTP compatible application (RFC 6238)
  25. Diagram: Joe's Chicken Genetics intranet portal (Joe)
  26. Summary: IAM features by customer tier (Basic, Startup/SMB, Enterprise), at no additional charge: Users, Groups, Permissions; Management UI, CLI, API; Roles for EC2; Password Strength Policy; Multi-Factor Authentication; Federation & SSO; AWS Marketplace Control
  27. Related sessions:
      Code   | Session                                             | Time
      SEC101 | A Guided Tour of AWS Identity and Access Management | Wednesday 11/28, 2.05pm
      SEC302 | Delegating Access to Your AWS Environment           | Wednesday 11/28, 3.25pm
      SEC303 | Top 10 IAM Best Practices                           | Thursday 11/29, 3pm
  28. We are sincerely eager to hear your feedback on this presentation and on re:Invent. Please fill out an evaluation form when you have a chance.
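The "start but not stop EC2 instances" permission set from slide 11, written as an IAM policy document together with a minimal evaluator of IAM's decision order (explicit Deny, then Allow, otherwise implicit deny). This is an added example, not code from the deck; the policy documents and the evaluator are constructed here.

```python
import re

# Added example, not from the slides: slide 11's permission set ("full access to
# Amazon S3 and Amazon DynamoDB, plus start but not stop EC2 instances") as an IAM
# policy, with an evaluator that mirrors IAM's decision order: an explicit Deny
# wins, then an explicit Allow, and anything not allowed is implicitly denied.
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"},
        # Start is granted; ec2:StopInstances is simply never allowed (implicit deny).
        {"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "*"},
    ],
}

# Same intent written defensively: a broad EC2 Allow paired with an explicit Deny,
# so that no other policy attached to the same group can re-grant StopInstances.
DEV_POLICY_EXPLICIT_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*", "ec2:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:StopInstances", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource="*"):
    """True only if some statement allows the request and none explicitly denies it."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource, False) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny overrides any Allow
        allowed = True
    return allowed  # no matching Allow: implicit deny
```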
