SlideShare a Scribd company logo

beAuth

AWS User Group Italy
AWS User Group Italy

Temporary AWS credentials renewal and management. The beSharp approach

Internet
1 of 21
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWSThe beSharp approach
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS BESHARP CASE STUDY beSharp follows AWS and security best practise. We want a root account where we don’t have any operational resource while being able to setup policies, roles and resource access to other accounts. ๏ SSO with G-Suite as IdP ๏ Root account setup ๏ Multiple linked account setup
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS BESHARP CASE STUDY
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS SECURITY TOKEN SERVICE Enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or federated users.
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS AND WHAT IS IAM… ? Enables you to securely control access to AWS services and resources for your users, offering great security, flexibility and control when using AWS. You can create and manage: ๏ IAM users and their access ๏ Federated users access
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS JUST A REMINDER… ๏ IAM USER An individual, system or application that interacts with AWS programatically ๏ IAM ROLE An entity that has a set of permissions, and that other entities assumes to make calls to access AWS resources and services.
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS ABOUT CREDENTIALS When requesting access through STS, it typically return a set of: ๏ Access Key ID ๏ Secret Access Key ๏ Security Token
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS CREDENTIALS CHAIN 1. Command line options – You can specify --region, --output, and --profile as parameters on the command line. 2. Environment variables – AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN 3. The CLI credentials file – This is one of the files that is updated when you run the command aws configure. The file is located at ~/.aws/credentials. 4. The CLI configuration file – This is another file that is updated when you run the command aws configure. The file is located at ~/.aws/config 5. Credentials – You can associate an IAM role with each of your Amazon Elastic Container Service (Amazon ECS) task definitions. Temporary credentials for that role are then available to that task's containers. 6. Instance profile credentials – You can associate an IAM role with each of your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary credentials for that role are then available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service.
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS ASSUMING IAM ROLE IN AWS CLI You can configure the AWS CLI to use an IAM role by defining a profile for the role in the ~/.aws/config file. [profile myAwesomeProfile] role_arn = arn:aws:iam::123456789012:role/myAwesomeRole FOR PROGRAMMERS Some SDKs will automatically pick up a set of temporary generated credentials (i.e. .NET) . Problem is that not all SDKs are supported like (Java, Ruby, Javascript…)
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS WHY? 12/7/2018
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS WHY?
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS WHY? https://eslint.org/blog/2018/07/postmortem-for-malicious- package-publishes IS A GOOD ENOUGH REASON?
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS BEAUTH TO THE RESCUE
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS WHAT DOES IT DO? A simple program devised to store securely in local the data needed for generating short-term lived credentials with STS. The generated credentials are valid for one hour, and regenerated after expiration. It overwrites directly the .aws file in the user folder.
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS FULL CLI INTEGRATION By changing the file based on all CLI tools, it’s fully compatible with any tool that is based upon the AWS CLI: ๏ CLI ๏ AWS-SDK ๏ CodeCommit ๏ All tools based on AWS CLI ๏ Terraform, Serverless, SAM, ecc…
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS LIVE-DEMO SHOWTIME!
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS MOCK EC2 INSTANCE-METADATA SERVICE BETA!
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS MOCK EC2 INSTANCE-METADATA SERVICE
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS MOCK EC2 INSTANCE-METADATA SERVICE How it works?
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS NEXT ๏ User Access Key and Secret Access Key support ๏ Clean credentials upon exit ๏ Multiple providers ๏ Timeout settings (cannot be less than 15 minutes) ๏ Remote DB
TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS THANK YOU Q&Anicolo@besharp.it
 alessio@besharp.it

Recommended

(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
Amazon Web Services
 
Advanced Container Management and Scheduling
Advanced Container Management and SchedulingAdvanced Container Management and Scheduling
Advanced Container Management and Scheduling
Amazon Web Services
 
AWS January 2016 Webinar Series - Introduction to Docker on AWS
AWS January 2016 Webinar Series - Introduction to Docker on AWSAWS January 2016 Webinar Series - Introduction to Docker on AWS
AWS January 2016 Webinar Series - Introduction to Docker on AWS
Amazon Web Services
 
Amazon EC2 and AWS Elastic Beanstalk Introduction
Amazon EC2 and AWS Elastic Beanstalk IntroductionAmazon EC2 and AWS Elastic Beanstalk Introduction
Amazon EC2 and AWS Elastic Beanstalk Introduction
Amazon Web Services
 
AWS OpsWorks Under the Hood (DMG304) | AWS re:Invent 2013
AWS OpsWorks Under the Hood (DMG304) | AWS re:Invent 2013AWS OpsWorks Under the Hood (DMG304) | AWS re:Invent 2013
AWS OpsWorks Under the Hood (DMG304) | AWS re:Invent 2013
Amazon Web Services
 
(DVO301) AWS OpsWorks Under the Hood
(DVO301) AWS OpsWorks Under the Hood(DVO301) AWS OpsWorks Under the Hood
(DVO301) AWS OpsWorks Under the Hood
Amazon Web Services
 
Running Microservices on Amazon ECS - AWS April 2016 Webinar Series
Running Microservices on Amazon ECS - AWS April 2016 Webinar SeriesRunning Microservices on Amazon ECS - AWS April 2016 Webinar Series
Running Microservices on Amazon ECS - AWS April 2016 Webinar Series
Amazon Web Services
 
Improving Infrastructure Governance on AWS
Improving Infrastructure Governance on AWSImproving Infrastructure Governance on AWS
Improving Infrastructure Governance on AWS
Amazon Web Services
 

Recommended

(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
(SEC315) NEW LAUNCH: Get Deep Visibility into Resource Configurations | AWS r...
Amazon Web Services
 
Advanced Container Management and Scheduling
Advanced Container Management and SchedulingAdvanced Container Management and Scheduling
Advanced Container Management and Scheduling
Amazon Web Services
 
AWS January 2016 Webinar Series - Introduction to Docker on AWS
AWS January 2016 Webinar Series - Introduction to Docker on AWSAWS January 2016 Webinar Series - Introduction to Docker on AWS
AWS January 2016 Webinar Series - Introduction to Docker on AWS
Amazon Web Services
 
Amazon EC2 and AWS Elastic Beanstalk Introduction
Amazon EC2 and AWS Elastic Beanstalk IntroductionAmazon EC2 and AWS Elastic Beanstalk Introduction
Amazon EC2 and AWS Elastic Beanstalk Introduction
Amazon Web Services
 
AWS OpsWorks Under the Hood (DMG304) | AWS re:Invent 2013
AWS OpsWorks Under the Hood (DMG304) | AWS re:Invent 2013AWS OpsWorks Under the Hood (DMG304) | AWS re:Invent 2013
AWS OpsWorks Under the Hood (DMG304) | AWS re:Invent 2013
Amazon Web Services
 
(DVO301) AWS OpsWorks Under the Hood
(DVO301) AWS OpsWorks Under the Hood(DVO301) AWS OpsWorks Under the Hood
(DVO301) AWS OpsWorks Under the Hood
Amazon Web Services
 
Running Microservices on Amazon ECS - AWS April 2016 Webinar Series
Running Microservices on Amazon ECS - AWS April 2016 Webinar SeriesRunning Microservices on Amazon ECS - AWS April 2016 Webinar Series
Running Microservices on Amazon ECS - AWS April 2016 Webinar Series
Amazon Web Services
 
Improving Infrastructure Governance on AWS
Improving Infrastructure Governance on AWSImproving Infrastructure Governance on AWS
Improving Infrastructure Governance on AWS
Amazon Web Services
 
Aws interview questions
Aws interview questionsAws interview questions
Aws interview questions
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
Amazon Elastic Container Service (ECS)
Amazon Elastic Container Service (ECS)Amazon Elastic Container Service (ECS)
Amazon Elastic Container Service (ECS)
Andrew Dixon
 
Workshop; Deploy a Deep Learning Framework on Amazon ECS and Spot Instances
Workshop; Deploy a Deep Learning Framework on Amazon ECS and Spot InstancesWorkshop; Deploy a Deep Learning Framework on Amazon ECS and Spot Instances
Workshop; Deploy a Deep Learning Framework on Amazon ECS and Spot Instances
Amazon Web Services
 
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Amazon Web Services
 
AWS January 2016 Webinar Series - Getting Started with Big Data on AWS
AWS January 2016 Webinar Series - Getting Started with Big Data on AWSAWS January 2016 Webinar Series - Getting Started with Big Data on AWS
AWS January 2016 Webinar Series - Getting Started with Big Data on AWS
Amazon Web Services
 
DevOps for the Enterprise: Automated Testing and Monitoring
DevOps for the Enterprise: Automated Testing and Monitoring DevOps for the Enterprise: Automated Testing and Monitoring
DevOps for the Enterprise: Automated Testing and Monitoring
Amazon Web Services
 
Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...
Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...
Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...
Amazon Web Services
 
AWS Identity and access Managment
AWS Identity and access ManagmentAWS Identity and access Managment
AWS Identity and access Managment
Mahesh Raj
 
Overview of Amazon Web Services
Overview of Amazon Web ServicesOverview of Amazon Web Services
Overview of Amazon Web Services
Brett Gillett
 
20141021 AWS Cloud Taekwon - Startup Best Practices on AWS
20141021 AWS Cloud Taekwon - Startup Best Practices on AWS20141021 AWS Cloud Taekwon - Startup Best Practices on AWS
20141021 AWS Cloud Taekwon - Startup Best Practices on AWS
Amazon Web Services Korea
 
AWS January 2016 Webinar Series - Amazon Aurora for Enterprise Database Appli...
AWS January 2016 Webinar Series - Amazon Aurora for Enterprise Database Appli...AWS January 2016 Webinar Series - Amazon Aurora for Enterprise Database Appli...
AWS January 2016 Webinar Series - Amazon Aurora for Enterprise Database Appli...
Amazon Web Services
 
Monitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar SeriesMonitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar Series
Amazon Web Services
 
(DVO304) AWS CloudFormation Best Practices
(DVO304) AWS CloudFormation Best Practices(DVO304) AWS CloudFormation Best Practices
(DVO304) AWS CloudFormation Best Practices
Amazon Web Services
 
(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...
(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...
(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...
Amazon Web Services
 
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)
Amazon Web Services Korea
 
ClearScale: Continuous Automation with Docker on AWS
ClearScale: Continuous Automation with Docker on AWSClearScale: Continuous Automation with Docker on AWS
ClearScale: Continuous Automation with Docker on AWS
Amazon Web Services
 
Amazon Lightsail: Jumpstart Your Cloud Project for a Low, Predictable Price.
Amazon Lightsail: Jumpstart Your Cloud Project for a Low, Predictable Price. Amazon Lightsail: Jumpstart Your Cloud Project for a Low, Predictable Price.
Amazon Lightsail: Jumpstart Your Cloud Project for a Low, Predictable Price.
Amazon Web Services
 
數據庫遷移到雲端的成功秘訣
數據庫遷移到雲端的成功秘訣數據庫遷移到雲端的成功秘訣
數據庫遷移到雲端的成功秘訣
Amazon Web Services
 
Getting Started with Amazon EC2 and Compute Services
Getting Started with Amazon EC2 and Compute ServicesGetting Started with Amazon EC2 and Compute Services
Getting Started with Amazon EC2 and Compute Services
Amazon Web Services
 
Intro to Azure Static Web Apps
Intro to Azure Static Web AppsIntro to Azure Static Web Apps
Intro to Azure Static Web Apps
Moaid Hathot
 
AWS Primer and Quickstart
AWS Primer and QuickstartAWS Primer and Quickstart
AWS Primer and Quickstart
Manish Pandit
 
Following Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdfFollowing Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdf
Amazon Web Services
 

More Related Content

What's hot

Workshop; Deploy a Deep Learning Framework on Amazon ECS and Spot Instances
Workshop; Deploy a Deep Learning Framework on Amazon ECS and Spot InstancesWorkshop; Deploy a Deep Learning Framework on Amazon ECS and Spot Instances
Workshop; Deploy a Deep Learning Framework on Amazon ECS and Spot Instances
Amazon Web Services
 
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Amazon Web Services
 
AWS January 2016 Webinar Series - Getting Started with Big Data on AWS
AWS January 2016 Webinar Series - Getting Started with Big Data on AWSAWS January 2016 Webinar Series - Getting Started with Big Data on AWS
AWS January 2016 Webinar Series - Getting Started with Big Data on AWS
Amazon Web Services
 
DevOps for the Enterprise: Automated Testing and Monitoring
DevOps for the Enterprise: Automated Testing and Monitoring DevOps for the Enterprise: Automated Testing and Monitoring
DevOps for the Enterprise: Automated Testing and Monitoring
Amazon Web Services
 
AWS January 2016 Webinar Series - Amazon Aurora for Enterprise Database Appli...
AWS January 2016 Webinar Series - Amazon Aurora for Enterprise Database Appli...AWS January 2016 Webinar Series - Amazon Aurora for Enterprise Database Appli...
AWS January 2016 Webinar Series - Amazon Aurora for Enterprise Database Appli...
Amazon Web Services
 
Monitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar SeriesMonitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar Series
Amazon Web Services
 
(DVO304) AWS CloudFormation Best Practices
(DVO304) AWS CloudFormation Best Practices(DVO304) AWS CloudFormation Best Practices
(DVO304) AWS CloudFormation Best Practices
Amazon Web Services
 
ClearScale: Continuous Automation with Docker on AWS
ClearScale: Continuous Automation with Docker on AWSClearScale: Continuous Automation with Docker on AWS
ClearScale: Continuous Automation with Docker on AWS
Amazon Web Services
 
Getting Started with Amazon EC2 and Compute Services
Getting Started with Amazon EC2 and Compute ServicesGetting Started with Amazon EC2 and Compute Services
Getting Started with Amazon EC2 and Compute Services
Amazon Web Services
 

What's hot (20)

Aws interview questions
Aws interview questionsAws interview questions
Aws interview questions
 
Amazon Elastic Container Service (ECS)
Amazon Elastic Container Service (ECS)Amazon Elastic Container Service (ECS)
Amazon Elastic Container Service (ECS)
 
Workshop; Deploy a Deep Learning Framework on Amazon ECS and Spot Instances
Workshop; Deploy a Deep Learning Framework on Amazon ECS and Spot InstancesWorkshop; Deploy a Deep Learning Framework on Amazon ECS and Spot Instances
Workshop; Deploy a Deep Learning Framework on Amazon ECS and Spot Instances
 
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
Delegating Access to your AWS Environment (SEC303) | AWS re:Invent 2013
 
AWS January 2016 Webinar Series - Getting Started with Big Data on AWS
AWS January 2016 Webinar Series - Getting Started with Big Data on AWSAWS January 2016 Webinar Series - Getting Started with Big Data on AWS
AWS January 2016 Webinar Series - Getting Started with Big Data on AWS
 
DevOps for the Enterprise: Automated Testing and Monitoring
DevOps for the Enterprise: Automated Testing and Monitoring DevOps for the Enterprise: Automated Testing and Monitoring
DevOps for the Enterprise: Automated Testing and Monitoring
 
Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...
Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...
Managing Your Infrastructure as Code by Travis Williams, Solutions Architect,...
 
AWS Identity and access Managment
AWS Identity and access ManagmentAWS Identity and access Managment
AWS Identity and access Managment
 
Overview of Amazon Web Services
Overview of Amazon Web ServicesOverview of Amazon Web Services
Overview of Amazon Web Services
 
20141021 AWS Cloud Taekwon - Startup Best Practices on AWS
20141021 AWS Cloud Taekwon - Startup Best Practices on AWS20141021 AWS Cloud Taekwon - Startup Best Practices on AWS
20141021 AWS Cloud Taekwon - Startup Best Practices on AWS
 
AWS January 2016 Webinar Series - Amazon Aurora for Enterprise Database Appli...
AWS January 2016 Webinar Series - Amazon Aurora for Enterprise Database Appli...AWS January 2016 Webinar Series - Amazon Aurora for Enterprise Database Appli...
AWS January 2016 Webinar Series - Amazon Aurora for Enterprise Database Appli...
 
Monitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar SeriesMonitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar Series
 
(DVO304) AWS CloudFormation Best Practices
(DVO304) AWS CloudFormation Best Practices(DVO304) AWS CloudFormation Best Practices
(DVO304) AWS CloudFormation Best Practices
 
(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...
(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...
(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...
 
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)
 
ClearScale: Continuous Automation with Docker on AWS
ClearScale: Continuous Automation with Docker on AWSClearScale: Continuous Automation with Docker on AWS
ClearScale: Continuous Automation with Docker on AWS
 
Amazon Lightsail: Jumpstart Your Cloud Project for a Low, Predictable Price.
Amazon Lightsail: Jumpstart Your Cloud Project for a Low, Predictable Price. Amazon Lightsail: Jumpstart Your Cloud Project for a Low, Predictable Price.
Amazon Lightsail: Jumpstart Your Cloud Project for a Low, Predictable Price.
 
數據庫遷移到雲端的成功秘訣
數據庫遷移到雲端的成功秘訣數據庫遷移到雲端的成功秘訣
數據庫遷移到雲端的成功秘訣
 
Getting Started with Amazon EC2 and Compute Services
Getting Started with Amazon EC2 and Compute ServicesGetting Started with Amazon EC2 and Compute Services
Getting Started with Amazon EC2 and Compute Services
 
Intro to Azure Static Web Apps
Intro to Azure Static Web AppsIntro to Azure Static Web Apps
Intro to Azure Static Web Apps
 

Similar to beAuth

Aw some day_essentials3.2ish_072214
Aw some day_essentials3.2ish_072214Aw some day_essentials3.2ish_072214
Aw some day_essentials3.2ish_072214
Amazon Web Services
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
Amazon Web Services
 
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Amazon Web Services
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
Amazon Web Services
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWS
Amazon Web Services
 

Similar to beAuth (20)

AWS Primer and Quickstart
AWS Primer and QuickstartAWS Primer and Quickstart
AWS Primer and Quickstart
 
Following Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdfFollowing Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdf
 
Aw some day_essentials3.2ish_072214
Aw some day_essentials3.2ish_072214Aw some day_essentials3.2ish_072214
Aw some day_essentials3.2ish_072214
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
 
Demystifying identity on AWS
Demystifying identity on AWSDemystifying identity on AWS
Demystifying identity on AWS
 
Aws security Fundamentals
Aws security Fundamentals Aws security Fundamentals
Aws security Fundamentals
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts
 
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
 
re:Invent Recap: Security Week at the SF Loft
re:Invent Recap: Security Week at the SF Loftre:Invent Recap: Security Week at the SF Loft
re:Invent Recap: Security Week at the SF Loft
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
 
Architecting for Greater Security - London Summit Enteprise Track RePlay
Architecting for Greater Security - London Summit Enteprise Track RePlayArchitecting for Greater Security - London Summit Enteprise Track RePlay
Architecting for Greater Security - London Summit Enteprise Track RePlay
 
Aws glossary flash cards
Aws glossary flash cardsAws glossary flash cards
Aws glossary flash cards
 
Security Basics in AWS or How To Get Rid of Hardcoded Credential and Reduce D...
Security Basics in AWS or How To Get Rid of Hardcoded Credential and Reduce D...Security Basics in AWS or How To Get Rid of Hardcoded Credential and Reduce D...
Security Basics in AWS or How To Get Rid of Hardcoded Credential and Reduce D...
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWS
 
AWS Solution Architect Associate Report
AWS Solution Architect Associate ReportAWS Solution Architect Associate Report
AWS Solution Architect Associate Report
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 

Recently uploaded

一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
apekaom
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
ayvbos
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理
A
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样
AS
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
AS
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
F
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理
SS
 
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
hfkmxufye
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
AS
 

Recently uploaded (20)

一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
 
Sholinganallur (Chennai) Independent Escorts - 9632533318 100% genuine
Sholinganallur (Chennai) Independent Escorts - 9632533318 100% genuineSholinganallur (Chennai) Independent Escorts - 9632533318 100% genuine
Sholinganallur (Chennai) Independent Escorts - 9632533318 100% genuine
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirt
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
 
Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
 

beAuth

  • 1. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWSThe beSharp approach
  • 2. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS BESHARP CASE STUDY beSharp follows AWS and security best practise. We want a root account where we don’t have any operational resource while being able to setup policies, roles and resource access to other accounts. ๏ SSO with G-Suite as IdP ๏ Root account setup ๏ Multiple linked account setup
  • 3. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS BESHARP CASE STUDY
  • 4. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS SECURITY TOKEN SERVICE Enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or federated users.
  • 5. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS AND WHAT IS IAM… ? Enables you to securely control access to AWS services and resources for your users, offering great security, flexibility and control when using AWS. You can create and manage: ๏ IAM users and their access ๏ Federated users access
  • 6. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS JUST A REMINDER… ๏ IAM USER An individual, system or application that interacts with AWS programatically ๏ IAM ROLE An entity that has a set of permissions, and that other entities assumes to make calls to access AWS resources and services.
  • 7. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS ABOUT CREDENTIALS When requesting access through STS, it typically return a set of: ๏ Access Key ID ๏ Secret Access Key ๏ Security Token
  • 8. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS CREDENTIALS CHAIN 1. Command line options – You can specify --region, --output, and --profile as parameters on the command line. 2. Environment variables – AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN 3. The CLI credentials file – This is one of the files that is updated when you run the command aws configure. The file is located at ~/.aws/credentials. 4. The CLI configuration file – This is another file that is updated when you run the command aws configure. The file is located at ~/.aws/config 5. Credentials – You can associate an IAM role with each of your Amazon Elastic Container Service (Amazon ECS) task definitions. Temporary credentials for that role are then available to that task's containers. 6. Instance profile credentials – You can associate an IAM role with each of your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary credentials for that role are then available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service.
  • 9. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS ASSUMING IAM ROLE IN AWS CLI You can configure the AWS CLI to use an IAM role by defining a profile for the role in the ~/.aws/config file. [profile myAwesomeProfile] role_arn = arn:aws:iam::123456789012:role/myAwesomeRole FOR PROGRAMMERS Some SDKs will automatically pick up a set of temporary generated credentials (i.e. .NET) . Problem is that not all SDKs are supported like (Java, Ruby, Javascript…)
  • 10. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS WHY? 12/7/2018
  • 11. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS WHY?
  • 12. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS WHY? https://eslint.org/blog/2018/07/postmortem-for-malicious- package-publishes IS A GOOD ENOUGH REASON?
  • 13. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS BEAUTH TO THE RESCUE
  • 14. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS WHAT DOES IT DO? A simple program devised to store securely in local the data needed for generating short-term lived credentials with STS. The generated credentials are valid for one hour, and regenerated after expiration. It overwrites directly the .aws file in the user folder.
  • 15. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS FULL CLI INTEGRATION By changing the file based on all CLI tools, it’s fully compatible with any tool that is based upon the AWS CLI: ๏ CLI ๏ AWS-SDK ๏ CodeCommit ๏ All tools based on AWS CLI ๏ Terraform, Serverless, SAM, ecc…
  • 16. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS LIVE-DEMO SHOWTIME!
  • 17. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS MOCK EC2 INSTANCE-METADATA SERVICE BETA!
  • 18. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS MOCK EC2 INSTANCE-METADATA SERVICE
  • 19. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS MOCK EC2 INSTANCE-METADATA SERVICE How it works?
  • 20. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS NEXT ๏ User Access Key and Secret Access Key support ๏ Clean credentials upon exit ๏ Multiple providers ๏ Timeout settings (cannot be less than 15 minutes) ๏ Remote DB
  • 21. TEMPORARY CREDENTIALS RENEWAL AND MANAGEMENT WITH AWS THANK YOU Q&Anicolo@besharp.it
 alessio@besharp.it