AWS Identity and Access Management and Consolidated Billing

Published in: Technology, Business

  1. 1. AWS Meister Series Reloaded: IAM & Consolidated Billing. Jan. 30th 2012. Akio Katayama (@c9katayama), Solutions Architect in Japan SA Team. Translated by Kenta Yasukawa.
  2. 2. Web Seminar: AWS Meister Series Reloaded
      - Up-to-date materials from the Meister Series in Japanese
      - New contents and new speakers!
      - New services will be introduced!
      - Join at (Japanese): http://aws.amazon.com/jp/event_schedule/
  3. 3. Agenda
      - IAM Overview
      - IAM Operations & Configuration
      - Identity Federation
      - Consolidated Billing Overview
      - How to use Consolidated Billing
      - Closing Remarks

      Copyright © 2011 Amazon Web Services
  4. 4. IAM Overview
  5. 5. IAM (AWS Identity and Access Management)
      - For AWS user authentication and access policy management
        - Creating users and groups for different AWS operations
        - Applying access policies such as “allowing to launch EC2 instances” and “allowing to write to an S3 bucket”
      - User/Group management
        - Each user is authenticated and has a different access policy applied
        - Each group may have a different access policy
        - Each group may have multiple users; users in a group inherit the access policy of the group
      - (Diagram labels: Developers, O&M)
  6. 6. IAM (AWS Identity and Access Management)
      - Various authentication tokens are issued for each user
        - Access key and Secret key: for authentication upon use of SDKs
        - Security Certificate (X.509): for authentication upon operations such as AMI-tools
        - Login password for AWS management console
        - Multi-Factor Authentication (MFA) device: for providing an additional level of security for the management console
      - (Diagram labels: Developers, O&M, AWS)
  7. 7. How IAM Works
      - Authorizes every request from API and Management Console
      - Administrator group: all operations granted
      - Developer group: all S3 operations granted
      - O&M group: S3 read-only access granted
  8. 8. Use Cases
      - Improving security: an IAM User can be easily invalidated
      - Backup-only user
        - Taking snapshots with a user that has only EBS snapshot permission granted
        - Wrong operations cannot stop EC2 instances
      - Assigning different S3 buckets to users: partitioned access for S3 for an account
      - Business management user: creating IAM User(s) who can only access billing information
  9. 9. IAM Operations and Configuration
  10. 10. Operations and Configuration
      - Two ways for managing users and groups
        - AWS Management Console
        - IAM API
      - “Access Policy Language” for describing policies
        - JSON format
  11. 11. Management Console: select “IAM”; User/Group management
  12. 12. Access Policy Language

      ```json
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:ListBuckets",
              "s3:Get*"
            ],
            "Resource": [
              "*"
            ],
            "Condition": {
              "IpAddress": {
                "aws:SourceIp": ["176.32.92.49/32"]
              }
            }
          }
        ]
      }
      ```
  13. 13. Access Policy Language: access is granted or rejected according to the statement (the same policy as on the previous slide).
  14. 14. Access Policy Configuration
      - `"Effect": "Allow"`: “Allow” for granting access, “Deny” for rejecting
      - `"Action": ["s3:ListBuckets", "s3:Get*"]`: specifies target operations; wildcard (`*`) is allowed
      - `"Resource": ["*"]`: specifies target resources with Amazon Resource Name (ARN); wildcard (`*`) is allowed
      - `"Condition": {"IpAddress": {"aws:SourceIp": ["176.32.92.49/32"]}}`: specifies the condition to enable this policy
      - This example means “If the request is from 176.32.92.49, S3 ListBuckets and Get related operations would be allowed”
  15. 15. Action & Resource
      - “Action” specifies right for operations, e.g. RunInstances, AttachVolume, CreateBucket, DeleteObject
      - “Resource” specifies right for targets of operations, e.g. EC2 Instances, EBS Volumes, S3 Buckets, S3 Objects
  16. 16. Support for Action/Resource
      - Table columns: AWS Services, Action, Resource
      - Services listed: IAM, Amazon CloudFront, Amazon CloudWatch, Amazon EC2, Amazon ElastiCache, Amazon Elastic MapReduce, Amazon RDS, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SNS, Amazon SQS, Amazon VPC, Auto Scaling, AWS CloudFormation, AWS Elastic Beanstalk, Elastic Load Balancing, DynamoDB
      - Note: EC2 does not support Resource, and thus controlling access to each EC2 instance and/or EBS volume is not supported
  17. 17. Available Condition Statements
      - Text String: StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike
      - Number
      - Date
      - Boolean
      - IP Address: IpAddress, NotIpAddress
  18. 18. Condition Statement

      ```json
      "Condition": {
        "DateGreaterThan": { "aws:CurrentTime": "2009-04-16T12:00:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2009-04-16T15:00:00Z" },
        "IpAddress": { "aws:SourceIp": ["192.168.176.0/24", "192.168.143.0/24"] }
      }
      ```

      - The DateGreaterThan, DateLessThan and IpAddress blocks are combined with AND
      - The two values listed for aws:SourceIp are combined with OR
  19. 19. Policy Configuration on Management Console
      - Choosing from templates
      - Creating with Policy Generator
      - Manual editing for policies
  20. 20. Policy Generator
  21. 21. Logic for Granting or Rejecting Access
      - Multiple conditions are allowed for a policy
        - Each user or group may have different conditions
        - Contradicting conditions may be configured
      - All access is denied by default (Default to Deny)
        - Access is granted only if an “Allow” condition matches
        - If a “Deny” condition matches, access is denied (Explicit Denial)
        - Default to Deny < Allow < Explicit Denial
      - (Diagram: two examples that combine a group’s statement with a user’s statement; one decides to Allow, the other decides to Deny)
  22. 22. User based and Resource based
      - Besides users and groups, policies can be assigned to resources
      - E.g. policies can be applied to S3 buckets and SQS queues
        - Configuring a bucket to be accessible only from certain IP address(es)
      - (Diagram labels: User based, Resource based)
  23. 23. Cross-Account Access: granting access from one AWS account to another
      1. Configure the following policy on Account A’s bucket

         ```json
         {
           "Statement": {
             "Effect": "Allow",
             "Principal": {
               "AWS": "<AWS Account B's account number>"
             },
             "Action": "s3:*",
             "Resource": "arn:aws:s3:::mybucket/*"
           }
         }
         ```
      2. Create User1 in Account B and grant access to “mybucket”; User1 will be granted access to mybucket
      3. Unless explicitly allowed, User2 cannot access mybucket
  24. 24. Use of Management Console with IAM User
      - Use the dedicated URL for IAM users that belong to an AWS account
      - A friendly name can be configured with “Account Alias”
        - First come, first served basis, the same as S3 buckets
      - (Screenshot labels: Created Account Alias, Dedicated URL)
  25. 25. Limitations
      - Each AWS account can have
        - Up to 100 groups
        - Up to 5000 users
        - 1 user can belong to up to 10 groups
      - Contact AWS support team to increase the limits
  26. 26. Identity Federation
  27. 27. Identity Federation
      - Feature to link the authentication system in a company/organization with AWS authentication
      - E.g. granting access to S3 for users authenticated with LDAP
      - Users authenticated with the federated authentication (Federated Users) are issued Temporary Security Credentials for AWS
  28. 28. Temporary Security Credentials
      - Temporary authentication information for AWS
        - A set of time-limited authentication tokens
      - Each Federated User gets: Access Key, Secret Key, Session Token
      - Expiration timer for issued credentials is configurable
        - 12 hours by default
        - From minimum 1 hour to maximum 36 hours
        - No way to extend or shorten the timer once issued
  29. 29. Metaphor with Hotel… (Figure labels: AWS Account’s Access Key ID, IAM User, Temporary Security Credentials)
  30. 30. IAM Permission Hierarchy
      - AWS Account: all operations possible (implicit). Example: Action: *, Effect: Allow, Resource: *
      - IAM User: permissions granted for User/Group. Example: Action: [‘s3:*’, ‘sts:Get*’], Effect: Allow, Resource: *
      - Temporary Security Credentials: determined when the credential is issued. Example: Action: [‘s3:Get*’], Effect: Allow, Resource: ‘arn:aws:s3:::mybucket/*’
  31. 31. Use Cases
      - Mobile applications
        - Issuing a Temporary Security Credential for each authenticated mobile application user
        - The user can upload files directly to S3
        - Secure because the credential has an expiration date
      - Temporary access permissions
        - Creating applications which can upload files to S3 for a limited period
        - Applications which can launch EC2 instances for a limited period
      - Different access policies for users in an organization
        - Creating an S3 bucket for each user
        - Giving different rights to different groups
  32. 32. How Identity Federation Works: Use in Web Applications (Diagram labels: Company/Organization, Temporary Credential Issuing Service)
  33. 33. How Identity Federation Works: Use in Mobile and Client Applications (Diagram labels: Company/Organization, Temporary Credential Issuing Service)
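  34. 34. How to Use Identity Federation: get a Federation Token from the application by using the API

      ```java
      import com.amazonaws.auth.AWSCredentials;
      import com.amazonaws.auth.BasicAWSCredentials;
      import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
      import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
      import com.amazonaws.services.securitytoken.model.Credentials;
      import com.amazonaws.services.securitytoken.model.GetFederationTokenRequest;
      import com.amazonaws.services.securitytoken.model.GetFederationTokenResult;

      final String userId = request.getParameter("userId");
      final String password = request.getParameter("password");

      // Performs certain authentication in an organization-specific way
      executeLDAPAuthentication(userId, password);

      // Long-term credentials of the IAM user that issues the federation tokens
      AWSCredentials masterCredentials =
          new BasicAWSCredentials("<IAM user access key ID>", "<IAM user secret access key>");

      // Security Token Service client
      AWSSecurityTokenService securityTokenService =
          new AWSSecurityTokenServiceClient(masterCredentials);

      GetFederationTokenRequest req = new GetFederationTokenRequest();
      req.setName(userId);
      // Setting S3 read-only policy
      req.setPolicy("{\"Statement\": [{\"Effect\": \"Allow\", \"Action\": [\"s3:Get*\", \"s3:List*\"], \"Resource\": \"*\"}]}");

      // Getting Temporary Security Credentials
      GetFederationTokenResult result = securityTokenService.getFederationToken(req);
      Credentials cs = result.getCredentials();
      String tempAccessId = cs.getAccessKeyId();
      String tempSecretkey = cs.getSecretAccessKey();
      String sessionToken = cs.getSessionToken();
      ```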
  35. 35. Limitations: Support for Temporary Users (As of Jan. 2012)
      - Services listed: CloudFront, S3, CloudWatch, SimpleDB, DynamoDB (API Only), SQS, EC2, SNS, ElastiCache, ELB, RDS, Route53
  36. 36. Logon to Management Console
      - Dedicated URL for Temporary Users: https://signin.aws.amazon.com/federation
      - Steps for logon
        - Access to: /federation?Action=getSigninToken&SessionType=json&Session={"sessionId":"", "sessionKey":"", "sessionToken":""}
        - Token for logon is returned in response to the above request
        - Redirected to: /federation?Action=login&SigninToken=<Token>&Destination=<Management Console URL>
  37. 37. How Identity Federation Works (Diagram labels: Company/Organization, Temporary Credential Issuing Service, Encrypts Token)
  38. 38. Consolidated Billing
  39. 39. Consolidated Billing
      - AWS bills for multiple accounts can be consolidated
      - Single payment for multiple accounts
      - (Diagram: a Billing Account with two Sub Accounts; all AWS fees are charged to the Billing Account)
  40. 40. Benefits
      - Centralized billing management
      - Possible to check each account’s usage breakdown, e.g. each section, each project
      - Amount of traffic and stored data used by all accounts is aggregated
        - Volume discount is applied for the aggregated amount
      - Reserved Instance (RI) is flexibly applied
        - E.g. if an RI purchased by an account is not used, the discount would be automatically applied to another account
  41. 41. Process to Apply
      1. Decide the billing account
      2. Create sub-accounts (and/or use existing accounts)
      3. Notify sub accounts from the billing account (send Email from the dedicated web page)
      4. Approve at sub-accounts by checking Emails
      5. Consolidation established
  42. 42. Process to Apply: Log on with the billing account and choose “Consolidated Billing”
  43. 43. Process to Apply: Send a request to each sub account
  44. 44. Process to Apply: Send a request to each sub account (Email address of the sub account)
  45. 45. Process to Apply: Sub account receives an Email from AWS
  46. 46. Process to Apply: Approve the request at the sub account
  47. 47. Process to Apply: Consolidated Billing established
  48. 48. After Consolidation: Billing account gets an additional field for sub accounts
  49. 49. Closing Remarks
  50. 50. Closing Remarks
      - IAM enables detailed access policy control for AWS operations
      - Improved security by creating different users and giving different policies
      - Identity Federation with authentication systems in a company or organization
      - Consolidated Billing enables
        - Centralized billing management
        - Checking breakdown for different accounts
        - More chances for volume discount
  51. 51. Q&A
  52. 52. Thank You For Joining
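
The decision logic from slides 18 and 21 (conditions ANDed, listed values ORed, Default to Deny < Allow < Explicit Denial), written out as an added example that is not part of the original slides or of AWS's own code. The function names, the sample policies and the bucket names are assumptions made for illustration.

```python
import fnmatch
import ipaddress
from datetime import datetime

def _list(v):
    return v if isinstance(v, list) else [v]

def _time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Condition operators named on the slides: (request value, policy value) -> bool
OPERATORS = {
    "StringEquals": lambda got, want: got == want,
    "IpAddress": lambda got, want: ipaddress.ip_address(got) in ipaddress.ip_network(want),
    "DateGreaterThan": lambda got, want: _time(got) > _time(want),
    "DateLessThan": lambda got, want: _time(got) < _time(want),
}

def condition_matches(condition, context):
    # Operator blocks are ANDed; the values listed under one key are ORed.
    for op, keys in condition.items():
        for key, wanted in keys.items():
            got = context.get(key)
            if got is None or not any(OPERATORS[op](got, w) for w in _list(wanted)):
                return False
    return True

def statement_matches(stmt, action, resource, context):
    # "*" wildcards in Action/Resource; matching is case-sensitive here (simplification).
    return (any(fnmatch.fnmatchcase(action, a) for a in _list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _list(stmt["Resource"]))
            and condition_matches(stmt.get("Condition", {}), context))

def evaluate(policies, action, resource, context):
    # Default to Deny < Allow < Explicit Denial, over every user and group policy.
    decision = "DefaultDeny"
    for policy in policies:
        for stmt in _list(policy["Statement"]):
            if statement_matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                decision = "Allow"
    return decision

# Constructed sample policies (bucket names are hypothetical).
GROUP = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*"], "Resource": "*", "Condition": {
    "DateGreaterThan": {"aws:CurrentTime": "2009-04-16T12:00:00Z"},
    "DateLessThan": {"aws:CurrentTime": "2009-04-16T15:00:00Z"},
    "IpAddress": {"aws:SourceIp": ["192.168.176.0/24", "192.168.143.0/24"]}}}]}
USER = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::payroll/*"}]}
```

Calling `evaluate([GROUP, USER], action, resource, context)` with a context such as `{"aws:CurrentTime": "2009-04-16T13:00:00Z", "aws:SourceIp": "192.168.143.7"}` returns one of `"Allow"`, `"ExplicitDeny"` or `"DefaultDeny"`; the order of the policies does not change the result.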

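The two console logon requests from slide 36, built with the Session JSON percent-encoded, as an added example that is not part of the original slides. The mapping of the temporary access key, secret key and session token onto sessionId, sessionKey and sessionToken, the `SigninToken` field name in the response, and the sample values are assumptions not shown on the slide.

```python
import json
from urllib.parse import urlencode

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"

def signin_token_url(access_key_id, secret_key, session_token):
    """Step 1: request that exchanges temporary credentials for a logon token."""
    # Compact JSON; urlencode() percent-encodes braces, quotes, "+" and "/".
    session = json.dumps({
        "sessionId": access_key_id,      # assumed: temporary access key ID
        "sessionKey": secret_key,        # assumed: temporary secret key
        "sessionToken": session_token,
    }, separators=(",", ":"))
    query = urlencode({
        "Action": "getSigninToken",
        "SessionType": "json",
        "Session": session,
    })
    return f"{FEDERATION_ENDPOINT}?{query}"

def login_url(signin_response_body, destination):
    """Step 2: URL the user's browser is redirected to."""
    # Assumed response shape: a JSON object carrying the token as "SigninToken".
    token = json.loads(signin_response_body)["SigninToken"]
    query = urlencode({
        "Action": "login",
        "SigninToken": token,
        "Destination": destination,
    })
    return f"{FEDERATION_ENDPOINT}?{query}"

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(signin_token_url("ASIAEXAMPLE", "secret+/key", "tok+en/=="))
    print(login_url('{"SigninToken": "TOKEN123"}', "https://console.aws.amazon.com/s3"))
```

The step 1 URL contains the temporary credentials, so it belongs in a server-side request that is kept out of access logs; only the step 2 URL goes to the browser.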