
AWS identity services: Enabling and securing your cloud journey - SEC203 - Chicago AWS Summit

In this session, we provide an overview of AWS identity services within the context of a typical cloud journey. We learn about each service, the high-level capabilities each provides, and how they all fit and work together to provide you with a robust identity foundation. We also learn how to advance your own identity-services cloud journey with confidence and speed. Finally, we look more closely at several identity-based use cases where the power and programmability of the cloud are radically simplifying implementation and strengthening security.


  1. AWS identity services: Enabling and securing your cloud journey (SEC203), Chicago AWS Summit. Quint Van Deman, Business Development Manager, AWS Identity, Amazon Web Services. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  3. Calibration
  4. Disambiguation. Identity (the subject): securely manage the identities, resources, and permissions for your cloud workloads. That is our scope for today, and it includes AWS Identity and Access Management (IAM), the service that authenticates and authorizes calls to AWS APIs.
  5. Identity – our definition for today: identity management, access management, and resource management.
  6. Our metaphor (diagram): the layers AWS, Infrastructure and Application; the personas Builders, Operators and Users; and the AWS CLI.
  7. Our backdrop: a “typical” journey to AWS (chart of value delivered over time).
  8. What we hear from customers.
     Business needs: enable the business to innovate; agility to move fast; give developers freedom.
     Security requirements: prevent dangerous actions; be accountable for the security posture; cost-effective solutions.
     Goal: enable you to build a foundation quickly while maintaining your desired security and governance posture.
  10. Likely first questions:
      • How many AWS accounts do I need?
      • How do I govern my AWS accounts?
      • How do I provide access into those accounts?
      • What permissions do my users have in those accounts?
      • How do I keep all of my AWS resources organized and segmented?
  11. AWS identity services (diagram of the Application, Infrastructure and AWS platform layers): AWS Organizations sits at the AWS platform layer.
  12. Introducing AWS Organizations: central governance and management for multiple AWS accounts.
      • Govern access to AWS services, resources, and Regions
      • Configure AWS services across multiple AWS accounts
      • Automate AWS account creation and management
      • Consolidate billing across multiple AWS accounts
  13. Primer: AWS accounts. What really is an AWS account?
      • A container for AWS resources
      • A clear isolation boundary for administration, network access, and permissions/resource sharing
      You can have any number of AWS accounts you wish (within service limits). Within an organization, one account is designated the master account (now called the management account); the others are member accounts.
  14. Manage global resources at scale. Three building blocks: a customer-defined key and value on AWS assets (a tag); a centralized service for managing multiple accounts (AWS Organizations); and a security and management boundary within an organization.
  15. What AWS accounts do I need? AWS has opinionated views, solutions, and services to help.
  16. What AWS accounts do I need? Refining your own opinion. Common options:
      • Per environment (dev, test, prod)
      • Per business unit per environment
      • Per app per environment
      • Per app per Region per environment
      Seek a reasonable balance between isolation and maturity, and evolve over time.
  17. AWS Organizations: governing AWS accounts (diagram). Service control policies are attached in AWS Organizations and applied to an AWS account; the diagram shows them alongside the Regions us-east-1, us-west-2 and ap-south-1 as the governed scope.
  18. AWS Organizations: managing AWS accounts. AWS services natively integrated with AWS Organizations (more coming): AWS Artifact, AWS CloudTrail, Amazon CloudWatch, AWS Config, AWS Directory Service, AWS Firewall Manager, AWS License Manager, AWS Resource Access Manager, AWS Service Catalog, AWS SSO.
  19. Next: account access
  20. AWS identity services (diagram): AWS SSO joins AWS Organizations at the AWS platform layer.
  21. Introducing AWS SSO (since renamed AWS IAM Identity Center): centrally manage single sign-on access to multiple AWS accounts and business applications for your workforce.
      • Centrally manage access to multiple AWS accounts
      • Easy to enable and use
      • Use your choice of existing or cloud-native identities
      • Provide AWS SSO access to business applications
  22. AWS SSO: your choice of identity store.
      • Option 1: Use corporate identities by connecting to an existing directory (Active Directory in the corporate data center, reached through AWS Directory Service; AWS SSO reads its users and groups).
      • Option 2: Create users and groups directly in AWS SSO.
  23. AWS SSO: define permission sets (from the master account).
      • Uses AWS Organizations to retrieve your list and structure of accounts
      • Define permissions using standard IAM policy syntax and tools
      • Definitions and policies are automatically deployed and maintained as roles in the member accounts (member account 1 through member account N)
  24. AWS SSO: assign permission sets (from the master account). Select users or groups, select the desired permission set, and grant access to one AWS account, an OU, or the entire organization.
  25. AWS SSO: user experience. The end user authenticates, sees the permission sets they have been granted, chooses console or CLI/API access, and can also reach other business applications.
  26. What permissions do I give my users? Least privilege is a journey, not a starting point.
  27. AWS identity services (diagram): IAM joins AWS Organizations and AWS SSO at the AWS platform layer.
  28. Introducing IAM: securely manage access to AWS services and resources.
      • Authenticate and authorize AWS API calls
      • Specify policy-based permissions
      • Provide fine-grained access controls for AWS actions and resources
      • Provide short-term credentials for humans, machines, and applications
  29. IAM policy basics. The PARC model:
      • Principal – who
      • Action – can access
      • Resource – what
      • Condition – under what conditions
      Example identity-based policy (the principal is implied by the identity the policy is attached to):
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "ec2:AttachVolume",
                "ec2:DetachVolume"
              ],
              "Resource": "arn:aws:ec2:*:*:instance/*",
              "Condition": {
                "StringEquals": {
                  "ec2:ResourceTag/Department": "Development"
                }
              }
            }
          ]
        }
  30. Attribute-based access control (ABAC). “If the tag on the principal matches the tag on the resource, allow, otherwise deny.” (Strictly, if the tags do not match no Allow applies, so the request is implicitly denied.)
      Before, with the tag value hard-coded in the policy:
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "ec2:AttachVolume",
                "ec2:DetachVolume"
              ],
              "Resource": "arn:aws:ec2:*:*:instance/*",
              "Condition": {
                "StringEquals": {
                  "ec2:ResourceTag/Department": "Development"
                }
              }
            }
          ]
        }
      After, with the value taken from the calling principal's own tag, so one policy serves every department:
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "ec2:AttachVolume",
                "ec2:DetachVolume"
              ],
              "Resource": "arn:aws:ec2:*:*:instance/*",
              "Condition": {
                "StringEquals": {
                  "ec2:ResourceTag/Department": "${aws:PrincipalTag/Department}"
                }
              }
            }
          ]
        }
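The following is an added example, not from the SEC203 deck or any AWS SDK: an offline model of how IAM evaluates the two policies above (the tag-scoped one and its ABAC form using ${aws:PrincipalTag/Department}) together with a Region guardrail SCP of the kind the "Governing AWS accounts" slide sketches. It models only the rules these policies exercise: explicit Deny wins, some Allow must match, an Allow whose condition fails is an implicit deny, and SCPs cap what identity policies can grant. The SCP text, the request contexts, the account ID and the instance ARNs are constructed for the example.

```python
import re
from fnmatch import fnmatchcase

# The two identity-based policies from the slides, quotes straightened.
TAG_SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/Department": "Development"}}}]}
ABAC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringEquals": {
        "ec2:ResourceTag/Department": "${aws:PrincipalTag/Department}"}}}]}
# Constructed SCP in the shape of the Region guardrail on the Organizations
# slide. Global services (IAM, Organizations, Route 53, CloudFront) are served
# from us-east-1, so a Region list that drops us-east-1 must exempt them with
# NotAction, as the AWS-documented example SCP does.
REGION_SCP = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringNotEquals": {
        "aws:RequestedRegion": ["us-east-1", "us-west-2", "ap-south-1"]}}}]}

_VARIABLE = re.compile(r"\$\{([^}]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, context):
    """Expand ${key} policy variables. A variable the request context cannot
    supply (a principal with no Department tag) raises KeyError, which the
    caller turns into a failed comparison, as IAM does."""
    return _VARIABLE.sub(lambda m: context[m.group(1)], value)


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            try:
                wanted = [_resolve(v, context) for v in _as_list(expected)]
            except KeyError:
                return False
            if operator == "StringEquals":
                if actual is None or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators match when the key is absent from the request.
                if actual is not None and actual in wanted:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled")
    return True


def _matches(patterns, value, fold_case):
    """Wildcard match; action names are case-insensitive, ARNs are not."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate_policy(policy, request):
    """Return "Deny", "Allow" or None (nothing matched) for a single policy."""
    verdict = None
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], request["action"], fold_case=True):
            continue
        if not _matches(stmt["Resource"], request["resource"], fold_case=False):
            continue
        if not _condition_holds(stmt.get("Condition", {}), request["context"]):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict


def is_allowed(request, identity_policies, scps=()):
    """Explicit Deny anywhere wins; otherwise an identity policy must Allow.
    SCPs are modelled as deny-only guardrails, which assumes the default
    FullAWSAccess SCP is attached alongside them."""
    if any(evaluate_policy(p, request) == "Deny" for p in scps):
        return False
    verdicts = [evaluate_policy(p, request) for p in identity_policies]
    return "Deny" not in verdicts and "Allow" in verdicts


def make_request(action, resource, region, principal_dept=None, resource_dept=None):
    """Build a request context; a missing tag is simply an absent key."""
    context = {"aws:RequestedRegion": region}
    if principal_dept is not None:
        context["aws:PrincipalTag/Department"] = principal_dept
    if resource_dept is not None:
        context["ec2:ResourceTag/Department"] = resource_dept
    return {"action": action, "resource": resource, "context": context}
```

Run `is_allowed(make_request("ec2:AttachVolume", instance_arn, "us-east-1", "Development", "Development"), [ABAC_POLICY], [REGION_SCP])` to see the ABAC allow, then drop the principal tag or move the Region to eu-west-1 to watch the same call fall to the implicit deny and the SCP deny respectively. For real policies use the IAM policy simulator; this model does not cover resource-based policies, permission boundaries, NotAction, or the other condition operators.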
  31. Short-term credential basics.
      • Macro pattern 1: trust-based exchange. A source credential assumes a role through pre-established trust, and time-bound credentials are returned.
      • Macro pattern 2: AWS-delivered credentials. You provide identity to an AWS compute service by passing it a role, and time-bound credentials are delivered to it and rotated for you.
  32. Further exploration. Understanding IAM primitives: AWS re:Invent 2018, A Practitioner’s Guide to Securing Your Cloud (Like an Expert) (SEC203-R1). Understanding IAM policy: AWS re:Invent 2018, Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1).
  33. SAML federation into IAM (diagram of SAML federation into several AWS accounts). SAML federation for the AWS Management Console, APIs, and CLI; self-paced workshop materials are available. This achieves the same core result as AWS SSO at a more “assembly level”.
  34. It doesn’t depend. So you want to manage access for a whole bunch of users into a whole bunch of roles in a whole bunch of AWS accounts? (Decision chart; based on features available as of May 2019, and will change with future launches.)
  35. Cloud builders: ready to get building! (diagram of an AWS account with a VPC containing Amazon EC2, Amazon RDS and an application). Two kinds of access: the “control plane”, the AWS APIs used by builders and operators for creating, terminating, etc.; and the “data plane”, connections into the VPC such as SSH, RDP and database clients used by operators and DBAs.
  37. Likely first questions:
      • How do I centrally authenticate users connecting to operating systems?
      • How do I control which users can connect to which instances?
      • How do I manage DBA access into relational database engines?
      • How do I manage service accounts (non-interactive users)?
  38. AWS identity services (diagram): AWS Directory Service joins at the infrastructure layer, alongside AWS Organizations, AWS SSO and IAM at the AWS platform layer.
  39. Introducing AWS Directory Service: managed Microsoft Active Directory in the AWS Cloud.
      • Easily migrate your directory-dependent workloads by leveraging a managed service
      • Provide infrastructure access management without syncing identity data
      • Use actual Microsoft Active Directory integrated with other AWS services and applications
  40. Establishing Active Directory in AWS.
      • Option 1: AWS Managed Microsoft AD with a trust to the corporate Active Directory (LDAP, Kerberos and referrals cross the trust; users and groups stay in the corporate data center).
      • Option 2: AD Connector with a service principal (a service account in the corporate directory); LDAP and Kerberos are proxied to the corporate Active Directory.
      • Option 3: Stand-alone AWS Managed Microsoft AD holding its own users and groups in the AWS Cloud.
      • Option 4: Self-managed AD on Amazon EC2 replicating with the corporate Active Directory.
      • Option X: Combinations of the above.
  41. Leveraging Active Directory in AWS (diagram: AWS Managed AD in a VPC with a trust to the corporate Active Directory). Domain join and operator access: Amazon EC2 (Windows/Linux) and Amazon RDS for SQL Server. Provisioning and end-user access for AWS managed applications: Amazon WorkSpaces, Amazon Chime, Amazon WorkDocs, Amazon WorkMail, Amazon QuickSight, Amazon Connect, Amazon FSx. End-user access to Windows applications running in the VPC.
  42. It doesn’t depend: choosing the right option to extend AD domain services into AWS (matrix; current as of May 2019, always consult the documentation for the latest information). Options compared: Managed AD with two-way trust, Managed AD with one-way trust, AD Connector, AWS Managed AD (stand alone), self-managed AD on EC2. Use cases compared: operator access to the Amazon EC2 operating system, operator access to Amazon RDS for SQL Server, end-user access to AWS managed applications, Amazon FSx, end-user access to apps on Amazon EC2. (The matrix cell values are not in the transcript.)
  43. Further exploration. AWS Managed AD deep dive: AWS re:Invent 2018, AWS Directory Service for Microsoft Active Directory Deep Dive (WIN303-R1).
  44. Identity “for the infrastructure”: future steps (Traditional vs. Utopia).
      • Domain joining
  46. Likely first questions:
      • How do I securely connect to AWS APIs from my infrastructure components?
      • How do I manage and deploy application credentials for connecting to relational databases?
  47. Deeper look: IAM roles for AWS compute services. A role carrying the permissions is attached to the Amazon EC2 instance; temporary security credentials are automatically delivered to the instance and rotated; your code, through the AWS SDKs, automatically discovers and uses them to reach AWS resources (Amazon DynamoDB, Amazon Kinesis, Amazon S3); access is controlled by the policy attached to the role. The same works with AWS Lambda and Amazon ECS.
  48. AWS Secrets Manager. The instance role from the previous slide authorizes a call to Secrets Manager; the database credentials are returned and loaded by your code; the connection to Amazon RDS in the VPC is established. A DBA (or AWS CloudFormation) seeds the secret, and Secrets Manager rotates it safely. The combination provides a reliable, secure, auto-rotating solution for all credentials.
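The following is an added example, not from the deck or the AWS SDK: the application-side handling that makes the "safe rotation" step above safe for the application too. Two rules: cache the fetched credential (the Secrets Manager API is not meant to be called per connection), and on an authentication failure refetch the AWSCURRENT version once before giving up, because rotation may have replaced the password after the cache was filled. FakeSecretsManager and FakeDatabase are in-memory stand-ins constructed for the example; FakeSecretsManager mirrors the boto3 `get_secret_value(SecretId=..., VersionStage=...)` call shape, so RotatingSecretClient can be handed `boto3.client("secretsmanager")` unchanged. The secret name and credentials are made up.

```python
import json
import time


class FakeSecretsManager:
    """Stand-in for the secretsmanager client: versions keyed by staging label."""

    def __init__(self, secret_id, secret):
        self.secret_id = secret_id
        self.versions = {"AWSCURRENT": dict(secret)}
        self.calls = 0

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        if SecretId != self.secret_id or VersionStage not in self.versions:
            raise LookupError("ResourceNotFoundException")
        return {"SecretString": json.dumps(self.versions[VersionStage])}

    def finish_rotation(self, new_password):
        """What a rotation function does last: the new version becomes
        AWSCURRENT and the old one is kept under AWSPREVIOUS."""
        self.versions["AWSPREVIOUS"] = self.versions["AWSCURRENT"]
        self.versions["AWSCURRENT"] = {**self.versions["AWSCURRENT"],
                                       "password": new_password}


class FakeDatabase:
    """Stand-in for the RDS instance: a single valid username/password pair."""

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.connections = 0

    def connect(self, username, password):
        if (username, password) != (self.username, self.password):
            raise PermissionError("authentication failed")
        self.connections += 1
        return f"connection-{self.connections}"


class RotatingSecretClient:
    """Caches the secret for ttl_seconds and refreshes it on auth failure."""

    def __init__(self, secretsmanager, secret_id, ttl_seconds=300,
                 clock=time.monotonic):
        self._sm = secretsmanager
        self._secret_id = secret_id
        self._ttl = ttl_seconds
        self._clock = clock
        self._cached = None
        self._fetched_at = None

    def get(self, force_refresh=False):
        """Return the AWSCURRENT secret as a dict, from cache when fresh."""
        stale = self._cached is None or self._clock() - self._fetched_at > self._ttl
        if force_refresh or stale:
            resp = self._sm.get_secret_value(SecretId=self._secret_id,
                                             VersionStage="AWSCURRENT")
            self._cached = json.loads(resp["SecretString"])
            self._fetched_at = self._clock()
        return dict(self._cached)

    def connect(self, database):
        creds = self.get()
        try:
            return database.connect(creds["username"], creds["password"])
        except PermissionError:
            # The cached password may predate a rotation: refetch exactly once.
            # A second failure is a real problem and is raised to the caller.
            creds = self.get(force_refresh=True)
            return database.connect(creds["username"], creds["password"])
```

The single forced refresh is the important design choice: it absorbs the window between the rotation function changing the database password and the application noticing, without turning a genuinely wrong credential into a retry storm against Secrets Manager. The AWSPREVIOUS version is kept so that a rotation that went wrong can be rolled back from the console without an application change.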
  49. Applications: ready for end users! (diagram). The application in the VPC has API access to AWS services (Amazon S3, AWS Secrets Manager) and resource access to relational databases (Amazon RDS); around it are the builder, operator, DBA and now the end user.
  51. Likely first questions:
      • How do I add sign-up and sign-in to my applications easily?
      • How do I add support for standards like OIDC or SAML?
      • How do I control access to business applications for my workforce?
  52. AWS identity services (diagram): Amazon Cognito joins at the application layer, with AWS Directory Service at the infrastructure layer and AWS Organizations, AWS SSO and IAM at the AWS platform layer.
  53. Introducing Amazon Cognito: simple and secure user sign-up, sign-in, and access control for web and mobile apps.
      • Offload undifferentiated identity heavy lifting
      • Provide advanced security for your apps and users
      • Use standards-based authentication
      • Use your choice of existing or cloud-native identities
  54. Amazon Cognito: flexible and fully managed application identity.
      • Extensible AuthN & AuthZ: AWS Lambda, Amazon ALB, Amazon API Gateway
      • Built-in UI for applications: SPA, Web, Android, iOS
      • Out-of-the-box support for open standards: SAML, OAuth2, OIDC
      • Flexible and scalable API & SDK support: AWS SDKs, Ionic, Vue, Angular, Node JS, React, iOS, Android
      • Secure & available: MFA, compromised password DB, adaptive auth, 99.9% SLA
      • Out-of-the-box support for social federation: Google, Facebook, Amazon
  55. Amazon Cognito flow (diagram). User pools authenticate users and return standard tokens; user pool tokens are used to access backend resources; identity pools provide AWS credentials to access AWS services. The diagram's numbered steps: (1) the user authenticates against the user pool, directly or through a federating IdP whose token is handed to the user pool by redirect/post back; (2) the user pool returns its own (CUP) tokens; (3) the app presents the CUP token to Amazon API Gateway to reach the serverless backend on AWS Lambda; (4) the app presents the CUP token to a Cognito identity pool; (5) the identity pool obtains AWS credentials from AWS STS; (6) the app uses those credentials to access AWS services such as Amazon DynamoDB and Amazon S3.
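The following is an added example, not from the deck or any AWS SDK: the claim checks a backend must apply to a Cognito user pool token before trusting it (the "user pool tokens are used to access backend resources" step above). The RS256 signature check against the pool's JWKS (`https://cognito-idp.<region>.amazonaws.com/<pool id>/.well-known/jwks.json`) needs a JOSE library and a network fetch, so it is injected as a callable; everything after it is shown in full, including the two checks most often skipped: `token_use`, and `aud` (ID token) versus `client_id` (access token). The Region, user pool ID, app client ID and the token contents are constructed for the example; `make_unsigned_token` exists only to build those offline test tokens and produces a placeholder signature.

```python
import base64
import json
import time


class TokenInvalid(Exception):
    pass


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def validate_cognito_token(token, *, region, user_pool_id, app_client_id,
                           expected_use, verify_signature, now=None):
    """Return the claims of a user pool token or raise TokenInvalid.

    verify_signature(kid, signing_input, signature) -> bool must check the
    RS256 signature with the JWKS key matching kid; it is injected because
    that step needs a JOSE library and the pool's published keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenInvalid("undecodable token")
    # Pin the algorithm; never let the token choose it (alg=none attacks).
    if header.get("alg") != "RS256":
        raise TokenInvalid("unexpected alg")
    if not verify_signature(header.get("kid"), f"{header_b64}.{payload_b64}", signature):
        raise TokenInvalid("bad signature")
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != issuer:
        raise TokenInvalid("wrong issuer")
    # An access token must not be accepted where an ID token is expected, and
    # vice versa: they carry different claims and different meaning.
    if claims.get("token_use") != expected_use:
        raise TokenInvalid("wrong token_use")
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != app_client_id:
        raise TokenInvalid("wrong audience")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenInvalid("expired")
    return claims


def make_unsigned_token(claims, kid="constructed-kid", alg="RS256"):
    """Build a token with a placeholder signature for the offline example."""
    header = _b64url_encode(json.dumps({"alg": alg, "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder')}"
```

In production the `verify_signature` callable would look the `kid` up in the cached JWKS document and verify with a library such as PyJWT; the check order above (algorithm, signature, issuer, token_use, audience, expiry) means a forged token is rejected before any of its claims are read for a decision.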
  56. Further exploration: the serverless authentication and authorization session, and the serverless authentication and authorization workshop.
  57. Revisiting where we got ahead of ourselves, part 1. AWS SSO: end-user access to business applications. Through the AWS SSO user portal, users from the corporate Active Directory (trusted by AWS Managed AD over LDAP, Kerberos and referrals) reach custom SAML-enabled applications in a VPC and SaaS applications on the Internet.
  58. Revisiting where we got ahead of ourselves, part 2. Directory Service: end-user access to Windows applications and AWS-managed applications. With AWS Managed AD trusting the corporate Active Directory, end users reach Windows applications on Amazon EC2 (Windows/Linux) in the VPC and AWS managed applications (Amazon WorkSpaces, Amazon Chime, Amazon WorkDocs, Amazon WorkMail, Amazon QuickSight, Amazon Connect).
  60. AWS identity services, recap.
      • AWS Organizations: central governance and management for multiple AWS accounts
      • AWS SSO: manage single sign-on (SSO) access to multiple AWS accounts and business applications
      • IAM: fine-grained access management for AWS resources
      • AWS Directory Service: actual Microsoft Active Directory as a managed service on the AWS Cloud
      • Amazon Cognito: identity and access management for your apps & APIs
  61. Thank you! Quint Van Deman, @AWSIdentity on Twitter; find me on LinkedIn.