Federation & Access Management

AWS supports logging in with federated access, using SAML or integration with Active Directory. This is integrated with IAM roles in AWS, which provide the permissions to access the various services. In this session we explain the options for authentication, cover basic access control concepts, and use AWS Systems Manager to show how you can also provide secured access to your instances.
AWS services: IAM, AWS SSO, Managed Active Directory, AWS Systems Manager (with demo)

Federation & Access Management

  1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Lior Pollack, Solutions Architect – Security & Compliance, TFC, February 2019. Federating Identity and Access: understanding key concepts and use cases
  2. Agenda: learn about Identity & Access Management in AWS; identify patterns for accessing AWS; use cases & demo
  3. What do we mean when we say “federation”?
  4. Definition (for today). Identity providers: store identities; authentication; authorization (coarse). Identity consumers: authorization (fine); store references to identities; no sync. The two sides are linked by trust and by protocols.
  5. Every service has an API endpoint, with a control plane and a data plane: EC2, Simple Storage Service (S3), DynamoDB
  6. Understanding planes of access – Amazon EC2. Control plane: AWS API (e.g. ec2:StartInstances). Data plane: Amazon VPC connection (e.g. SSH, RDP). Different: paths, credentials, protocols.
  7. Understanding planes of access – Amazon DynamoDB. Control plane: AWS API (e.g. dynamodb:CreateTable). Data plane: AWS API (e.g. dynamodb:GetItem). Same: path, credential, protocol.
  8. Action – Properties – Resource. ec2:runInstances: ImageId <value>, Availability Zone <value>; output: specific instances (the resource). dynamodb:putItem: Table Name <value>, Item <value>; acts on a specific table (the resource). Annotations on the slide (translated from Hebrew): Action: a request to obtain servers (instances). Settings: which image, and where to place it. Acts on: a request for new resources. Action: write an object to the database. Settings: the table name and the item to write. Acts on: the table we want to change. In Hebrew: Allowed? For whom? When? From where? What exactly?
  9. The ABCs – stuff you must know before we start: IAM, AWS Security Token Service
  10. The ABCs of AWS IAM. I: Identity – AWS IAM lets you create identities in your AWS account that can make authenticated requests to AWS. AM: Access Management – AWS IAM is your tool for defining who has permission to do what to which resources. IAM is the AWS-wide permissions control system, so you need to know it.
  11. Anatomy of an API call to an AWS service:
      https://ec2.amazonaws.com/?Action=RunInstances
      &ImageId=ami-2bb65342
      &MaxCount=3
      &MinCount=1
      &Placement.AvailabilityZone=us-east-1a
      &Monitoring.Enabled=true
      &Version=2016-11-15
      &X-Amz-Algorithm=AWS4-HMAC-SHA256
      &X-Amz-Credential=AKIAIOSFODNN7EXAMPLE_us-east-1%2Fec2%2Faws4_request
      &X-Amz-Date=20130813T150206Z
      &X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-date
      &X-Amz-Signature=ced6826de92d2bdeed8f846f0bf508e8559e98e4b0194b84example54174deb456c
      Content-type: application/json
      host: ec2.amazonaws.com
      Annotations on the slide (translated from Hebrew): always the API of the requested service; the parameters of the requested action; a digital signature – the call does not go through without it (it identifies the key, the date, and so on).
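The signature on slide 11 is an AWS Signature Version 4 over the request. As an added example that is not part of the deck, the Python below computes that signature for the slide's RunInstances parameters. In the slide the fields (algorithm, credential scope, date, signed headers, signature) travel as X-Amz-* query parameters; this example emits the same fields as an Authorization header, the form the SDKs and CLI normally use. The access key id is the documented dummy value from the slide; the secret key, the timestamp and the Content-Type header are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials: the access key id is AWS's documented dummy; the secret is a placeholder, not a live key.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# The RunInstances parameters from the slide, used as the constructed sample request.
SAMPLE_PARAMS = {
    "Action": "RunInstances",
    "ImageId": "ami-2bb65342",
    "MaxCount": "3",
    "MinCount": "1",
    "Placement.AvailabilityZone": "us-east-1a",
    "Monitoring.Enabled": "true",
    "Version": "2016-11-15",
}


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _uri_encode(value: str) -> str:
    # SigV4 percent-encodes everything except the RFC 3986 unreserved characters.
    return quote(value, safe="-_.~")


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4" + secret, date), region), service), "aws4_request")."""
    k = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def sign_request(method, host, path, params, headers, payload, region, service, amz_date,
                 access_key_id=ACCESS_KEY_ID, secret=SECRET_ACCESS_KEY):
    """Build the SigV4 canonical request and string to sign, then derive the Authorization header."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    # Canonical headers: lower-cased names, whitespace-collapsed values, sorted by name; host and x-amz-date are mandatory.
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    canon["host"] = host
    canon["x-amz-date"] = amz_date
    signed_headers = ";".join(sorted(canon))
    canonical_query = "&".join(f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        method,
        quote(path, safe="/~"),
        canonical_query,
        "".join(f"{k}:{canon[k]}\n" for k in sorted(canon)),
        signed_headers,
        _sha256_hex(payload),  # hash of the body; an empty body still hashes to a fixed value
    ])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"canonical_request": canonical_request, "string_to_sign": string_to_sign,
            "signed_headers": signed_headers, "signature": signature, "authorization": authorization}


def sign_sample(params=SAMPLE_PARAMS, secret=SECRET_ACCESS_KEY):
    """Sign the slide's request with the constructed timestamp and a constructed Content-Type header."""
    return sign_request("GET", "ec2.amazonaws.com", "/", params,
                        {"Content-Type": "application/x-www-form-urlencoded"}, b"",
                        "us-east-1", "ec2", "20130813T150206Z", secret=secret)


if __name__ == "__main__":
    result = sign_sample()
    print(result["string_to_sign"])
    print(result["authorization"])
```

Because the signature covers the sorted parameters, the signed headers and the body hash, changing any of them (or signing with a different secret) yields a different signature, which is why AWS can reject a replayed or altered call; the X-Amz-Date in the scope additionally bounds how long the signed request stays valid.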
  12. Term: IAM Policy. Every AWS service supports authorization via IAM policy. AWS authorizes every API call against the IAM policies that apply. IAM policies can be attached to IAM roles, users, and groups. Later in this talk: other places an IAM policy can be attached.
  13. Granular access policies: JSON-formatted documents that contain a statement (permissions) specifying which actions a principal can perform and which resources can be accessed. Elements: Principal, Action, Resource, Condition.
      {
        "Statement": [{
          "Effect": "effect",
          "Principal": "principal",
          "Action": "action",
          "Resource": "arn",
          "Condition": {
            "condition": {
              "key": "value"
            }
          }
        }]
      }
  14. IAM policy examples (Allow + Conditions):
      MFA – enables a user to terminate EC2 instances only if the user has authenticated with their MFA device:
      { "Statement": [{ "Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": ["*"], "Condition": { "Null": {"aws:MultiFactorAuthAge": "false"} } }] }
      SSL – enables a user to manage access keys for all IAM users only if the user is coming over SSL:
      { "Statement": [{ "Effect": "Allow", "Action": "iam:*AccessKey*", "Resource": "arn:aws:iam::123456789012:user/*", "Condition": { "Bool": {"aws:SecureTransport": "true"} } }] }
      SourceIP – enables a user to change routing tables only if the user is accessing Amazon EC2 from 192.168.176.0/24:
      { "Statement": [{ "Effect": "Allow", "Action": ["ec2:*Route*"], "Resource": ["*"], "Condition": { "IpAddress": {"aws:SourceIP": "192.168.176.0/24"} } }] }
      Tags – enables a user to terminate EC2 instances only if the instance is tagged with “Environment=Dev”:
      { "Statement": [{ "Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*", "Condition": { "StringEquals": {"ec2:ResourceTag/Environment": "Dev"} } }] }
  15. Data plane examples (DynamoDB):
      Limit queries to your own user:
      { "Version": "2012-10-17", "Statement": [ { "Sid": "ReadOnlyAccessToUserItems", "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query" ], "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores", "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${www.amazon.com:user_id}" ] …
      Prevent updating specific attributes:
      { "Version": "2012-10-17", "Statement": [ { "Sid": "PreventUpdatesOnCertainAttributes", "Effect": "Allow", "Action": [ "dynamodb:UpdateItem" ], "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores", "Condition": { "ForAllValues:StringNotLike": { "dynamodb:Attributes": [ "FreeGamesAvailable", "BossLevelUnlocked" ] …
  16. Don’t worry if you don’t like JSON…
  17. Sane default policies provided
  18. Restricting access with policies: Implicit deny (what is not explicitly allowed is denied). Explicit deny: Service Control Policies (account-wide, controlled by the organization); IAM policy (per user, group or role). Permission boundaries: used to restrict what permissions a principal can pass on to other principals it can create.
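Slides 14 and 18 together describe how a request is decided: a statement matches on action and resource, its conditions filter further, an explicit deny anywhere wins, Service Control Policies apply to the whole account, and anything not allowed is implicitly denied. The following Python is an added example, not AWS's evaluation engine: a minimal evaluator that implements those rules for the condition operators used by the slide's four policies (Null, Bool, IpAddress, StringEquals, plus StringNotLike and the ForAllValues prefix from slide 15), run over constructed requests. The SCP, the request contexts and the instance ARN are constructed; the real engine also handles permission boundaries, resource policies and many more operators.

```python
import fnmatch
import ipaddress

# Policies copied from slide 14, as Python dicts.
MFA_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": ["*"],
              "Condition": {"Null": {"aws:MultiFactorAuthAge": "false"}}}]}
ROUTES_FROM_OFFICE = {"Statement": [{"Effect": "Allow", "Action": ["ec2:*Route*"], "Resource": ["*"],
                      "Condition": {"IpAddress": {"aws:SourceIP": "192.168.176.0/24"}}}]}
DEV_ONLY = {"Statement": [{"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Dev"}}}]}
# Constructed service control policy: everything allowed, except terminating Prod-tagged instances (explicit deny).
ORG_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Prod"}}}]}

# Condition operators: (context value, policy value) -> bool.
OPERATORS = {
    "StringEquals": lambda ctx, pol: ctx == pol,
    "StringNotLike": lambda ctx, pol: not fnmatch.fnmatchcase(ctx, pol),
    "Bool": lambda ctx, pol: str(ctx).lower() == str(pol).lower(),
    "IpAddress": lambda ctx, pol: ipaddress.ip_address(ctx) in ipaddress.ip_network(pol, strict=False),
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, context):
    ctx = {k.lower(): v for k, v in context.items()}  # condition key names are case-insensitive
    for op_name, pairs in condition.items():
        for_all = op_name.startswith("ForAllValues:")
        base_op = op_name.split(":")[-1]
        for key, policy_values in pairs.items():
            key = key.lower()
            policy_values = _as_list(policy_values)
            if base_op == "Null":
                # Null "true": the key must be absent; Null "false": the key must be present (e.g. MFA was used).
                must_be_absent = str(policy_values[0]).lower() == "true"
                if (key in ctx) == must_be_absent:
                    return False
                continue
            if key not in ctx:
                if for_all:
                    continue  # ForAllValues over an empty set is vacuously true
                return False
            op = OPERATORS[base_op]
            matched = (all if for_all else any)(
                any(op(c, p) for p in policy_values) for c in _as_list(ctx[key]))
            if not matched:
                return False
    return True


def _statement_matches(stmt, request):
    # Action names are case-insensitive and support * wildcards; resources are matched case-sensitively.
    if not any(fnmatch.fnmatchcase(request["action"].lower(), a.lower()) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(stmt.get("Resource", []))):
        return False
    return _condition_holds(stmt.get("Condition", {}), request.get("context", {}))


def evaluate_policies(policies, request):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one set of policy documents."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_matches(stmt, request):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit deny always wins
                decision = "Allow"
    return decision


def is_allowed(request, identity_policies, scps=None):
    """Slide 18's layering: the SCPs (if any) must allow, then an identity policy must allow; any deny wins."""
    if scps is not None and evaluate_policies(scps, request) != "Allow":
        return False
    return evaluate_policies(identity_policies, request) == "Allow"


def request(action, resource, context):
    return {"action": action, "resource": resource, "context": context}


def run_examples():
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # constructed
    with_mfa = {"aws:MultiFactorAuthAge": "120", "ec2:ResourceTag/Environment": "Dev"}
    no_mfa = {"ec2:ResourceTag/Environment": "Dev"}
    prod_mfa = {"aws:MultiFactorAuthAge": "120", "ec2:ResourceTag/Environment": "Prod"}
    return {
        "terminate_dev_with_mfa": is_allowed(request("ec2:TerminateInstances", inst, with_mfa), [MFA_POLICY], [ORG_SCP]),
        "terminate_dev_no_mfa": is_allowed(request("ec2:TerminateInstances", inst, no_mfa), [MFA_POLICY], [ORG_SCP]),
        "terminate_prod_with_mfa": is_allowed(request("ec2:TerminateInstances", inst, prod_mfa), [MFA_POLICY], [ORG_SCP]),
        "route_from_office": is_allowed(request("ec2:CreateRoute", "*", {"aws:SourceIP": "192.168.176.20"}), [ROUTES_FROM_OFFICE]),
        "route_from_elsewhere": is_allowed(request("ec2:CreateRoute", "*", {"aws:SourceIP": "10.0.0.5"}), [ROUTES_FROM_OFFICE]),
        "start_is_implicit_deny": is_allowed(request("ec2:StartInstances", inst, with_mfa), [MFA_POLICY, DEV_ONLY], [ORG_SCP]),
    }


if __name__ == "__main__":
    for name, allowed in run_examples().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The Prod case shows why the SCP layer matters: the identity policy would allow the termination (MFA is present), but the organization-level explicit deny is evaluated first and cannot be overridden by any identity policy. The ec2:StartInstances case shows implicit deny: no statement mentions it, so it is denied without any Deny statement existing.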
  19. Term: IAM Principal. An IAM principal is an identity defined within an AWS account. IAM roles are for automated processes, AWS services and federated identities; IAM roles authenticate using short-lived credentials. IAM users are for direct human access; IAM users authenticate using long-lived credentials.
  20. Temporary Security Credentials (AWS STS). A session consists of: Access Key Id, Secret Access Key, Session Token, Expiration. Lifetime: 15 minutes to 36 hours (default 12 hours). Use cases: cross-account access; federation (SAML2/OAUTH2); key rotation for application roles (EC2, Lambda, ECS/Fargate); web/mobile applications.
  21. Mechanics of (cross-account) AssumeRole. Target AWS account: an IAM role with a permission policy (controls access to AWS services & resources) and a trust policy (specifies the principals who can assume the role, plus a shared secret, the external id). Source AWS account: an IAM role or IAM user whose permission policy allows sts:AssumeRole on the remote role in the target account. Flow: the source calls sts:AssumeRole, receives a short-term credential, and uses it to invoke AWS APIs or access the Management Console. The source may be you and the target an external entity, or vice versa.
  22. Identity & Federation
  23. SAML to AWS federation: 1) the user authenticates to the IdP (backed by the directory); 2) authn and attributes; 3) the IdP issues a SAML assertion that is delivered to the federation SP; 4) AssumeRoleWithSAML() against STS produces STS credentials for the IAM role; 5) Query() is made with those STS credentials.
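Step 4 of slide 23 works on the attributes the IdP put into the assertion: AWS reads the Role attribute, whose values are "role ARN,SAML provider ARN" pairs, and the RoleSessionName attribute, and the assertion must name AWS as its audience and still be inside its validity window. The following Python is an added example, not code from the deck or from AWS: it parses a constructed SAML response carrying those attributes and reports the consistency problems a relying client or an audit script should catch before a (RoleArn, PrincipalArn) pair is handed to AssumeRoleWithSAML. The IdP issuer, account ids, role names and timestamps are all constructed. The XML signature check is deliberately out of scope here; STS verifies the signature against the SAML provider's registered metadata, and nothing in this example should be taken to replace that.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed SAML response (unsigned, for parsing only). The third Role value pairs a role in one account
# with a provider from another, which is the kind of misconfiguration the check below flags.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2019-02-10T09:00:00Z" Destination="https://signin.aws.amazon.com/saml">
  <saml:Issuer>https://idp.company.local/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-02-10T09:00:00Z">
    <saml:Issuer>https://idp.company.local/saml</saml:Issuer>
    <saml:Subject><saml:NameID>lior</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-02-10T08:59:00Z" NotOnOrAfter="2019-02-10T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/NetworkAdmin,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:role/Developer,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::999999999999:role/Developer,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>lior@company.local</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam" else None


def _ts(iso):
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_aws_assertion(xml_bytes):
    """Extract the AWS-relevant parts of a SAML response or bare assertion."""
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS) if root.tag.endswith("Response") else root
    cond = assertion.find("saml:Conditions", NS)
    attrs = {a.get("Name"): [v.text.strip() for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "not_before": cond.get("NotBefore"),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        "audiences": [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)],
        "roles": [tuple(v.split(",")) for v in attrs.get(AWS_ROLE_ATTR, [])],
        "session_name": (attrs.get(AWS_SESSION_NAME_ATTR) or [None])[0],
    }


def check_assertion(a, now_iso, expected_issuer, allowed_accounts):
    """Return a list of findings; an empty list means the AWS attributes are consistent."""
    now = _ts(now_iso)
    findings = []
    if a["issuer"] != expected_issuer:
        findings.append(f"unexpected issuer {a['issuer']}")
    if AWS_AUDIENCE not in a["audiences"]:
        findings.append("audience is not AWS")
    if not (_ts(a["not_before"]) <= now < _ts(a["not_on_or_after"])):
        findings.append("assertion outside its validity window")
    if not a["session_name"]:
        findings.append("RoleSessionName attribute missing")
    for pair in a["roles"]:
        if len(pair) != 2 or ":role/" not in pair[0] or ":saml-provider/" not in pair[1]:
            findings.append(f"malformed Role value {pair}")
        elif _account_of(pair[0]) != _account_of(pair[1]):
            findings.append(f"role {pair[0]} is paired with a provider from another account")
        elif _account_of(pair[0]) not in allowed_accounts:
            findings.append(f"role {pair[0]} is outside the expected accounts")
    return findings


def usable_roles(a, allowed_accounts):
    """The (RoleArn, PrincipalArn) pairs that are well-formed, same-account and in an expected account."""
    return [(r, p) for r, p in a["roles"] if ":role/" in r and ":saml-provider/" in p
            and _account_of(r) == _account_of(p) and _account_of(r) in allowed_accounts]


def run_example():
    a = parse_aws_assertion(SAMPLE_RESPONSE)
    accounts = {"123456789012"}
    issuer = "https://idp.company.local/saml"
    return {"findings": check_assertion(a, "2019-02-10T09:01:00Z", issuer, accounts),
            "usable": usable_roles(a, accounts),
            "expired_findings": check_assertion(a, "2019-02-10T09:05:00Z", issuer, accounts)}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The role list returned by usable_roles is what a federated console or CLI login offers the user to choose from; whichever pair is chosen, STS still enforces the role's trust policy, so a role the IdP lists but does not trust that provider fails at AssumeRoleWithSAML rather than here.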
  24. Basic access patterns. Credential types: IdP credential, AWS credential. Mechanisms: cross-account trust, SAML. Targets: Console, API, CLI, external apps; data-plane APIs (Amazon Redshift, Amazon RDS (Aurora, MySQL), Amazon QuickSight, Amazon AppStream); SaaS apps (outside AWS); Windows / Amazon EC2, Amazon WorkSpaces, Amazon RDS (SQL Server), Amazon WorkDocs, Amazon WorkMail.
  25. 3 ways to single sign-on: using AWS Single Sign-On; directory federation; direct integration with Directory Services. Social/OIDC with Amazon Cognito. Directly with AWS Active Directory, Simple AD, AD Connector.
  26. Mental model: use cases, evaluation, selection, blueprints
  27. Basic SAML federation: metadata, configuration details
  28. AWS Directory Services
  29. Hybrid forest: AD Connector. On-premises domain Company.local (Haifa DC1, Tel Aviv DC2) connected through a VPN connection (customer gateway to VPN gateway) to a VPC (availability zones, subnets). AD Connector is a proxy to a specific AD domain, using LDAP authentication over SSL; consumers: WorkDocs, WorkMail, WorkSpaces.
  31. Hybrid forest: Managed AD. Establish a one-way or two-way trust to a forest / child / tree domain (incoming, outgoing and two-way directions). Company.cloud in the VPC (availability zones, subnets) and Company.local on-premises (Haifa DC1, Tel Aviv DC2) connected through a VPN connection (customer gateway to VPN gateway) with a trust relationship; consumers: Amazon RDS, WorkDocs, WorkMail, WorkSpaces, third-party.
  32. Hybrid forest: Managed AD + multiple accounts. Use an AWS Managed Microsoft AD directory from multiple accounts and VPCs (Company.cloud reachable from the VPC in Account 1 and the VPC in Account 2 via peering). Directory sharing to an external account / AWS Organizations: share the directory with other AWS accounts to extend user access to your AWS applications and services; supports seamless domain join to the directory.
  33. AWS SSO
  34. AWS SSO: centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications. AWS Organizations: master account, linked accounts and a shared resources account, each accessed through a role via AWS STS. Applications: Amazon Connect, Amazon WorkMail, Amazon WorkSpaces, RDS for SQL Server, Amazon WorkDocs, Amazon QuickSight, Amazon Chime. Use AD as IdP / use the SSO directory.
  36. Demo
  37. Demo: Federation – job functions (network admin vs developer); controlling access to the data plane with IAM policies; EC2 instance profile (Lambda / ECS…); AWS SSO
  38. AWS SSO demo
  40. EC2 Instance (Profile) Role
  41. AWS IAM roles – instance profiles. 1) Create the instance; 2) select the IAM role; 3) the application on Amazon EC2 obtains the role's credentials from the EC2 metadata service at http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename; 4) the application interacts with Amazon S3.
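Step 3 of slide 41 is a plain HTTP exchange with the metadata service, and it is the step where the role's short-lived keys (slide 20) reach the application. The Python below is an added example, not from the deck or from AWS: a client that performs that exchange in the IMDSv2 form (a PUT to obtain a session token, then GETs that carry the token), together with a constructed local mock of the metadata service so the exchange can be run offline. The role name, credential values and expiration in the mock are placeholders; the URL and header names are the real IMDS ones.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS_URL = "http://169.254.169.254"  # the real endpoint; the mock below is used for the offline run
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def fetch_role_credentials(base_url=IMDS_URL, ttl_seconds=300, timeout=2):
    """IMDSv2: get a session token with PUT, then read the role name and its credentials with that token."""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        token = resp.read().decode()

    def get(path):
        r = urllib.request.Request(base_url + path, headers={"X-aws-ec2-metadata-token": token})
        with urllib.request.urlopen(r, timeout=timeout) as resp:
            return resp.read().decode()

    role_name = get(CREDS_PATH).strip().splitlines()[0]  # the listing names the instance profile's role
    creds = json.loads(get(CREDS_PATH + role_name))      # AccessKeyId, SecretAccessKey, Token, Expiration
    return role_name, creds


# Constructed mock of the metadata service; every value here is a placeholder.
MOCK_TOKEN = "mock-imds-session-token"
MOCK_ROLE = "app-server-role"
MOCK_CREDS = {"Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIA-PLACEHOLDER",
              "SecretAccessKey": "placeholder-secret", "Token": "placeholder-session-token",
              "LastUpdated": "2019-02-10T09:00:00Z", "Expiration": "2019-02-10T15:00:00Z"}


class MockImds(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the run quiet

    def _send(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_PUT(self):
        if self.path == TOKEN_PATH and "X-aws-ec2-metadata-token-ttl-seconds" in self.headers:
            self._send(200, MOCK_TOKEN)
        else:
            self._send(400, "bad request")

    def do_GET(self):
        # IMDSv2 behaviour: metadata paths answer 401 unless a valid session token header is present.
        if self.headers.get("X-aws-ec2-metadata-token") != MOCK_TOKEN:
            self._send(401, "unauthorized")
        elif self.path == CREDS_PATH:
            self._send(200, MOCK_ROLE + "\n")
        elif self.path == CREDS_PATH + MOCK_ROLE:
            self._send(200, json.dumps(MOCK_CREDS))
        else:
            self._send(404, "not found")


def start_mock_imds():
    server = HTTPServer(("127.0.0.1", 0), MockImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    server, url = start_mock_imds()
    try:
        role, creds = fetch_role_credentials(url)
        # A token-less GET, as an IMDSv1-style client would send it, is refused by the v2 service.
        try:
            urllib.request.urlopen(url + CREDS_PATH, timeout=2)
            tokenless_get_allowed = True
        except urllib.error.HTTPError as e:
            tokenless_get_allowed = e.code != 401
        return {"role": role, "expiration": creds["Expiration"], "tokenless_get_allowed": tokenless_get_allowed}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The credentials carry an Expiration, and the service rotates them ahead of it, which is the "key rotation for application roles" use case on slide 20; an application caches them and re-reads the path when the expiration nears. Requiring the PUT-obtained token (an added note, not on the slide) is what makes the v2 service refuse the token-less GET shown in the demo, which limits how a bug in the application that forwards arbitrary GET requests could expose the role's keys.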
  42. So, is the EC2 data plane out of scope for IAM? Well… here’s how to fix it!
  43. Understanding planes of access – Amazon EC2. Control plane: AWS API (e.g. ec2:StartInstances). Data plane: Amazon VPC connection (e.g. SSH, RDP). Different: paths, credentials, protocols.
  44. AWS Systems Manager – hybrid cloud management at scale (AWS cloud and corporate data center; IT admin, DevOps engineer; role-based access control). A set of capabilities that: enables role-based server management; audits every management action; is free – no charge to use; manages thousands of Windows and Linux instances running anywhere (Amazon EC2, other clouds, or on-premises).
  45. Session Manager: the instance stays inside its VPC, AZ, subnet and security-group boundaries; sessions go through the SSM endpoint, so no inbound ports are open; access to SSM is controlled with IAM permissions, for IAM or federated identities.
  46. Thank you. Lior Pollack – Solutions Architect
