
SEC302 Delegating Access to Your AWS Environment - AWS re: Invent 2012


At times you may have a need to provide external entities access to resources within your AWS account. You may have users within your enterprise that want to access AWS resources without having to remember a new username and password. Alternatively, you may be creating a cloud-backed application that is used by millions of mobile users. Or you have multiple AWS accounts that you want to share resources across. Regardless of the scenario, AWS Identity and Access Management (IAM) provides a number of ways you can securely and flexibly provide delegated access to your AWS resources. Come learn how to best take advantage of these options in your AWS environment.

  1. 1. Understand the technology used to delegate access
      • Sessions and the AWS Security Token Service
      • Roles and assumed-role sessions
      • Federated sessions
      • The differences in session types and when to use what
      Use cases we’ll cover:
      • Cross Account Access
      • AWS API Federation
      • AWS Console Federation
  2. 2. Sessions & the AWS Security Token Service
  3. 3. Sessions allow delegating temporary access to your AWS account
      Use cases being covered in this talk:
      • Cross Account Access
      • Inbound AWS federation
        • AWS service API
        • AWS Management Console
      Other use cases not covered today:
      • Mobile and browser-based applications
      • Consumer applications with unlimited users
      • MFA Protected API Access
  4. 4. Session (diagram): Access Key Id, Secret Access Key, Session Token, Expiration
  5. 5. Session (diagram): the Access Key Id, Secret Access Key and Session Token together are the temporary security credentials; Expiration
  6. 6. Session (diagram repeated): Access Key Id, Secret Access Key, Session Token, Expiration
  7. 7. Session (diagram repeated): Access Key Id, Secret Access Key, Session Token, Expiration
  8. 8. Roles and assumed-role sessions
  9. 9. How to define who can assume the role using the console
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::111122223333:role/MyRole"
          }
        ]
      }
      Entity can assume MyRole under account 111122223333
  10. 10. Cross-account access (diagram): two accounts, labelled "IAM Team Account" and "My AWS Account" (account IDs 111122223333 and 123456789012). Jeff, an IAM user whose account (123456789012) is the trusted principal, authenticates to STS with his own access keys, gets temporary security credentials from s3-role in account 111122223333, and then calls AWS APIs using those temporary security credentials.
      Permissions assigned to s3-role:
      {
        "Statement": [
          { "Effect": "Allow", "Action": "s3:*", "Resource": "*" }
        ]
      }
      Policy assigned to Jeff granting him permission to assume s3-role in account B (111122223333):
      {
        "Statement": [
          { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/s3-role" }
        ]
      }
      Policy assigned to s3-role defining who (trusted entities) can assume the role:
      {
        "Statement": [
          { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Action": "sts:AssumeRole" }
        ]
      }
  11. 11. Assumed-Role Session – Code Sample

      using System;
      using Amazon.SecurityToken;
      using Amazon.SecurityToken.Model;

      public static Credentials getAssumeRoleSession(String roleArn, String accessKey, String secretKey)
      {
          Credentials sessionCredentials;
          // STS client authenticated with the caller's (e.g. Jeff's) long-term access keys
          AmazonSecurityTokenServiceClient client = new AmazonSecurityTokenServiceClient(
              accessKey, secretKey, new AmazonSecurityTokenServiceConfig());

          // Store the attributes and request a new AssumeRole session (temporary security credentials)
          AssumeRoleRequest request = new AssumeRoleRequest
          {
              DurationSeconds = 3600,
              RoleArn = roleArn,
              RoleSessionName = "S3BucketBrowser"
          };
          AssumeRoleResponse startSessionResponse = client.AssumeRole(request);

          if (startSessionResponse != null) // Check for valid security credentials or null
          {
              AssumeRoleResult startSessionResult = startSessionResponse.AssumeRoleResult;
              sessionCredentials = startSessionResult.Credentials;
              return sessionCredentials;
          }
          else
          {
              throw new Exception("S3 Browser :: Error in retrieving temporary security creds, received NULL");
          }
      }
  12. 12. Let’s talk about federation
  13. 13. API federation through a federation proxy (diagram; Customer side = IdP, AWS Cloud = Relying Party):
      1 User application requests a token from the Federation Proxy
      2–3 Exchange between the Federation Proxy and the corporate Directory
      4 Federation Proxy sends a Get Federation Token request to STS
      5 STS returns the Get Federation Token response: Access Key, Secret Key, Session Token
      6 Application receives the token
      7 Application calls AWS APIs against AWS resources (S3 bucket with objects, Amazon DynamoDB, Amazon EC2)
      • The proxy uses a set of IAM user credentials to call GetFederationTokenRequest()
      • The IAM user's permissions need to be the union of all federated user permissions
      • The proxy needs to securely store these privileged credentials
  14. 14. Get Federated Session – Code Sample

      using System;
      using Amazon.SecurityToken;
      using Amazon.SecurityToken.Model;

      public Credentials GetSecurityToken(string userName, string accessKey, string secretKey)
      {
          Credentials sessionCredentials;
          // STS client authenticated with the federation proxy's privileged IAM user keys
          AmazonSecurityTokenServiceConfig config = new AmazonSecurityTokenServiceConfig();
          AmazonSecurityTokenServiceClient client = new AmazonSecurityTokenServiceClient(accessKey, secretKey, config);

          string policy = Utilities.BuildAWSPolicy(userName); // Retrieve the AWS policy for this user from Active Directory

          // Name identifies the federated user in the session; Policy scopes the session down from the IAM user's permissions
          GetFederationTokenRequest request = new GetFederationTokenRequest
          {
              DurationSeconds = Utilities.GetSessionDuration(),
              Name = userName,
              Policy = policy
          };
          GetFederationTokenResponse startSessionResponse = client.GetFederationToken(request);

          if (startSessionResponse != null) // Check the result returned: valid security credentials or null?
          {
              GetFederationTokenResult startSessionResult = startSessionResponse.GetFederationTokenResult;
              sessionCredentials = startSessionResult.Credentials;
              return sessionCredentials;
          }
          else
          {
              throw new Exception("FederationProxy :: Error in retrieving temporary security creds, received NULL");
          }
      }
  15. 15. Console federation (diagram): the Proxy Server authenticates to STS with its IAM user's access keys, gets temporary security credentials for s3-role in account 111122223333, and the user logs in to the AWS Management Console using those temporary security credentials.
      Permissions assigned to s3-role:
      {
        "Statement": [
          { "Effect": "Allow", "Action": "s3:*", "Resource": "*" }
        ]
      }
      Policy assigned to Proxy granting permission to ListRoles and AssumeRole for all roles:
      {
        "Statement": [
          { "Effect": "Allow", "Action": ["iam:ListRoles", "sts:AssumeRole"], "Resource": "arn:aws:iam::111122223333:role/*" }
        ]
      }
      Policy assigned to s3-role defining who can assume the role (the sts:ExternalId condition means the role can only be assumed by a caller that also supplies the expected external ID):
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
            "Action": ["sts:AssumeRole"],
            "Condition": { "StringEquals": { "sts:ExternalId": "{SID1234…}" } }
          }
        ]
      }
  16. 16. Console federation flow (diagram; Customer side = IdP, AWS Cloud = Relying Party):
      1 User browses to the federation proxy URL from the browser
      2–3 Exchange between the Federation Proxy and the corporate directory
      4 ListRoles request
      5 ListRoles response
      6 AssumeRole request to STS
      7 AssumeRole response: temporary credentials (Access Key, Secret Key, Session Token)
      8 Proxy creates the combo box (role chooser) in the browser interface
      9 Proxy generates the console sign-in URL
      10 Redirect to AWS Management Console
      • The proxy uses a set of IAM user credentials to make AssumeRoleRequest()
      • The IAM user's permissions only need to be able to call ListRoles & assume role
      • The proxy needs to securely store these credentials
  17. 17. Console Federation – Code Sample

      using System;
      using System.IO;
      using System.Net;
      using System.Text;
      using System.Web;
      using Amazon.SecurityToken.Model;

      public string getSignInURL(Credentials federatedCredentials, String issuerURL, String consoleURL, String signInURL)
      {
          // Create the sign-in token using temporary credentials: Access Key ID, Secret Access Key, and security token.
          String sessionJson = "{" +
              "\"sessionId\":\"" + federatedCredentials.AccessKeyId + "\"," +
              "\"sessionKey\":\"" + federatedCredentials.SecretAccessKey + "\"," +
              "\"sessionToken\":\"" + federatedCredentials.SessionToken + "\"" +
              "}";
          String getSigninTokenURL = signInURL + "?Action=getSigninToken" +
              "&SessionType=json&Session=" + HttpUtility.UrlEncode(sessionJson, Encoding.UTF8);

          WebRequest Request = WebRequest.Create(getSigninTokenURL);
          HttpWebResponse WebResponse = (HttpWebResponse)Request.GetResponse();
          Stream data = WebResponse.GetResponseStream();
          StreamReader reader = new StreamReader(data);
          String Response = reader.ReadToEnd();

          // The response body is {"SigninToken":"..."}; splitting on ':' and '"' leaves the token at index 4
          String[] session_encrypted = Response.Split(new Char[] { ':', '"' });
          String signinToken = session_encrypted[4];
          String signinTokenParameter = "&SigninToken=" + HttpUtility.UrlEncode(signinToken, Encoding.UTF8);

          // The issuer parameter is optional, but recommended. Use it to direct users
          // to your sign-in page when their session expires.
          String issuer_param = "&Issuer=" + HttpUtility.UrlEncode(issuerURL, Encoding.UTF8);
          String destination_param = "&Destination=" + HttpUtility.UrlEncode(consoleURL, Encoding.UTF8);

          String loginURL = signInURL + "?Action=login" + signinTokenParameter + issuer_param + destination_param;
          return loginURL;
      }
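The two-step exchange with the federation endpoint that the C# sample above performs (getSigninToken, then login), rendered in Python as an added example that is not part of the deck. It uses only the standard library and the real federation endpoint URL the slide's code targets; the credentials and the endpoint reply are constructed placeholders, and fetch_signin_token is the only function that touches the network, so everything else runs offline. Unlike the slide's string-splitting, the reply is parsed as JSON, so the token's position in a split never matters.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import urlopen

# The AWS federation endpoint the slide's C# code calls (real endpoint).
FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"

# Constructed sample temporary credentials (placeholders, not real keys).
SAMPLE_CREDENTIALS = {"AccessKeyId": "ASIAEXAMPLEKEYID",
                      "SecretAccessKey": "exampleSecretKey",
                      "SessionToken": "exampleSessionToken"}


def build_get_signin_token_url(temp_creds, sign_in_url=FEDERATION_ENDPOINT):
    """Step 1: ask the federation endpoint to turn temporary credentials into
    a sign-in token. The Session parameter is the same JSON the slide builds
    by string concatenation; json.dumps does the quoting, urlencode the escaping."""
    session = {"sessionId": temp_creds["AccessKeyId"],
               "sessionKey": temp_creds["SecretAccessKey"],
               "sessionToken": temp_creds["SessionToken"]}
    params = {"Action": "getSigninToken", "SessionType": "json",
              "Session": json.dumps(session, separators=(",", ":"))}
    return sign_in_url + "?" + urlencode(params)


def parse_signin_token(response_body):
    """The endpoint answers {"SigninToken":"..."}; parse it as JSON rather than
    splitting on ':' and '"' as the C# sample does."""
    return json.loads(response_body)["SigninToken"]


def fetch_signin_token(get_url, timeout=10):
    """Performs the real HTTPS call; not exercised offline."""
    with urlopen(get_url, timeout=timeout) as resp:
        return parse_signin_token(resp.read().decode("utf-8"))


def build_login_url(signin_token, issuer_url, destination_url,
                    sign_in_url=FEDERATION_ENDPOINT):
    """Step 2: the URL the user is redirected to. Issuer is optional but
    recommended: the console sends the user back there when the session expires."""
    params = {"Action": "login", "Issuer": issuer_url,
              "Destination": destination_url, "SigninToken": signin_token}
    return sign_in_url + "?" + urlencode(params)


def query_params(url):
    """Decode a URL's query string back into a {name: value} dict (single-valued)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    get_url = build_get_signin_token_url(SAMPLE_CREDENTIALS)
    # Offline: stand in for the endpoint's reply with a constructed response body.
    token = parse_signin_token('{"SigninToken":"ExampleSigninToken123"}')
    print(build_login_url(token, "https://sso.example.com/",
                          "https://console.aws.amazon.com/s3/"))
```

The proxy should treat the sign-in URL it generates like a credential: it carries a token that logs anyone holding it into the console as that federated identity, so it belongs in a redirect response, not in logs.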
  18. 18. Choosing the right session type
  19. 19. Federated sessions Assumed-role sessions
  20. 20. Permissions by principal type, with an example policy statement (Permissions – Example):
      AWS account – Unrestricted access to all enabled services and resources (implicit) – Action: "*"; Effect: Allow; Resource: "*"
      IAM users – Access restricted by group and user policies – Action: ["s3:*", "sts:Get*"]; Effect: Allow; Resource: "*"
      Federated sessions – Access restricted by generating identity & scoped further by policies used to generate request – Action: ["s3:Get*"]; Effect: Allow; Resource: "arn:aws:s3:::mybucket/*"
      Assumed-role sessions – Access restricted by role assumed & scoped further by policies used to generate request – Action: ["ddb:*"]; Effect: Allow; Resource: "*"
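The three rules the deck spreads across slides 10, 15 and 20 (the caller's own policy must allow sts:AssumeRole on the role, the role's trust policy must name the caller and any sts:ExternalId condition must match, and a federated session gets only what both the IAM user's policy and the session policy allow) as one added Python example; this is not the deck's code and not IAM's real evaluation engine, only a simplified model with '*'/'?' wildcards and Deny-wins semantics. The policy documents are constructed from the slides' examples, and the external ID is a placeholder where the deck shows "{SID1234…}".

```python
import fnmatch

ROLE_ARN = "arn:aws:iam::111122223333:role/s3-role"

# Constructed sample policies mirroring slides 10, 15 and 20.
JEFF_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Resource": ROLE_ARN}]}
TRUST_POLICY = {"Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                               "Action": "sts:AssumeRole"}]}
PROXY_POLICY = {"Statement": [{"Effect": "Allow",
                               "Action": ["iam:ListRoles", "sts:AssumeRole"],
                               "Resource": "arn:aws:iam::111122223333:role/*"}]}
TRUST_POLICY_WITH_EXTERNAL_ID = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["sts:AssumeRole"],
    # placeholder external ID; the deck shows "{SID1234...}"
    "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}}}]}
FEDERATION_USER_POLICY = {"Statement": [{"Effect": "Allow",
                                         "Action": ["s3:*", "sts:Get*"],
                                         "Resource": "*"}]}
SESSION_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*"],
                                 "Resource": "arn:aws:s3:::mybucket/*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM-style wildcard matching ('*' and '?'), case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def identity_allows(policy, action, resource):
    """Evaluate one policy document: an explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        hit = (any(_matches(a, action) for a in _as_list(stmt.get("Action", []))) and
               any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))))
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def trust_allows(trust_policy, caller_account, external_id=None):
    """Role trust policy: the caller's account root must be a listed principal,
    the statement must allow sts:AssumeRole, and any sts:ExternalId must match."""
    caller_root = "arn:aws:iam::%s:root" % caller_account
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = (_as_list(principal.get("AWS", [])) if isinstance(principal, dict)
                      else _as_list(principal))
        if caller_root not in principals and "*" not in principals:
            continue
        if not any(_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action", []))):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue
        return True
    return False


def can_assume(caller_account, identity_policy, role_arn, trust_policy, external_id=None):
    """Slides 10 and 15: AssumeRole succeeds only when BOTH sides agree."""
    return (identity_allows(identity_policy, "sts:AssumeRole", role_arn)
            and trust_allows(trust_policy, caller_account, external_id))


def session_allows(identity_policy, session_policy, action, resource):
    """Slide 20: a federated session may do only what both the calling IAM user's
    policy and the policy passed to GetFederationToken allow; the session policy
    narrows, it never widens."""
    return (identity_allows(identity_policy, action, resource)
            and identity_allows(session_policy, action, resource))


if __name__ == "__main__":
    print(can_assume("123456789012", JEFF_POLICY, ROLE_ARN, TRUST_POLICY))  # True
    print(session_allows(FEDERATION_USER_POLICY, SESSION_POLICY,
                         "s3:GetObject", "arn:aws:s3:::mybucket/report.csv"))  # True
```

The practical consequence for the federation proxy is visible in session_allows: because the session can never exceed the proxy's IAM user, that user's policy has to be the union of every federated user's permissions (slide 13), which is exactly why the deck insists its credentials be stored securely.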
  21. 21. • Simple DB
  23. 23. Code – Session – Time
      SEC101 – A Guided Tour of AWS Identity and Access Management – Wednesday 11/28 2.05pm
      SEC302 – Delegating Access to Your AWS Environment – Wednesday 11/28 3.25pm
      MBL302 – Solving Common Mobile Use Cases with the AWS Mobile SDKs – Wednesday 11/28 3.25pm
      SEC303 – TOP 10 IAM Best Practices – Thursday 11/29 3pm
  24. 24. We are sincerely eager to hear your feedback on this presentation and on re:Invent. Please fill out an evaluation form when you have a chance.