
(SEC302) Delegating Access to Your AWS Environment | AWS re:Invent 2014


Do you have multiple AWS accounts that you want to share resources across? Considering an AWS partner offering that requires access to your AWS account? Delegation is your friend! Come learn how you can easily and securely delegate access to users in other AWS accounts, 3rd parties, or even other AWS services using delegation options available in AWS Identity and Access Management (IAM).



  1. A role has two policies: a trust policy (who may assume the role) and a permissions policy (what the role may do).

       { "Effect": "Allow",
         "Principal": { "AWS": "arn:aws:iam::1111" },
         "Action": "sts:AssumeRole" }

       { "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "*" }

  2. A role session returns temporary security credentials: Access Key ID, Secret Access Key, Session Token and Expiration.
  3. Within a single AWS Account: a User accessing Instances and a Table.
  4. Cross-account access: a User in Another AWS Account assumes a Role in Your AWS Account to reach its Instances and Table.
  5. Demo: cross-account access to the AWS Management Console.
     - My AWS Account: "CrossAccount" role. Trusts: PM Team AWS Account. Grants: EC2 full and IAM read-only. Uses External ID.
     - PM Team AWS Account: "Demo" IAM user, which can assume the "CrossAccount" role.
     - Step 1: a script authenticates with the "Demo" user's access keys.
     - Step 2: it assumes the "CrossAccount" role (IAM/STS) to get temporary security credentials.
     - Step 3: it constructs a sign-in URL using the temporary security credentials to access the AWS Management Console.
  6. Delegating to a partner: a User in the Partner's AWS Account assumes a Role in Your AWS Account (identified by Your AWS Account ID), presenting an External ID, to reach your Instances and Table.
  7. Trust policy that requires the partner's External ID:

       { "Effect": "Allow",
         "Principal": { "AWS": "arn:aws:iam::EXAMPLE-CORP-ACCOUNT-ID" },
         "Action": "sts:AssumeRole",
         "Condition": { "StringEquals": { "sts:ExternalId": "ID-ISSUED-BY-EXAMPLE-CORP" } } }

  8. One partner, many customers: Partner's AWS Account, Customer A's AWS Account, Customer B's AWS Account.
     - Role A trusts the Partner account only if External ID = Customer A's external ID.
     - Role B trusts the Partner account only if External ID = Customer B's external ID.
     - Step 1: a User asks the partner to use role B. Step 2: the partner assumes role B, passing the customer's external ID while assuming the role. Step 3: the partner shows customer B's resources.
  9. Partner example: Trend Micro Deep Security for Web Apps.
     - My AWS Account: "TrendMicro" role. Trusts: Trend Micro AWS Account. Grants: a few EC2, ELB and Route 53 actions.
     - Step 1: authenticate using the access keys of an IAM user in Trend Micro's AWS account.
     - Step 2: assume the role (IAM/STS) to get temporary security credentials.
     - Step 3: call AWS APIs (Amazon EC2, Elastic Load Balancing, Route 53) using the temporary security credentials.
  10. Delegating to an AWS service: a Role in Your AWS Account, alongside your User, Instances and Table, is assumed from the AWS Service's AWS Account.
  11. EC2 as the delegate: an Instance in the EC2 Service's AWS Account uses a Role in Your AWS Account to reach your Instances and Table.
  12. Amazon EC2 Instance with a Role: Allow Amazon S3 access but nothing else (Amazon S3 is reachable, Amazon DynamoDB is not).
  13. Please give us your feedback on this session. Complete session evaluations and earn re:Invent swag. http://bit.ly/awsevals
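As an added illustration of the trust policy on slide 7 and the per-customer scenario on slide 8 (example code written for this page, not from the talk or from AWS), the following Python evaluator applies a single trust statement to an AssumeRole request; the account IDs, role names and external IDs in it are constructed placeholders. It shows that with the sts:ExternalId condition a partner that is handed Customer B's external ID cannot be steered into Customer A's role (the confused deputy problem), while the same trust without the condition allows it.

```python
# Added example (not from the slides): a tiny evaluator for a single IAM role trust
# statement shaped like the one on slide 7. Account IDs, role names and external IDs
# below are constructed placeholders, not values from the talk.

PARTNER_ACCOUNT = "arn:aws:iam::111111111111:root"   # constructed partner account principal

# Trust statement for "Role A" in Customer A's account, following slide 7's shape.
TRUST_ROLE_A = {
    "Effect": "Allow",
    "Principal": {"AWS": PARTNER_ACCOUNT},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "extid-customer-a"}},  # constructed
}

# The weak variant: same trust, but without the sts:ExternalId condition.
TRUST_ROLE_A_NO_EXTID = {k: v for k, v in TRUST_ROLE_A.items() if k != "Condition"}


def evaluate_trust(statement, principal_arn, action, external_id=None):
    """Return True if one Allow statement permits this AssumeRole request.

    Implements only what the slide policies need: one statement, an exact-match
    AWS principal (string or list) and StringEquals conditions. A condition key
    the caller did not supply (external_id=None) never satisfies StringEquals.
    """
    if statement.get("Effect") != "Allow" or statement.get("Action") != action:
        return False
    trusted = statement.get("Principal", {}).get("AWS", [])
    trusted = trusted if isinstance(trusted, list) else [trusted]
    if principal_arn not in trusted:
        return False
    request_context = {"sts:ExternalId": external_id}
    conditions = statement.get("Condition", {}).get("StringEquals", {})
    return all(request_context.get(key) == expected for key, expected in conditions.items())


def confused_deputy_blocked(statement):
    """Slide 8 scenario: the partner is handed Customer B's external ID but is
    steered at Customer A's role. Returns True when the trust statement refuses
    that request, i.e. when the per-customer External ID does its job."""
    return not evaluate_trust(statement, PARTNER_ACCOUNT, "sts:AssumeRole",
                              external_id="extid-customer-b")


if __name__ == "__main__":
    print("blocked with ExternalId condition:", confused_deputy_blocked(TRUST_ROLE_A))  # True
    print("blocked without the condition:", confused_deputy_blocked(TRUST_ROLE_A_NO_EXTID))  # False
```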
