
(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environment | AWS re:Invent 2014


Have you wondered how you can use your corporate directory for accessing AWS? Or how you can build an AWS-powered application accessible to the millions of users from social identity providers like Amazon, Google, or Facebook? If so, this session will give you the tools you need to get started. It will provide a variety of examples to make it easier for you to use other identity pools with AWS, as well as cover open standards like Security Assertion Markup Language (SAML). Anyone who deals with external identities won't want to miss this session.

Published in: Technology


  1. Fields of a temporary session credential: Access Key ID, Secret Access Key, Session Token, Expiration.
  2. Console federation through a federation proxy using AssumeRole. Customer side (identity provider): browser, corporate directory, federation proxy. AWS Cloud side (relying party): AWS Management Console. Numbered flow:
     1. The user browses to the federation proxy URL.
     2. and 3. The proxy authenticates the user against the corporate directory.
     4. and 5. The proxy sends a ListRoles request to AWS and receives the ListRoles response.
     6. The proxy builds a combo box so the user can choose a role.
     7. and 8. The proxy sends an AssumeRole request and receives temporary credentials: Access Key ID, Secret Access Key, Session Token.
     9. The proxy generates a console sign-in URL.
     10. The browser is redirected to the AWS Management Console.
     Federation proxy notes: it uses a set of IAM user credentials to make the AssumeRole request; the IAM user's permissions only need to allow ListRoles and AssumeRole; the proxy needs to store these credentials securely.
  3. Application federation through a federation proxy using GetFederationToken. Customer side (identity provider): user, application, Active Directory, federation proxy. AWS Cloud side (relying party): AWS resources such as an Amazon S3 bucket with objects, Amazon DynamoDB and Amazon EC2. Numbered flow:
     1. The user requests a session from the application.
     2. and 3. The application authenticates the user against Active Directory.
     4. The federation proxy sends a GetFederationToken request.
     5. GetFederationToken response: Access Key, Secret Key, Session Token.
     6. The user receives the session.
     7. The application calls AWS APIs with the temporary credentials.
     Federation proxy notes: it uses a set of IAM user credentials to make the GetFederationToken request; the IAM user's permissions need to be the union of all federated user permissions; the proxy needs to store these privileged credentials securely.
  4. SAML-based console federation. Enterprise side (identity provider): browser, corporate identity store, identity provider. AWS side (service provider): AWS Sign-In, AWS Management Console. Numbered flow:
     1. The user browses to the identity provider.
     2. The identity provider authenticates the user against the corporate identity store and the browser receives the AuthN response.
     3. and 4. The browser posts the AuthN response to AWS Sign-In, which processes it.
     5. The client is redirected to the AWS Management Console.
  5. Web identity federation for a mobile app. Components: mobile app, web identity provider, and the AWS Cloud (regions US-EAST-1, EU-WEST-1, AP-SOUTHEAST-1) with IAM, EC2 instances and AWS services such as Amazon DynamoDB and Amazon S3. Numbered flow:
     1. The mobile app authenticates the user with the web identity provider.
     2. The provider returns an ID token.
     3. and 4. The app presents the ID token to AWS, which performs token verification.
     5. IAM checks the policy.
     6. and 7. The app uses the resulting credentials to call AWS services.
  6. Amazon Cognito with an OpenID Connect-compliant identity provider (developer's AWS account, us-east-1). Components: end user, app, OpenID Connect-compliant identity provider, Cognito, Security Token Service, DynamoDB. Numbered flow:
     1. The end user starts using the app.
     2. The app redirects to the identity provider for authentication and receives an ID token.
     3. The app exchanges the ID token for a Cognito token.
     4. The app exchanges the Cognito token for temporary AWS credentials from the Security Token Service.
     5. The app uses the temporary credentials to access AWS services (DynamoDB).
  7. Resource links: http://bit.ly/1n1z1QL, http://amzn.to/11AFKtS, http://amzn.to/1vlBZ6N, http://bit.ly/10KUSoC, http://bit.ly/1rNzWCF, http://bit.ly/13vFehT, http://bit.ly/1p2Ip6M
  8. Please give us your feedback on this session. Complete session evaluations and earn re:Invent swag. http://bit.ly/awsevals
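The contrast between slides 2 and 3 is the permission model of the proxy's own IAM user: a GetFederationToken proxy must itself hold the union of every federated user's permissions, while an AssumeRole proxy only needs ListRoles and AssumeRole. The following Python is an added illustration, not code from the session or from AWS: it models that rule with plain sets (a session policy can only narrow the calling identity's permissions, never add to them) and mints the four-field credential from slide 1. The IAM action names are real; the user names, role ARNs and key material are constructed placeholders, and wildcards and resource-based policies are not modelled.

```python
"""Permission model behind the two federation-proxy patterns on slides 2 and 3.

Added illustration, not code from the session or from AWS. Action names are
real IAM action strings; user names, role ARNs and key material are
constructed placeholders. Wildcards and resource-based policies are not
modelled.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

Actions = FrozenSet[str]  # allow-list of "service:Action" strings


@dataclass(frozen=True)
class TemporaryCredentials:
    """The four fields of a session credential shown on slide 1."""
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime

    def is_valid(self, now: datetime) -> bool:
        return now < self.expiration


def scope_down(identity_actions: Actions, session_policy: Actions) -> Actions:
    """Effective permissions of a temporary session: the intersection of the
    calling identity's permissions (the proxy's IAM user for GetFederationToken,
    the role for AssumeRole) and the session policy sent with the request.
    The session policy can only narrow, never add."""
    return identity_actions & session_policy


def issue_session(identity_actions: Actions, session_policy: Actions,
                  now: Optional[datetime] = None,
                  lifetime: timedelta = timedelta(hours=1)
                  ) -> Tuple[TemporaryCredentials, Actions]:
    """Mint a constructed credential set plus the permissions it carries."""
    now = now or datetime.now(timezone.utc)
    creds = TemporaryCredentials(
        access_key_id="ASIA" + secrets.token_hex(8).upper(),  # constructed, not a real key
        secret_access_key=secrets.token_hex(20),
        session_token=secrets.token_hex(32),
        expiration=now + lifetime,
    )
    return creds, scope_down(identity_actions, session_policy)


def federation_token_proxy_user_needs(federated_users: Dict[str, Actions]) -> Actions:
    """GetFederationToken pattern (slide 3): the proxy's IAM user must be allowed
    everything any federated user may be granted, i.e. the union, plus the call."""
    needed = {"sts:GetFederationToken"}
    for actions in federated_users.values():
        needed |= actions
    return frozenset(needed)


def assume_role_proxy_user_needs(role_arns: Iterable[str]) -> Dict[str, Actions]:
    """AssumeRole pattern (slide 2): the proxy's IAM user needs only ListRoles plus
    AssumeRole on the brokered roles; the data permissions sit on the roles.
    Keys are the resources the actions apply to."""
    return {"*": frozenset({"iam:ListRoles"}),
            **{arn: frozenset({"sts:AssumeRole"}) for arn in role_arns}}


def standing_data_actions(user_policy: Dict[str, Actions]) -> Actions:
    """Data-plane actions the proxy's long-term IAM user holds at rest."""
    return frozenset(a for perms in user_policy.values() for a in perms
                     if not a.startswith(("sts:", "iam:ListRoles")))


# Constructed sample data: two corporate users and what each is meant to do.
FEDERATED_USERS: Dict[str, Actions] = {
    "alice": frozenset({"s3:GetObject", "s3:PutObject"}),
    "bob": frozenset({"dynamodb:GetItem"}),
}
ROLE_ARNS = ["arn:aws:iam::123456789012:role/S3Editor",      # constructed
             "arn:aws:iam::123456789012:role/DynamoReader"]  # constructed

if __name__ == "__main__":
    gft = federation_token_proxy_user_needs(FEDERATED_USERS)
    print("GetFederationToken proxy user holds:", sorted(gft))
    print("AssumeRole proxy user holds:", assume_role_proxy_user_needs(ROLE_ARNS))
    # A session policy asking for more than the proxy user has is silently narrowed.
    creds, eff = issue_session(gft, FEDERATED_USERS["alice"] | {"ec2:TerminateInstances"})
    print("alice's session gets:", sorted(eff), "until", creds.expiration.isoformat())
```

Running the block shows the point of the slides' notes: the GetFederationToken proxy user carries every S3 and DynamoDB action at rest, whereas the AssumeRole proxy user carries no data-plane actions at all, which is why the slides stress storing the former's "privileged" credentials securely.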
