
(SEC307) A Progressive Journey Through AWS IAM Federation Options


AWS Identity and Access Management (IAM) offers a continuum of interfaces and configuration options that enables customers to integrate their unique organizational identity structure and operational processes to the AWS platform. In this session we will evaluate the progressive journey of federation options that most customers go through as they widen their integration with IAM. This will include best practices, lessons learned from the field, and examples of actual customer implementations, covering technologies such as SAML, LDAP, and custom identity brokers.


(SEC307) A Progressive Journey Through AWS IAM Federation Options

  1. 1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quint Van Deman, Sr. IT Transformation Consultant, AWS Professional Services Chad Wintzer, DevOps Engineering Lead, Dow Jones & Company October 2015 SEC 307 A Progressive Journey Through AWS IAM Federation Options: From Roles to SAML to Custom Identity Brokers
  2. 2. What you will take away from this session
  3. 3. What you will take away from this session Understand your federation options (C) Copyright GeographBot Wallace and licensed for reuse under the Creative Commons Attribution-ShareAlike 2.0 License
  4. 4. What you will take away from this session Understand your federation options Get it right at scale (C) Copyright GeographBot Wallace and licensed for reuse under the Creative Commons Attribution-ShareAlike 2.0 License (C) Copyright BigMac and licensed for reuse under the Creative Commons Attribution 3.0 License
  5. 5. What you will take away from this session Understand your federation options Get it right at scale Plan your approach (C) Copyright David Precious and licensed for reuse under the Creative Commons Attribution 2.0 Generic (C) Copyright GeographBot Wallace and licensed for reuse under the Creative Commons Attribution-ShareAlike 2.0 License (C) Copyright BigMac and licensed for reuse under the Creative Commons Attribution 3.0 License
  6. 6. What you will take away from this session Understand your federation options Get it right at scale Plan your approach Tooling to get started (C) Copyright David Precious and licensed for reuse under the Creative Commons Attribution 2.0 Generic (C) Copyright GeographBot Wallace and licensed for reuse under the Creative Commons Attribution-ShareAlike 2.0 License (C) Copyright BigMac and licensed for reuse under the Creative Commons Attribution 3.0 License License: Creative Commons Public Domain Universal 1.0
  7. 7. Session prerequisites • To get the most out of this session, you must be comfortable with several building blocks: AWS IAM Roles Policies AWS STS Long-lived credentials Temporary credentials
  8. 8. Session prerequisites • To get the most out of this session, you must be comfortable with several building blocks: • If you need to brush up, check out: • SEC305 – Become an AWS IAM Policy Ninja in 60 Minutes or Less • SEC302 – IAM Best Practices to Live By AWS IAM Roles Policies AWS STS Long-lived credentials Temporary credentials
  9. 9. AWS IAM federation: A progression of options. Cross-account trust; AWS Directory Service; Security Assertion Markup Language (SAML); Custom identity broker (axis labels: Involvement, Control)
  10. 10. AWS IAM federation: A progression of options. Cross-account trust; AWS Directory Service; Security Assertion Markup Language (SAML); Custom identity broker (axis labels: Involvement, Control); see SEC305, SEC315
  11. 11. AWS IAM federation: A progression of options. Cross-account trust; AWS Directory Service; Security Assertion Markup Language (SAML); Custom identity broker (axis labels: Involvement, Control); Session focus; see SEC305, SEC315
  12. 12. Federation rationale Before: After: Result:
  13. 13. Federation rationale Before: After: Result: Unique credentials Users
  14. 14. Federation rationale Before: After: Result: Unique credentials Single sign-on Users
  15. 15. Federation rationale Before: After: Result: Unique credentials Single sign-on Long-lived keys Users Security
  16. 16. Federation rationale Before: After: Result: Unique credentials Single sign-on Long-lived keys Short-term tokens Users Security
  17. 17. Federation rationale Before: After: Result: Unique credentials Single sign-on Long-lived keys Short-term tokens One-off Users Security Compliance
  18. 18. Federation rationale Before: After: Result: Unique credentials Single sign-on Long-lived keys Short-term tokens One-off Naturally aligned Users Security Compliance
  19. 19. Federation rationale Before: After: Result: Unique credentials Single sign-on Long-lived keys Short-term tokens One-off Naturally aligned Users Security Compliance
  20. 20. The journey: Federation with Security Assertion Markup Language (SAML)
  21. 21. Quick SAML primer
  22. 22. Quick SAML primer Identity provider
  23. 23. Quick SAML primer Identity provider (IdP) Service provider
  24. 24. Quick SAML primer Identity provider Service provider Metadata (in advance)
  25. 25. Quick SAML primer Identity provider Service provider Metadata (in advance) Assertion (login flow)
  26. 26. Basic AWS federation with SAML • Known science, assuming: • Few AWS accounts • AWS Management Console access • Well documented: • Whitepapers • Blogs • Documentation (C) Copyright Diliff and licensed for reuse under the Creative Commons Attribution 3.0 License
  27. 27. AWS federation with SAML: At-scale
  28. 28. AWS federation with SAML: At-scale
  29. 29. AWS federation with SAML: At-scale
  30. 30. AWS federation with SAML: At-scale Many AWS accounts?
  31. 31. AWS federation with SAML: at-scale Many AWS accounts? Lots of users?
  32. 32. AWS federation with SAML: at-scale Many AWS accounts? Lots of AWS IAM roles? Lots of users?
  33. 33. AWS federation with SAML: at-scale Many AWS accounts? Lots of AWS IAM roles? Multiple access vectors? Lots of users?
  34. 34. AWS federation with SAML: at-scale Many AWS accounts? Lots of AWS IAM roles? Multiple access vectors? Resource-level permissions? Lots of users?
  35. 35. AWS federation with SAML: at-scale Many AWS accounts? Lots of AWS IAM roles? Multiple access vectors? Resource-level permissions? AWS CloudTrail impacts? Lots of users?
  36. 36. AWS federation with SAML: at-scale Many AWS accounts? Lots of AWS IAM roles? Multiple access vectors? Resource-level permissions? AWS CloudTrail impacts? Lots of users? IdP unavailable strategy?
  37. 37. AWS federation with SAML: at-scale Many AWS accounts? Lots of AWS IAM roles? Multiple access vectors? Resource-level permissions? AWS CloudTrail impacts? Lots of users? IdP unavailable strategy? ???
  38. 38. AWS federation with SAML: at-scale Many AWS accounts? Lots of AWS IAM roles? Multiple access vectors? Resource-level permissions? AWS CloudTrail impacts? Lots of users? IdP unavailable strategy? Dive deep = Get it right ???
  39. 39. AWS federation with SAML: At-scale demo
  40. 40. AWS federation with SAML: At-scale demo Automate onboarding (C) Copyright Gnovick and licensed for reuse under the Creative Commons Attribution 3.0 License
  41. 41. AWS federation with SAML: At-scale demo Automate onboarding User experience (C) Copyright Gnovick and licensed for reuse under the Creative Commons Attribution 3.0 License (C) Copyright Jocelyn Wallace and licensed for reuse under the Creative Commons Attribution-ShareAlike 2.0 License
  42. 42. AWS federation with SAML: At-scale demo Automate onboarding User experience Under the hood (C) Copyright Gnovick and licensed for reuse under the Creative Commons Attribution 3.0 License (C) Copyright bagera3005 and licensed for reuse under the Creative Commons Attribution 3.0 License (C) Copyright Jocelyn Wallace and licensed for reuse under the Creative Commons Attribution-ShareAlike 2.0 License
  43. 43. Automate onboarding AWS federation with SAML: At-scale demo Directory Group definitions AWS account Providers, roles, and policies
  44. 44. Automate onboarding AWS federation with SAML: At-scale demo Key takeaways Directory Group definitions AWS account • Automate deployment of IAM roles and policies. • Automate deployment of companion directory structure. • Keep role definitions constant across accounts. Providers, roles, and policies
  45. 45. Smooth user experience AWS federation with SAML: At-scale demo AWS SDKs AWS CLI
  46. 46. Smooth user experience AWS federation with SAML: At-scale demo Key takeaways • Federation shouldn’t limit access vectors. • Getting users into groups should be automated and efficient. • Don’t create a “low-to-high” exposure in the back end. AWS SDKs AWS CLI
  47. 47. Under the hood AWS federation with SAML: At-scale demo IdP configurations AWS CloudTrail samples
  48. 48. Under the hood AWS federation with SAML: At-scale demo Key takeaways IdP configurations AWS CloudTrail samples • Naming conventions are critical. • Configurations should rely on patterns, not values. • Think about traceability now. • Tighter policies help reduce AWS account sprawl.
  49. 49. AWS federation with SAML: Looking beyond • For some: SAML bliss!
  50. 50. AWS federation with SAML: Looking beyond • For some: SAML bliss! • For others: Further needs. • Alternate user mapping • Curtail role sprawl • Curtail group sprawl • More granular, contextual policies
  51. 51. AWS federation with SAML: Looking beyond • For some: SAML bliss! • For others: Further needs. • Alternate user mapping • Curtail role sprawl • Curtail group sprawl • More granular, contextual policies • If so: • Custom identity broker
  52. 52. The journey: Federation using a custom identity broker
  53. 53. 3+ Years on AWS Several flagship products run on AWS including WSJ.com 3,000+ Amazon EC2 instances
  54. 54. How we interact with AWS Automate!
  55. 55. Our journey through identity management IAM users with static keys Nova v1 Basic roles Nova v2 Resource-level permissions, tagging standards Nova v3 Dynamic policy generation
  56. 56. Nova workflow: Bob the Engineer; PHP web application; Active Directory: look up group membership; Corporate SSO: authenticate w/ MFA; Nova database: group-to-role mappings; ask Bob which AWS account he would like to access based on available roles; IAM API: sts:AssumeRole for appropriate IAM role; access to AWS Management Console and keys for API/CLI access
  57. 57. Nova v1 basic roles General roles like “Developer” assignable to different AWS accounts Maps membership in AD groups to IAM roles Roles AWS accounts
  58. 58. Nova v1 basic roles. Active Directory group NOVA_PRODSHARED_DEVELOPER maps to IAM role nova.prodshared.developer with policy: { "Statement": [ { "Effect": "Allow", "Resource": ["*"], "Action": [ "ec2:AllocateAddress", "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:BundleInstance", "ec2:CancelBundleTask", "ec2:CancelConversionTask", "ec2:CancelExportTask", "ec2:CancelSpotInstanceRequests", "ec2:ConfirmProductInstance", "ec2:CopyImage", "ec2:CopySnapshot", "ec2:CreateImage", "ec2:CreateInstanceExportTask", "ec2:CreateKeyPair", "ec2:CreateNetworkInterface", "ec2:CreatePlacementGroup", "ec2:CreateSnapshot", "ec2:CreateSpotDatafeedSubscription", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteKeyPair", (action list cut off on the slide)
  59. 59. Nova v2 resource-level permissions Tagging and resource-level permissions matured Tagging resources by team enabled resource-level permissions by team Easy expansion, no changes necessary to Nova Roles
  60. 60. Nova v2 resource-level permissions. Active Directory group NOVA_PRODSHARED_DJCS_DEV maps to IAM role nova.prodshared.djcs.developer with policy: { "Statement": [ { "Effect": "Allow", "Resource": ["*"], "Condition": { "StringLike": { "ec2:ResourceTag/servicename": [ "djcs/*" ] } }, "Action": [ "ec2:AllocateAddress", "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:BundleInstance", "ec2:CancelBundleTask", "ec2:CancelConversionTask", "ec2:CancelExportTask", "ec2:CancelSpotInstanceRequests", "ec2:ConfirmProductInstance", "ec2:CopyImage", "ec2:CopySnapshot", (action list cut off on the slide)
  61. 61. Nova v3 dynamic policy generation. Resources (EC2 instances, Amazon RDS instance, Amazon Route 53 zone) tagged Application: Poseidon, Lifecycle: Prod. User flow: authenticate w/ MFA; select AWS account; select application; select lifecycle. Generated policy fragment: "Effect": "Allow", "Resource": ["*"], "Condition": { "StringLike": { "ec2:ResourceTag/Application": [ "Poseidon" ], "ec2:ResourceTag/Lifecycle": [ "Prod" ] } }, "Action": [ "ec2:AllocateAddress", "ec2:AssignPrivateIpAddresses", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:BundleInstance", "ec2:CancelBundleTask", "ec2:CancelConversionTask", "ec2:CancelExportTask", "ec2:CancelSpotInstanceRequests", "ec2:ConfirmProductInstance", "ec2:CopyImage", (action list cut off on the slide)
  62. 62. Your own journey: Rationalizing the decision-making process
  63. 63. Rationalizing the decision-making process (C) Copyright Marco Bellucci and licensed for reuse under the Creative Commons Attribution 2.0 Generic
  64. 64. Rationalizing the decision-making process • Existing federation investments? (C) Copyright Marco Bellucci and licensed for reuse under the Creative Commons Attribution 2.0 Generic
  65. 65. Rationalizing the decision-making process • Existing federation investments? • Federation needs beyond AWS? (C) Copyright Marco Bellucci and licensed for reuse under the Creative Commons Attribution 2.0 Generic
  66. 66. Rationalizing the decision-making process • Existing federation investments? • Federation needs beyond AWS? • Desired level of control vs. involvement? (C) Copyright Marco Bellucci and licensed for reuse under the Creative Commons Attribution 2.0 Generic
  67. 67. Rationalizing the decision-making process • Existing federation investments? • Federation needs beyond AWS? • Desired level of control vs. involvement? • Competency and bandwidth for application development? (C) Copyright Marco Bellucci and licensed for reuse under the Creative Commons Attribution 2.0 Generic
  68. 68. Rationalizing the decision-making process • Existing federation investments? • Federation needs beyond AWS? • Desired level of control vs. involvement? • Competency and bandwidth for application development? (C) Copyright Marco Bellucci and licensed for reuse under the Creative Commons Attribution 2.0 Generic
  69. 69. SAML Comparison: SAML vs. Custom identity broker Custom identity broker
  70. 70. SAML Pro: Low barrier to entry Pro: Federation beyond AWS Comparison: SAML vs. Custom identity broker Custom identity broker Pro: Granular and contextual policies Pro: Complete control
  71. 71. SAML Pro: Low barrier to entry Pro: Federation beyond AWS Con: Number of roles, groups Con: Add’l automation to scale Comparison: SAML vs. Custom identity broker Custom identity broker Pro: Granular and contextual policies Pro: Complete control Con: Development effort Con: Complex evaluations
  72. 72. SAML Pro: Low barrier to entry Pro: Federation beyond AWS Con: Number of roles, groups Con: Add’l automation to scale Choose SAML if you want a balanced federation approach. Comparison: SAML vs. Custom identity broker Custom identity broker Pro: Granular and contextual policies Pro: Complete control Con: Development effort Con: Complex evaluations Choose a custom identity broker if you prefer to increase federation involvement for the ultimate control.
  73. 73. Remember the principles of cloud architecture. • Don’t overanalyze – experiment and iterate.
  74. 74. Remember the principles of cloud architecture. • Don’t overanalyze – experiment and iterate. • Federation options are not mutually exclusive. • Several can exist in parallel. • Federation options use the same entities.
  75. 75. Remember the principles of cloud architecture. • Don’t overanalyze – experiment and iterate. • Federation options are not mutually exclusive. • Several can exist in parallel. • Federation options use the same entities. • Evolve your federation approach as your needs evolve. • Right for tomorrow is not always right for today.
  76. 76. Your own journey: Taking the first steps
  77. 77. Additional information • Session resources (code and samples) • AWS documentation • Manage Federation • Integrating Third-Party SAML Solution Providers with AWS • Request Information That You Can Use for Policy Variables • Custom Federation Broker • AWS blogs • Whitepaper—Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth • How to Implement a General Solution for Federated API/CLI Access Using SAML 2.0
  78. 78. Remember to complete your evaluations!
  79. 79. Thank you!
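The "under the hood" takeaways on slides 47 and 48 (naming conventions, configurations that rely on patterns rather than values, traceability in AWS CloudTrail) as an added example; this is not code from the session or its demo. The directory group naming convention, the account IDs, the SAML provider name and the CloudTrail record are constructed assumptions.

```python
import re
from typing import Dict, List

# Assumed group naming convention (constructed for this example):
#   AWS-<12-digit account id>-<RoleName>, e.g. AWS-111111111111-Developer
GROUP_PATTERN = re.compile(r"^AWS-(?P<account>\d{12})-(?P<role>[\w+=,.@-]+)$")
SAML_PROVIDER = "CorpIdP"  # assumed name of the IAM SAML provider in every account

def role_claims_for_groups(groups: List[str]) -> List[str]:
    # Each SAML 'Role' attribute value AWS accepts is '<role ARN>,<provider ARN>'.
    # Values are derived from the pattern, so onboarding a new account or role
    # means creating a correctly named group, not editing IdP configuration.
    # Groups that do not match the convention are ignored, so an unrelated group
    # can never grant an AWS role by accident.
    claims = []
    for group in groups:
        m = GROUP_PATTERN.match(group)
        if m is None:
            continue
        account, role = m.group("account"), m.group("role")
        claims.append(f"arn:aws:iam::{account}:role/{role},"
                      f"arn:aws:iam::{account}:saml-provider/{SAML_PROVIDER}")
    return claims

def attribute_saml_login(event: Dict) -> Dict[str, str]:
    # Trace an AssumeRoleWithSAML CloudTrail record back to the federated user.
    # userIdentity.userName carries the NameID the IdP asserted, so traceability
    # depends on the IdP sending a stable, human-readable NameID.
    if event.get("eventName") != "AssumeRoleWithSAML":
        raise ValueError("not an AssumeRoleWithSAML event")
    return {
        "user": event["userIdentity"]["userName"],
        "role_arn": event["requestParameters"]["roleArn"],
        "provider_arn": event["requestParameters"]["principalArn"],
        "session_arn": event["responseElements"]["assumedRoleUser"]["arn"],
    }

# Constructed sample input: two conforming groups and one unrelated group.
SAMPLE_GROUPS = ["AWS-111111111111-Developer", "Wiki-Editors", "AWS-222222222222-ReadOnly"]

# Constructed CloudTrail record, abbreviated to the fields used above.
SAMPLE_EVENT = {
    "eventName": "AssumeRoleWithSAML",
    "userIdentity": {"type": "SAMLUser", "userName": "alice@example.com"},
    "requestParameters": {
        "roleArn": "arn:aws:iam::111111111111:role/Developer",
        "principalArn": "arn:aws:iam::111111111111:saml-provider/CorpIdP"},
    "responseElements": {"assumedRoleUser": {
        "arn": "arn:aws:sts::111111111111:assumed-role/Developer/alice@example.com"}},
}
```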
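The custom identity broker flow of slides 56 through 61 (directory group to role mapping, MFA gate, Nova v3 style policy generated per request from Application and Lifecycle tags, then sts:AssumeRole) as an added example; this is not Nova's code or any AWS library code. The group-to-role table, account ID and action list are constructed stand-ins, and the STS client is injected so nothing here contacts AWS.

```python
import json
from typing import Dict, List

# Constructed stand-in for the Nova database's group-to-role mappings.
GROUP_TO_ROLE: Dict[str, str] = {
    "NOVA_PRODSHARED_DEVELOPER": "arn:aws:iam::111111111111:role/nova.prodshared.developer",
    "NOVA_PRODSHARED_DJCS_DEV": "arn:aws:iam::111111111111:role/nova.prodshared.djcs.developer",
}
# Short stand-in for the long ec2:* action list shown on the slides.
DEVELOPER_ACTIONS = ["ec2:AttachVolume", "ec2:CreateSnapshot", "ec2:CreateTags"]

def roles_for_user(groups: List[str]) -> List[str]:
    # Only roles reachable from a mapped directory group are ever offered.
    return [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]

def build_session_policy(application: str, lifecycle: str) -> str:
    # Nova v3 style: a policy generated per request, scoped by resource tags.
    # Passed as the Policy parameter of sts:AssumeRole it can only narrow the
    # role's own permissions, never widen them.
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": DEVELOPER_ACTIONS,
            "Resource": ["*"],
            "Condition": {"StringLike": {
                "ec2:ResourceTag/Application": [application],
                "ec2:ResourceTag/Lifecycle": [lifecycle]}},
        }],
    })

def broker_assume_role(sts, user: str, groups: List[str], role_arn: str,
                       application: str, lifecycle: str, mfa_verified: bool) -> Dict:
    # `sts` is any object exposing boto3's assume_role(**kwargs) signature;
    # it is injected so the entitlement logic can be exercised offline.
    # `user` must satisfy the RoleSessionName character rules ([\w+=,.@-]).
    if not mfa_verified:
        raise PermissionError("MFA must succeed before AWS access is brokered")
    if role_arn not in roles_for_user(groups):
        raise PermissionError(f"{user} is not entitled to {role_arn}")
    return sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=user,  # CloudTrail then shows assumed-role/<role>/<user>
        Policy=build_session_policy(application, lifecycle),
        DurationSeconds=3600,
    )
```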