SlideShare a Scribd company logo

AWS identity services - Enabling & securing your cloud journey - SEC202 - Santa Clara AWS Summit.pdf

Amazon Web Services
Amazon Web Services

Throughout your journey to the AWS Cloud, you will encounter and rely on a number of AWS identity services. In this session, we provide an overview of AWS identity services within the context of a typical cloud journey. Learn about each service, the capabilities it provides, and how the services fit and work together to provide you with a robust foundation and enable you to advance your journey with confidence and speed. Finally, we take a deeper look at a number of identity-based use cases, where the power and programmability of the cloud is radically simplifying implementation and strengthening security.

1 of 63
Download to read offline
S U M M I T SA NTA CLA R A
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T An overview of AWS identity services: enabling and securing your cloud journey Quint Van Deman Business Development Manager, Identity & Directory Services Amazon Web Services S E C 2 0 2
S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Calibration
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Disambiguation Identity Authentication, authorization, audit, and governance for your cloud workloads Our scope for today AWS Identity and Access Management (IAM) (the service) Authenticates and authorizes AWS APIs Includes (the subject)
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Our backdrop: Typical journey to AWS TIME VALUE
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Our goal: Shrinking the foundation
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Our metaphor AWS Infrastructure Application Builders Operators Users AWS Command Line Interface (AWS CLI)
S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Likely first questions • How many AWS accounts do I need? • How do I govern my AWS accounts? • How do I provide access into those accounts? • What permissions do my users have in those accounts?
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS identity services Application Infrastructure AWS platform AWS Organizations
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Introducing AWS Organizations Govern access to AWS services, resources, and regions Central governance and management for multiple AWS accounts Configure AWS services across multiple AWS accounts Automate AWS account creation and management Consolidate billing across multiple AWS accounts
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Primer: AWS accounts What really is an AWS account? • A container for AWS resources • A clear isolation boundary for: • Administration • Network access • Permissions/Resource sharing You can have any number of AWS accounts you want (within limits) One account designated as the master account, others are member accounts
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T What AWS accounts do I need? AWS opinionated views, solutions, and services
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T What AWS accounts do I need? Common options: • Per environment (dev, test, prod) • Per business unit per environment • Per app per environment • Per app per region per environment Seek a reasonable balance: • Isolation vs. maturity • Evolve over time Refining your own opinion
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS Organizations: Governing AWS accounts AWS Organizations Service control policies Service control policies us-east-1 us-west-2 ap-south-1 AWS account
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS Organizations: Managing AWS accounts AWS Artifact AWS CloudTrail Amazon CloudWatch AWS Config AWS Directory Service AWS Firewall Manager AWS License Manager AWS Resource Access Manager AWS Service Catalog AWS Single Sign-On AWS Services that you can use with AWS Organizations More coming!
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Next: Account access
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS identity services Application Infrastructure AWS platform AWS Organizations AWS SSO
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Introducing AWS Single Sign-On (AWS SSO) Centrally manage SSO access to multiple AWS accounts and business applications for your workforce Centrally manage access to multiple AWS accounts Easy to enable and use Use your choice of existing or cloud native identities Provide SSO access to business applications
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS SSO: Your choice of identity store AWS CloudCorporate data center Active Directory AWS Directory Service AWS SSO Users & Groups Option 1: Use corporate identities by connecting to and existing directory AWS Cloud AWS SSO Users & Groups Option 2: Create users in AWS SSO
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS SSO: Define permission sets Master account Member acct 1 Member acct N Uses AWS Organizations to retrieve your list and structure of accounts. Define permissions using standard syntax and tools. Definitions and policies automatically deployed and maintained in member accounts.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS SSO: Assign permission sets Master account Select users or groups Select desired permission set Grant access to one AWS account, an OU, or the entire Organization
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS SSO: User experience User authenticates Permission sets they’ve been granted Options for console or CLI/API access Access other business applications
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T What permissions do I give my users? Least privilege is a journey, not a starting point
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS identity services Application Infrastructure AWS platform AWS Organizations IAMAWS SSO
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Introducing AWS Identity and Access Management (IAM) Securely manage access to AWS services and resources Authenticateand authorize AWS APIs Specify policy-based permissions Provide fine-grained access controls for AWS actions and resources Provide short-term credentials for humans, machines, and applications
S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. IAM policy basics PARC model: • Principal – Who • Action – Can access • Resource – What • Condition – Under what conditions { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/Department": "Development“ } } } ] } P
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Short-term credential basics Macro pattern 1: Trust-based exchange Macro pattern 2: AWS delivered credentials Sourcecredential Time bound credentials returned Assuming a role through pre- established trust AWS compute service Provideidentity by passing a role Time bound credentials delivered and rotated
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Further exploration Understanding IAM primitives Understanding IAM policy AWS re:Invent 2018: A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) AWS re:Invent 2018: Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1)
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS account AWS account SAML federation into IAM AWS account SAML federation for the AWS Management Console, APIs, and CLI Self-paced workshop materials Achieve the same core result as SSO, more assembly level
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T It doesn’t depend So you want to manage access for a whole bunch of users into a whole bunch of roles in a whole bunch of AWS accounts? Based on features available as of March 2019; will change based on future launches.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Cloud builders: Ready to get building! AWS account VPC Amazon RDS Amazon EC2 Application “Control plane” – AWS APIs (creating, terminating, etc.) Builder Operator DBA “Data plane” – VPC connections (SSH, RDP, Database clients, etc.)
S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Likely first questions • How do I centrally authenticate users connecting to operating systems? • How do I control which users can connect to which instances? • How do I manage DBA access into relational database engines? • How do I manage service accounts (non-interactiveusers)?
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS identity services Application Infrastructure AWS platform AWS Organizations AWS Directory ServiceIAMAWS SSO
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Introducing: AWS Directory Service Managed Microsoft Active Directory in the AWS Cloud Easily migrate your directory-dependent workloads by leveraging a managed service Provide infrastructure access management without syncing identity data Use actual Microsoft Active Directory integrated with other AWS services and applications
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Establishing Active Directory in AWS AWS CloudCorporate data center Active Directory AWS Managed Microsoft AD Users & Groups LDAP, Kerberos, Referrals Trust Option 1: AWS Managed Microsoft AD with Trust Option 2: AD Connector with Service Principal AWS CloudCorporate data center Active Directory AD Connector Users & Groups LDAP, Kerberos Service princ. Option 3: Stand alone AWS Managed Microsoft AD AWS Cloud AWS Managed Microsoft AD Users & Groups Option X: Combinations of the above Option 4: Active Directory on EC2 with Replication AWS CloudCorporate data center Active Directory Self-managed Active Directory Users & Groups Replication
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Leveraging Active Directory in AWS AWS CloudCorporate data center Active Directory AWS Managed MicrosoftAD Users & Groups LDAP, Kerberos, Referrals Trust Amazon EC2 (Windows/Linux) Amazon RDS for SQL Server Amazon WorkSpaces Amazon Chime Amazon WorkDocs Amazon WorkMail Amazon QuickSight Amazon Connect Amazon FSx VPC AWS managed applications Windows application Operator access User access Domain join Provisioning
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T It doesn’t depend Operator access to EC2 Op System Operator access to Amazon RDS SQL Server User access to AWS managed applications Amazon FSx User access to apps on EC2 Managed Active Directory w/2-way trust Managed Active Directory w/1-way trust AD Connector AWS ManagedMicrosoft AD (standalone) Self-managed Active Directory on EC2 Choosing the right option to extend Active Directory domain services into AWS Current as of March 2019. Always consult documentationfor latest information.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Further exploration AWS Managed Microsoft AD deep dive AWS re:Invent 2018: Microsoft Active Directory Deep Dive (WIN303-R1)
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Identity for the infrastructure: Future steps Traditional Utopia • Domain joining
S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Likely first questions • How do I securely connect to AWS APIs from my infrastructure components? • How do I managed and deploy application credentials for connecting to relational databases?
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Deeper look: IAM roles for AWS compute services AWS credentials auto delivered and rotated AWS credentials auto discovered and used Access controlled by policy attached to role Your code Operating system Amazon EC2 instance AWS resources Also works with AWS Lambda & Amazon Elastic Container Service (Amazon ECS) Permissions Role Temporary security credential AWS SDKs Amazon DynamoDB Amazon Kinesis Amazon S3
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Accessing your resources IAM roles provide your applications a reliable, secure, auto-rotating solution for AWS credentials But what about: Database connection credentials? Third-party API keys? OAuth refresh tokens? How do we avoid the back alley exchange?
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS identity services Application Infrastructure AWS platform AWS Organizations AWS Secrets ManagerAWS Directory ServiceIAMAWS SSO
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Introducing AWS Secrets Manager Lifecycle management for secrets, such as database credentials and API keys Rotate secrets safely Pay as you goManage access with fine- grained policies Secure and audit secrets centrally
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS Secrets Manager Your code Operating system EC2 instance AWS resources Permissions Role Temporary security credential AWS SDKs Amazon DynamoDB Amazon Kinesis AWS Secrets Manager VPC Amazon RDS DBA AWS CloudFormation Authorized call to Secrets Manager DB creds loaded DB creds returned Connection established Safe rotation Combo provides a reliable, secure, auto-rotating solution for all credentials
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Further exploration Secrets Manager workshop
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Applications: Ready for users! AWS account VPC Amazon RDS Amazon EC2 Application Resource access: Relational databases Builder Operator DBA API access: AWS servicesAmazon S3 AWS Secrets Manager User
S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Likely first questions • How do I add sign-up and sign-in to my applications easily? • How do I add support for standards like OIDC or SAML? • How do I control access to business applications for my workforce?
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS identity services Application Infrastructure AWS platform AWS Organizations AWS Secrets ManagerAWS Directory ServiceIAM Amazon CognitoAWS SSO
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Introducing Amazon Cognito Simple and secure user sign-up, sign-in, and access control for web and mobile apps Offload undifferentiated identity heavy lifting Provide advanced security for your apps and users Use standards-based authentication Use your choice of existing or cloud native identities
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Amazon Cognito Get AWS credentials Access AWS services Authenticate 1 Redirect / Post back Access serverless backend Federating IdP IdPToken CUP TokenCUP Token CUP Token AWSSTS AWSSTS User pool tokens are used to access backend resources Identity pools provide AWS credentials to access AWS services User pools authenticate users and returns standard tokens 2 3 4 56 Amazon Cognito Amazon API Gateway AWS Lambda Amazon Cognito Amazon DynamoDB Amazon S3
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Further exploration Serverless Authenticationand Authorization session Serverless Authenticationand Authorization workshop
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Revisiting where we got ahead of ourselves, part 1 AWS CloudCorporate data center Active Directory AWS Managed MicrosoftAD Users & Groups LDAP, Kerberos, Referrals Trust VPC CustomSAML enabled application User access AWS SSO Custom SAML enabled application Internet SaaS application AWS SSO user portal AWS SSO: User access to business applications
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Revisiting where we got ahead of ourselves, part 2 AWS CloudCorporate data center Active Directory AWS Managed MicrosoftAD Users & Groups LDAP, Kerberos, Referrals Trust Amazon EC2 (Windows/Linux) Amazon WorkSpaces Amazon Chime Amazon WorkDocs Amazon WorkMail Amazon QuickSight Amazon Connect VPC AWS managed applications Windows Application User access AWS Directory Service: User access to windowsapplications and AWS managed applications
S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS identity services Application Infrastructure AWS platform AWS Organizations AWS Secrets ManagerAWS Directory ServiceIAM Amazon CognitoAWS SSO Lifecycle managementfor secrets Identity and access management for your apps & APIs Actual Microsoft Active Directory as a managed service on the AWS Cloud Fine-grained access management for AWS resources Manage single sign-on (SSO) access to multiple AWS accounts and business applications Central governance and management for multiple AWS accounts
Thank you! S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Quint Van Deman Find me on LinkedIn
S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.

Recommended

Simplify compliance & improve operational efficiency with AWS - SVC302 - Sant...
Simplify compliance & improve operational efficiency with AWS - SVC302 - Sant...Simplify compliance & improve operational efficiency with AWS - SVC302 - Sant...
Simplify compliance & improve operational efficiency with AWS - SVC302 - Sant...
Amazon Web Services
 
Developing Modern Applications in the Cloud
Developing Modern Applications in the CloudDeveloping Modern Applications in the Cloud
Developing Modern Applications in the Cloud
Amazon Web Services
 
How Millennium Management achieves provable security with AWS Zelkova - FSV30...
How Millennium Management achieves provable security with AWS Zelkova - FSV30...How Millennium Management achieves provable security with AWS Zelkova - FSV30...
How Millennium Management achieves provable security with AWS Zelkova - FSV30...
Amazon Web Services
 
Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...
Amazon Web Services
 
A tale of two customers - Simplified data protection with Veeam, N2WS & AWS -...
A tale of two customers - Simplified data protection with Veeam, N2WS & AWS -...A tale of two customers - Simplified data protection with Veeam, N2WS & AWS -...
A tale of two customers - Simplified data protection with Veeam, N2WS & AWS -...
Amazon Web Services
 
AWS networking fundamentals - SVC303 - Santa Clara AWS Summit
AWS networking fundamentals - SVC303 - Santa Clara AWS SummitAWS networking fundamentals - SVC303 - Santa Clara AWS Summit
AWS networking fundamentals - SVC303 - Santa Clara AWS Summit
Amazon Web Services
 
Threat detection and mitigation at AWS - SEC301 - Santa Clara AWS Summit
Threat detection and mitigation at AWS - SEC301 - Santa Clara AWS SummitThreat detection and mitigation at AWS - SEC301 - Santa Clara AWS Summit
Threat detection and mitigation at AWS - SEC301 - Santa Clara AWS Summit
Amazon Web Services
 
Journey into the Cloud with VMware Cloud on AWS: Deep Dive - CMP303 - Anaheim...
Journey into the Cloud with VMware Cloud on AWS: Deep Dive - CMP303 - Anaheim...Journey into the Cloud with VMware Cloud on AWS: Deep Dive - CMP303 - Anaheim...
Journey into the Cloud with VMware Cloud on AWS: Deep Dive - CMP303 - Anaheim...
Amazon Web Services
 

Recommended

Simplify compliance & improve operational efficiency with AWS - SVC302 - Sant...
Simplify compliance & improve operational efficiency with AWS - SVC302 - Sant...Simplify compliance & improve operational efficiency with AWS - SVC302 - Sant...
Simplify compliance & improve operational efficiency with AWS - SVC302 - Sant...
Amazon Web Services
 
Developing Modern Applications in the Cloud
Developing Modern Applications in the CloudDeveloping Modern Applications in the Cloud
Developing Modern Applications in the Cloud
Amazon Web Services
 
How Millennium Management achieves provable security with AWS Zelkova - FSV30...
How Millennium Management achieves provable security with AWS Zelkova - FSV30...How Millennium Management achieves provable security with AWS Zelkova - FSV30...
How Millennium Management achieves provable security with AWS Zelkova - FSV30...
Amazon Web Services
 
Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...
Amazon Web Services
 
A tale of two customers - Simplified data protection with Veeam, N2WS & AWS -...
A tale of two customers - Simplified data protection with Veeam, N2WS & AWS -...A tale of two customers - Simplified data protection with Veeam, N2WS & AWS -...
A tale of two customers - Simplified data protection with Veeam, N2WS & AWS -...
Amazon Web Services
 
AWS networking fundamentals - SVC303 - Santa Clara AWS Summit
AWS networking fundamentals - SVC303 - Santa Clara AWS SummitAWS networking fundamentals - SVC303 - Santa Clara AWS Summit
AWS networking fundamentals - SVC303 - Santa Clara AWS Summit
Amazon Web Services
 
Threat detection and mitigation at AWS - SEC301 - Santa Clara AWS Summit
Threat detection and mitigation at AWS - SEC301 - Santa Clara AWS SummitThreat detection and mitigation at AWS - SEC301 - Santa Clara AWS Summit
Threat detection and mitigation at AWS - SEC301 - Santa Clara AWS Summit
Amazon Web Services
 
Journey into the Cloud with VMware Cloud on AWS: Deep Dive - CMP303 - Anaheim...
Journey into the Cloud with VMware Cloud on AWS: Deep Dive - CMP303 - Anaheim...Journey into the Cloud with VMware Cloud on AWS: Deep Dive - CMP303 - Anaheim...
Journey into the Cloud with VMware Cloud on AWS: Deep Dive - CMP303 - Anaheim...
Amazon Web Services
 
Twelve-Factor serverless applications - MAD311 - Chicago AWS Summit
Twelve-Factor serverless applications - MAD311 - Chicago AWS SummitTwelve-Factor serverless applications - MAD311 - Chicago AWS Summit
Twelve-Factor serverless applications - MAD311 - Chicago AWS Summit
Amazon Web Services
 
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
Amazon Web Services
 
Database Freedom - ADB304 - Santa Clara AWS Summit
Database Freedom - ADB304 - Santa Clara AWS SummitDatabase Freedom - ADB304 - Santa Clara AWS Summit
Database Freedom - ADB304 - Santa Clara AWS Summit
Amazon Web Services
 
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Amazon Web Services
 
Compliance automation: Set it up fast, then code it your way - GRC330-R - AWS...
Compliance automation: Set it up fast, then code it your way - GRC330-R - AWS...Compliance automation: Set it up fast, then code it your way - GRC330-R - AWS...
Compliance automation: Set it up fast, then code it your way - GRC330-R - AWS...
Amazon Web Services
 
Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...
Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...
Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...
Amazon Web Services
 
Accelerating your Cloud Migration with VMware Cloud on AWS - SVC210 - Atlanta...
Accelerating your Cloud Migration with VMware Cloud on AWS - SVC210 - Atlanta...Accelerating your Cloud Migration with VMware Cloud on AWS - SVC210 - Atlanta...
Accelerating your Cloud Migration with VMware Cloud on AWS - SVC210 - Atlanta...
Amazon Web Services
 
Enable Agile Development with Amazon Linux WorkSpaces and WorkLink - SVC203 -...
Enable Agile Development with Amazon Linux WorkSpaces and WorkLink - SVC203 -...Enable Agile Development with Amazon Linux WorkSpaces and WorkLink - SVC203 -...
Enable Agile Development with Amazon Linux WorkSpaces and WorkLink - SVC203 -...
Amazon Web Services
 
Design with ops in mind | AWS Summit Tel Aviv 2019
Design with ops in mind | AWS Summit Tel Aviv 2019Design with ops in mind | AWS Summit Tel Aviv 2019
Design with ops in mind | AWS Summit Tel Aviv 2019
Amazon Web Services
 
Scalable serverless architectures using event-driven design - MAD301 - Atlant...
Scalable serverless architectures using event-driven design - MAD301 - Atlant...Scalable serverless architectures using event-driven design - MAD301 - Atlant...
Scalable serverless architectures using event-driven design - MAD301 - Atlant...
Amazon Web Services
 
從業人員指南-如何像技術專家一樣守護您的雲端安全
從業人員指南-如何像技術專家一樣守護您的雲端安全從業人員指南-如何像技術專家一樣守護您的雲端安全
從業人員指南-如何像技術專家一樣守護您的雲端安全
Amazon Web Services
 
Twelve-Factor Serverless Applications - MAD303 - Anaheim AWS Summit
Twelve-Factor Serverless Applications - MAD303 - Anaheim AWS SummitTwelve-Factor Serverless Applications - MAD303 - Anaheim AWS Summit
Twelve-Factor Serverless Applications - MAD303 - Anaheim AWS Summit
Amazon Web Services
 
AWS Foundational Services - AWSome Day Philadelphia 2019
AWS Foundational Services - AWSome Day Philadelphia 2019AWS Foundational Services - AWSome Day Philadelphia 2019
AWS Foundational Services - AWSome Day Philadelphia 2019
Amazon Web Services
 
.NET on AWS
.NET on AWS.NET on AWS
.NET on AWS
Amazon Web Services
 
AWSome Day Brasil - Março 2020
AWSome Day Brasil - Março 2020AWSome Day Brasil - Março 2020
AWSome Day Brasil - Março 2020
Amazon Web Services LATAM
 
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...
Amazon Web Services
 
Move desktops & applications to AWS with Amazon WorkSpaces & AppStream 2.0 - ...
Move desktops & applications to AWS with Amazon WorkSpaces & AppStream 2.0 - ...Move desktops & applications to AWS with Amazon WorkSpaces & AppStream 2.0 - ...
Move desktops & applications to AWS with Amazon WorkSpaces & AppStream 2.0 - ...
Amazon Web Services
 
AWSome Day Nairobi 2019
AWSome Day Nairobi 2019AWSome Day Nairobi 2019
AWSome Day Nairobi 2019
Amazon Web Services
 
Introduction to AWS OutIntroduction to AWS Outposts - CMP203 - Chicago AWS Su...
Introduction to AWS OutIntroduction to AWS Outposts - CMP203 - Chicago AWS Su...Introduction to AWS OutIntroduction to AWS Outposts - CMP203 - Chicago AWS Su...
Introduction to AWS OutIntroduction to AWS Outposts - CMP203 - Chicago AWS Su...
Amazon Web Services
 
Using automation to drive continuous-compliance best practices - SVC309 - Chi...
Using automation to drive continuous-compliance best practices - SVC309 - Chi...Using automation to drive continuous-compliance best practices - SVC309 - Chi...
Using automation to drive continuous-compliance best practices - SVC309 - Chi...
Amazon Web Services
 
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
Amazon Web Services
 
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...
Amazon Web Services
 

More Related Content

What's hot

Twelve-Factor serverless applications - MAD311 - Chicago AWS Summit
Twelve-Factor serverless applications - MAD311 - Chicago AWS SummitTwelve-Factor serverless applications - MAD311 - Chicago AWS Summit
Twelve-Factor serverless applications - MAD311 - Chicago AWS Summit
Amazon Web Services
 
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
Amazon Web Services
 
Database Freedom - ADB304 - Santa Clara AWS Summit
Database Freedom - ADB304 - Santa Clara AWS SummitDatabase Freedom - ADB304 - Santa Clara AWS Summit
Database Freedom - ADB304 - Santa Clara AWS Summit
Amazon Web Services
 
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Amazon Web Services
 
Compliance automation: Set it up fast, then code it your way - GRC330-R - AWS...
Compliance automation: Set it up fast, then code it your way - GRC330-R - AWS...Compliance automation: Set it up fast, then code it your way - GRC330-R - AWS...
Compliance automation: Set it up fast, then code it your way - GRC330-R - AWS...
Amazon Web Services
 
Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...
Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...
Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...
Amazon Web Services
 
Accelerating your Cloud Migration with VMware Cloud on AWS - SVC210 - Atlanta...
Accelerating your Cloud Migration with VMware Cloud on AWS - SVC210 - Atlanta...Accelerating your Cloud Migration with VMware Cloud on AWS - SVC210 - Atlanta...
Accelerating your Cloud Migration with VMware Cloud on AWS - SVC210 - Atlanta...
Amazon Web Services
 
Enable Agile Development with Amazon Linux WorkSpaces and WorkLink - SVC203 -...
Enable Agile Development with Amazon Linux WorkSpaces and WorkLink - SVC203 -...Enable Agile Development with Amazon Linux WorkSpaces and WorkLink - SVC203 -...
Enable Agile Development with Amazon Linux WorkSpaces and WorkLink - SVC203 -...
Amazon Web Services
 
Design with ops in mind | AWS Summit Tel Aviv 2019
Design with ops in mind | AWS Summit Tel Aviv 2019Design with ops in mind | AWS Summit Tel Aviv 2019
Design with ops in mind | AWS Summit Tel Aviv 2019
Amazon Web Services
 
Scalable serverless architectures using event-driven design - MAD301 - Atlant...
Scalable serverless architectures using event-driven design - MAD301 - Atlant...Scalable serverless architectures using event-driven design - MAD301 - Atlant...
Scalable serverless architectures using event-driven design - MAD301 - Atlant...
Amazon Web Services
 
從業人員指南-如何像技術專家一樣守護您的雲端安全
從業人員指南-如何像技術專家一樣守護您的雲端安全從業人員指南-如何像技術專家一樣守護您的雲端安全
從業人員指南-如何像技術專家一樣守護您的雲端安全
Amazon Web Services
 
Twelve-Factor Serverless Applications - MAD303 - Anaheim AWS Summit
Twelve-Factor Serverless Applications - MAD303 - Anaheim AWS SummitTwelve-Factor Serverless Applications - MAD303 - Anaheim AWS Summit
Twelve-Factor Serverless Applications - MAD303 - Anaheim AWS Summit
Amazon Web Services
 
AWS Foundational Services - AWSome Day Philadelphia 2019
AWS Foundational Services - AWSome Day Philadelphia 2019AWS Foundational Services - AWSome Day Philadelphia 2019
AWS Foundational Services - AWSome Day Philadelphia 2019
Amazon Web Services
 
.NET on AWS
.NET on AWS.NET on AWS
.NET on AWS
Amazon Web Services
 
AWSome Day Brasil - Março 2020
AWSome Day Brasil - Março 2020AWSome Day Brasil - Março 2020
AWSome Day Brasil - Março 2020
Amazon Web Services LATAM
 
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...
Amazon Web Services
 
Move desktops & applications to AWS with Amazon WorkSpaces & AppStream 2.0 - ...
Move desktops & applications to AWS with Amazon WorkSpaces & AppStream 2.0 - ...Move desktops & applications to AWS with Amazon WorkSpaces & AppStream 2.0 - ...
Move desktops & applications to AWS with Amazon WorkSpaces & AppStream 2.0 - ...
Amazon Web Services
 
AWSome Day Nairobi 2019
AWSome Day Nairobi 2019AWSome Day Nairobi 2019
AWSome Day Nairobi 2019
Amazon Web Services
 
Introduction to AWS OutIntroduction to AWS Outposts - CMP203 - Chicago AWS Su...
Introduction to AWS OutIntroduction to AWS Outposts - CMP203 - Chicago AWS Su...Introduction to AWS OutIntroduction to AWS Outposts - CMP203 - Chicago AWS Su...
Introduction to AWS OutIntroduction to AWS Outposts - CMP203 - Chicago AWS Su...
Amazon Web Services
 
Using automation to drive continuous-compliance best practices - SVC309 - Chi...
Using automation to drive continuous-compliance best practices - SVC309 - Chi...Using automation to drive continuous-compliance best practices - SVC309 - Chi...
Using automation to drive continuous-compliance best practices - SVC309 - Chi...
Amazon Web Services
 

What's hot (20)

Twelve-Factor serverless applications - MAD311 - Chicago AWS Summit
Twelve-Factor serverless applications - MAD311 - Chicago AWS SummitTwelve-Factor serverless applications - MAD311 - Chicago AWS Summit
Twelve-Factor serverless applications - MAD311 - Chicago AWS Summit
 
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
The evolution of continuous cloud security and compliance - DEM05-S - New Yor...
 
Database Freedom - ADB304 - Santa Clara AWS Summit
Database Freedom - ADB304 - Santa Clara AWS SummitDatabase Freedom - ADB304 - Santa Clara AWS Summit
Database Freedom - ADB304 - Santa Clara AWS Summit
 
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
 
Compliance automation: Set it up fast, then code it your way - GRC330-R - AWS...
Compliance automation: Set it up fast, then code it your way - GRC330-R - AWS...Compliance automation: Set it up fast, then code it your way - GRC330-R - AWS...
Compliance automation: Set it up fast, then code it your way - GRC330-R - AWS...
 
Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...
Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...
Building Enterprise Solutions with Blockchain and Ledger Technology - SVC202 ...
 
Accelerating your Cloud Migration with VMware Cloud on AWS - SVC210 - Atlanta...
Accelerating your Cloud Migration with VMware Cloud on AWS - SVC210 - Atlanta...Accelerating your Cloud Migration with VMware Cloud on AWS - SVC210 - Atlanta...
Accelerating your Cloud Migration with VMware Cloud on AWS - SVC210 - Atlanta...
 
Enable Agile Development with Amazon Linux WorkSpaces and WorkLink - SVC203 -...
Enable Agile Development with Amazon Linux WorkSpaces and WorkLink - SVC203 -...Enable Agile Development with Amazon Linux WorkSpaces and WorkLink - SVC203 -...
Enable Agile Development with Amazon Linux WorkSpaces and WorkLink - SVC203 -...
 
Design with ops in mind | AWS Summit Tel Aviv 2019
Design with ops in mind | AWS Summit Tel Aviv 2019Design with ops in mind | AWS Summit Tel Aviv 2019
Design with ops in mind | AWS Summit Tel Aviv 2019
 
Scalable serverless architectures using event-driven design - MAD301 - Atlant...
Scalable serverless architectures using event-driven design - MAD301 - Atlant...Scalable serverless architectures using event-driven design - MAD301 - Atlant...
Scalable serverless architectures using event-driven design - MAD301 - Atlant...
 
從業人員指南-如何像技術專家一樣守護您的雲端安全
從業人員指南-如何像技術專家一樣守護您的雲端安全從業人員指南-如何像技術專家一樣守護您的雲端安全
從業人員指南-如何像技術專家一樣守護您的雲端安全
 
Twelve-Factor Serverless Applications - MAD303 - Anaheim AWS Summit
Twelve-Factor Serverless Applications - MAD303 - Anaheim AWS SummitTwelve-Factor Serverless Applications - MAD303 - Anaheim AWS Summit
Twelve-Factor Serverless Applications - MAD303 - Anaheim AWS Summit
 
AWS Foundational Services - AWSome Day Philadelphia 2019
AWS Foundational Services - AWSome Day Philadelphia 2019AWS Foundational Services - AWSome Day Philadelphia 2019
AWS Foundational Services - AWSome Day Philadelphia 2019
 
.NET on AWS
.NET on AWS.NET on AWS
.NET on AWS
 
AWSome Day Brasil - Março 2020
AWSome Day Brasil - Março 2020AWSome Day Brasil - Março 2020
AWSome Day Brasil - Março 2020
 
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...
Secure Your Data with Recommended Best Practices Enabled by AWS Security and ...
 
Move desktops & applications to AWS with Amazon WorkSpaces & AppStream 2.0 - ...
Move desktops & applications to AWS with Amazon WorkSpaces & AppStream 2.0 - ...Move desktops & applications to AWS with Amazon WorkSpaces & AppStream 2.0 - ...
Move desktops & applications to AWS with Amazon WorkSpaces & AppStream 2.0 - ...
 
AWSome Day Nairobi 2019
AWSome Day Nairobi 2019AWSome Day Nairobi 2019
AWSome Day Nairobi 2019
 
Introduction to AWS OutIntroduction to AWS Outposts - CMP203 - Chicago AWS Su...
Introduction to AWS OutIntroduction to AWS Outposts - CMP203 - Chicago AWS Su...Introduction to AWS OutIntroduction to AWS Outposts - CMP203 - Chicago AWS Su...
Introduction to AWS OutIntroduction to AWS Outposts - CMP203 - Chicago AWS Su...
 
Using automation to drive continuous-compliance best practices - SVC309 - Chi...
Using automation to drive continuous-compliance best practices - SVC309 - Chi...Using automation to drive continuous-compliance best practices - SVC309 - Chi...
Using automation to drive continuous-compliance best practices - SVC309 - Chi...
 

Similar to AWS identity services - Enabling & securing your cloud journey - SEC202 - Santa Clara AWS Summit.pdf

AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
Amazon Web Services
 
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...
Amazon Web Services
 
Best practices for choosing identity solutions for applications + workloads -...
Best practices for choosing identity solutions for applications + workloads -...Best practices for choosing identity solutions for applications + workloads -...
Best practices for choosing identity solutions for applications + workloads -...
Amazon Web Services
 
So You've Got ATO - Are You Sure You are Secure?
So You've Got ATO - Are You Sure You are Secure?So You've Got ATO - Are You Sure You are Secure?
So You've Got ATO - Are You Sure You are Secure?
Amazon Web Services
 
Identity and Access Management and Directory Services
Identity and Access Management and Directory ServicesIdentity and Access Management and Directory Services
Identity and Access Management and Directory Services
Amazon Web Services
 
AWS Identity Access Management
AWS Identity Access ManagementAWS Identity Access Management
AWS Identity Access Management
Richard Harvey
 
AWS Summit Singapore 2019 | Next Generation Audit & Compliance - Learn how RH...
AWS Summit Singapore 2019 | Next Generation Audit & Compliance - Learn how RH...AWS Summit Singapore 2019 | Next Generation Audit & Compliance - Learn how RH...
AWS Summit Singapore 2019 | Next Generation Audit & Compliance - Learn how RH...
AWS Summits
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control Tower
Amazon Web Services
 
Architecting security and governance across your AWS environment
Architecting security and governance across your AWS environmentArchitecting security and governance across your AWS environment
Architecting security and governance across your AWS environment
Amazon Web Services
 
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...
Amazon Web Services
 
Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...
Amazon Web Services
 
AWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAmazon Web Services
 
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019 The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
Amazon Web Services
 
AWSome Day 2019 - Detroit
AWSome Day 2019 - DetroitAWSome Day 2019 - Detroit
AWSome Day 2019 - Detroit
Amazon Web Services
 
Sicurezza in AWS automazione e best practice
Sicurezza in AWS automazione e best practiceSicurezza in AWS automazione e best practice
Sicurezza in AWS automazione e best practice
Amazon Web Services
 
Accelerating Cloud Adoption in Federal Government and Regulated Sectors with ...
Accelerating Cloud Adoption in Federal Government and Regulated Sectors with ...Accelerating Cloud Adoption in Federal Government and Regulated Sectors with ...
Accelerating Cloud Adoption in Federal Government and Regulated Sectors with ...
Amazon Web Services
 
AWS Introduction & History - AWSome Day Philadelphia 2019
AWS Introduction & History - AWSome Day Philadelphia 2019AWS Introduction & History - AWSome Day Philadelphia 2019
AWS Introduction & History - AWSome Day Philadelphia 2019
Amazon Web Services
 
How You Can Use AWS Identity Services to Be Successful on Your AWS Cloud Journey
How You Can Use AWS Identity Services to Be Successful on Your AWS Cloud JourneyHow You Can Use AWS Identity Services to Be Successful on Your AWS Cloud Journey
How You Can Use AWS Identity Services to Be Successful on Your AWS Cloud Journey
Amazon Web Services
 
Scale - Best Practices for Migrating your Microsoft Workloads to AWS
Scale - Best Practices for Migrating your Microsoft Workloads to AWSScale - Best Practices for Migrating your Microsoft Workloads to AWS
Scale - Best Practices for Migrating your Microsoft Workloads to AWS
Amazon Web Services
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS Security
Amazon Web Services
 

Similar to AWS identity services - Enabling & securing your cloud journey - SEC202 - Santa Clara AWS Summit.pdf (20)

AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
 
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ch...
 
Best practices for choosing identity solutions for applications + workloads -...
Best practices for choosing identity solutions for applications + workloads -...Best practices for choosing identity solutions for applications + workloads -...
Best practices for choosing identity solutions for applications + workloads -...
 
So You've Got ATO - Are You Sure You are Secure?
So You've Got ATO - Are You Sure You are Secure?So You've Got ATO - Are You Sure You are Secure?
So You've Got ATO - Are You Sure You are Secure?
 
Identity and Access Management and Directory Services
Identity and Access Management and Directory ServicesIdentity and Access Management and Directory Services
Identity and Access Management and Directory Services
 
AWS Identity Access Management
AWS Identity Access ManagementAWS Identity Access Management
AWS Identity Access Management
 
AWS Summit Singapore 2019 | Next Generation Audit & Compliance - Learn how RH...
AWS Summit Singapore 2019 | Next Generation Audit & Compliance - Learn how RH...AWS Summit Singapore 2019 | Next Generation Audit & Compliance - Learn how RH...
AWS Summit Singapore 2019 | Next Generation Audit & Compliance - Learn how RH...
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control Tower
 
Architecting security and governance across your AWS environment
Architecting security and governance across your AWS environmentArchitecting security and governance across your AWS environment
Architecting security and governance across your AWS environment
 
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...
AWS Security, IAM, Databases, Elasticity, Management Tools - AWSome Day Phila...
 
Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...
 
AWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best Practices
 
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019 The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
 
AWSome Day 2019 - Detroit
AWSome Day 2019 - DetroitAWSome Day 2019 - Detroit
AWSome Day 2019 - Detroit
 
Sicurezza in AWS automazione e best practice
Sicurezza in AWS automazione e best practiceSicurezza in AWS automazione e best practice
Sicurezza in AWS automazione e best practice
 
Accelerating Cloud Adoption in Federal Government and Regulated Sectors with ...
Accelerating Cloud Adoption in Federal Government and Regulated Sectors with ...Accelerating Cloud Adoption in Federal Government and Regulated Sectors with ...
Accelerating Cloud Adoption in Federal Government and Regulated Sectors with ...
 
AWS Introduction & History - AWSome Day Philadelphia 2019
AWS Introduction & History - AWSome Day Philadelphia 2019AWS Introduction & History - AWSome Day Philadelphia 2019
AWS Introduction & History - AWSome Day Philadelphia 2019
 
How You Can Use AWS Identity Services to Be Successful on Your AWS Cloud Journey
How You Can Use AWS Identity Services to Be Successful on Your AWS Cloud JourneyHow You Can Use AWS Identity Services to Be Successful on Your AWS Cloud Journey
How You Can Use AWS Identity Services to Be Successful on Your AWS Cloud Journey
 
Scale - Best Practices for Migrating your Microsoft Workloads to AWS
Scale - Best Practices for Migrating your Microsoft Workloads to AWSScale - Best Practices for Migrating your Microsoft Workloads to AWS
Scale - Best Practices for Migrating your Microsoft Workloads to AWS
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS Security
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
Amazon Web Services
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

AWS identity services - Enabling & securing your cloud journey - SEC202 - Santa Clara AWS Summit.pdf

  • 1. S U M M I T SA NTA CLA R A
  • 2. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T An overview of AWS identity services: enabling and securing your cloud journey Quint Van Deman Business Development Manager, Identity & Directory Services Amazon Web Services S E C 2 0 2
  • 3. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 4. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Calibration
  • 5. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Disambiguation Identity Authentication, authorization, audit, and governance for your cloud workloads Our scope for today AWS Identity and Access Management (IAM) (the service) Authenticates and authorizes AWS APIs Includes (the subject)
  • 6. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Our backdrop: Typical journey to AWS TIME VALUE
  • 7. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Our goal: Shrinking the foundation
  • 8. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Our metaphor AWS Infrastructure Application Builders Operators Users AWS Command Line Interface (AWS CLI)
  • 9. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 10. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Likely first questions • How many AWS accounts do I need? • How do I govern my AWS accounts? • How do I provide access into those accounts? • What permissions do my users have in those accounts?
  • 11. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS identity services Application Infrastructure AWS platform AWS Organizations
  • 12. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Introducing AWS Organizations Govern access to AWS services, resources, and regions Central governance and management for multiple AWS accounts Configure AWS services across multiple AWS accounts Automate AWS account creation and management Consolidate billing across multiple AWS accounts
  • 13. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Primer: AWS accounts What really is an AWS account? • A container for AWS resources • A clear isolation boundary for: • Administration • Network access • Permissions/Resource sharing You can have any number of AWS accounts you want (within limits) One account designated as the master account, others are member accounts
  • 14. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T What AWS accounts do I need? AWS opinionated views, solutions, and services
  • 15. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T What AWS accounts do I need? Common options: • Per environment (dev, test, prod) • Per business unit per environment • Per app per environment • Per app per region per environment Seek a reasonable balance: • Isolation vs. maturity • Evolve over time Refining your own opinion
  • 16. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS Organizations: Governing AWS accounts AWS Organizations Service control policies Service control policies us-east-1 us-west-2 ap-south-1 AWS account
  • 17. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS Organizations: Managing AWS accounts AWS Artifact AWS CloudTrail Amazon CloudWatch AWS Config AWS Directory Service AWS Firewall Manager AWS License Manager AWS Resource Access Manager AWS Service Catalog AWS Single Sign-On AWS Services that you can use with AWS Organizations More coming!
  • 18. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Next: Account access
  • 19. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS identity services Application Infrastructure AWS platform AWS Organizations AWS SSO
  • 20. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Introducing AWS Single Sign-On (AWS SSO) Centrally manage SSO access to multiple AWS accounts and business applications for your workforce Centrally manage access to multiple AWS accounts Easy to enable and use Use your choice of existing or cloud native identities Provide SSO access to business applications
  • 21. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS SSO: Your choice of identity store AWS CloudCorporate data center Active Directory AWS Directory Service AWS SSO Users & Groups Option 1: Use corporate identities by connecting to and existing directory AWS Cloud AWS SSO Users & Groups Option 2: Create users in AWS SSO
  • 22. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS SSO: Define permission sets Master account Member acct 1 Member acct N Uses AWS Organizations to retrieve your list and structure of accounts. Define permissions using standard syntax and tools. Definitions and policies automatically deployed and maintained in member accounts.
  • 23. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS SSO: Assign permission sets Master account Select users or groups Select desired permission set Grant access to one AWS account, an OU, or the entire Organization
  • 24. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS SSO: User experience User authenticates Permission sets they’ve been granted Options for console or CLI/API access Access other business applications
  • 25. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T What permissions do I give my users? Least privilege is a journey, not a starting point
  • 26. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS identity services Application Infrastructure AWS platform AWS Organizations IAMAWS SSO
  • 27. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Introducing AWS Identity and Access Management (IAM) Securely manage access to AWS services and resources Authenticateand authorize AWS APIs Specify policy-based permissions Provide fine-grained access controls for AWS actions and resources Provide short-term credentials for humans, machines, and applications
  • 28. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. IAM policy basics PARC model: • Principal – Who • Action – Can access • Resource – What • Condition – Under what conditions { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/Department": "Development“ } } } ] } P
  • 29. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Short-term credential basics Macro pattern 1: Trust-based exchange Macro pattern 2: AWS delivered credentials Sourcecredential Time bound credentials returned Assuming a role through pre- established trust AWS compute service Provideidentity by passing a role Time bound credentials delivered and rotated
  • 30. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Further exploration Understanding IAM primitives Understanding IAM policy AWS re:Invent 2018: A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) AWS re:Invent 2018: Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1)
  • 31. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS account AWS account SAML federation into IAM AWS account SAML federation for the AWS Management Console, APIs, and CLI Self-paced workshop materials Achieve the same core result as SSO, more assembly level
  • 32. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T It doesn’t depend So you want to manage access for a whole bunch of users into a whole bunch of roles in a whole bunch of AWS accounts? Based on features available as of March 2019; will change based on future launches.
  • 33. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Cloud builders: Ready to get building! AWS account VPC Amazon RDS Amazon EC2 Application “Control plane” – AWS APIs (creating, terminating, etc.) Builder Operator DBA “Data plane” – VPC connections (SSH, RDP, Database clients, etc.)
  • 34. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 35. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Likely first questions • How do I centrally authenticate users connecting to operating systems? • How do I control which users can connect to which instances? • How do I manage DBA access into relational database engines? • How do I manage service accounts (non-interactiveusers)?
  • 36. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS identity services Application Infrastructure AWS platform AWS Organizations AWS Directory ServiceIAMAWS SSO
  • 37. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Introducing: AWS Directory Service Managed Microsoft Active Directory in the AWS Cloud Easily migrate your directory-dependent workloads by leveraging a managed service Provide infrastructure access management without syncing identity data Use actual Microsoft Active Directory integrated with other AWS services and applications
  • 38. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Establishing Active Directory in AWS AWS CloudCorporate data center Active Directory AWS Managed Microsoft AD Users & Groups LDAP, Kerberos, Referrals Trust Option 1: AWS Managed Microsoft AD with Trust Option 2: AD Connector with Service Principal AWS CloudCorporate data center Active Directory AD Connector Users & Groups LDAP, Kerberos Service princ. Option 3: Stand alone AWS Managed Microsoft AD AWS Cloud AWS Managed Microsoft AD Users & Groups Option X: Combinations of the above Option 4: Active Directory on EC2 with Replication AWS CloudCorporate data center Active Directory Self-managed Active Directory Users & Groups Replication
  • 39. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Leveraging Active Directory in AWS AWS CloudCorporate data center Active Directory AWS Managed MicrosoftAD Users & Groups LDAP, Kerberos, Referrals Trust Amazon EC2 (Windows/Linux) Amazon RDS for SQL Server Amazon WorkSpaces Amazon Chime Amazon WorkDocs Amazon WorkMail Amazon QuickSight Amazon Connect Amazon FSx VPC AWS managed applications Windows application Operator access User access Domain join Provisioning
  • 40. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T It doesn’t depend Operator access to EC2 Op System Operator access to Amazon RDS SQL Server User access to AWS managed applications Amazon FSx User access to apps on EC2 Managed Active Directory w/2-way trust Managed Active Directory w/1-way trust AD Connector AWS ManagedMicrosoft AD (standalone) Self-managed Active Directory on EC2 Choosing the right option to extend Active Directory domain services into AWS Current as of March 2019. Always consult documentationfor latest information.
  • 41. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Further exploration AWS Managed Microsoft AD deep dive AWS re:Invent 2018: Microsoft Active Directory Deep Dive (WIN303-R1)
  • 42. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Identity for the infrastructure: Future steps Traditional Utopia • Domain joining
  • 43. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 44. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Likely first questions • How do I securely connect to AWS APIs from my infrastructure components? • How do I managed and deploy application credentials for connecting to relational databases?
  • 45. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Deeper look: IAM roles for AWS compute services AWS credentials auto delivered and rotated AWS credentials auto discovered and used Access controlled by policy attached to role Your code Operating system Amazon EC2 instance AWS resources Also works with AWS Lambda & Amazon Elastic Container Service (Amazon ECS) Permissions Role Temporary security credential AWS SDKs Amazon DynamoDB Amazon Kinesis Amazon S3
  • 46. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Accessing your resources IAM roles provide your applications a reliable, secure, auto-rotating solution for AWS credentials But what about: Database connection credentials? Third-party API keys? OAuth refresh tokens? How do we avoid the back alley exchange?
  • 47. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS identity services Application Infrastructure AWS platform AWS Organizations AWS Secrets ManagerAWS Directory ServiceIAMAWS SSO
  • 48. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Introducing AWS Secrets Manager Lifecycle management for secrets, such as database credentials and API keys Rotate secrets safely Pay as you goManage access with fine- grained policies Secure and audit secrets centrally
  • 49. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS Secrets Manager Your code Operating system EC2 instance AWS resources Permissions Role Temporary security credential AWS SDKs Amazon DynamoDB Amazon Kinesis AWS Secrets Manager VPC Amazon RDS DBA AWS CloudFormation Authorized call to Secrets Manager DB creds loaded DB creds returned Connection established Safe rotation Combo provides a reliable, secure, auto-rotating solution for all credentials
  • 50. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Further exploration Secrets Manager workshop
  • 51. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Applications: Ready for users! AWS account VPC Amazon RDS Amazon EC2 Application Resource access: Relational databases Builder Operator DBA API access: AWS servicesAmazon S3 AWS Secrets Manager User
  • 52. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 53. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Likely first questions • How do I add sign-up and sign-in to my applications easily? • How do I add support for standards like OIDC or SAML? • How do I control access to business applications for my workforce?
  • 54. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS identity services Application Infrastructure AWS platform AWS Organizations AWS Secrets ManagerAWS Directory ServiceIAM Amazon CognitoAWS SSO
  • 55. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Introducing Amazon Cognito Simple and secure user sign-up, sign-in, and access control for web and mobile apps Offload undifferentiated identity heavy lifting Provide advanced security for your apps and users Use standards-based authentication Use your choice of existing or cloud native identities
  • 56. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Amazon Cognito Get AWS credentials Access AWS services Authenticate 1 Redirect / Post back Access serverless backend Federating IdP IdPToken CUP TokenCUP Token CUP Token AWSSTS AWSSTS User pool tokens are used to access backend resources Identity pools provide AWS credentials to access AWS services User pools authenticate users and returns standard tokens 2 3 4 56 Amazon Cognito Amazon API Gateway AWS Lambda Amazon Cognito Amazon DynamoDB Amazon S3
  • 57. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Further exploration Serverless Authenticationand Authorization session Serverless Authenticationand Authorization workshop
  • 58. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Revisiting where we got ahead of ourselves, part 1 AWS CloudCorporate data center Active Directory AWS Managed MicrosoftAD Users & Groups LDAP, Kerberos, Referrals Trust VPC CustomSAML enabled application User access AWS SSO Custom SAML enabled application Internet SaaS application AWS SSO user portal AWS SSO: User access to business applications
  • 59. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T Revisiting where we got ahead of ourselves, part 2 AWS CloudCorporate data center Active Directory AWS Managed MicrosoftAD Users & Groups LDAP, Kerberos, Referrals Trust Amazon EC2 (Windows/Linux) Amazon WorkSpaces Amazon Chime Amazon WorkDocs Amazon WorkMail Amazon QuickSight Amazon Connect VPC AWS managed applications Windows Application User access AWS Directory Service: User access to windowsapplications and AWS managed applications
  • 60. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.
  • 61. © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.S UM M I T AWS identity services Application Infrastructure AWS platform AWS Organizations AWS Secrets ManagerAWS Directory ServiceIAM Amazon CognitoAWS SSO Lifecycle managementfor secrets Identity and access management for your apps & APIs Actual Microsoft Active Directory as a managed service on the AWS Cloud Fine-grained access management for AWS resources Manage single sign-on (SSO) access to multiple AWS accounts and business applications Central governance and management for multiple AWS accounts
  • 62. Thank you! S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved. Quint Van Deman Find me on LinkedIn
  • 63. S UM M I T © 2019, Amazon Web Services, Inc. orits affiliates. All rights reserved.