SlideShare a Scribd company logo
1 of 48
Download to read offline
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Evolving perimeters with guardrails, not gates:
Improving developer agility
Charlie Hammell
Principal Enterprise Architect
AWS
S D D 3 3 1
David Hocky
Cloud Solutions Architect
Comcast
Christopher Power
Cloud Solutions Architect
Comcast
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
AWS Identity and Access Management (IAM) primer
Role assumption and identity federation
Permissions boundaries
AWS Organizations and Service Control Policies
Comcast’s governance journey and implementation
Federated user access experience
Enabling role management at scale with permissions boundaries
AWS Organizations and Service Control Policies in practice
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Request
Actions, resources, principals,
environment data, resource data
IAM primer
Principals
Users
(and groups)
Roles
(assumed, delegated,
federated, service-linked)
Applications
Authentication
Resources
Authorization
Resource-based policies Other policies
(trust, permissions boundary)
Identity-based policies
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS STS assume role
prod@example.com
Acct ID: 111122223333
ddb-role
dev@example.com
Acct ID: 123456789012
Call AWS APIs using
temporary security
credentials of ddb-role
IAM user: Alice
Get temporary
security credentials
for ddb-role
Authenticate with
Anders’ access keys
ddb-role trusts IAM users from the
AWS account dev@example.com (123456789012)
{ "Statement": [
{
"Effect":"Allow",
"Principal":{"AWS":"123456789012"},
"Action":"sts:AssumeRole"
}]}
Permissions assigned to Anders granting him permission
to assume ddb-role in account B
{ "Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::111122223333:role/ddb-role"
}]}
Permissions assigned to ddb-role
{ "Statement": [
{ "Action":
[
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:ListTables"
],
"Effect": "Allow",
"Resource":"arn:aws:dynamodb:us-east-1:
123456789012:table/books"
}]}
Books
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
User logs
in to portal
Corporate data center
Enterprise (identity provider) AWS (service provider)
Browser interface
Identity store
Identity
Provider
Portal
1
3
2
4
5
AWS sign-in
User
authenticated
Receive
response
(SAML
assertion)
Post the SAML assertion
to sign-in
Redirected to AWS
Management Console
Identity federation
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Permissions boundary
Limit the maximum permissions of the principals created by delegated admins
• Certain IAM permissions
(such as PutUserPolicy and
AttachRolePolicy) were essentially
god-like
• Self-service permissions
management required non-trivial
automation
• Administrator can grant previously
god-like permissions, but specify a
permissions boundary
• Allows developers the ability to
create principals and attach
policies, but only within the
boundary
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM-delegated administration
Account admin step 1: Create a permissions boundary policy preventing deletion of critical logs (CompanyBoundary)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ServiceBoundaries",
"Effect": "Allow",
"Action": [
"s3:*",
"cloudwatch:*",
"ec2:*",
"dynamodb:*",
“lambda:*”,
"iam:ListUsers"
],
"Resource": "*"
},
{
"Sid": ”DenyProjectxyzS3Access",
"Effect": "Deny",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::projectxyz",
"arn:aws:s3:::projectxyz/*"
]
}...
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM-delegated administration
Account admin step 2: Create a permissions policy allowing the creation of IAM roles, but only if CompanyBoundary is specified;
attach permissions policy to delegated IAM admin principal
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"SetPermissionsBoundary",
"Effect":"Allow",
"Action":[
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"
],
"Resource":"arn:aws:iam::123456789012:role/AppRoles/*",
"Condition":{
"StringEquals":{
"iam:PermissionsBoundary":"arn:aws:iam::123456789012:policy/CompanyBoundary"
}
}
},
{
"Sid":"CreateAndEditPermissionsPolicy",
"Effect":"Allow",
"Action":[
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion"
],
"Resource":"arn:aws:iam::123456789012:policy/AppPolicies/*"
}
]
}
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM-delegated administration
Delegated IAM admin step 1: Create an IAM role specifying a path and a permissions boundary
aws iam create-role
--role-name MyTestAppRole
--path /AppRoles/
--permissions-boundary arn:aws:iam::123456789012:policy/CompanyBoundary
--assume-role-policy-document file://Role_Trust_Policy_Text.json
Delegated IAM admin step 2: Create a permissions policy allowing full access to Amazon S3
aws iam create-policy
--policy-name MyTestAppPermissions
--path /AppPolicies/
--policy-document file://MyTestAppPermissions.json
Delegated IAM admin step 3: Attach the policy to the newly created role
aws iam attach-role-policy
--role-name MyTestAppRole
--policy-arn arn:aws:iam::123456789012:policy/AppPolicies/MyTestAppPermissions
{
"Effect":"Allow",
"Action":"s3:*",
"Resource":"*"
}
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Effective permission
Permission policy
{
"Effect":"Allow",
"Action":"s3:*",
"Resource":"*"
}
Permissions boundary
{
"Sid": "DenyProjectxyzS3Access",
"Effect": "Deny",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::projectxyz",
"arn:aws:s3:::projectxyz/*"
]
}...
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Effective permission
Permissions
boundary
Permissions
policy
Allow: s3:* Allow: sqs:*
Allow: ec2:*Allow: ec2:*
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
A1 A3
M Master account
Organizational unit (OU)
Service control
policies (SCPs)
Dev Test Prod
AWS accountsA5A4A2 A7A6
AWS Organizations
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
SCPs
• Enable you to control which AWS service APIs are accessible
• Define the list of APIs that are allowed, or
• Define the list of APIs that must be blocked
• Cannot be overridden by local administrator
• Are necessary but not sufficient!
• Effective permission on IAM user/role is the intersection between the SCP and
assigned IAM permissions
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Organizations and permissions boundaries
sqs:*s3:*
ec2:*
sns:*
SCP
Permissions
boundary
Permissions policy
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Policy evaluation
No
Deny evaluation:
Implicit deny, look for
an explicit deny
Yes
AWS Organizations
boundaries (SCP):
Is there an allow?
Yes
Principal boundaries
(permissions
boundaries):
Is there an allow?
Yes
AWS STS assume role
policies:
Is there an allow?
Yes
Permissions:
Is there an allow?
(identity-based,
resource-based)
Final decision allow
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Connectingyoutowhatmatters
Comcast creates incredible
technology and entertainment
that connects millions of people
to the moments and experiences
that matter most.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Landscape
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Guiding principles
Guardrails,
not gates
Developer
experience
Scalability
Security
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Developer experience means
Agility
Ability to move quickly, scale, and change direction as necessary
Choice
Architecture, cloud services, and tooling that works for your team and use case
Native experience
Provide native access, and respect SDKs and tooling wherever possible
Support for modern development practices
Infrastructure as code, automation, CI/CD
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Example
AWS Lambda
Amazon DynamoDBAmazon API Gateway
Client
Amazon CloudWatch AWS X-Ray
AWS Lambda
Role
RoleRole
User story
As a developer, I would like to
have an authenticated API that
reads properties from our
database so that I can present
relevant information to our
customers
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What we want to avoid
AWS Lambda
Amazon DynamoDBAmazon API Gateway
User story
As a developer, I would like to
[submit a ticket so that I can] have
an authenticated API that reads
properties from our database so
that I can present relevant
information to our customers
[after I inevitably forget something
and have to open another ticket].
Client
Amazon CloudWatch AWS X-Ray
AWS Lambda
Role
RoleRole
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Our governance toolkit
Third-party
software
Custom tooling
AWS IAM AWS CloudTrail AWS Config
Amazon GuardDuty
SSO
MFA token
AWS Organizations
Accounts
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Advantages to identity federation
• Single sign-on for all federated users
• Integration with enterprise MFA
• Temporary access keys/secrets (max 12 hours)
• User lifecycle tied directly to HR systems
• Consistent user credentials across all AWS accounts
• Enables move from IAM users to IAM roles for people
Federated User Access
Single sign-on, MFA
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challengeswith identity federation
• Requires highly customized SAML claims generation
• Custom tooling required to get temporary credentials for API access
• Some systems do not support temporary credentials
• Need to have a solution to manage user to account access mapping
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How Comcast is addressing these challenges
• Requires highly customized SAML claims generation
• Review published sample implementation by AWS for ADFS
• Have a supportive Directory Services team!
• Custom tooling required to get temporary credentials for API access
• Built Python and Golang based CLI utilities for MacOS, Linux, and Windows
• Supports ADFS + Azure MFA SAML sign-on flow
• Some systems do not support temporary credentials
• Limited issuance of IAM users for “service” accounts with audited credential rotation
• Still ticket driven
• Need to have a solution to manage user to account access mapping
• Developed portal and API for user management backed by Active Directory
• Enforces customized role-assignment business logic
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Federated console access
• Single sign-on w/ MFA
• One URL to access console for all
AWS accounts
• Supports multiple accounts,
multiple roles
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
$ aws_login
Username: david
Password:
Waiting for MFA response
...
Please choose the role you would like to assume:
[ #]: [Account Alias] [Role Name] [AWS ARN]
[ 0]: 111122223333 Developer arn:aws:iam::111122223333:role/Developer
Selection: 0
----------------------------------------------------------------
Your new access key pair has been stored in the AWS configuration file ~/.aws/credentials under the
“saml” profile. To use this credential call the AWS CLI with the --profile option.
----------------------------------------------------------------
$ aws --profile saml sts get-caller-identity
{
"Account": "111122223333",
"UserId": "AROAXXXXXXXXXXXXX:david@domain.com",
"Arn": "arn:aws:sts::111122223333:assumed-role/Developer/david@domain.com"
}
Example federated CLI access
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Role management evolution
Roles as tickets
Role vending
Native role creation
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Role vending machine
AWS Lambda
Amazon API Gateway
Client AWS Lambda
AWS IAM
Role
AWS account
AWS account
AWS account
Permissions
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Role: Developer (Federated)
Policies:
- PowerUserAccess
- RoleManager (Custom)
{ "Statement": [
{ "Action": [
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"
],
"Effect": "Allow",
"Resource":[
"arn:aws:iam::123456789012:role/CustomRole/*
]",
"Condition": {
"ArnNotLike": {
"iam:PolicyARN":"arn:aws:iam::*:policy/Protect*"
}
}
},...]}
Role: CustomRole/MyTestRole (Vended)
Policies:
- ProtectPolicy (Custom)
{ "Statement": [
{ "Action": "iam:DetachRolePolicy"
"Effect": "Deny",
"Resource": "*",
"Condition": {
"ArnLike": {
"iam:PolicyARN": "arn:aws:iam::*:policy/Protect*"
}
}
}, other resource/service restrictions...]}
Example vended role protection
Beforepermissionsboundaries
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challengeswith role vending
• Requires thorough testing of code and policies
• Validation and error handling due to eventual consistency of IAM
• Roles need to be pre-created out-of-band before using them in AWS
• Cannot create roles with AWS Console & AWS Command Line Interface (AWS CLI)
• Breaks AWS Console wizards
• Difficult to integrate with Infrastructure-as-Code tooling such as
AWS CloudFormation and Terraform
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How Comcast is addressing these challenges
• Requires thorough testing of code and policies
• Implement unit and integration tests
• Validation and error handling due to eventual consistency of IAM
• Treat role creation and policy attachment as a single transaction
• Roll-back on any step failure
• Roles need to be pre-created out-of-band before using them in AWS
• Publish internal documentation on role management
• Inner-sourced a custom Terraform provider for role vending API
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Role vending works, but can we do better?
• Continued listening to app teams, focusing
on developer experience
• Agility, native experience, better support
for Infrastructure-as-Code
• How can we get there?
• … permissions boundaries
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Advantages of permissions boundaries
• Native experience managing roles using AWS Console,
AWS CLI, AWS SDKs
• Less custom tooling, removes out-of-band role creation
• Supported by AWS CloudFormation and Terraform
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Native role creation with permissions boundaries
Client AWS IAM
Role
AWS account
AWS account
AWS account
Permissions
AWS Management
Console
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Permissions boundary at Comcast
Rolemanagement,adeveloper’sperspective
AWSTemplateFormatVersion: "2010-09-09"
Description: ”AWS IAM Role with Permissions Boundary"
Resources:
LambdaBasicExecutionRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": { "Service": "lambda.amazonaws.com” },
"Effect": "Allow"
}
]
}
Path: "/Custom/"
RoleName: LambdaBasicExecutionRole
PermissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/Boundary’
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
Minimal changes to tooling required
1. Add governance
permissions boundary
2. Supply a role path or
namespace the role name
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challengeswith permissions boundaries
• (Still) requires thorough testing of policies
• Boundaries are limited to a single policy (6 KB)
• Policy simulator doesn’t support permissions boundaries
• AWS Console wizards do not support supplying or setting a default permissions
boundary
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How Comcast is addressing these challenges
• (Still) requires thorough testing of policies
• Implement integration tests
• Boundaries are limited to a single policy (6 KB)
• Provide multiple boundaries depending on use case
• Move additional controls to AWS Organizations and SCPs
• Policy simulator doesn’t support permissions boundaries
• Add more integration tests to validate expected behavior
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Boundaries based on graduated maturity model
Level 3
Level 2
Level 1
• Advanced users
• Certification required
• Intermediate users &
application developers,
CI/CD service roles
• Introductory users, least-
privilege service roles and
on-premise service users
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Organizations in Practice
• Consolidated cost view, billing, and controls
• AWS CloudTrail deployment
via service integration
• Account discovery framework
What we would like to see
• More service integrations
• Support for account metadata
• Improved account lifecycle management
Just Launched!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
SCPs
• Protect resources and services
• Help simplify IAM policies in accounts
• Use to limit account access to services
Some limitations
• 5 SCPs per entity, 5 KB each
• Must be deliberate with design and use
• Wide blast radius
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
The experience today
• Account owners can easily add and remove users from AWS
accounts
• Individuals use the AWS Console & AWS CLI in any of their
AWS accounts with one set of credentials
• Security is happy because people are using federated single
sign-on and MFA to access AWS
• Teams can manage roles natively with AWS CloudFormation
and Terraform
• Leadership is happy because teams are more productive,
have choice, and can move with agility
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What’s next?
SCPs
Expand use to simplify governance controls and permission boundaries
Expanded self-service SSO roles
Ability to customize federated login roles for different user personas
Launch self-service IAM users
Self-service access to manage service accounts for
access from on-premises deployments
Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Charlie Hammell
hammellc@amazon.com
David Hocky
david_hocky@comcast.com
Christopher Power
christopher_power@cable.comcast.com

More Related Content

What's hot

Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...Amazon Web Services
 
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...Amazon Web Services
 
Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...
Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...
Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...Amazon Web Services
 
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019 Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019 Amazon Web Services
 
Building a well-engaged and secure AWS account access management - FND207-R ...
 Building a well-engaged and secure AWS account access management - FND207-R ... Building a well-engaged and secure AWS account access management - FND207-R ...
Building a well-engaged and secure AWS account access management - FND207-R ...Amazon Web Services
 
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...Amazon Web Services
 
Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Amazon Web Services
 
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...Amazon Web Services
 
An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...Amazon Web Services
 
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...Amazon Web Services
 
Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
 Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019  Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019 Amazon Web Services
 
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Amazon Web Services
 
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Amazon Web Services
 
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Amazon Web Services
 
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...Amazon Web Services
 
How FINRA achieves DevOps agility while securing its AWS environments - GRC33...
How FINRA achieves DevOps agility while securing its AWS environments - GRC33...How FINRA achieves DevOps agility while securing its AWS environments - GRC33...
How FINRA achieves DevOps agility while securing its AWS environments - GRC33...Amazon Web Services
 
Security at the speed of cloud: How to think about it & how you can do it now...
Security at the speed of cloud: How to think about it & how you can do it now...Security at the speed of cloud: How to think about it & how you can do it now...
Security at the speed of cloud: How to think about it & how you can do it now...Amazon Web Services
 
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019 Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019 Amazon Web Services
 
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019 The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019 Amazon Web Services
 
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019 Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019 Amazon Web Services
 

What's hot (20)

Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...Serverless identity management, authentication, and authorization - SDD405-R ...
Serverless identity management, authentication, and authorization - SDD405-R ...
 
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...
 
Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...
Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...
Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...
 
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019 Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
 
Building a well-engaged and secure AWS account access management - FND207-R ...
 Building a well-engaged and secure AWS account access management - FND207-R ... Building a well-engaged and secure AWS account access management - FND207-R ...
Building a well-engaged and secure AWS account access management - FND207-R ...
 
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...
 
Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...
 
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
 
An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...An open-source adventure in the cloud, containers, and incident response - SE...
An open-source adventure in the cloud, containers, and incident response - SE...
 
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
 
Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
 Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019  Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
 
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
 
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
 
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
 
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...
 
How FINRA achieves DevOps agility while securing its AWS environments - GRC33...
How FINRA achieves DevOps agility while securing its AWS environments - GRC33...How FINRA achieves DevOps agility while securing its AWS environments - GRC33...
How FINRA achieves DevOps agility while securing its AWS environments - GRC33...
 
Security at the speed of cloud: How to think about it & how you can do it now...
Security at the speed of cloud: How to think about it & how you can do it now...Security at the speed of cloud: How to think about it & how you can do it now...
Security at the speed of cloud: How to think about it & how you can do it now...
 
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019 Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
 
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019 The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019
 
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019 Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
 

Similar to Evolving perimeters with guardrails, not gates: Improving developer agility - SDD331 - AWS re:Inforce 2019

Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftIdentity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftAmazon Web Services
 
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018Amazon Web Services
 
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...Amazon Web Services
 
Best practices for choosing identity solutions for applications + workloads -...
Best practices for choosing identity solutions for applications + workloads -...Best practices for choosing identity solutions for applications + workloads -...
Best practices for choosing identity solutions for applications + workloads -...Amazon Web Services
 
Identity and Access Management and Directory Services
Identity and Access Management and Directory ServicesIdentity and Access Management and Directory Services
Identity and Access Management and Directory ServicesAmazon Web Services
 
AWS Identity Access Management
AWS Identity Access ManagementAWS Identity Access Management
AWS Identity Access ManagementRichard Harvey
 
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...Amazon Web Services
 
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...Amazon Web Services
 
Identity and access control for custom enterprise applications - SDD412 - AWS...
Identity and access control for custom enterprise applications - SDD412 - AWS...Identity and access control for custom enterprise applications - SDD412 - AWS...
Identity and access control for custom enterprise applications - SDD412 - AWS...Amazon Web Services
 
So You've Got ATO - Are You Sure You are Secure?
So You've Got ATO - Are You Sure You are Secure?So You've Got ATO - Are You Sure You are Secure?
So You've Got ATO - Are You Sure You are Secure?Amazon Web Services
 
Design for Compliance - AWS FS Cloud Symposium Apr 2019.pdf
Design for Compliance - AWS FS Cloud Symposium Apr 2019.pdfDesign for Compliance - AWS FS Cloud Symposium Apr 2019.pdf
Design for Compliance - AWS FS Cloud Symposium Apr 2019.pdfAmazon Web Services
 
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...Amazon Web Services
 
Scale permissions management in AWS with attribute-based access control - SDD...
Scale permissions management in AWS with attribute-based access control - SDD...Scale permissions management in AWS with attribute-based access control - SDD...
Scale permissions management in AWS with attribute-based access control - SDD...Amazon Web Services
 
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...Amazon Web Services
 
Design for compliance: Practical patterns for meeting your IT compliance requ...
Design for compliance: Practical patterns for meeting your IT compliance requ...Design for compliance: Practical patterns for meeting your IT compliance requ...
Design for compliance: Practical patterns for meeting your IT compliance requ...Amazon Web Services
 
What's New in AWS Security Features
What's New in AWS Security FeaturesWhat's New in AWS Security Features
What's New in AWS Security FeaturesAmazon Web Services
 

Similar to Evolving perimeters with guardrails, not gates: Improving developer agility - SDD331 - AWS re:Inforce 2019 (20)

Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftIdentity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
 
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
 
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 
Best practices for choosing identity solutions for applications + workloads -...
Best practices for choosing identity solutions for applications + workloads -...Best practices for choosing identity solutions for applications + workloads -...
Best practices for choosing identity solutions for applications + workloads -...
 
Identity and Access Management and Directory Services
Identity and Access Management and Directory ServicesIdentity and Access Management and Directory Services
Identity and Access Management and Directory Services
 
AWS Identity Access Management
AWS Identity Access ManagementAWS Identity Access Management
AWS Identity Access Management
 
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
 
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
AWS identity services: Enabling and securing your cloud journey - SEC203 - Ne...
 
Identity and access control for custom enterprise applications - SDD412 - AWS...
Identity and access control for custom enterprise applications - SDD412 - AWS...Identity and access control for custom enterprise applications - SDD412 - AWS...
Identity and access control for custom enterprise applications - SDD412 - AWS...
 
Federation & Access Management
Federation & Access ManagementFederation & Access Management
Federation & Access Management
 
AWS Security Deep Dive
AWS Security Deep DiveAWS Security Deep Dive
AWS Security Deep Dive
 
So You've Got ATO - Are You Sure You are Secure?
So You've Got ATO - Are You Sure You are Secure?So You've Got ATO - Are You Sure You are Secure?
So You've Got ATO - Are You Sure You are Secure?
 
Design for Compliance - AWS FS Cloud Symposium Apr 2019.pdf
Design for Compliance - AWS FS Cloud Symposium Apr 2019.pdfDesign for Compliance - AWS FS Cloud Symposium Apr 2019.pdf
Design for Compliance - AWS FS Cloud Symposium Apr 2019.pdf
 
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
 
AWS Security Deep Dive
AWS Security Deep DiveAWS Security Deep Dive
AWS Security Deep Dive
 
Scale permissions management in AWS with attribute-based access control - SDD...
Scale permissions management in AWS with attribute-based access control - SDD...Scale permissions management in AWS with attribute-based access control - SDD...
Scale permissions management in AWS with attribute-based access control - SDD...
 
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - ...
 
Design for compliance: Practical patterns for meeting your IT compliance requ...
Design for compliance: Practical patterns for meeting your IT compliance requ...Design for compliance: Practical patterns for meeting your IT compliance requ...
Design for compliance: Practical patterns for meeting your IT compliance requ...
 
What's New in AWS Security Features
What's New in AWS Security FeaturesWhat's New in AWS Security Features
What's New in AWS Security Features
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Evolving perimeters with guardrails, not gates: Improving developer agility - SDD331 - AWS re:Inforce 2019

  • 1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Evolving perimeters with guardrails, not gates: Improving developer agility Charlie Hammell Principal Enterprise Architect AWS S D D 3 3 1 David Hocky Cloud Solutions Architect Comcast Christopher Power Cloud Solutions Architect Comcast
  • 2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda AWS Identity and Access Management (IAM) primer Role assumption and identity federation Permissions boundaries AWS Organizations and Service Control Policies Comcast’s governance journey and implementation Federated user access experience Enabling role management at scale with permissions boundaries AWS Organizations and Service Control Policies in practice
  • 3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Request Actions, resources, principals, environment data, resource data IAM primer Principals Users (and groups) Roles (assumed, delegated, federated, service-linked) Applications Authentication Resources Authorization Resource-based policies Other policies (trust, permissions boundary) Identity-based policies
  • 5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS STS assume role prod@example.com Acct ID: 111122223333 ddb-role dev@example.com Acct ID: 123456789012 Call AWS APIs using temporary security credentials of ddb-role IAM user: Alice Get temporary security credentials for ddb-role Authenticate with Anders’ access keys ddb-role trusts IAM users from the AWS account dev@example.com (123456789012) { "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"123456789012"}, "Action":"sts:AssumeRole" }]} Permissions assigned to Anders granting him permission to assume ddb-role in account B { "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" }]} Permissions assigned to ddb-role { "Statement": [ { "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource":"arn:aws:dynamodb:us-east-1: 123456789012:table/books" }]} Books
  • 6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. User logs in to portal Corporate data center Enterprise (identity provider) AWS (service provider) Browser interface Identity store Identity Provider Portal 1 3 2 4 5 AWS sign-in User authenticated Receive response (SAML assertion) Post the SAML assertion to sign-in Redirected to AWS Management Console Identity federation
  • 7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Permissions boundary Limit the maximum permissions of the principals created by delegated admins • Certain IAM permissions (such as PutUserPolicy and AttachRolePolicy) were essentially god-like • Self-service permissions management required non-trivial automation • Administrator can grant previously god-like permissions, but specify a permissions boundary • Allows developers the ability to create principals and attach policies, but only within the boundary
  • 8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. IAM-delegated administration Account admin step 1: Create a permissions boundary policy preventing deletion of critical logs (CompanyBoundary) { "Version": "2012-10-17", "Statement": [ { "Sid": "ServiceBoundaries", "Effect": "Allow", "Action": [ "s3:*", "cloudwatch:*", "ec2:*", "dynamodb:*", “lambda:*”, "iam:ListUsers" ], "Resource": "*" }, { "Sid": ”DenyProjectxyzS3Access", "Effect": "Deny", "Action": "s3:*", "Resource": [ "arn:aws:s3:::projectxyz", "arn:aws:s3:::projectxyz/*" ] }...
  • 9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. IAM-delegated administration Account admin step 2: Create a permissions policy allowing the creation of IAM roles, but only if CompanyBoundary is specified; attach permissions policy to delegated IAM admin principal { "Version":"2012-10-17", "Statement":[ { "Sid":"SetPermissionsBoundary", "Effect":"Allow", "Action":[ "iam:CreateRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy" ], "Resource":"arn:aws:iam::123456789012:role/AppRoles/*", "Condition":{ "StringEquals":{ "iam:PermissionsBoundary":"arn:aws:iam::123456789012:policy/CompanyBoundary" } } }, { "Sid":"CreateAndEditPermissionsPolicy", "Effect":"Allow", "Action":[ "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion" ], "Resource":"arn:aws:iam::123456789012:policy/AppPolicies/*" } ] }
  • 10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. IAM-delegated administration Delegated IAM admin step 1: Create an IAM role specifying a path and a permissions boundary aws iam create-role --role-name MyTestAppRole --path /AppRoles/ --permissions-boundary arn:aws:iam::123456789012:policy/CompanyBoundary --assume-role-policy-document file://Role_Trust_Policy_Text.json Delegated IAM admin step 2: Create a permissions policy allowing full access to Amazon S3 aws iam create-policy --policy-name MyTestAppPermissions --path /AppPolicies/ --policy-document file://MyTestAppPermissions.json Delegated IAM admin step 3: Attach the policy to the newly created role aws iam attach-role-policy --role-name MyTestAppRole --policy-arn arn:aws:iam::123456789012:policy/AppPolicies/MyTestAppPermissions { "Effect":"Allow", "Action":"s3:*", "Resource":"*" }
  • 11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Effective permission Permission policy { "Effect":"Allow", "Action":"s3:*", "Resource":"*" } Permissions boundary { "Sid": "DenyProjectxyzS3Access", "Effect": "Deny", "Action": "s3:*", "Resource": [ "arn:aws:s3:::projectxyz", "arn:aws:s3:::projectxyz/*" ] }...
  • 12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Effective permission Permissions boundary Permissions policy Allow: s3:* Allow: sqs:* Allow: ec2:*Allow: ec2:*
  • 13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. A1 A3 M Master account Organizational unit (OU) Service control policies (SCPs) Dev Test Prod AWS accountsA5A4A2 A7A6 AWS Organizations
  • 14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. SCPs • Enable you to control which AWS service APIs are accessible • Define the list of APIs that are allowed, or • Define the list of APIs that must be blocked • Cannot be overridden by local administrator • Are necessary but not sufficient! • Effective permission on IAM user/role is the intersection between the SCP and assigned IAM permissions
  • 15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Organizations and permissions boundaries sqs:*s3:* ec2:* sns:* SCP Permissions boundary Permissions policy
  • 16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Policy evaluation No Deny evaluation: Implicit deny, look for an explicit deny Yes AWS Organizations boundaries (SCP): Is there an allow? Yes Principal boundaries (permissions boundaries): Is there an allow? Yes AWS STS assume role policies: Is there an allow? Yes Permissions: Is there an allow? (identity-based, resource-based) Final decision allow
  • 17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Connectingyoutowhatmatters Comcast creates incredible technology and entertainment that connects millions of people to the moments and experiences that matter most.
  • 19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Landscape
  • 20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Guiding principles Guardrails, not gates Developer experience Scalability Security
  • 21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Developer experience means Agility Ability to move quickly, scale, and change direction as necessary Choice Architecture, cloud services, and tooling that works for your team and use case Native experience Provide native access, and respect SDKs and tooling wherever possible Support for modern development practices Infrastructure as code, automation, CI/CD
  • 22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Example AWS Lambda Amazon DynamoDBAmazon API Gateway Client Amazon CloudWatch AWS X-Ray AWS Lambda Role RoleRole User story As a developer, I would like to have an authenticated API that reads properties from our database so that I can present relevant information to our customers
  • 23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What we want to avoid AWS Lambda Amazon DynamoDBAmazon API Gateway User story As a developer, I would like to [submit a ticket so that I can] have an authenticated API that reads properties from our database so that I can present relevant information to our customers [after I inevitably forget something and have to open another ticket]. Client Amazon CloudWatch AWS X-Ray AWS Lambda Role RoleRole
  • 24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Our governance toolkit Third-party software Custom tooling AWS IAM AWS CloudTrail AWS Config Amazon GuardDuty SSO MFA token AWS Organizations Accounts
  • 25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Advantages to identity federation • Single sign-on for all federated users • Integration with enterprise MFA • Temporary access keys/secrets (max 12 hours) • User lifecycle tied directly to HR systems • Consistent user credentials across all AWS accounts • Enables move from IAM users to IAM roles for people Federated User Access Single sign-on, MFA
  • 27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Challengeswith identity federation • Requires highly customized SAML claims generation • Custom tooling required to get temporary credentials for API access • Some systems do not support temporary credentials • Need to have a solution to manage user to account access mapping
  • 28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. How Comcast is addressing these challenges • Requires highly customized SAML claims generation • Review published sample implementation by AWS for ADFS • Have a supportive Directory Services team! • Custom tooling required to get temporary credentials for API access • Built Python and Golang based CLI utilities for MacOS, Linux, and Windows • Supports ADFS + Azure MFA SAML sign-on flow • Some systems do not support temporary credentials • Limited issuance of IAM users for “service” accounts with audited credential rotation • Still ticket driven • Need to have a solution to manage user to account access mapping • Developed portal and API for user management backed by Active Directory • Enforces customized role-assignment business logic
  • 29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Federated console access • Single sign-on w/ MFA • One URL to access console for all AWS accounts • Supports multiple accounts, multiple roles
  • 30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. $ aws_login Username: david Password: Waiting for MFA response ... Please choose the role you would like to assume: [ #]: [Account Alias] [Role Name] [AWS ARN] [ 0]: 111122223333 Developer arn:aws:iam::111122223333:role/Developer Selection: 0 ---------------------------------------------------------------- Your new access key pair has been stored in the AWS configuration file ~/.aws/credentials under the “saml” profile. To use this credential call the AWS CLI with the --profile option. ---------------------------------------------------------------- $ aws --profile saml sts get-caller-identity { "Account": "111122223333", "UserId": "AROAXXXXXXXXXXXXX:david@domain.com", "Arn": "arn:aws:sts::111122223333:assumed-role/Developer/david@domain.com" } Example federated CLI access
  • 31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Role management evolution Roles as tickets Role vending Native role creation
  • 33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Role vending machine AWS Lambda Amazon API Gateway Client AWS Lambda AWS IAM Role AWS account AWS account AWS account Permissions
  • 34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Role: Developer (Federated) Policies: - PowerUserAccess - RoleManager (Custom) { "Statement": [ { "Action": [ "iam:AttachRolePolicy", "iam:DetachRolePolicy" ], "Effect": "Allow", "Resource":[ "arn:aws:iam::123456789012:role/CustomRole/* ]", "Condition": { "ArnNotLike": { "iam:PolicyARN":"arn:aws:iam::*:policy/Protect*" } } },...]} Role: CustomRole/MyTestRole (Vended) Policies: - ProtectPolicy (Custom) { "Statement": [ { "Action": "iam:DetachRolePolicy" "Effect": "Deny", "Resource": "*", "Condition": { "ArnLike": { "iam:PolicyARN": "arn:aws:iam::*:policy/Protect*" } } }, other resource/service restrictions...]} Example vended role protection Beforepermissionsboundaries
  • 35. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Challengeswith role vending • Requires thorough testing of code and policies • Validation and error handling due to eventual consistency of IAM • Roles need to be pre-created out-of-band before using them in AWS • Cannot create roles with AWS Console & AWS Command Line Interface (AWS CLI) • Breaks AWS Console wizards • Difficult to integrate with Infrastructure-as-Code tooling such as AWS CloudFormation and Terraform
  • 36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. How Comcast is addressing these challenges • Requires thorough testing of code and policies • Implement unit and integration tests • Validation and error handling due to eventual consistency of IAM • Treat role creation and policy attachment as a single transaction • Roll-back on any step failure • Roles need to be pre-created out-of-band before using them in AWS • Publish internal documentation on role management • Inner-sourced a custom Terraform provider for role vending API
  • 37. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Role vending works, but can we do better? • Continued listening to app teams, focusing on developer experience • Agility, native experience, better support for Infrastructure-as-Code • How can we get there? • … permissions boundaries
  • 38. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Advantages of permissions boundaries • Native experience managing roles using AWS Console, AWS CLI, AWS SDKs • Less custom tooling, removes out-of-band role creation • Supported by AWS CloudFormation and Terraform
  • 39. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Native role creation with permissions boundaries Client AWS IAM Role AWS account AWS account AWS account Permissions AWS Management Console
  • 40. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Permissions boundary at Comcast Rolemanagement,adeveloper’sperspective AWSTemplateFormatVersion: "2010-09-09" Description: ”AWS IAM Role with Permissions Boundary" Resources: LambdaBasicExecutionRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Principal": { "Service": "lambda.amazonaws.com” }, "Effect": "Allow" } ] } Path: "/Custom/" RoleName: LambdaBasicExecutionRole PermissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/Boundary’ ManagedPolicyArns: - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" Minimal changes to tooling required 1. Add governance permissions boundary 2. Supply a role path or namespace the role name
  • 41. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Challengeswith permissions boundaries • (Still) requires thorough testing of policies • Boundaries are limited to a single policy (6 KB) • Policy simulator doesn’t support permissions boundaries • AWS Console wizards do not support supplying or setting a default permissions boundary
  • 42. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. How Comcast is addressing these challenges • (Still) requires thorough testing of policies • Implement integration tests • Boundaries are limited to a single policy (6 KB) • Provide multiple boundaries depending on use case • Move additional controls to AWS Organizations and SCPs • Policy simulator doesn’t support permissions boundaries • Add more integration tests to validate expected behavior
  • 43. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Boundaries based on graduated maturity model Level 3 Level 2 Level 1 • Advanced users • Certification required • Intermediate users & application developers, CI/CD service roles • Introductory users, least- privilege service roles and on-premise service users
  • 44. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Organizations in Practice • Consolidated cost view, billing, and controls • AWS CloudTrail deployment via service integration • Account discovery framework What we would like to see • More service integrations • Support for account metadata • Improved account lifecycle management Just Launched!
  • 45. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. SCPs • Protect resources and services • Help simplify IAM policies in accounts • Use to limit account access to services Some limitations • 5 SCPs per entity, 5 KB each • Must be deliberate with design and use • Wide blast radius
  • 46. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. The experience today • Account owners can easily add and remove users from AWS accounts • Individuals use the AWS Console & AWS CLI in any of their AWS accounts with one set of credentials • Security is happy because people are using federated single sign-on and MFA to access AWS • Teams can manage roles natively with AWS CloudFormation and Terraform • Leadership is happy because teams are more productive, have choice, and can move with agility
  • 47. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What’s next? SCPs Expand use to simplify governance controls and permission boundaries Expanded self-service SSO roles Ability to customize federated login roles for different user personas Launch self-service IAM users Self-service access to manage service accounts for access from on-premises deployments
  • 48. Thank you! © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Charlie Hammell hammellc@amazon.com David Hocky david_hocky@comcast.com Christopher Power christopher_power@cable.comcast.com