Every journey to the AWS Cloud is unique. Some customers are migrating existing applications, while others are building new applications using cloud-native services. Along each of these journeys, identity and access management helps customers protect their applications and resources. In this session, you learn how AWS identity services provide you a secure, flexible, and easy solution for managing identities and access on the AWS Cloud. With AWS identity services, you do not have to adapt to AWS. Instead, you have a choice of services designed to meet you anywhere along your journey to the AWS Cloud.

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Quint Van Deman
Business Development Manager, Identity and Directory Services, Amazon Web Services
SID201
Overview of AWS Identity, Directory,
and Access Services

2. Every AWS Cloud journey is unique.
Migrating or extending
existing infrastructure
and applications.
Building customer facing
cloud-native
applications.
Going all-in on cloud
solutions across the
organization.
Using the scale of the
AWS Cloud to solve new
challenges.
Requiring unique identity and
access management solutions.

3. What to Expect
(C) Copyright Jean-Remy Duboc and licensed for reuse under the
Creative Commons Attribution-Generic 2.0 License
Provide
mental model
Chart the
landscape
Map to
use cases
Customer
examples

4. Disambiguation
IAM
Authentication, authorization,
audit, and governance for
your cloud workloads.
Our scope for today
AWS IAM
(the service)
Authenticates and authorizes
AWS APIs.
Includes
(the subject)

5. Identity and Access Management Means …
Validate identities
securely.
Authentication
Manage access using
fine-grained policies.
Authorization
Meet compliance
requirements.
Audit/Governance

6. At All Levels
Identity and Access Management
(the subject)
AWS Management Console/APIs
AWS infrastructure
AWS applications
Your applications
Developers
Admins
Security Employees
Customers
Partners

7. Mental Model

8. Tenets
Mental model for Identity and Access Management services
Give you choice Secure, flexible,
comprehensive
Meet you
where you are

9. Benefits of AWS Identity, Directory,
and Access Services
Superior Security
Enable you to build applications and manage access more
securely in the AWS Cloud than on premises.
Increase Flexibility
Offer you options that meet you along your AWS Cloud journey
instead of forcing you to adapt to AWS.
Comprehensive
Breadth of services that help you get started quickly and are
feature rich to meet your more advanced needs over time.

10. Landscape

11. AWS Identity, Directory,
and Access Services
AWS Identity and
Access
Management
Fine-grained access
management for
AWS resources.
AWS
Organizations
Policy-based
management for
multiple AWS
accounts.
Amazon Cognito
Identity and access
management for
your apps & APIs.
AWS Single Sign-On
Manage single sign-on
(SSO) access to
multiple AWS
accounts and
business applications.
AWS Directory
Service
Actual Microsoft
Active Directory as a
managed service on
the AWS Cloud.
Amazon Cloud
Directory
Directory for
managing
hierarchical data.
AWS Secrets
Manager (NEW!)
Lifecycle
management for
secrets.

12. Broader Security Portfolio
AWS Identity & Access
Management (IAM)
AWS Organizations
AWS Cognito
AWS SSO
AWS Directory Service
Amazon Cloud Directory
AWS Secrets Manager
AWS CloudTrail
AWS Config
Amazon
CloudWatch
Amazon GuardDuty
VPC Flow Logs
Amazon EC2
Systems Manager
AWS Shield
AWS Web Application
Firewall (AWS WAF)
Amazon Inspector
Amazon VPC (VPC)
AWS KMS
AWS CloudHSM
Amazon Macie
ACM
Server-Side Encryption
AWS Config Rules
AWS Lambda
Identity Detective
control
Infrastructure
security
Incident
response
Data
protection

13. Use Cases

14. Common Use Cases
Manage user access to AWS accounts and resources
• Developers signing in to the AWS Command Line Interface (AWS
CLI) or AWS Management Console.
• SecOps engineers running AWS Lambda functions.
Manage application access to data and resources
• Applications running on Amazon EC2 instances or containers that
need access to data in Amazon S3.
Manage user access to your own applications
• Users signing in to your applications using their Facebook, Twitter,
or Amazon accounts.

15. User Access to AWS Accounts & Resources
Enable users to sign in to AWS accounts using
their existing corporate credentials.
• Configure SSO access (federation) to each of
your AWS accounts using AWS IAM.
• AWS SSO helps you manage SSO access and
user permissions for multiple AWS accounts
centrally.
Define fine-grained user permissions within your
AWS accounts using IAM policies.
AWS Organizations helps you manage the use of
AWS service APIs across multiple AWS accounts.

16. AWS SSO: Define Permissions
Uses AWS Organizations to retrieve
your list and structure of accounts.
Master account
Member account #1 Member account #N
AWS OrganizationsAWS SSO
Define permissions using standard
syntax and tools.
Definitions and policies
automatically deployed and
maintained in member accounts.

17. AWS SSO: Assign Users
Master account
AWS OrganizationsAWS SSOAWS Directory
Service
Groups
Active Dir
EntitlementsDirectory connection
On-premises
Uses AWS Directory
Service to connect to
on-premises Active
Directory.
Map Active Directory
groups to defined
permissions.
Grant access to one
AWS account, an OU, or
the entire Organization.

18. AWS SSO: Login Flow
Master account
AWS SSO
AWS SSO
user portal
Groups
Active Dir
Users
Entitlements
AuthZ
On-premises
SAML
Member account
Users browse to the AWS
SSO user portal and are
authenticated using their
corporate credentials.
AWS SSO authorizes the user
based on their entitlements.
Actions and resource access
are governed by IAM policies
and Organizations SCPs.
Users are federated into an
IAM role in member account.

19. AWS Organizations: Key Concepts
A1 A2 A4
M
Master account / Administrative root
Organizational unit (OU)
AWS accounts
Service
Control
Policies
(SCPs)
AWS resources
A3
Dev Test Prod

20. AWS Organizations: Together with IAM
Allow: EC2:*Allow: S3:* Allow: SQS:*
Allow: EC2:*Allow: EC2:*
SCP IAM
permissions

21. Application Access to Data & Resources
Avoid hardcoding credentials in source code.
You can use IAM roles instead.
• AWS distributes and rotates short-term
credentials on your behalf automatically.
• IAM roles work with Amazon EC2, Amazon
EC2 containers, and AWS Lambda
functions.
You can define fine-grained permissions to
AWS resources using IAM policies.

22. AWS
resources
IAM Roles
Your code
Operating
system
EC2 instance
AWS credentials auto
delivered and rotated
AWS credentials auto
discovered and used
Access controlled by
policy attached to role
Also works with AWS Lambda & Amazon ECS

23. IAM roles provide your applications a reliable, secure,
auto-rotating solution for AWS credentials
But what about:
Database connection credentials?
Third-party API keys?
OAuth refresh tokens?
How do we avoid the back alley
exchange?
(C) Copyright A not very creative mind and licensed for reuse under
the Creative Commons Attribution-Generic 2.0 License

24. Lifecycle management for secrets such as database
credentials and API keys
Rotate Secrets
Safely
Pay as you goManage access
with fine-grained
policies
Secure and
audit secrets
centrally
Introducing AWS Secrets Manager

25. AWS Secrets Manager: Key Features
Safe rotation of
secrets
Built-in integrations,
extensible with
Lambda
On-demand or
automatic rotation
with versioning
Fine-grained access
policies
Encrypted storage Logging and
monitoring

26. AWS
resources
AWS Secrets Manger: Architecture
Your code
Operating
system
EC2 instance
Other
resources
AWS credentials
plumbed (as before)
DB creds
loaded
Safe
rotation
Combo provides your apps a reliable, secure, auto-rotating solution for ALL credentials

27. User Access to Your Own Applications
Enable users to bring their own identities
from social and enterprise identity providers
with Amazon Cognito.
• Built-in integrations for Facebook,
Google, and Amazon.
• Integrates with enterprise identity
providers that support OAuth 2.0, SAML
2.0, and OpenID Connect (OIDC).
Create cloud-native user directories with
extensible user profiles.
Secure access to your applications using
risk-based adaptive authentication (beta).

28. Amazon Cognito: Application IAM
Get AWS
credentials
Amazon Cognito
identity pool
Amazon
DynamoDB
Amazon S3
Access AWS services
Federating
IdP
Amazon Cognito
user poolUser pool authenticates users
and returns standard tokens
Amazon Cognito user pool
(CUP) tokens are used to
access your custom APIs
Identity pool provides role-
based AWS credentials to
access AWS services
Authenticate
3
CUP
token1
IdP
token
2
Redirect /
Post back
CUP
Token
5
6
Access serverless backendCUP
Token
API GW
4
Lambda

29. Amazon Cognito and API Gateway
Amazon Cognito
Identity management for your application
Amazon API Gateway
Authorize using your choice:
id token, access token, custom
Lambda microservices
AWS Lambda

30. Customer Examples

31. TIBCO
As TIBCO scaled on AWS, it wanted to
centrally manage permissions across multiple
AWS accounts.
TIBCO uses AWS Organizations service
control policies to manage service API use
across its AWS accounts.
Created Slack integration with Organizations to
enable users to deploy AWS infrastructure in
an auditable way.
AWS Organizations

32. Hixme
Provides employee benefits and insurance
solutions to businesses.
Hixme manages sensitive customer data,
requiring an authentication solution that
protects that information from unauthorized
access.
Use Amazon Cognito and AWS Lambda to
“develop a flexible, fully integrated solution that
can scale effortlessly.”
Amazon Cognito
user pools
Users with
mobile app
AWS Lambda

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Please complete the session survey in
the summit mobile app.

34. Submit Session Feedback
1. Tap the Schedule icon. 2. Select the session
you attended.
3. Tap Session
Evaluation to submit your
feedback.

35. Thank you!