Page 1
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
SEC 201 - Access Control for the Cloud: AWS Identity and Access Management (IAM)
Jim Scharf, AWS
November 13, 2013
Page 2
Agenda
• Overview of AWS Identity and Access Management
• How to enforce security policies in the cloud
• How to integrate with existing directories
• Highlight new features along the way
Page 3
Identity and Access Management
Who?
What Actions?
Which Resources?
Page 4
What is AWS Identity and Access Management?
Page 5
AWS Identity and Access Management
Access control
for AWS services and resources
that is flexible, powerful, familiar, and secure
Page 7
A show of hands…
• How many already use AWS?
• Tried AWS because of
– $: no upfront investment, free tier, low ongoing cost
– Scale: flexible capacity, global reach
– Agility: speed and agility, apps not ops
– Services: Amazon EC2, Amazon S3, Amazon DynamoDB, Amazon Redshift, Amazon RDS, Amazon EMR, Amazon CloudFront, etc.
Page 8
A show of hands…
• How many initially tried AWS because of
– Security
– Identity
Page 9
Flexible Individual Use
Page 13
Flexible Organizations
Page 14
Figure: example organization chart. CEO at the top; beneath, Dev/Ops (Graeme, Greg), Development (Nate, Cicilie, Kevin, Jeff), Sales/Marketing (Anders, Erin, Brian), Finance/Accounting (Joan).
Page 15
Figure: the same organization with the access each group receives.
• CEO
• Dev/Ops: administrator access, controlling all AWS resources, including managing users
• Development: full access to Amazon S3 and Amazon DynamoDB, plus the ability to start (but not stop) Amazon EC2 instances
• Sales/Marketing: read-only access to Amazon S3
• Finance/Accounting: account activity and usage reports only
Page 18
IAM
• Users, groups, permissions
– Individual security credentials
– Secure by default
– Grant least privilege
• Easy to use
– Graphical user interface
– Ability to script/automate (CLI & API)
Page 19
Flexible Enterprise
Page 21
Control
• AWS multi-factor authentication
– Hardware tokens
– Smartphone app tokens
• Credential management policies
• Control billing, support, and AWS Marketplace
purchases
Page 22
Flexible Control That Adapts with Your Needs
No additional charge
Page 23
Powerful Integrated
Page 24
AWS Identity and Access Management
Access control
for AWS services and resources
that is flexible, powerful, familiar, and secure
Page 25
Cloud Services (figure): Amazon EC2, Amazon S3, Amazon Elastic MapReduce, AWS Storage Gateway, Amazon DynamoDB, Amazon RDS, Amazon ElastiCache, Amazon Route 53, Amazon VPC, Amazon CloudFront, Amazon CloudWatch, AWS Elastic Beanstalk, AWS CloudFormation, AWS IAM, Amazon SQS, Amazon SES, Amazon SNS, Amazon CloudSearch, Amazon Simple Workflow, Amazon Redshift, AWS OpsWorks, Amazon Elastic Transcoder
Page 26
Cloud Resources (figure): Instances, Files, AMIs, Spot Instances, Volumes, Messages, Snapshots, Security Groups, Elastic IPs, Placement groups, Users, Groups, Roles, Load Balancers, Auto Scaling groups, Network interfaces, Queues, Topics, Domains, Workflows, Applications, Templates, Distributions, Buckets, Stacks, Apps, Layers, Clusters
Page 27
Powerful Fine-Grained
Page 28
AWS Access Control
Who?
What actions?
Which resources?
When?
Where?
How?
Page 29
Amazon EC2 Resource-Level Permissions
Example use cases:
• Ben can terminate instance i-abc12345 but not instance i-def67890
• Jeff can launch instances only in the subnet subnet-bdf2468
• Ken can use only the AMI ami-cba54321 to run instances
• A user can take any action on resources if they have the tag “sandbox=${aws:username}”
• Derek must authenticate using MFA before he can terminate instances with the tag “stack=prod”
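The following Python is an added illustration, not code from this deck or from AWS, of how the use cases above are written as policies and how IAM decides them. It models the documented evaluation logic (an explicit Deny beats any Allow; with no matching Allow the request is implicitly denied), matches Action and Resource with "*" wildcards, substitutes policy variables such as ${aws:username}, and supports a few condition operators including the ...IfExists variants. The account ID, region, ARN shapes, instance IDs other than the slide's, and the request contexts are assumptions constructed for the example.

```python
"""Minimal IAM policy evaluator (added illustration, not AWS's code).
Decision order: explicit Deny > Allow > implicit deny. Wildcards in Action and
Resource, ${var} substitution from the request context, and a small set of
condition operators. Account ID, region and request contexts are constructed."""
import fnmatch
import re

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    """Case-insensitive wildcard match for Action and Resource fields."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _substitute(text, ctx):
    """Replace ${key} policy variables with values from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "")), text)

_OPERATORS = {
    "StringEquals": lambda actual, wanted: actual == wanted,
    "StringLike": lambda actual, wanted: fnmatch.fnmatchcase(actual, wanted),
    "Bool": lambda actual, wanted: actual.lower() == wanted.lower(),
}

def _conditions_hold(conds, ctx):
    """All operator/key pairs must hold. A key missing from the request fails a
    plain operator; the ...IfExists form treats a missing key as satisfied,
    which is what lets an MFA Deny cover requests that carry no MFA flag."""
    for op, keys in (conds or {}).items():
        base, if_exists = (op[:-8], True) if op.endswith("IfExists") else (op, False)
        for key, wanted in keys.items():
            if key not in ctx:
                if if_exists:
                    continue
                return False
            actual = str(ctx[key])
            if not any(_OPERATORS[base](actual, _substitute(str(w), ctx)) for w in _as_list(wanted)):
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(_substitute(r, ctx), resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _conditions_hold(stmt.get("Condition"), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation
            decision = "Allow"
    return decision

EC2 = "arn:aws:ec2:us-east-1:111122223333:"   # constructed region/account prefix

# Ben can terminate instance i-abc12345 but not i-def67890 (resource-level)
BEN = {"Statement": [{"Effect": "Allow", "Action": "ec2:TerminateInstances",
                      "Resource": EC2 + "instance/i-abc12345"}]}
# Ken can run instances only from ami-cba54321; RunInstances is authorized per
# resource it touches, so a different image simply has no matching Allow
KEN = {"Statement": [{"Effect": "Allow", "Action": "ec2:RunInstances",
                      "Resource": ["arn:aws:ec2:us-east-1::image/ami-cba54321", EC2 + "instance/*"]}]}
# Any action on resources tagged sandbox=<the caller's own user name>
SANDBOX = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*",
                          "Condition": {"StringEquals": {"ec2:ResourceTag/sandbox": "${aws:username}"}}}]}
# Derek may terminate stack=prod instances only after MFA: a broad Allow plus a
# Deny that fires when the tag matches and MFA is false or simply absent
DEREK = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/stack": "prod"},
                   "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

def demo():
    """Decide the slide's use cases; returns {case: decision}."""
    term, run, inst = "ec2:TerminateInstances", "ec2:RunInstances", EC2 + "instance/i-0prod"
    return {
        "ben_abc": evaluate([BEN], term, EC2 + "instance/i-abc12345", {}),
        "ben_def": evaluate([BEN], term, EC2 + "instance/i-def67890", {}),
        "ken_ok": evaluate([KEN], run, "arn:aws:ec2:us-east-1::image/ami-cba54321", {}),
        "ken_other": evaluate([KEN], run, "arn:aws:ec2:us-east-1::image/ami-00000000", {}),
        "sandbox_own": evaluate([SANDBOX], "ec2:StopInstances", inst,
                                {"aws:username": "Nate", "ec2:ResourceTag/sandbox": "Nate"}),
        "sandbox_other": evaluate([SANDBOX], "ec2:StopInstances", inst,
                                  {"aws:username": "Nate", "ec2:ResourceTag/sandbox": "Kevin"}),
        "derek_prod_nomfa": evaluate([DEREK], term, inst, {"ec2:ResourceTag/stack": "prod"}),
        "derek_prod_mfa": evaluate([DEREK], term, inst,
                                   {"ec2:ResourceTag/stack": "prod", "aws:MultiFactorAuthPresent": True}),
        "derek_dev_nomfa": evaluate([DEREK], term, inst, {"ec2:ResourceTag/stack": "dev"}),
    }
```

The Derek policy is the one worth studying. In real IAM the key aws:MultiFactorAuthPresent is absent from requests signed with long-term access keys, so a Deny written with a plain Bool test never fires for exactly the requests it is meant to stop; BoolIfExists (or a Null check on the key) closes that gap.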
Page 30
Amazon DynamoDB Fine-Grained Access Control
By Item
By Attribute
Or Both
Page 31
Powerful Delegation
Page 32
IAM Role
• Entity that defines a set of permissions
• Not associated with a specific user or group
• Roles must be “assumed” by trusted entities
Page 33
IAM Roles for Amazon EC2
• Allow Amazon EC2-based apps to act on behalf of another entity
• Create a role, apply a policy, launch instance with role
• Credentials are automatically:
– Made available to Amazon EC2 instances
– Rotated multiple times a day
• AWS SDKs transparently use the credentials
Page 34
Roles for EC2 Instances
Figure: an Auto Scaling group of Amazon EC2 instances launched with an IAM role granting read/write access to Amazon S3 files and Amazon DynamoDB rows.
Page 35
Benefits of Using Roles with Amazon EC2
• Eliminates use of long-term credentials
• Automatic credential rotation
• Less coding: the AWS SDK does all the work
• Easier and more secure!
Page 37
Trillions of resources
Page 38
Million+ requests/second
Page 39
Hundreds of thousands of customers in 190 countries, each with one to millions of identities
Page 42
Familiar Administration
Page 45
IAM Policy Simulator
• Test the effect of access control policies before
pushing to production
• Verify and troubleshoot permissions
Page 52
Familiar Instance OS Controls
Figure: IAM governs the Amazon EC2 API call (RunInstances) that creates an instance; the controls inside the instance OS remain the familiar ones.
Page 53
Familiar Enterprise Federation
Page 54
Federation
• AWS websites and/or APIs as relying party
• Pre-packaged samples: Windows Active Directory, Shibboleth
Page 55
SSO Federation Using SAML (new)
• STS now supports SAML 2.0
• Benefits:
– Open standards
– Quicker and easier to implement federation
– Leverage existing identity management software to manage access to AWS resources
– No coding required
• AWS Management Console SSO
– IdP-initiated web SSO via SAML 2.0 using the HTTP-POST binding (web SSO profile)
– New sign-in URL that greatly simplifies SSO: the IdP POSTs the SAML authentication response to https://signin.aws.amazon.com/saml
• API federation using the new AssumeRoleWithSAML operation
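As an added example, not code from this deck or from AWS, the Python below shows what the two SAML paths above hand to AWS: the base64-encoded SAML response the IdP POSTs to the sign-in URL, and the arguments AssumeRoleWithSAML takes. It builds a constructed, minimal SAML 2.0 response and extracts the two AWS-specific attributes STS reads from the assertion, using the documented attribute names https://aws.amazon.com/SAML/Attributes/Role (values are role-ARN,provider-ARN pairs) and https://aws.amazon.com/SAML/Attributes/RoleSessionName. The account ID, role names, provider name and session name are assumptions. Signature, audience and validity-window checks are performed by AWS against the IdP metadata registered with the SAML provider; this code does no signature verification and must not be used to make an authorization decision.

```python
"""Parse the SAML response AWS receives (added illustration, not AWS's code).
Builds a constructed minimal SAML 2.0 Response, base64-encodes it as the IdP
does for the HTTP-POST binding, then extracts the AWS Role and RoleSessionName
attributes that AssumeRoleWithSAML needs. No signature verification here."""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample: one assertion listing two roles and a session name.
_SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>arn:aws:iam::111122223333:role/ddb-role,arn:aws:iam::111122223333:saml-provider/CorpIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::111122223333:role/ReadOnly,arn:aws:iam::111122223333:saml-provider/CorpIdP</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{SESSION_ATTR}">
        <saml:AttributeValue>jeff@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def encode_for_post(xml_text):
    """The value the IdP places in the SAMLResponse form field of the POST."""
    return base64.b64encode(xml_text.encode()).decode()

def parse_saml_response(saml_response_b64):
    """Decode the response and return ([(role_arn, provider_arn), ...], session_name)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles, session = [], None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        if attr.get("Name") == ROLE_ATTR:
            for v in values:
                role_arn, provider_arn = (p.strip() for p in v.split(","))
                roles.append((role_arn, provider_arn))
        elif attr.get("Name") == SESSION_ATTR and values:
            session = values[0]
    if not roles or session is None:
        raise ValueError("assertion lacks the Role or RoleSessionName attribute")
    return roles, session

def assume_role_with_saml_args(saml_response_b64, role_arn):
    """Arguments for sts:AssumeRoleWithSAML. The requested role must be one the
    IdP actually asserted, and it is paired with that assertion's provider ARN."""
    roles, _ = parse_saml_response(saml_response_b64)
    for arn, provider in roles:
        if arn == role_arn:
            return {"RoleArn": arn, "PrincipalArn": provider,
                    "SAMLAssertion": saml_response_b64}
    raise PermissionError(f"{role_arn} is not among the roles asserted by the IdP")
```

The role/provider pair is what ties the assertion to IAM: a role can only be assumed this way if its trust policy names that SAML provider ARN as a Federated principal for sts:AssumeRoleWithSAML, so adding a role to the IdP's attribute mapping alone grants nothing.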
Page 56
Partner Integrations for Federation / SSO
http://www.xceedium.com/xsuite/xsuite-for-amazon-web-services
http://www.okta.com/aws/
http://www.symplified.com/solutions/single-sign-on-sso
https://www.pingidentity.com/products/pingfederate/
http://www.cloudberrylab.com/ad-bridge.aspx http://wiki.developerforce.com/page/Configuring-SAML-SSO-to-AWS
Page 57
Familiar Web Identity Federation
Page 58
Web Identity Federation
• App sign-in using 3rd party identity providers
– Login with Amazon
– Facebook
– Google
• Apps can access data from Amazon S3, Amazon DynamoDB, Amazon Simple Notification Service (now with mobile push!)
• No server-side code required
Page 59
Web Identity Federation
Figure (us-east-1): the app authenticates with the identity provider, presents the provider's token to STS to assume a role, and uses the temporary credentials with AWS services such as Amazon S3 and Amazon DynamoDB.
Page 61
Web Identity Federation Playground
• UI tool: try it out, no coding required!
Page 62
Secure Powerful Controls
Page 63
Control Your Users
• Multi-factor authentication
• Password/credential management policies
Page 64
Delegate Access Across Accounts
• Access resources across AWS accounts
• Why do you need it?
– Management visibility across all your AWS accounts
– Developer access to resources across AWS accounts
– Use third-party solutions, with no sharing of credentials
Page 65
Cross-Account Access - Setup
Account B (ID 111122223333) owns the role ddb-role. Permissions assigned to ddb-role:
{ "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Resource": "*" } ] }
Trust policy on ddb-role; it trusts IAM users from account A (ID 123456789012):
{ "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "123456789012" }, "Action": "sts:AssumeRole" } ] }
Account A (ID 123456789012) contains the IAM user Jeff. Permissions assigned to Jeff, granting him permission to assume ddb-role in account B:
{ "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/ddb-role" } ] }
The grant is two-sided: the trust policy names the whole of account A, so which of its users can actually assume ddb-role is decided by the sts:AssumeRole permission each of them holds in account A. STS issues the temporary credentials.
Page 66
Cross-Account Access - Use
• Jeff (IAM user in account A, ID 123456789012) authenticates to AWS with his own access keys
• He calls STS to get temporary security credentials for ddb-role in account B (ID 111122223333)
• He calls AWS APIs using the temporary security credentials of ddb-role
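The following Python is an added illustration, not code from this deck or from AWS, of the two-sided check behind the setup and use slides above. A model of STS issues temporary credentials for ddb-role only when both the caller's identity policy allows sts:AssumeRole on the role ARN and the role's trust policy names the caller's account; calls made with those credentials are then judged by the role's permissions and by the credentials' expiry, not by the caller's own permissions. The two policies and the user Jeff are the slide's; other-role, Joan, Nate, the credential format and the one-hour lifetime are assumptions constructed for the example.

```python
"""Model of cross-account sts:AssumeRole (added illustration, not AWS's code).
ddb-role, Jeff and the two policies come from the slide; other-role, Joan,
Nate, the credential shape and the lifetime are constructed for the example."""
import secrets
import time

ACCOUNT_A = "123456789012"   # Jeff's account
ACCOUNT_B = "111122223333"   # account that owns ddb-role
DDB_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/ddb-role"
OTHER_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/other-role"   # constructed, trusts another account

ROLES = {
    DDB_ROLE: {
        "trust": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ACCOUNT_A},
                                 "Action": "sts:AssumeRole"}]},
        "permissions": {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
            "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
            "dynamodb:Scan", "dynamodb:DescribeTable", "dynamodb:ListTables"]}]}},
    OTHER_ROLE: {
        "trust": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "999999999999"},
                                 "Action": "sts:AssumeRole"}]},
        "permissions": {"Statement": []}},
}

USERS = {  # IAM users in account A with their identity policies
    "Jeff": {"account": ACCOUNT_A, "policy": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": DDB_ROLE}]}},
    "Joan": {"account": ACCOUNT_A, "policy": {"Statement": []}},
    "Nate": {"account": ACCOUNT_A, "policy": {"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": OTHER_ROLE}]}},
}

def _allows(policy, action, resource="*"):
    """Exact-or-'*' matching is all the slide's policies need."""
    for s in policy["Statement"]:
        acts = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        res = s.get("Resource", "*")
        res = res if isinstance(res, list) else [res]
        if (s["Effect"] == "Allow" and any(a in ("*", action) for a in acts)
                and any(r in ("*", resource) for r in res)):
            return True
    return False

def _trusts(trust_policy, account):
    """A bare account ID in Principal.AWS means the account root, i.e. any
    principal in that account that is itself permitted to call AssumeRole."""
    for s in trust_policy["Statement"]:
        principals = s.get("Principal", {}).get("AWS", [])
        principals = principals if isinstance(principals, list) else [principals]
        if s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole" and any(
                p in (account, f"arn:aws:iam::{account}:root") for p in principals):
            return True
    return False

def assume_role(user, role_arn, duration=3600, now=None):
    """Model of sts:AssumeRole: returns temporary credentials or raises."""
    now = time.time() if now is None else now
    caller, role = USERS[user], ROLES[role_arn]
    if not _allows(caller["policy"], "sts:AssumeRole", role_arn):
        raise PermissionError(f"{user} is not allowed to call sts:AssumeRole on {role_arn}")
    if not _trusts(role["trust"], caller["account"]):
        raise PermissionError(f"{role_arn} does not trust account {caller['account']}")
    return {"AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),   # temporary key IDs start with ASIA
            "SecretAccessKey": secrets.token_urlsafe(30),
            "SessionToken": secrets.token_urlsafe(60),
            "Expiration": now + duration, "RoleArn": role_arn}

def call_api(creds, action, now=None):
    """A call with temporary credentials passes only if they have not expired
    and the assumed role's permission policy allows the action."""
    now = time.time() if now is None else now
    if now >= creds["Expiration"]:
        raise PermissionError("ExpiredToken")
    if not _allows(ROLES[creds["RoleArn"]]["permissions"], action):
        raise PermissionError(f"AccessDenied: {action}")
    return "OK"
```

Joan fails on the account A side (no sts:AssumeRole grant), Nate fails on the account B side (other-role does not trust account A), and Jeff succeeds but can only read DynamoDB, because once he is acting as ddb-role only that role's permissions apply.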
Page 68
AWS CloudTrail
Log API calls to: Amazon EC2, Amazon EBS, Amazon VPC, Amazon RDS, AWS IAM, AWS CloudTrail, Amazon Redshift, AWS Security Token Service
Additional services added over time…
Page 69
AWS CloudTrail
• Your AWS account’s API calls logged and delivered to your Amazon S3 bucket
• Amazon SNS notifications of new log files (optional)
• Data analysis partners
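Once the log files are in your bucket the work is deciding what to look for in them. The Python below is an added example, not code from this deck or from AWS, of three starting-point detections run over a CloudTrail log file: destructive or IAM calls made by a user whose session was not MFA-authenticated, AssumeRole activity (where cross-account use shows up), and bursts of AccessDenied errors, which often precede an attempt to find a permission that does work. The file layout (a JSON object with a "Records" list) and the field names follow the CloudTrail record format; the records themselves, the identities, IP addresses and the list of sensitive actions are constructed for the example.

```python
"""Starter detections over CloudTrail records (added illustration, not AWS's code).
The records, identities and addresses are constructed; the field names follow
the CloudTrail record format. Files arrive gzipped in S3; decompress first."""
import json
from collections import Counter

# Constructed list of API calls worth a second look when made without MFA
SENSITIVE = {"TerminateInstances", "DeleteTable", "DeleteBucket", "CreateUser",
             "AttachUserPolicy", "PutUserPolicy", "CreateAccessKey", "DeleteTrail", "StopLogging"}

SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.0", "eventTime": "2013-11-13T22:01:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/Ben",
                      "userName": "Ben", "accountId": "111122223333"},   # long-term keys: no session, no MFA
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-abc12345"}]}}},
    {"eventVersion": "1.0", "eventTime": "2013-11-13T22:02:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/Derek",
                      "userName": "Derek", "accountId": "111122223333",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true",
                                                        "creationDate": "2013-11-13T21:50:00Z"}}}},
    {"eventVersion": "1.0", "eventTime": "2013-11-13T22:03:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Jeff",
                      "userName": "Jeff", "accountId": "123456789012"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ddb-role",
                           "roleSessionName": "jeff"}},
] + [
    {"eventVersion": "1.0", "eventTime": f"2013-11-13T22:05:{s:02d}Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/Kevin",
                      "userName": "Kevin", "accountId": "111122223333"},
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform iam:ListUsers"}
    for s in range(6)
]})

def load_records(log_text):
    return json.loads(log_text)["Records"]

def mfa_present(rec):
    """Only sessions carry the MFA flag; a bare access-key call has no sessionContext."""
    attrs = rec["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def sensitive_without_mfa(records):
    """Successful sensitive calls by an IAM user whose session was not MFA-authenticated."""
    return [(r["eventTime"], r["userIdentity"]["arn"], r["eventName"])
            for r in records
            if r["eventName"] in SENSITIVE and r["userIdentity"]["type"] == "IAMUser"
            and not mfa_present(r) and "errorCode" not in r]

def assume_role_events(records):
    """Who assumed which role, from where."""
    return [(r["userIdentity"]["arn"], r["requestParameters"]["roleArn"], r["sourceIPAddress"])
            for r in records
            if r["eventSource"] == "sts.amazonaws.com" and r["eventName"] == "AssumeRole"]

def access_denied_bursts(records, threshold=5):
    """Identities with at least `threshold` AccessDenied errors in the file."""
    counts = Counter(r["userIdentity"]["arn"] for r in records if r.get("errorCode") == "AccessDenied")
    return {arn: n for arn, n in counts.items() if n >= threshold}
```

Ben's termination is flagged and Derek's is not, which is the log-side view of the MFA policy from the resource-level permissions slide; the same records also make the ddb-role assumption from account 123456789012 visible to account 111122223333's owners, who otherwise only see it if they check.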
Page 70
Achieving Best Practices: Trusted Advisor
• AWS Support service
– Analyzes account for issues and recommendations
– API for integration with your tools
• Categories:
– Cost savings
– Security
– Fault tolerance
– Performance
Page 71
Secure Compliance
Page 72
Regular Exhaustive 3rd Party Evaluations
Page 73
New AWS Whitepapers
• AWS Security Best Practices: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
– Best practices on a wide range of topics, including:
• Defining and categorizing assets on AWS
• Managing identities
• Implementing data security
• Securing your operating systems and applications
• Monitoring, alerting, auditing, and incident response
• Securing Data at Rest with Encryption: http://media.amazonwebservices.com/AWS_Securing_Data_at_Rest_with_Encryption.pdf
Page 74
http://blogs.aws.amazon.com/security/
AWS Security Blog
Page 76
AWS Identity and Access Management
• Flexible
– Individual use
– Organizations
– Enterprise
• Powerful
– Integrated
– Fine-grained
– Delegation
– Scale
• Familiar
– Administration
– Enterprise federation
– Web identity federation
• Secure
– Powerful controls
– Audit
– Compliance
Page 77
For More Information
• IAM detail page: http://aws.amazon.com/iam
• AWS forum: https://forums.aws.amazon.com/forum.jspa?forumID=76
• Documentation: http://aws.amazon.com/documentation/iam/
• AWS Security Blog: http://blogs.aws.amazon.com/security
• Twitter: @AWSIdentity
• Meet the IAM and Security teams: Thursday 11/14, 4pm - 6pm, Toscana 3605
Page 78
Customers who liked this talk also may like…
• SEC301 - Top 10 AWS Identity and Access Management (IAM) Best Practices
– Wednesday, Nov 13, 3:00 PM - 4:00 PM – Marcello 4503
• SEC302 - Mastering Access Control Policies – Wednesday, Nov 13, 4:15 PM - 5:15 PM – Venetian A
• SEC303 - Delegating Access to your AWS Environment – Thursday, Nov 14, 11:00 AM - 12:00 PM – Venetian A
• SEC304 - Encryption and key management in AWS – Friday, Nov 15, 9:00 AM - 10:00 AM – San Polo 3406
• SEC401 - Integrate Social Login Into Mobile Apps – Thursday, Nov 14, 1:30 PM - 2:30 PM – Venetian A
• SEC402 - Intrusion Detection in the Cloud – Thursday, Nov 14, 5:30 PM - 6:30 PM – Marcello 4406
Page 79
Please give us your feedback on this presentation.
As a thank you, we will select prize winners daily for completed surveys!
SEC201