AWS Identity and Access Management Jim Scharf 7/11/2013
Jan 15, 2015
© 2012 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Introductions
Jim Scharf, Director, AWS Identity and Access Management. Joined AWS in 2004.
Owns:
• AWS Identity and Access Management
• Authentication, Authorization
• Federation
AWS Mission
Enable businesses and developers to use web services* to build scalable, sophisticated applications.
*What people now call "the cloud"
Diverse Customers, Wide Range of Use Cases
• Free steak campaign
• Facebook page
• Mars exploration operations
• Consumer social app
• Gene sequencing
• Marketing web site
• Interactive TV apps
• Financial markets analytics
• Web site & media sharing
• Disaster recovery
• Media streaming
• Web and mobile apps
Mars Rovers Operations
Mission-critical Projects
• Mars Rover Image processing
• Video Streaming for Landing
• Scale up as needed
• Highly Parallel Processing
• Whole World Watching One-Time Event
Curiosity
Panoramas of 5 Gigapixels, created on AWS in just 5 minutes!
Mission Data Processing
Daily Mars Rover Data Processing Window (2 hours)
• Pre-cloud: Serial Process, Upload Plan
• Cloud: Parallel Process, Upload Plan
Increased available mission planning time by 1.5 hours!
More on NASA & AWS
AWS Re:Invent Conference, 2012 Keynote Video: http://youtu.be/8FJ5DBLSFe4?t=11m58s
AWS Services
• Compute: Amazon EC2, Amazon Elastic MapReduce, Amazon Elastic Load Balancer
• Networking: Amazon Route 53, Amazon Virtual Private Cloud, AWS Direct Connect
• Storage & CDN: Amazon S3, Amazon Glacier, Amazon EBS, AWS Import/Export, Amazon CloudFront
• Database: Amazon RDS, Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift
• App Services: Amazon CloudSearch, Amazon SWF, Amazon SQS (Queues), Amazon SNS (Notifications), Amazon SES (Email), Amazon Elastic Transcoder
• Management: AWS IAM, Amazon CloudWatch, AWS Elastic Beanstalk, AWS CloudFormation, AWS Data Pipeline, AWS OpsWorks, AWS CloudHSM, AWS Trusted Advisor, AWS Marketplace
AWS Identity and Access Management
Access control for AWS services and resources
Difference #1
Image courtesy of: http://imgsrc.hubblesite.org/hu/db/images/hs-2005-01-a-full_jpg.jpg
AWS Scale
• $5.2B e-commerce company
• 7,800 employees
• A whole lot of servers!
Every day (on average), AWS adds server capacity equivalent to that entire $5.2B enterprise.
Resources: Trillions
Million+ Requests/Second
Customers: Hundreds of Thousands, in 190 countries, each with one to millions of identities
Servers: Lots!
Global
Difference #2
Resources
Cloud Services
Amazon EC2
Instance O/S
Cloud Services
Amazon EC2, Amazon S3, Amazon Elastic MapReduce, AWS Storage Gateway, Amazon DynamoDB, Amazon RDS, Amazon ElastiCache, Amazon Route 53, Amazon VPC, Amazon CloudFront, Amazon CloudWatch, Amazon Elastic Beanstalk, AWS CloudFormation, AWS IAM, Amazon SQS, Amazon SES, Amazon SNS, Amazon CloudSearch, Amazon SWF, Amazon Redshift, OpsWorks, Amazon Elastic Transcoder
Cloud Resources
Services: Amazon EC2, Amazon S3, Amazon Elastic MapReduce, AWS Storage Gateway, Amazon DynamoDB, Amazon RDS, Amazon ElastiCache, Amazon Route 53, Amazon VPC, Amazon CloudFront, Amazon CloudWatch, Amazon Elastic Beanstalk, AWS CloudFormation, AWS IAM, Amazon SQS, Amazon SES, Amazon SNS, Amazon CloudSearch, Amazon SWF, Amazon Redshift, OpsWorks, Amazon Elastic Transcoder
Resources: Instances, Files, AMIs, Spot Instances, Volumes, Messages, Snapshots, Security Groups, Elastic IPs, Placement Groups, Users, Groups, Roles, Load Balancers, Autoscaling Groups, Network Interfaces, Queues, Topics, Domains, Workflows, Applications, Templates, Distributions, Buckets, Stacks, Apps, Layers, Clusters
AWS Marketplace
Difference #3
Customers
• Individual Developers
• Students
Hear about AWS
Create Account
Innovate!
Customers
• Individual Developers
• Students
• Startups
• SMBs
IAM
• Users, Groups, Permissions
– Individual security credentials
– Secure by default
– Grant least privilege
• Easy to use
– Graphical user interface
– Ability to script/automate (CLI & API)
Customers
• Individual Developers
• Students
• Startups
• SMBs
• Enterprises
• Government Agencies
Control
• AWS Multi-Factor Authentication
– Hardware tokens
– Smartphone app tokens
• Credential management policies
• Control billing, support, and AWS Marketplace purchases
Compliance
• HIPAA
• SOC 1/SSAE 16/ISAE 3402 (formerly SAS70)
• SOC 2
• SOC 3
• PCI DSS Level 1
• ISO 27001
• FedRAMP
• DIACAP and FISMA
• ITAR
• FIPS 140-2
• CSA
• MPAA
Federation
• AWS Websites and/or APIs as relying party
• Pre-packaged sample: Windows Active Directory as identity provider
(Diagram: SSO, Active Directory)
Federation
• Partners are critical
– http://www.xceedium.com/xsuite/xsuite-for-amazon-web-services
– http://www.okta.com/aws/
– http://www.symplified.com/solutions/single-sign-on-sso
– https://www.pingidentity.com/products/pingfederate/
• More federation support coming…
Customers
• Individual Developers
• Students
• Startups
• SMBs
• Enterprises
• Government Agencies
• Mobile Developers
Web Identity Federation
• App sign-in using 3rd party identity providers
– Facebook
– Google (using OpenID Connect)
• No server-side code required
Web Identity Federation
(Diagram, US-EAST-1: Identity Provider → Assume Role → STS → Access AWS Resources: Amazon S3, Amazon DynamoDB)
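The least-privilege point from the IAM slide and the Web Identity Federation flow above, combined in one CloudFormation template as an added example (not from the deck or from AWS's own samples): the role can only be assumed via STS AssumeRoleWithWebIdentity with a token from one Facebook app, and its permissions are scoped to each user's own S3 prefix and DynamoDB partition key. The parameter FacebookAppId, the bucket example-app-bucket, the table ExampleUserData and account 111122223333 are placeholders.

```yaml
# Added example, not from the slides. Role that a mobile app assumes through
# STS AssumeRoleWithWebIdentity after signing the user in with Facebook.
# Placeholders (assumed, not from the deck): FacebookAppId, the bucket
# example-app-bucket, the table ExampleUserData and account 111122223333.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  FacebookAppId:
    Type: String
    Description: Facebook app id allowed to assume the role (placeholder)
Resources:
  MobileAppUserRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only tokens issued by Facebook for this app id may
      # assume the role; without the app_id condition any Facebook app could.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: graph.facebook.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                "graph.facebook.com:app_id": !Ref FacebookAppId
      Policies:
        - PolicyName: PerUserS3AndDynamoDB
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # S3: the policy variable ${graph.facebook.com:id} resolves to
              # the caller's Facebook user id, so each user only reaches
              # objects under their own prefix. One role serves all users.
              - Effect: Allow
                Action: [s3:GetObject, s3:PutObject, s3:DeleteObject]
                Resource: "arn:aws:s3:::example-app-bucket/${graph.facebook.com:id}/*"
              - Effect: Allow
                Action: s3:ListBucket
                Resource: "arn:aws:s3:::example-app-bucket"
                Condition:
                  StringLike:
                    "s3:prefix": "${graph.facebook.com:id}/*"
              # DynamoDB fine-grained access: the partition key of every item
              # touched must equal the caller's Facebook user id.
              - Effect: Allow
                Action: [dynamodb:GetItem, dynamodb:PutItem, dynamodb:Query]
                Resource: "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleUserData"
                Condition:
                  ForAllValues:StringEquals:
                    "dynamodb:LeadingKeys": ["${graph.facebook.com:id}"]
```

The same shape works for Google by changing the Federated principal to accounts.google.com and conditioning on accounts.google.com:aud instead of the Facebook app id.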
Customer Evolution (diagram)
Stages: Joe → Startup/SMB → Enterprise → Mobile
Features: Username & Password; IAM Management UI, CLI, API; Multi-Factor Authentication, Federation & SSO; Password Strength Policy, AWS Marketplace Control
No additional charge
Summary
• Scale
• Resources
• Customers
[email protected] @jim_scharf Additional resources: • AWS Security Blog: http://blogs.aws.amazon.com/security/ • AWS IAM: http://aws.amazon.com/iam/ • AWS IAM on Twitter: @AWSIdentity
Thank You!
Registration opens July 17, 9 AM PDT. Last year it sold out, so register early.