Page 1
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Quint Van Deman, Sr. IT Transformation Consultant, AWS Professional Services
Chad Wintzer, DevOps Engineering Lead, Dow Jones & Company
October 2015
SEC 307
A Progressive Journey Through
AWS IAM Federation Options: From Roles to SAML to Custom Identity Brokers
Page 2
What you will take away from this session
• Understand your federation options
• Get it right at scale
• Plan your approach
• Tooling to get started
Page 7
Session prerequisites
• To get the most out of this session, you must be comfortable with several building blocks: AWS IAM, roles, policies, AWS STS, long-lived credentials, temporary credentials
• If you need to brush up, check out:
• SEC305 – Become an AWS IAM Policy Ninja in 60 Minutes or Less
• SEC302 – IAM Best Practices to Live By
Page 9
AWS IAM federation: A progression of options (ordered by increasing involvement and control)
• Cross-account trust
• AWS Directory Service
• Security Assertion Markup Language (SAML)
• Custom identity broker
Related sessions: SEC305, SEC315. Session focus: SAML and the custom identity broker.
Page 12
Federation rationale (before → after → result)
• Unique credentials → Single sign-on → Users
• Long-lived keys → Short-term tokens → Security
• One-off → Naturally aligned → Compliance
Page 20
The journey: Federation with
Security Assertion Markup
Language (SAML)
Page 21
Quick SAML primer
• Identity provider (IdP) and service provider
• Metadata: exchanged in advance
• Assertion: exchanged during the login flow
Page 26
Basic AWS federation with SAML
• Known science, assuming:
• Few AWS accounts
• AWS Management Console access
• Well documented:
• Whitepapers
• Blogs
• Documentation
Page 27
AWS federation with SAML: At-scale
• Many AWS accounts?
• Lots of users?
• Lots of AWS IAM roles?
• Multiple access vectors?
• Resource-level permissions?
• AWS CloudTrail impacts?
• IdP unavailable strategy?
Dive deep = Get it right
Page 39
AWS federation with SAML: At-scale demo
• Automate onboarding
• User experience
• Under the hood
Page 43
AWS federation with SAML: At-scale demo – Automate onboarding
Directory (group definitions) → AWS account (providers, roles, and policies)
Key takeaways
• Automate deployment of IAM roles and policies.
• Automate deployment of companion directory structure.
• Keep role definitions constant across accounts.
Page 45
AWS federation with SAML: At-scale demo – Smooth user experience
Access vectors: AWS SDKs, AWS CLI
Key takeaways
• Federation shouldn’t limit access vectors.
• Getting users into groups should be automated and efficient.
• Don’t create a “low-to-high” exposure in the back end.
Page 47
AWS federation with SAML: At-scale demo – Under the hood
IdP configurations; AWS CloudTrail samples
Key takeaways
• Naming conventions are critical.
• Configurations should rely on patterns, not values.
• Think about traceability now.
• Tighter policies help reduce AWS account sprawl.
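As an added example (not code from the session's demo), the two pieces of SAML configuration the at-scale slides say to keep pattern-based and identical across accounts: the role trust policy deployed unchanged to every account, and the IdP-side rule that derives the SAML Role attribute from directory groups by naming pattern instead of a per-role value list. Assumed: the provider name CorpIdP, a group convention AWS-<account id>-<role name>, and constructed sample groups.

```python
import re

PROVIDER_NAME = "CorpIdP"  # assumed; the same provider name is used in every account
# Assumed directory convention: AWS-<12-digit account id>-<IAM role name>
GROUP_RE = re.compile(r"^AWS-(\d{12})-([A-Za-z0-9+=,.@_-]{1,64})$")


def saml_trust_policy(account_id, provider_name=PROVIDER_NAME):
    """Role trust policy that is the same in every account (only the account id varies).

    Only the account's own SAML provider may assume the role, and only with an
    assertion whose audience (SAML:aud) is the AWS sign-in endpoint."""
    provider_arn = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


def role_attribute_values(groups, provider_name=PROVIDER_NAME):
    """IdP-side rule written as a pattern, not a value list: every group that matches
    the convention becomes one 'role_arn,provider_arn' value for the
    https://aws.amazon.com/SAML/Attributes/Role attribute. Groups that do not match
    are ignored, so onboarding a new account or role needs no IdP change."""
    values = []
    for group in sorted(groups):
        m = GROUP_RE.match(group)
        if m is None:
            continue
        account_id, role_name = m.groups()
        values.append(f"arn:aws:iam::{account_id}:role/{role_name},"
                      f"arn:aws:iam::{account_id}:saml-provider/{provider_name}")
    return values
```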
Page 49
AWS federation with SAML: Looking beyond
• For some: SAML bliss!
• For others: Further needs.
• Alternate user mapping
• Curtail role sprawl
• Curtail group sprawl
• More granular, contextual policies
• If so: Custom identity broker
Page 52
The journey: Federation using a custom identity broker
Page 53
• 3+ years on AWS
• Several flagship products run on AWS, including WSJ.com
• 3,000+ Amazon EC2 instances
Page 54
How we interact with AWS
Automate!
Page 55
Our journey through identity management
• IAM users with static keys
• Nova v1: basic roles
• Nova v2: resource-level permissions, tagging standards
• Nova v3: dynamic policy generation
Page 56
Nova workflow
• Bob the Engineer uses the Nova PHP web application.
• Corporate SSO: authenticate w/ MFA.
• Active Directory: look up group membership.
• Nova database: group-to-role mappings.
• Ask Bob which AWS account he would like to access based on available roles.
• IAM API: sts:AssumeRole for the appropriate IAM role.
• Result: access to the AWS Management Console and keys for API/CLI access.
Page 57
Nova v1 basic roles
• General roles like “Developer” assignable to different AWS accounts
• Maps membership in AD groups to IAM roles
Example: Active Directory group NOVA_PRODSHARED_DEVELOPER maps to IAM role nova.prodshared.developer, whose policy allows EC2 actions on any resource (action list truncated on the slide):
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Resource": ["*"],
          "Action": [
            "ec2:AllocateAddress",
            "ec2:AssignPrivateIpAddresses",
            "ec2:AssociateAddress",
            "ec2:AttachNetworkInterface",
            "ec2:AttachVolume",
            "ec2:BundleInstance",
            "ec2:CancelBundleTask",
            "ec2:CancelConversionTask",
            "ec2:CancelExportTask",
            "ec2:CancelSpotInstanceRequests",
            "ec2:ConfirmProductInstance",
            "ec2:CopyImage",
            "ec2:CopySnapshot",
            "ec2:CreateImage",
            "ec2:CreateInstanceExportTask",
            "ec2:CreateKeyPair",
            "ec2:CreateNetworkInterface",
            "ec2:CreatePlacementGroup",
            "ec2:CreateSnapshot",
            "ec2:CreateSpotDatafeedSubscription",
            "ec2:CreateTags",
            "ec2:CreateVolume",
            "ec2:DeleteKeyPair",
            "ec2:DeleteNetworkInterface"
          ]
        }
      ]
    }
Page 59
Nova v2 resource-level permissions
• Tagging and resource-level permissions matured
• Tagging resources by team enabled resource-level permissions by team
• Easy expansion, no changes necessary to Nova
Example: Active Directory group NOVA_PRODSHARED_DJCS_DEV maps to IAM role nova.prodshared.djcs.developer, whose policy restricts the same EC2 actions to resources tagged servicename=djcs/* (action list truncated on the slide):
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Resource": ["*"],
          "Condition": {
            "StringLike": {
              "ec2:ResourceTag/servicename": ["djcs/*"]
            }
          },
          "Action": [
            "ec2:AllocateAddress",
            "ec2:AssignPrivateIpAddresses",
            "ec2:AssociateAddress",
            "ec2:AttachNetworkInterface",
            "ec2:AttachVolume",
            "ec2:BundleInstance",
            "ec2:CancelBundleTask",
            "ec2:CancelConversionTask",
            "ec2:CancelExportTask",
            "ec2:CancelSpotInstanceRequests",
            "ec2:ConfirmProductInstance",
            "ec2:CopyImage",
            "ec2:CopySnapshot",
            "ec2:CreateImage"
          ]
        }
      ]
    }
Page 61
Nova v3 dynamic policy generation
• User flow: authenticate w/ MFA → select AWS account → select application → select lifecycle
• Resources (EC2 instances, Amazon RDS instance, Amazon Route 53 zone) carry tags such as Application: Poseidon, Lifecycle: Prod
• Nova generates the policy statement from the selected tag values (shown as on the slide; action list truncated; a comma missing between the two condition keys on the slide is restored here):
    {
      "Effect": "Allow",
      "Resource": ["*"],
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/Application": ["Poseidon"],
          "ec2:ResourceTag/Lifecycle": ["Prod"]
        }
      },
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssignPrivateIpAddresses",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:AttachVolume",
        "ec2:BundleInstance",
        "ec2:CancelBundleTask",
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CancelSpotInstanceRequests",
        "ec2:ConfirmProductInstance",
        "ec2:CopyImage",
        "ec2:CopySnapshot"
      ]
    }
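As an added example, not Dow Jones's Nova code, the broker steps the Nova slides describe (group-to-role lookup, policy generation from the selected application and lifecycle, sts:AssumeRole) written as functions that run offline. Assumed: a constructed group-to-role table with placeholder account ids standing in for the Nova database, and an STS client passed in by the caller (boto3 is imported only when none is given).

```python
import json
import re

# Constructed stand-in for the Nova database: AD group -> IAM role ARN (placeholder account ids).
GROUP_TO_ROLE = {
    "NOVA_PRODSHARED_DEVELOPER": "arn:aws:iam::111111111111:role/nova.prodshared.developer",
    "NOVA_PRODSHARED_DJCS_DEV": "arn:aws:iam::111111111111:role/nova.prodshared.djcs.developer",
}
# Tag values a user may select: AWS tag characters only. '*' and '?' are excluded because the
# generated condition uses StringLike, where a user-supplied wildcard would widen the scope.
TAG_VALUE_RE = re.compile(r"^[A-Za-z0-9 _.:/=+@-]{1,256}$")


def roles_for_user(groups):
    """Nova v1 step: the roles Bob may choose from, derived from his AD group membership."""
    return {g: GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def scoped_policy(actions, application, lifecycle):
    """Nova v3 step: build the policy for the selected application and lifecycle.
    Passed to AssumeRole as a session policy it can only narrow what the role allows."""
    for value in (application, lifecycle):
        if not TAG_VALUE_RE.match(value):
            raise ValueError(f"invalid tag value {value!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": "*",
            "Condition": {"StringLike": {
                "ec2:ResourceTag/Application": application,
                "ec2:ResourceTag/Lifecycle": lifecycle}}}]}


def broker_credentials(user, group, actions, application, lifecycle, sts=None):
    """Final step: sts:AssumeRole for the chosen role with the generated session policy.
    RoleSessionName carries the user id so CloudTrail shows who acted (traceability)."""
    if sts is None:
        import boto3  # only needed for a real call; tests inject a client
        sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=GROUP_TO_ROLE[group],
        RoleSessionName=user,
        Policy=json.dumps(scoped_policy(actions, application, lifecycle)),
        DurationSeconds=3600)
    return resp["Credentials"]
```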
Page 62
Your own journey: Rationalizing the decision-making process
Page 63
Rationalizing the decision-making process
• Existing federation investments?
• Federation needs beyond AWS?
• Desired level of control vs. involvement?
• Competency and bandwidth for application development?
Page 69
Comparison: SAML vs. Custom identity broker
SAML
• Pro: Low barrier to entry
• Pro: Federation beyond AWS
• Con: Number of roles, groups
• Con: Add’l automation to scale
• Choose SAML if you want a balanced federation approach.
Custom identity broker
• Pro: Granular and contextual policies
• Pro: Complete control
• Con: Development effort
• Con: Complex evaluations
• Choose a custom identity broker if you prefer to increase federation involvement for the ultimate control.
Page 73
Remember the principles of cloud architecture.
• Don’t overanalyze – experiment and iterate.
• Federation options are not mutually exclusive.
• Several can exist in parallel.
• Federation options use the same entities.
• Evolve your federation approach as your needs evolve.
• Right for tomorrow is not always right for today.
Page 76
Your own journey: Taking the first steps
Page 77
Additional information
• Session resources (code and samples)
• AWS documentation
• Manage Federation
• Integrating Third-Party SAML Solution Providers with AWS
• Request Information That You Can Use for Policy Variables
• Custom Federation Broker
• AWS blogs
• Whitepaper—Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth
• How to Implement a General Solution for Federated API/CLI Access Using SAML 2.0