AWS May Webinar Series - Getting Started with AWS Identity and Access Management

Upload: amazon-web-services

Post on 23-Jul-2015

TRANSCRIPT

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Jonathan Desrocher, Security Solutions Architect

5.22.2015

Best Practices: Control Access Authentication and Authorization with AWS IAM

Today’s agenda

• AWS Security model fundamentals.
• Review of IAM core mechanics for controlling account authentication and authorization.
• IAM Federation options.
• Integrating IAM to other AWS services.
• Best practices for implementing and scaling IAM configuration on AWS.
• Questions & Answers.

AWS And You Share Responsibility for Security

[Diagram: the shared responsibility model. AWS takes care of the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). You get to define your controls IN the Cloud: Network Security, Server Security, Data Security, Access Control, and your customer applications & content.]

What This Means

• You benefit from an environment built for the most security-sensitive organizations.
• AWS manages 1800+ security controls so you don’t have to.
• You get to define the right security controls for your workload sensitivity.
• You always have full ownership and control of your data.

Introducing AWS Identity and Access Management

• Enables you to control who can do what to your AWS account and resources.
• Accept or deny any operation in your AWS account based on customer-configurable parameters.
• API calls are captured in AWS CloudTrail and correlated to AWS Config configuration items.

AWS IAM service interfaces

• AWS Management Console
• Windows PowerShell & Command Line Interface
• AWS Software Development Kits
• Other AWS Services

(The slide groups these into Operator Interfaces and Programmer Interfaces.)

Getting started with IAM: Users and Groups

Getting started with IAM: User Authentication

IAM Users can be authenticated using:
• Username/password
• API Access Keys
• Multi-factor tokens

Recent announcement: Credentials last used report

Getting started with IAM: Policies

IAM Policies manage the level of access of established identities such as IAM Users and Groups. Each policy contains statements that define the user’s privileges.

IAM Policy Generator

IAM Policy Generator (cont.)

Creating IAM Policies in code

See the full article on the AWS .NET blog:
http://blogs.aws.amazon.com/net/post/Tx24U6H2IJVUUTT/Creating-Access-Policies-in-Code

```csharp
using System.Collections.Generic;
using Amazon.Auth.AccessControlPolicy;
using Amazon.Auth.AccessControlPolicy.ActionIdentifiers;

public Policy GeneratePolicy(string bucket, string username, string ipAddress)
{
    var statement = new Statement(Statement.StatementEffect.Allow);

    // Allow access to the sub folder represented by the username in the bucket.
    statement.Resources.Add(ResourceFactory.NewS3ObjectResource(bucket, username + "/*"));

    // Allow Get and Put object requests.
    statement.Actions = new List<ActionIdentifier>()
        { S3ActionIdentifiers.GetObject, S3ActionIdentifiers.PutObject };

    // Lock the requests to those coming from the client machine.
    statement.Conditions.Add(ConditionFactory.NewIpAddressCondition(ipAddress));

    var policy = new Policy();
    policy.Statements.Add(statement);

    return policy;
}
```
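The same per-user S3 policy expressed as the JSON document IAM actually stores, as an added example that is not from the slide deck or the AWS .NET blog post. It builds the document the C# GeneratePolicy above assembles with the SDK's Policy/Statement classes, and validates the two inputs whose malformation would silently yield a policy that grants nothing (bad IP) or more than intended (a username containing a path separator or wildcard). The bucket, user and IP values in the demo are constructed.

```python
"""Per-user, per-IP S3 policy document (added example, not from the deck)."""
import ipaddress
import json


def generate_policy(bucket: str, username: str, ip_address: str) -> dict:
    """Return an IAM policy document allowing one user's prefix in a bucket.

    - Resource is restricted to the "<username>/" sub folder of the bucket.
    - Only s3:GetObject and s3:PutObject are allowed.
    - The IpAddress condition pins the statement to the caller's IP or CIDR.
    """
    # A malformed IP would produce a condition that never matches, so reject
    # it up front rather than shipping a policy that grants nothing.
    ipaddress.ip_network(ip_address, strict=False)
    # A username with "/" or "*" would widen the resource beyond one prefix.
    if not username or "/" in username or "*" in username:
        raise ValueError("username must be a single, non-wildcard path segment")

    statement = {
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{bucket}/{username}/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ip_address}},
    }
    return {"Version": "2012-10-17", "Statement": [statement]}


def policy_json(policy: dict) -> str:
    """Serialise the document the way it is passed to the IAM API."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed demo values.
    print(policy_json(generate_policy("example-bucket", "alice", "203.0.113.10/32")))
```

The resource ARN is the one place where user input reaches the policy, which is why the username check is stricter than the C# version: the SDK helper concatenates whatever it is given.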

New IAM Policy Validation Requirements

• Effective March 2015 – for every policy creation and update.
• See reference documentation:
  http://docs.aws.amazon.com/IAM/latest/UserGuide/policies_policy-validator.html

New release: Managed Policies

• IAM Policies can now be a standalone object.
• Customers can link Managed Policies to Users and Roles.
• AWS maintains a set of Managed Policies for you.
• You can maintain your own set of Managed Policies.

Visibility of API access using AWS CloudTrail logs

• AWS CloudTrail captures and aggregates API access for:
  • Security analysis
  • Compliance
  • Troubleshooting operational issues.
• Each AWS CloudTrail log entry contains the caller’s IAM identity.
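What "each log entry contains the caller's IAM identity" looks like in practice, as an added example that is not part of the webinar: three constructed records in the CloudTrail JSON record layout (an IAM user, an assumed role on an EC2 instance, and a root console login), and a summariser that attributes every call to its caller ARN and pulls out anything done with root credentials. The account id, names, key id and IP addresses are placeholders.

```python
"""Attribute CloudTrail events to IAM identities (added example, not from the deck)."""
import json
from collections import Counter

# Constructed sample in the CloudTrail record format; all identifiers are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventVersion": "1.02",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "AIDAEXAMPLEPRINCIPAL",
            "arn": "arn:aws:iam::123456789012:user/alice",
            "accountId": "123456789012",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "userName": "alice",
        },
        "eventTime": "2015-05-22T10:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "sourceIPAddress": "203.0.113.10",
    },
    {
        "eventVersion": "1.02",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLEROLEID:i-0abc123",
            "arn": "arn:aws:sts::123456789012:assumed-role/AppServerRole/i-0abc123",
            "accountId": "123456789012",
        },
        "eventTime": "2015-05-22T10:05:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "sourceIPAddress": "10.0.1.23",
    },
    {
        "eventVersion": "1.02",
        "userIdentity": {
            "type": "Root",
            "principalId": "123456789012",
            "arn": "arn:aws:iam::123456789012:root",
            "accountId": "123456789012",
        },
        "eventTime": "2015-05-22T11:00:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.7",
    },
]})


def summarize(log_text: str):
    """Return (calls per caller ARN, events made with root credentials).

    Root events are listed separately because the root account should not be
    used for day-to-day API calls; any hit here deserves a look.
    """
    records = json.loads(log_text)["Records"]
    per_caller = Counter()
    root_events = []
    for r in records:
        ident = r["userIdentity"]
        per_caller[ident["arn"]] += 1
        if ident["type"] == "Root":
            root_events.append((r["eventTime"], r["eventName"], r["sourceIPAddress"]))
    return per_caller, root_events


if __name__ == "__main__":
    callers, root = summarize(SAMPLE_LOG)
    for arn, n in callers.items():
        print(f"{n:3d}  {arn}")
    for when, event, ip in root:
        print(f"ROOT ACTIVITY: {event} at {when} from {ip}")
```

The `arn` field is the key to join on: for an assumed role it carries the role name and the session name (here the instance id), so an action taken via an instance role still traces back to the specific instance.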

Leveraging AWS Security Token Service

• Provides trusted users with temporary credentials to AWS resources.
• STS Tokens can be provisioned as:
  • Existing IAM users
  • Ad-hoc users

AWS Console Single Sign-on

Active Directory

Log into the console without a user name and password!

Console Federation using SAML (AssumeRoleWithSAML)

[Diagram: Enterprise (Identity Provider) side: browser interface, corporate identity store, identity provider. AWS (Service Provider) side: AWS Sign-in, AWS Management Console. Flow: 1. User browses to the identity provider; 2. receives AuthN response; 3. post to Sign-In, passing the AuthN response; 4. (unlabelled on the slide); 5. redirect client to the AWS Management Console.]

Leveraging IAM Roles

• Defines a set of permissions for making AWS service requests.
• Not associated with a specific user or group.
• Assumed by trusted entities such as IAM users, accounts and AWS services such as EC2.
• Each Role is composed of:
  • Trust Policy (who is allowed to assume it).
  • Authorization Policy (what can that entity do).

[Diagram: a Role made up of a Trust Policy and an Authorization Policy.]

AWS Directory Service

• Managed service that lets you:
  • Connect your AWS resources with existing on-premises Microsoft Active Directory.
  • Set up a new standalone directory in the AWS Cloud.
• Can use the directory to allow federation of directory users and groups to the AWS Management Console.

Using IAM Roles for cross-account access
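The two documents a role is composed of, for the single-account (EC2) case from the Roles slide and the cross-account case named just above, as an added example that is not from the webinar. `trust_policy` builds the "who may assume it" document for a service and/or for other accounts, `authorization_policy` builds the "what can it do" document, and `can_assume` is a deliberately simplified model of how IAM evaluates the trust policy (exact principal match, Allow statements only, no conditions). Account ids are constructed.

```python
"""Trust policy vs. authorization policy for a role (added example, not from the deck)."""
import json


def trust_policy(*, services=(), account_ids=()) -> dict:
    """Who is allowed to call sts:AssumeRole on the role."""
    principals = {}
    if services:
        principals["Service"] = list(services)
    if account_ids:
        # Trusting an account's root principal lets that account delegate the
        # right to assume this role to its own users/roles via their policies.
        principals["AWS"] = [f"arn:aws:iam::{a}:root" for a in account_ids]
    if not principals:
        raise ValueError("a trust policy needs at least one principal")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": principals,
            "Action": "sts:AssumeRole",
        }],
    }


def authorization_policy(actions, resources) -> dict:
    """What the entity may do once it holds the role's temporary credentials."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": list(resources),
        }],
    }


def can_assume(trust: dict, principal_type: str, principal: str) -> bool:
    """Simplified trust-policy check: does an Allow statement name this principal?"""
    for st in trust["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != "sts:AssumeRole":
            continue
        if principal in st["Principal"].get(principal_type, []):
            return True
    return False


if __name__ == "__main__":
    # Constructed account ids: 111122223333 is this account, 444455556666 a partner.
    t = trust_policy(services=["ec2.amazonaws.com"], account_ids=["444455556666"])
    a = authorization_policy(["s3:GetObject"], ["arn:aws:s3:::example-bucket/*"])
    print(json.dumps({"trust": t, "authorization": a}, indent=2))
    print(can_assume(t, "Service", "ec2.amazonaws.com"))             # True
    print(can_assume(t, "AWS", "arn:aws:iam::444455556666:root"))     # True
    print(can_assume(t, "AWS", "arn:aws:iam::999999999999:root"))     # False
```

Keeping the two documents separate is the point of the slide: the trust policy is evaluated at AssumeRole time and the authorization policy on every later API call, so a broad trust policy cannot be compensated for by a narrow authorization policy, or vice versa.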

Web Identity Federation (AssumeRoleWithWebIdentity)

[Diagram: a Mobile App authenticates the user with a Web identity Provider (1 Authenticate user, 2 Id Token), then goes through AWS IAM (3, 4 Token Verification, 5 Check Policy) and finally calls AWS Services (6, 7: Amazon DynamoDB, S3, Amazon SQS) in regions US-EAST-1, EU-WEST-1 and AP-SOUTHEAST-1.]

Integrate your application to the AWS platform

• Check out AWS Cognito for accelerating the development of applications using external user identities.
• Mobile applications: http://aws.amazon.com/mobile/
• AWS JavaScript in the Browser SDK: http://aws.amazon.com/developers/getting-started/browser/
• “Building a website that costs pennies to operate”: https://www.youtube.com/watch?v=BgU-GDgj4SM

AWS Service Roles

• A role that you create, and authorize an AWS service to assume on your behalf.
• Useful for maintaining control and visibility of your AWS resources.
• For example:
  • Amazon EC2 (making API calls from instances).
  • AWS Directory Service (enabling console access from DS users).
  • AWS Lambda (enabling your function to interact with resources).

How you can use IAM features to the maximum

Avoid hard-coding

No need to put credentials into applications – access AWS resources using IAM roles for EC2.
• Search source code for hard-coded access keys
• Create IAM roles with least-privilege permissions
• Use IAM roles in application
• Launch EC2 instance with role
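A way to do the first step, "search source code for hard-coded access keys", as an added example that is not from the webinar. It matches the access key id format AWS issues (the `AKIA` prefix followed by 16 upper-case alphanumerics) and a 40-character secret assigned to a variable whose name mentions the secret key, reporting the secret masked. The snippet it scans is constructed; the key pair in it is the example pair from the AWS documentation, not a live credential.

```python
"""Scan source text for hard-coded AWS access keys (added example, not from the deck)."""
import os
import re

# Access key ids issued to IAM users start with "AKIA" and are 20 characters long.
ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A 40-character secret sitting in an assignment whose name mentions the secret key.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)


def scan(text: str):
    """Return (line number, kind, value) for each suspected credential.

    Key ids are reported in full (they are not secret on their own and are
    needed to find the owning user); secrets are masked to their first four
    characters so the report itself does not leak them.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "access_key_id", m.group(1)))
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            findings.append((lineno, "secret_access_key", m.group(1)[:4] + "..."))
    return findings


def scan_tree(root: str):
    """Walk a source tree and return (path, line, kind, value) findings."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            results.extend((path, *f) for f in scan(text))
    return results


# Constructed snippet; the values are the AWS documentation example key pair.
SAMPLE_SOURCE = '''# constructed example config
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID)
'''


if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} = {value}")
```

A hit is the trigger for the rest of the slide: replace the embedded key with an instance role, then rotate and delete the exposed key, since it should be treated as disclosed once it has been committed.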

Rotate AWS IAM access keys regularly

A shorter access key period reduces the potential impact.
• Create additional access key
• Update all applications to use new key
• Validate that applications are working
• Mark previous access key as inactive
• Validate that applications still
• Delete inactive access key
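The rotation sequence above carried through as code, as an added example that is not from the webinar. `rotate_access_key` issues the same six steps against any object exposing boto3's IAM client methods `list_access_keys`, `create_access_key`, `update_access_key` and `delete_access_key`, and backs out at either validation step so the applications are never left without a working key. `FakeIam` is a constructed in-memory stand-in for the IAM client so the sequence runs offline; with a real client you would pass `boto3.client("iam")` instead. The user name, key ids and callbacks are constructed.

```python
"""Access key rotation with rollback (added example, not from the deck)."""
import itertools


class FakeIam:
    """Constructed in-memory model of the four IAM access-key calls used here."""
    _ids = itertools.count(1)

    def __init__(self, existing):
        self.keys = {k: "Active" for k in existing}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.items()]}

    def create_access_key(self, UserName):
        if len(self.keys) >= 2:  # IAM allows at most two access keys per user
            raise RuntimeError("LimitExceeded")
        key_id = f"AKIAFAKE{next(self._ids):012d}"
        self.keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id,
                              "SecretAccessKey": "fake-secret", "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def rotate_access_key(iam, username, deploy, validate):
    """Rotate a user's single active key and return the new key id.

    deploy(key_id, secret) pushes the new credentials to the applications;
    validate() returns True when the applications work.  On a failed
    validation the old key stays (or is put back) Active and the new key is
    removed, so rotation never strands the applications.
    """
    existing = iam.list_access_keys(UserName=username)["AccessKeyMetadata"]
    if len(existing) != 1:
        raise RuntimeError("expected exactly one existing key before rotation")
    old_id = existing[0]["AccessKeyId"]

    new = iam.create_access_key(UserName=username)["AccessKey"]  # 1. create additional key
    deploy(new["AccessKeyId"], new["SecretAccessKey"])            # 2. update applications
    if not validate():                                            # 3. validate
        iam.delete_access_key(UserName=username, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("applications failed with the new key; old key kept")

    iam.update_access_key(UserName=username, AccessKeyId=old_id,  # 4. mark old key inactive
                          Status="Inactive")
    if not validate():                                            # 5. still working?
        iam.update_access_key(UserName=username, AccessKeyId=old_id, Status="Active")
        raise RuntimeError("applications still depend on the old key; reactivated it")

    iam.delete_access_key(UserName=username, AccessKeyId=old_id)  # 6. delete inactive key
    return new["AccessKeyId"]


if __name__ == "__main__":
    iam = FakeIam(["AKIAOLDKEY0000000001"])  # constructed key id
    new_id = rotate_access_key(iam, "alice", lambda k, s: None, lambda: True)
    print("rotated to", new_id, "remaining keys:", iam.keys)
```

The two-key limit is why step 1 can fail: a user that already has two keys must have one deleted before rotation can start, which is also the reason to delete the inactive key promptly at step 6 rather than leaving it around.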

Putting it all together

[Diagram of the IAM entities covered: Root Account; IAM Users/Groups; STS Tokens; Roles (this account); AWS Services (EC2 Instances, Lambda Function, Other AWS Services); Directory Services Users; SAML/Web Identity Provider; Federated Users; Trusted Role (any account); Other AWS Account.]

In summary

• IAM is about controlling who can do what to your account and resources.
• IAM can be federated into external systems.
• IAM federation is the basis of directly integrating applications to other AWS services.
• There are other AWS services that can be used to configure and augment IAM, such as:
  • AWS CloudFormation.
  • AWS Cognito.
  • AWS CloudTrail.

Additional resources

• IAM product page: http://aws.amazon.com/iam
• AWS Self-Paced IAM Lab: https://qwiklabs.com/focuses/preview/1172?locale=en
• AWS Security Blog: https://blogs.aws.amazon.com/security/
• 2014 re:Invent security track videos: https://www.youtube.com/playlist?list=PLhr1KZpdzukcJvl0e65MqqwycgpkCENmg

Get training from an instructor or try the self-paced labs
• http://aws.amazon.com/training/

Become AWS certified and gain recognition and visibility
• http://aws.amazon.com/certification
• Demonstrate that you have the skills, knowledge and expertise to design, deploy and manage projects and applications on the AWS platform.
• Prove skills and foster credibility with your employer and peers.

Choose your discipline (or do all of them!)
• Solutions Architect
• Developer
• SysOps Administrator

Get training and become AWS certified in your discipline

Questions & Answers

AWS Summit – Chicago: An exciting, free cloud conference designed to educate and inform new customers about the AWS platform, best practices and new cloud services.

Details
• July 1, 2015
• Chicago, Illinois
• @ McCormick Place

Featuring
• New product launches
• 36+ sessions, labs, and bootcamps
• Executive and partner networking

Registration is now open
• Come and see what AWS and the cloud can do for you.

CTA Script

- If you are interested in learning more about how to navigate the cloud to grow your business, then attend the AWS Summit Chicago, July 1st.
- Register today to learn from technical sessions led by AWS engineers, hear best practices from AWS customers and partners, and participate in some of the 30+ paid sessions and labs.
- Simply go to https://aws.amazon.com/summits/chicago/?trkcampaign=summit_chicago_bootcamps&trk=Webinar_slide to register today.
- Registration is FREE.


Thank You!