Reference Architecture for Identity and Access Management
Role Data Pattern Distribution in AWS
What we’ll cover
• How you can set up and use consistent user roles across many AWS accounts
• Use your existing company identity store
• Deploy Multi-Factor Authentication (MFA) as well
Why are we looking at this
• Using cloud can mean it is harder to do some of the same stuff
• Add ‘Cloud’… and the security question:
• “Who is doing, or did, what….” is simple to ask, but complex to answer
In the beginning….
• Our IAM team thought this was worth looking at
• Some patents popped out
• Sent the plaque to my mom
• Solution components were developed that could solve the problem
• Hadn’t really seen it deployed
The Design
• Using ephemeral users (AWS STS) and knowing what a user did or can do is powerful (attribution / logging)
• Saves administration (no per-person IAM users to create in AWS)
• Shows ‘who did what’ for compliance / security / audit
• Decreases risk
State of the Market
• In the meantime, lots of work was being done to:
  • Use a corporate identity store (AD / Ping / Okta)
  • Use Multi-Factor Authentication
  • Log into an AWS account and sub-account with an STS user
  • And log activity tied to the person who used it
Bolted together it looks like this….
[Architecture diagram] On premise: Active Directory, synchronised to Azure Active Directory (Azure AD Sync), with AD Federation Services at https://adfs.examplecloud.com. Azure: Azure Active Directory + Azure MFA, with an Azure Enterprise App providing the SAML / identity provider integration; the user login is redirected through it. AWS environment: an AWS Org account with an AWS Role, and AWS sub-accounts each with their own AWS Role, reached through https://console.aws.amazon.com.
A little Pre-Config
Establishing Azure AD Group to AWS Role Mapping
Managing roles in an AWS Org Acct
Using StackSets to manage Sub-Account AWS Roles
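The group-to-role mapping and the StackSet-deployed sub-account roles both rest on two trust policies: the Org-account role must trust only the Azure AD SAML provider (with the audience pinned), and each sub-account role must trust only the named Org-account role. The following is an added example, not the deck's own code, that checks those constraints on constructed policy documents before they are pushed out; the account IDs, role names and provider name are placeholders. Note that the second factor is enforced by Azure MFA before the assertion is issued, so nothing in these policies can substitute for MFA at the IdP.

```python
"""Added example (not from the deck): sanity-check the two trust policies this
architecture depends on before a StackSet pushes them to every sub-account.
Account IDs, role and provider names are placeholders."""
import json

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # value AWS documents for saml:aud

# Constructed trust policy for the Org-account role that Azure AD users land in.
ORG_SAML_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/AzureAD"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
    }],
}

# Constructed trust policy for a sub-account role: only the Org-account role may switch into it.
SUB_ACCOUNT_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/AzureAD-Admin"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_values(stmt, key):
    """All values for a condition key (key comparison is case-insensitive)."""
    for _op, kv in stmt.get("Condition", {}).items():
        for k, v in kv.items():
            if k.lower() == key.lower():
                return _as_list(v)
    return []


def check_saml_role_trust(policy, provider_arn):
    """Findings for the IdP-facing role: trust exactly our SAML provider, allow
    only AssumeRoleWithSAML, and pin saml:aud to AWS's SAML endpoint."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal") or {}
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else [principal]
        if federated != [provider_arn]:
            findings.append(f"unexpected federated principal(s): {federated}")
        if set(_as_list(stmt.get("Action"))) != {"sts:AssumeRoleWithSAML"}:
            findings.append(f"action should be only sts:AssumeRoleWithSAML: {stmt.get('Action')}")
        if _condition_values(stmt, "saml:aud") != [AWS_SAML_AUDIENCE]:
            findings.append("missing or wrong SAML:aud condition")
    return findings


def check_sub_account_trust(policy, org_account_id, allowed_roles):
    """Findings for a sub-account role deployed by StackSets: every trusted
    principal must be one of the approved Org-account roles (no '*', no account root)."""
    findings = []
    prefix = f"arn:aws:iam::{org_account_id}:role/"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal") or {}
        if principal == "*":
            findings.append("trusts everyone ('*')")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*" or arn.endswith(":root") or not arn.startswith(prefix):
                findings.append(f"principal too broad or wrong account: {arn}")
            elif arn[len(prefix):] not in allowed_roles:
                findings.append(f"role not in the approved group mapping: {arn}")
        if set(_as_list(stmt.get("Action"))) - {"sts:AssumeRole", "sts:TagSession"}:
            findings.append(f"unexpected action(s): {stmt.get('Action')}")
    return findings


if __name__ == "__main__":
    provider = "arn:aws:iam::111111111111:saml-provider/AzureAD"
    print(json.dumps(check_saml_role_trust(ORG_SAML_ROLE_TRUST, provider)))
    print(json.dumps(check_sub_account_trust(SUB_ACCOUNT_ROLE_TRUST, "111111111111",
                                             {"AzureAD-Admin", "AzureAD-ReadOnly"})))
```

Run this over the rendered template for every role in the StackSet; an empty findings list for each role is the gate before deployment. Trusting the Org account's `:root` instead of the specific role would let any principal in that account with `sts:AssumeRole` permission reach the sub-account, which is why the checker flags it.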
The Login Process
Step 1: Logging into your identity store (O365 in this case)
Step 2: Console Sign in
Running AD Federation Services takes you to this screen
Step 3: MFA (Very Important)
Here is your Multi-Factor Authentication step. The second factor is checked by Azure MFA before Azure AD issues the SAML assertion; AWS only ever sees the assertion, so MFA has to be enforced in Azure AD for the AWS enterprise application.
Step 4: Into AWS!
First look at the AWS Org-level account
Step 5: Switch Role to Sub-Account
Sub-account role access
AWS Console Login – Audit Trail
CloudTrail showing the STS user, the Azure AD-mapped role and the actions tied together
AWS Sub-Account Login – Audit Trail
CloudTrail showing the sub-account user, role and actions tied together
SAML response to get API Key
Consuming the SAML response from Azure AD, generating STS API keys
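The API-key path takes the same SAMLResponse the browser would POST to the AWS sign-in endpoint and hands it to `sts:AssumeRoleWithSAML` instead. The following is an added example, not the deck's own tooling: it decodes a constructed, unsigned Azure AD response, checks that the assertion is addressed to AWS, extracts the Role attribute pairs that the group mapping produced, and builds the STS call parameters for the role the user picks. Account IDs, role and provider names and the user `alice@example.com` are placeholders; the `boto3` call is shown in a comment and assumed, not run.

```python
"""Added example (not the deck's code): parse the SAMLResponse Azure AD POSTs
to https://signin.aws.amazon.com/saml and build the sts:AssumeRoleWithSAML
parameters. The response is constructed and unsigned; IDs are placeholders."""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # Audience AWS documents for its IdP integration
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed response: two Azure AD groups mapped to two Org-account roles.
SAML_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/AzureAD-Admin,arn:aws:iam::111111111111:saml-provider/AzureAD</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::111111111111:role/AzureAD-ReadOnly,arn:aws:iam::111111111111:saml-provider/AzureAD</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text: str) -> str:
    """Base64-encode the XML the way the SAMLResponse form field carries it."""
    return base64.b64encode(xml_text.encode()).decode()


SAML_RESPONSE_B64 = encode_response(SAML_RESPONSE_XML)


def split_role_pair(value: str):
    """'roleArn,providerArn' (either order) -> (role_arn, provider_arn); both must share an account."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"malformed Role attribute value: {value!r}")
    role = next((p for p in parts if ":role/" in p), None)
    provider = next((p for p in parts if ":saml-provider/" in p), None)
    if role is None or provider is None:
        raise ValueError(f"Role value must pair a role ARN with a saml-provider ARN: {value!r}")
    if role.split(":")[4] != provider.split(":")[4]:
        raise ValueError(f"role and provider belong to different accounts: {value!r}")
    return role, provider


def parse_saml_response(saml_b64: str) -> dict:
    """Decode the response and pull out what the STS call and the audit trail need."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if AWS_SAML_AUDIENCE not in audiences:
        raise ValueError(f"assertion is not addressed to AWS: {audiences}")
    attrs = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    roles = [split_role_pair(v) for v in attrs.get(ROLE_ATTR, [])]
    if not roles:
        raise ValueError("no Role attribute: the user is in no Azure AD group mapped to an AWS role")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    return {"name_id": name_id, "session_name": attrs.get(SESSION_ATTR, [name_id])[0], "roles": roles}


def assume_role_with_saml_params(saml_b64: str, role_arn: str, duration_seconds: int = 3600) -> dict:
    """Parameters for sts.assume_role_with_saml for one of the roles the IdP asserted."""
    parsed = parse_saml_response(saml_b64)
    for role, provider in parsed["roles"]:
        if role == role_arn:
            return {"RoleArn": role, "PrincipalArn": provider,
                    "SAMLAssertion": saml_b64, "DurationSeconds": duration_seconds}
    offered = [r for r, _ in parsed["roles"]]
    raise PermissionError(f"{role_arn} is not among the roles the IdP asserted: {offered}")

# With boto3 installed (assumption; not run here):
#   creds = boto3.client("sts").assume_role_with_saml(**params)["Credentials"]
# creds["AccessKeyId"], creds["SecretAccessKey"], creds["SessionToken"] are the
# short-lived API keys; STS takes RoleSessionName from the assertion, so
# CloudTrail records alice@example.com on every call made with them.
```

The client does not verify the assertion's signature; STS does that against the registered SAML provider's certificate, which is why the parsing above is only used to choose a role and never as an authorisation decision.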
Audit Log on the API Key movement
CloudTrail log on API key use
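What the three CloudTrail slides show is a chain: the SAML login mints Org-account credentials, the role switch mints sub-account credentials, and every later action carries the sub-account key. The following is an added example, not the deck's own tooling, that walks that chain backwards over constructed, abbreviated CloudTrail records to answer "who did what": each action's `accessKeyId` is matched to the STS event that issued it, and so on up to the `AssumeRoleWithSAML` event that names the Azure AD user. The account IDs, key IDs, role names, identity provider URL and user names are placeholders; a long-lived IAM user key is included to show how anything outside the federated path gets flagged.

```python
"""Added example (not from the deck): stitch CloudTrail events from the Org
account and a sub-account back to the Azure AD user who started the session.
All events are constructed and abbreviated; IDs and names are placeholders."""

ORG, SUB = "111111111111", "222222222222"

# Constructed CloudTrail records along the path shown on the slides.
EVENTS = [
    {   # Step 4: the Azure AD assertion is exchanged for Org-account role credentials
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML",
        "recipientAccountId": ORG,
        "userIdentity": {"type": "SAMLUser", "userName": "alice@example.com",
                         "identityProvider": "https://sts.windows.net/contoso/"},
        "requestParameters": {"roleArn": f"arn:aws:iam::{ORG}:role/AzureAD-Admin",
                              "principalArn": f"arn:aws:iam::{ORG}:saml-provider/AzureAD",
                              "roleSessionName": "alice@example.com"},
        "responseElements": {"assumedRoleUser": {"arn": f"arn:aws:sts::{ORG}:assumed-role/AzureAD-Admin/alice@example.com"},
                             "credentials": {"accessKeyId": "ASIAORG000000000001"}},
    },
    {   # Step 5: switch role from the Org-account session into the sub-account
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "recipientAccountId": SUB,
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAORG000000000001",
                         "arn": f"arn:aws:sts::{ORG}:assumed-role/AzureAD-Admin/alice@example.com"},
        "requestParameters": {"roleArn": f"arn:aws:iam::{SUB}:role/SubAccountAdmin",
                              "roleSessionName": "alice@example.com"},
        "responseElements": {"assumedRoleUser": {"arn": f"arn:aws:sts::{SUB}:assumed-role/SubAccountAdmin/alice@example.com"},
                             "credentials": {"accessKeyId": "ASIASUB000000000002"}},
    },
    {   # an action in the sub-account made with the switched-role credentials
        "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
        "recipientAccountId": SUB,
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIASUB000000000002",
                         "arn": f"arn:aws:sts::{SUB}:assumed-role/SubAccountAdmin/alice@example.com"},
    },
    {   # a long-lived IAM user key: outside the federated path, so it is flagged
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
        "recipientAccountId": SUB,
        "userIdentity": {"type": "IAMUser", "userName": "legacy-deploy",
                         "accessKeyId": "AKIALEGACY0000000001"},
    },
]

STS_ISSUERS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"}


def index_credentials(events):
    """Map every access key STS minted to the event that minted it."""
    issued = {}
    for ev in events:
        if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] in STS_ISSUERS:
            key = ev.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            if key:
                issued[key] = ev
    return issued


def attribute(event, issued):
    """Follow accessKeyId -> issuing STS event -> that caller's accessKeyId ... up to
    the SAML login. Returns the originating user, IdP, role hops and whether the
    chain is a complete federated one."""
    hops = []
    seen = set()
    ident = event["userIdentity"]
    while ident.get("type") == "AssumedRole":
        key = ident.get("accessKeyId")
        if key in seen or key not in issued:       # loop, or issuing event not in our log window
            return {"user": None, "idp": None, "hops": hops[::-1], "federated": False}
        seen.add(key)
        ev = issued[key]
        hops.append(ev["requestParameters"]["roleArn"])
        ident = ev["userIdentity"]
    if ident.get("type") == "SAMLUser":
        return {"user": ident["userName"], "idp": ident.get("identityProvider"),
                "hops": hops[::-1], "federated": True}
    # IAMUser / Root / anything else did not come through the IdP
    return {"user": ident.get("userName"), "idp": None, "hops": hops[::-1], "federated": False}


def attribute_all(events):
    """(eventName, attribution) for every non-STS action in the log."""
    issued = index_credentials(events)
    return [(ev["eventName"], attribute(ev, issued))
            for ev in events if ev["eventSource"] != "sts.amazonaws.com"]


if __name__ == "__main__":
    for name, who in attribute_all(EVENTS):
        print(name, who)
```

Correlating on the access key rather than on the session name matters because two sessions can share a `RoleSessionName`; the key is unique to one STS response. The cross-account `AssumeRole` is written to both the Org account's and the sub-account's trail (they share a `sharedEventID`), so the chain can be rebuilt from either side as long as both trails feed the same store.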
Questions…