Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc. SEC 201 - Access Control for the Cloud: AWS Identity and Access Management (IAM) Jim Scharf, AWS November 13, 2013

description

Learn how AWS IAM enables you to control who can do what in your AWS environment. We discuss how IAM provides flexible access control that helps you maintain security while adapting to your evolving business needs. We'll review how to integrate AWS IAM with your existing identity directories via identity federation. We outline some of the unique challenges that make providing IAM for the cloud a little different. And throughout the presentation, we highlight recent features that make it even easier to manage the security of your workloads on the cloud.

Transcript of Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Page 1: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013


SEC 201 - Access Control for the Cloud:

AWS Identity and Access Management (IAM)

Jim Scharf, AWS

November 13, 2013

Page 2: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Agenda

• Overview of AWS Identity and Access Management

• How to enforce security policies in the cloud

• How to integrate with existing directories

• Highlight new features along the way

Page 3: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Identity and Access Management

Who?

What Actions?

Which Resources?

Page 4: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

What is AWS Identity and Access Management?

Page 5: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

AWS Identity and Access Management

Access control for AWS services and resources that is flexible, powerful, familiar, and secure

Page 6: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Flexible

Page 7: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

A show of hands…

• How many already use AWS?

• Tried AWS because of

– $: No upfront investment, free tier, low ongoing cost

– Scale: Flexible capacity, global reach

– Agility: Speed and agility, apps not ops

– Services: Amazon EC2, Amazon S3, Amazon DynamoDB, Amazon Redshift, Amazon RDS, Amazon EMR, Amazon CloudFront, etc.

Page 8: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

A show of hands…

• How many initially tried AWS because of

– Security

– Identity

Page 9: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Flexible: Individual Use

Page 10: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Hear About AWS

Page 11: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Create Account

Page 12: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Innovate!

Page 13: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Flexible: Organizations

Page 14: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

[Org chart: CEO; Dev/Ops: Graeme, Greg; Development: Nate, Cicilie, Kevin, Jeff; Sales/Marketing: Anders, Erin, Brian; Finance/Accounting: Joan]

Page 15: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

CEO

Dev/Ops: Administrator access (control all AWS resources, including managing users)

Development: Full access to Amazon S3 and Amazon DynamoDB, plus the ability to start (but not stop) Amazon EC2 instances

Sales/Marketing: Read-only access to Amazon S3

Finance/Accounting: Account activity and usage reports only

Page 16: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

IAM

Page 17: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013
Page 18: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

IAM

• Users, groups, permissions
– Individual security credentials
– Secure by default
– Grant least privilege

• Easy to use
– Graphical user interface
– Ability to script/automate (CLI & API)

Page 19: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Flexible: Enterprise

Page 20: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Control

Page 21: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Control

• AWS multi-factor authentication
– Hardware tokens
– Smartphone app tokens

• Credential management policies

• Control billing, support, and AWS Marketplace purchases

Page 22: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Flexible Control That Adapts with Your Needs

No additional charge

Page 23: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Powerful: Integrated

Page 24: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

AWS Identity and Access Management

Access control for AWS services and resources that is flexible, powerful, familiar, and secure

Page 25: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Cloud Services

Amazon EC2, Amazon S3, Amazon Elastic MapReduce, AWS Storage Gateway, Amazon DynamoDB, Amazon RDS, Amazon ElastiCache, Amazon Route 53, Amazon VPC, Amazon CloudFront, Amazon CloudWatch, AWS Elastic Beanstalk, AWS CloudFormation, AWS IAM, Amazon SQS, Amazon SES, Amazon SNS, Amazon CloudSearch, Amazon Simple Workflow, Amazon Redshift, AWS OpsWorks, Amazon Elastic Transcoder

Page 26: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Cloud Resources

Instances, Files, AMIs, Spot Instances, Volumes, Messages, Snapshots, Security Groups, Elastic IPs, Placement groups, Users, Groups, Roles, Load Balancers, Auto Scaling groups, Network interfaces, Queues, Topics, Domains, Workflows, Applications, Templates, Distributions, Buckets, Stacks, Apps, Layers, Clusters

Page 27: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Powerful: Fine-Grained

Page 28: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

AWS Access Control

Who?

What actions?

Which resources?

When?

Where?

How?

Page 29: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Amazon EC2 Resource-Level Permissions

Example use cases:

• Ben can terminate instance i-abc12345 but not instance i-def67890

• Jeff can launch instances only in the subnet subnet-bdf2468

• Ken can use only the AMI ami-cba54321 to run instances

• A user can take any action on resources if they have the tag “sandbox=${aws:username}”

• Derek must authenticate using MFA before he can terminate instances with the tag “stack=prod”

Page 30: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Amazon DynamoDB Fine-Grained Access Control

By Item

By Attribute

Or Both

Page 31: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Powerful: Delegation

Page 32: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

IAM Role

• Entity that defines a set of permissions

• Not associated with a specific user or group

• Roles must be “assumed” by trusted entities

Page 33: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

IAM Roles for Amazon EC2

• Allow Amazon EC2-based apps to act on behalf of another entity

• Create a role, apply a policy, launch instance with role

• Credentials are automatically:
– Made available to Amazon EC2 instances
– Rotated multiple times a day

• AWS SDKs transparently use the credentials

Page 34: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Roles for EC2 Instances

[Diagram: two Auto Scaling groups of Amazon EC2 instances in the AWS Cloud, each launched with an IAM role granting read/write access to Amazon S3 files and Amazon DynamoDB rows]

Page 35: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Benefits of Using Roles with Amazon EC2

• Eliminates use of long-term credentials

• Automatic credential rotation

• Less coding – AWS SDK does all the work

• Easier and more secure!

Page 36: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Powerful: Scale

Page 37: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Trillions of resources

Page 38: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Million+ requests/second

Page 39: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Hundreds of thousands of customers in 190 countries, each with one to millions of identities

Page 40: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Lots of servers!

Page 41: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Global

Page 42: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Familiar: Administration

Page 43: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013
Page 44: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013
Page 45: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

IAM Policy Simulator

• Test the effect of access control policies before pushing to production

• Verify and troubleshoot permissions
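The EC2 resource-level use cases on page 29 and the allow/deny verdict the Policy Simulator reports here both follow the same small set of rules, and those rules can be reproduced offline: a request is implicitly denied unless some statement allows it, an explicit Deny overrides any Allow, actions and resource ARNs match with wildcards, and conditions consult request context keys such as aws:username, aws:MultiFactorAuthPresent and ec2:ResourceTag/<key>. The Python below is an added example, not code from the talk or from AWS. The instance and tag identifiers are the slide's placeholders, the account id 111122223333 is taken from the cross-account slide later in the deck, and the region us-east-1, the instance id i-0fedcba98 and the explicit Deny statement are assumptions added for illustration. Only the condition operators the policy uses are implemented. One caveat the example makes visible: aws:MultiFactorAuthPresent is simply absent from the context when a request is signed with long-term access keys, so the MFA statement tests for the key being present and true rather than for "false".

```python
import fnmatch

ACCOUNT, REGION = "111122223333", "us-east-1"  # account id from the slides; region assumed


def arn(resource: str) -> str:
    return f"arn:aws:ec2:{REGION}:{ACCOUNT}:{resource}"


# Constructed policy modelled on the slide's use cases (ids are the slide's placeholders;
# i-0fedcba98 and the explicit Deny statement are assumptions added for illustration).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # everyone may describe resources
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        # Ben can terminate i-abc12345 but not i-def67890 (the explicit Deny makes that stick
        # even if a later Allow would otherwise match)
        {"Effect": "Allow", "Action": "ec2:TerminateInstances",
         "Resource": arn("instance/i-abc12345")},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances",
         "Resource": arn("instance/i-def67890")},
        # any action on resources tagged sandbox=<the caller's own user name>
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/sandbox": "${aws:username}"}}},
        # terminate stack=prod instances only from an MFA-authenticated session
        {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                       "StringEquals": {"ec2:ResourceTag/stack": "prod"}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' any run of characters, '?' one character, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _substitute(value: str, ctx: dict) -> str:
    """Expand policy variables such as ${aws:username} from the request context."""
    for key, actual in ctx.items():
        value = value.replace("${" + key + "}", actual)
    return value


def _condition_holds(cond: dict, ctx: dict) -> bool:
    """Every operator/key pair must hold; a key missing from the context fails the test."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            wanted = [_substitute(e, ctx) for e in _as_list(expected)]
            if op == "StringEquals":
                ok = actual in wanted
            elif op == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, w) for w in wanted)
            elif op == "Bool":
                ok = actual.lower() in [w.lower() for w in wanted]
            else:
                raise ValueError(f"operator {op} is not implemented in this example")
            if not ok:
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Return 'Allow' or 'Deny' for one request, as the Policy Simulator would report it.

    Start from an implicit Deny; a matching Allow flips it; a matching explicit Deny
    ends evaluation immediately because Deny always wins.
    """
    decision = "Deny"
    for st in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    ben = {"aws:username": "ben"}
    print(evaluate(POLICY, "ec2:TerminateInstances", arn("instance/i-abc12345"), ben))  # Allow
    print(evaluate(POLICY, "ec2:TerminateInstances", arn("instance/i-def67890"), ben))  # Deny
    derek = {"aws:username": "derek", "ec2:ResourceTag/stack": "prod"}
    print(evaluate(POLICY, "ec2:TerminateInstances", arn("instance/i-0fedcba98"), derek))  # Deny (no MFA)
    derek["aws:MultiFactorAuthPresent"] = "true"
    print(evaluate(POLICY, "ec2:TerminateInstances", arn("instance/i-0fedcba98"), derek))  # Allow
```

The sandbox statement shows why resource tags need protecting as carefully as the policy itself: a user who can call ec2:CreateTags on an instance they do not own could tag it sandbox=<their name> and gain full control of it, so ec2:CreateTags should be restricted in the same policy.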

Page 46: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013
Page 47: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013
Page 48: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013
Page 49: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013
Page 50: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013
Page 51: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013
Page 52: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Familiar Instance OS Controls

[Diagram: IAM authorizes the Amazon EC2 RunInstances API call; inside the instance, the instance OS applies its own familiar access controls]

Page 53: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Familiar: Enterprise Federation

Page 54: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Federation

• AWS websites and/or APIs as relying party

• Pre-packaged samples: Windows Active Directory, Shibboleth

[Diagram: Active Directory as the identity provider federating into AWS]

Page 55: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

SSO Federation Using SAML

• STS now supports SAML 2.0 (new)

• Benefits:
– Open standards
– Quicker and easier to implement federation
– Leverage existing identity management software to manage access to AWS resources
– No coding required

• AWS Management Console SSO
– IdP-initiated web SSO via SAML 2.0 using the HTTP-POST binding (web SSO profile)
– New sign-in URL that greatly simplifies SSO: the IdP posts the SAML authentication response to https://signin.aws.amazon.com/saml

• API federation using the new AssumeRoleWithSAML operation
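Both the console sign-in endpoint and AssumeRoleWithSAML act on the same two pieces of the assertion: a Role attribute whose values are "role ARN,SAML provider ARN" pairs (in either order) and a RoleSessionName attribute that names the session. The Python below is an added example, not code from the talk or from AWS; it parses a constructed, unsigned response, normalises the pairs, and checks the chosen role's trust policy against the provider named in the pair, which is the relationship STS enforces before it issues credentials. The account id and ddb-role are taken from the cross-account slide later in the deck; the provider CorpAD, the ReadOnly role and jeff@example.com are assumptions. Verifying the XML signature against the certificate registered on the IAM SAML provider, and the SAML:aud audience check, are STS's job and are deliberately left out here; no relying party should act on an assertion's attributes without them.

```python
import base64
import xml.etree.ElementTree as ET
from typing import List, Tuple

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names AWS expects in the assertion.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed, unsigned response for illustration only. Account id and ddb-role are the
# slide's; the provider CorpAD, the ReadOnly role and the user are assumptions.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>arn:aws:iam::111122223333:role/ddb-role,arn:aws:iam::111122223333:saml-provider/CorpAD</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/CorpAD,arn:aws:iam::111122223333:role/ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{SESSION_ATTR}">
        <saml:AttributeValue>jeff@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Trust policy of ddb-role for SAML federation (the SAML:aud condition is the console's default).
DDB_ROLE_TRUST = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/CorpAD"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]}


def encoded_sample() -> str:
    """The IdP delivers the response base64-encoded in the SAMLResponse form field."""
    return base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def parse_role_pairs(saml_response_b64: str) -> Tuple[List[Tuple[str, str]], str]:
    """Extract (role_arn, provider_arn) pairs and the RoleSessionName from a response.

    STS accepts each Role value with the two ARNs in either order; the pair is
    normalised to (role, provider) here. Signature and audience checks are not done.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs, session_name = [], None
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        if attr.get("Name") == ROLE_ATTR:
            for value in values:
                parts = [p.strip() for p in value.split(",")]
                if len(parts) != 2:
                    raise ValueError(f"malformed Role attribute value: {value!r}")
                role, provider = parts if ":role/" in parts[0] else parts[::-1]
                if ":role/" not in role or ":saml-provider/" not in provider:
                    raise ValueError(f"malformed Role attribute value: {value!r}")
                pairs.append((role, provider))
        elif attr.get("Name") == SESSION_ATTR and values:
            session_name = values[0]
    if not pairs or session_name is None:
        raise ValueError("assertion lacks the AWS Role or RoleSessionName attribute")
    return pairs, session_name


def trust_policy_accepts(trust_policy: dict, provider_arn: str) -> bool:
    """The chosen role's trust policy must name exactly this SAML provider as a Federated
    principal and allow sts:AssumeRoleWithSAML. The Condition block is not evaluated here."""
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        federated = st.get("Principal", {}).get("Federated", [])
        federated = federated if isinstance(federated, list) else [federated]
        if "sts:AssumeRoleWithSAML" in actions and provider_arn in federated:
            return True
    return False


if __name__ == "__main__":
    roles, who = parse_role_pairs(encoded_sample())
    for role, provider in roles:
        verdict = "trusted" if trust_policy_accepts(DDB_ROLE_TRUST, provider) else "refused"
        print(who, role, verdict)
```

When an assertion carries several Role values, as the sample does, the console shows the user a role chooser and AssumeRoleWithSAML requires the caller to pass the role and provider ARNs explicitly; in both cases STS only honours a pair whose provider is the one the role's trust policy names.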

Page 56: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Partner Integrations for Federation / SSO

http://www.xceedium.com/xsuite/xsuite-for-amazon-web-services

http://www.okta.com/aws/

http://www.symplified.com/solutions/single-sign-on-sso

https://www.pingidentity.com/products/pingfederate/

http://www.cloudberrylab.com/ad-bridge.aspx http://wiki.developerforce.com/page/Configuring-SAML-SSO-to-AWS

Page 57: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Familiar: Web Identity Federation

Page 58: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Web Identity Federation

• App sign-in using 3rd party identity providers
– Login with Amazon
– Facebook
– Google

• Apps can access Amazon S3, Amazon DynamoDB, and Amazon Simple Notification Service (now with mobile push!) directly

• No server-side code required

Page 59: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Web Identity Federation

[Diagram: the app signs in with the Identity Provider, calls STS (Assume Role) for temporary credentials, then uses them against AWS services (Amazon S3, Amazon DynamoDB) in US-EAST-1]

Page 60: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013
Page 61: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Web Identity Federation Playground

• UI tool

• Try it out, no coding required!

Page 62: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Secure: Powerful Controls

Page 63: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Control Your Users

Multi-Factor Authentication

Password/Credential Management Policies

Page 64: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Delegate Access Across Accounts

• Access resources across AWS accounts

• Why do you need it?

– Management visibility across all your AWS accounts

– Developer access to resources across AWS accounts

– Use third-party solutions, with no sharing of credentials

Page 65: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Cross-Account Access - Setup

Account B: [email protected], Acct ID: 111122223333, owns the role ddb-role.

Permissions assigned to ddb-role:

{ "Statement": [ {
    "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:DescribeTable", "dynamodb:ListTables" ],
    "Effect": "Allow",
    "Resource": "*" } ] }

Trust policy: ddb-role trusts IAM users from the AWS account [email protected] (123456789012):

{ "Statement": [ {
    "Effect": "Allow",
    "Principal": { "AWS": "123456789012" },
    "Action": "sts:AssumeRole" } ] }

Account A: [email protected], Acct ID: 123456789012, IAM user: Jeff.

Permissions assigned to Jeff granting him permission to assume ddb-role in account B (through STS):

{ "Statement": [ {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111122223333:role/ddb-role" } ] }
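To make the two halves of this setup concrete, here is an added example (not code from the talk or from AWS) that loads the three documents on this slide and checks, offline, whether a given caller can assume ddb-role. For cross-account access both halves must agree: the role's trust policy has to name the caller's account, and the caller's own policy has to grant sts:AssumeRole on the role ARN; either one alone is not enough. The caller ARN arn:aws:iam::123456789012:user/Jeff is an assumed form of the slide's user Jeff, and the Erin and Mallory principals are constructed. Note that the slide's principal "123456789012" is shorthand for arn:aws:iam::123456789012:root: the whole of account A is trusted, and account A's administrators decide who receives the sts:AssumeRole grant.

```python
import fnmatch

# The three policy documents from the slide, reproduced so the check runs offline.
ROLE_ARN = "arn:aws:iam::111122223333:role/ddb-role"
DDB_ROLE_PERMISSIONS = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan",
    "dynamodb:DescribeTable", "dynamodb:ListTables"]}]}
DDB_ROLE_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "123456789012"},
                                 "Action": "sts:AssumeRole"}]}
JEFF_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
JEFF_ARN = "arn:aws:iam::123456789012:user/Jeff"  # user name from the slide; ARN form assumed


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(pattern: str, value: str) -> bool:
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def account_of(arn: str) -> str:
    return arn.split(":")[4]


def trust_allows(trust_policy: dict, caller_arn: str) -> bool:
    """Role side. A bare account id (or arn:aws:iam::ACCOUNT:root) delegates to the whole
    account, i.e. to whoever that account's administrators grant sts:AssumeRole."""
    acct = account_of(caller_arn)
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(_match(a, "sts:AssumeRole") for a in _as_list(st["Action"])):
            continue
        principal = st.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if any(p in ("*", acct, f"arn:aws:iam::{acct}:root", caller_arn) for p in aws_principals):
            return True
    return False


def caller_allows(caller_policy: dict, role_arn: str) -> bool:
    """Caller side. The user's own policy must grant sts:AssumeRole on this role ARN."""
    allowed = False
    for st in caller_policy["Statement"]:
        if not any(_match(a, "sts:AssumeRole") for a in _as_list(st["Action"])):
            continue
        if not any(_match(r, role_arn) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_assume(caller_arn: str, caller_policy: dict, role_arn: str, trust_policy: dict) -> bool:
    """Cross-account AssumeRole succeeds only when both halves agree."""
    return trust_allows(trust_policy, caller_arn) and caller_allows(caller_policy, role_arn)


def session_actions(role_permissions: dict) -> list:
    """What the temporary credentials can do: the role's permissions, never the caller's own."""
    return sorted(a for st in role_permissions["Statement"] if st["Effect"] == "Allow"
                  for a in _as_list(st["Action"]))


if __name__ == "__main__":
    print("Jeff    ->", can_assume(JEFF_ARN, JEFF_POLICY, ROLE_ARN, DDB_ROLE_TRUST))  # True
    print("Erin    ->", can_assume("arn:aws:iam::123456789012:user/Erin", {"Statement": []},
                                   ROLE_ARN, DDB_ROLE_TRUST))  # False: trusted account, no grant
    print("Mallory ->", can_assume("arn:aws:iam::999999999999:user/Mallory", JEFF_POLICY,
                                   ROLE_ARN, DDB_ROLE_TRUST))  # False: account not trusted
    print("ddb-role session may call:", session_actions(DDB_ROLE_PERMISSIONS))
```

For the third-party use case on the previous slide, a practitioner would additionally put an sts:ExternalId condition in the trust policy so that a vendor holding many customers' role ARNs cannot be tricked into using the wrong one; that condition is not on these slides and is not modelled here.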

Page 66: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Cross-Account Access - Use

Account A: [email protected], Acct ID: 123456789012, IAM user: Jeff

Account B: [email protected], Acct ID: 111122223333, role ddb-role

• Jeff authenticates to AWS with his own access keys

• Jeff asks STS for temporary security credentials for ddb-role

• Jeff calls AWS APIs using the temporary security credentials of ddb-role

Page 67: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Secure: Audit

Page 68: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

AWS CloudTrail

Log API calls to: Amazon EC2, Amazon EBS, Amazon VPC, Amazon RDS, AWS IAM, AWS CloudTrail, Amazon Redshift, AWS Security Token Service

Additional services added over time…

Page 69: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

AWS CloudTrail

• Your AWS account’s API calls logged and delivered to your Amazon S3 bucket

• Amazon SNS notifications of new log files (optional)

• Data analysis partners:
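Once the log files are in S3 the useful next step is to run detections over them. The Python below is an added example, not code from the talk, from AWS or from a partner product. It reads a constructed CloudTrail log file (the record fields follow CloudTrail's JSON layout, but the events, IP addresses and timestamps are made up, while the account ids, user names and ddb-role are the slide's) and flags four things a practitioner looks for first: any use of the root account, cross-account AssumeRole calls, AssumeRole calls that were denied, and IAM permission changes made from a session that was not MFA-authenticated.

```python
import json

# Constructed CloudTrail records (not real log data): only the fields the rules below read
# are filled in; account ids, user names and ddb-role are those used on the slides.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2013-11-13T16:02:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012", "userName": "Jeff",
                      "arn": "arn:aws:iam::123456789012:user/Jeff"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ddb-role",
                           "roleSessionName": "jeff-ddb"}},
    {"eventTime": "2013-11-13T16:05:40Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012", "userName": "Erin",
                      "arn": "arn:aws:iam::123456789012:user/Erin"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ddb-role",
                           "roleSessionName": "erin"}},
    {"eventTime": "2013-11-13T16:20:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012", "userName": "Graeme",
                      "arn": "arn:aws:iam::123456789012:user/Graeme",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"userName": "Nate", "policyName": "full-admin"}},
    {"eventTime": "2013-11-13T16:31:59Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"instanceType": "m1.small"}},
    {"eventTime": "2013-11-13T16:40:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.13",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012", "userName": "Kevin",
                      "arn": "arn:aws:iam::123456789012:user/Kevin"}},
]})

# IAM calls that change who can do what; a short list for the example, not the full API.
IAM_WRITES = {"CreateUser", "DeleteUser", "CreateAccessKey", "CreateLoginProfile",
              "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
              "AddUserToGroup"}


def _actor(rec: dict) -> str:
    ui = rec.get("userIdentity", {})
    return ui.get("arn") or ui.get("userName") or ui.get("type", "unknown")


def _mfa_authenticated(rec: dict) -> bool:
    """Long-term access keys carry no sessionContext at all, so they count as non-MFA."""
    attrs = rec.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def _account_of(arn: str) -> str:
    return arn.split(":")[4]


def scan(trail_json: str) -> list:
    """Run the detection rules over one CloudTrail log file; return findings in log order."""
    findings = []

    def hit(rec, rule, detail):
        findings.append({"rule": rule, "time": rec["eventTime"],
                         "actor": _actor(rec), "detail": detail})

    for rec in json.loads(trail_json)["Records"]:
        src, name, ui = rec.get("eventSource"), rec.get("eventName"), rec.get("userIdentity", {})
        params = rec.get("requestParameters") or {}
        if ui.get("type") == "Root":  # root is for account setup only; alert on any use
            hit(rec, "root-account-used", f"{name} via {src}")
        if src == "sts.amazonaws.com" and name == "AssumeRole":
            role = params.get("roleArn", "")
            if rec.get("errorCode"):  # failed delegation attempts deserve a look
                hit(rec, "assume-role-denied", f"{rec['errorCode']} for {role}")
            elif role and _account_of(role) != ui.get("accountId"):
                hit(rec, "cross-account-assume-role", role)
        if src == "iam.amazonaws.com" and name in IAM_WRITES and not _mfa_authenticated(rec):
            target = params.get("userName") or params.get("groupName") or params.get("roleName", "?")
            hit(rec, "iam-change-without-mfa", f"{name} on {target}")
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TRAIL):
        print(f"{f['time']}  {f['rule']:27} {f['actor']}  {f['detail']}")
```

Because the same AssumeRole call is also recorded in the role's own account (as the STS event there), the cross-account rule can be run from either side; running it in the account that owns the role is what gives "management visibility across all your AWS accounts" its audit trail.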

Page 70: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Achieving Best Practices: Trusted Advisor

• AWS Support service
– Analyzes account for issues and recommendations
– API for integration with your tools

• Categories:
– Cost savings
– Security
– Fault tolerance
– Performance

Page 71: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Secure: Compliance

Page 72: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Regular Exhaustive 3rd Party Evaluations

Page 73: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

New AWS Whitepapers

• AWS Security Best Practices – http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

– Best practices on wide range of topics, including:

• Defining and categorizing assets on AWS

• Managing identities

• Implementing data security

• Securing your operating systems and applications

• Monitoring, alerting, auditing, and incident response

• Securing Data at Rest with Encryption – http://media.amazonwebservices.com/AWS_Securing_Data_at_Rest_with_Encryption.pdf

Page 74: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

http://blogs.aws.amazon.com/security/

AWS Security Blog

Page 75: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Summary

Page 76: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

AWS Identity and Access Management

• Flexible: Individual use, Organizations, Enterprise

• Powerful: Integrated, Fine-grained, Delegation, Scale

• Familiar: Administration, Enterprise federation, Web identity federation

• Secure: Powerful controls, Audit, Compliance

Page 77: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

For More Information

• IAM detail page: http://aws.amazon.com/iam

• AWS forum: https://forums.aws.amazon.com/forum.jspa?forumID=76

• Documentation: http://aws.amazon.com/documentation/iam/

• AWS Security Blog: http://blogs.aws.amazon.com/security

• Twitter: @AWSIdentity

• Meet the IAM and Security teams: Thursday 11/14, 4pm - 6pm, Toscana 3605

Page 78: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Customers who liked this talk also may like…

• SEC301 - Top 10 AWS Identity and Access Management (IAM) Best Practices

– Wednesday, Nov 13, 3:00 PM - 4:00 PM – Marcello 4503

• SEC302 - Mastering Access Control Policies – Wednesday, Nov 13, 4:15 PM - 5:15 PM – Venetian A

• SEC303 - Delegating Access to your AWS Environment – Thursday, Nov 14, 11:00 AM - 12:00 PM – Venetian A

• SEC304 - Encryption and key management in AWS – Friday, Nov 15, 9:00 AM - 10:00 AM – San Polo 3406

• SEC401 - Integrate Social Login Into Mobile Apps – Thursday, Nov 14, 1:30 PM - 2:30 PM – Venetian A

• SEC402 - Intrusion Detection in the Cloud – Thursday, Nov 14, 5:30 PM - 6:30 PM – Marcello 4406

Page 79: Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013

Please give us your feedback on this presentation. As a thank you, we will select prize winners daily for completed surveys!

SEC201