(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environment | AWS re:Invent...
Slide: a session (a set of temporary security credentials) consists of four fields: Access Key ID, Secret Access Key, Session Token, and Expiration.
Slide: federation proxy granting console access with AssumeRole.
Customer (Identity Provider): browser interface, corporate directory, federation proxy. AWS Cloud (Relying Party): AWS Management Console.
1. User browses to the proxy URL.
2-3. Proxy authenticates the user against the corporate directory.
4. Proxy sends a ListRoles request to AWS.
5. ListRoles response.
6. Proxy builds a combo box of the roles the user may choose from.
7. AssumeRole request for the chosen role.
8. AssumeRole response with temporary credentials (Access Key ID, Secret Access Key, Session Token).
9. Proxy generates a console sign-in URL from those credentials.
10. Browser is redirected to the AWS Management Console.
Federation proxy
• Uses a set of IAM user credentials to make AssumeRoleRequest()
• IAM user permissions only need to be able to call ListRoles and assume the role
• Proxy needs to securely store these credentials
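Step 9 ("Generate URL") is the part of the AssumeRole proxy that is most often built wrong. The following is an added example, not code from the session or from AWS: it builds the two requests to the AWS federation endpoint (Action=getSigninToken, then Action=login) from the temporary credentials returned in step 8, with the HTTPS call injectable so the flow can be exercised offline. The endpoint URL, the console URL, the Session key names and the query parameters are the real ones; the credentials, the issuer URL and the fake endpoint are constructed for the demo.

```python
import json
import urllib.parse
import urllib.request

# Real AWS endpoints; the credentials, issuer and fake endpoint further down are constructed.
FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"


def session_json(access_key_id, secret_access_key, session_token):
    """Session document for getSigninToken; the three key names are fixed by AWS."""
    return json.dumps({"sessionId": access_key_id,
                       "sessionKey": secret_access_key,
                       "sessionToken": session_token})


def signin_token_request_url(creds, session_duration=None):
    """Step 9, first half: the getSigninToken request built from the step-8 AssumeRole
    credentials (access key id, secret, session token). SessionDuration is optional."""
    params = {"Action": "getSigninToken", "Session": session_json(*creds)}
    if session_duration is not None:
        params["SessionDuration"] = str(session_duration)
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def fetch_signin_token(creds, fetcher=None, session_duration=None):
    """Proxy-side HTTPS call that trades the credentials for a SigninToken.
    fetcher(url) -> response body; None means the real endpoint via urllib."""
    url = signin_token_request_url(creds, session_duration)
    if fetcher is None:
        def fetcher(u):
            with urllib.request.urlopen(u, timeout=10) as resp:
                return resp.read().decode()
    return json.loads(fetcher(url))["SigninToken"]


def login_url(signin_token, issuer, destination=CONSOLE_URL):
    """Step 10: what the browser is redirected to. It carries the SigninToken only;
    the access key, secret and session token stay on the proxy."""
    params = {"Action": "login",
              "Issuer": issuer,              # where the console sends the user when the session ends
              "Destination": destination,
              "SigninToken": signin_token}
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def console_redirect_url(creds, issuer, fetcher=None, session_duration=None):
    return login_url(fetch_signin_token(creds, fetcher, session_duration), issuer)


def query_params(url):
    """Query string -> {name: first value}, for inspecting the generated URLs."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}


# --- Constructed values so the flow runs offline ---------------------------------------
DEMO_CREDS = ("ASIAEXAMPLEKEYID", "secretEXAMPLE", "sessionTokenEXAMPLE")   # not real credentials
DEMO_ISSUER = "https://federation-proxy.corp.example.com"                     # hypothetical proxy URL


def fake_federation_endpoint(url):
    """Stand-in for the real endpoint: validates the request shape, returns a canned token."""
    params = query_params(url)
    if params.get("Action") != "getSigninToken":
        raise ValueError("expected Action=getSigninToken")
    if set(json.loads(params["Session"])) != {"sessionId", "sessionKey", "sessionToken"}:
        raise ValueError("Session document has the wrong keys")
    return json.dumps({"SigninToken": "CANNED_SIGNIN_TOKEN"})


def demo():
    return console_redirect_url(DEMO_CREDS, DEMO_ISSUER, fetcher=fake_federation_endpoint)


if __name__ == "__main__":
    print(demo())
```

The browser only ever receives the SigninToken inside the login URL; the access key, secret and session token are consumed server-side by the proxy, which is what the slide's "proxy needs to securely store these credentials" note relies on. Run the block to print the redirect URL for the constructed values; pass fetcher=None together with real AssumeRole credentials to call the real endpoint.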
Slide: federation proxy granting an application access to AWS resources with GetFederationToken.
Customer (Identity Provider): user, application, Active Directory, federation proxy. AWS Cloud (Relying Party): AWS resources (Amazon S3 bucket with objects, Amazon DynamoDB, Amazon EC2).
1. User requests a session from the application.
2-3. Application hands the request to the federation proxy, which authenticates the user against Active Directory.
4. Proxy sends a GetFederationToken request.
5. GetFederationToken response: Access Key, Secret Key, Session Token.
6. Application receives the session.
7. Application calls AWS APIs with the temporary credentials.
Federation proxy
• Uses a set of IAM user credentials to make a GetFederationTokenRequest()
• IAM user permissions need to be the union of all federated user permissions
• Proxy needs to securely store these privileged credentials
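The second note on the slide (the proxy's IAM user must hold the union of all federated users' permissions) is only safe because GetFederationToken credentials are limited to the intersection of that IAM user's policy and the policy passed in the call, and get nothing at all when no policy is passed. The block below is an added example, not the session's or AWS's code: a simplified policy evaluator (Effect, Action and Resource only; NotAction, NotResource and Condition are not modelled) applying that intersection rule. The proxy user's policy, the per-user session policy, the bucket and table names, the account ID and the user names are all constructed.

```python
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case):
    # IAM action names are case-insensitive, ARNs are not; '*' and '?' are the wildcards.
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """One policy document -> 'Deny', 'Allow', or None (implicit deny).
    Simplified to Effect/Action/Resource; NotAction, NotResource and Condition are not modelled."""
    decision = None
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"                     # an explicit deny ends the evaluation
        decision = "Allow"
    return decision


def federated_user_allowed(proxy_user_policy, session_policy, action, resource):
    """Effective permission of GetFederationToken credentials: both the calling IAM user's
    policy and the policy passed in the call must allow the request. With no session policy
    the credentials can do nothing."""
    if session_policy is None:
        return False
    return (evaluate(proxy_user_policy, action, resource) == "Allow"
            and evaluate(session_policy, action, resource) == "Allow")


# Constructed policies. The proxy's IAM user holds the union of everything any federated user
# may do; each user gets a session policy that scopes the session down to their own prefix.
PROXY_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::corp-docs", "arn:aws:s3:::corp-docs/*"]},
        {"Effect": "Allow", "Action": "dynamodb:*",
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Sessions"},
    ],
}


def session_policy_for(username):
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::corp-docs/home/%s/*" % username},
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::corp-docs"},
            # Over-asking grants nothing: the proxy user has no EC2 rights to intersect with.
            {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        ],
    }


def demo():
    alice = session_policy_for("alice")
    own = "arn:aws:s3:::corp-docs/home/alice/notes.txt"
    table = "arn:aws:dynamodb:us-east-1:123456789012:table/Sessions"
    return {
        "alice reads her own object": federated_user_allowed(PROXY_USER_POLICY, alice, "s3:GetObject", own),
        "alice reads bob's object": federated_user_allowed(PROXY_USER_POLICY, alice, "s3:GetObject", own.replace("alice", "bob")),
        "alice deletes her own object": federated_user_allowed(PROXY_USER_POLICY, alice, "s3:DeleteObject", own),
        "alice reads the session table": federated_user_allowed(PROXY_USER_POLICY, alice, "dynamodb:GetItem", table),
        "alice launches an instance": federated_user_allowed(PROXY_USER_POLICY, alice, "ec2:RunInstances", "*"),
        "no session policy passed": federated_user_allowed(PROXY_USER_POLICY, None, "s3:GetObject", own),
    }
```

Only the first check in demo() comes back True. The proxy must therefore generate the session policy from the authenticated identity (step 3) on every call; a proxy that passes a blanket policy, or that lets the caller supply it, hands every application the full union held by the privileged IAM user.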
Slide: SAML federation to the console.
Enterprise (Identity Provider): browser interface, corporate identity store, identity provider. AWS (Service Provider): AWS Sign-in, AWS Management Console.
1. User browses to the identity provider.
2. Identity provider authenticates the user against the corporate identity store; the browser receives the AuthN response.
3. Browser posts to AWS Sign-in, passing the AuthN response.
4. AWS Sign-in processes the response (unlabeled on the slide).
5. Client is redirected to the AWS Management Console.
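What AWS Sign-in needs to find in the AuthN response posted in step 3 is an assertion addressed to the https://signin.aws.amazon.com/saml audience, carrying a Role attribute (https://aws.amazon.com/SAML/Attributes/Role, each value a "role ARN,SAML provider ARN" pair) and a RoleSessionName attribute. As an added example, not part of the session and not AWS's code, here is a checker an identity-provider team can run over the assertion their IdP emits before pointing it at AWS. The assertion text, the issuer, the account ID, and the role and provider names are constructed; the XML signature a real assertion carries (and that AWS verifies) is omitted, and nothing here replaces that verification.

```python
import xml.etree.ElementTree as ET   # no external-entity resolution by default; use defusedxml for untrusted input

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"                     # real value
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"                    # real attribute name
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName" # real attribute name

# Constructed assertion. A real one also carries a ds:Signature (which AWS verifies) and
# NotBefore/NotOnOrAfter conditions; issuer, account ID, role and provider names are placeholders.
DEMO_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2014-11-12T17:20:00Z">
  <saml:Issuer>https://idp.corp.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Admins,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@corp.example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != SAML_NS + "Assertion":
        raise ValueError("root element is not a SAML 2.0 Assertion")
    attrs = {}
    for attr in root.iter(SAML_NS + "Attribute"):
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall(SAML_NS + "AttributeValue")]
    return {
        "issuer": root.findtext(SAML_NS + "Issuer"),
        "audiences": [(a.text or "").strip() for a in root.iter(SAML_NS + "Audience")],
        "attributes": attrs,
    }


def role_pairs(attributes):
    """Each Role value is 'role ARN,saml-provider ARN'; identify the parts by type, not position."""
    pairs = []
    for value in attributes.get(ROLE_ATTR, []):
        parts = [p.strip() for p in value.split(",")]
        role = next((p for p in parts if ":role/" in p), None)
        provider = next((p for p in parts if ":saml-provider/" in p), None)
        if len(parts) != 2 or role is None or provider is None:
            raise ValueError("Role value must be one role ARN and one saml-provider ARN: %r" % value)
        pairs.append((role, provider))
    return pairs


def account_of(arn):
    return arn.split(":")[4]          # arn:partition:service:region:account-id:resource


def check_assertion(xml_text):
    """Problems to fix before pointing the IdP at AWS; [] means the shape is right."""
    a = parse_assertion(xml_text)
    problems = []
    if AWS_SAML_AUDIENCE not in a["audiences"]:
        problems.append("Audience must be %s (got %r)" % (AWS_SAML_AUDIENCE, a["audiences"]))
    try:
        pairs = role_pairs(a["attributes"])
    except ValueError as e:
        pairs, problems = [], problems + [str(e)]
    if not pairs:
        problems.append("no Role attribute values")
    for role, provider in pairs:
        # The SAML provider is an IAM resource of the account that owns the role.
        if account_of(role) != account_of(provider):
            problems.append("%s and %s are in different accounts" % (role, provider))
    if not any(a["attributes"].get(SESSION_NAME_ATTR, [])):
        problems.append("RoleSessionName attribute missing or empty")
    return problems


def roles_offered(xml_text):
    """The roles AWS Sign-in can let the user pick from (step 4), in assertion order."""
    return [role for role, _ in role_pairs(parse_assertion(xml_text)["attributes"])]
```

check_assertion(DEMO_ASSERTION) returns an empty list; swapping the audience for a test-IdP URL, putting the provider in a different account, or blanking the RoleSessionName value each produces a specific complaint. The role chooser in step 4 is populated from exactly the pairs roles_offered() returns, so every role listed must trust the named provider in its trust policy or the sign-in will fail for that choice.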
Slide: web identity federation.
AWS Cloud, shown with the regions us-east-1, eu-west-1 and ap-southeast-1, containing the AWS services (Amazon DynamoDB, Amazon S3, EC2 instances) and IAM; outside it, a mobile app and a web identity provider.
1. Mobile app authenticates the user with the web identity provider.
2. Provider returns an ID token to the app.
3. App presents the ID token to AWS.
4. Token verification.
5. Check policy (IAM).
6-7. App reaches the AWS services (unlabeled on the slide).
Slide: Amazon Cognito flow.
End user, mobile app, OpenID Connect-compliant identity provider, Cognito, Security Token Service, and DynamoDB (us-east-1) in the developer's AWS account.
1. End user starts using the app.
2. App redirects to the identity provider for authentication and receives an ID token.
3. App exchanges the ID token for a Cognito token.
4. App exchanges the Cognito token for temporary AWS credentials (Security Token Service).
5. App uses the temporary credentials to access AWS services.
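Step 4 ("Token Verification") of the web identity slide, and the ID token the app receives in step 2 of the Cognito slide, both rest on the checks a relying party applies to an OpenID Connect ID token before trusting anything in it. The block below is an added example, not the session's or AWS's code: it applies those checks (signature first, then issuer, audience and azp, expiry, issue time, nonce, subject) and rejects edited, expired, mis-addressed and unsigned tokens. To stay self-contained it signs with HMAC-SHA256 under a constructed shared secret; real providers sign with RS256 and publish their keys as a JWKS, so the verify_signature callable is where a key-fetching RSA check would go. The issuer, client ID, secret and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_id_token(token, expected_issuer, client_id, verify_signature, now=None, nonce=None, skew=60):
    """Relying-party checks on an OIDC ID token. verify_signature(signing_input, sig, header) -> bool
    is the cryptographic check against the provider's key. Returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned token (alg=none) rejected")
    if not verify_signature((header_b64 + "." + payload_b64).encode(), b64url_decode(sig_b64), header):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))   # only trusted after the signature check
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("audience mismatch: token was issued for %r" % aud)
    if "azp" in claims and claims["azp"] != client_id:
        raise ValueError("azp %r is not this client" % claims["azp"])
    if claims.get("exp", 0) + skew < now:
        raise ValueError("token expired")
    if claims.get("iat", now) > now + skew:
        raise ValueError("token issued in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("no subject")
    return claims


# --- Constructed stand-in signer/verifier: HS256 with a shared secret (real IdPs use RS256 + JWKS) ---
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
DEMO_ISSUER = "https://idp.example.com"          # hypothetical OIDC provider
DEMO_CLIENT_ID = "mobile-app-client-id"          # hypothetical client registration


def hs256_sign(claims, key=DEMO_SECRET):
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    signing_input = (header_b64 + "." + payload_b64).encode()
    return header_b64 + "." + payload_b64 + "." + b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())


def hs256_verify(signing_input, sig, header, key=DEMO_SECRET):
    if header.get("alg") != "HS256":               # pin the algorithm; never let the header choose it
        return False
    return hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), sig)


def outcome(token, now, nonce="n-1"):
    """'ok:<sub>' when the token is accepted, otherwise the rejection reason."""
    try:
        return "ok:" + verify_id_token(token, DEMO_ISSUER, DEMO_CLIENT_ID, hs256_verify, now=now, nonce=nonce)["sub"]
    except ValueError as e:
        return str(e)


def demo(now=1700000000):
    base = {"iss": DEMO_ISSUER, "aud": DEMO_CLIENT_ID, "sub": "user-42",
            "iat": now - 10, "exp": now + 3600, "nonce": "n-1"}
    good = hs256_sign(base)
    h, p, s = good.split(".")
    forged = h + "." + b64url_encode(json.dumps(dict(base, sub="admin")).encode()) + "." + s
    unsigned = b64url_encode(b'{"alg":"none"}') + "." + p + "."
    return {
        "good": outcome(good, now),
        "claims edited, old signature": outcome(forged, now),
        "expired": outcome(hs256_sign(dict(base, exp=now - 1000)), now),
        "other client's token": outcome(hs256_sign(dict(base, aud="some-other-app")), now),
        "alg=none": outcome(unsigned, now),
        "wrong nonce": outcome(good, now, nonce="n-2"),
    }
```

In the slides this verification is done by AWS (step 4) or by Cognito on the app's behalf, but an app backend that accepts ID tokens directly, or that maps the token's sub to its own records, has to perform every one of these checks itself; the audience check in particular is what stops a token minted for a different application from being accepted.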
http://bit.ly/1n1z1QL
http://amzn.to/11AFKtS
http://amzn.to/1vlBZ6N
http://bit.ly/10KUSoC
http://bit.ly/1rNzWCF
http://bit.ly/13vFehT
http://bit.ly/1p2Ip6M
Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals