6. What do the key characteristics of successful customer migration-modernization look like?
11. Modernization area           Identity (AuthN, AuthZ) association
    Automation                   Builder identity
    Application architecture     Identity for apps
    DevSecOps, data lake         Role-driven or attribute-based authentication and authorization
    Microservices                Different identity protocol needs (OAuth, OpenID Connect, SAML)
    Operating model              Role, attribute and team permissioning
13. AuthN = Authentication
AuthZ = Authorization
MFA = Multi-Factor Authentication
(Diagram: Identity Management, Access Management and Resource Management inside an AWS Account, answering "who can access what")
14. Federation
Delegating an individual's or entity's authentication responsibility to a trusted external party.
Terms: Identity Provider (IdP), Security Assertion Markup Language (SAML), Service Provider (SP), Relying Party (RP).
The trusted identity providers can be on-premises federation services, corporate directories or even social identity providers like Facebook, Google and Twitter.
15. Identity federation with SAML 2.0
Enterprise (identity provider, in the corporate data center) on one side, AWS (service provider) on the other; the user's browser carries the assertion between them:
1. The user logs in to the IdP portal through the browser interface.
2. The IdP authenticates the user against its identity store.
3. The browser receives the response (SAML assertion).
4. The browser posts the SAML assertion to AWS sign-in.
5. The user is redirected to the AWS Management Console.
17. OpenID Connect, OAuth 2.0
OpenID Connect is an interoperable authentication protocol layered on the OAuth 2.0 family of specifications: it adds an ID token that tells the application who the user is.
OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub etc. On its own it says nothing about who the user is; an access token proves delegated access, not identity.
18. JWT
JSON Web Tokens are the token format used by OpenID Connect (the ID token is always a JWT) and commonly by OAuth 2.0 access tokens.
Imagine that a user is logged in to an application and each subsequent request includes the JWT, allowing the user to access routes, services, and resources that are permitted with that token.
Tokens
• Identity (ID) token: who the user is, consumed by the application
• Access token: what the bearer may do, consumed by the API
• Refresh token: used to obtain new access tokens without re-authenticating
• Expiration: every token carries an expiry (the exp claim); the verifier must check it together with the signature, since a bearer token is only as safe as its lifetime
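The token handling described above, as an added example that is not part of the deck: an HS256 JWT is minted, then verified by checking the signature before any claim is trusted, pinning the algorithm, and enforcing exp. The shared secret, issuer and claim values are made up, and the symmetric HS256 scheme is an assumption (an IdP would normally sign with an RSA or EC key and publish the public half).

```python
# Added example (not the deck's code): mint and verify an HS256 JWT with only the
# Python standard library. The secret, issuer and claim values are made up.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"example-shared-secret-not-for-production"   # assumed key shared by issuer and verifier
ISSUER = "https://idp.example.com"                       # assumed issuer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scope: str, lifetime_s: int, now: Optional[int] = None) -> str:
    """Return header.payload.signature; the exp claim is what makes the token short-lived."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "scope": scope, "iat": now, "exp": now + lifetime_s}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims, or raise ValueError. The signature is checked before any claim is read."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the token must not choose how it is verified ("alg":"none" attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, now: Optional[int] = None) -> bool:
    try:
        verify_token(token, now)
        return True
    except ValueError:
        return False


def escalate_scope(token: str) -> str:
    """Attacker's move: rewrite the payload but keep the old signature (must be rejected)."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["scope"] = "admin"
    return h + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s


if __name__ == "__main__":
    t = mint_token("user-123", "read:orders", lifetime_s=3600, now=1_700_000_000)
    print(verify_token(t, now=1_700_000_010))
    print(is_valid(escalate_scope(t), now=1_700_000_010))   # False: signature no longer matches
```

The order of checks matters: parse, pin the algorithm, verify the signature, and only then read exp, iss and scope. A verifier that reads claims first, or accepts whatever alg the header names, is the root of most JWT bypasses.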
19. SCIM & JIT
SCIM (System for Cross-domain Identity Management) is a protocol built by teams from Oracle, Salesforce, SailPoint and Nexus Technology.
A good example is AWS customers that want to integrate AWS SSO with Azure AD. When you enable automatic provisioning, SCIM provisions users between the two clouds. In this scenario the identity is provided by Azure AD, but the rules of access and the resource definitions are done by the service provider: you can federate AWS with Azure AD, but AWS SSO permission sets still govern what your SCIM-synchronized objects can do.
JIT provisioning is also a method of automating user account creation for web applications; it uses the SAML protocol (attributes carried in the assertion) to pass user information from the identity provider to the web application at first login.
22. Then
Security         Corporate firewall
Identity         Employees
Resources        Hundreds, in a few buildings
Compliance       Employee passwords
Administration   Centralized
Cloud            Up in the sky
26. Security before the cloud: the corporate data center. Security in the cloud: the AWS Cloud.
27. AWS IAM Basics
• IAM User: an entity that you create in AWS, representing the person or service who uses the IAM user to interact with AWS
• IAM Group: a collection of IAM users (a management convenience)
• IAM Role: similar to a user but has no standard long-term credentials (e.g. password or access keys) associated with it; an IAM user can assume a role to take on the permissions of the role
(Diagram: an IAM user sends a request to AWS STS to assume a role; STS returns a temporary security credential carrying the permissions of the policy attached to the role)
29. AWS Identity – Brief History
Launch                           Brief                              Detail
AWS                              Root user                          One account, one user
IAM                              IAM users                          One account, many users
SAML federation                  Corporate directory users          One account, corporate users
Switch role                      Ability to switch role             Same user switching roles
AWS Organizations, SSO service   SSO users                          Many accounts, many users
SSO external directory           SSO + corporate directory users    Many accounts, corporate users
30. AWS Security Token Service (STS)
The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
39. Tag policies (New!)
Standardize the tagging of your AWS resources; audit tagged resources; works with AWS Organizations.
• Export a cross-account, cross-region report to easily aggregate and view tag policy compliance
• Define tag key capitalization and allowed tag values
• Apply the tag policy to the entire organization, specific organizational units, and individual accounts
40. IAM users
Works best when you have:
• A relatively small number of users (limit is 5,000)
• One AWS account, or a relatively small number of them
• A need for long-term credentials
• No user directory, or no ability to connect your directory to AWS
• Your very first AWS account
(Diagram: AWS Organization with a master account and an organizational unit containing AWS accounts, each holding its own IAM users)
41. AWS Single Sign-On user pool
Works best when you have:
• A relatively small number of users (limit is 500)
• Simple authorization schemes of humans into AWS
• Rules to map groups of users to AWS environments
• No user directory, or no ability to connect your directory to AWS
(Diagram: AWS SSO user pool in the master account mapping users to Admin and ReadOnly permission sets in the AWS accounts of an organizational unit)
43. Active Directory Federation Services
Works best when you have:
• Corporate users in a Microsoft Active Directory, either on-premises or managed in AWS
• An ADFS connected to your directory
• Control over ADFS claims
• A need for granular control over user permissions
(Diagram: ADFS federating corporate users into Admin and ReadOnly roles in the AWS accounts of an organizational unit under the master account)
44. Identity federation with SAML 2.0 (same flow as slide 15: the user logs in to the IdP portal in the corporate data center, is authenticated against the identity store, the browser receives the SAML assertion and posts it to AWS sign-in, and the user is redirected to the AWS Management Console)
52. Using AWS SSO with Azure Active Directory with SCIM
(Diagram: Azure AD as the identity source, provisioning users into AWS SSO over SCIM)
53. Authenticating to AWS: Quick decision framework
If you have an existing user directory:
• AWS SSO with directory integrations
• Bring your own SAML federation (e.g., ADFS)
• Advanced use cases: custom federation
If you don't have an existing user directory:
• AWS SSO with user pools
• IAM users
54. IAM roles for non-human access
Use IAM roles for access to AWS resources from:
• Your application running on an AWS compute environment, e.g., EC2 instance, Lambda function, etc.
• Permission to an AWS service to access your resources (not shown)
(Diagram: within an AWS account, an EC2 instance and a Lambda function use IAM roles to reach Amazon S3 buckets and an Amazon DynamoDB table)
60. Recommendation: Have at least these two IAM roles
(Diagram: every AWS account in the organization, the master account and the members of each organizational unit alike, carries an Admin role and a ReadOnly role)
62. Example 1: Read data from DynamoDB
(Diagram: an EC2 instance with an IAM role reads/writes data in a DynamoDB table; least-privilege callout)
63. Example 1: Read data from DynamoDB (same diagram as slide 62)
64. Example 1: Read data from DynamoDB (same diagram as slide 62)
65. Reading the IAM documentation page
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
66. Example 1: Read data from DynamoDB (same diagram as slide 62)
67. How authorization works in AWS
Policy statement attached to the instance role:
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-2:111122223333:table/MyTable"
      ]
    }
Application code running on the instance (AWS SDK for JavaScript):
    dynamodb.putItem({
      TableName: "MyTable",
      Item: {
        "Id": {
          S: "a1b2c3d4"
        …
    });
(Diagram: EC2 instance with IAM role calling the DynamoDB table)
The "PutItem" action and the "table" resource match the Allow statement, so the request is allowed. Because the statement names one table ARN, the same role cannot touch any other table, and an action the statement does not list (DeleteItem, for instance) falls through to the implicit deny.
70. Recommendations for cross-account access
Keep it simple:
• Use resource-based policies when available
• Unless you have a specific reason to do otherwise:
  • Trust the entire other account, or
  • Trust the AWS Organization
• Use IAM roles if resource-based policies are not available
• Follow the above rules for their trust policies (a role's trust policy is its resource-based policy)
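To make the guidance above checkable, here is an added example (not the deck's code) that lints a role trust policy: it flags an unconditioned wildcard principal, accepts a wildcard principal scoped by aws:PrincipalOrgID as "trust the organization", treats an account root principal as "trust the entire account", and warns about service principals that lack a source condition. The account and organization IDs in the sample policies are constructed.

```python
# Added example (not the deck's code): a small linter applying the cross-account
# guidance to an IAM role trust policy (the role's resource-based policy).
# Account IDs and the organization ID are constructed.

def _principals(principal):
    """Flatten Principal to (type, value) pairs; a bare "*" means any AWS principal."""
    if principal == "*":
        return [("AWS", "*")]
    pairs = []
    for ptype, values in principal.items():
        for value in (values if isinstance(values, list) else [values]):
            pairs.append((ptype, value))
    return pairs


def _condition_keys(condition):
    return {key.lower() for operator in condition.values() for key in operator}


def audit_trust_policy(policy):
    """Return (severity, message) findings for every Allow statement."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue                                  # Deny statements never widen trust
        keys = _condition_keys(stmt.get("Condition", {}))
        for ptype, value in _principals(stmt.get("Principal", {})):
            if ptype == "AWS" and value == "*":
                if "aws:principalorgid" in keys:
                    findings.append(("ok", f"statement {i}: trusts the whole AWS Organization via aws:PrincipalOrgID"))
                else:
                    findings.append(("critical", f"statement {i}: Principal * with no limiting condition; "
                                                 "any principal in any AWS account that may call sts:AssumeRole can assume this role"))
            elif ptype == "AWS" and (value.endswith(":root") or (value.isdigit() and len(value) == 12)):
                account = value.split(":")[4] if ":" in value else value
                findings.append(("ok", f"statement {i}: trusts account {account}; that account's own IAM decides who may assume"))
            elif ptype == "AWS":
                findings.append(("info", f"statement {i}: trusts the specific principal {value}; "
                                         "if it is deleted and recreated the trust breaks silently"))
            elif ptype == "Service":
                if {"aws:sourcearn", "aws:sourceaccount"} & keys:
                    findings.append(("ok", f"statement {i}: service principal {value} scoped by a source condition"))
                else:
                    findings.append(("warn", f"statement {i}: service principal {value} without "
                                             "aws:SourceArn/aws:SourceAccount (confused-deputy risk)"))
            else:
                findings.append(("info", f"statement {i}: {ptype} principal {value}; review the federation conditions"))
    return findings


# Constructed sample trust policies
TRUST_ACCOUNT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"}]}
TRUST_ORG = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}
TRUST_ANYONE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
TRUST_SERVICE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}


def severities(policy):
    return [severity for severity, _ in audit_trust_policy(policy)]


if __name__ == "__main__":
    for name, pol in [("account", TRUST_ACCOUNT), ("org", TRUST_ORG), ("anyone", TRUST_ANYONE), ("service", TRUST_SERVICE)]:
        print(name, audit_trust_policy(pol))
```

Trusting an account root does not grant anyone in that account access by itself; the other account's administrators still have to allow sts:AssumeRole on this role, which is exactly the delegation the "keep it simple" rule relies on.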
71. Identity at different layers
(Diagram: three layers, each with its own identities: the Amazon Web Services (AWS) layer, used by builders and operators through the console, the AWS Command Line Interface (AWS CLI) and the API; the infrastructure layer; and the application layer, used by end users)
72. Identity for the AWS layer: managing console, AWS CLI, and API access at scale
76. "Of" infrastructure – base primitive: IAM roles
• AWS credentials auto-delivered and rotated
• AWS credentials auto-discovered and used (the SDKs pick them up from the instance metadata service)
• Access controlled by the policy attached to the role
Also works with AWS Lambda and Amazon Elastic Container Service (Amazon ECS)
(Diagram: EC2 instance, operating system, your code; the role's permissions arrive as a temporary security credential that the code uses against AWS resources)
77. AWS Secrets Manager (e.g. connection strings, config, etc.)
(Diagram: your code on the EC2 instance uses the role's temporary security credential to make an authorized call to Secrets Manager; the DB credentials are returned and loaded; the connection to the database in the VPC is established; a DBA performs safe rotation of the secret)
Combo provides a reliable, secure, auto-rotating solution for ALL credentials: the IAM role covers the AWS credentials, Secrets Manager covers the non-AWS credentials your code needs.
78. For the humans and the machines
(Diagram: human to application: credentials; service to service: a container, a Lambda function, Service 1 and Service 2)
80. Amazon Cognito
• Application identity Swiss army knife
  • Offloads identity-focused undifferentiated heavy lifting
• Normalizing layer for applications
  • Native and/or federated users – the app doesn't need to care
• Vends standard tokens
  • Cognito user pool (CUP) tokens – accessing your APIs
  • AWS Security Token Service (AWS STS) credentials, via identity pools – accessing AWS APIs
• Clean integrations with adjacent services
  • Amazon API Gateway – AuthN/Z for your APIs
  • Application Load Balancer – AuthN/Z for your apps
95. Service to service in AWS using IAM
(Diagram: in the AWS Cloud, a container, a Lambda function, Service 1 and Service 2 each hold a role; permissions arrive as temporary security credentials)
• AWS takes care of credential distribution
• Centrally defined authorizations in IAM policies
• Resource-based policies allow access across AWS accounts
96. How authentication works in AWS
Every API call is a signed HTTP request (Signature Version 4). The request below lists DynamoDB tables; the X-Amz-Security-Token header is present because the ASIA… access key is a temporary credential from STS:

POST https://dynamodb.us-east-2.amazonaws.com/ HTTP/1.1
Host: dynamodb.us-east-2.amazonaws.com
X-Amz-Date: 20180918T150746Z
X-Amz-Target: DynamoDB_20120810.ListTables
X-Amz-Security-Token: FQoGZXIvYXdzEKH////////// …
Content-Type: application/x-amz-json-1.0
Authorization: AWS4-HMAC-SHA256 Credential=ASIAXXXXXXXXXXXXXXXX/20180918/us-east-1/dynamodb/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=c1b4bc2df0c47c86cbcfa54d932e8aaa455b6b7c38e65d840f722254add1ea9e

Caveat: the credential scope (date/region/service) must name the region of the endpoint being called; the scope shown reads us-east-1 while the endpoint is in us-east-2, and AWS would reject that signature. The signature is an HMAC-SHA256 over the canonical request, computed with a key derived from the secret key, so the secret itself is never sent; every header listed in SignedHeaders and the request body are covered, and a request whose X-Amz-Date is more than 15 minutes from the server clock is refused.
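The signing described above, as an added example that is not the deck's code: it derives the SigV4 signing key, builds the canonical request for the ListTables call, and produces an Authorization header in the same shape as the one on the slide, with the scope region matching the endpoint. The access key and session token are made-up placeholders and the secret is the one AWS uses in its own documentation examples; none of them work against a real account.

```python
# Added example (not the deck's code): compute the SigV4 Authorization header for the
# DynamoDB ListTables request with only the standard library. Credentials are placeholders.
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY = "ASIAIOSFODNN7EXAMPLE"                        # constructed (ASIA prefix = temporary STS credential)
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"    # AWS documentation example secret, not a live key
SESSION_TOKEN = "FQoGZXIvYXdzEXAMPLETOKEN"                 # constructed placeholder for the STS session token


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day/region/service key; the raw secret never signs a request directly."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: str, headers: dict, payload: bytes):
    """Lower-cased, sorted headers plus the payload hash: everything the signature covers."""
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    names = sorted(hdrs)
    canon_headers = "".join(f"{name}:{hdrs[name]}\n" for name in names)
    signed_headers = ";".join(names)
    canon = "\n".join([method, quote(path, safe="/"), query, canon_headers, signed_headers, _sha256_hex(payload)])
    return canon, signed_headers


def sign_request(method, host, path, query, headers, payload, region, service, amz_date):
    """Return (Authorization header value, the full header set that was signed)."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    all_headers = dict(headers, Host=host, **{"X-Amz-Date": amz_date, "X-Amz-Security-Token": SESSION_TOKEN})
    canon, signed_headers = canonical_request(method, path, query, all_headers, payload)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canon.encode())])
    signature = hmac.new(signing_key(SECRET_KEY, date, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return authorization, all_headers


def list_tables_authorization(amz_date="20180918T150746Z", region="us-east-2", payload=b"{}"):
    """The request from slide 96; the scope region is taken from the endpoint's region."""
    headers = {"Content-Type": "application/x-amz-json-1.0", "X-Amz-Target": "DynamoDB_20120810.ListTables"}
    auth, _ = sign_request("POST", f"dynamodb.{region}.amazonaws.com", "/", "", headers,
                           payload, region, "dynamodb", amz_date)
    return auth


if __name__ == "__main__":
    print(list_tables_authorization())
```

The service recomputes the same HMAC chain from the access key's secret and compares; changing the body, any signed header, the region in the scope or the date produces a different signature, which is why the mismatch flagged above is fatal rather than cosmetic.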
97. Service to service in AWS using Amazon Cognito (OAuth)
(Diagram: a container, a Lambda function, Service 1 and Service 2 in the AWS Cloud exchanging a CUP token; permissions still come from a role)
• Alignment with human-based authorization
• Bearer token model familiar to developers
• You perform credential distribution (using AWS primitives)
98. Attribute-based access control (ABAC)
“If the tag on the principal matches the tag
on the resource, allow, otherwise deny.”
104. Suitable for some very unique authorization use cases: custom brokers
(Diagram: an Example Corp. user authenticates to a custom broker; the broker runs on compute that holds an IAM role in the AWS Cloud)
The broker:
1. Authenticates and authorizes the user (AuthN/Z)
2. Determines granular entitlements
3. Assesses the environment and/or context
4. Generates a session policy
5. Calls sts:AssumeRole with that session policy "on behalf of" the authorized user
A session policy can only narrow the role: the session's effective permissions are the intersection of the role's policies and the session policy, so the broker can hand out a subset of the role's rights per user without creating a role per user.
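An added example, not the deck's code and not AWS's evaluation engine: a toy model of the documented IAM decision logic (explicit deny beats allow, allow beats the implicit deny) used to illustrate three earlier points at once: the action/resource match from slide 67, the "tag on the principal matches the tag on the resource" rule from slide 98 as a StringEquals condition with a ${aws:PrincipalTag/...} variable, and the session-policy intersection a custom broker relies on (slide 104). All ARNs, tags and IDs are constructed; matching is simplified (case-sensitive, only StringEquals is modelled, unknown condition keys fail closed).

```python
# Added example (not the deck's code, not AWS's engine): a toy model of IAM policy
# evaluation covering action/resource matching, an ABAC tag condition and session
# policies. All ARNs, tags and IDs are constructed.
from fnmatch import fnmatchcase

TABLE = "arn:aws:dynamodb:us-east-2:111122223333:table/MyTable"

ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    # The statement from slide 67
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"], "Resource": [TABLE]},
    # ABAC (slide 98): the object's 'team' tag must equal the caller's 'team' tag
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::team-data/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}}},
    # An explicit deny wins over every allow
    {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"},
]}

# Session policy a custom broker (slide 104) might attach for a user entitled to read only
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": TABLE}]}


def request(action, resource, principal_tags=None, resource_tags=None):
    return {"action": action, "resource": resource,
            "principal_tags": principal_tags or {}, "resource_tags": resource_tags or {}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, req):
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            return False                                   # not modelled: fail closed
        for key, expected in clauses.items():
            if expected.startswith("${aws:PrincipalTag/") and expected.endswith("}"):
                expected = req["principal_tags"].get(expected[len("${aws:PrincipalTag/"):-1])
            if key.startswith("aws:ResourceTag/"):
                actual = req["resource_tags"].get(key[len("aws:ResourceTag/"):])
            elif key.startswith("aws:PrincipalTag/"):
                actual = req["principal_tags"].get(key[len("aws:PrincipalTag/"):])
            else:
                return False
            if expected is None or actual != expected:     # a missing tag never matches
                return False
    return True


def evaluate(policy, req):
    """Explicit Deny > Allow > implicit Deny, over statements matching action, resource and condition."""
    decision = "Deny"                                      # implicit deny until a statement allows
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), req):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def evaluate_with_session(role_policy, session_policy, req):
    """An assumed-role session is allowed only what both the role policy and the session policy allow."""
    if evaluate(role_policy, req) == "Deny":
        return "Deny"
    return evaluate(session_policy, req)


if __name__ == "__main__":
    print(evaluate(ROLE_POLICY, request("dynamodb:PutItem", TABLE)))                              # Allow
    print(evaluate(ROLE_POLICY, request("s3:GetObject", "arn:aws:s3:::team-data/r.csv",
                                        {"team": "red"}, {"team": "blue"})))                    # Deny
    print(evaluate_with_session(ROLE_POLICY, SESSION_POLICY, request("dynamodb:PutItem", TABLE)))  # Deny
```

Two behaviours worth noticing: a principal with no team tag is denied the ABAC statement even when the resource is tagged, because a missing tag never satisfies StringEquals, and the session policy cannot grant PutItem back once the broker has scoped the session down to GetItem.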
105. Fine-grained permissioning
AWS Lake Formation helps you set up a secure data lake in days. A data lake is a centralized, curated, and secured repository that stores all your data, both in its original form and prepared for analysis.
• You can use Lake Formation to centrally define security, governance, and auditing policies in one place, versus doing these tasks per service
• It eliminates the need to manually configure them across security services like AWS Identity and Access Management and AWS Key Management Service, storage services like S3, and analytics and machine learning services like Redshift, Athena, and (in beta) EMR for Apache Spark. This reduces the effort in configuring policies across services and provides consistent enforcement and compliance.
• E.g. https://aws.amazon.com/blogs/big-data/enable-fine-grained-permissions-for-amazon-quicksight-authors-in-aws-lake-formation/