Advanced Techniques for Federation of the AWS Management Console and Command Line Interface (CLI) - May 2017 AWS Online Tech Talks
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Quint Van Deman – AWS Identity & Directory Services
May 25th, 2017
SAML Federation for AWS
Agenda
• Introduction
• Federation rationale & options
• Getting started with SAML federation for AWS
• Tackling more advanced SAML use-cases
• How to select an Identity Provider
• Pro tips from the field
• Demos!
• Q & A
Federation rationale & options
Federation rationale (before → after):
• Users: Unique credentials → Single sign-on (SSO)
• Security: Long-lived keys → Short-term tokens
• Compliance: One-off → Naturally aligned
Multiple AWS federation options
• Amazon Cognito: Provide API access for end user web & mobile applications.
• AWS Directory Service: Use Active Directory username and password to access the AWS Management Console.
• Security Assertion Markup Language (SAML): Use enterprise credentials for authentication and authorization into AWS Console, CLI & APIs.
• Custom Federation Brokers: Build your own federation bridge to support specialized use cases.
Quick SAML primer
[Diagram: Identity provider ↔ Service provider; Metadata is exchanged in advance, the Assertion is sent during the login flow]
Prior art
Generally “known science”:
• Basic federation with <insert your favorite identity provider here>
• SSO experience for AWS Management Console users.
• Federated access for AWS CLI/API.
Remaining challenges
Option overload:
• Many accounts: direct federation or hub/spoke?
• Role mapping: groups, attributes, or a combination?
Solutions not yet widely published:
• Attribute-driven authorizations.
• Strong authentication techniques.
• Resource permissions for federated users.
Demo: Initial SAML setup for AWS
Initial SAML setup for AWS
Initial SAML setup for AWS - Recap
Prerequisite:
• Working SAML identity provider.
Checklist:
• AWS: IAM Identity Provider.
• AWS: IAM role for SAML (WebSSO).
• IdP: AWS Relying Party.
• IdP: AWS SAML assertion attributes.
• Directory: Groups per naming convention.
• Workstation: CLI/API helper.
Scaling: Multiple AWS accounts
Option 1: “Direct Federation” (everywhere)
Option 2: “Hub and Spoke”
Recommendation for multiple accounts
• Preferred approach: Direct Federation.
• Both solutions are technically valid and are in use.
• However, direct federation offers these advantages:
  • The corporate directory is the sole source of truth for “who has access to what.”
  • Users can have access to a subset of accounts and different roles per account.
  • The user experience is better, particularly for new users.
  • CLI and API automation don’t require the “extra hop.”
Demo: Multiple AWS Accounts
Multiple AWS Accounts
Multiple AWS Accounts - Recap
Prerequisite:
• IAM Roles for cross account trust.
Checklist:
• AWS: Automation to configure IAM Identity Provider.
• AWS: Automation to maintain IAM roles & policies.
• IdP: Nothing to do!
• Directory: Automation to create groups.
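As an added example (not the talk's code) of the “groups per naming convention” pattern behind this checklist: the claim logic an IdP would run to turn a user's directory group names into the values of the AWS Role SAML attribute, so that the directory stays the sole source of truth. The group-name convention, the account ids and the provider name are constructed assumptions.

```python
import re

# Constructed naming convention (assumption, not from the talk):
#   AWS-<12-digit account id>-<RoleName>
# One group per (account, role) pair; membership grants that role in that account.
GROUP_PATTERN = re.compile(r"^AWS-(?P<account>\d{12})-(?P<role>[\w+=.@-]+)$")

# Constructed sample: what a directory lookup might return for one user.
SAMPLE_GROUPS = [
    "AWS-111111111111-CorpAdmin",
    "AWS-222222222222-CorpReadOnly",
    "Domain Users",        # unrelated group: must never map to an AWS role
    "AWS-12345-Broken",    # violates the convention: ignored, not guessed at
]


def groups_to_role_values(groups, provider_name):
    """Map group names to AWS 'Role' attribute values ("role-arn,provider-arn"),
    one value per group that follows the convention.

    The SAML provider named is the one registered in the same account as the
    role, which is what direct federation (IdP trusted in every account) needs.
    """
    values = []
    for name in groups:
        m = GROUP_PATTERN.match(name)
        if not m:
            continue  # anything outside the convention grants nothing
        acct, role = m.group("account"), m.group("role")
        values.append(
            f"arn:aws:iam::{acct}:role/{role},"
            f"arn:aws:iam::{acct}:saml-provider/{provider_name}"
        )
    return values


def accounts_for(groups):
    """Accounts a user can reach; handy when reviewing who has access to what."""
    return sorted({m.group("account") for m in map(GROUP_PATTERN.match, groups) if m})


if __name__ == "__main__":
    for value in groups_to_role_values(SAMPLE_GROUPS, "CorpIdP"):
        print(value)
    print("accounts:", accounts_for(SAMPLE_GROUPS))
```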
How do I choose an IdP that’s right for me?
Choosing an IdP
• As long as the IdP can supply the required SAML assertion attributes, it will work with AWS.
• Start with some self-directed questions:
  • What are your needs for federation beyond AWS?
  • What is your preferred model: SaaS or self-hosted/managed?
  • Do you have existing relationships/infrastructure?
• Bias towards IdPs that can support dynamic attributes.
Demo: SAML attributes in role assumption conditions (a.k.a. MFA-for-SAML)
MFA-for-SAML
MFA-for-SAML - Recap
Prerequisite:
• MFA of your choice integrated with your IdP.
Checklist:
• IdP: Send authentication method as additional attribute in SAML assertion.
• AWS: Update role assumption trust policy.
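The “Initial SAML setup” checklist earlier and this MFA-for-SAML recap, worked as one local pre-deployment check (an added example, not code from the talk): it parses a constructed, unsigned assertion, lists the roles it offers per account, flags missing AWS attributes, and applies a role trust policy's conditions to decide which role assumptions the IdP's output would satisfy. The AWS attribute names, the sign-in audience and the trust-policy shape are real; the IdP, account ids, provider name and the authentication-method attribute name are constructed, and treating that custom attribute directly as a condition key is a simplification of how an IdP maps it onto an IAM key.

```python
import json
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"     # real AWS attribute prefix
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"        # real AWS SP audience
AUTHN_METHOD_ATTR = "urn:example:authnmethod"              # constructed (assumption)

# Constructed sample assertion. It carries no XML signature, so AWS itself would
# reject it; this script only checks attribute content, never signatures.
SAMPLE_ASSERTION = f"""
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>https://idp.example.com/corp</saml2:Issuer>
  <saml2:Subject><saml2:NameID>jdoe@example.com</saml2:NameID></saml2:Subject>
  <saml2:Conditions><saml2:AudienceRestriction>
    <saml2:Audience>{AWS_AUDIENCE}</saml2:Audience>
  </saml2:AudienceRestriction></saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{AWS_ATTR}Role">
      <saml2:AttributeValue>arn:aws:iam::111111111111:role/CorpAdmin,arn:aws:iam::111111111111:saml-provider/CorpIdP</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::222222222222:saml-provider/CorpIdP,arn:aws:iam::222222222222:role/CorpReadOnly</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="{AWS_ATTR}RoleSessionName">
      <saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="{AUTHN_METHOD_ATTR}">
      <saml2:AttributeValue>mfa</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Trust policy of the CorpAdmin role in account 111111111111 (constructed).
# Principal/Action/SAML:aud are the real AWS WebSSO shape; the second condition
# is the MFA-for-SAML pattern: require the IdP-supplied authentication method.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/CorpIdP"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_AUDIENCE,
                                       AUTHN_METHOD_ATTR: "mfa"}},
    }],
}


def parse_assertion(xml_text):
    """Pull issuer, subject, audiences and attributes out of an assertion."""
    root = ET.fromstring(xml_text.strip())
    attrs = {}
    for a in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[a.get("Name")] = [v.text.strip() for v in a.iterfind("saml2:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml2:Issuer", namespaces=NS),
        "subject": root.findtext("saml2:Subject/saml2:NameID", namespaces=NS),
        "audiences": [e.text.strip() for e in root.iterfind(".//saml2:Audience", NS)],
        "attributes": attrs,
    }


def role_pairs(assertion):
    """Split each Role value into (role_arn, provider_arn); AWS accepts either order."""
    pairs = []
    for value in assertion["attributes"].get(AWS_ATTR + "Role", []):
        a, b = [p.strip() for p in value.split(",")]
        pairs.append((a, b) if ":role/" in a else (b, a))
    return pairs


def account_of(arn):
    return arn.split(":")[4]


def roles_by_account(assertion):
    out = {}
    for role, _provider in role_pairs(assertion):
        out.setdefault(account_of(role), []).append(role)
    return out


def setup_problems(assertion):
    """The 'Initial SAML setup' recap as automated checks on the IdP's output."""
    problems, attrs = [], assertion["attributes"]
    if AWS_AUDIENCE not in assertion["audiences"]:
        problems.append("audience is not the AWS sign-in endpoint")
    if not attrs.get(AWS_ATTR + "RoleSessionName"):
        problems.append("RoleSessionName missing: CloudTrail cannot attribute actions to a user")
    pairs = role_pairs(assertion)
    if not pairs:
        problems.append("no Role attribute: nothing to assume")
    for role, provider in pairs:   # a role trusts the provider registered in its own account
        if account_of(role) != account_of(provider):
            problems.append(f"{role} is paired with a SAML provider from another account")
    return problems


def condition_values(key, assertion):
    """Simplified: known SAML:* keys, else treat the key as an attribute name (assumption)."""
    if key == "SAML:aud":
        return assertion["audiences"]
    if key == "SAML:iss":
        return [assertion["issuer"]]
    if key == "SAML:sub":
        return [assertion["subject"]]
    return assertion["attributes"].get(key, [])


def trust_policy_allows(policy, assertion, role_arn):
    """Would this assertion satisfy the role's trust policy for sts:AssumeRoleWithSAML?"""
    provider = dict(role_pairs(assertion)).get(role_arn)
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != "sts:AssumeRoleWithSAML":
            continue
        if st["Principal"].get("Federated") != provider:
            continue
        equals = st.get("Condition", {}).get("StringEquals", {})
        if all(want in condition_values(k, assertion) for k, want in equals.items()):
            return True
    return False


if __name__ == "__main__":
    a = parse_assertion(SAMPLE_ASSERTION)
    print(json.dumps(roles_by_account(a), indent=2))
    print("problems:", setup_problems(a))
    print("CorpAdmin allowed:", trust_policy_allows(TRUST_POLICY, a, "arn:aws:iam::111111111111:role/CorpAdmin"))
```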
Pro Tips: Lessons learned from working with many customers
Pro Tips
• AWS supports multiple federation setups in parallel – experiment!
• Make sure you understand who has access to modify AD group memberships.
• Consistency is the key to scale – modify group memberships, not policy definitions.
• Think through your tools & processes for assigning users to groups: will they scale?
• Choose a persistent & unique identifier (CloudTrail).
Where to go from here
Re:Invent workshop materials: http://bit.ly/2dBXMUq
AWS Docs: About SAML 2.0-based Federation
AWS Docs: Configuring SAML Assertions
AWS Docs: Integrating 3rd Party SAML Providers
AWS Security Blog: SAML API/CLI Solution
AWS Whitepaper: Shibboleth + Openldap Walkthrough
AWS Security Blog: ADFS How to
AWS Security Blog: ADFS Multi-account How to
AWS Security Blog: AWS CloudTrail for Federated Users
Q & A
Thank you!
