Every journey to the AWS Cloud is unique. Some customers are migrating existing applications, while others are building new applications using cloud-native services. Along each journey, identity and access management helps customers protect their applications and resources. Come to this session and learn how AWS identity services provide you with a secure, flexible, and easy solution for managing identities and access on the AWS Cloud. With AWS identity services, you do not have to adapt to AWS. Instead, you have a choice of services designed to meet you anywhere along your journey to the AWS Cloud.

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Quint Van Deman
Business Development Manager, Identity and Directory Services, Amazon Web Services
SID201
AWS Identity, Directory, and Access Services:
An Overview

2. Every AWS Cloud journey is unique.
Migrating or extending
existing infrastructure and
applications
Building customer-facing
cloud-native applications
Going all-in on cloud
solutions across the
organization
Using the scale of the AWS
Cloud to solve new
challenges
Requiring unique Identity and Access Management solutions

3. What to expect
(C) Copyright Jean-Remy Duboc and licensed for reuse under the Creative
Commons Attribution-Generic 2.0 License
Provide
mental model
Chart the
landscape
Map to
use cases
Customer
examples

4. Disambiguation
IAM
Authentication, authorization, audit, and
governance for your cloud workloads
Our scope for today
AWS IAM
(the service)
Authenticates and authorizes
AWS APIs
Includes
(the subject)

5. Identity & Access Management means …
Validate identities securely
Authentication
Manage access using fine-
grained policies
Authorization
Meet compliance
requirements
Audit / Governance

6. At all levels
Identity and Access Management
(the subject)
AWS Management Console / APIs
AWS infrastructure
AWS applications
Your applications
Developers
Admins
Security Employees
Customers
Partners

7. Mental Model

8. Tenets
Mental model for Identity and Access Management Services
Give you choices Secure, flexible,
comprehensive
Meet you where you
are

9. Benefits of AWS Identity, Directory, & Access Services
Superior Security
Enable you to build applications and manage access more securely in
the AWS Cloud than on premises
Comprehensive
Breadth of services that help you get started quickly and are feature-
rich to meet your more advanced needs over time
Increase Flexibility
Offer you options that meet you along your AWS Cloud journey
instead of forcing you to adapt to AWS

10. Landscape

11. AWS Identity, Directory, & Access Services
AWS Identity and
Access Management
Fine-grained access
management for AWS
resources
AWS
Organizations
Policy-based
management for
multiple AWS accounts
Amazon Cognito
Identity and access
management for your
apps & APIs
AWS Single Sign-On
Manage single sign-on
(SSO) access to multiple
AWS accounts and
business applications
AWS Directory Service
Actual Microsoft Active
Directory as a managed
service on the AWS
Cloud
Amazon Cloud
Directory
Directory for managing
hierarchical data
AWS Secrets
Manager (NEW!)
Lifecycle
management for
secrets

12. Broader security portfolio
• AWS Identity & Access
Management (IAM)
• AWS Organizations
• Amazon Cognito
• AWS SSO
• AWS Directory Service
• Amazon Cloud Directory
• AWS Secrets Manager
• AWS CloudTrail
• AWS Config
• Amazon
CloudWatch
• Amazon GuardDuty
• VPC Flow Logs
• Amazon EC2
Systems Manager
• AWS Shield
• AWS Web Application
Firewall (AWS WAF)
• Amazon Inspector
• Amazon VPC (VPC)
• AWS KMS
• AWS CloudHSM
• Amazon Macie
• ACM
• Server-Side
Encryption
• AWS Config Rules
• AWS Lambda
Identity Detective
control
Infrastructure
security
Incident
response
Data
protection

13. Use Cases

14. Common Use Cases
Manage user access to AWS accounts and resources
• Developers signing in to the AWS Command Line Interface (AWS CLI) or
AWS Management Console
• SecOps engineers running AWS Lambda functions
Manage application access to data and resources
• Applications running on Amazon EC2 instances or containers that need
access to data in Amazon S3
Manager user access to your own applications
• Users signing in to your applications using their Facebook, Twitter, or
Amazon accounts

15. #1 − User Access to AWS Accounts & Resources
▪ Enable users to sign in to AWS accounts using their
existing corporate credentials:
▪ Configure SSO access (federation) to each of your
AWS accounts using AWS IAM
▪ AWS SSO helps you manage SSO access and user
permissions for multiple AWS accounts centrally
▪ Define fine-grained user permissions within your
AWS accounts using IAM policies
▪ AWS Organizations helps you manage the use of
AWS service APIs across multiple AWS accounts

16. AWS SSO: Define Permissions
• Uses AWS Organizations to retrieve
your list and structure of accounts.
Master account
Member account #1 Member account #N
AWS OrganizationsAWS SSO
• Define permissions using standard
syntax and tools
• Definitions and policies
automatically deployed and
maintained in member accounts

17. AWS SSO: Assign Users
Master account
AWS OrganizationsAWS SSOAWS Directory
Service
Groups
Active Dir
EntitlementsDirectory connection
On-premises
Uses AWS Directory Service
to connect to on-premises
Active Directory
Map Active Directory groups
to defined permissions
Grant access to one AWS
account, an OU, or the
entire organization

18. AWS SSO: Login Flow
Master account
AWS SSO
AWS SSO
user portal
Groups
Active Dir
Users
Entitlements
AuthZ
On premises
SAML
Member account
• Users browse to the AWS SSO
user portal and are
authenticated using their
corporate credentials
• AWS SSO authorizes the user
based on their entitlements
• Users are federated into an
IAM role in member account
• Actions and resource access
are governed by IAM policies
and Organizations SCPs

19. AWS Organizations: Key Concepts
A1 A2 A4
M
Master account / Administrative root
Organizational unit (OU)
AWS accounts
Service
Control
Policies (SCPs)
AWS resources
A3
Dev Test Prod

20. AWS Organizations: Together with IAM
Allow: EC2:*Allow: S3:* Allow: SQS:*
Allow: EC2:*Allow: EC2:*
SCP IAM
permissions

21. #2 − Application Access to Data & Resources
▪ Avoid hardcoding credentials in source code
▪ You can use IAM roles instead:
• AWS distributes and rotates short-term
credentials on your behalf automatically
• IAM roles work with Amazon EC2, Amazon
EC2 containers, and AWS Lambda functions
▪ You can define fine-grained permissions to AWS
resources using IAM policies

22. AWS resources
IAM Roles
Your code
Operating
system
EC2 instance
AWS credentials auto-
delivered and rotated
AWS credentials auto-
discovered and used
Access controlled by policy
attached to role
Also works with AWS Lambda & Amazon ECS

23. IAM roles provide your applications with a:
Reliable, secure, auto-rotating solution for AWS credentials
But what about:
• Database connection credentials?
• Third-party API keys?
• OAuth refresh tokens?
(C) Copyright A not very creative mind and licensed for reuse under the
Creative Commons Attribution-Generic 2.0 License
How do we avoid the back alley exchange?

24. Lifecycle management for secrets
such as database credentials and API keys
Rotate secrets safely Pay as you goManage access with
fine-grained policies
Secure and audit
secrets centrally
AWS Secrets Manager

25. AWS Secrets Manager: Key Features
Safe rotation
of secrets
Built-in integrations,
extensible with Lambda
On-demand or automatic
rotation with versioning
Fine-grained
access policies
Encrypted storage Logging and monitoring

26. AWS resources
AWS Secrets Manager: Architecture
Your code
Operating
system
EC2 instance
Other resources
AWS credentials
plumbed (as before)
DB creds
loaded
Safe
rotation
Combo provides your apps a reliable, secure, auto-rotating solution for ALL credentials

27. #3 − User Access to Your Own Applications
▪ Enable users to bring their own identities
from social and enterprise identity providers
with Amazon Cognito
▪ Built-in integrations for Facebook,
Google, and Amazon
▪ Integrates with enterprise identity
providers that support OAuth 2.0, SAML
2.0, and OpenID Connect (OIDC)
▪ Create cloud-native user directories with
extensible user profiles
▪ Secure access to your applications with
protection for:
▪ Unusual sign-in activity
▪ Compromised credentials

28. Amazon Cognito: Application IAM
Get AWS
credentials
Amazon Cognito
identity pool
Amazon
DynamoDB
Amazon S3
Access AWS services
Federating
IdP
Amazon Cognito
user pool• User pool authenticates users and
returns standard tokens
• Amazon Cognito user pool (CUP)
tokens are used to access your
custom APIs
• Identity pool provides role-based
AWS credentials to access AWS
services
Authenticate
3
CUP
token1
IdP
token
2
Redirect /
Postback
CUP
Token
5
6
Access serverless backendCUP
Token
API GW
4
Lambda

29. Amazon Cognito and Amazon API Gateway
Amazon Cognito
Identity management for your application
API Gateway
Authorize using your choice:
ID token, access token, custom
Lambda microservices
AWS Lambda

30. Customer Examples

31. TIBCO
As TIBCO scaled on AWS, it wanted to centrally
manage permissions across multiple AWS accounts.
TIBCO uses AWS Organizations service control
policies to manage service API use across its AWS
accounts.
Created Slack integration with Organizations to
enable users to deploy AWS infrastructure in an
auditable way.
AWS Organizations

32. Hixme
Provides employee benefits and insurance
solutions to businesses.
Hixme manages sensitive customer data, requiring
an authentication solution that protects that
information from unauthorized access.
Uses Amazon Cognito and AWS Lambda to
“develop a flexible, fully integrated solution that
can scale effortlessly.”
Amazon Cognito
user pools
Users with
mobile app
AWS Lambda

33. Submit Session Feedback
1. Tap the Schedule icon.
2. Select the session you
attended.
3. Tap Session Evaluation to
submit your feedback.

34. Thank you!