Best practices for choosing identity solutions for applications + workloads - FND215 - AWS re:Inforce 2019

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Best practices for choosing identity
solutions for applications and workloads
Karen Haberkorn
Director, Product Management
AWS Identity
F N D 2 1 5
@AWSIdentity

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.@AWSIdentity
Identity: securing your cloud journey
Identity
management
Access
management
Resource
management

Our metaphor
Amazon Web
Services (AWS)
Infrastructure
Application
Builders
Operators
Users
AWS
Command Line Interface (AWS
CLI)

What we hear from customers
Enable the business to innovate
Agility to move fast
Give developers freedom
Prevent dangerous actions
Accountable for security posture
Cost effective solutions
Goal: Enable you to build foundation quickly while maintaining your
desired security and governance posture
Business needs Security requirements

Likely first questions
• How many AWS accounts do I need?
• How do I govern my AWS accounts?
• How do I provide access into those accounts?
• How do I keep all of my AWS resources organized and segmented?
• What permissions do my users have in those accounts?

Manage global resources at scale
Accounts AWS Organizations AWS Resource
Groups
Groupresources by
tagsor other
attributes
Central governance
and management
across AWS accounts
Asecurity and
management
boundary withinan
organization

AWS identity services
Application
Infrastructure
AWS Platform
AWS Organizations

Introducing AWS Organizations
Govern access to AWS
services, resources, and
regions
Central governance and management for multiple
AWS accounts
Configure AWS services
across multiple AWS
accounts
Automate AWS
account creation
and management
Consolidate billing across
multiple AWS accounts

What AWS accounts do I
need?
Common options:
• Per environment (dev, test, prod)
• Per business unit per environment
• Per app per environment
• Per app per region per environment
Seeking balance

AWS Organizations: Managing AWS accounts
AWS Artifact AWS CloudTrail Amazon CloudWatch AWS Config AWS Directory Service
AWS Firewall Manager AWS License Manager AWS Resource
Access Manager
AWS Service Catalog AWS Single Sign-On
AWS Services natively integrated with AWS Organizations
More coming!

AWS Control Tower
The easiest way to set up and govern a secure,
compliant multi-account AWS environment

Next: Account access

Application
Infrastructure
AWS Platform
AWS Organizations AWS Single Sign-On

Introducing AWS Single Sign-On (SSO)
Centrally manage SSO access to multiple AWS accounts and
business applications for your workforce
Centrally manage
access to multiple
AWS accounts
Use your choice of
existing or cloud
native identities
Provide SSO access to
business applications

SSO: Your choice of identity store
AWS CloudCorporate data center
Active
Directory AWS Directory Service AWS Single Sign-On
Users &
Groups
Option 1: Use corporate identities by connecting to
an existing directory
AWS Cloud
AWS Single Sign-On
Users &
Groups
Option 2: Create users in AWS SSO

AWS SSO: Define and assign permission sets
Master account
Member acct 1 Member acct N
Uses AWS Organizations to retrieve your list and
structure of accounts
Define permissions using standard syntax and
tools
Policies are automatically deployed and
maintained in member accounts
Assign permission sets to selected users and
groups to grant access to accounts

AWS SSO: User experience
End user authenticates
User portal displays
accounts and business
applications they can
access
Options for console or
CLI/API access

What permissions do I give my users?
Least privilege is a journey,
not a starting point

Application
Infrastructure
AWS Platform
AWS Organizations AWS Identity and Access
Management (IAM)
AWS Single Sign-On

AWS Identity and Access Management (IAM)
Securely manage access to AWS services and resources
Authenticate and
Authorize AWS APIs
Specify policy based
permissions
Provide fine grain
access controls for
AWS actions and
resources
Provide short term
credentials for
humans, machines,
and applications

{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Department": "Development“
}
}
} ]
}
PARC model:
• Principal – Who
• Action – Can Access
• Resource – What
• Condition – Under what
conditions
IAM policy basics
P

{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Department": "Development“
}
}
} ]
}
“If the tag on the principal matches the tag on the
resource, allow, otherwise deny.”
Attribute based access control (ABAC)
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Department": “${aws:PrincipalTag/Department}“
}
}
} ]
}

AWS Account
AWS Account
SAML federation into AWS IAM
AWS Account
SAML federation for the AWS
Management Console, APIs, and CLI
Self-paced
workshop materials
Achieve the same core result as SSO, more ‘assembly level’

• How do I centrally authenticate users connecting to operating systems?
• How do I control which users can connect to which instances?
• How do I manage DBA access into relational database engines?
• How do I manage service accounts (non-interactive users)?

Application
Infrastructure
AWS Platform
AWS Organizations AWS Directory ServiceAWS Identity and Access
Management (IAM)
AWS Single Sign-On

Introducing: AWS Directory Services
Managed Microsoft Active Directory in the AWS cloud
Easily migrate your
directory dependent
workloads by leveraging a
managed service
Provide infrastructure
access management
without syncing
identity data
Use actual Microsoft
Active Directory integrated
with other AWS services and
applications

Leveraging Active Directory in AWS
AWS CloudCorporate data
center
Active
Directory AWS Managed AD
Users &
Groups
LDAP,
Kerberos,
Referrals
Trust
Amazon EC2
(Windows/Linux)
Amazon RDS for SQL Server
Amazon WorkSpaces
Amazon Chime Amazon WorkDocs Amazon WorkMail
Amazon QuickSight Amazon Connect
Amazon FSx
VPC AWS Managed Applications
Windows
Application
Operator
access
End user access
Domain
join
Provisioning

• How do I securely connect to AWS APIs from my infrastructure components?
• How do I managed and deploy application credentials for connecting to
relational databases?

IAM roles for AWS compute services
AWS credentials auto
delivered and rotated
AWS credentials auto
discovered and used
Access controlled by policy
attached to role
Your code
Operating
system
Amazon EC2
instance
AWS resources
Also works with AWS Lambda & Amazon Elastic Container Service (Amazon ECS)
Permissions
Role
Temporary
security credential
AWS SDKs
Amazon DynamoDB
Amazon Kinesis
Amazon Simple Storage
Service (S3)

AWS Secrets Manager
Your code
Operating
system
Amazon EC2
instance
AWS resources
Permissions
Role
Temporary
security credential
AWS SDKs
Amazon DynamoDB Amazon Kinesis
AWS Secrets Manager
VPC
Amazon RDS
DBA
AWS CloudFormation
Authorized call to
Secrets Manager DB creds
loaded
DB creds
returned
Connection
established
Safe
rotation
Combo provides a reliable, secure, auto-rotating solution for ALL credentials

• How do I add sign-up and sign-in to my applications easily?
• How do I add support for standards like OIDC or SAML?
• How do I control access to business applications for my workforce?

Application
Infrastructure
AWS Platform
Management (IAM)
Amazon CognitoAWS Single Sign-On

Introducing Amazon Cognito
Simple and secure user sign-up, sign-in, and access control for
web and mobile apps.
Offload undifferentiated
identity heavy lifting
Provide advanced
security for your apps
and users
Use standards-based
authentication
Use your choice of
existing or cloud
native identities.

Amazon Cognito
Get AWS credentials
Access AWS services
Authenticate 1
Redirect /
Post back
Access serverless backend
Federating
IdP
IdP Token
CUP TokenCUP Token
CUP Token
AWS STS
AWS STS
User pool tokens are used to
access backend resources
Identity pools provide AWS
credentials to access AWS
services
User pools authenticate users
and returns standard tokens
2
3
4
56
Amazon Cognito
Amazon API Gateway AWS Lambda
Amazon Cognito
Amazon DynamoDB Amazon Simple Storage
Service (S3)

Application
Infrastructure
AWS Platform
Management (IAM)
Amazon CognitoAWS Single Sign-On
Identity and
access
management
for your apps
& APIs
Actual Microsoft
Active Directory
as a managed
service on the
AWS Cloud
Fine-grained
access
management
for AWS
resources
Manage single
sign-on (SSO)
access to
multiple AWS
accounts and
business
applications
Central
governance and
management for
multiple AWS
accounts

Thank you!
Karen Haberkorn
karenhab@amazon.com
@AWSIdentity

Best practices for choosing identity solutions for applications + workloads - FND215 - AWS re:Inforce 2019

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Best practices for choosing identity solutions for applications + workloads - FND215 - AWS re:Inforce 2019

Ähnlich wie Best practices for choosing identity solutions for applications + workloads - FND215 - AWS re:Inforce 2019 (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

Best practices for choosing identity solutions for applications + workloads - FND215 - AWS re:Inforce 2019