Deep Dive on AWS Single Sign-On - AWS Online Tech Talks

Learning Objectives:
- Learn how to enable users to access their AWS accounts and business applications using their corporate credentials
- Learn how to manage SSO access to all of your AWS accounts managed in AWS Organizations
- Learn how to centrally manage user permissions to AWS resources when they access the AWS Management Console using AWS SSO

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
   AWS Single Sign-On (SSO)
   Anand Murugesan, Sr. Product Manager, 2/1/2017

2. Agenda
   • Challenges in managing cloud services access
   • Introducing AWS SSO
   • Pricing and availability
   • Demonstration
   • Q&A

3. How customers manage access to AWS accounts
   • Permissions defined as policies
   • Attached to roles, users, and groups
   • Create AWS IAM users and assign permissions
   (Diagram: employees → IAM users in an AWS account → permissions on Amazon S3 buckets, AWS Lambda functions, Amazon EC2 instances, Amazon RDS database instances)

4. Connect corporate directory
   • Use it to control access to AWS resources through your existing corporate Active Directory
   (Diagram: on-premises users and groups in Microsoft Active Directory in the corporate data center → permissions in an AWS account on S3 buckets, Lambda functions, EC2 instances, RDS database instances)

5. Business scaling up
   Growing business
   • Demand for AWS resources
   • Different departments
   • Different purposes for the same teams
   • Multiple AWS accounts provide security isolation
   (Diagram: multiple AWS accounts)

6. Cloud applications for business agility
   (Diagram: on-premises users with SSO access to multiple AWS accounts and to business cloud applications)

7. Challenges
   Managing access to multiple AWS accounts and business applications is expensive, hard, and time-consuming.
   • Managing multiple AWS accounts requires effort
   • Hard to set up, operate, and use
   • Numerous credentials
   • No centralized security controls
   • Access to business applications takes time and effort, and is expensive

8. Challenges – Managing multiple AWS accounts
   Managing multiple AWS accounts requires effort
   • Maintain a list of AWS accounts
   • General-purpose SSO solutions treat AWS accounts as separate applications and don't integrate deeply
   • SSO setup: cut-and-paste configuration across consoles
   • New account? Repeat the setup process. Can't scale the business quickly
   • Set up roles in each account and keep the roles updated
   • Managing user access to accounts

9. Challenges – Credentials and security control
   Numerous credentials
   • Different password policies for different accounts and cloud applications
   • Numerous passwords: password fatigue leads to weak passwords and to passwords written down in cleartext
   No centralized security controls
   • Access changes need to be performed in each cloud service manually
   • Removing access to cloud services is a manual process
   • Exposes critical business data to unauthorized access

10. Challenges – Access to business applications
   Access to business applications takes time and effort, and is expensive
   • Setting up SSO and troubleshooting each application typically took days
   • In some cases, this setup could take weeks because it required you to communicate back and forth with application vendors
   • Vendor changes to the application configuration result in unexpected loss of access and require configuration changes and troubleshooting again
   • Requires you to understand the nuances of SAML integration

11. Challenges – Hard to set up and manage
   Hard to set up, operate, and use
   • Prepackaged SSO software requires you to procure hardware and install the OS and patches
   • Involves SSO software installation and ongoing patching and upgrades
   • High availability and security require expertise and time
   • Upfront investment and ongoing maintenance costs
   • Visibility into access requires manual reconciliation of data across multiple accounts, applications, and the corporate directory
   • Hard for administrators and users to keep track of application access details

12. Challenges – Summary
   Managing access to multiple AWS accounts and business applications is expensive, hard, and time-consuming.
   • Managing multiple AWS accounts requires effort
   • Hard to set up, operate, and use
   • Numerous credentials
   • No centralized security controls
   • Access to business applications takes time and effort, and is expensive

13. Introducing AWS SSO
   Centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications.
   • Centrally manage access to multiple AWS accounts
   • Easy to enable and use
   • Use your existing corporate identities
   • SSO access to business applications

14. AWS Organizations – Account management
   • Allows you to organize AWS accounts
   • Controls access to AWS services
   • Apply service control policies
   (Diagram: Root with OUs Development, Test, and Production, containing accounts A1 through A9)

15. Central access to AWS accounts
   Centrally manage access to multiple AWS accounts
   • Lists AWS accounts managed in AWS Organizations
   • Works with all AWS accounts and integrates deeply
   • SSO setup to AWS accounts is automatic
   • New accounts are set up automatically
   • Provisions permissions into all AWS accounts
   • Manage access to all accounts from a central place

16. AWS SSO – Central access to AWS accounts
   Centrally manage access to multiple AWS accounts
   (Diagram: AWS SSO manages permissions to AWS accounts managed in AWS Organizations (OU = Development, OU = Production) and gives SSO access to their AWS consoles)

17. AWS SSO – Central access to AWS accounts
   • Connects to AWS Organizations and lists your AWS accounts
   • Allows filtering accounts by OU
   • Automatic SSO setup to AWS accounts
   • Centralized management of account permission sets
   • Define, apply, and reapply permission sets to all AWS accounts
   (Diagram: same as slide 16)

18. Single password to access cloud services
   Use your existing corporate identities
   • A single corporate password works for cloud services
   • Stronger passwords improve the security of cloud services
   • Access to cloud services changes as group membership changes in on-premises Active Directory
   • Immediate revocation of access for departing employees
   • Protects critical business data from unauthorized access

19. AWS SSO – Connect your existing Active Directory
   (Diagram: on-premises Microsoft Active Directory users and groups in the corporate data center, connected to AWS SSO through AD Connector or an AD trust; AWS SSO manages permissions to AWS accounts managed in AWS Organizations (OU = Development, OU = Production) and gives SSO access to their AWS consoles)

20. Corporate Active Directory connection options
   1. AWS Managed Microsoft AD (Standard or Enterprise Edition)
   2. AD Connector to the on-premises Active Directory, using a service account
   3. AD Trust: a one-way or two-way trust between the on-premises Active Directory and AWS Managed Microsoft AD

21. AWS SSO – Extends your existing business processes
   • Map on-premises AD groups to accounts and applications
   (Diagram: users and groups in on-premises Active Directory in the corporate data center, mapped to AWS accounts managed in AWS Organizations (OU = Development, OU = Production) and their AWS consoles)

22. Access to business applications
   SSO access to business applications
   • Preintegrated with commonly used cloud applications
   • Set up using simple step-by-step instructions
   • Vendor changes to the application configuration are taken care of by AWS
   • Nuances of SAML integration simplified
   • Configure any SAML 2.0 application using the application configuration wizard

23. AWS SSO – Application configuration wizard
   1. Pick a preintegrated application
   2. Follow step-by-step customized instructions for each application
   3. Configure SSO
   4. Assign access

24. Supports SAML 2.0 for custom applications
   Supports Security Assertion Markup Language 2.0
   • Configure applications not in the preintegrated list
   • Internal applications built by you
   • Internal applications supplied by partners
   • Seamless access to applications during migration to the AWS Cloud
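The wizard above handles the identity-provider side of a custom SAML 2.0 integration, but the application itself (the service provider) still has to validate what it receives. The following is an added example, not code from the slides or from AWS SSO, showing the checks a service provider must enforce on an assertion after the XML signature has been verified with a proper SAML/XML-DSig library (signature verification is out of scope here, and nothing below should be trusted before it passes): exactly one assertion, expected issuer, validity window, audience restriction, recipient URL and InResponseTo binding to the outstanding request. The issuer, audience and ACS URLs and the sample response are constructed for illustration.

```python
"""Service-provider-side checks on a SAML 2.0 assertion (added example).

Run XML signature verification with a SAML library first; these are the
conditions the SP must still enforce once the signature is good.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Assumed values for the example; real ones come from the AWS SSO metadata
# and from the application's own configuration.
ISSUER = "https://portal.sso.example.invalid/saml/assertion/ABC"
AUDIENCE = "https://app.example.internal/saml"
ACS_URL = "https://app.example.internal/saml/acs"
SAMPLE_NOW = datetime(2018, 2, 1, 10, 1, tzinfo=timezone.utc)   # inside the window
SAMPLE_AFTER_EXPIRY = SAMPLE_NOW + timedelta(minutes=10)        # outside the window


def _ts(value):
    # SAML timestamps are ISO 8601 in UTC with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(response_xml, expected_issuer, expected_audience, acs_url,
                       expected_request_id=None, now=None, skew=timedelta(seconds=60)):
    """Return (ok, reasons). Every failing check is reported; none short-circuits."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                       # reject wrapped/duplicate assertions
        return False, [f"expected exactly one Assertion, got {len(assertions)}"]
    a = assertions[0]

    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        reasons.append(f"issuer mismatch: {issuer!r}")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            reasons.append("assertion not yet valid")
        if na is None or now - skew >= _ts(na):
            reasons.append("assertion expired or has no NotOnOrAfter")
        audiences = [e.text.strip() for e in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
        if expected_audience not in audiences:     # assertion minted for another SP
            reasons.append(f"audience restriction does not include {expected_audience!r}")

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        reasons.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:        # assertion addressed to another endpoint
            reasons.append(f"recipient mismatch: {scd.get('Recipient')!r}")
        na = scd.get("NotOnOrAfter")
        if na and now - skew >= _ts(na):
            reasons.append("subject confirmation expired")
        if expected_request_id is not None and scd.get("InResponseTo") != expected_request_id:
            reasons.append("InResponseTo does not match the outstanding AuthnRequest")
    return (not reasons), reasons


def sample_response(audience=AUDIENCE, recipient=ACS_URL,
                    not_on_or_after="2018-02-01T10:05:00Z", in_response_to="_req123"):
    """Constructed, unsigned sample response for illustration only."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-02-01T10:00:00Z">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}" InResponseTo="{in_response_to}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-02-01T09:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(validate_assertion(sample_response(), ISSUER, AUDIENCE, ACS_URL, "_req123", now=SAMPLE_NOW))
    print(validate_assertion(sample_response(audience="https://other.example/saml"),
                             ISSUER, AUDIENCE, ACS_URL, "_req123", now=SAMPLE_NOW))
```

The audience and recipient checks are what stop an assertion issued for one of your SAML applications from being replayed against another; the InResponseTo check ties the assertion to a login this application actually started.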
25. Easy to enable and use
   • No software or hardware needed
   • AWS managed service
   • No upfront investment or ongoing maintenance costs
   • Highly available service
   • Better visibility into access to cloud services using centralized auditing
   • Application access is instantaneous
   • Users can access cloud services from a central user portal

26. Central place to access
   • One place to find all:
     • AWS consoles
     • Business applications
     • Custom internal applications
   • Easily search and find applications
   • No need to distribute or remember URLs or roles
   • Single corporate credentials give access to cloud services

27. Centralized auditing
   • Audit all SSO access in AWS CloudTrail
   • Increased visibility into users' SSO access to AWS accounts and cloud applications
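Centralized auditing only pays off if someone reads the trail. The following is an added example, not code from the slides or from AWS, of two triage checks run over a CloudTrail log file: federations through AWS SSO into a production account with a privileged permission set, and a user who signed in to the user portal from more than one source IP within a short window. AWS SSO records its actions under the eventSource sso.amazonaws.com; the sample records, the account IDs and the serviceEventDetails keys (account_id, role_name) used here are constructed assumptions about the record shape, so check them against your own trail before relying on the logic.

```python
"""Triage of AWS SSO activity in a CloudTrail log file (added example)."""
import json
from collections import defaultdict
from datetime import datetime

PRODUCTION_ACCOUNTS = {"111111111111"}            # assumed production account ID
PRIVILEGED_PERMISSION_SETS = {"AdministratorAccess"}

# Constructed sample trail: SSO portal sign-ins, console federations, and one
# unrelated IAM event to show the eventSource filter. Field layout is an assumption.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2018-02-01T10:00:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "userIdentity": {"type": "Unknown", "userName": "jdoe"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2018-02-01T10:01:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Federate",
     "userIdentity": {"type": "Unknown", "userName": "jdoe"}, "sourceIPAddress": "203.0.113.10",
     "serviceEventDetails": {"account_id": "222222222222", "role_name": "ReadOnlyAccess"}},
    {"eventTime": "2018-02-01T10:02:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Federate",
     "userIdentity": {"type": "Unknown", "userName": "jdoe"}, "sourceIPAddress": "203.0.113.10",
     "serviceEventDetails": {"account_id": "111111111111", "role_name": "AdministratorAccess"}},
    {"eventTime": "2018-02-01T10:05:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "userIdentity": {"type": "Unknown", "userName": "asmith"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2018-02-01T10:15:00Z", "eventSource": "sso.amazonaws.com", "eventName": "Authenticate",
     "userIdentity": {"type": "Unknown", "userName": "asmith"}, "sourceIPAddress": "192.0.2.44"},
    {"eventTime": "2018-02-01T10:20:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"}, "sourceIPAddress": "203.0.113.99"},
]})


def _t(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def sso_events(raw_json):
    """Keep only records emitted by AWS SSO."""
    records = json.loads(raw_json)["Records"]
    return [r for r in records if r.get("eventSource") == "sso.amazonaws.com"]


def privileged_prod_federations(records):
    """Federate events that land in a production account with a privileged permission set."""
    hits = []
    for r in records:
        if r["eventName"] != "Federate":
            continue
        details = r.get("serviceEventDetails", {})
        if (details.get("account_id") in PRODUCTION_ACCOUNTS
                and details.get("role_name") in PRIVILEGED_PERMISSION_SETS):
            hits.append((r["userIdentity"]["userName"], details["account_id"],
                         details["role_name"], r["sourceIPAddress"]))
    return hits


def multi_ip_signins(records, window_minutes=30):
    """Users whose portal sign-ins come from more than one source IP inside the window."""
    by_user = defaultdict(list)
    for r in records:
        if r["eventName"] == "Authenticate":
            by_user[r["userIdentity"]["userName"]].append((_t(r["eventTime"]), r["sourceIPAddress"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):     # sliding window from each sign-in
            ips = {ip for t, ip in events[i:] if (t - start).total_seconds() <= window_minutes * 60}
            if len(ips) > 1:
                flagged[user] = sorted(ips)
                break
    return flagged


def triage(raw_json):
    events = sso_events(raw_json)
    return {
        "sso_event_count": len(events),
        "privileged_prod_federations": privileged_prod_federations(events),
        "multi_ip_signins": multi_ip_signins(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The federation check is the one that matters most for the permission-set model described earlier: the CloudTrail record names the account and the role that AWS SSO provisioned into it, so a privileged permission set reaching production shows up as a single, searchable event rather than as a role assumption buried in that account's own trail.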
28. Pricing and availability
   • Included with your AWS accounts at no additional charge
   • Public Preview in the US East (N. Virginia) Region

29. Demonstration

30. Questions?
