
SID344-Soup to Nuts Identity Federation for AWS


AWS offers customers multiple solutions for federating identities on the AWS Cloud. In this session, we embark on a tour of these solutions and the use cases they support. Along the way, we dive deep with demonstrations and best practices to help you succeed at managing identities on the AWS Cloud. We cover how and when to use Security Assertion Markup Language 2.0 (SAML), OpenID Connect (OIDC), and other AWS-native federation mechanisms. You will learn how these solutions enable federated access to the AWS Management Console, APIs, and CLI; to AWS infrastructure and managed services; to your web and mobile applications running on the AWS Cloud; and much more.


  1. Soup to Nuts: Identity Federation for AWS (SID344)
     Quint Van Deman, Business Development Manager, Identity & Directory Services
     November 27, 2017
     © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. What to expect
     • Build a consistent vernacular and mental model
     • Tour the major federation bridges across AWS
     • Fun and lively session with demos
     • Links to key content and patterns
     Image credits: (C) Copyright Jean-Remy Duboc, licensed for reuse under the Creative Commons Attribution-Generic 2.0 License; Adam.J.W.C. (own work) [CC BY 3.0 (http://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons
  3. Building a consistent vernacular and mental model
  4. What do we mean when we say "federation"?
  5. Definition (for today)
     • Identity providers: store the identities, perform authentication, and perform coarse authorization (which roles or entitlements a user may receive)
     • Identity consumers: store only references to those identities and perform fine authorization (what a session may actually do)
     • The two sides are joined by trust and protocols; identities are not synchronized between them
  6. Rationale
     Area         Before                   After
     Users        Unique credentials       1:many reuse
     Security     Credentials everywhere   Centrally managed
     Compliance   Bespoke                  Unified
  7. Understanding planes of access: Amazon EC2
     • Control plane: AWS API (e.g., ec2:StartInstances)
     • Data plane: Amazon VPC connection (e.g., SSH, RDP)
     Different paths, credentials, and protocols
  8. Understanding planes of access: Amazon DynamoDB
     • Control plane: AWS API (e.g., dynamodb:CreateTable)
     • Data plane: AWS API (e.g., dynamodb:GetItem)
     Same path, credential, and protocol
  9. Mental model: use cases, evaluation, selection, blueprints
  10. Bridge #1: Security Assertion Markup Language (SAML)
  11. SAML primer
      • The user authenticates to the identity provider (IdP), which performs AuthN & AuthZ
      • The IdP and the service provider (SP) exchange metadata in advance
      • The IdP issues an assertion, which the user presents to the SP
  12. SAML federation
      Internal AD -> SAML IdP -> (SAML) -> AWS Management Console, API, CLI; Amazon Cognito; data plane APIs
  13. SAML federation: demonstrations
  14. SAML demo review
      • Amazon S3 permissions
      • Many AWS accounts
      • Custom durations
      • MFA for SAML
      Self-paced workshop materials (all this and much more): SAML federation for the AWS Management Console, APIs, and CLI, http://bit.ly/2dBXMUq
  15. SAML demo review: SAML federation for an Amazon Cognito-enabled web application and custom API (using Amazon API Gateway)
      Architecture: CloudFront + Amazon S3 (single-page app) -> Amazon Cognito, which receives the assertion from the SAML IdP and issues tokens -> API Gateway (Chalice)
      Amazon Cognito documentation (includes sample code): http://amzn.to/2wSH4IC
  16. SAML federation: additional targets
      Internal AD -> SAML IdP -> (SAML) -> Console, API, CLI; Amazon Cognito; data plane APIs: Amazon Redshift, Amazon RDS (Aurora, MySQL), Amazon QuickSight, Amazon AppStream; SaaS apps (outside AWS)
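Added example, not code from the talk or its workshop materials: the client half of the "SAML federation for the CLI" flow from slides 11 to 14. After the IdP authenticates the user, the script holds a base64-encoded SAML Response; it extracts the AWS-specific attributes (Role pairs across many accounts, RoleSessionName, a custom SessionDuration) and builds the parameters for sts:AssumeRoleWithSAML. The attribute names and the AWS audience URL are the real ones; the account IDs, role names and the CorpIdP provider name are placeholders, and the sample response is constructed and unsigned. The script makes no trust decision of its own: STS verifies the assertion's signature against the IdP metadata registered in IAM, and the role's policies decide what the session may do.

```python
"""Client side of SAML federation to the AWS CLI/API (sts:AssumeRoleWithSAML).

Added example. Extracts the AWS attributes from a SAML Response and builds
the sts:AssumeRoleWithSAML parameters. STS, not this code, verifies the
signature; the client only has to choose a role and not send an assertion
meant for a different service provider.
"""
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
ATTR_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
ATTR_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
ATTR_DURATION = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed, unsigned sample; a real response carries the IdP's XML signature.
# Account IDs, role names and the saml-provider name are placeholders.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/CorpIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/CorpIdP,arn:aws:iam::222222222222:role/Admin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>14400</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_saml_response(xml_text):
    """Base64-encode a SAML Response the way the IdP POSTs it to the SP."""
    return base64.b64encode(xml_text.encode()).decode()


SAMPLE_SAML_RESPONSE_B64 = encode_saml_response(SAMPLE_RESPONSE_XML)


def parse_aws_saml_response(saml_response_b64):
    """Return the AWS roles, session name and duration the IdP asserted."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", SAML_NS)]
    if AWS_AUDIENCE not in audiences:
        raise ValueError(f"assertion audience {audiences} does not include AWS")
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [
            v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
        ]
    roles = []
    for value in attrs.get(ATTR_ROLE, []):
        first, second = (part.strip() for part in value.split(","))
        # IdPs emit the pair in either order; sort it out by ARN resource type.
        role_arn, principal_arn = (first, second) if ":role/" in first else (second, first)
        if ":role/" not in role_arn or ":saml-provider/" not in principal_arn:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        roles.append((role_arn, principal_arn))
    if not roles:
        raise ValueError("IdP asserted no AWS roles for this user")
    duration = int(attrs.get(ATTR_DURATION, ["3600"])[0])
    if not 900 <= duration <= 43200:
        # STS rejects durations outside this range; the role's own maximum may be lower.
        raise ValueError(f"SessionDuration {duration} outside 900..43200 seconds")
    return {
        "roles": roles,
        "session_name": attrs.get(ATTR_SESSION_NAME, [None])[0],
        "duration": duration,
    }


def assume_role_with_saml_params(saml_response_b64, role_arn):
    """Parameters for sts:AssumeRoleWithSAML, given the role the user chose."""
    parsed = parse_aws_saml_response(saml_response_b64)
    for asserted_role, principal_arn in parsed["roles"]:
        if asserted_role == role_arn:
            return {
                "RoleArn": asserted_role,
                "PrincipalArn": principal_arn,
                "SAMLAssertion": saml_response_b64,
                "DurationSeconds": parsed["duration"],
            }
    raise ValueError(f"{role_arn} is not among the roles the IdP asserted")


if __name__ == "__main__":
    parsed = parse_aws_saml_response(SAMPLE_SAML_RESPONSE_B64)
    for asserted_role, principal_arn in parsed["roles"]:
        print(parsed["session_name"], "may assume", asserted_role, "via", principal_arn)
    # Hand these to boto3.client("sts").assume_role_with_saml(**params).
    params = assume_role_with_saml_params(SAMPLE_SAML_RESPONSE_B64, parsed["roles"][1][0])
    print({k: v for k, v in params.items() if k != "SAMLAssertion"})
```

The audience check is the one defensive step the client owns: an assertion addressed to a different SP must never be forwarded to STS. Everything else (signature, IdP identity, role trust policy, maximum session duration) is enforced on the AWS side.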
  17. Bridge #2: OpenID Connect (OIDC)
  18. OIDC primer
      • The user authenticates to the OpenID provider (OP), which performs AuthN & AuthZ
      • The relying party (RP) registers with the OP and exchanges metadata in advance
      • The OP issues tokens, which the user presents to the RP
  19. OIDC federation
      External OIDC OP -> (OIDC) -> Amazon Cognito; Internal AD -> SAML IdP -> (SAML) -> Amazon Cognito
      Amazon Cognito -> (OIDC) -> apps; data plane APIs (Amazon Redshift, Amazon RDS (Aurora, MySQL), Amazon QuickSight, Amazon AppStream); Console, API, CLI; SaaS apps (outside AWS)
  20. OIDC federation: demonstrations
  21. OIDC demo review: OIDC federation for an Amazon Cognito-enabled web app and custom API (using Amazon API Gateway)
      Architecture: CloudFront + Amazon S3 (single-page app) -> Amazon Cognito, which receives tokens from the OIDC OP and issues its own tokens -> API Gateway (Chalice)
      Amazon Cognito documentation (includes sample code): http://amzn.to/2wSH4IC
  22. OIDC demo review: OIDC federation for an Amazon Cognito-enabled backend application and external API
      Components: Amazon Cognito (tokens), AWS Systems Manager Parameter Store, external API
      Amazon Cognito documentation: http://amzn.to/2grl7NV
  23. Amazon Cognito: related session
      For even more details and demonstrations, check out SID332, "Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito", 11/30/17 (Thursday) 1:45 PM, MGM, Level 3, Premiere Ballroom 314
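Added example, not code from the talk or Amazon Cognito's own samples: the relying-party side of the OIDC primer on slide 18. Before an RP trusts the identity inside an ID token it must verify the signature, issuer, audience, lifetime and the nonce it sent in the authentication request; the same checks are what STS performs against the IAM OIDC provider (and the trust policy's condition on the aud claim) when the token is exchanged with sts:AssumeRoleWithWebIdentity. For self-containment the stand-in OP below signs with HS256 and a constructed shared key; Amazon Cognito and public OPs sign with RS256 and publish keys at the issuer's /.well-known/jwks.json, so a real RP verifies against those instead. The issuer, client ID, key and claim values are all constructed.

```python
"""Relying-party validation of an OIDC ID token.

Added example. HS256 with a constructed shared key stands in for the OP's
RS256/JWKS signature so the block runs offline; the claim checks (iss, aud,
azp, exp, iat/nbf, nonce) are the ones every RP must make.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example (not a real OP, client or key).
ISSUER = "https://op.example.com"
CLIENT_ID = "spa-client-id-example"
SHARED_KEY = b"constructed-hs256-key-for-this-example-only"


class TokenInvalid(Exception):
    pass


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, key, alg="HS256"):
    """Stand-in for the OP. alg="none" yields the unsigned token an attacker
    might present to a sloppy RP; it exists only to show it gets rejected."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token, key, issuer, client_id, expected_nonce=None,
                      now=None, leeway=60):
    """Return the claims if the token is acceptable; raise TokenInvalid otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("token must be header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:  # bad base64 or bad JSON
        raise TokenInvalid(f"malformed token: {exc}")
    # Pin the algorithm; never let the untrusted header choose it ("alg": "none").
    if header.get("alg") != "HS256":
        raise TokenInvalid(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenInvalid("signature does not verify")
    if claims.get("iss") != issuer:
        raise TokenInvalid(f"issuer {claims.get('iss')!r} is not {issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        raise TokenInvalid("token was not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise TokenInvalid("multiple audiences but azp is not this client")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenInvalid("token expired or carries no exp")
    if claims.get("iat", 0) > now + leeway or claims.get("nbf", 0) > now + leeway:
        raise TokenInvalid("token is not yet valid")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise TokenInvalid("nonce mismatch (possible replay)")
    return claims


def rejection_reason(token, key, issuer, client_id, **kwargs):
    """None if the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, key, issuer, client_id, **kwargs)
    except TokenInvalid as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
              "exp": now + 300, "iat": now, "nonce": "n-123"}
    token = mint_id_token(claims, SHARED_KEY)
    print("accepted:", validate_id_token(token, SHARED_KEY, ISSUER, CLIENT_ID, "n-123")["sub"])
    print("alg=none:", rejection_reason(mint_id_token(claims, SHARED_KEY, "none"), SHARED_KEY, ISSUER, CLIENT_ID))
```

The two checks RPs most often skip are the audience (a token minted for another client of the same OP must not log anyone in here) and the nonce (which binds the token to the browser session that started the login). Pinning the algorithm before looking at the signature closes the "alg": "none" and key-confusion class of bugs.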
  24. Bridge #3: Active Directory trust with Kerberos
  25. AD trust/Kerberos primer
      • An AD forest trust links the on-premises Active Directory domain controller with AWS Directory Service for Microsoft Active Directory
      • The Kerberos-enabled resource is domain-joined to the AWS-managed directory
      • Access is granted by adding the on-premises user to a group (add group membership)
  26. AD trust
      On-premises AD -> AD trust -> Windows/Amazon EC2, Amazon WorkSpaces, Amazon RDS (SQL Server), Amazon WorkDocs, Amazon WorkMail
      (The earlier bridges stay on the map: external OIDC OP and internal AD/SAML IdP -> Amazon Cognito -> apps, data plane APIs, Console/API/CLI, SaaS apps outside AWS)
  27. AD trust: related sessions
      For demonstrations, check out these related sessions:
      • WIN311, "Unified Access Management with AWS Managed Services for Microsoft Active Directory", 11/28/17 (Tuesday) 1:00 PM, MGM, Level 3, Premiere 301
      • WIN403, "AWS Directory Service for Microsoft Active Directory Deep Dive", 11/30/17 (Thursday) 3:15 PM, MGM, Level 1, Grand Ballroom 113
  28. AD trust details for Windows/Amazon EC2
      Use on-premises AD identities for authentication and authorization in Windows/Amazon EC2: forest trust between the on-premises domain controller and AWS Directory Service for Microsoft Active Directory; the Windows Amazon EC2 instance is domain-joined to the AWS-managed directory; on-premises user and group, with access granted by adding group membership
      AWS Directory Service documentation: http://amzn.to/2ysq4Ns
  29. AD trust details for Amazon WorkSpaces
      Use on-premises AD identities to provision and access Amazon WorkSpaces: forest trust between the on-premises domain controller and AWS Directory Service for Microsoft Active Directory; the admin searches for the on-premises user and provisions a WorkSpace, which is domain-joined; the user logs in (AuthN & AuthZ)
      Amazon WorkSpaces documentation: http://amzn.to/2x6IcZB
  30. Bridge #4: AWS cross-account (XA) trust
  31. AWS XA trust primer
      • Target AWS account: an IAM role with a permission policy (controls access to AWS services and resources) and a trust policy (specifies the principals who can assume the role, and optionally a shared external ID)
      • Source AWS account: an IAM role or IAM user with a permission policy that allows sts:AssumeRole on the remote role in the target account
      • The source principal calls sts:AssumeRole and receives a short-term credential, which it uses to invoke AWS APIs or access the Management Console
      • Either side may be you or an external entity (or vice versa)
      Note: AWS XA trusts also support many other use cases
  32. Cross-account trust
      External apps holding an AWS credential -> cross-account trust -> Console, API, CLI and data plane APIs (the targets shown on the earlier bridges remain on the map)
  33. Cross-account trust details
      Use AWS credentials from one account to federate into another account
      IAM documentation: http://amzn.to/2zzwE2n

      aws sts assume-role \
          --role-arn arn:aws:iam::012345678912:role/RoleName \
          --role-session-name use_traceable_name \
          --external-id mysharedsecret

      {
          "AssumedRoleUser": {
              "AssumedRoleId": "XXXXXXXXXXXXXXXXXXXXX:use_traceable_name",
              "Arn": "<roleARN>/use_traceable_name"
          },
          "Credentials": {
              "SecretAccessKey": "ssssssssssssssssssssssssssssssssssssssss",
              "SessionToken": "ttttttttttttttttttttttttttttttttttttttttttt",
              "Expiration": "2017-10-19T00:01:38Z",
              "AccessKeyId": "aaaaaaaaaaaaaaaaaaaaaaa"
          }
      }
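Added example, not code from the talk: the two policy documents the XA trust primer on slide 31 describes, plus the review check a practitioner runs over existing role trust policies before (or after) the aws sts assume-role call on slide 33. cross_account_trust_policy() is the target role's trust policy with the sts:ExternalId condition that the --external-id flag satisfies; source_permission_policy() is the source principal's sts:AssumeRole grant; audit_trust_policy() flags statements that let a principal outside your own accounts assume the role without an external ID, and wildcard principals. The external ID exists to defeat the confused-deputy problem (a third party tricked into assuming your role on behalf of one of its other customers); it is not a substitute for a tight Principal element. All account IDs, role names and the external ID value are placeholders.

```python
"""Cross-account trust: the two policies, and a trust-policy audit.

Added example. Generates the target-side trust policy and source-side
permission policy for sts:AssumeRole, and checks existing trust policies for
the two mistakes that matter most: third-party principals without an
sts:ExternalId condition, and wildcard principals.
"""
import json

IAM_VERSION = "2012-10-17"


def cross_account_trust_policy(source_account_id, external_id, require_mfa=False):
    """Trust policy for the role in the TARGET account."""
    condition = {"StringEquals": {"sts:ExternalId": external_id}}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "Version": IAM_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": condition,
        }],
    }


def source_permission_policy(target_role_arn):
    """Permission policy on the user or role in the SOURCE account."""
    return {
        "Version": IAM_VERSION,
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Resource": target_role_arn}],
    }


def as_list(value):
    """IAM lets most fields be a string or a list; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def account_of(principal):
    """'arn:aws:iam::111122223333:root' or '111122223333' -> '111122223333'."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def audit_trust_policy(policy, own_accounts):
    """Return human-readable findings for risky sts:AssumeRole grants.

    own_accounts: set of account IDs you control; principals from those
    accounts are allowed to assume without an external ID."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        # Only AWS principals are audited here; Service and Federated principals
        # (slides 1-3 bridges) follow different rules.
        aws_principals = ["*"] if principal == "*" else as_list((principal or {}).get("AWS"))
        condition_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {idx}: wildcard principal; anyone may attempt "
                                f"sts:AssumeRole unless the Condition restricts it")
            elif account_of(p) not in own_accounts and "sts:externalid" not in condition_keys:
                findings.append(f"statement {idx}: third-party principal {p} without an "
                                f"sts:ExternalId condition (confused deputy)")
    return findings


if __name__ == "__main__":
    trust = cross_account_trust_policy("111111111111", "example-external-id", require_mfa=True)
    print(json.dumps(trust, indent=2))
    print(json.dumps(source_permission_policy("arn:aws:iam::999999999999:role/TargetRole"), indent=2))
    print("findings:", audit_trust_policy(trust, own_accounts={"999999999999"}))
```

Run the audit over the output of aws iam get-role (the AssumeRolePolicyDocument field) for every role in an account; a clean result means each external party has both a named principal and an external ID that is unique to them.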
  34. Bridge #5: Custom federation broker
  35. Custom federation broker primer
      • The user authenticates to the broker (AuthN & AuthZ) with an existing credential
      • The broker looks up the user's entitlements and policies
      • The broker calls sts:AssumeRole (or sts:GetFederationToken) with a scoping policy and hands the resulting short-term credential to the user
      Note: mostly a legacy mechanism
  36. Custom broker
      Broker credential -> custom broker -> AWS credential -> Console, API, CLI and data plane APIs (cross-account trust and the other bridges remain on the map: Amazon Cognito; Amazon Redshift, Amazon RDS (Aurora, MySQL), Amazon QuickSight, Amazon AppStream; Windows/Amazon EC2, Amazon WorkSpaces, Amazon RDS (SQL Server), Amazon WorkDocs, Amazon WorkMail; SaaS apps outside AWS)
  37. Wrap-up
  38. Summary
      SAML, OIDC, AD trust, XA trust, custom: many bridges, for different
      • Planes of access
      • Protocols
      • Source credentials
      Remember our mental model: use cases, evaluation, selection, blueprints
  39. Remaining white space
      Image credit: CC0 Public Domain, free for commercial use, http://maxpixel.freegreatpicture.com/Shadow-White-Space-Renovate-Blank-Renovated-Light-763247
  40. Other helpful links
      • SAML:
        • Amazon Redshift: http://amzn.to/2yxWX98
        • Amazon RDS, MySQL, and Amazon Aurora: http://amzn.to/2gjBDvP
        • Amazon AppStream 2.0: http://amzn.to/2gkU17q
        • Amazon QuickSight: http://amzn.to/2xPfyf3
      • OIDC:
        • Amazon Cognito Federated Identities: http://amzn.to/2gl3yvp
        • sts:AssumeRoleWithWebIdentity: http://amzn.to/2yTcOCr
      • AD trust:
        • Amazon RDS SQL Server: http://amzn.to/2glehop
        • WorkDocs: http://amzn.to/2x6CNBz
        • WorkMail: http://amzn.to/2kZFxyZ
      • AWS IAM cross-account trust: http://amzn.to/2kZvRon
      • Custom federation broker: http://amzn.to/2yyqzov
      • Chalice (Python serverless framework for AWS): https://github.com/aws/chalice
  41. Thank you!
