Jim Scharf, Amazon
What’s different in providing identity and access management for one of the largest cloud providers, some of the key technology and design decisions made along the way, and how AWS is working to make it even easier to federate with existing social and enterprise identity providers.
9. Last Year @CIS…
Discussed things that made AWS Identity and Access Management a bit different from traditional corporate IAM:
– Scale
– Resources
– Customers
10. AWS Identity and Access Management
http://aws.amazon.com/iam
55-min Talk:
http://bit.ly/1eZrtbX
Two Minute Overview:
http://youtu.be/Ul6FW4UANGc
16. The Cloud isn’t an ‘All or Nothing’ Choice
[Diagram: Corporate Data Centers / On-Premises Resources linked to Cloud Resources through SAML 2.0 integration]
18. Delivering on the promise of desktop virtualization
• Infrastructure & admin tools
• End user desktop and mobile apps
Fully managed, secure document storage and sharing service for the Enterprise
• Share documents and folders
• Corporate directory integration
• Set user sharing policies
• Audit logs for document and user activity
25. Amazon Cognito and Sync
• Store app data, preferences & state
• Work offline via local data store
• Seamlessly sync across devices
26. Amazon Cognito and Security
• Implement security best practices
• Safeguard AWS credentials
• Set granular access permissions on AWS resources
27. Fully Integrated AWS Mobile SDK
• No back-end programming required
• Common authentication mechanism across all services
• Automatically handle intermittent network connections
• Cross-platform Support: Android, iOS, Fire OS
• Secure access to global AWS services
28. Identity Requirements: Mobile Apps
Mobile: Enterprise
– Identities: Employees
– Scale: 10 – 100K+
– Identity Providers: Corporate
– Security Controls: Enterprise controls, security, audit
– Admin/Integration Needs: Simple programming model, Federation
Mobile: Consumer
– Identities: Consumers
– Scale: 1 M – 1B
– Identity Providers: Web/Social
– Security Controls: Auto per-user isolation
– Admin/Integration Needs: A few lines of client-side code
30. Amazon Cognito for Unauthenticated Identities
Unique Identifier for Your “Things”: “Headless” connected devices can also securely access cloud services.
Save Data to the Cloud: Save app and device data to the cloud and merge them after login.
Guest User Access: Securely access AWS resources and leverage app features without the need to create an account or to log in.
[Diagram: visitor preferences stored in Cognito; a guest identity accessing EC2, S3, DynamoDB and Kinesis]
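The "auto per-user isolation" and "set granular access permissions" points on slides 26, 28 and 30 rest on one mechanism: the role that a Cognito identity pool hands to a caller carries an IAM policy written with the policy variable ${cognito-identity.amazonaws.com:sub}, which IAM resolves to the caller's identity id at evaluation time, so one policy isolates every user without per-user administration. The block below is an added example, not code from the talk or from AWS: it builds such a policy (and a narrower read-only one for the unauthenticated guest role) and checks the isolation property with a small local matcher. The bucket name, prefix layout and identity ids are constructed samples, and the evaluator is a toy stand-in for IAM that handles only Allow statements and Resource wildcards, not Deny or Condition blocks.

```python
"""Per-user isolation for Cognito identities, modelled offline.

Hypothetical example: builds the kind of IAM policy one would attach to a
Cognito identity pool's authenticated role, using the real IAM policy
variable ${cognito-identity.amazonaws.com:sub}, and evaluates it locally
with a minimal matcher so the isolation property can be checked without
calling AWS. Bucket name, prefixes and identity ids are constructed samples.
"""
import fnmatch
import json

# Real IAM policy variable; IAM substitutes the caller's Cognito identity id.
COGNITO_SUB = "${cognito-identity.amazonaws.com:sub}"


def build_per_user_policy(bucket: str) -> dict:
    """Policy for the authenticated role: each identity may list and
    read/write only the prefix named after its own identity id."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnPrefixOnly",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                # s3:prefix is a real condition key; restricts listing to own prefix.
                "Condition": {"StringLike": {"s3:prefix": [f"{COGNITO_SUB}/*"]}},
            },
            {
                "Sid": "ReadWriteOwnObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{COGNITO_SUB}/*"],
            },
        ],
    }


def build_guest_policy(bucket: str) -> dict:
    """Policy for the unauthenticated (guest) role: read-only access to a
    shared public prefix, never to any user's private prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GuestReadSharedPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/public/*"],
            }
        ],
    }


def is_allowed(policy: dict, identity_id: str, action: str, resource_arn: str) -> bool:
    """Toy evaluator: resolve the Cognito variable to the caller's identity id,
    then look for an Allow statement whose Action and Resource pattern match.
    IAM's '*' matches any characters including '/', as fnmatch's does.
    Deny statements and Condition blocks are deliberately not modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        for pattern in stmt["Resource"]:
            resolved = pattern.replace(COGNITO_SUB, identity_id)
            if fnmatch.fnmatchcase(resource_arn, resolved):
                return True
    return False


if __name__ == "__main__":
    bucket = "app-user-data"  # constructed sample bucket name
    alice = "us-east-1:11111111-1111-1111-1111-111111111111"  # constructed id
    bob = "us-east-1:22222222-2222-2222-2222-222222222222"    # constructed id
    policy = build_per_user_policy(bucket)
    print(json.dumps(policy, indent=2))
    own = f"arn:aws:s3:::{bucket}/{alice}/prefs.json"
    other = f"arn:aws:s3:::{bucket}/{bob}/prefs.json"
    print("alice reads own prefs:", is_allowed(policy, alice, "s3:GetObject", own))
    print("alice reads bob's prefs:", is_allowed(policy, alice, "s3:GetObject", other))
```

The same policy document is attached once to the role; isolation comes from the variable, so adding a millionth user needs no policy change, and the guest role gets a policy that never mentions user prefixes at all.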
31. Identity Requirements: Internet of Things
IoT
– Identities: Devices
– Scale: 50 B
– Identity Providers: Web/Social/Personal?
– Security Controls: Varies
– Admin/Integration Needs: Class/attribute based controls
37. Identity Requirements
Infrastructure
– Identities: IT, DevOps
– Scale: 1 – 100+
– Identity Providers: Cloud Provider, Corporate
– Security Controls: Privileged user controls
– Admin/Integration Needs: Federation
Platform
– Identities: Developers
– Scale: 1 – 1,000+
– Identity Providers: Cloud Provider, Corporate, Web/Social
– Security Controls: Start open, then tighten
– Admin/Integration Needs: Simple programming model
Applications
– Identities: Employees
– Scale: 10 – 100K+
– Identity Providers: Corporate
– Security Controls: Enterprise controls, security, audit
– Admin/Integration Needs: Federation
Mobile: Enterprise
– Identities: Employees
– Scale: 10 – 100K+
– Identity Providers: Corporate
– Security Controls: Enterprise controls, security, audit
– Admin/Integration Needs: Simple programming model, Federation
Mobile: Consumer
– Identities: Consumers
– Scale: 1 M – 1B
– Identity Providers: Web/Social
– Security Controls: Auto per-user isolation
– Admin/Integration Needs: A few lines of client-side code
IoT
– Identities: Devices
– Scale: 50 B
– Identity Providers: Web/Social/Personal?
– Security Controls: Varies
– Admin/Integration Needs: Class/attribute based controls
38. Challenges
• Billions of identities
• Millions of authentications/second, latencies ~1ms
• Becomes a large scale distributed systems challenge
• Authorizing trillions of resources
• Audit becomes a big data problem
• Global, high-availability system
• Constant tension of security vs. eventual consistency