
AD Authenticate All The Things


Authentication and authorization to the AWS management console using your on-premises Active Directory isn't all that straightforward, at first. This deck covers the easily adaptable and scalable methodology we created and have been following over the past year, leveraging our existing IdP and adhering to strict naming conventions.

Alan Williams

June 29, 2015


Transcript

  1. Who Am I? (© 2015 Autodesk)
     - Technology Generalist
     - Background in Infrastructure
     - @ Autodesk ~10 years
     - Spoken at OpenWorld, .conf and re:Invent
     - AWS user for ~5 years
     - Motorcyclist
     - Soft spot for pit bulls
     - @alanwill

  2. Who is Autodesk?
     - Leader in 3D design, engineering and entertainment software
     - Introduced AutoCAD in 1982
     - Empowering the Maker movement
     - Helping our customers imagine, design and create a better world
     - ~11,000 global employees

  3. Agenda
     - Problem
     - Solution
     - Demo
     - How
     - Benefits
     - Next

  4. Problem
     - Identity Management
       - Too many
       - Lots of AWS accounts
     - Access Control
       - Too complex to manage
       - Too difficult to enforce
     - Inconvenient
       - What's my password?

  5. Solution
     - AWS Federated Logins
       - IAM Identity Providers
     - On-premises Identity Provider
       - PingFederate, Okta etc.
     - On-premises Identity Store
       - Active Directory
     - SAML
       - Security Assertion Markup Language

  6. Workflow
     *Diagram adapted from AWS STS documentation for Autodesk relevance:
     http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html

  7. #1 - IdP Initiated SSO
     - Go to IdP page
       - Example: https://aws.company.com
     - Enter AD credentials
       - jdoe / ********

  8. #2/3 - Authentication
     - AD
       - Validates credentials
       - Responds with all of the user's security groups to the IdP
     - IdP
       - Applies filters and performs field extraction
       - Sends the client the AWS account(s) + IAM role(s) in the SAML assertion

  9. #4/5/6 - Authorization
     - Client posts assertion to AWS SSO endpoint
     - AWS validates the request and matches AWS account numbers and roles
     - Presents list of AWS accounts to user for sign in

  10. Optional: Multiple Roles

     Role Name           Example IAM Role Policy
     Account-Admin       AdministratorAccess Policy
     Account-ReadOnly    ReadOnlyAccess Policy
     Application-Admins  PowerUserAccess Policy
     Database-Admins     AmazonRDSFullAccess + AmazonRedshiftFullAccess Policies
     Network-Admins      AmazonVPCFullAccess + AWSDirectConnectFullAccess Policies
     Security-Admins     SecurityAudit Policy
     Server-Admins       AmazonEC2FullAccess Policy
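The IdP's filter-and-extract step (#3) and the AWS-side account/role matching step (#5) from the workflow above, using the role names from the table, as an added Python example that is not from the deck. The AD group convention `AWS-<account>-<role>`, the SAML provider name `CorpIdP` and the sample group list are assumptions constructed for the example; the Role attribute name and `role-arn,provider-arn` value format are AWS's.

```python
import re

# Constructed sample input: the security groups AD returns for one user (step #2).
SAMPLE_AD_GROUPS = [
    "Domain Users",
    "AWS-111111111111-Account-Admin",
    "VPN-Users",
    "AWS-222222222222-Security-Admins",
    "AWS-111111111111-Database-Admins",
]

# Assumed naming convention (the deck does not state its own): AWS-<12-digit account>-<role>.
# Comma is excluded from role names because AWS uses it to separate the two ARNs below.
GROUP_RE = re.compile(r"^AWS-(\d{12})-([A-Za-z0-9+=.@_-]+)$")
PROVIDER_NAME = "CorpIdP"  # assumed IAM SAML provider name, created identically in each account
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # SAML attribute AWS reads
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([^,]+)$")


def groups_to_role_values(ad_groups):
    """IdP side (step #3): drop groups outside the convention, extract account and role,
    and emit one 'role-arn,provider-arn' value per group for the Role attribute."""
    values = []
    for group in ad_groups:
        match = GROUP_RE.match(group)
        if not match:
            continue  # unrelated AD group, filtered out
        account, role = match.groups()
        values.append(f"arn:aws:iam::{account}:role/{role},"
                      f"arn:aws:iam::{account}:saml-provider/{PROVIDER_NAME}")
    return values


def match_accounts_and_roles(role_values):
    """AWS side (steps #4/5): accept a value only if it is one well-formed role ARN plus one
    SAML-provider ARN in the same account. Returns the (account, role) choices (step #6)."""
    choices = []
    for value in role_values:
        parsed = [ARN_RE.match(part) for part in value.split(",")]
        if len(parsed) != 2 or not all(parsed):
            continue  # malformed value
        by_kind = {m.group(2): m for m in parsed}
        if set(by_kind) != {"role", "saml-provider"}:
            continue  # need exactly one of each kind (either order is accepted here)
        if by_kind["role"].group(1) != by_kind["saml-provider"].group(1):
            continue  # role and provider in different accounts: rejected
        choices.append((by_kind["role"].group(1), by_kind["role"].group(3)))
    return choices
```

A group outside the convention never produces a Role value, and a value whose role and provider live in different accounts is dropped before the user ever sees it in the account list.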
  11. On-boarding New Accounts
     - Create AD Security Groups following the naming convention
     - Create IAM Identity Provider
     - Create IAM Roles

  12. Managing Access
     - AD security group membership
     - Role based access control

  13. Benefits
     - Standardized authentication
     - Improved security
     - Convenient user experience
     - Flexible
     - Scalable to 100s+ accounts

  14. Next Steps
     - IAM Keys Vending Machine
       - Access/Secret Key self service portal
       - Temporary, expires in 24 hours

  15. Documentation Resources
     - Using Identity Providers: http://goo.gl/qf7NpN
     - Using SAML Providers: http://goo.gl/cBMswu
     - IAM Federated User Access: http://goo.gl/5nIMt9

  16. Autodesk is a registered trademark of Autodesk, Inc., and/or its subsidiaries and/or affiliates in the USA and/or other countries. All other brand names, product names, or trademarks belong to their respective holders. Autodesk reserves the right to alter product and services offerings, and specifications and pricing at any time without notice, and is not responsible for typographical or graphical errors that may appear in this document. © 2015 Autodesk. All rights reserved.