Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Identity on AWS

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for The Scale Factory The Scale Factory
June 21, 2016
Technology
120
1

Identity on AWS

On 21st June 2016, Jon spoke at the London DevOps Meetup about Identity on AWS.

Avatar for The Scale Factory

The Scale Factory

June 21, 2016

More Decks by The Scale Factory

See All by The Scale Factory
re:Invent Recap (January 2025)
Avatar for The Scale Factory scalefactory
0
670
Mastering Security and Compliance on AWS
Avatar for The Scale Factory scalefactory
0
49
The AWS Foundational Technical Review for UK Police Tech
Avatar for The Scale Factory scalefactory
0
330
Application and Platform Modernisation on AWS
Avatar for The Scale Factory scalefactory
0
180
AWS Control Tower for Compliance, Governance, and taming your cloud estate
Avatar for The Scale Factory scalefactory
0
140
Disaster Recovery on AWS
Avatar for The Scale Factory scalefactory
0
220
Navigating the SaaS Transformation Journey
Avatar for The Scale Factory scalefactory
0
94
ISO 27001 on AWS
Avatar for The Scale Factory scalefactory
0
550
How does compliance drive success in SaaS sales?
Avatar for The Scale Factory scalefactory
0
460

Other Decks in Technology

See All in Technology
Socrates × Looker 〜セマンティックレイヤーで進化するデータ分析エージェント〜
Avatar for Uchide Hiroki(ucchi-) hanon52_
0
160
ブロックチェーン / Blockchain
Avatar for Kenji Saito ks91
PRO
0
110
OCI Oracle AI Database Services新機能アップデート(2026/03-2026/05)
Avatar for oracle4engineer oracle4engineer
PRO
0
280
Amazon Bedrock AgentCore ワークショップ JAWS UG TOHOKU / amazon-bedrock-agentcore-workshop-jawsug-tohoku-2026
Avatar for geeawa gawa
8
390
AI-DLCを活用した高品質・安全なAI駆動開発実践 / AI Driven Development with AI-DLC
Avatar for 吉田真吾 yoshidashingo
0
140
AI活用を推進するために ファインディが下した、一つの小さな決断
Avatar for starfish719 starfish719
0
260
データ基盤をDataformで整えた話 〜 開発環境を添えて 〜
Avatar for Takanobu Nozawa takapy
0
120
Agentic Web
Avatar for dynamis dynamis
1
160
生成 AI × MCP で切り拓く次世代 SRE!自律型運用への挑戦と開発者体験の進化
Avatar for _awache _awache
0
160
Databricks における 生成AIガバナンスの実践
Avatar for Takaaki Yayoi taka_aki
1
340
個人最適 から 全体最適 へ AI情報共有会・AIギルド・AI-DLC で進める カンリーの組織展開
Avatar for ふくだ(fukuda ryu) rfdnxbro
0
1.8k
Databricks 月刊サービスアップデート 2026年05月号
Avatar for ちょし tyosi1212
0
210

Featured

See All Featured
How to build an LLM SEO readiness audit: a practical framework
Avatar for Nick Samuel nmsamuel
1
770
Embracing the Ebb and Flow
Avatar for Simon Collison colly
88
5.1k
Impact Scores and Hybrid Strategies: The future of link building
Avatar for Tamara Novitovic tamaranovitovic
0
300
The browser strikes back
Avatar for Jono Alderson jonoalderson
0
1.1k
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
Avatar for Mfonobong Umondia mfonobong
2
430
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
35
2.5k
Game over? The fight for quality and originality in the time of robots
Avatar for Wayne Barker wayneb77
1
190
How to build a perfect <img>
Avatar for Jono Alderson jonoalderson
1
5.6k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
302
52k
Groundhog Day: Seeking Process in Gaming for Health
Avatar for Sebastian Deterding codingconduct
0
200
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
141
7.5k
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
Avatar for Kenny Baas-Schwegler baasie
0
390

Transcript

  1. None

  2. IDENTITY MANAGEMENT IN AWS_ JON TOPPER | @jtopper | he/him/his

  3. IDENTITY_ LATIN LATE LATIN idem same identitas identity quality of

    being identical

  4. IDENTITY ENABLES_ Access Control Trust Delegation Audit Trail Security Compliance

  5. IAM CONCEPTS_ Root User Users Groups Roles Policies Tokens

  6. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

  7. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*",

    "Resource": "*" } ] } PowerUserAccess

  8. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [

    "iam:*LoginProfile", "iam:*AccessKey*", "iam:*SSHPublicKey*" ], "Resource": "arn:aws:iam::00001:user/${aws:username}" }, { "Effect": "Allow", "Action": [ "iam:ListAccount*", "iam:GetAccountSummary", "iam:GetAccountPasswordPolicy", "iam:ListUsers" ], "Resource": "*" } ] } ManageOwnCredentials

  9. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  10. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  11. EC2 ROLES_ $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ci-server-role { "Code" : "Success", "LastUpdated"

    : "2012-04-26T16:39:16Z", "Type" : "AWS-HMAC", "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE", "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "Token" : "token", "Expiration" : "2012-04-27T22:39:16Z" }

  12. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  13. MULTI FACTOR AUTHENTICATION_

  14. IAM BEST PRACTICE_ User Per Individual No Root User Multi-Factor

    Auth Token Least Privilege CloudTrail

  15. CROSS-ACCOUNT ROLE ASSUMPTION_

  16. AssumeCustomerRole Bob Carla ScaleFactoryUser PowerUserAccess CUSTOMER MGMT ACCOUNT (00005) SCALE

    FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt Trust Relationship Policy

  17. CUSTOMER MGMT ACCOUNT (00005) SCALE FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt

    Trust Relationship Policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::00001:root" }, "Action": "sts:AssumeRole", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] } { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ”arn:aws:iam::00005:role/ScaleFactoryUser" } }
  18. None

  19. EXTERNAL SOURCE OF IDENTITY_

  20. None
  21. None

  22. ScaleFactorySSOUser PowerUserAccess Trust Relationship Policy Identity Providers https://blog.faisalmisle.com/2015/11/using-google-apps-saml-sso-to-do-one-click-login-to-aws/

  23. AWS COGNITO_

  24. None

  25. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [

    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource": [ "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"] } } } ] }

  26. YOUR IAM MIGHT NEED WORK IF YOU_ Log in with

    the root account Have >1 identity for each person Don’t use MFA Hard-code tokens in app config

  27. YOU MAY BENEFIT FROM_ Role Assumption Cross-Account Access Federated Identity

    Cognito

  28. KEEP IN TOUCH_ http:/ /www.scalefactory.com/ https:/ /github.com/scalefactory @jtopper / @scalefactory

    [email protected]