Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Identity on AWS

Avatar for The Scale Factory The Scale Factory
June 21, 2016
Technology
1
100

Identity on AWS

On 21st June 2016, Jon spoke at the London DevOps Meetup about Identity on AWS.
Avatar for The Scale Factory

The Scale Factory

June 21, 2016
Tweet

More Decks by The Scale Factory

See All by The Scale Factory
re:Invent Recap (January 2025)
Avatar for The Scale Factory scalefactory
0
450
Mastering Security and Compliance on AWS
Avatar for The Scale Factory scalefactory
0
29
The AWS Foundational Technical Review for UK Police Tech
Avatar for The Scale Factory scalefactory
0
180
Application and Platform Modernisation on AWS
Avatar for The Scale Factory scalefactory
0
120
AWS Control Tower for Compliance, Governance, and taming your cloud estate
Avatar for The Scale Factory scalefactory
0
97
Disaster Recovery on AWS
Avatar for The Scale Factory scalefactory
0
160
Navigating the SaaS Transformation Journey
Avatar for The Scale Factory scalefactory
0
55
ISO 27001 on AWS
Avatar for The Scale Factory scalefactory
0
470
How does compliance drive success in SaaS sales?
Avatar for The Scale Factory scalefactory
0
330

Other Decks in Technology

See All in Technology
“社内”だけで完結していた私が、AWS Community Builder になるまで
Avatar for nagisa_53 nagisa53
1
380
Understanding_Thread_Tuning_for_Inference_Servers_of_Deep_Models.pdf
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
120
AIのAIによるAIのための出力評価と改善
Avatar for たまねぎ chocoyama
2
550
PHPでWebブラウザのレンダリングエンジンを実装する
Avatar for ディップ株式会社 dip_tech
PRO
0
200
監視のこれまでとこれから/sakura monitoring seminar 2025
Avatar for FUJIWARA Shunichiro fujiwara3
11
3.9k
2年でここまで成長!AWSで育てたAI Slack botの軌跡
Avatar for iwamot iwamot
PRO
4
700
Postman AI エージェントビルダー最新情報
Avatar for 草薙昭彦 nagix
0
110
5min GuardDuty Extended Threat Detection EKS
Avatar for takakuni takakuni
0
140
AWS Summit Japan 2025 Community Stage - App workflow automation by AWS Step Functions
Avatar for matsuihidetoshi matsuihidetoshi
1
260
A2Aのクライアントを自作する
Avatar for Ryunosuke Iwai rynsuke
1
170
Node-RED × MCP 勉強会 vol.1
Avatar for 1ft-seabass 1ftseabass
PRO
0
140
OpenHands🤲にContributeしてみた
Avatar for kotauchisunsun kotauchisunsun
1
430

Featured

See All Featured
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
30
2.1k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
Avatar for mongodb mongodb
46
9.6k
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
15
1.5k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
36
2.8k
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
160
23k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
331
22k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
351
20k
How GitHub (no longer) Works
Avatar for Zach Holman holman
314
140k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
299
21k
Code Review Best Practice
Avatar for Trisha Gee trishagee
68
18k
Docker and Python
Avatar for Tania Allard trallard
44
3.4k
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
28
5.4k

Transcript

  1. None

  2. IDENTITY MANAGEMENT IN AWS_ JON TOPPER | @jtopper | he/him/his

  3. IDENTITY_ LATIN LATE LATIN idem same identitas identity quality of

    being identical

  4. IDENTITY ENABLES_ Access Control Trust Delegation Audit Trail Security Compliance

  5. IAM CONCEPTS_ Root User Users Groups Roles Policies Tokens

  6. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

  7. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*",

    "Resource": "*" } ] } PowerUserAccess

  8. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [

    "iam:*LoginProfile", "iam:*AccessKey*", "iam:*SSHPublicKey*" ], "Resource": "arn:aws:iam::00001:user/${aws:username}" }, { "Effect": "Allow", "Action": [ "iam:ListAccount*", "iam:GetAccountSummary", "iam:GetAccountPasswordPolicy", "iam:ListUsers" ], "Resource": "*" } ] } ManageOwnCredentials

  9. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  10. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  11. EC2 ROLES_ $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ci-server-role { "Code" : "Success", "LastUpdated"

    : "2012-04-26T16:39:16Z", "Type" : "AWS-HMAC", "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE", "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "Token" : "token", "Expiration" : "2012-04-27T22:39:16Z" }

  12. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  13. MULTI FACTOR AUTHENTICATION_

  14. IAM BEST PRACTICE_ User Per Individual No Root User Multi-Factor

    Auth Token Least Privilege CloudTrail

  15. CROSS-ACCOUNT ROLE ASSUMPTION_

  16. AssumeCustomerRole Bob Carla ScaleFactoryUser PowerUserAccess CUSTOMER MGMT ACCOUNT (00005) SCALE

    FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt Trust Relationship Policy

  17. CUSTOMER MGMT ACCOUNT (00005) SCALE FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt

    Trust Relationship Policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::00001:root" }, "Action": "sts:AssumeRole", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] } { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ”arn:aws:iam::00005:role/ScaleFactoryUser" } }
  18. None

  19. EXTERNAL SOURCE OF IDENTITY_

  20. None
  21. None

  22. ScaleFactorySSOUser PowerUserAccess Trust Relationship Policy Identity Providers https://blog.faisalmisle.com/2015/11/using-google-apps-saml-sso-to-do-one-click-login-to-aws/

  23. AWS COGNITO_

  24. None

  25. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [

    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource": [ "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"] } } } ] }

  26. YOUR IAM MIGHT NEED WORK IF YOU_ Log in with

    the root account Have >1 identity for each person Don’t use MFA Hard-code tokens in app config

  27. YOU MAY BENEFIT FROM_ Role Assumption Cross-Account Access Federated Identity

    Cognito

  28. KEEP IN TOUCH_ http:/ /www.scalefactory.com/ https:/ /github.com/scalefactory @jtopper / @scalefactory

    [email protected]