Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Identity on AWS

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for The Scale Factory The Scale Factory
June 21, 2016
Technology
1
110

Identity on AWS

On 21st June 2016, Jon spoke at the London DevOps Meetup about Identity on AWS.

Avatar for The Scale Factory

The Scale Factory

June 21, 2016
Tweet

More Decks by The Scale Factory

See All by The Scale Factory
re:Invent Recap (January 2025)
Avatar for The Scale Factory scalefactory
0
650
Mastering Security and Compliance on AWS
Avatar for The Scale Factory scalefactory
0
37
The AWS Foundational Technical Review for UK Police Tech
Avatar for The Scale Factory scalefactory
0
270
Application and Platform Modernisation on AWS
Avatar for The Scale Factory scalefactory
0
150
AWS Control Tower for Compliance, Governance, and taming your cloud estate
Avatar for The Scale Factory scalefactory
0
120
Disaster Recovery on AWS
Avatar for The Scale Factory scalefactory
0
180
Navigating the SaaS Transformation Journey
Avatar for The Scale Factory scalefactory
0
66
ISO 27001 on AWS
Avatar for The Scale Factory scalefactory
0
510
How does compliance drive success in SaaS sales?
Avatar for The Scale Factory scalefactory
0
410

Other Decks in Technology

See All in Technology
Introduction to Sansan for Engineers / エンジニア向け会社紹介
Avatar for Sansan, Inc. sansan33
PRO
6
68k
IaaS/SaaS管理における SREの実践 - SRE Kaigi 2026
Avatar for Shun bbqallstars
4
2.2k
GitHub Issue Templates + Coding Agentで簡単みんなでIaC/Easy IaC for Everyone with GitHub Issue Templates + Coding Agent
Avatar for AEON aeonpeople
1
220
M&A 後の統合をどう進めるか ─ ナレッジワーク × Poetics が実践した組織とシステムの融合
Avatar for KNOWLEDGE WORK / 株式会社ナレッジワーク kworkdev
PRO
1
430
All About Sansan – for New Global Engineers
Avatar for Sansan, Inc. sansan33
PRO
1
1.3k
SREチームをどう作り、どう育てるか ― Findy横断SREのマネジメント
Avatar for adachi.ryo rvirus0817
0
220
レガシー共有バッチ基盤への挑戦 - SREドリブンなリアーキテクチャリングの取り組み
Avatar for Konishi tatsuhiro tatsukoni
0
210
外部キー制約の知っておいて欲しいこと - RDBMSを正しく使うために必要なこと / FOREIGN KEY Night
Avatar for soudai sone soudai
PRO
12
5.4k
プロダクト成長を支える開発基盤とスケールに伴う課題
Avatar for yuu26 yuu26
4
1.3k
小さく始めるBCP ― 多プロダクト環境で始める最初の一歩
Avatar for kekke-n kekke_n
1
400
usermode linux without MMU - fosdem2026 kernel devroom
Avatar for Hajime Tazaki thehajime
0
230
Greatest Disaster Hits in Web Performance
Avatar for Estela Franco guaca
0
220

Featured

See All Featured
<Decoding/> the Language of Devs - We Love SEO 2024
Avatar for Nikki Halliwell nikkihalliwell
1
130
The MySQL Ecosystem @ GitHub 2015
Avatar for Sam Lambert samlambert
251
13k
Faster Mobile Websites
Avatar for Dean Hume deanohume
310
31k
AI: The stuff that nobody shows you
Avatar for John Nunemaker jnunemaker
PRO
2
250
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
240
A better future with KSS
Avatar for Kyle Neath kneath
240
18k
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
Avatar for Sophie Logan marketingsoph
0
74
Organizational Design Perspectives: An Ontology of Organizational Design Elements
Avatar for Dr. Kim W Petersen kimpetersen
PRO
1
190
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9.5k
How Fast Is Fast Enough? [PerfNow 2025]
Avatar for Tammy Everts tammyeverts
3
450
A Soul's Torment
Avatar for Nat Ma seathinner
5
2.2k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
21
1.4k

Transcript

  1. None

  2. IDENTITY MANAGEMENT IN AWS_ JON TOPPER | @jtopper | he/him/his

  3. IDENTITY_ LATIN LATE LATIN idem same identitas identity quality of

    being identical

  4. IDENTITY ENABLES_ Access Control Trust Delegation Audit Trail Security Compliance

  5. IAM CONCEPTS_ Root User Users Groups Roles Policies Tokens

  6. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

  7. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*",

    "Resource": "*" } ] } PowerUserAccess

  8. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [

    "iam:*LoginProfile", "iam:*AccessKey*", "iam:*SSHPublicKey*" ], "Resource": "arn:aws:iam::00001:user/${aws:username}" }, { "Effect": "Allow", "Action": [ "iam:ListAccount*", "iam:GetAccountSummary", "iam:GetAccountPasswordPolicy", "iam:ListUsers" ], "Resource": "*" } ] } ManageOwnCredentials

  9. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  10. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  11. EC2 ROLES_ $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ci-server-role { "Code" : "Success", "LastUpdated"

    : "2012-04-26T16:39:16Z", "Type" : "AWS-HMAC", "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE", "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "Token" : "token", "Expiration" : "2012-04-27T22:39:16Z" }

  12. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  13. MULTI FACTOR AUTHENTICATION_

  14. IAM BEST PRACTICE_ User Per Individual No Root User Multi-Factor

    Auth Token Least Privilege CloudTrail

  15. CROSS-ACCOUNT ROLE ASSUMPTION_

  16. AssumeCustomerRole Bob Carla ScaleFactoryUser PowerUserAccess CUSTOMER MGMT ACCOUNT (00005) SCALE

    FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt Trust Relationship Policy

  17. CUSTOMER MGMT ACCOUNT (00005) SCALE FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt

    Trust Relationship Policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::00001:root" }, "Action": "sts:AssumeRole", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] } { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ”arn:aws:iam::00005:role/ScaleFactoryUser" } }
  18. None

  19. EXTERNAL SOURCE OF IDENTITY_

  20. None
  21. None

  22. ScaleFactorySSOUser PowerUserAccess Trust Relationship Policy Identity Providers https://blog.faisalmisle.com/2015/11/using-google-apps-saml-sso-to-do-one-click-login-to-aws/

  23. AWS COGNITO_

  24. None

  25. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [

    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource": [ "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"] } } } ] }

  26. YOUR IAM MIGHT NEED WORK IF YOU_ Log in with

    the root account Have >1 identity for each person Don’t use MFA Hard-code tokens in app config

  27. YOU MAY BENEFIT FROM_ Role Assumption Cross-Account Access Federated Identity

    Cognito

  28. KEEP IN TOUCH_ http:/ /www.scalefactory.com/ https:/ /github.com/scalefactory @jtopper / @scalefactory

    [email protected]