Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Identity on AWS

Avatar for The Scale Factory The Scale Factory
June 21, 2016
Technology
1
110

Identity on AWS

On 21st June 2016, Jon spoke at the London DevOps Meetup about Identity on AWS.

Avatar for The Scale Factory

The Scale Factory

June 21, 2016
Tweet

More Decks by The Scale Factory

See All by The Scale Factory
re:Invent Recap (January 2025)
Avatar for The Scale Factory scalefactory
0
620
Mastering Security and Compliance on AWS
Avatar for The Scale Factory scalefactory
0
34
The AWS Foundational Technical Review for UK Police Tech
Avatar for The Scale Factory scalefactory
0
230
Application and Platform Modernisation on AWS
Avatar for The Scale Factory scalefactory
0
130
AWS Control Tower for Compliance, Governance, and taming your cloud estate
Avatar for The Scale Factory scalefactory
0
110
Disaster Recovery on AWS
Avatar for The Scale Factory scalefactory
0
170
Navigating the SaaS Transformation Journey
Avatar for The Scale Factory scalefactory
0
58
ISO 27001 on AWS
Avatar for The Scale Factory scalefactory
0
480
How does compliance drive success in SaaS sales?
Avatar for The Scale Factory scalefactory
0
360

Other Decks in Technology

See All in Technology
​Vibe Coding Year in Review. From Karpathy to Real-World Agents by Niels Rolland, CEO Paatch
Avatar for Strapi vcoisne
0
130
『OCI で学ぶクラウドネイティブ 実践 × 理論ガイド』 書籍概要
Avatar for oracle4engineer oracle4engineer
PRO
3
210
from Sakichi Toyoda to Agile
Avatar for Yasunobu Kawaguchi kawaguti
PRO
1
120
ACA でMAGI システムを社内で展開しようとした話
Avatar for Yuji Masaoka | まっぴぃ mappie_kochi
1
320
神回のメカニズムと再現方法/Mechanisms and Playbook for Kamikai scrumat2025
Avatar for moriyuya moriyuya
4
730
Performance Insights 廃止から Database Insights 利用へ/transition-from-performance-insights-to-database-insights
Avatar for emi emiki
0
240
セキュアな認可付きリモートMCPサーバーをAWSマネージドサービスでつくろう! / Let's build an OAuth protected remote MCP server based on AWS managed services
Avatar for 株式会社カミナシ kaminashi
3
310
Codexとも仲良く。CodeRabbit CLIの紹介
Avatar for Atsushi Nakatsugawa moongift
PRO
0
190
10年の共創が示す、これからの開発者と企業の関係 ~ Crossroad
Avatar for SORACOM soracom
PRO
1
730
能登半島災害現場エンジニアクロストーク 【JAWS FESTA 2025 in 金沢】
Avatar for Masakatsu Sugii ditccsugii
0
570
そのWAFのブロック、どう活かす? サービスを守るための実践的多層防御と思考法 / WAF blocks defense decision
Avatar for 株式会社カミナシ kaminashi
0
190
Developer Advocate / Community Managerなるには?
Avatar for tsho tsho
0
140

Featured

See All Featured
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
The Art of Programming - Codeland 2020
Avatar for Erika Heidi erikaheidi
56
14k
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
15
1.7k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
189
55k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.2k
The MySQL Ecosystem @ GitHub 2015
Avatar for Sam Lambert samlambert
251
13k
Writing Fast Ruby
Avatar for Erik Berlin sferik
629
62k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
7
900
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.2k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
65
7.9k

Transcript

  1. None

  2. IDENTITY MANAGEMENT IN AWS_ JON TOPPER | @jtopper | he/him/his

  3. IDENTITY_ LATIN LATE LATIN idem same identitas identity quality of

    being identical

  4. IDENTITY ENABLES_ Access Control Trust Delegation Audit Trail Security Compliance

  5. IAM CONCEPTS_ Root User Users Groups Roles Policies Tokens

  6. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

  7. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*",

    "Resource": "*" } ] } PowerUserAccess

  8. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [

    "iam:*LoginProfile", "iam:*AccessKey*", "iam:*SSHPublicKey*" ], "Resource": "arn:aws:iam::00001:user/${aws:username}" }, { "Effect": "Allow", "Action": [ "iam:ListAccount*", "iam:GetAccountSummary", "iam:GetAccountPasswordPolicy", "iam:ListUsers" ], "Resource": "*" } ] } ManageOwnCredentials

  9. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  10. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  11. EC2 ROLES_ $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ci-server-role { "Code" : "Success", "LastUpdated"

    : "2012-04-26T16:39:16Z", "Type" : "AWS-HMAC", "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE", "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "Token" : "token", "Expiration" : "2012-04-27T22:39:16Z" }

  12. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  13. MULTI FACTOR AUTHENTICATION_

  14. IAM BEST PRACTICE_ User Per Individual No Root User Multi-Factor

    Auth Token Least Privilege CloudTrail

  15. CROSS-ACCOUNT ROLE ASSUMPTION_

  16. AssumeCustomerRole Bob Carla ScaleFactoryUser PowerUserAccess CUSTOMER MGMT ACCOUNT (00005) SCALE

    FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt Trust Relationship Policy

  17. CUSTOMER MGMT ACCOUNT (00005) SCALE FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt

    Trust Relationship Policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::00001:root" }, "Action": "sts:AssumeRole", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] } { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ”arn:aws:iam::00005:role/ScaleFactoryUser" } }
  18. None

  19. EXTERNAL SOURCE OF IDENTITY_

  20. None
  21. None

  22. ScaleFactorySSOUser PowerUserAccess Trust Relationship Policy Identity Providers https://blog.faisalmisle.com/2015/11/using-google-apps-saml-sso-to-do-one-click-login-to-aws/

  23. AWS COGNITO_

  24. None

  25. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [

    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource": [ "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"] } } } ] }

  26. YOUR IAM MIGHT NEED WORK IF YOU_ Log in with

    the root account Have >1 identity for each person Don’t use MFA Hard-code tokens in app config

  27. YOU MAY BENEFIT FROM_ Role Assumption Cross-Account Access Federated Identity

    Cognito

  28. KEEP IN TOUCH_ http:/ /www.scalefactory.com/ https:/ /github.com/scalefactory @jtopper / @scalefactory

    [email protected]