Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Identity on AWS
Search
The Scale Factory
June 21, 2016
Technology
120
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Identity on AWS
On 21st June 2016, Jon spoke at the London DevOps Meetup about Identity on AWS.
The Scale Factory
June 21, 2016
More Decks by The Scale Factory
See All by The Scale Factory
re:Invent Recap (January 2025)
scalefactory
0
680
Mastering Security and Compliance on AWS
scalefactory
0
54
The AWS Foundational Technical Review for UK Police Tech
scalefactory
0
340
Application and Platform Modernisation on AWS
scalefactory
0
180
AWS Control Tower for Compliance, Governance, and taming your cloud estate
scalefactory
0
140
Disaster Recovery on AWS
scalefactory
0
230
Navigating the SaaS Transformation Journey
scalefactory
0
110
ISO 27001 on AWS
scalefactory
0
550
How does compliance drive success in SaaS sales?
scalefactory
0
470
Other Decks in Technology
See All in Technology
Empower GenAI with Agile - あなたのアジャイルが生成AIのバフになる仕組み
hageyahhoo
1
160
CIで使うClaude
iwatatomoya
0
220
cccccc
moznion
0
1.9k
product engineering with qa
nealle
0
160
Text-to-SQLをAgentCoreで実現し、生成されるSQLの精度を定量的に評価する
yakumo
2
770
アカウントが増えてからでは遅い? ~ マルチアカウント統制の勘所 ~
kenichinakamura
0
220
インフラ寄りSREでも 開発に踏み出せる〜境界を越えてユーザー体験に向き合いたい〜
sansantech
PRO
2
3.3k
Claude Code 珍プレー好プレー
shinyasaita
0
310
FinOps X 2026 Recap from Engineer Side #JapanFinOps
chacco38
0
270
美しいコードを書くためにF#を学んでみた話
yud0uhu
1
400
[2026-07-15] AI Ready なはずだったアーキテクチャと、見えてきた課題・次に目指す状態
wxyzzz
4
1.7k
AWS Blocks を触ってみた/first-tach-aws-blocks
fossamagna
2
150
Featured
See All Featured
Efficient Content Optimization with Google Search Console & Apps Script
katarinadahlin
PRO
1
670
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
2.1k
How to build an LLM SEO readiness audit: a practical framework
nmsamuel
1
800
What does AI have to do with Human Rights?
axbom
PRO
1
2.2k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4.3k
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
konakalab
0
490
AI Search: Where Are We & What Can We Do About It?
aleyda
0
7.7k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
Fireside Chat
paigeccino
42
4k
Designing for Performance
lara
611
70k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
55
3.4k
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
techseoconnect
PRO
0
200
Transcript
None
IDENTITY MANAGEMENT IN AWS_ JON TOPPER | @jtopper | he/him/his
IDENTITY_ LATIN LATE LATIN idem same identitas identity quality of
being identical
IDENTITY ENABLES_ Access Control Trust Delegation Audit Trail Security Compliance
IAM CONCEPTS_ Root User Users Groups Roles Policies Tokens
Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*",
"Resource": "*" } ] } PowerUserAccess
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [
"iam:*LoginProfile", "iam:*AccessKey*", "iam:*SSHPublicKey*" ], "Resource": "arn:aws:iam::00001:user/${aws:username}" }, { "Effect": "Allow", "Action": [ "iam:ListAccount*", "iam:GetAccountSummary", "iam:GetAccountPasswordPolicy", "iam:ListUsers" ], "Resource": "*" } ] } ManageOwnCredentials
Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci
ManageOwnCredentials
Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci
ManageOwnCredentials
EC2 ROLES_ $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ci-server-role { "Code" : "Success", "LastUpdated"
: "2012-04-26T16:39:16Z", "Type" : "AWS-HMAC", "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE", "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "Token" : "token", "Expiration" : "2012-04-27T22:39:16Z" }
Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci
ManageOwnCredentials
MULTI FACTOR AUTHENTICATION_
IAM BEST PRACTICE_ User Per Individual No Root User Multi-Factor
Auth Token Least Privilege CloudTrail
CROSS-ACCOUNT ROLE ASSUMPTION_
AssumeCustomerRole Bob Carla ScaleFactoryUser PowerUserAccess CUSTOMER MGMT ACCOUNT (00005) SCALE
FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt Trust Relationship Policy
CUSTOMER MGMT ACCOUNT (00005) SCALE FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt
Trust Relationship Policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::00001:root" }, "Action": "sts:AssumeRole", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] } { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ”arn:aws:iam::00005:role/ScaleFactoryUser" } }
None
EXTERNAL SOURCE OF IDENTITY_
None
None
ScaleFactorySSOUser PowerUserAccess Trust Relationship Policy Identity Providers https://blog.faisalmisle.com/2015/11/using-google-apps-saml-sso-to-do-one-click-login-to-aws/
AWS COGNITO_
None
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [
"dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource": [ "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"] } } } ] }
YOUR IAM MIGHT NEED WORK IF YOU_ Log in with
the root account Have >1 identity for each person Don’t use MFA Hard-code tokens in app config
YOU MAY BENEFIT FROM_ Role Assumption Cross-Account Access Federated Identity
Cognito
KEEP IN TOUCH_ http:/ /www.scalefactory.com/ https:/ /github.com/scalefactory @jtopper / @scalefactory
[email protected]