Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Identity on AWS

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for The Scale Factory The Scale Factory
June 21, 2016
Technology
1
110

Identity on AWS

On 21st June 2016, Jon spoke at the London DevOps Meetup about Identity on AWS.

Avatar for The Scale Factory

The Scale Factory

June 21, 2016
Tweet

More Decks by The Scale Factory

See All by The Scale Factory
re:Invent Recap (January 2025)
Avatar for The Scale Factory scalefactory
0
650
Mastering Security and Compliance on AWS
Avatar for The Scale Factory scalefactory
0
37
The AWS Foundational Technical Review for UK Police Tech
Avatar for The Scale Factory scalefactory
0
270
Application and Platform Modernisation on AWS
Avatar for The Scale Factory scalefactory
0
150
AWS Control Tower for Compliance, Governance, and taming your cloud estate
Avatar for The Scale Factory scalefactory
0
120
Disaster Recovery on AWS
Avatar for The Scale Factory scalefactory
0
180
Navigating the SaaS Transformation Journey
Avatar for The Scale Factory scalefactory
0
66
ISO 27001 on AWS
Avatar for The Scale Factory scalefactory
0
510
How does compliance drive success in SaaS sales?
Avatar for The Scale Factory scalefactory
0
410

Other Decks in Technology

See All in Technology
30万人の同時アクセスに耐えたい!新サービスの盤石なリリースを支える負荷試験 / SRE Kaigi 2026
Avatar for GENDA genda
4
1.2k
超初心者からでも大丈夫!オープンソース半導体の楽しみ方〜今こそ!オレオレチップをつくろう〜
Avatar for Yamada3 keropiyo
0
110
We Built for Predictability; The Workloads Didn’t Care
Avatar for Michael Stahnke stahnma
0
140
Tebiki Engineering Team Deck
Avatar for Tebiki, Inc. tebiki
0
24k
小さく始めるBCP ― 多プロダクト環境で始める最初の一歩
Avatar for kekke-n kekke_n
1
400
ZOZOにおけるAI活用の現在 ~開発組織全体での取り組みと試行錯誤~
Avatar for ZOZO Developers zozotech
PRO
5
5.2k
Introduction to Bill One Development Engineer
Avatar for Sansan, Inc. sansan33
PRO
0
360
StrandsとNeptuneを使ってナレッジグラフを構築する
Avatar for やくも yakumo
1
110
クレジットカード決済基盤を支えるSRE - 厳格な監査とSRE運用の両立 (SRE Kaigi 2026)
Avatar for capytan capytan
6
2.7k
プロダクト成長を支える開発基盤とスケールに伴う課題
Avatar for yuu26 yuu26
4
1.3k
データの整合性を保ちたいだけなんだ
Avatar for ShoheiMitani shoheimitani
8
3.1k
AWS Network Firewall Proxyを触ってみた
Avatar for nagisa_53 nagisa53
1
220

Featured

See All Featured
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9.5k
Public Speaking Without Barfing On Your Shoes - THAT 2023
Avatar for David Neal reverentgeek
1
300
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
333
22k
Technical Leadership for Architectural Decision Making
Avatar for Kenny Baas-Schwegler baasie
1
240
Navigating the moral maze — ethical principles for Al-driven product design
Avatar for Skipper Chong Warson skipperchong
2
240
Odyssey Design
Avatar for Ryan Kendrick rkendrick25
PRO
1
490
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
191
11k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9.1k
AI in Enterprises - Java and Open Source to the Rescue
Avatar for ivargrimstad ivargrimstad
0
1.1k
Crafting Experiences
Avatar for Bethany Jepchumba bethany
1
48
Test your architecture with Archunit
Avatar for Yoan thirion
1
2.1k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
234
18k

Transcript

  1. None

  2. IDENTITY MANAGEMENT IN AWS_ JON TOPPER | @jtopper | he/him/his

  3. IDENTITY_ LATIN LATE LATIN idem same identitas identity quality of

    being identical

  4. IDENTITY ENABLES_ Access Control Trust Delegation Audit Trail Security Compliance

  5. IAM CONCEPTS_ Root User Users Groups Roles Policies Tokens

  6. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

  7. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*",

    "Resource": "*" } ] } PowerUserAccess

  8. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [

    "iam:*LoginProfile", "iam:*AccessKey*", "iam:*SSHPublicKey*" ], "Resource": "arn:aws:iam::00001:user/${aws:username}" }, { "Effect": "Allow", "Action": [ "iam:ListAccount*", "iam:GetAccountSummary", "iam:GetAccountPasswordPolicy", "iam:ListUsers" ], "Resource": "*" } ] } ManageOwnCredentials

  9. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  10. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  11. EC2 ROLES_ $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ci-server-role { "Code" : "Success", "LastUpdated"

    : "2012-04-26T16:39:16Z", "Type" : "AWS-HMAC", "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE", "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "Token" : "token", "Expiration" : "2012-04-27T22:39:16Z" }

  12. Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci

    ManageOwnCredentials

  13. MULTI FACTOR AUTHENTICATION_

  14. IAM BEST PRACTICE_ User Per Individual No Root User Multi-Factor

    Auth Token Least Privilege CloudTrail

  15. CROSS-ACCOUNT ROLE ASSUMPTION_

  16. AssumeCustomerRole Bob Carla ScaleFactoryUser PowerUserAccess CUSTOMER MGMT ACCOUNT (00005) SCALE

    FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt Trust Relationship Policy

  17. CUSTOMER MGMT ACCOUNT (00005) SCALE FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt

    Trust Relationship Policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::00001:root" }, "Action": "sts:AssumeRole", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] } { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ”arn:aws:iam::00005:role/ScaleFactoryUser" } }
  18. None

  19. EXTERNAL SOURCE OF IDENTITY_

  20. None
  21. None

  22. ScaleFactorySSOUser PowerUserAccess Trust Relationship Policy Identity Providers https://blog.faisalmisle.com/2015/11/using-google-apps-saml-sso-to-do-one-click-login-to-aws/

  23. AWS COGNITO_

  24. None

  25. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [

    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource": [ "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"] } } } ] }

  26. YOUR IAM MIGHT NEED WORK IF YOU_ Log in with

    the root account Have >1 identity for each person Don’t use MFA Hard-code tokens in app config

  27. YOU MAY BENEFIT FROM_ Role Assumption Cross-Account Access Federated Identity

    Cognito

  28. KEEP IN TOUCH_ http:/ /www.scalefactory.com/ https:/ /github.com/scalefactory @jtopper / @scalefactory

    [email protected]