Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Identity on AWS
Search
The Scale Factory
June 21, 2016
Technology
1
100
Identity on AWS
On 21st June 2016, Jon spoke at the London DevOps Meetup about Identity on AWS.
The Scale Factory
June 21, 2016
Tweet
Share
More Decks by The Scale Factory
See All by The Scale Factory
re:Invent Recap (January 2025)
scalefactory
0
370
Mastering Security and Compliance on AWS
scalefactory
0
21
The AWS Foundational Technical Review for UK Police Tech
scalefactory
0
130
Application and Platform Modernisation on AWS
scalefactory
0
100
AWS Control Tower for Compliance, Governance, and taming your cloud estate
scalefactory
0
79
Disaster Recovery on AWS
scalefactory
0
150
Navigating the SaaS Transformation Journey
scalefactory
0
42
ISO 27001 on AWS
scalefactory
0
430
How does compliance drive success in SaaS sales?
scalefactory
0
300
Other Decks in Technology
See All in Technology
開発者体験を定量的に把握する手法と活用事例
ham0215
0
150
[OpsJAWS Meetup33 AIOps] Amazon Bedrockガードレールで守る安全なAI運用
akiratameto
1
140
遷移の高速化 ヤフートップの試行錯誤
narirou
6
2k
MLflowはどのようにLLMOpsの課題を解決するのか
taka_aki
0
150
Log Analytics を使った実際の運用 - Sansan Data Hub での取り組み
sansantech
PRO
0
150
Pwned Labsのすゝめ
ken5scal
2
580
Cracking the Coding Interview 6th Edition
gdplabs
14
28k
フォーイット_エンジニア向け会社紹介資料_Forit_Company_Profile.pdf
forit_tech
1
1.7k
サバイバルモード下でのエンジニアリングマネジメント
konifar
24
7.7k
困難を「一般解」で解く
fujiwara3
8
2.4k
エンジニア主導の企画立案を可能にする組織とは?
recruitengineers
PRO
1
320
Snowflake ML モデルを dbt データパイプラインに組み込む
estie
0
120
Featured
See All Featured
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.7k
Fashionably flexible responsive web design (full day workshop)
malarkey
406
66k
Making the Leap to Tech Lead
cromwellryan
133
9.1k
RailsConf 2023
tenderlove
29
1k
The Cost Of JavaScript in 2023
addyosmani
47
7.5k
Practical Orchestrator
shlominoach
186
10k
Navigating Team Friction
lara
183
15k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
How to Think Like a Performance Engineer
csswizardry
22
1.4k
Side Projects
sachag
452
42k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.5k
Transcript
None
IDENTITY MANAGEMENT IN AWS_ JON TOPPER | @jtopper | he/him/his
IDENTITY_ LATIN LATE LATIN idem same identitas identity quality of
being identical
IDENTITY ENABLES_ Access Control Trust Delegation Audit Trail Security Compliance
IAM CONCEPTS_ Root User Users Groups Roles Policies Tokens
Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*",
"Resource": "*" } ] } PowerUserAccess
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [
"iam:*LoginProfile", "iam:*AccessKey*", "iam:*SSHPublicKey*" ], "Resource": "arn:aws:iam::00001:user/${aws:username}" }, { "Effect": "Allow", "Action": [ "iam:ListAccount*", "iam:GetAccountSummary", "iam:GetAccountPasswordPolicy", "iam:ListUsers" ], "Resource": "*" } ] } ManageOwnCredentials
Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci
ManageOwnCredentials
Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci
ManageOwnCredentials
EC2 ROLES_ $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ci-server-role { "Code" : "Success", "LastUpdated"
: "2012-04-26T16:39:16Z", "Type" : "AWS-HMAC", "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE", "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "Token" : "token", "Expiration" : "2012-04-27T22:39:16Z" }
Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci
ManageOwnCredentials
MULTI FACTOR AUTHENTICATION_
IAM BEST PRACTICE_ User Per Individual No Root User Multi-Factor
Auth Token Least Privilege CloudTrail
CROSS-ACCOUNT ROLE ASSUMPTION_
AssumeCustomerRole Bob Carla ScaleFactoryUser PowerUserAccess CUSTOMER MGMT ACCOUNT (00005) SCALE
FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt Trust Relationship Policy
CUSTOMER MGMT ACCOUNT (00005) SCALE FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt
Trust Relationship Policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::00001:root" }, "Action": "sts:AssumeRole", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] } { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ”arn:aws:iam::00005:role/ScaleFactoryUser" } }
None
EXTERNAL SOURCE OF IDENTITY_
None
None
ScaleFactorySSOUser PowerUserAccess Trust Relationship Policy Identity Providers https://blog.faisalmisle.com/2015/11/using-google-apps-saml-sso-to-do-one-click-login-to-aws/
AWS COGNITO_
None
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [
"dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource": [ "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"] } } } ] }
YOUR IAM MIGHT NEED WORK IF YOU_ Log in with
the root account Have >1 identity for each person Don’t use MFA Hard-code tokens in app config
YOU MAY BENEFIT FROM_ Role Assumption Cross-Account Access Federated Identity
Cognito
KEEP IN TOUCH_ http:/ /www.scalefactory.com/ https:/ /github.com/scalefactory @jtopper / @scalefactory
jon@scalefactory.com