Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Identity on AWS
Search
The Scale Factory
June 21, 2016
Technology
1
100
Identity on AWS
On 21st June 2016, Jon spoke at the London DevOps Meetup about Identity on AWS.
The Scale Factory
June 21, 2016
Tweet
Share
More Decks by The Scale Factory
See All by The Scale Factory
re:Invent Recap (January 2025)
scalefactory
0
370
Mastering Security and Compliance on AWS
scalefactory
0
21
The AWS Foundational Technical Review for UK Police Tech
scalefactory
0
130
Application and Platform Modernisation on AWS
scalefactory
0
100
AWS Control Tower for Compliance, Governance, and taming your cloud estate
scalefactory
0
79
Disaster Recovery on AWS
scalefactory
0
150
Navigating the SaaS Transformation Journey
scalefactory
0
41
ISO 27001 on AWS
scalefactory
0
430
How does compliance drive success in SaaS sales?
scalefactory
0
300
Other Decks in Technology
See All in Technology
遷移の高速化 ヤフートップの試行錯誤
narirou
6
1.9k
Amazon Athenaから利用時のGlueのIcebergテーブルのメンテナンスについて
nayuts
0
110
【Snowflake九州ユーザー会#2】BigQueryとSnowflakeを比較してそれぞれの良し悪しを掴む / BigQuery vs Snowflake: Pros & Cons
civitaspo
2
660
JAWS DAYS 2025 アーキテクチャ道場 事前説明会 / JAWS DAYS 2025 briefing document
naospon
0
2.8k
マルチアカウント環境における組織ポリシーについて まとめてみる
nrinetcom
PRO
2
110
アジリティを高めるテストマネジメント #QiitaQualityForward
makky_tyuyan
1
350
OPENLOGI Company Profile for engineer
hr01
1
20k
2/18 Making Security Scale: メルカリが考えるセキュリティ戦略 - Coincheck x LayerX x Mercari
jsonf
0
260
Aurora PostgreSQLがCloudWatch Logsに 出力するログの課金を削減してみる #jawsdays2025
non97
1
250
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
19k
Amazon Q Developerの無料利用枠を使い倒してHello worldを表示させよう!
nrinetcom
PRO
2
120
Pwned Labsのすゝめ
ken5scal
2
570
Featured
See All Featured
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
660
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
49
2.3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.5k
GitHub's CSS Performance
jonrohan
1030
460k
Building Adaptive Systems
keathley
40
2.4k
Typedesign – Prime Four
hannesfritz
41
2.5k
Testing 201, or: Great Expectations
jmmastey
42
7.2k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
10
540
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
13
1k
Making the Leap to Tech Lead
cromwellryan
133
9.1k
Transcript
None
IDENTITY MANAGEMENT IN AWS_ JON TOPPER | @jtopper | he/him/his
IDENTITY_ LATIN LATE LATIN idem same identitas identity quality of
being identical
IDENTITY ENABLES_ Access Control Trust Delegation Audit Trail Security Compliance
IAM CONCEPTS_ Root User Users Groups Roles Policies Tokens
Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "NotAction": "iam:*",
"Resource": "*" } ] } PowerUserAccess
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [
"iam:*LoginProfile", "iam:*AccessKey*", "iam:*SSHPublicKey*" ], "Resource": "arn:aws:iam::00001:user/${aws:username}" }, { "Effect": "Allow", "Action": [ "iam:ListAccount*", "iam:GetAccountSummary", "iam:GetAccountPasswordPolicy", "iam:ListUsers" ], "Resource": "*" } ] } ManageOwnCredentials
Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci
ManageOwnCredentials
Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci
ManageOwnCredentials
EC2 ROLES_ $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ci-server-role { "Code" : "Success", "LastUpdated"
: "2012-04-26T16:39:16Z", "Type" : "AWS-HMAC", "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE", "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "Token" : "token", "Expiration" : "2012-04-27T22:39:16Z" }
Alice PowerUsers Bob Carla ci-server-role AmazonEC2ReadOnlyAccess AmazonS3FullAccess AdministratorAccess PowerUserAccess ci
ManageOwnCredentials
MULTI FACTOR AUTHENTICATION_
IAM BEST PRACTICE_ User Per Individual No Root User Multi-Factor
Auth Token Least Privilege CloudTrail
CROSS-ACCOUNT ROLE ASSUMPTION_
AssumeCustomerRole Bob Carla ScaleFactoryUser PowerUserAccess CUSTOMER MGMT ACCOUNT (00005) SCALE
FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt Trust Relationship Policy
CUSTOMER MGMT ACCOUNT (00005) SCALE FACTORY SSO ACCOUNT (00001) AssumeRoleCustomerMgmt
Trust Relationship Policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::00001:root" }, "Action": "sts:AssumeRole", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] } { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ”arn:aws:iam::00005:role/ScaleFactoryUser" } }
None
EXTERNAL SOURCE OF IDENTITY_
None
None
ScaleFactorySSOUser PowerUserAccess Trust Relationship Policy Identity Providers https://blog.faisalmisle.com/2015/11/using-google-apps-saml-sso-to-do-one-click-login-to-aws/
AWS COGNITO_
None
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [
"dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource": [ "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"] } } } ] }
YOUR IAM MIGHT NEED WORK IF YOU_ Log in with
the root account Have >1 identity for each person Don’t use MFA Hard-code tokens in app config
YOU MAY BENEFIT FROM_ Role Assumption Cross-Account Access Federated Identity
Cognito
KEEP IN TOUCH_ http:/ /www.scalefactory.com/ https:/ /github.com/scalefactory @jtopper / @scalefactory
[email protected]