Identity & Access Management in the Cloud

Transcript

1. Identity Management in the ☁ Sébastien Stormacq | @sebsto Technical

   Evangelist, AWS EMEA

2. Migrating or extending infrastructure Cloud-native applications Going all-in Solve new

   challenges Requiring unique identity and access management solutions. Every AWS Cloud Journey is Unique

3. Disambiguation IAM (the subject) Authentication, authorization, audit, and governance for

   your cloud workloads. Our scope for today Authenticates and authorizes AWS APIs. Includes AWS IAM (the service)

4. Identity & Access Management Means… Authen'ca'on Authorization Audit/governance Validate identities

   securely Manage access using fine-grained policies Meet compliance requirements

5. All all levels Iden'ty and Access Management (the subject) Your

   applications Your applications AWS infrastructure AWS management console/APIs Admins Security Developers Customers Employees Partners

6. Broader Security Portfolio AWS Identity and Access Management (IAM) AWS

   Organizations AWS Cognito AWS SSO AWS Directory Service Amazon Cloud Directory AWS Secrets Manager AWS CloudTrail AWS Config Amazon CloudWatch Amazon GuardDuty VPC Flow Logs Amazon EC2 Systems Manager AWS Shield AWS Web Application Firewall (AWS WAF) Amazon Inspector Amazon VPC (VPC) AWS KMS AWS CloudHSM Amazon Macie ACM Server-Side Encryption AWS Config Rules AWS Lambda Iden'ty Detective control Infrastructure security Data protection Incident response

7. Broader Security Portfolio AWS Identity and Access Management (IAM) AWS

   Organizations AWS Cognito AWS SSO AWS Directory Service Amazon Cloud Directory AWS Secrets Manager AWS CloudTrail AWS Config Amazon CloudWatch Amazon GuardDuty VPC Flow Logs Amazon EC2 Systems Manager AWS Shield AWS Web Application Firewall (AWS WAF) Amazon Inspector Amazon VPC (VPC) AWS KMS AWS CloudHSM Amazon Macie ACM Server-Side Encryption AWS Config Rules AWS Lambda Identity Detec've control Infrastructure security Data protection Incident response

8. IAM Use Cases Manage user access to AWS accounts and

   resources Manage applica'on access to data and resources Manage user access to your own applications Developers signing in to the AWS Command Line Interface (AWS CLI) or AWS Management Console. SecOps engineers running AWS Lambda functions. Applications running on Amazon EC2 instances or containers that need access to data in Amazon S3. Users signing in to your applications using their App, Facebook, Twitter, or Amazon accounts.

9. IAM Use Cases Manage user access to AWS accounts and

   resources Manage application access to data and resources Manage user access to your own applica'ons Developers signing in to the AWS Command Line Interface (AWS CLI) or AWS Management Console. SecOps engineers running AWS Lambda functions. Applications running on Amazon EC2 instances or containers that need access to data in Amazon S3. Users signing in to your applications using their App, Facebook, Twitter, or Amazon accounts.

10. Access to AWS Accounts & Resources aws iam create-role …

    aws iam create-user … aws iam attach-user-policy …

11. What can possibly go wrong ? aws iam create-role …

    aws iam create-user … aws iam attach-user-policy …

12. What can possibly go wrong ? aws iam create-role …

    aws iam create-user … aws iam attach-user-policy … Multi accounts strategy ? Identity federation Secret rotation ? Centralised management ? Auditability ?

13. AWS Organizations, IAM Policies & AWS SSO

14. Uses AWS Organizations to retrieve your list and structure of

    accounts. Master account Member account #1 Member account #N AWS Organizations AWS SSO Define permissions using standard syntax and tools. Definitions and policies automatically deployed and maintained in member accounts. AWS Organizations, IAM Policies & AWS SSO

15. Master account AWS Organizations AWS SSO AWS Directory Service Groups

    Active Dir Entitlements Directory connection On-premises Uses AWS Directory Service to connect to on-premises Active Directory. Map Active Directory groups to defined permissions. Grant access to one AWS account, an OU, or the entire Organization. AWS SSO : Assign Users

16. AWS SSO : Login Flow Master account AWS SSO AWS

    SSO user portal Groups Active Dir Users Entitlements AuthN AuthZ On-premises SAML Member account Users browse to the AWS SSO user portal and are authenticated using their corporate credentials. AWS SSO authorizes the user based on their entitlements. Actions and resource access are governed by IAM policies and Organizations’ SCPs. Users are federated into an IAM role in member account.

17. AWS Organizations: Key Concepts A1 A2 A4 M Master account/Administrative

    root Organizational unit (OU) AWS accounts Service Control Policies (SCPs) AWS resources A3 Dev Test Prod

18. AWS Organizations & IAM Policies Allow: S3:* Allow: SQS:* Allow:

    EC2:* Allow: EC2:* SCP IAM permissions

19. IAM Use Cases Manage user access to AWS accounts and

    resources Manage applica'on access to data and resources Manage user access to your own applications Developers signing in to the AWS Command Line Interface (AWS CLI) or AWS Management Console. SecOps engineers running AWS Lambda functions. Applications running on Amazon EC2 instances or containers that need access to data in Amazon S3. Users signing in to your applications using their App, Facebook, Twitter, or Amazon accounts.

20. IAM Use Cases Manage user access to AWS accounts and

    resources Manage application access to data and resources Manage user access to your own applica'ons Developers signing in to the AWS Command Line Interface (AWS CLI) or AWS Management Console. SecOps engineers running AWS Lambda functions. Applications running on Amazon EC2 instances or containers that need access to data in Amazon S3. Users signing in to your applications using their App, Facebook, Twitter, or Amazon accounts.

21. EC2 instance Profile AWS resources Your code Operating system EC2

    instance AWS credentials auto delivered and rotated AWS credentials auto discovered and used Access controlled by policy attached to role Also works with AWS Lambda & Amazon ECS

22. Demo Assign a role to your EC2 instances

23. What about your other secrets ?

24. AWS Secret Manager Lifecycle management for secrets such as database

    credentials and API keys Rotate secrets safely Manage access with fine-grained policies Secure and audit secrets centrally Pay as you go

25. AWS Secrets Manager : Architecture Authorized call to ASM DB

    creds loaded DB creds returned Safe rotation AWS resources Your code Operating system EC2 instance AWS credentials plumbed (as before) Combo provides your apps a reliable, secure, auto-rotating solution for ALL credentials AWS resources Connection established

26. Demo Secret manager to store and access secrets

27. IAM Use Cases Manage user access to AWS accounts and

    resources Manage application access to data and resources Manage user access to your own applica'ons Developers signing in to the AWS Command Line Interface (AWS CLI) or AWS Management Console. SecOps engineers running AWS Lambda functions. Applications running on Amazon EC2 instances or containers that need access to data in Amazon S3. Users signing in to your applications using their App, Facebook, Twitter, or Amazon accounts.

28. IAM Use Cases Manage user access to AWS accounts and

    resources Manage applica'on access to data and resources Manage user access to your own applications Developers signing in to the AWS Command Line Interface (AWS CLI) or AWS Management Console. SecOps engineers running AWS Lambda functions. Applications running on Amazon EC2 instances or containers that need access to data in Amazon S3. Users signing in to your applications using their App, Facebook, Twitter, or Amazon accounts.

29. Amazon Cognito AWS credentials and access control OpenID Connect and

    OAuth 2.0 Based Managed user directory Sign in with existing identities (federation) Customizable, hosted UI, or SDK

30. Amazon Cognito – Use Cases Business to Consumer Business to

    Business Business to Employee IoT Scenarios Enterprise Directory Enterprise Directory SAML Enterprise Directory SAML AWS IoT

31. Amazon Cognito Services User Pools Identity Pools

32. Amazon Cognito Services User Pools Identity Pools Sign-up/Sign-in User Profiles

    Issue Tokens Hosted UIs OAuth2/OIDC IdP SAML2 SP Federation Guest Access AWS Credentials Cross Device Sync

33. Use Cognito User Pool when You Have: 1. End users

    who want to create an account 2. End users who have an existing social or corporate account You Want: 1. Managed user directory 2. End user authentication & profiles 3. IDP for other apps 4. Federate users through OAuth2, OIDC, SAML 5. Authenticate API Access (AppSync, API Gateway)

34. Use Cognito Identity Pools when You Have: 1. End user

    that has authenticated with a social or corporate identity provider and has a token 2. End user that is unauthenticated You Want: 1. Scoped, time-bound AWS Credentials for that identity 2. Direct access to AWS services from your web or mobile app 3. To use Cognito Sync to sync user preferences and game state across devices

35. Amazon Cognito and API Gateways User pool authenticates users and

    returns standard tokens Amazon Cognito user pool (CUP) tokens are used to access your custom APIs Identity pool provides role-based AWS credentials to access AWS services 1 Amazon Cognito user pool Authenticate Federating IdP Redirect/ post back 2 Amazon DynamoDB Amazon S3 6 5 Amazon Cognito identity pool Get AWS credentials CUP token 4 API GW Access serverless backend Lambda CUP token 3 CUP token Idp token

36. Demo React web app with federated identities and secure API

    access.

37. IAM Use Cases Manage user access to AWS accounts and

    resources Manage application access to data and resources Manage user access to your own applications Developers signing in to the AWS Command Line Interface (AWS CLI) or AWS Management Console. SecOps engineers running AWS Lambda functions. Applications running on Amazon EC2 instances or containers that need access to data in Amazon S3. Users signing in to your applications using their App, Facebook, Twitter, or Amazon accounts.

38. Tibco As TIBCO scaled on AWS, it wanted to centrally

    manage permissions across multiple AWS accounts. TIBCO uses AWS Organizations service control policies to manage service API use across its AWS accounts. Created Slack integration with Organizations to enable users to deploy AWS infrastructure in an auditable way. AWS organizations

39. Hixme Provides employee benefits and insurance solutions to businesses. Hixme

    manages sensitive customer data, requiring an authentication solution that protects that information from unauthorized access. Use Amazon Cognito and AWS Lambda to “develop a flexible, fully integrated solution that can scale effortlessly.” AWS Lambda Users with mobile app Amazon Cognito user pools

40. IAM Use Cases Manage user access to AWS accounts and

    resources Manage applica'on access to data and resources Manage user access to your own applications Developers signing in to the AWS Command Line Interface (AWS CLI) or AWS Management Console. SecOps engineers running AWS Lambda functions. Applications running on Amazon EC2 instances or containers that need access to data in Amazon S3. Users signing in to your applications using their App, Facebook, Twitter, or Amazon accounts.

41. Thank you – leave your feeback Sébastien Stormacq | @sebsto

    Technical Evangelist, AWS EMEA