
Identity & Access Management in the Cloud

Identity and access management helps customers protect their applications and resources. In this session, learn how AWS identity services are evolving to provide you with a secure, flexible, and easy solution for managing identities and access on the AWS Cloud.

More Decks by Sébastien Stormacq - AWS Developer Advocate

Transcript

  1. Every AWS Cloud Journey is Unique. Migrating or extending infrastructure, cloud-native applications, going all-in, solving new challenges: each requires unique identity and access management solutions.
  2. Disambiguation. IAM (the subject), our scope for today: authentication, authorization, audit, and governance for your cloud workloads. It includes AWS IAM (the service), which authenticates and authorizes AWS APIs.
  3. Identity & Access Management means: authentication (validate identities securely), authorization (manage access using fine-grained policies), and audit/governance (meet compliance requirements).
  4. Identity and Access Management (the subject) at all levels: your applications, AWS infrastructure, and the AWS management console/APIs; for admins, security, developers, customers, employees, and partners.
  5. Broader Security Portfolio. Identity: AWS Identity and Access Management (IAM), AWS Organizations, AWS Cognito, AWS SSO, AWS Directory Service, Amazon Cloud Directory, AWS Secrets Manager. Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs. Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (AWS WAF), Amazon Inspector, Amazon VPC (VPC). Data protection: AWS KMS, AWS CloudHSM, Amazon Macie, ACM, Server-Side Encryption. Incident response: AWS Config Rules, AWS Lambda.
  7. IAM Use Cases. Three use cases: manage user access to AWS accounts and resources; manage application access to data and resources; manage user access to your own applications. Examples: developers signing in to the AWS Command Line Interface (AWS CLI) or AWS Management Console; SecOps engineers running AWS Lambda functions; applications running on Amazon EC2 instances or containers that need access to data in Amazon S3; users signing in to your applications using their App, Facebook, Twitter, or Amazon accounts.
  9. Access to AWS Accounts & Resources: aws iam create-role …, aws iam create-user …, aws iam attach-user-policy …
  11. What can possibly go wrong? With aws iam create-role …, aws iam create-user …, aws iam attach-user-policy … the open questions are: multi-account strategy? Identity federation? Secret rotation? Centralised management? Auditability?
  12. AWS Organizations, IAM Policies & AWS SSO. AWS SSO uses AWS Organizations to retrieve your list and structure of accounts (master account, member account #1 … member account #N). Define permissions using standard syntax and tools; definitions and policies are automatically deployed and maintained in member accounts.
  13. AWS SSO: Assign Users. The master account runs AWS Organizations and AWS SSO and uses AWS Directory Service (directory connection) to connect to on-premises Active Directory, where groups and entitlements live. Map Active Directory groups to defined permissions. Grant access to one AWS account, an OU, or the entire Organization.
  14. AWS SSO: Login Flow. Users browse to the AWS SSO user portal (master account) and are authenticated (AuthN) using their corporate credentials from on-premises Active Directory. AWS SSO authorizes (AuthZ) the user based on their entitlements. Users are federated via SAML into an IAM role in the member account. Actions and resource access are governed by IAM policies and Organizations’ SCPs.
  15. AWS Organizations: Key Concepts. Master account/administrative root (M); organizational units (OUs) such as Dev, Test, Prod; AWS accounts (A1 … A4); Service Control Policies (SCPs); AWS resources.
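The interaction between SCPs on the root/OU path and a principal's IAM policy, as a simplified evaluator added here (not part of the deck; the policy documents and the Dev-OU guardrail are constructed samples):

```python
import fnmatch

# Simplified model of how a request is evaluated against Organizations SCPs and
# IAM identity-based policies:
#  - an explicit Deny in any applicable policy wins,
#  - every SCP on the path root -> OU -> account must Allow the action,
#  - the identity-based policy must also Allow it.
# Resources, conditions, NotAction, resource-based policies and permission
# boundaries are deliberately left out of this model.

def statement_matches(stmt, action):
    """True if the statement's Action list covers the action (case-insensitive, wildcards)."""
    actions = stmt.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in actions)

def policy_decision(policy, action):
    """Return 'Deny', 'Allow', or None when no statement in the policy matches."""
    decision = None
    for stmt in policy.get("Statement", []):
        if statement_matches(stmt, action):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def is_allowed(action, scps_on_path, identity_policies):
    """Combine the SCPs on the root/OU/account path with the principal's identity policies."""
    if any(policy_decision(scp, action) != "Allow" for scp in scps_on_path):
        return False  # an SCP level with a Deny, or with no Allow at all, blocks the action
    decisions = [policy_decision(p, action) for p in identity_policies]
    if "Deny" in decisions:
        return False
    return "Allow" in decisions

# Constructed samples: FullAWSAccess at the root, a Dev-OU guardrail that keeps
# audit logging intact, and two principals with different identity policies.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
DEV_OU_GUARDRAIL = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
]}
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
DEVELOPER_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"]}]}
DEV_ACCOUNT_PATH = [FULL_AWS_ACCESS, DEV_OU_GUARDRAIL]

if __name__ == "__main__":
    print(is_allowed("s3:GetObject", DEV_ACCOUNT_PATH, [ADMIN_POLICY]))           # True
    print(is_allowed("cloudtrail:StopLogging", DEV_ACCOUNT_PATH, [ADMIN_POLICY]))  # False
```

Even an account administrator with `*` in the Dev account cannot stop CloudTrail logging, because the OU-level SCP denies it regardless of the identity policy.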
  18. EC2 Instance Profile. Your code on the EC2 instance (operating system) reaches AWS resources with AWS credentials that are auto delivered and rotated, auto discovered and used by your code, and access is controlled by the policy attached to the role. Also works with AWS Lambda & Amazon ECS.
  19. AWS Secrets Manager: lifecycle management for secrets such as database credentials and API keys. Rotate secrets safely; manage access with fine-grained policies; secure and audit secrets centrally; pay as you go.
  20. AWS Secrets Manager: Architecture. Your code on the EC2 instance (operating system, AWS credentials plumbed by the instance profile, as before) makes an authorized call to ASM; the DB credentials are loaded and returned, the connection to the database is established, and ASM takes care of safe rotation. The combo provides your apps a reliable, secure, auto-rotating solution for ALL credentials.
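A consumer of a Secrets Manager database secret that survives the safe rotation described above, as an added example that is not from the deck. The secret store is called through get_secret_value(SecretId=...), the method and response shape (a JSON 'SecretString') of a boto3 "secretsmanager" client; a fake client, a fake database and the secret name are constructed here so the example runs offline.

```python
import json
# The pattern: cache the secret, and on an authentication failure refetch it
# once before giving up, because the failure may simply mean the secret was
# rotated after the app cached it.

class AuthError(Exception):
    pass

class FakeSecretsManager:
    """Stand-in for boto3's secretsmanager client (constructed for this example)."""
    def __init__(self, password):
        self.password, self.calls = password, 0
    def get_secret_value(self, SecretId):
        self.calls += 1
        secret = {"username": "app", "password": self.password, "host": "db.example"}
        return {"Name": SecretId, "SecretString": json.dumps(secret)}
    def rotate(self, new_password):  # what the rotation function does to AWSCURRENT
        self.password = new_password

class FakeDatabase:
    """Accepts only the credential that is currently valid in the secret store."""
    def __init__(self, sm):
        self.sm = sm
    def connect(self, username, password, host):
        if password != self.sm.password:
            raise AuthError("invalid credentials")
        return f"connection as {username}@{host}"

class RotationAwareConnector:
    """Caches the secret; on an auth failure refetches once, since rotation may have happened."""
    def __init__(self, sm_client, db, secret_id):
        self.sm, self.db, self.secret_id, self._cached = sm_client, db, secret_id, None
    def _fetch(self):
        resp = self.sm.get_secret_value(SecretId=self.secret_id)
        self._cached = json.loads(resp["SecretString"])
        return self._cached
    def connect(self):
        creds = self._cached or self._fetch()
        try:
            return self.db.connect(**creds)
        except AuthError:
            creds = self._fetch()            # cached copy is stale after rotation
            return self.db.connect(**creds)  # a second failure is a real error: let it raise

def demo():
    sm = FakeSecretsManager("pw-v1")
    connector = RotationAwareConnector(sm, FakeDatabase(sm), "prod/app/db")
    first = connector.connect()   # fetches the secret once
    sm.rotate("pw-v2")            # rotation happens while the app holds its cached copy
    second = connector.connect()  # fails once, refetches, then succeeds
    return first, second, sm.calls  # calls == 2
```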
  23. Amazon Cognito: AWS credentials and access control; OpenID Connect and OAuth 2.0 based; managed user directory; sign in with existing identities (federation); customizable hosted UI, or SDK.
  24. Amazon Cognito – Use Cases: Business to Consumer, Business to Business, Business to Employee, and IoT scenarios. Building blocks shown: enterprise directory (with SAML federation) and AWS IoT.
  25. Amazon Cognito Services. User Pools: sign-up/sign-in, user profiles, issue tokens, hosted UIs, OAuth2/OIDC IdP, SAML2 SP federation. Identity Pools: guest access, AWS credentials, cross-device sync.
  26. Use Cognito User Pools when you have: (1) end users who want to create an account, (2) end users who have an existing social or corporate account; and you want: (1) a managed user directory, (2) end-user authentication & profiles, (3) an IdP for other apps, (4) to federate users through OAuth2, OIDC, SAML, (5) to authenticate API access (AppSync, API Gateway).
  27. Use Cognito Identity Pools when you have: (1) an end user that has authenticated with a social or corporate identity provider and has a token, (2) an end user that is unauthenticated; and you want: (1) scoped, time-bound AWS credentials for that identity, (2) direct access to AWS services from your web or mobile app, (3) to use Cognito Sync to sync user preferences and game state across devices.
  28. Amazon Cognito and API Gateways. The user pool authenticates users and returns standard tokens; Amazon Cognito user pool (CUP) tokens are used to access your custom APIs; the identity pool provides role-based AWS credentials to access AWS services. Flow: (1) authenticate against the Amazon Cognito user pool, (2) the federating IdP redirects/posts back with the IdP token, (3) the user pool returns a CUP token, (4) the app calls API GW with the CUP token to access the serverless backend (Lambda), (5) the app presents the CUP token to the Amazon Cognito identity pool to get AWS credentials, (6) the app accesses Amazon DynamoDB and Amazon S3.
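The checks a custom API applies to a CUP token before trusting it (step 4 above), as an added example that is not from the deck. It covers the claim checks after the token's RS256 signature has been verified against the user pool's JWKS, which is outside this snippet; the region, user pool id, app client id and sample claims are constructed placeholders.

```python
import time

REGION = "eu-west-1"                     # constructed placeholder
USER_POOL_ID = "eu-west-1_EXAMPLE"       # constructed placeholder
APP_CLIENT_ID = "example-app-client-id"  # constructed placeholder
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

def validate_cup_claims(claims, expected_use, now=None):
    """Return (ok, reason) for the decoded claims of a Cognito id or access token.

    Assumes the signature was already verified; these checks stop a token from
    another pool, another app client, the wrong token type, or an expired token
    from being accepted.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer is not our user pool"
    if claims.get("token_use") != expected_use:
        return False, f"expected a {expected_use} token, got {claims.get('token_use')}"
    # Id tokens carry the app client id in 'aud'; access tokens carry it in 'client_id'.
    client = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if client != APP_CLIENT_ID:
        return False, "token was issued to a different app client"
    if claims.get("exp") is None or now >= claims["exp"]:
        return False, "token has expired"
    return True, "ok"

# Constructed sample claims, shaped like those a user pool embeds in its tokens.
VALID_ID_TOKEN = {"iss": EXPECTED_ISSUER, "token_use": "id", "aud": APP_CLIENT_ID,
                  "exp": 1_700_000_600, "sub": "user-123"}
VALID_ACCESS_TOKEN = {"iss": EXPECTED_ISSUER, "token_use": "access",
                      "client_id": APP_CLIENT_ID, "exp": 1_700_000_600, "sub": "user-123"}
FOREIGN_POOL_TOKEN = dict(VALID_ID_TOKEN,
                          iss="https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_OTHER")
```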
  30. TIBCO (AWS Organizations). As TIBCO scaled on AWS, it wanted to centrally manage permissions across multiple AWS accounts. TIBCO uses AWS Organizations service control policies to manage service API use across its AWS accounts, and created a Slack integration with Organizations to enable users to deploy AWS infrastructure in an auditable way.
  31. Hixme provides employee benefits and insurance solutions to businesses. Hixme manages sensitive customer data, requiring an authentication solution that protects that information from unauthorized access. It uses Amazon Cognito and AWS Lambda to “develop a flexible, fully integrated solution that can scale effortlessly.” (Architecture: users with the mobile app, Amazon Cognito user pools, AWS Lambda.)