identity on aws.pdf

Post on 07-Jan-2017


IDENTITY MANAGEMENT IN AWS_

JON TOPPER | @jtopper | he/him/his

IDENTITY_

Latin idem: same

Late Latin identitas: identity, the quality of being identical

IDENTITY ENABLES_

Access Control

Trust Delegation

Audit Trail

Security

Compliance

IAM CONCEPTS_

Root User

Users

Groups

Roles

Policies

Tokens

Alice

PowerUsers

Bob

Carla

ci-server-role

AmazonEC2ReadOnlyAccess

AmazonS3FullAccess

AdministratorAccess

PowerUserAccess

ci

PowerUserAccess

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*"
    }
  ]
}

ManageOwnCredentials

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:*SSHPublicKey*"
      ],
      "Resource": "arn:aws:iam::00001:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccount*",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}



EC2 ROLES_

$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ci-server-role

{
  "Code" : "Success",
  "LastUpdated" : "2012-04-26T16:39:16Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "token",
  "Expiration" : "2012-04-27T22:39:16Z"
}


MULTI FACTOR AUTHENTICATION_

IAM BEST PRACTICE_

User Per Individual

No Root User

Multi-Factor Auth Token

Least Privilege

CloudTrail

CROSS-ACCOUNT ROLE ASSUMPTION_

AssumeCustomerRole

Bob

CarlaScaleFactoryUser

PowerUserAccess

CUSTOMER MGMT ACCOUNT (00005) | SCALE FACTORY SSO ACCOUNT (00001)

AssumeRoleCustomerMgmt

Trust Relationship Policy


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::00001:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::00005:role/ScaleFactoryUser"
  }
}
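The cross-account setup above rests on two properties of the trust relationship policy in the customer account: the principal is the trusted SSO account (00001) and aws:MultiFactorAuthPresent must be true. As an added example (not from the slides or Scale Factory), this Python check lints a trust policy for those two properties, handling the single-object Statement form seen in the AssumeRoleCustomerMgmt policy; TRUST_POLICY_WEAK and the trusted-account set are constructed.

```python
import json

# Trust relationship policy from the slides: account 00005 trusts account 00001,
# but only for sessions that authenticated with MFA.
TRUST_POLICY_MFA = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::00001:root" }, "Action": "sts:AssumeRole",
  "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] }""")

# Constructed weak variant (not from the slides): Statement as a single object,
# wildcard principal, no MFA condition.
TRUST_POLICY_WEAK = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}}

def _as_list(value):
    """IAM lets Statement, Action and Principal.AWS be a scalar or a list."""
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """'arn:aws:iam::00001:root' -> '00001'; bare account ids pass through."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def check_trust_policy(policy, trusted_accounts):
    """Return findings for each Allow statement that grants sts:AssumeRole."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal if isinstance(principal, str)
                                  else principal.get("AWS", []))
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {idx}: wildcard principal")
            elif _account_of(p) not in trusted_accounts:
                findings.append(f"statement {idx}: untrusted account {_account_of(p)}")
        # The MFA condition must be present and true, not merely absent-by-default.
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append(f"statement {idx}: MFA not required")
    return findings

if __name__ == "__main__":
    print(check_trust_policy(TRUST_POLICY_MFA, {"00001"}))   # []
    print(check_trust_policy(TRUST_POLICY_WEAK, {"00001"}))  # two findings
```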

EXTERNAL SOURCE OF IDENTITY_

ScaleFactorySSOUser

PowerUserAccess

Trust Relationship Policy

Identity Providers

https://blog.faisalmisle.com/2015/11/using-google-apps-saml-sso-to-do-one-click-login-to-aws/

AWS COGNITO_

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
      }
    }
  ]
}

YOUR IAM MIGHT NEED WORK IF YOU_

Log in with the root account

Have >1 identity for each person

Don’t use MFA

Hard-code tokens in app config

YOU MAY BENEFIT FROM_

Role Assumption

Cross-Account Access

Federated Identity

Cognito

KEEP IN TOUCH_

http://www.scalefactory.com/

https://github.com/scalefactory

@jtopper / @scalefactory

jon@scalefactory.com
