WHITE PAPER
SECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS
The Challenges Of Securing AWS Access and How To Address Them In The Modern Enterprise
Executive Summary
When operating in Amazon Web Services (AWS) it is important
to understand your responsibility when it comes to security. AWS
operates under a shared security responsibility model, where AWS is
responsible for the security of the underlying cloud infrastructure and
you, the AWS customer, are responsible for securing workloads you
deploy in AWS. IT administrators and Security Officers should educate
themselves on how to leverage AWS Identity and Access Management
(IAM) configuration to protect access to AWS resources in a way that
enhances security yet doesn’t hinder productivity.
The path to securing AWS access in the enterprise runs through
securing AWS sign-in and configuring least privilege access across
multiple accounts. The solution is elimination of passwords with
Single Sign-On (SSO) and automated provisioning of AWS roles across
all AWS accounts. This is made possible by integrating with a modern
identity solution such as OneLogin’s cloud directory. The benefits
are improved security by reducing risk of identity theft, an increase
in productivity with faster access to applications and services, and
significant savings for IT with automation and end-user self-service.
In this whitepaper we articulate the technical challenges of securing
AWS access and the value proposition of an identity platform for
the modern enterprise. In addition, we offer a brief introduction to
OneLogin and instructions on how to create a free account.
AWS Security And Enterprise SaaS Challenges
When operating in Amazon Web Services (AWS) it is important
to understand your responsibility when it comes to security. AWS
operates under a shared security responsibility model, where AWS
is responsible for the security of the underlying cloud infrastructure
and you are responsible for securing workloads you deploy in AWS.
This gives you the flexibility and agility you need to implement the
most applicable security controls for your business functions in the
AWS environment. You can tightly restrict access to environments
that process sensitive data, or deploy less stringent controls for
information you want to make public.
This shared security responsibility model can reduce your operational
burden in many ways, and in some cases may even improve your
default security posture without additional action on your part.
AWS security is a full set of products to meet security infrastructure
needs, such as protection from various network attacks, data storage
encryption, monitoring and logging. IT administrators should educate
themselves on ways to leverage these products, starting with AWS
Identity and Access Management (IAM) configuration to protect access
to AWS resources.
Effective security requires granular access control, and AWS IAM
provides the ability to implement fine-grained access. With
AWS IAM, admins are able to quickly create users and groups, and
assign each a fine-grained policy for accessing just the AWS services
and actions that the user needs. As an admin, you have the power to
give engineers the privileges they need for their tasks while restricting
them from risky actions such as restarting production instances on
EC2, modifying parts of the network configuration on VPC, or deleting
files from certain S3 accounts. These are merely examples; what
is important to remember is that a policy can let the engineer do
exactly what she needs to do while ensuring she cannot do things
that are not part of her job, so that neither intentional nor accidental
out-of-scope actions are taken. With the functionality
provided by AWS IAM, organizations are able to implement the
right level of access controls to allow employee productivity while
maintaining the appropriate security controls.
While AWS offers a robust set of IAM tools designed to secure your
AWS account, AWS does not have organizational context such as the
reporting structure and roles, organization-wide security policies,
HR processes, and productivity needs - all critical to accurately
determine who should have access to sensitive resources at any point
in time. Authentication and authorization of employees should be
unified across all corporate applications, services and resources into
a Single Sign-On (SSO) solution, and combined with the right means
of additional security such as multi-factor authentication (MFA).
To accomplish this effectively and efficiently, administrators would
need a single integration point for applications, services, corporate
directories and security layers. Without extending AWS security to the
organization, administrators face the dual challenge of 24x7 uptime
for applications built on top of AWS, along with the task of constantly
aligning their AWS security with the organization to protect AWS
resources from both internal and external threats such as unwarranted
or malicious application access to sensitive data.
[email protected] | 855.426.7227 | onelogin.com
So, while AWS offers granularity and flexibility for protecting access
to all AWS platform resources, what remains critical for security
champions—such as IT administrators and Security Officers—to do is
educate themselves on how to leverage the power of AWS IAM in a
way that enhances security yet doesn’t hinder productivity. A modern
identity platform plays a big role in making that a reality.
Single Sign-On: Eliminating Passwords And Enhancing Access Management
Identity theft accounted for 64%[1] of all data breaches in the first half
of 2016. To understand the reason for it, consider the challenges of
deploying and supporting an average of 730[2] SaaS applications and
services, such as Box, AWS and Slack, in the average enterprise.
As a result, companies seek to protect their sensitive data by
eliminating app-specific passwords, and govern the authentication
policy with means like IP-based restrictions, multi-factor
authentication, password policies and organizational context - e.g.
executive functions need stronger security. IT administrators are
tasked with reducing user authentication complexity and risks by
unifying all authentication into a Single Sign-On solution that applies
to all corporate employees. AWS enables you to tie an identity solution
into your AWS account to control access to your AWS resources, thus
enabling administrators to simplify and automate secure sign-in and
access control. The first step to implementing and benefiting from
this kind of integration is to understand the power of SAML.
SAML (Security Assertion Markup Language) is an XML-based standard
which passes login information through a browser between an identity
provider server (which appears to the user as a login page) and a 3rd
party web application or service. SAML provides apps with tokens
instead of credentials for logging in users. End-users only have to sign-
in once to an identity provider which can forward the secure tokens to
any app that supports SAML. Key benefits include:
1. Administrators do not need to manually align app-specific access
with the corporate directory. After a 5-minute setup for any given
app or service that supports SAML, only corporate users would
be able to login to corporate apps, with the option of advanced
policies like role-based access.
2. End-users enjoy a frictionless sign-in experience. If they are already
signed in to their corporate account, they can immediately access
the AWS Management Console securely and simply click through
to the desired service, significantly reducing the threat of phishing.
3. The identity provider maintains organizational integrity and verifies
that only active users are logged in. This significantly reduces the
risk of compromised accounts and minimizes orphan accounts.
[1] Source: Gemalto data breach statistics, Sep 2016.
[2] Source: Cisco.
Fortunately for administrators, AWS was built with highly flexible and
advanced SAML support that enables administrators to extend AWS
access to their organization, with the help of a modern identity solution.
AWS, paired with an identity solution, enables companies to
accomplish frictionless and secure SSO based on a corporate directory,
but there is another challenge: scaling this secure solution across
multiple AWS accounts, and tightening security with least privilege
access using multiple roles.
Automating Least Privilege Access: Provisioning AWS Roles Across Multiple Accounts
When looking at a large or a fast-growing engineering organization,
companies are dealing with serious security concerns for the more
critical parts of their business. For example, engineers, technical
marketers, and solutions architects should have the freedom to spin
up test instances, but only a subset of engineers in dev operations and
tech operations roles should have any access to production instances.
This simple requirement becomes a true challenge when taking into
account complex deployments, multiple engineering departments with
different resources and needs, and requirements such as compliance
and auditing, e.g. every access must be accounted for.
To deal with this critical security requirement, companies seek a secure
access solution that separates AWS environments based on security
and productivity concerns and applies an access control policy that
takes into consideration all security and engineering needs across
the organization. With this approach in place, organizations can scale
the AWS solution across many environments, including multiple test,
staging and production accounts, as well as enable engineers to use
least privilege access when performing critical AWS tasks.
Fortunately, AWS supports highly granular user policies, even across
multiple accounts. For example, one policy could give users only read
access to a specific Amazon S3 bucket, while another policy could give
users only execute access to launch Amazon EC2 instances.
This role granularity is the IT administrator’s best friend, but it requires
extending it to the organization for role assignments to be meaningful.
This is where a full-fledged identity platform comes to the rescue,
by providing smart and flexible mapping of roles from your corporate
directory to roles in your AWS accounts. This mapping can leverage
employee metadata such as internal department or job function in
order to provide AWS with a list of AWS roles and AWS accounts that
the user is allowed to access. Then, with every new login to AWS, the
identity platform first calculates the right privileges for the user and
passes the information to AWS to provide the right level of access. This
is accomplished in real-time such that the employee metadata is always
fresh and the privileges are always true to the employee’s current role
status and organizational role.
[Figure: Role-based access. An optional external directory, such as on-premise AD or LDAP, feeds OneLogin roles (TechOps Lead, TechOps Engineer, DevOps Lead, DevOps Engineer), and each OneLogin role maps to a set of AWS roles, for example: S3 Admin, VPC User, RDS Power User, Route 53 Admin; EC2 Power User, IAM Admin, Route 53 User; EC2 Admin, IAM Admin, Route 53 User, VPC Power User; Route 53 User, S3 Power User, VPC User. Flow: Active Directory -> OneLogin -> AWS, crossing the firewall into the cloud.]
With the mapping of corporate metadata to AWS roles complete, users
can now sign-in to their AWS Account(s). Depending on the number of
roles and accounts the user has access to, she will be presented a list
of all accounts and roles in the AWS Management Console dashboard,
and she will be able to switch to any account and role for the task at
hand. By way of extending AWS security using organizational context,
we gain both maximum security and increased productivity.
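As an added example (not OneLogin's or AWS's code), the following Python models the mapping step described above: rules over directory groups decide which (account, role) pairs a user may assume, recomputed at every login, and the result is emitted in the attribute format AWS expects inside a SAML assertion. The account ids, group names, IAM role names and the SAML provider name are constructed sample values; only the two attribute names are real AWS identifiers.

```python
# Added example (not OneLogin's or AWS's code): rules over directory groups
# decide which (account, role) pairs a user may assume, recomputed on every
# login, and the result is emitted as the AWS SAML Role attribute values.
from dataclasses import dataclass, field

AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"              # real AWS attribute name
AWS_SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"  # real AWS attribute name
SAML_PROVIDER = "OneLoginSample"  # constructed name of the IdP registered in each account
# Constructed 12-digit account ids for separate environments.
ACCOUNTS = {"dev": "111111111111", "staging": "222222222222", "prod": "333333333333"}

@dataclass(frozen=True)
class Rule:
    """If the user is in `group`, grant IAM role `role` in every environment in `envs`."""
    group: str
    role: str
    envs: tuple

# Constructed rules mirroring the tiers in the text: engineers get test
# accounts, DevOps reaches staging, only TechOps leads reach production.
RULES = [
    Rule("Engineering", "EC2PowerUser", ("dev",)),
    Rule("DevOps Engineers", "EC2PowerUser", ("dev", "staging")),
    Rule("DevOps Engineers", "S3PowerUser", ("dev", "staging")),
    Rule("TechOps Leads", "S3Admin", ("dev", "staging", "prod")),
    Rule("TechOps Leads", "VPCUser", ("prod",)),
]

@dataclass
class User:
    username: str
    active: bool                 # deactivated in the directory => no roles at all
    groups: set = field(default_factory=set)

def role_arn(account_id, role):
    return f"arn:aws:iam::{account_id}:role/{role}"

def provider_arn(account_id):
    return f"arn:aws:iam::{account_id}:saml-provider/{SAML_PROVIDER}"

def entitlements(user):
    """(account_id, role) pairs the user may assume right now. Evaluated from
    current attributes at each login, so a group change or deactivation takes
    effect on the next sign-in without touching any AWS account."""
    if not user.active:
        return set()
    return {(ACCOUNTS[env], r.role)
            for r in RULES if r.group in user.groups for env in r.envs}

def saml_attributes(user):
    """AWS-specific attribute values: each Role value is 'role-arn,provider-arn'
    so AWS knows which IAM role to assume and which SAML provider vouched for it."""
    roles = sorted(f"{role_arn(a, r)},{provider_arn(a)}" for a, r in entitlements(user))
    return {AWS_ROLE_ATTR: roles, AWS_SESSION_ATTR: [user.username]}
```

A user with several qualifying groups gets the union of the rules, which is what produces the account-and-role picker in the AWS Management Console described above.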
Putting It All Together: Modern Identity for Cloud Apps And Services
We have seen how AWS enables administrators and security personnel
to protect AWS access in two key ways: Secure token-based sign-
in with SAML, and access control with granular AWS policies. In
order to streamline identity information and access control in a
way that enables fast and secure access to apps or services like
AWS, organizations need a strong identity provider to leverage
organizational context for overarching authentication and role-based
access control. Modern identity platforms can be a standalone cloud
directory for your users or a key integration point for all apps, services
and directories, and they enable Single Sign-On as well as passing of
employee metadata to apps in a number of standard ways.
They also support multiple security layers such as Multi-Factor
Authentication and IP-based restriction. In the next few sections we will
look at how a solution like OneLogin can help you gain the level of
security and productivity that you need.
Securing Corporate-Wide Access
A key strength of OneLogin is the ease of adding a new app with
secure corporate-wide access. Within an hour, you can stand up a new
OneLogin account that is either a standalone cloud directory with
all your corporate users, or it is syncing from one or more external
directories such as Active Directory or LDAP.
OneLogin has over 5,000 pre-integrated apps, including the AWS
Management Console for one-click access to the AWS dashboard. As
you can see in the snippet below, since the app is pre-integrated, the
only thing you need is your unique AWS account identifier which you
can find in your Amazon account.
You can allow select users access to the AWS Management Console within
seconds, using OneLogin’s app policy. Every user who is allowed to access
AWS can access it directly or through OneLogin’s app portal which is
customized for each user with only the apps she is allowed to use:
A single click and the user is signed into AWS. At this point, only active
corporate users can sign into AWS. Companies gain both security
and productivity. With AWS specifically, access to all AWS available
accounts and services is reduced to a single access point, which can be
protected with a flexible security policy.
OneLogin Roles & Mappings: Automating Complex Access Management
Moreover, an identity provider like OneLogin can make it easier to
securely pass key metadata such as user identifiers and roles to
integrated apps and services, like AWS and all your other corporate
applications. This feature is often called user provisioning, and it can
take place in the background between OneLogin and other apps, or in
real-time at login, depending on the supported integration.
Only advanced identity providers, like OneLogin, can separate
application assignment from permission assignment. This gives
administrators the flexibility to do a clean application deployment so
they can configure role-based access without worrying about any users
getting immediate access, and then gradually give access to users
when approved and ready. A good rules engine uses simple conditions,
with no need for complex code-like expressions to determine whether
a user should get access.
In this OneLogin screenshot, the Active Directory group called IT
Administrators corresponds to several AWS Roles such as S3 Full
Access and Route 53 Full Access.
The end result is that through one connection, administrators are
able to utilize a centralized administrative portal to set up multiple
application rules that build on top of each other. Because these rules
all correlate to Active Directory attributes or groups, administrators
can handle multiple employee joins, moves or leaves at scale.
AWS multi-role provisioning functionality greatly eases the
administrative overhead of securing AWS, allowing IT to move at the speed
of the business to fulfill its mandate of delivering end-user productivity.
Summary of Value and Getting Started With OneLogin
Cloud identity platforms, like OneLogin, provide a comprehensive
solution for managing user identities both in the cloud and behind the
firewall. OneLogin integrates with cloud and on-premise apps using
open standards like SAML and OpenID, to provide services such as
Single Sign-On with Multi-Factor Authentication for web and mobile,
user provisioning into apps, multiple directory integration, and more.
OneLogin comes pre-integrated with thousands of applications.
With OneLogin, organizations have an identity provider that moves at the
speed of their business. As new applications are created or onboarded, IT
can automatically provide access to the correct users. Day 1 productivity
for new employees can be achieved in any new application, greatly
reducing time to value and increasing productivity for the business.
Learn more about user provisioning or role-based access for AWS and
activate a free OneLogin account for AWS by visiting onelogin.com/aws.
Appendix A: How SAML Works
SAML (Security Assertion Markup Language) is an XML-based standard
which passes login information through a browser between an identity
provider server (e.g. appears to the user as a login page) and a 3rd party
web application or service. Below is a snippet of a typical SAML response.
A full response has additional attributes, a digital signature and encryption.
An AWS account is configured to accept logins via the identity
solution for single sign-on, and the identity solution is configured
with the information of the AWS account. The identity solution
authenticates the user with corporate credentials and verifies access,
and sends the user immediately to the AWS Management Console to
continue working. If the user is accessing the app from a special app
portal with all the apps she has access to, then she is already signed in
and can launch the AWS Management Console in a single click. It is a
smooth and frictionless user experience.
Behind the scenes, the user is redirected from the identity solution to
the AWS Management Console with a secure token which identifies the
user who is associated with additional meta information such as the
account identifier and permitted roles.
[Figure: SAML 2.0 flow, IdP-initiated. Participants: User (e.g. via browser), Identity Provider (e.g. OneLogin), Service Provider (e.g. AWS). Steps: the user requests the SSO service; the identity provider authenticates the user; a SAML token is generated with user attributes; the user is redirected to the service with the SAML token; the service provider verifies the SAML token; the user requests access to the service; the auth request is verified; the user is logged into the service.]
Appendix B: How AWS Roles Work
In AWS a role is essentially a set of permissions that grant access to
actions and resources in AWS. Instead of being uniquely associated
with one person, a role is intended to be assumable by anyone who
needs it. Additionally, a role has no credentials of its own. Instead,
when the identity provider requests user access to the role, temporary
credentials are issued that allow the user access to AWS resources.
When a role is created, a permission policy is also created for the role.
This permission policy defines what actions, within the AWS account,
the role is allowed to perform. For identity providers an additional
policy is tied to the role which states which identity providers are
allowed to use the role.
SAML messages, which sign in users with user identifiers as well as
other metadata, include multiple Amazon Resource Names (ARNs) that
point to the accounts and roles permitted for the user. Your identity
provider sources this metadata from its role mappings and digitally
signs it, ensuring that only a trusted provider can sign the user in to
the correct accounts and roles.
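The following Python, added here and not AWS's or OneLogin's code, shows the service-provider side of that exchange: it parses a constructed, minimal SAML Response carrying the AWS Role attribute and models the trust-policy check that decides whether the provider that signed the user in may use each role. It assumes the response's XML signature has already been verified (a real response is signed and may be encrypted, as Appendix A notes); the account ids, role and provider names and the trust policies are constructed, while the attribute name, audience value and sts:AssumeRoleWithSAML action are real AWS identifiers.

```python
# Added example (not AWS's or OneLogin's code): extract the AWS Role pairs
# from a SAML Response and check them against each role's trust policy.
# Assumes the XML signature was already verified upstream.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"   # real AWS attribute name
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"        # real AWS audience value

# Constructed sample response: one user, the same role name in two accounts.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/S3Admin,arn:aws:iam::111111111111:saml-provider/OneLoginSample</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::333333333333:role/S3Admin,arn:aws:iam::333333333333:saml-provider/OneLoginSample</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def trust_policy(account, provider):
    """Constructed trust policy: only `provider` may assume the role via SAML."""
    return {"Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
        "Principal": {"Federated": f"arn:aws:iam::{account}:saml-provider/{provider}"},
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}}}]}

# Account 1111... trusts OneLoginSample; 3333... trusts a different IdP, so
# the second pair in the assertion must be rejected even though the IdP sent it.
TRUST_POLICIES = {
    "arn:aws:iam::111111111111:role/S3Admin": trust_policy("111111111111", "OneLoginSample"),
    "arn:aws:iam::333333333333:role/S3Admin": trust_policy("333333333333", "OtherIdP"),
}

def parse_role_pairs(response_xml):
    """Return (audience, [(role_arn, provider_arn), ...]) from the assertion."""
    root = ET.fromstring(response_xml)
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    pairs = []
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            parts = [p.strip() for p in (val.text or "").split(",")]
            # AWS expects exactly "role-arn,provider-arn"; anything else is malformed.
            if len(parts) != 2 or not all(p.startswith("arn:aws:iam::") for p in parts):
                raise ValueError(f"malformed Role attribute value: {val.text!r}")
            pairs.append((parts[0], parts[1]))
    return audience, pairs

def trust_allows(policy, provider_arn, audience):
    """True if an Allow statement names provider_arn for AssumeRoleWithSAML at this audience."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Action") != "sts:AssumeRoleWithSAML":
            continue
        fed = st.get("Principal", {}).get("Federated")
        if provider_arn not in (fed if isinstance(fed, list) else [fed]):
            continue
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud is None or aud == audience:
            return True
    return False

def assumable_roles(response_xml):
    """Role ARNs the user can actually assume: audience must match and each role must trust the provider."""
    audience, pairs = parse_role_pairs(response_xml)
    if audience != AWS_SAML_AUDIENCE:
        return []
    return [role for role, prov in pairs
            if trust_allows(TRUST_POLICIES.get(role, {}), prov, audience)]
```

The identity provider's mapping decides what it asserts, but the trust policy on each role is what stops an unexpected provider from using that role, which is why both sides of the configuration matter.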
[Figure: AWS IAM policy sample. Source: AWS]
About OneLogin, Inc.
OneLogin brings speed and integrity to the modern enterprise with an
award-winning SSO and identity-management platform. Our portfolio
of solutions secure connections across all users, all devices, and every
application, helping enterprises drive new levels of business integrity
and operational velocity across their entire app portfolios. The choice
for innovators of all sizes such as Condé Nast, Pinterest and Steelcase,
OneLogin manages and secures millions of identities across more than
200 countries around the globe. We are headquartered in San Francisco,
California. For more information, log on to www.onelogin.com, Facebook,
Twitter, or LinkedIn.
About Amazon Web Services
In 2006, Amazon Web Services (AWS) began offering IT infrastructure
services to businesses in the form of web services—now commonly known
as cloud computing. One of the key benefits of cloud computing is the
opportunity to replace up-front capital infrastructure expenses with low
variable costs that scale with your business. With the Cloud, businesses
no longer need to plan for and procure servers and other IT infrastructure
weeks or months in advance. Instead, they can instantly spin up hundreds
or thousands of servers in minutes and deliver results faster.
Today, Amazon Web Services provides a highly reliable, scalable, low-cost
infrastructure platform in the cloud that powers hundreds of thousands of
businesses in 190 countries around the world. With data center locations
in the U.S., Europe, Brazil, Singapore, Japan, and Australia, customers
across all industries are taking advantage of the benefits of AWS.