Post on 24-Jun-2015
transcript
Trust policy statement on the role (who may assume it):
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::1111"
  },
  "Action": "sts:AssumeRole"
}

Permissions policy statement on the role (what the assumed role may do):
{
  "Effect": "Allow",
  "Action": "s3:ListBucket",
  "Resource": "*"
}
Diagram: a role session in an AWS account yields temporary security credentials: Access Key ID, Secret Access Key, Session Token and Expiration.
Diagram: cross-account access. A user in your AWS account assumes a role in another AWS account and, with the role's credentials, reaches that account's resources (an Instances table).
Demo flow:
1. Authenticate with the "Demo" user's access keys.
2. Assume the "CrossAccount" role to get temporary security credentials.
3. Construct a sign-in URL using the temporary security credentials to access the AWS Management Console.
Diagram: demo setup (script).
- My AWS Account (IAM/STS): "CrossAccount" role. Trusts: PM Team AWS Account. Grants: EC2 full and IAM read-only. Uses External ID.
- PM Team AWS Account (IAM/STS): "Demo" IAM user, who can assume the "CrossAccount" role.
Diagram: partner access with an external ID. A user in the partner's AWS account assumes a role in your AWS account, passing the agreed external ID, to reach your resources (Instances table).
{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::EXAMPLE-CORP-ACCOUNT-ID"},
  "Action": "sts:AssumeRole",
  "Condition": {
    "StringEquals": {
      "sts:ExternalId": "ID-ISSUED-BY-EXAMPLE-CORP"
    }
  }
}
Diagram: one partner serving two customers.
- Partner's AWS Account: the partner's user.
- Customer A's AWS Account: Role A. Trusts: partner account, only if External ID = Customer A's external ID.
- Customer B's AWS Account: Role B. Trusts: partner account, only if External ID = Customer B's external ID.
Flow:
1. A customer asks the partner to use role B.
2. The partner assumes role B, passing the customer's external ID while assuming the role.
3. The partner shows customer B's resources.
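The scenario above is what the sts:ExternalId condition protects: a request for role B that carries customer A's external ID must fail even though the partner account itself is trusted. The following is an added example, not code from the deck, that models that check with a deliberately simplified evaluator; the account number and external IDs are constructed placeholders, and the principal is written in the canonical arn:aws:iam::ACCOUNT:root form that the slide abbreviates.

```python
from typing import Optional

# Constructed placeholder account ID; not a value from the deck.
PARTNER_ACCOUNT = "111111111111"


def trust_policy(partner_account: str, external_id: str) -> dict:
    """Role trust policy of the shape shown on the slide (canonical :root principal)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def assume_role_allowed(policy: dict, caller_account: str,
                        external_id: Optional[str]) -> bool:
    """Simplified IAM evaluation of an AssumeRole request against a trust policy.

    A statement matches only if it allows sts:AssumeRole, names the caller's
    account as principal, and every StringEquals condition key is present on
    the request with an equal value (a request with no ExternalId never matches).
    """
    request_context = {"sts:ExternalId": external_id} if external_id else {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request_context.get(k) == v for k, v in conditions.items()):
            return True
    return False


# Role A (customer A's account) and role B (customer B's account) both trust
# the partner account, each keyed to its own constructed external ID.
ROLE_A = trust_policy(PARTNER_ACCOUNT, "ext-id-customer-a")
ROLE_B = trust_policy(PARTNER_ACCOUNT, "ext-id-customer-b")

if __name__ == "__main__":
    # Role B with customer A's external ID is denied; with B's own ID it is allowed.
    print(assume_role_allowed(ROLE_B, PARTNER_ACCOUNT, "ext-id-customer-a"))  # False
    print(assume_role_allowed(ROLE_B, PARTNER_ACCOUNT, "ext-id-customer-b"))  # True
```

Real IAM evaluation also applies explicit denies, other condition operators and the partner's own permissions policy; this model covers only the trust-policy decision the diagram illustrates.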
Diagram: Trend Micro Deep Security for Web Apps.
- My AWS Account (IAM/STS): "TrendMicro" role. Trusts: Trend Micro AWS Account. Grants: a few EC2, ELB and Route 53 actions.
Flow:
1. Authenticate using the access keys of an IAM user in Trend Micro's AWS account.
2. Assume the role to get temporary security credentials.
3. Call AWS APIs (Amazon EC2, Elastic Load Balancing, Route 53) using the temporary security credentials.
Diagram: role for an AWS service. The role lives in your AWS account and is assumed from the AWS service's AWS account to reach your resources (Instances table).
Diagram: role for an Amazon EC2 instance. Your AWS account holds the role (Allow Amazon S3 access but nothing else) and the Amazon EC2 instance; the EC2 service's AWS account assumes the role on the instance's behalf, so the instance can reach Amazon S3 but not Amazon DynamoDB.
Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals