IDENTITY MANAGEMENT IN AWS_
JON TOPPER | @jtopper | he/him/his
IDENTITY_
Latin: idem (same). Late Latin: identitas (identity; the quality of being identical).
IDENTITY ENABLES_
Access Control
Trust Delegation
Audit Trail
Security
Compliance
IAM CONCEPTS_
Root User
Users
Groups
Roles
Policies
Tokens
[Diagram: users Alice, Bob and Carla; group PowerUsers; role ci-server-role; managed policies AmazonEC2ReadOnlyAccess, AmazonS3FullAccess, AdministratorAccess and PowerUserAccess; a principal labelled ci]
PowerUserAccess:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*"
    }
  ]
}
ManageOwnCredentials:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:*SSHPublicKey*"
      ],
      "Resource": "arn:aws:iam::00001:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccount*",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
EC2 ROLES_
$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ci-server-role
{
  "Code" : "Success",
  "LastUpdated" : "2012-04-26T16:39:16Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "token",
  "Expiration" : "2012-04-27T22:39:16Z"
}
MULTI FACTOR AUTHENTICATION_
IAM BEST PRACTICE_
User Per Individual
No Root User
Multi-Factor Auth Token
Least Privilege
CloudTrail
CROSS-ACCOUNT ROLE ASSUMPTION_
[Diagram: SCALE FACTORY SSO ACCOUNT (00001) and CUSTOMER MGMT ACCOUNT (00005). Bob and Carla in the SSO account hold the AssumeRoleCustomerMgmt policy and assume the ScaleFactoryUser role (PowerUserAccess attached) in the customer account; the role's Trust Relationship Policy is labelled AssumeCustomerRole]
Trust relationship policy on the ScaleFactoryUser role (customer mgmt account 00005):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::00001:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
AssumeRoleCustomerMgmt policy (SSO account 00001):
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::00005:role/ScaleFactoryUser"
  }
}
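As an added example (not code from the deck), a small Python check that audits a role's trust relationship policy for the property the slide relies on: every Allow sts:AssumeRole statement that admits a principal from another account must carry the strict aws:MultiFactorAuthPresent condition, and no statement may trust "*". The first sample policy is the deck's own; the weaker variant, the account ids 00001/00005 and the function names are assumptions constructed for the example.

```python
import json

def _as_list(value):
    """Most IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _requires_mfa(statement):
    """True only for a strict Bool aws:MultiFactorAuthPresent=true condition.
    BoolIfExists is deliberately not accepted: it passes when the key is absent,
    which is the case for callers whose credentials carry no MFA context."""
    cond = statement.get("Condition") or {}
    flag = (cond.get("Bool") or {}).get("aws:MultiFactorAuthPresent", "")
    return str(flag).lower() == "true"

def audit_trust_policy(policy, own_account):
    """Return findings (strings) for a role's trust relationship policy.
    own_account is the account that owns the role; same-account principals are
    not flagged. Short placeholder ids such as 00005 (as in the deck) work the same way."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*":
            findings.append(f"statement {idx}: role can be assumed by any AWS principal")
            continue
        for arn in _as_list(aws):
            # arn:aws:iam::<account>:root (or :user/... / :role/...); a bare account id is also accepted
            account = arn.split(":")[4] if arn.count(":") >= 5 else arn
            if account != own_account and not _requires_mfa(stmt):
                findings.append(f"statement {idx}: {arn} may assume the role without MFA")
    return findings

# The trust relationship policy shown in the deck: account 00001 may assume the role, MFA required.
DECK_TRUST_POLICY = json.loads("""{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::00001:root" }, "Action": "sts:AssumeRole",
  "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] }""")

# Constructed weaker variant for comparison: same principal, MFA condition dropped,
# written with a single Statement object rather than a list (IAM accepts both forms).
NO_MFA_POLICY = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::00001:root"}, "Action": "sts:AssumeRole"}}

if __name__ == "__main__":
    for name, pol in (("deck", DECK_TRUST_POLICY), ("no-mfa", NO_MFA_POLICY)):
        print(name, audit_trust_policy(pol, "00005") or "ok")
```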
EXTERNAL SOURCE OF IDENTITY_
[Diagram: role ScaleFactorySSOUser with PowerUserAccess attached; its Trust Relationship Policy trusts external Identity Providers]
https://blog.faisalmisle.com/2015/11/using-google-apps-saml-sso-to-do-one-click-login-to-aws/
AWS COGNITO_
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
      }
    }
  ]
}
YOUR IAM MIGHT NEED WORK IF YOU_
Log in with the root account
Have >1 identity for each person
Don’t use MFA
Hard-code tokens in app config
YOU MAY BENEFIT FROM_
Role Assumption
Cross-Account Access
Federated Identity
Cognito
KEEP IN TOUCH_
http://www.scalefactory.com/
https://github.com/scalefactory
@jtopper / @scalefactory