Posted: 14-Apr-2017 | Category: Technology | Uploaded by: amazon-web-services
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Rob Moncur, AWS Senior Product Manager
Sonya Ryherd, Cox Automotive Senior Systems Engineer
October 2015
SEC315: AWS Directory Service Deep Dive
What to expect from this session
• How can I use AWS Directory Service?
• Demo: Setting up a directory quickly and easily
• Demo: Domain join Windows and Linux
• Federation with Directory Service
• Discussion and demo with Sonya Ryherd from Cox Automotive
• WorkSpaces, WorkDocs, WorkMail integration
• Demo: Login and SSO with WorkSpaces and WorkDocs
• A few things to keep in mind
• Q&A in the AWS Security Booth
Managing servers at scale is difficult
What is AWS Directory Service?
• New directory in AWS: Simple AD, based on Samba 4
• Connect existing directory to AWS: AD Connector, a custom federation proxy to your on-premises directory
Demo 1: Setting up a new directory (Simple AD)
Demo 2: Joining instances to a directory (Simple AD; EC2 Windows and EC2 Linux)
Joining your Linux instance
# Step 1 - Log in to the instance. xxx.xxx.xxx.xxx and the <...> names are placeholders
# for values mangled in extraction; ec2-user is assumed as the default Amazon Linux login.
ssh -i "tuesday-demo.pem" ec2-user@xxx.xxx.xxx.xxx
# Step 2 - Make any updates, install SSSD
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
# Step 3 - Join the instance to the directory (realm prompts for the directory admin's password)
sudo realm join -U <admin-user>@tuesday.mydirectory.com tuesday.mydirectory.com --verbose
# Step 4 - Edit the config file so directory users can authenticate over SSH; set this line:
sudo vi /etc/ssh/sshd_config
PasswordAuthentication yes
# Start SSSD
sudo service sssd start
# Step 5 - Restart the instance - from the AWS Console. Log back in.
# Step 6 - Add the domain administrators group from the example.com domain to sudoers.
sudo visudo -f /etc/sudoers
%Domain\ Admins@example.com ALL=(ALL:ALL) ALL
# Step 7 - approve a login (realm permit limits which directory users may log in to this host)
sudo realm permit <user1>@tuesday.mydirectory.com
sudo realm permit <user2>@tuesday.mydirectory.com
# Step 8 - login using a linux user (directory user, then the instance address)
ssh <user1>@tuesday.mydirectory.com@xxx.xxx.xxx.xxx
Managing federation to AWS
• Set up and manage SAML infrastructure
• Assign roles to users manually
• Now it is easier to set up federation
Sonya Ryherd, Sr. Systems Engineer
Who is Cox Automotive?
Our account hierarchy (diagram)
A master billing account sits at the top, with an AWS shared-services account and the AWS application accounts beneath it. Application accounts are split into production management and nonproduction management; each holds applications (Application #1, Application #2) with one or more virtual private clouds (VPC #1, VPC #2, VPC #3).
Account access nightmare
• No centralized access management
• Multiple IAM users required to manage each application
• Users confused – What account/role/URL do I use to manage Application X?
(Diagram: AWS account 1 through AWS account 8, each with its own separate IAM.)
AD Connector federation (diagram)
Setup: 1) Assign IAM roles to AD users via the AWS Directory Service console (mycompany.awsapps.com/console); AD users and groups (User1, User2, Group1) are mapped to IAM roles (ReadOnly, Admin, S3-Access). 2) AD users log in via the access URL.
Login flow: 1 – Log in using AD credentials. 2 – LDAP and Kerberos requests are proxied over VPN to the on-premises AD. 3 – AssumeRole into the AWS Management Console.
Cross-account access (Directory Services / Cross Account Access Demo - Video)
AD users authenticate through AD Connector and land in the management account in one of four roles: CAA-AdministratorAccessRole, CAA-NetworkAccessRole, CAA-CloudEngineerRole, CAA-ReadOnlyAccessRole.
Each CAA-* role's permission policy allows sts:AssumeRole only on the matching role in each application account, e.g. for NetworkAccessRole:
  "Action": ["sts:AssumeRole"],
  "Resource": [
    "arn:aws:iam::[account1-id]:role/IAM-1-NetworkAccessRole-*",
    "arn:aws:iam::[account2-id]:role/IAM-1-NetworkAccessRole-*"
  ]
Each application account holds the corresponding roles (AdministratorAccessRole, NetworkAccessRole, CloudEngineerRole, ReadOnlyAccessRole). The trusted entities in each role's assume role policy document name the management-account role:
  "Principal": {"AWS": "arn:aws:iam::[management-account-id]:role/CAA-NetworkAccessRole"},
  "Action": "sts:AssumeRole"
Diagram: steps 1 to 3 take place in the management account (log in at mycompany.awsapps.com/console); step 4 is the switch role into the application account.
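As an added example (not from the slides or from Cox Automotive), a small Python checker for the two halves of the cross-account pattern above: the management-account role's permission policy must allow sts:AssumeRole on the target role, and the application-account role's trust policy must name the management-account role; either half missing means the switch-role step fails. The account ids, role-name suffix and policy documents are constructed placeholders modelled on the slide.

```python
import fnmatch
import json

# Constructed example modelled on the slide's NetworkAccessRole pair; account ids are
# placeholders. Management account 111111111111 holds CAA-NetworkAccessRole; application
# account 222222222222 holds NetworkAccessRole (ARN pattern IAM-1-NetworkAccessRole-*).
CAA_NETWORK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Resource": "arn:aws:iam::222222222222:role/IAM-1-NetworkAccessRole-*"}]
}""")

APP_NETWORK_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": "arn:aws:iam::111111111111:role/CAA-NetworkAccessRole"}}]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return fnmatch.fnmatchcase(value, pattern)

def caller_may_assume(caller_policy, target_role_arn):
    """Does the calling role's permission policy allow sts:AssumeRole on the target role?"""
    for stmt in caller_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action", []))) and \
                any(_matches(r, target_role_arn) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False

def target_trusts(trust_policy, caller_role_arn):
    """Does the target role's trust policy name the calling role as a principal?"""
    for stmt in trust_policy["Statement"]:
        principal = stmt.get("Principal", {})
        allowed = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action", [])) \
                and any(p in ("*", caller_role_arn) for p in allowed):
            return True
    return False

def cross_account_allowed(caller_policy, caller_role_arn, trust_policy, target_role_arn):
    """Both halves must agree, or the switch-role step into the application account fails."""
    return (caller_may_assume(caller_policy, target_role_arn)
            and target_trusts(trust_policy, caller_role_arn))
```

The checker only models the Allow statements shown on the slide; real evaluation also honours explicit Deny statements and conditions, so treat it as a lint for the pattern, not a replacement for the IAM policy simulator.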
Retrieving tokens for API access with ALKS
ALKS (AirLiftKeyServices, https://github.com/AirLiftKeyServices/ALKS) fronts Windows Active Directory with a browser interface. Diagram elements: the user browses to a URL, authenticates against Windows Active Directory and requests tokens; ALKS calls GetFederatedTokens and shows the keys in a pop-up, or redirects the user to the AWS Management Console.
ALKS Demonstration (ALKS Demo - Video)
AWS Applications integration
WorkSpaces, WorkDocs and WorkMail integrate with Simple AD / AD Connector; users sign in at the directory's access URL, e.g. https://mycompany.awsapps.com
Demo 5: WorkSpaces and WorkDocs SSO (Simple AD; EC2 Windows, EC2 Linux, a WorkSpace and a WorkDocs site)
Things to keep in mind
Samba 4 compatibility
• Users: 500 (small) / 5,000 (large)
• ADUC compatibility – Use Windows Server 2008 R2
• Windows PowerShell cmdlets not supported
• Schema extensions not supported
• Domain forest/trust not supported
• Only 2 domain controllers
• No LDAP-S
• No MFA
AD Connector
• A federation mechanism to AWS
• A pure proxy – No information is cached
• Not a way around your firewall
• Availability is tied to your on-premises network
• Set up a domain controller in your VPC
APIs + AWS CloudTrail
• Create and configure via API
• API calls logged in CloudTrail
Demo 6: Create directory via AWS CLI
Regional availability
Get started today! Visit our website: aws.amazon.com/directoryservice. 30-day free trial for small directories.
Remember to complete your evaluations!
Thank you!
Q&A in the AWS Security Booth