Upload File

aws + sso · 2019. 11. 27. · on subset of api events aws resources aws ec2 run- -- key-name...

  • Home
  • Documents
  • AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa
17
AWS + SSO overcoming challenges

Upload: others

Post on 20-Jan-2021

4 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa

AWS + SSOovercoming challenges

Page 2: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa

AWS CLI w/ Roles

Page 3: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa

MotivationAn SSO user (SUNet ID) inherits permissions via a an AWS Role through their membership to a Stanford Workgroup.

Page 4: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa

Good news: instead of administering an account and/or IAM for each faculty member and/or RA, we just administer a single level of permission. Plus, we get all the extra security associated with leveraging SUNet (MFA, id expiration).

Motivation

Page 5: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa

MotivationBad news: These Roles do not have keys associated with them making aws cli use impossible without some backend engineering

Page 6: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa

SolutionProgrammatically create a temporary IAM role by following the instructions here:

https://aws.amazon.com/blogs/security/how-to-implement-a-general-solution-for-federated-apicli-access-using-saml-2-0/

Our code:

https://code.stanford.edu/morrowwr/awscli-console

https://aws.amazon.com/blogs/security/how-to-implement-a-general-solution-for-federated-apicli-access-using-saml-2-0/
https://aws.amazon.com/blogs/security/how-to-implement-a-general-solution-for-federated-apicli-access-using-saml-2-0/
https://code.stanford.edu/morrowwr/awscli-console
Page 7: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa
Page 8: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa

Auto-Tagging EC2

Page 9: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa

Motivation

As is, if an SSO user were to spin up an EC2 instance, the cost associated

with that instance would be difficult to parse out of total costs across all instances in the account.

However, tagging resources (EC2 instances) by unique identifier of the creator for allows for improved cost allocation purposes

Page 10: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa
Page 11: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa
Page 12: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa

... granting users the permissions to manually assign tags

does not solve the problem

1. users may fail to tag

2. users may tag incorrectly

Page 13: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa

SolutionProgrammatically tag EC2 Resources

AWS Lambda+S3+Cloudtrail application via AWS CloudFormation template

https://github.com/GorillaStack/auto-tag

https://github.com/GorillaStack/auto-tag
Page 14: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa
Page 15: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa
Page 16: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa
Page 17: AWS + SSO · 2019. 11. 27. · on subset of API events AWS Resources aws ec2 run- -- key-name -associate- instances --image-id MyKeyPair - -security- public-ip- address ami-c3b8d6aa

THE DEFINITIVE GUIDE FOR AWS CLOUD EC2 FAMILIES · The Definitive Guide for AWS Cloud EC2 Families 4 White Paper Two Generations of EC2 Instances Amazon introduced small EC2 instances

eG Enterprise V6 - Infrastructure Monitoring Measurements Manuals... · 2.4.3 AWS-EC2 Instance Uptime Test ..... 35 MONITORING THE AWS EC2 REGION

Hybris install telco accelerators on aws-ec2

How to Deploy Auranet Controller on a Private Cloud (AWS EC2) · 2016. 8. 9. · About AWS EC2 Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity via the

Play Framework + Docker + CircleCI + AWS + EC2 Container Service

Installing HortonWork's Hadoop on AWS EC2

AWS Meetup - Exploring ways to buy EC2 capacity

AWS EC2 Spot Instances for Mission Critical Services

Providing SSO to Amazon EC2 Apps from an On-Premises Windows

Optimizing EC2 usage on AWS

Software Defined Network SDN - uni- · PDF file•AWS::EC2::SubnetNetworkAclAssociation (p. 290) •AWS::EC2::SubnetRouteTableAssociation (p. 292) ... Software Defined Network (SDN)

Cloud Tutorial: AWS EC2 and AWS IoTlu/cse520s/slides/cloud_tutorial.pdf · Cloud Tutorial: AWS EC2 and AWS IoT TA for class CSE 520S, Fall, Aug/30/2017 Haoran Li Agenda Ø AWS EC2:

THE DEFINITIVE GUIDE FOR AWS CLOUD EC2 FAMILIES

NetIQ Identity Manager...8 Contents Part VII Deploying Identity Manager on AWS EC2 225 14Planning and Implementation of Identity Manager on AWS EC2 227

The Top 5 AWS EC2 Performance Problems - Datadog

Secure Amazon EC2 Environment with AWS IAM & Resource-Based Permissions (CPN205) | AWS re:Invent 2013

Advanced Enterprise Networking in AWS EC2 / Google

Artem Zhurbila - 2 aws - EC2

Installing Splunk Enterprise on AWS · Deploying Splunk Enterprise on AWS Instance Setting Up EC2 Instance Virtual machines on AWS EC2, also called instances, have many advantages

AWS March 2016 Webinar Series - Amazon EC2 Masterclass

Amazon EC2 Reserved Instances and Other AWS ......Amazon EC2 Reserved Instances and Other AWS Reservation Models AWS Whitepaper Introduction The cloud is well suited for variable workloads

Configuring MongoDB HA Replica Set on AWS EC2

AWS EC2 tutorial

High Performance MongoDB on Storage-Optimized AWS EC2

AWS EC2 Classic Con guration - Cohesive Networks© 2016 AWS EC2 Classic Configuration AWS EC2 Classic Setup for VNS3 2016 © 2016 Table of Contents 2 Introduction 3 ... VNS3 AWS EC2

Spark Application on AWS EC2 Cluster - Santa Clara Universitymwang2/projects/Spark_applicationOnAWS... · 2014-12-14 · Spark Application on AWS EC2 Cluster: ... dataset), mainly

AWS August Webinar Series - EC2 Spot Instances - 08192015

Spark Application on AWS EC2 Clustertwang1/studentProjects/Spark_applicationOnAWS_… · Spark Application on AWS EC2 Cluster: ... Spark with Scala and ... originally developed in

BUNGEE Quick Start Guide for AWS EC2 based elastic cloudsse.informatik.uni-wuerzburg.de/fileadmin/10030200/BUNGEE-HowTo.pdf · for AWS EC2 based elastic clouds ... 4 Installation

Webシステム(AWS EC2)稼働レポート - hinemos.info · Webシステム(AWS EC2)稼働レポート 2015年11月24日

The Top 5 AWS EC2 Performance Problems

Amazon EC2 Masterclass - AWS July 2016 Webinar Series

AWS essentials EC2

Lecture 17 & 18 Hadooping With AWS EC2

THE DEFINITIVE GUIDE FOR AWS CLOUD EC2 …...THE DEFINITIVE GUIDE FOR AWS CLOUD EC2 FAMILIES Introduction Amazon Web Services (AWS), which was officially launched in 2006, offers you