IDENTITY MANAGEMENT IN AWS_
JON TOPPER | @jtopper | he/him/his
IDENTITY_
Latin: idem, "same"
Late Latin: identitas, "identity", the quality of being identical
IDENTITY ENABLES_
Access Control
Trust Delegation
Audit Trail
Security
Compliance
IAM CONCEPTS_
Root User
Users
Groups
Roles
Policies
Tokens
[Diagram: IAM users Alice, Bob and Carla; group PowerUsers; role ci-server-role used by the ci server; policies AmazonEC2ReadOnlyAccess, AmazonS3FullAccess, AdministratorAccess and PowerUserAccess]
PowerUserAccess:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "iam:*",
      "Resource": "*"
    }
  ]
}
ManageOwnCredentials:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*LoginProfile",
        "iam:*AccessKey*",
        "iam:*SSHPublicKey*"
      ],
      "Resource": "arn:aws:iam::00001:user/${aws:username}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAccount*",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}
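Added example (not from the deck): a small Python evaluator for the two policies above, showing how NotAction, the `*` and `?` wildcards, the `${aws:username}` policy variable and the rule that an explicit Deny beats any Allow combine. It models only those elements; Condition keys and the rest of AWS's evaluation logic are out of scope. Account id 00001 is the deck's placeholder, and the extra Deny policy in the usage is constructed for illustration.

```python
"""Minimal IAM identity-policy evaluator (added example; not AWS's engine)."""
import re

# Both policies are copied from the slides; account id 00001 is the deck's placeholder.
POWER_USER_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}],
}
MANAGE_OWN_CREDENTIALS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:*LoginProfile", "iam:*AccessKey*", "iam:*SSHPublicKey*"],
            "Resource": "arn:aws:iam::00001:user/${aws:username}",
        },
        {
            "Effect": "Allow",
            "Action": ["iam:ListAccount*", "iam:GetAccountSummary",
                       "iam:GetAccountPasswordPolicy", "iam:ListUsers"],
            "Resource": "*",
        },
    ],
}


def iam_match(pattern, value, case_sensitive=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.
    Action names are case-insensitive; ARNs are compared case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def substitute(text, context):
    """Expand ${key} policy variables from the request context. An unknown
    variable is left literal, so the element then matches no real ARN."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), text)


def as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_applies(stmt, action, resource, context):
    """True when the statement's Action/NotAction and Resource cover the request."""
    if "Action" in stmt:
        if not any(iam_match(p, action) for p in as_list(stmt["Action"])):
            return False
    elif "NotAction" in stmt:
        # NotAction: the statement covers every action EXCEPT the listed ones.
        if any(iam_match(p, action) for p in as_list(stmt["NotAction"])):
            return False
    else:
        return False
    resources = (substitute(r, context) for r in as_list(stmt.get("Resource")))
    return any(iam_match(r, resource, case_sensitive=True) for r in resources)


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny'. An explicit Deny wins over any Allow, and a
    request matched by no statement is implicitly denied."""
    context = context or {}
    decision = "Deny"
    for policy in policies:
        for stmt in as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    ctx = {"aws:username": "alice"}       # what IAM fills in for Alice's own requests
    own = "arn:aws:iam::00001:user/alice"
    both = [POWER_USER_ACCESS, MANAGE_OWN_CREDENTIALS]
    print(evaluate([POWER_USER_ACCESS], "ec2:RunInstances", "arn:aws:ec2:eu-west-1:00001:instance/i-0abc"))
    print(evaluate([POWER_USER_ACCESS], "iam:CreateUser", own))       # NotAction excludes iam:*
    print(evaluate(both, "iam:CreateAccessKey", own, ctx))             # own user only
    print(evaluate(both, "iam:CreateAccessKey", "arn:aws:iam::00001:user/bob", ctx))
```

The interesting cases are the ones the slides rely on: PowerUserAccess allows `ec2:RunInstances` but denies every `iam:` action, ManageOwnCredentials then re-opens only the credential actions on the caller's own user ARN, and a request made without `aws:username` in the context (no IAM user behind it) leaves the variable unexpanded and is denied.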
[Diagram: the same account with the ManageOwnCredentials policy added alongside users Alice, Bob and Carla, group PowerUsers, role ci-server-role on the ci server, and policies AmazonEC2ReadOnlyAccess, AmazonS3FullAccess, AdministratorAccess and PowerUserAccess]
EC2 ROLES_
$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ci-server-role
{
  "Code" : "Success",
  "LastUpdated" : "2012-04-26T16:39:16Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "token",
  "Expiration" : "2012-04-27T22:39:16Z"
}
MULTI FACTOR AUTHENTICATION_
IAM BEST PRACTICE_
User Per Individual
No Root User
Multi-Factor Auth Token
Least Privilege
CloudTrail
CROSS-ACCOUNT ROLE ASSUMPTION_
[Diagram: Scale Factory SSO account (00001) holding users Bob and Carla and the AssumeCustomerRole / AssumeRoleCustomerMgmt policy; customer management account (00005) holding the ScaleFactoryUser role with PowerUserAccess and a trust relationship policy]
Trust relationship policy on the ScaleFactoryUser role, customer management account (00005):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::00001:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
    }
  ]
}
AssumeRoleCustomerMgmt policy, Scale Factory SSO account (00001):
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::00005:role/ScaleFactoryUser"
  }
}
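Added example, not from the deck: a Python simulation of the two checks a cross-account sts:AssumeRole has to pass when the trust policy names an account root, as above. Bob's identity policy in 00001 must allow the call on the role ARN, and the role's trust policy in 00005 must trust Bob's account and see `aws:MultiFactorAuthPresent` as true. Both policies are copied from the slide; the caller ARN `arn:aws:iam::00001:user/bob` is assumed, and STS itself is not called, so this runs offline.

```python
"""Offline simulation of a cross-account sts:AssumeRole (added example; STS is not
called). Both policies are copied from the slides; the caller identity is assumed."""
import re

# Trust relationship policy on role ScaleFactoryUser, customer management account 00005.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::00001:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}
# AssumeRoleCustomerMgmt identity policy attached to Bob in the SSO account 00001.
ASSUME_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::00005:role/ScaleFactoryUser",
    },
}
ROLE_ARN = "arn:aws:iam::00005:role/ScaleFactoryUser"
BOB = "arn:aws:iam::00001:user/bob"  # assumed caller ARN (not on the slide)


def as_list(value):
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value):
    """IAM glob ('*' any run, '?' one character), compared case-insensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def account_of(arn):
    """Account id field of an ARN: arn:partition:service:region:account:resource."""
    return arn.split(":")[4]


def caller_policy_permits(policy, role_arn):
    """First check: the caller's own identity policy must allow sts:AssumeRole on
    the role. With an account-root principal in the trust policy this is required."""
    allowed = False
    for stmt in as_list(policy["Statement"]):
        if not any(iam_match(a, "sts:AssumeRole") for a in as_list(stmt["Action"])):
            continue
        if not any(iam_match(r, role_arn) for r in as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_policy_permits(trust_policy, caller_arn, mfa_present):
    """Second check: the role's trust policy. 'arn:aws:iam::<acct>:root' as the
    Principal means any principal in that account. A Bool condition on
    aws:MultiFactorAuthPresent is false when the key is absent (mfa_present=None),
    which is how a caller using long-term access keys looks, so the role stays
    closed to those even though they belong to the trusted account."""
    for stmt in as_list(trust_policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if not any(iam_match(a, "sts:AssumeRole") for a in as_list(stmt["Action"])):
            continue
        principals = as_list(stmt["Principal"].get("AWS", []))
        trusted = any(
            p == caller_arn or (p.endswith(":root") and account_of(p) == account_of(caller_arn))
            for p in principals
        )
        if not trusted:
            continue
        required = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if required is not None:
            if mfa_present is None or str(mfa_present).lower() != required.lower():
                continue
        return True
    return False


def can_assume(caller_arn, caller_policy, role_arn, trust_policy, mfa_present):
    """Return (ok, reason). Both accounts must agree before STS issues credentials."""
    if not caller_policy_permits(caller_policy, role_arn):
        return False, "caller's identity policy does not allow sts:AssumeRole on this role"
    if not trust_policy_permits(trust_policy, caller_arn, mfa_present):
        return False, "role's trust policy rejects the caller (principal or MFA condition)"
    return True, "ok"


if __name__ == "__main__":
    print(can_assume(BOB, ASSUME_ROLE_POLICY, ROLE_ARN, TRUST_POLICY, mfa_present=True))
    print(can_assume(BOB, ASSUME_ROLE_POLICY, ROLE_ARN, TRUST_POLICY, mfa_present=None))
```

The split is the point of the slide: the SSO account decides who may try to assume the role, the customer account decides whom it trusts and under what condition, and the MFA condition lives on the customer side, so the customer keeps control of it regardless of how the SSO account is administered.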
EXTERNAL SOURCE OF IDENTITY_
[Diagram: an external identity provider (IAM Identity Providers) federated into the ScaleFactorySSOUser role, which carries PowerUserAccess and a trust relationship policy]
https://blog.faisalmisle.com/2015/11/using-google-apps-saml-sso-to-do-one-click-login-to-aws/
AWS COGNITO_
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
      }
    }
  ]
}
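Added example (not from the deck): the Cognito-scoped DynamoDB policy above evaluated in Python against constructed request contexts. It implements the two set operators IAM uses for multivalued keys such as `dynamodb:LeadingKeys`, so it shows why `ForAllValues:StringEquals` lets a caller touch only items whose partition key is their own identity id, and why it must be paired with a tight action list: `ForAllValues` is vacuously true when the request carries no values for the key. The identity ids and table requests are made up; the policy is copied from the slide.

```python
"""Evaluate the Cognito/DynamoDB fine-grained policy from the slide against
constructed request contexts (added example; not AWS's evaluator)."""
import re

COGNITO_TABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
                   "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
                   "dynamodb:BatchWriteItem"],
        "Resource": ["arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"],
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
            }
        },
    }],
}
TABLE = "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable"
ME = "us-west-2:11111111-aaaa-4bbb-8ccc-000000000001"     # constructed identity id
OTHER = "us-west-2:22222222-bbbb-4ccc-8ddd-000000000002"  # constructed identity id


def as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def substitute(text, ctx):
    """Expand ${key} policy variables from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), text)


def condition_holds(condition, ctx):
    """ForAllValues:StringEquals -> every value of the request key is in the policy set.
    ForAnyValue:StringEquals  -> at least one value is.
    ForAllValues is vacuously true when the request carries no values for the key
    (no dynamodb:LeadingKeys at all, as on a Scan); the slide's policy neutralises
    that by never listing such actions."""
    for operator, pairs in condition.items():
        set_op, _, base_op = operator.partition(":")
        if base_op != "StringEquals":
            raise NotImplementedError(operator)
        for key, policy_values in pairs.items():
            allowed = {substitute(v, ctx) for v in as_list(policy_values)}
            present = as_list(ctx.get(key))
            if set_op == "ForAllValues":
                ok = all(v in allowed for v in present)
            elif set_op == "ForAnyValue":
                ok = any(v in allowed for v in present)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Allow only when a statement lists the exact action and resource (this
    policy uses no wildcards) and its condition holds for the request."""
    for stmt in as_list(policy["Statement"]):
        if action not in as_list(stmt["Action"]):
            continue
        if resource not in as_list(stmt["Resource"]):
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        return stmt["Effect"] == "Allow"
    return False


def request(identity_id, leading_keys):
    """Context Cognito and DynamoDB present to IAM: the caller's identity id and
    the partition-key values the call touches."""
    return {"cognito-identity.amazonaws.com:sub": identity_id,
            "dynamodb:LeadingKeys": leading_keys}


if __name__ == "__main__":
    print(is_allowed(COGNITO_TABLE_POLICY, "dynamodb:GetItem", TABLE, request(ME, [ME])))
    print(is_allowed(COGNITO_TABLE_POLICY, "dynamodb:BatchGetItem", TABLE, request(ME, [ME, OTHER])))
    print(condition_holds(COGNITO_TABLE_POLICY["Statement"][0]["Condition"], request(ME, [])))
```

A batch call that mixes the caller's own key with somebody else's is refused as a whole, which is the behaviour you want from per-user row scoping; the last line shows the empty-set case passing the condition on its own, which is why `dynamodb:Scan` is absent from the action list rather than relied on being caught by the condition.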
YOUR IAM MIGHT NEED WORK IF YOU_
Log in with the root account
Have >1 identity for each person
Don’t use MFA
Hard-code tokens in app config
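Added example (not from the deck): detection logic for the first and third warning signs above, run over constructed CloudTrail ConsoleLogin records. CloudTrail, the last item on the best-practice slide, records every console login with the identity type and whether MFA was used, so root logins and password-only logins can be flagged from the trail. The records below are made up but follow the ConsoleLogin record layout; account id 00001 is the deck's placeholder.

```python
"""Flag root-account console logins and console logins without MFA in CloudTrail
records (added example; the records are constructed, not real trail data)."""
import gzip
import json

# Constructed ConsoleLogin records in the shape CloudTrail writes them.
SAMPLE_RECORDS = [
    {"eventTime": "2020-03-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::00001:root", "accountId": "00001"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2020-03-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::00001:user/alice", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2020-03-01T08:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::00001:user/bob", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2020-03-01T08:15:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.13",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::00001:user/carla", "userName": "carla"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2020-03-01T08:20:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.14",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::00001:assumed-role/ScaleFactorySSOUser/alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2020-03-01T08:25:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::00001:user/alice"}},
]

# Federated (AssumedRole) console sessions show MFAUsed "No" because the second
# factor was checked by the identity provider, not by AWS; auditing them here
# would only produce noise, so the MFA rule covers password-based identities.
MFA_AUDITED_TYPES = {"Root", "IAMUser"}


def findings(records):
    """Return (rule, principal ARN, eventTime) for every violation found.
    Root logins are flagged whether or not they succeeded; the MFA rule fires
    only on successful logins, since a failed attempt granted nothing."""
    out = []
    for ev in records:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        ident = ev.get("userIdentity", {})
        who = ident.get("arn", ident.get("type", "unknown"))
        when = ev.get("eventTime")
        success = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa_used = ev.get("additionalEventData", {}).get("MFAUsed")
        if ident.get("type") == "Root":
            out.append(("root-console-login", who, when))
        if success and ident.get("type") in MFA_AUDITED_TYPES and mfa_used != "Yes":
            out.append(("console-login-without-mfa", who, when))
    return out


def principals_without_mfa(records):
    """Sorted list of identities that logged in without MFA: the remediation list."""
    return sorted({who for rule, who, _ in findings(records) if rule == "console-login-without-mfa"})


def load_records(raw):
    """CloudTrail delivers gzip-compressed JSON objects with a top-level "Records"
    list; accept either the compressed bytes or the decoded text."""
    if isinstance(raw, bytes):
        if raw[:2] == b"\x1f\x8b":
            raw = gzip.decompress(raw)
        raw = raw.decode("utf-8")
    return json.loads(raw)["Records"]


def sample_log_file():
    """The constructed records packed the way a trail file arrives in S3."""
    return gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode("utf-8"))


if __name__ == "__main__":
    for finding in findings(load_records(sample_log_file())):
        print(*finding)
```

Run against real trail files, the only change is feeding `load_records` the objects from the trail's S3 bucket; the rules themselves are the two slide items turned into predicates on the record fields.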
YOU MAY BENEFIT FROM_
Role Assumption
Cross-Account Access
Federated Identity
Cognito
KEEP IN TOUCH_
http://www.scalefactory.com/
https://github.com/scalefactory
@jtopper / @scalefactory