(SEC307) A Progressive Journey Through AWS IAM Federation Options
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Quint Van Deman, Sr. IT Transformation Consultant, AWS Professional Services
Chad Wintzer, DevOps Engineering Lead, Dow Jones & Company
October 2015
SEC 307
A Progressive Journey Through AWS IAM Federation Options: From Roles to SAML to Custom Identity Brokers
What you will take away from this session
• Understand your federation options
• Get it right at scale
• Plan your approach
• Tooling to get started
Session prerequisites
• To get the most out of this session, you must be comfortable with several building blocks: AWS IAM, roles, policies, AWS STS, long-lived credentials, and temporary credentials.
• If you need to brush up, check out:
• SEC305 – Become an AWS IAM Policy Ninja in 60 Minutes or Less
• SEC302 – IAM Best Practices to Live By
AWS IAM federation: A progression of options
• Cross-account trust
• AWS Directory Service
• Security Assertion Markup Language (SAML)
• Custom identity broker
Involvement and control both increase along this progression. Related sessions: SEC305, SEC315. Session focus: SAML and the custom identity broker.
Federation rationale

| Before | After | Result |
|---|---|---|
| Unique credentials | Single sign-on | Users |
| Long-lived keys | Short-term tokens | Security |
| One-off | Naturally aligned | Compliance |
The journey: Federation with Security Assertion Markup Language (SAML)
Quick SAML primer
Identity provider (IdP) and service provider:
• Metadata is exchanged in advance.
• An assertion is passed during the login flow.
Basic AWS federation with SAML
• Known science, assuming:
• Few AWS accounts
• AWS Management Console access
• Well documented:
• Whitepapers
• Blogs
• Documentation
AWS federation with SAML: At-scale
• Many AWS accounts?
• Lots of users?
• Lots of AWS IAM roles?
• Multiple access vectors?
• Resource-level permissions?
• AWS CloudTrail impacts?
• IdP unavailable strategy?
• ???
Dive deep = Get it right
AWS federation with SAML: At-scale demo
• Automate onboarding
• User experience
• Under the hood
AWS federation with SAML: At-scale demo – Automate onboarding
Directory: group definitions. AWS account: providers, roles, and policies.
Key takeaways
• Automate deployment of IAM roles and policies.
• Automate deployment of companion directory structure.
• Keep role definitions constant across accounts.
AWS federation with SAML: At-scale demo – Smooth user experience
Access vectors: AWS SDKs, AWS CLI.
Key takeaways
• Federation shouldn’t limit access vectors.
• Getting users into groups should be automated and efficient.
• Don’t create a “low-to-high” exposure in the back end.
AWS federation with SAML: At-scale demo – Under the hood
IdP configurations; AWS CloudTrail samples.
Key takeaways
• Naming conventions are critical.
• Configurations should rely on patterns, not values.
• Think about traceability now.
• Tighter policies help reduce AWS account sprawl.
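Added example in Python, not code from the talk or from the demo tooling: one naming pattern drives the IAM role trust policy, the companion directory group, and the SAML attribute values, so a new account is onboarded with data rather than hand-edited IdP rules, and the RoleSessionName attribute keeps CloudTrail traceable. The role names, the group pattern AWS_<ALIAS>_<ROLE>, the provider name and the account ids are assumptions.

```python
import json
import re

# Assumed conventions: the same three role names exist in every account, and
# the directory group AWS_<ACCOUNT ALIAS>_<ROLE> pairs with each role.
ROLE_NAMES = ["developer", "readonly", "admin"]
GROUP_RE = re.compile(r"^AWS_([A-Z0-9]+)_([A-Z0-9]+)$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Fixed values AWS uses for SAML federation (not assumptions).
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"


def group_name(account_alias, role_name):
    """Companion directory group for a role, derived from the pattern."""
    return f"AWS_{account_alias}_{role_name}".upper()


def trust_policy(account_id, provider_name):
    """Role trust policy: only the named SAML provider may assume the role, and
    the audience condition rejects assertions minted for some other SP."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account id must be 12 digits")
    provider_arn = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def onboard_account(account_id, account_alias, provider_name):
    """Everything to deploy for one new account: role definitions that are
    identical across accounts, plus the directory group paired with each."""
    return {
        name: {
            "RoleArn": f"arn:aws:iam::{account_id}:role/{name}",
            "TrustPolicy": trust_policy(account_id, provider_name),
            "DirectoryGroup": group_name(account_alias, name),
        }
        for name in ROLE_NAMES
    }


def saml_attributes(user_id, accounts, provider_name, user_groups):
    """Attribute values the IdP would emit, parsed from the user's groups by
    the same pattern. 'accounts' maps upper-case alias -> account id.
    RoleSessionName is what CloudTrail records as the user name, so a
    stable user id keeps every API call traceable to a person."""
    role_values = []
    for group in user_groups:
        match = GROUP_RE.match(group)
        if not match:
            continue  # unrelated group, e.g. VPN_USERS
        alias, role = match.group(1), match.group(2).lower()
        if alias not in accounts or role not in ROLE_NAMES:
            continue  # pattern matched but no such account or role is deployed
        account_id = accounts[alias]
        role_values.append(
            f"arn:aws:iam::{account_id}:role/{role},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
        )
    return {ROLE_ATTR: role_values, SESSION_NAME_ATTR: user_id}


if __name__ == "__main__":
    deployed = onboard_account("111111111111", "prodshared", "corp-idp")
    print(json.dumps(deployed["developer"], indent=2))
    print(saml_attributes("bob", {"PRODSHARED": "111111111111"}, "corp-idp",
                          ["AWS_PRODSHARED_DEVELOPER", "VPN_USERS"]))
```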
AWS federation with SAML: Looking beyond
• For some: SAML bliss!
• For others: Further needs.
• Alternate user mapping
• Curtail role sprawl
• Curtail group sprawl
• More granular, contextual policies
• If so:
• Custom identity broker
The journey: Federation using a custom identity broker
About the presenter’s company (Dow Jones & Company):
• 3+ years on AWS
• Several flagship products run on AWS, including WSJ.com
• 3,000+ Amazon EC2 instances
How we interact with AWS
Automate!
Our journey through identity management
• IAM users with static keys
• Nova v1: Basic roles
• Nova v2: Resource-level permissions, tagging standards
• Nova v3: Dynamic policy generation
Nova workflow
1. Bob the Engineer opens the PHP web application.
2. Corporate SSO authenticates Bob with MFA.
3. Active Directory: look up Bob’s group membership.
4. Nova database: group-to-role mappings.
5. Ask Bob which AWS account he would like to access, based on the roles available to him.
6. IAM API: sts:AssumeRole for the appropriate IAM role.
7. Result: access to the AWS Management Console and keys for API/CLI access.
Nova v1 basic roles
• General roles like “Developer” assignable to different AWS accounts
• Maps membership in AD groups to IAM roles
(Diagram: roles mapped across AWS accounts.)
Active Directory group: NOVA_PRODSHARED_DEVELOPER
IAM role: nova.prodshared.developer
Role policy (the action list continues on the slide; only the captured entries are shown):
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": ["*"],
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssignPrivateIpAddresses",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:AttachVolume",
        "ec2:BundleInstance",
        "ec2:CancelBundleTask",
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CancelSpotInstanceRequests",
        "ec2:ConfirmProductInstance",
        "ec2:CopyImage",
        "ec2:CopySnapshot",
        "ec2:CreateImage",
        "ec2:CreateInstanceExportTask",
        "ec2:CreateKeyPair",
        "ec2:CreateNetworkInterface",
        "ec2:CreatePlacementGroup",
        "ec2:CreateSnapshot",
        "ec2:CreateSpotDatafeedSubscription",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteKeyPair",
        "ec2:DeleteNetworkInterface"
      ]
    }
  ]
}
```
Nova v2 resource-level permissions
• Tagging and resource-level permissions matured
• Tagging resources by team enabled resource-level permissions by team
• Easy expansion, no changes necessary to Nova
(Diagram: roles scoped to tagged resources.)
Active Directory group: NOVA_PRODSHARED_DJCS_DEV
IAM role: nova.prodshared.djcs.developer
Role policy, now conditioned on the resource tag (the action list continues on the slide; only the captured entries are shown):
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": ["*"],
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/servicename": [
            "djcs/*"
          ]
        }
      },
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssignPrivateIpAddresses",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:AttachVolume",
        "ec2:BundleInstance",
        "ec2:CancelBundleTask",
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CancelSpotInstanceRequests",
        "ec2:ConfirmProductInstance",
        "ec2:CopyImage",
        "ec2:CopySnapshot",
        "ec2:CreateImage"
      ]
    }
  ]
}
```
Nova v3 dynamic policy generation
User flow: Authenticate w/ MFA → Select AWS account → Select application → Select lifecycle
Tagged resources in the diagram (EC2 instances, Amazon RDS instance, Amazon Route 53 zone): Application: Poseidon, Lifecycle: Prod
Generated policy statement for that selection; both tag conditions must match (the action list continues on the slide; only the captured entries are shown):
```json
{
  "Effect": "Allow",
  "Resource": ["*"],
  "Condition": {
    "StringLike": {
      "ec2:ResourceTag/Application": [
        "Poseidon"
      ],
      "ec2:ResourceTag/Lifecycle": [
        "Prod"
      ]
    }
  },
  "Action": [
    "ec2:AllocateAddress",
    "ec2:AssignPrivateIpAddresses",
    "ec2:AssociateAddress",
    "ec2:AttachNetworkInterface",
    "ec2:AttachVolume",
    "ec2:BundleInstance",
    "ec2:CancelBundleTask",
    "ec2:CancelConversionTask",
    "ec2:CancelExportTask",
    "ec2:CancelSpotInstanceRequests",
    "ec2:ConfirmProductInstance",
    "ec2:CopyImage",
    "ec2:CopySnapshot"
  ]
}
```
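Added example in Python, not the Nova application from the talk: the broker step the Nova workflow describes, with a mapping table standing in for the Nova database, the user’s account/application/lifecycle selection turned into a generated session policy, and the resulting sts:AssumeRole parameters. The check that the user actually holds a mapped group guards against the “low-to-high” back-end exposure from the takeaways; the two group names from the slides are reused, while the account ids, the extra sandbox mapping and the short action list are constructed.

```python
import json
import re

# Stand-in for the Nova database's group-to-role mappings (constructed).
GROUP_TO_ROLE = {
    "NOVA_PRODSHARED_DEVELOPER": ("prodshared", "nova.prodshared.developer"),
    "NOVA_PRODSHARED_DJCS_DEV": ("prodshared", "nova.prodshared.djcs.developer"),
    "NOVA_SANDBOX_ADMIN": ("sandbox", "nova.sandbox.admin"),
}
ACCOUNT_IDS = {"prodshared": "111111111111", "sandbox": "222222222222"}  # constructed
# Short constructed action list; the slides show a much longer EC2 list.
ACTIONS = ["ec2:AttachVolume", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume"]
# Tag values are user-chosen: reject '*' and '?' so StringLike cannot be widened.
TAG_VALUE_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
# STS constraint on RoleSessionName: 2-64 characters from [\w+=,.@-].
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def available_roles(user_groups):
    """(account, role) pairs the user may assume, derived only from groups the
    directory actually returned, so the broker never offers a role the user lacks."""
    return sorted({GROUP_TO_ROLE[g] for g in user_groups if g in GROUP_TO_ROLE})


def session_policy(application, lifecycle):
    """Policy passed with AssumeRole. It can only narrow the role's own
    permissions, never widen them, so a bad selection cannot escalate."""
    for value in (application, lifecycle):
        if not TAG_VALUE_RE.match(value):
            raise ValueError(f"tag value rejected: {value!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Resource": ["*"],
            "Condition": {"StringLike": {
                "ec2:ResourceTag/Application": [application],
                "ec2:ResourceTag/Lifecycle": [lifecycle],
            }},
            "Action": ACTIONS,
        }],
    }


def assume_role_request(user_id, user_groups, account, role_name, application, lifecycle):
    """Keyword arguments for sts.assume_role(**request) once a real client is
    wired in; nothing here talks to AWS."""
    if (account, role_name) not in available_roles(user_groups):
        raise PermissionError(f"{user_id} is not mapped to {role_name} in {account}")
    if not SESSION_NAME_RE.match(user_id):
        raise ValueError("user id is not a valid RoleSessionName")
    return {
        "RoleArn": f"arn:aws:iam::{ACCOUNT_IDS[account]}:role/{role_name}",
        "RoleSessionName": user_id,  # surfaces as the user name in CloudTrail
        "Policy": json.dumps(session_policy(application, lifecycle)),
        "DurationSeconds": 3600,
    }


if __name__ == "__main__":
    groups = ["NOVA_PRODSHARED_DJCS_DEV", "VPN_USERS"]  # constructed AD lookup result
    print(available_roles(groups))
    req = assume_role_request("bob", groups, "prodshared",
                              "nova.prodshared.djcs.developer", "Poseidon", "Prod")
    print(json.dumps(req, indent=2))
```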
Your own journey: Rationalizing the decision-making process
• Existing federation investments?
• Federation needs beyond AWS?
• Desired level of control vs. involvement?
• Competency and bandwidth for application development?
Comparison: SAML vs. Custom identity broker
SAML
• Pro: Low barrier to entry
• Pro: Federation beyond AWS
• Con: Number of roles, groups
• Con: Add’l automation to scale
Choose SAML if you want a balanced federation approach.
Custom identity broker
• Pro: Granular and contextual policies
• Pro: Complete control
• Con: Development effort
• Con: Complex evaluations
Choose a custom identity broker if you prefer to increase federation involvement for the ultimate control.
Remember the principles of cloud architecture.
• Don’t overanalyze – experiment and iterate.
• Federation options are not mutually exclusive.
• Several can exist in parallel.
• Federation options use the same entities.
• Evolve your federation approach as your needs evolve.
• Right for tomorrow is not always right for today.
Your own journey: Taking the first steps
Additional information
• Session resources (code and samples)
• AWS documentation
• Manage Federation
• Integrating Third-Party SAML Solution Providers with AWS
• Request Information That You Can Use for Policy Variables
• Custom Federation Broker
• AWS blogs
• Whitepaper—Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth
• How to Implement a General Solution for Federated API/CLI Access Using SAML 2.0
Remember to complete your evaluations!
Thank you!