
Delegating Access to your AWS Environment


DESCRIPTION

At times you may have a need to provide external entities access to resources within your AWS account. You may have users within your enterprise that want to access AWS resources without having to remember a new username and password. Alternatively, you may be creating a cloud-backed application that is used by millions of mobile users. Or you have multiple AWS accounts that you want to share resources across. Regardless of the scenario, AWS Identity and Access Management (IAM) provides a number of ways you can securely and flexibly provide delegated access to your AWS resources. Come learn how to best take advantage of these options in your AWS environment.


Page 1: Delegating Access to your AWS Environment

Jeff Wierer

Delegating Access to your AWS Environment

Product Manager (IAM)

Page 2: Delegating Access to your AWS Environment

Goals for this talk

Understand the technology used to delegate access

• Sessions and the AWS Security Token Service (STS)

• Roles and assumed-role sessions

• Federated sessions

• The differences in session types and when to use what

Use cases we’ll cover

• API Account Access Delegation

• AWS API Federation

• AWS Management Console Federation

Page 3: Delegating Access to your AWS Environment

Let’s start with a short demo

Page 4: Delegating Access to your AWS Environment

AWS Management Console SSO Demo Setup (Sample - http://aws.amazon.com/code/4001165270590826)

Active Directory

Log into the console without a username and password!

Page 5: Delegating Access to your AWS Environment

Single Sign-On AWS Management Console

Demo

Page 6: Delegating Access to your AWS Environment

Wait… what just happened?

1. Logged into my Windows desktop

2. Hit an intranet web site

3. Chose the “role” I wanted to play in AWS

4. Auto-magically signed-in to the console

How did he do that??

Page 7: Delegating Access to your AWS Environment

Delegation basics: Sessions & the AWS Security Token Service

Page 8: Delegating Access to your AWS Environment

Sessions 101

• Allow delegating temporary access to your AWS account

• Are generated by the AWS Security Token Service

• Include temporary credentials that are used to make API calls to AWS services

Page 9: Delegating Access to your AWS Environment

Requesting a Session

Start by requesting a session from AWS STS. (Figure: the caller asks STS for a session and receives back an Access Key Id, Secret Access Key, Session Token and Expiration.)

Page 10: Delegating Access to your AWS Environment

What’s in a Session?

A session is a set of temporary security credentials:

• Access Key Id

• Secret Access Key

• Session Token

• Expiration

Page 11: Delegating Access to your AWS Environment

Three Ways to Get Sessions

• Self-sessions (GetSessionToken)

• Federated sessions (GetFederationToken)

• Assumed-role sessions (AssumeRole)

Each call returns the same shape of session: Access Key Id, Secret Access Key, Session Token and Expiration.

Page 12: Delegating Access to your AWS Environment

Sessions Expire

Expiration varies by session type [min / max / default]:

• Self-session, root account (GetSessionToken): 15 min / 60 min / 60 min

• Self-session, IAM user (GetSessionToken): 15 min / 36 hrs / 12 hrs

• Federated (GetFederationToken): 15 min / 36 hrs / 12 hrs

• Assumed-role (AssumeRole): 15 min / 60 min / 60 min

These are the limits as of April 2013; the AssumeRole ceiling has since become configurable per role (up to 12 hours), so check the current STS documentation before hard-coding a DurationSeconds.

Use caching to improve your application performance: reuse a session until it is close to its Expiration rather than calling STS on every request.
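The caching advice above in working form: an added example in Python, not code from the deck. The STS call is replaced by a fake `fake_assume_role` so it runs offline; `DURATION_LIMITS` carries the deck's 2013 table, and the refresh margin of 300 seconds is a chosen value, not an AWS constant.

```python
"""Refresh-ahead cache for STS sessions: an added example, not code from the deck.
The fetch callable stands in for whatever STS call (AssumeRole, GetFederationToken,
GetSessionToken) your application uses; here it is simulated so this runs offline."""
import datetime as dt
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

UTC = dt.timezone.utc

# Session lifetime limits from the deck's table, in seconds: (min, max, default).
# These are the April 2013 values; AssumeRole's maximum is now configurable per role.
DURATION_LIMITS = {
    "self-root": (900, 3600, 3600),
    "self-iam-user": (900, 36 * 3600, 12 * 3600),
    "federated": (900, 36 * 3600, 12 * 3600),
    "assumed-role": (900, 3600, 3600),
}


@dataclass(frozen=True)
class Session:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: dt.datetime  # timezone-aware UTC, as STS reports it


def clamp_duration(session_type: str, requested: Optional[int]) -> int:
    """Return a DurationSeconds STS will accept for this session type; None picks the default.
    Rejecting out-of-range values here is cheaper than a failed signed API call."""
    low, high, default = DURATION_LIMITS[session_type]
    if requested is None:
        return default
    if not low <= requested <= high:
        raise ValueError(f"{session_type}: DurationSeconds={requested} outside [{low}, {high}]")
    return requested


class SessionCache:
    """Hands out one session until it is within `refresh_margin` seconds of expiring,
    then fetches a new one. The margin covers in-flight requests and clock skew;
    `now` is injectable so the behaviour can be tested without waiting an hour."""

    def __init__(self, fetch: Callable[[], Session], refresh_margin: int = 300,
                 now: Callable[[], dt.datetime] = lambda: dt.datetime.now(UTC)) -> None:
        self._fetch = fetch
        self._margin = dt.timedelta(seconds=refresh_margin)
        self._now = now
        self._session: Optional[Session] = None
        self.fetch_count = 0  # how many times STS was actually called

    def _stale(self) -> bool:
        return self._session is None or self._now() + self._margin >= self._session.expiration

    def get(self) -> Session:
        if self._stale():
            fresh = self._fetch()
            if fresh.expiration <= self._now():
                raise RuntimeError("STS returned an already-expired session; check clock skew")
            self._session = fresh
            self.fetch_count += 1
        return self._session


def simulate() -> Tuple[int, int]:
    """Drive the cache with a fake clock and a fake AssumeRole (constructed data).
    Returns STS call counts (after five calls within ten minutes, after a two-hour gap)."""
    clock = {"t": dt.datetime(2013, 4, 30, 12, 0, tzinfo=UTC)}

    def fake_assume_role() -> Session:
        lifetime = clamp_duration("assumed-role", None)
        return Session("ASIAEXAMPLE", "example-secret", "example-token",
                       clock["t"] + dt.timedelta(seconds=lifetime))

    cache = SessionCache(fake_assume_role, now=lambda: clock["t"])
    for _ in range(5):
        cache.get()
        clock["t"] += dt.timedelta(minutes=2)
    after_ten_minutes = cache.fetch_count
    clock["t"] += dt.timedelta(hours=2)
    cache.get()
    return after_ten_minutes, cache.fetch_count
```

`simulate()` returns `(1, 2)`: five calls inside the one-hour assumed-role lifetime cost a single STS call, and the call after the two-hour gap triggers exactly one refresh. Treat the cached secret like the long-term keys it replaces: keep it in memory, not on disk.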

Page 13: Delegating Access to your AWS Environment

Role-based delegation: Using assumed-role sessions

Page 14: Delegating Access to your AWS Environment

What’s an IAM Role?

• Entity that defines a set of permissions for making AWS service requests

• Not associated with a specific user or group

• Roles must be “assumed” by trusted entities, but not by a root account (the root user cannot assume a role)

Page 15: Delegating Access to your AWS Environment

Using an IAM Role with EC2

• Allow applications on EC2 to act on behalf of another entity

• Create a role, apply a policy, launch the EC2 instance with the role

• Credentials are automatically:

– Made available to EC2 instances

– Rotated multiple times a day

• The AWS SDK transparently uses the credentials

Page 16: Delegating Access to your AWS Environment

Create a Role and Launch an EC2 Instance Demo

Page 17: Delegating Access to your AWS Environment

Benefits of Using Roles with EC2

• Eliminates use of long term credentials

• Automatic credential rotation

• Less coding – AWS SDK does all the work

Page 18: Delegating Access to your AWS Environment

Use Case: API Account Access Delegation

• Access resources across AWS accounts

• Why do you need it?

– Management visibility across all your AWS accounts

– Developer access to resources across AWS accounts

– Enables using third-party management solutions

Page 19: Delegating Access to your AWS Environment

Using IAM Roles for API Account Access Delegation

• Extends the “roles for EC2” concept

– Set a permissions policy as before

– Set a trust policy granting access [NEW]

• Delegate access to other AWS entities

– AWS services (such as EC2)

– IAM users within your account

– IAM users under a different account

• IAM users in one account can now access resources in another account

Policy attached to the IAM user (or group) that is allowed to call AssumeRole:

{ "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/MyRole" } ] }

(Screenshot: how to define who can assume the role using the console.)

An entity holding this policy can assume MyRole under account 111122223333, provided the trust policy on MyRole also trusts it.

Page 20: Delegating Access to your AWS Environment

API Account Access Delegation – How Does It Work?

IAM Team Account (Acct ID: 111122223333) owns s3-role.

Permissions assigned to s3-role:

{ "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "*" } ] }

Trust policy assigned to s3-role, defining who (trusted entities) can assume the role:

{ "Statement": [ { "Effect":"Allow", "Principal":{"AWS":"arn:aws:iam::123456789012:root"}, "Action":"sts:AssumeRole" } ] }

My AWS Account (Acct ID: 123456789012) contains the IAM user Jeff.

Policy assigned to Jeff granting him permission to assume s3-role in account 111122223333:

{ "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/s3-role" } ] }

Flow:

1. Jeff authenticates to STS with his own access keys.

2. STS returns temporary security credentials for s3-role (AssumeRole).

3. Jeff calls AWS APIs using the temporary security credentials.

Both policies must allow the call: the trust policy on s3-role must name Jeff's account as a principal, and Jeff's own policy must allow sts:AssumeRole on the role ARN. Trusting the account root means any principal in 123456789012 whose identity policy grants sts:AssumeRole on the role can use it.

Page 21: Delegating Access to your AWS Environment

Building a Cross-Account Amazon S3 Browser Demo

Page 22: Delegating Access to your AWS Environment

Assumed-Role Session – Code Sample

using System;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public static Credentials GetAssumeRoleSession(string accessKey, string secretKey)
{
    // Sign the STS call with the caller's (Jeff's) long-term IAM user keys.
    AmazonSecurityTokenServiceClient client = new AmazonSecurityTokenServiceClient(
        accessKey, secretKey, new AmazonSecurityTokenServiceConfig());

    // Request temporary security credentials for s3-role in account 111122223333.
    AssumeRoleRequest request = new AssumeRoleRequest
    {
        DurationSeconds = 3600,             // 1 hour, the maximum for an assumed-role session at the time
        RoleArn = "arn:aws:iam::111122223333:role/s3-role",
        RoleSessionName = "S3BucketBrowser" // recorded in CloudTrail, so make it identify the caller
    };

    AssumeRoleResponse response = client.AssumeRole(request);
    if (response == null || response.AssumeRoleResult == null)
    {
        throw new Exception("S3 Browser :: Error in retrieving temporary security creds, received NULL");
    }
    return response.AssumeRoleResult.Credentials;
}

Page 23: Delegating Access to your AWS Environment

API Account Access Delegation Benefits

• Use one set of credentials

• No more sharing long term credentials

• Revoke access to the role anytime you want!

Page 24: Delegating Access to your AWS Environment

Federation: Using sessions to access AWS with your

existing corporate identity

Page 25: Delegating Access to your AWS Environment

Federation Overview

• Access AWS with your existing corporate identity

• Why use federation?

– Build apps that transparently access AWS resources and APIs

– SSO to the AWS Management Console

– Eliminate “yet another password” to manage

Page 26: Delegating Access to your AWS Environment

Use Case: API Federation (Sample - http://aws.amazon.com/code/1288653099190193)

• Identity provider

– Windows Active Directory

– Privileges based on AD group membership

– AD groups include policies

• Relying party is AWS API (S3*)

• Uses federated session via GetFederationToken

Page 27: Delegating Access to your AWS Environment

AWS API Federation Walkthrough

Customer (Identity Provider): User, Application, Active Directory, Federation Proxy

AWS Cloud (Relying Party): STS and AWS resources (S3 bucket with objects, Amazon DynamoDB, Amazon EC2)

1. The application requests a session from the federation proxy.

2–3. The proxy authenticates the user against Active Directory and looks up the user's group membership (and therefore the policy to apply).

4. The proxy sends a GetFederationToken request to STS.

5. STS returns the GetFederationToken response: access key, secret key and session token.

6. The application receives the session.

7. The application calls AWS APIs with the temporary security credentials.

Federation proxy:

• Uses a set of IAM user credentials to make a GetFederationTokenRequest()

• The IAM user's permissions need to be the union of all federated user permissions (STS intersects the passed policy with them, so the policy can only scope down)

• The proxy needs to securely store these privileged credentials
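The proxy's "build a policy from AD groups" step, as an added example in Python; it is not the deck's .NET proxy. The group-to-policy table and the sample logins are constructed for the demo (a real proxy would read them from Active Directory, as the deck's Utilities.BuildAWSPolicy does); the Name and Policy constraints are those of the STS GetFederationToken API.

```python
"""Federation-proxy policy builder: an added example (Python), not the deck's .NET proxy.
It maps a user's Active Directory groups to the Policy and Name parameters of a
GetFederationToken call. The group-to-policy table is constructed for the demo."""
import json
import re
from typing import Dict, List

# Parameter constraints from the STS GetFederationToken API reference: Name is
# 2-32 characters matching [\w+=,.@-], and the Policy plaintext is at most 2048 characters.
NAME_RE = re.compile(r"^[\w+=,.@-]{2,32}$")
POLICY_MAX_CHARS = 2048

# Constructed: the policy statements attached to each AWS-enabled AD group.
GROUP_POLICIES: Dict[str, List[dict]] = {
    "aws-s3-readers": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                        "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]}],
    "aws-sqs-consumers": [{"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
                           "Resource": "arn:aws:sqs:us-east-1:123456789012:orders"}],
}


def federated_user_name(ad_login: str) -> str:
    """Turn CORP\\jsmith or jsmith@corp.example into a Name STS accepts. The name is
    recorded in CloudTrail and usable in policy variables, so keep it traceable to the person."""
    name = ad_login.split("\\")[-1].split("@")[0]
    if not NAME_RE.match(name):
        raise ValueError(f"{ad_login!r} does not map to a valid federated user name")
    return name


def build_federation_policy(groups: List[str]) -> str:
    """Union the statements of the user's groups into one session policy. STS intersects it
    with the proxy IAM user's own permissions, so the proxy user must hold the union of
    everything any group can grant, and this document can only narrow that."""
    statements = [s for g in groups for s in GROUP_POLICIES.get(g, [])]
    if not statements:
        # Without a Policy a federated session has no effective permissions; fail loudly
        # instead of handing out a useless token.
        raise PermissionError("user is in no AWS-enabled group")
    doc = json.dumps({"Version": "2012-10-17", "Statement": statements}, separators=(",", ":"))
    if len(doc) > POLICY_MAX_CHARS:
        raise ValueError(f"policy is {len(doc)} chars, over the {POLICY_MAX_CHARS} STS limit")
    return doc


def federation_request(ad_login: str, groups: List[str], duration_seconds: int = 8 * 3600) -> dict:
    """Keyword arguments for GetFederationToken (e.g. boto3's sts.get_federation_token(**params))."""
    return {"Name": federated_user_name(ad_login),
            "Policy": build_federation_policy(groups),
            "DurationSeconds": duration_seconds}
```

The point a reviewer should check in any such proxy: the proxy user's own policy is the ceiling for every session it issues, so a group policy that grants more than the proxy user holds silently yields less than the administrator intended, and a user in no AWS group must be refused rather than given the proxy's full permissions.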

Page 28: Delegating Access to your AWS Environment

API Federation

Demo

Page 29: Delegating Access to your AWS Environment

Get Federation Session – Code Sample

using System;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public Credentials GetSecurityToken(string userName, string accessKey, string secretKey)
{
    // The proxy signs GetFederationToken with its own IAM user keys; that user's
    // permissions must be the union of every policy the proxy can hand out.
    AmazonSecurityTokenServiceConfig config = new AmazonSecurityTokenServiceConfig();
    AmazonSecurityTokenServiceClient client = new AmazonSecurityTokenServiceClient(accessKey, secretKey, config);

    // Retrieve the AWS policy for this user from Active Directory (via group membership).
    // STS intersects it with the proxy user's permissions, so it can only scope down.
    string policy = Utilities.BuildAWSPolicy(userName);

    GetFederationTokenRequest request = new GetFederationTokenRequest
    {
        DurationSeconds = 3600 * 8, // 8 hours; federated sessions allow 15 min to 36 hrs
        Name = userName,            // the federated user name, visible in CloudTrail
        Policy = policy
    };

    GetFederationTokenResponse response = client.GetFederationToken(request);
    if (response == null || response.GetFederationTokenResult == null)
    {
        throw new Exception("FederationProxy :: Error in retrieving temporary security creds, received NULL");
    }
    return response.GetFederationTokenResult.Credentials;
}

Page 30: Delegating Access to your AWS Environment

Using IAM Roles for Federation

• Assumed-role sessions can also be used for federation

• Provides a different option for storing AWS permissions

• Allows for “separation of duties” in managing AWS permissions

– Corp admin manages: groups, users, and intranet permissions

– AWS admin creates roles & maintains policies on those roles

Page 31: Delegating Access to your AWS Environment

Use Case: Console Federation (Sample - http://aws.amazon.com/code/4001165270590826)

• Identity provider

– Windows Active Directory

– Privileges based on AD group membership

– AD groups match the names of IAM roles

• Relying party is AWS Management Console

• Uses assumed-role session via AssumeRole

Page 32: Delegating Access to your AWS Environment

Basics of a Role-Based Federation Proxy

Acct ID: 111122223333 owns s3-role and the Proxy Server IAM User.

Permissions assigned to s3-role:

{ "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "*" } ] }

Trust policy assigned to s3-role, defining who can assume the role (the sts:ExternalId condition ties the role to this particular proxy, so another caller in the account that knows only the role ARN cannot assume it):

{"Statement": { "Principal": {"AWS":"arn:aws:iam::111122223333:root"}, "Condition": { "StringEquals": {"sts:ExternalId": "{SID1234…}"} }, "Effect": "Allow", "Action": ["sts:AssumeRole"] } }

Policy assigned to the Proxy Server IAM User granting permission to ListRoles and AssumeRole for all roles:

{ "Statement": [ { "Effect": "Allow", "Action": ["iam:ListRoles","sts:AssumeRole"], "Resource": "arn:aws:iam::111122223333:role/*" } ] }

(Note that iam:ListRoles does not support resource-level permissions, so in practice it needs its own statement with "Resource": "*"; sts:AssumeRole can stay scoped to role/*.)

Flow: the proxy authenticates to STS with its own access keys, gets temporary security credentials for the chosen role, and logs the user into the AWS Management Console using those temporary security credentials.

Page 33: Delegating Access to your AWS Environment

Console Federation Walkthrough (AssumeRole)

Customer (IdP): browser interface, corporate directory, federation proxy

AWS Cloud (Relying Party): STS, AWS Management Console

1. The user browses to the proxy URL.

2–3. The proxy authenticates the user against the corporate directory and reads the user's group membership (group names match IAM role names).

4. The proxy sends a ListRoles request to IAM.

5. IAM returns the ListRoles response.

6. The proxy builds a combo box of the roles the user may choose from.

7. The proxy sends an AssumeRole request for the chosen role.

8. STS returns the AssumeRole response with temporary credentials: access key, secret key and session token.

9. The proxy generates the console sign-in URL.

10. The user's browser is redirected to the console.

Federation proxy:

• Uses a set of IAM user credentials to make AssumeRoleRequest()

• The IAM user's permissions only need to allow ListRoles and AssumeRole

• The proxy needs to securely store these credentials

Page 34: Delegating Access to your AWS Environment

Console Federation (SSO)

Demo

Page 35: Delegating Access to your AWS Environment

Console Federation – Code Sample

using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Text;
using System.Web;
using System.Web.Script.Serialization;
using Amazon.SecurityToken.Model;

public string GetSignInURL(Credentials creds, string issuerURL, string consoleURL, string signInURL)
{
    // Step 1: build the session JSON from the temporary credentials (access key ID,
    // secret access key and session token) and ask the federation endpoint
    // (signInURL, normally https://signin.aws.amazon.com/federation) for a sign-in token.
    // This request carries the secret key, so the proxy must make it server-side over
    // HTTPS, never hand it to the browser, and never log the URL.
    string sessionJson = new JavaScriptSerializer().Serialize(new Dictionary<string, string>
    {
        { "sessionId", creds.AccessKeyId },
        { "sessionKey", creds.SecretAccessKey },
        { "sessionToken", creds.SessionToken }
    });
    string getSigninTokenURL = signInURL + "?Action=getSigninToken" +
        "&SessionType=json&Session=" + HttpUtility.UrlEncode(sessionJson, Encoding.UTF8);

    string signinToken;
    WebRequest request = WebRequest.Create(getSigninTokenURL);
    using (HttpWebResponse webResponse = (HttpWebResponse)request.GetResponse())
    using (StreamReader reader = new StreamReader(webResponse.GetResponseStream()))
    {
        // Step 2: the response body is {"SigninToken":"..."}; parse it as JSON
        // instead of splitting on quote characters.
        string body = reader.ReadToEnd();
        Dictionary<string, string> parsed =
            new JavaScriptSerializer().Deserialize<Dictionary<string, string>>(body);
        signinToken = parsed["SigninToken"];
    }

    // Step 3: the login URL the user's browser is redirected to. Destination is the
    // console page to land on; Issuer is your sign-in page, where the console sends
    // the user when the session expires.
    string loginURL = signInURL + "?Action=login" +
        "&SigninToken=" + HttpUtility.UrlEncode(signinToken, Encoding.UTF8) +
        "&Issuer=" + HttpUtility.UrlEncode(issuerURL, Encoding.UTF8) +
        "&Destination=" + HttpUtility.UrlEncode(consoleURL, Encoding.UTF8);
    return loginURL;
}
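The same three-step exchange as an added example in Python (not the deck's .NET code). FEDERATION_ENDPOINT is the documented AWS federation endpoint that the deck passes in as signInURL; the credentials and the response body used in the usage are constructed, and the HTTP GET of step 2 is left to the caller so the block runs offline.

```python
"""Console federation sign-in URL construction: an added example (Python), not the deck's
.NET proxy code. FEDERATION_ENDPOINT is the documented AWS federation endpoint the deck
passes in as signInURL; the HTTP GET in step 2 is left to the caller so this runs offline."""
import json
from typing import Dict
from urllib.parse import urlencode

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def signin_token_url(creds: Dict[str, str], endpoint: str = FEDERATION_ENDPOINT) -> str:
    """Step 1: the URL the proxy fetches to swap temporary credentials for a sign-in token.
    It carries the secret key and session token, so the proxy must make this request
    itself over HTTPS, never hand it to the browser, and never write it to a log."""
    session = {"sessionId": creds["AccessKeyId"],
               "sessionKey": creds["SecretAccessKey"],
               "sessionToken": creds["SessionToken"]}
    query = urlencode({"Action": "getSigninToken", "SessionType": "json",
                       "Session": json.dumps(session)})
    return f"{endpoint}?{query}"


def parse_signin_token(body: str) -> str:
    """Step 2: the endpoint answers {"SigninToken": "..."}. Parse it as JSON rather than
    splitting on quote characters, which breaks if the field order or whitespace changes."""
    try:
        return json.loads(body)["SigninToken"]
    except (ValueError, KeyError, TypeError) as exc:
        raise RuntimeError(f"unexpected getSigninToken response: {body[:80]!r}") from exc


def console_login_url(signin_token: str, issuer: str, destination: str,
                      endpoint: str = FEDERATION_ENDPOINT) -> str:
    """Step 3: the URL to redirect the user's browser to. Destination is the console page
    to land on; Issuer is your sign-in page, where the console sends the user when the
    session expires. The sign-in token is valid for 15 minutes, so redirect promptly."""
    query = urlencode({"Action": "login", "Issuer": issuer,
                       "Destination": destination, "SigninToken": signin_token})
    return f"{endpoint}?{query}"


# Constructed usage: temporary credentials as STS would return them (fake values).
SAMPLE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
                "SessionToken": "example-token"}
SAMPLE_RESPONSE_BODY = '{"SigninToken": "abc-DEF_123"}'  # shape of the step-2 reply
```

Only the step-3 URL ever reaches the user: it contains the short-lived sign-in token, not the secret key. Use `urlencode` (or the platform equivalent) for every parameter; the Issuer and Destination values are full URLs and must be percent-encoded or the console will misparse the query string.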

Page 36: Delegating Access to your AWS Environment

Federation Benefits

• Leverage your existing corporate identities

• Use the username/password you already know

• Enforce corporate policies/governance

• When employees leave, you only need to delete their corporate account

Page 37: Delegating Access to your AWS Environment

Variable Substitution

• Use cases enabled

– Easily enable users to manage their own credentials

– Easily set up access to a “home folder” in S3

– Personal topics (SNS) or queues (SQS)

• Benefits

– Reduces the need for per-user policies

– Variables are based on the request context

• Existing keys (e.g., aws:SourceIP, etc.)

• New keys (aws:username, aws:userid, aws:principaltype)

Example: one policy that gives every IAM user their own home folder in myBucket:

{ "Version": "2012-10-17", "Statement": [{ "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::myBucket"], "Condition": {"StringLike": {"s3:prefix":["home/${aws:username}/*"]} } }, { "Action":["s3:*"], "Effect":"Allow", "Resource": [ "arn:aws:s3:::myBucket/home/${aws:username}/*", "arn:aws:s3:::myBucket/home/${aws:username}" ] } ] }
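A small policy evaluator, added here as an example in Python (it is not AWS's evaluation engine and models only Allow statements, Action/Resource wildcards, an account Principal, StringEquals/StringLike conditions and ${...} variables). It serves three passages of the deck: the two-sided AssumeRole check from "API Account Access Delegation – How Does It Work?", the sts:ExternalId condition from "Basics of a Role-Based Federation Proxy", and the ${aws:username} substitution above. The sample policies reuse the deck's account IDs and role name; the external ID value SID1234 and the user name jeff are constructed.

```python
"""Mini IAM evaluator: added example, not AWS's engine. It implements just enough of
the policy language (Allow statements, Action/Resource wildcards, an AWS account
Principal, StringEquals/StringLike conditions and ${...} policy variables) to show
the two-sided AssumeRole check and policy-variable substitution from the deck."""
import re
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Optional

VAR_RE = re.compile(r"\$\{([\w:]+)\}")


def substitute(value: str, context: Dict[str, str]) -> Optional[str]:
    """Replace ${key} with the request-context value. A variable with no value in the
    context (e.g. aws:username for a role session) makes the element unmatchable,
    so return None instead of a string."""
    if any(key not in context for key in VAR_RE.findall(value)):
        return None
    return VAR_RE.sub(lambda m: context[m.group(1)], value)


def _aslist(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _glob_any(candidate: str, patterns: List[Optional[str]]) -> bool:
    return any(p is not None and fnmatchcase(candidate, p) for p in patterns)


def _condition_ok(condition: Dict[str, Dict[str, Any]], context: Dict[str, str]) -> bool:
    """Every operator/key pair must hold; a key absent from the request fails the statement.
    Condition keys are case-insensitive (sts:ExternalId == sts:externalId)."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key.lower())
            if actual is None:
                return False
            patterns = [substitute(str(w), context) for w in _aslist(wanted)]
            if operator == "StringEquals":
                if actual not in patterns:
                    return False
            elif operator == "StringLike":
                if not _glob_any(actual, patterns):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def _matches(stmt: dict, action: str, resource: str, context: Dict[str, str],
             principal: Optional[str] = None) -> bool:
    """Does one Allow statement cover the request? `principal` is only set when
    evaluating a trust policy, whose Principal element says who may assume the role."""
    if stmt.get("Effect") != "Allow":
        return False
    if not _glob_any(action, _aslist(stmt["Action"])):
        return False
    if "Resource" in stmt and not _glob_any(
            resource, [substitute(r, context) for r in _aslist(stmt["Resource"])]):
        return False
    if principal is not None and principal not in _aslist(stmt.get("Principal", {}).get("AWS", [])):
        return False
    return _condition_ok(stmt.get("Condition", {}), context)


def is_allowed(policy: dict, action: str, resource: str, context: Dict[str, str]) -> bool:
    """Identity-policy check for one API call (no explicit Deny modelled)."""
    return any(_matches(s, action, resource, context) for s in _aslist(policy["Statement"]))


def can_assume_role(identity_policy: dict, trust_policy: dict, caller_account: str,
                    role_arn: str, context: Dict[str, str]) -> bool:
    """Cross-account AssumeRole succeeds only if BOTH sides allow it: the caller's own
    policy grants sts:AssumeRole on the role ARN, and the role's trust policy names the
    caller's account (and any sts:ExternalId it demands is present in the request)."""
    caller_side = is_allowed(identity_policy, "sts:AssumeRole", role_arn, context)
    trusted_root = f"arn:aws:iam::{caller_account}:root"
    role_side = any(_matches(s, "sts:AssumeRole", role_arn, context, principal=trusted_root)
                    for s in _aslist(trust_policy["Statement"]))
    return caller_side and role_side


# Constructed sample policies, using the deck's account IDs and role name.
JEFF_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Resource": "arn:aws:iam::111122223333:role/s3-role"}]}
S3_ROLE_TRUST = {"Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                                "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                                "Condition": {"StringEquals": {"sts:ExternalId": "SID1234"}}}]}
HOME_FOLDER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::myBucket"],
     "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}},
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::myBucket/home/${aws:username}/*",
                  "arn:aws:s3:::myBucket/home/${aws:username}"]}]}
```

Three things fall out of running it: removing the ExternalId from the request (or presenting the wrong one) makes `can_assume_role` fail even though Jeff's own policy allows the call, which is the confused-deputy protection the proxy relies on; a caller from an account other than 123456789012 is refused by the trust policy regardless of its own permissions; and `HOME_FOLDER_POLICY` grants nothing at all to a session with no aws:username in its context, so the same policy attached to a role does not quietly open every home folder.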

Page 38: Delegating Access to your AWS Environment

Access Control Policy Variables

Demo

Page 39: Delegating Access to your AWS Environment

Delegation options

Choosing the right session type

Page 40: Delegating Access to your AWS Environment

Considerations When Choosing Session Type

• What services do you want to use?

• Where do you want to maintain AWS permissions: within your enterprise, or within AWS?

• How are permissions derived?

Page 41: Delegating Access to your AWS Environment

What Services Support Sessions?

The slide is a table with two columns, Federated and Assumed-Role, and a check mark where the service accepts that session type. Its rows are:

• Security Token Service

• AWS Identity and Access Management (IAM)

• AWS CloudFormation

• AWS Elastic Beanstalk

• Amazon Elastic MapReduce

• All other services

The check marks themselves did not survive extraction. Accurate as of 4/30/2013. See http://aws.amazon.com/iam for the most up-to-date list.

Page 42: Delegating Access to your AWS Environment

Where Do You Want to Maintain AWS Permissions?

Within your enterprise:

• Use a federated session (GetFederationToken)

• The proxy's IAM user requires the maximum (union) permissions

• Required: attach a policy to the request

Within AWS:

• Use an assumed-role session (AssumeRole)

• The proxy's IAM user only requires ListRoles and AssumeRole permissions

• Optional: attach a policy to the request

Page 43: Delegating Access to your AWS Environment

Summary: Use Cases

Cross-Account API Access

• Use one set of credentials

• No more sharing long term credentials

• Revoke access to the role anytime you want!

Federation

• Leverage your existing corporate identities

• Use the username/password you already know

• Enforce corporate policies/governance

• When employees leave, you only need to delete their corporate account

Page 44: Delegating Access to your AWS Environment

Summary: Technology

Sessions are the heart of delegation

• Use keys to sign API requests

• Use token as parameter when making requests

Request sessions (federated/assumed-role) by calling AWS STS

• Variable expiration timeframes

• Service support varies per session type

• AWS permissions derived differently

Choose the right session for the job

Page 45: Delegating Access to your AWS Environment

For More Information

• Learn more from our home page

– http://aws.amazon.com/iam

• This is the IAM forum where we hang out

– https://forums.aws.amazon.com/forum.jspa?forumID=76

• Developer documentation

– http://aws.amazon.com/documentation/iam/