At times you may have a need to provide external entities access to resources within your AWS account. You may have users within your enterprise that want to access AWS resources without having to remember a new username and password. Alternatively, you may be creating a cloud-backed application that is used by millions of mobile users. Or you have multiple AWS accounts that you want to share resources across. Regardless of the scenario, AWS Identity and Access Management (IAM) provides a number of ways you can securely and flexibly provide delegated access to your AWS resources. Come learn how to best take advantage of these options in your AWS environment.
Delegating Access to your AWS Environment
Jeff Wierer, Product Manager (IAM)
Goals for this talk
Understand the technology used to delegate access:
• Sessions and the AWS Security Token Service (STS)
• Roles and assumed-role sessions
• Federated sessions
• The differences in session types and when to use what
Use cases we’ll cover
• API Account Access Delegation
• AWS API Federation
• AWS Management Console Federation
Let’s start with a short demo
AWS Management Console SSO Demo Setup (Sample - http://aws.amazon.com/code/4001165270590826)
Components: Active Directory, an intranet federation site, and single sign-on into the AWS Management Console. Log into the console without a username and password!
Demo
1. Logged into my Windows desktop
2. Hit an intranet web site
3. Chose the “role” I wanted to play in AWS
4. Auto-magically signed-in to the console
How did he do that??
Wait… what just happened?
Delegation basics: Sessions & the AWS Security Token Service
Sessions 101
• Allow delegating temporary access to your AWS account
• Are generated by the AWS Security Token Service
• Include temporary credentials that are used to make API calls to AWS services
A session consists of: Access Key Id, Secret Access Key, Session Token, Expiration
Requesting a Session
Start by requesting a session from AWS STS
What’s in a Session?
Temporary security credentials: an Access Key Id, a Secret Access Key and a Session Token, plus the Expiration time after which they stop working.
Three Ways to Get Sessions
• Self-sessions (GetSessionToken)
• Federated sessions (GetFederationToken)
• Assumed-role sessions (AssumeRole)
Sessions Expire
Expiration varies based on token type [Min / Max / Default]:
• Self (Account) [15 min / 60 min / 60 min]
• Self (IAM User) [15 min / 36 hrs / 12 hrs]
• Federated [15 min / 36 hrs / 12 hrs]
• Assumed-role [15 min / 60 min / 60 min]
Use caching to improve your application performance: request a session once and reuse it until it nears its expiration instead of calling STS on every request.
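The slide above recommends caching sessions but does not show how to handle the Expiration that comes back with them. The following is an added example, not code from the deck or from the AWS samples it links: an expiry-aware cache that refreshes a session before it runs out and never hands out credentials that have already expired. The STS call and the clock are injected, so the example runs offline; `fake_sts` stands in for AssumeRole (or GetFederationToken / GetSessionToken) and the 5-minute refresh margin is an assumption.

```python
"""Expiry-aware cache for STS session credentials (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Session:
    """The four fields STS returns for any session type."""
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime  # timezone-aware UTC, as STS reports it

    def remaining(self, now: datetime) -> timedelta:
        return self.expiration - now


class SessionCache:
    """Cache sessions per key (e.g. a role ARN) and refresh them early.

    A session is reused while more than `refresh_margin` remains, so a
    request that starts just before expiry still completes with valid
    credentials. Expired or nearly expired sessions trigger one new STS call.
    """

    def __init__(self, fetch: Callable[[str], Session],
                 clock: Optional[Callable[[], datetime]] = None,
                 refresh_margin: timedelta = timedelta(minutes=5)):
        self._fetch = fetch                      # in production: the STS call
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._margin = refresh_margin
        self._cache: Dict[str, Session] = {}
        self.fetch_count = 0                     # how many times STS was called

    def get(self, key: str) -> Session:
        now = self._clock()
        cached = self._cache.get(key)
        if cached is not None and cached.remaining(now) > self._margin:
            return cached
        session = self._fetch(key)
        self.fetch_count += 1
        # STS never issues a session shorter than 15 minutes; a session that is
        # already unusable on arrival means a clock problem, so fail loudly.
        if session.remaining(now) <= timedelta(0):
            raise RuntimeError(f"session for {key} expired on arrival")
        self._cache[key] = session
        return session

    def invalidate(self, key: str) -> None:
        """Drop a session, e.g. after an ExpiredToken error from a service."""
        self._cache.pop(key, None)


def demo():
    """Offline walk-through with a fake clock and a fake STS call."""
    now = [datetime(2013, 4, 30, 12, 0, tzinfo=timezone.utc)]
    role = "arn:aws:iam::111122223333:role/s3-role"  # the deck's role

    def fake_sts(key: str) -> Session:  # constructed stand-in for AssumeRole
        return Session("ASIAEXAMPLE", "secret", "token", now[0] + timedelta(hours=1))

    cache = SessionCache(fake_sts, clock=lambda: now[0])
    first = cache.get(role)
    second = cache.get(role)            # served from cache, no STS call
    now[0] += timedelta(minutes=56)     # 4 minutes left: inside the 5-minute margin
    third = cache.get(role)             # refreshed before the old session expires
    return (cache.fetch_count, first is second, third is not first,
            third.remaining(now[0]) == timedelta(hours=1))


if __name__ == "__main__":
    print(demo())
```

The margin should be at least as long as the longest request you make with the credentials; a multipart upload that outlives its session fails part way through with an ExpiredToken error, which is the case `invalidate` exists for.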
Role-based delegation: Using assumed-role sessions
What’s an IAM Role?
• Entity that defines a set of permissions for making AWS service requests
• Not associated with a specific user or group
• Roles must be “assumed” by trusted entities; a root account cannot assume a role
Using an IAM Role with EC2
• Allow EC2 apps to act on behalf of another entity
• Create a role, apply a policy, launch EC2 instance with role
• Credentials are automatically:
– Made available to EC2 instances
– Rotated multiple times a day
• AWS SDK transparently uses the credentials
Create a Role and Launch an EC2 Instance Demo
Benefits of Using Roles with EC2
• Eliminates use of long term credentials
• Automatic credential rotation
• Less coding – AWS SDK does all the work
Use Case: API Account Access Delegation
• Access resources across AWS accounts
• Why do you need it?
– Management visibility across all your AWS accounts
– Developer access to resources across AWS accounts
– Enables using third-party management solutions
Using IAM Roles for API Account Access Delegation
• Extended “roles for EC2” concept
– Set a policy as before
– Set a trust granting access [NEW]
• Delegate access to other AWS entities
– AWS services (such as EC2)
– IAM users within your account
– IAM users under a different account
• IAM users in one account can now access resources in another account. Policy attached to the user:
  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::111122223333:role/MyRole"
      }
    ]
  }
  The entity can assume MyRole under account 111122223333.
How to define who can assume the role using the console
API Account Access Delegation – How Does It Work?
IAM Team Account (Acct ID: 111122223333) owns s3-role.
Permissions assigned to s3-role:
  {
    "Statement": [
      { "Effect": "Allow", "Action": "s3:*", "Resource": "*" }
    ]
  }
Policy assigned to s3-role defining who (trusted entities) can assume the role:
  {
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
        "Action": "sts:AssumeRole"
      }
    ]
  }
Trusting the account root means any identity in 123456789012 that is itself granted sts:AssumeRole on the role may assume it; which users that is becomes a decision of the trusted account’s administrator.
My AWS Account (Acct ID: 123456789012) contains IAM user Jeff.
Policy assigned to Jeff granting him permission to assume s3-role in account 111122223333:
  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::111122223333:role/s3-role"
      }
    ]
  }
Flow:
1. Authenticate with Jeff’s access keys
2. Get temporary security credentials from s3-role (STS AssumeRole)
3. Call AWS APIs using the temporary security credentials
Building a Cross-Account Amazon S3 Browser Demo
Assumed-Role Session – Code Sample
using System;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public static Credentials getAssumeRoleSession(String accessKey, String secretKey)
{
    // accessKey/secretKey are the long-term credentials of the IAM user (Jeff)
    // whose policy allows sts:AssumeRole on s3-role.
    AmazonSecurityTokenServiceClient client = new AmazonSecurityTokenServiceClient(
        accessKey, secretKey,
        new AmazonSecurityTokenServiceConfig());

    // Request a new AssumeRole session (temporary security credentials)
    AssumeRoleRequest request = new AssumeRoleRequest
    {
        DurationSeconds = 3600,   // 1 hour: the maximum for assumed-role sessions at the time of this talk
        RoleArn = "arn:aws:iam::111122223333:role/s3-role",
        RoleSessionName = "S3BucketBrowser"   // appears in the assumed-role session's ARN
    };
    AssumeRoleResponse startSessionResponse = client.AssumeRole(request);

    if (startSessionResponse != null) // Check for valid security credentials or null
    {
        AssumeRoleResult startSessionResult = startSessionResponse.AssumeRoleResult;
        return startSessionResult.Credentials;
    }
    else
    {
        throw new Exception("S3 Browser :: Error in retrieving temporary security creds, received NULL");
    }
}
API Account Access Delegation Benefits
• Use one set of credentials
• No more sharing long term credentials
• Revoke access to the role anytime you want!
Federation: Using sessions to access AWS with your existing corporate identity
Federation Overview
• Access AWS with your existing corporate identity
• Why use federation?
– Build apps that transparently access AWS resources and APIs
– SSO to the AWS Management Console
– Eliminate “yet another password” to manage
Use Case: API Federation (Sample - http://aws.amazon.com/code/1288653099190193)
• Identity provider
– Windows Active Directory
– Privileges based on AD group membership
– AD groups include policies
• Relying party is AWS API (S3*)
• Uses federated session via GetFederationToken
AWS API Federation Walkthrough
Customer (Identity Provider): User, Application, Active Directory, Federation Proxy
AWS Cloud (Relying Party): STS, AWS Resources (S3 bucket with objects, Amazon DynamoDB, Amazon EC2)
1. User requests a session from the application
2–3. Application calls the federation proxy, which authenticates the user against Active Directory and builds the user’s policy from AD group membership
4. Federation proxy sends a GetFederationToken request to STS
5. GetFederationToken response: Access Key, Secret Key, Session Token
6. Application receives the session
7. Application calls AWS APIs with the temporary security credentials
Federation Proxy
• Uses a set of IAM user credentials to make a GetFederationTokenRequest()
• IAM user permissions need to be the union of all federated user permissions: a federated session can do only what both the proxy user’s policy and the policy passed in the request allow, so the passed policy can narrow but never extend the proxy’s permissions
• Proxy needs to securely store these privileged credentials
API Federation
Demo
Get Federation Session – Code Sample
using System;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public Credentials GetSecurityToken(string userName, string accessKey, string secretKey)
{
    // accessKey/secretKey belong to the proxy's IAM user. That user's policy is the
    // ceiling for every federated session, so it must cover the union of all users' permissions.
    AmazonSecurityTokenServiceConfig config = new AmazonSecurityTokenServiceConfig();
    AmazonSecurityTokenServiceClient client = new AmazonSecurityTokenServiceClient(accessKey, secretKey, config);

    string policy = Utilities.BuildAWSPolicy(userName); // Retrieve the AWS policy for this user from Active Directory (sample helper)

    GetFederationTokenRequest request = new GetFederationTokenRequest
    {
        DurationSeconds = 3600 * 8,   // 8 hours; federated sessions allow 15 minutes to 36 hours
        Name = userName,              // becomes the federated user name: 2-32 characters of [\w+=,.@-],
                                      // so a DOMAIN\user value must be reduced to the bare user name first
        Policy = policy               // effective permissions = proxy user policy AND this policy
    };
    GetFederationTokenResponse startSessionResponse = client.GetFederationToken(request);

    if (startSessionResponse != null) // Check the result returned, ex: Valid security credentials or null?
    {
        GetFederationTokenResult startSessionResult = startSessionResponse.GetFederationTokenResult;
        return startSessionResult.Credentials;
    }
    else
    {
        throw new Exception("FederationProxy :: Error in retrieving temporary security creds, received NULL");
    }
}
Using IAM Roles for Federation
• Assumed-role sessions can also be used for federation
• Provides a different option for storing AWS permissions
• Allows for “separation of duties” in managing AWS permissions
– Corp admin manages: groups, users, and intranet permissions
– AWS admin creates roles & maintains policies on those roles
Use Case: Console Federation (Sample - http://aws.amazon.com/code/4001165270590826)
• Identity provider
– Windows Active Directory
– Privileges based on AD group membership
– AD groups match the names of IAM roles
• Relying party is AWS Management Console
• Uses assumed-role session via AssumeRole
Basics of a Role-Based Federation Proxy
Acct ID: 111122223333 owns s3-role and the Proxy Server IAM User.
Permissions assigned to s3-role:
  {
    "Statement": [
      { "Effect": "Allow", "Action": "s3:*", "Resource": "*" }
    ]
  }
Policy assigned to s3-role defining who can assume the role:
  {
    "Statement": {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": [ "sts:AssumeRole" ],
      "Condition": { "StringEquals": { "sts:ExternalId": "{SID1234…}" } }
    }
  }
The sts:ExternalId condition means the proxy must pass a matching ExternalId on every AssumeRole call for this role; using an AD group SID as the value binds the role to the directory group it represents.
Policy assigned to the Proxy granting permission to ListRoles and AssumeRole for all roles:
  {
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [ "iam:ListRoles", "sts:AssumeRole" ],
        "Resource": "arn:aws:iam::111122223333:role/*"
      }
    ]
  }
Flow:
1. Proxy authenticates to STS with its access keys
2. Get temporary security credentials for the chosen role
3. Log in to the AWS Management Console using the temporary security credentials
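The two trust policies on this page (the cross-account one trusting account 123456789012, and the one above with the sts:ExternalId condition) are only shown as JSON. As an added example, not code from the deck or from the AWS sample, the block below models the two checks STS makes against a trust policy before it issues an assumed-role session: the caller must be covered by a Principal of a matching statement, and every Condition on that statement must hold for the request. Account IDs and the role are the deck's; the proxy user name `federation-proxy` and the ExternalId value are assumptions standing in for the elided SID.

```python
"""Evaluate a role trust policy for an sts:AssumeRole call (added example)."""
import fnmatch

# The deck's trust policy for s3-role, with the elided SID replaced by an assumed value.
S3_ROLE_TRUST_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": ["sts:AssumeRole"],
            "Condition": {"StringEquals": {"sts:ExternalId": "S-1-5-21-1234"}},
        }
    ]
}

PROXY_USER = "arn:aws:iam::111122223333:user/federation-proxy"  # assumed name


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _account_of(arn):
    # arn:partition:service:region:account-id:resource -> field 4 is the account
    return arn.split(":")[4]


def _principal_matches(principal, caller_arn):
    """True if the caller ARN is covered by the statement's Principal element."""
    if principal == "*":
        return True
    for allowed in _as_list(principal.get("AWS", [])):
        if allowed in ("*", caller_arn):
            return True
        # "arn:aws:iam::ACCOUNT:root" (or a bare account ID) trusts the whole account:
        # any identity there that also has its own sts:AssumeRole permission.
        trusted_account = None
        if allowed.isdigit():
            trusted_account = allowed
        elif allowed.endswith(":root"):
            trusted_account = _account_of(allowed)
        if trusted_account == _account_of(caller_arn):
            return True
    return False


def _conditions_hold(condition, context):
    """StringEquals / StringLike conditions; a missing context key never matches."""
    ctx = {k.lower(): v for k, v in context.items()}  # condition keys are case-insensitive
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            if actual is None:
                return False
            patterns = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in patterns
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, p) for p in patterns)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def can_assume_role(trust_policy, caller_arn, context):
    """Decide sts:AssumeRole for caller_arn: an explicit Deny wins, then any Allow."""
    allowed = False
    for stmt in trust_policy["Statement"]:
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def demo():
    """Calls the proxy (or something pretending to be it) might make."""
    good_id = {"sts:ExternalId": "S-1-5-21-1234"}
    return {
        "proxy with matching ExternalId": can_assume_role(S3_ROLE_TRUST_POLICY, PROXY_USER, good_id),
        "proxy without ExternalId": can_assume_role(S3_ROLE_TRUST_POLICY, PROXY_USER, {}),
        "proxy with another group's SID": can_assume_role(
            S3_ROLE_TRUST_POLICY, PROXY_USER, {"sts:ExternalId": "S-1-5-21-9999"}),
        "user in an untrusted account": can_assume_role(
            S3_ROLE_TRUST_POLICY, "arn:aws:iam::123456789012:user/Jeff", good_id),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case is the point of the trust policy: Jeff's own policy in account 123456789012 may say sts:AssumeRole on this role, but without a matching Principal in the role's trust policy STS refuses, since both sides of the delegation have to agree.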
Console Federation Walkthrough (AssumeRole)
Customer (IdP): Browser interface, Corporate directory, Federation proxy
AWS Cloud (Relying Party): STS, AWS Management Console
1. Browse to the federation proxy URL
2–3. Proxy authenticates the user and reads group membership from the corporate directory
4. ListRoles request (IAM)
5. ListRoles response
6. Create combo box of the roles the user may play
7. AssumeRole request (STS)
8. AssumeRole response: temporary credentials (Access Key, Secret Key, Session Token)
9. Generate sign-in URL
10. Redirect browser to the Console
Federation proxy
• Uses a set of IAM user credentials to make AssumeRoleRequest()
• IAM user permissions only need to be able to call ListRoles & AssumeRole
• Proxy needs to securely store these credentials
Console Federation (SSO)
Demo
Console Federation – Code Sample
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Web;
using Amazon.SecurityToken.Model;

public string getSignInURL(Credentials creds, String issuerURL, String consoleURL, String signInURL)
{
    // signInURL is the AWS federation endpoint, https://signin.aws.amazon.com/federation
    // Create the sign-in token using the temporary credentials: Access Key ID, Secret Access Key, and session token.
    String sessionJson = "{" +
        "\"sessionId\":\"" + creds.AccessKeyId + "\"," +
        "\"sessionKey\":\"" + creds.SecretAccessKey + "\"," +
        "\"sessionToken\":\"" + creds.SessionToken + "\"" +
        "}";
    String getSigninTokenURL = signInURL + "?Action=getSigninToken" +
        "&SessionType=json&Session=" +
        HttpUtility.UrlEncode(sessionJson, Encoding.UTF8);
    WebRequest request = WebRequest.Create(getSigninTokenURL);
    HttpWebResponse webResponse = (HttpWebResponse)request.GetResponse();
    Stream data = webResponse.GetResponseStream();
    StreamReader reader = new StreamReader(data);
    String response = reader.ReadToEnd();

    // The endpoint answers {"SigninToken":"<token>"}; splitting on ':' and '"' leaves the token at index 4.
    String[] session_encrypted = response.Split(new Char[] { ':', '\"' });
    String signinToken = session_encrypted[4];

    // Only the sign-in token goes into the URL handed to the browser; the temporary credentials stay on the proxy.
    String signinTokenParameter = "&SigninToken=" + HttpUtility.UrlEncode(signinToken, Encoding.UTF8);
    String issuer_param = "&Issuer=" + HttpUtility.UrlEncode(issuerURL, Encoding.UTF8);
    String destination_param = "&Destination=" + HttpUtility.UrlEncode(consoleURL, Encoding.UTF8);
    String loginURL = signInURL + "?Action=login" + signinTokenParameter + issuer_param + destination_param;
    return loginURL;
}
Federation Benefits
• Leverage your existing corporate identities
• Use the username/password you already know
• Enforce corporate policies/governance
• When employees leave, you only need to delete their corporate account
Variable Substitution
• Use cases enabled
– Easily enable users to manage their own credentials
– Easily set up access to “home folder” in S3
– Personal topics (SNS) or queues (SQS)
• Benefits
– Reduces the need for user policies
– Variables based on request context
• Keys (e.g., aws:SourceIP, etc.)
• New keys (aws:username, aws:userid, aws:principaltype)
Example: S3 home-folder policy
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [ "s3:ListBucket" ],
        "Effect": "Allow",
        "Resource": [ "arn:aws:s3:::myBucket" ],
        "Condition": { "StringLike": { "s3:prefix": [ "home/${aws:username}/*" ] } }
      },
      {
        "Action": [ "s3:*" ],
        "Effect": "Allow",
        "Resource": [
          "arn:aws:s3:::myBucket/home/${aws:username}/*",
          "arn:aws:s3:::myBucket/home/${aws:username}"
        ]
      }
    ]
  }
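Two things on this page are easy to get wrong in practice: how ${aws:username} is expanded when the policy is evaluated, and what a GetFederationToken session (the API federation proxy earlier on the page) can actually do once a policy is passed with the request. The block below is an added example, not code from the deck or from the AWS samples. It evaluates S3 requests against the home-folder policy above after substituting variables from the request context, and then applies the federation rule: the session may do only what both the proxy user's policy and the passed policy allow. The user names, object keys and the proxy policy are constructed; the evaluator handles Allow/Deny with StringLike conditions only.

```python
"""Policy variable substitution and federated-session permissions (added example)."""
import fnmatch
import json
import re

HOME_FOLDER_POLICY = {  # the deck's policy
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:ListBucket"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::myBucket"],
         "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}},
        {"Action": ["s3:*"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::myBucket/home/${aws:username}/*",
                      "arn:aws:s3:::myBucket/home/${aws:username}"]},
    ],
}

_VARIABLE = re.compile(r"\$\{([A-Za-z0-9:]+)\}")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _expand(text, context):
    """Replace ${key} from the context; None if any key is absent, because IAM
    treats a statement whose variable has no value in the request as not matching."""
    missing = []

    def repl(match):
        value = context.get(match.group(1).lower())
        if value is None:
            missing.append(match.group(1))
            return ""
        return value

    expanded = _VARIABLE.sub(repl, text)
    return None if missing else expanded


def _matches_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource, context):
    if not _matches_any(action, _as_list(stmt["Action"])):
        return False
    resources = [r for r in (_expand(r, context) for r in _as_list(stmt["Resource"])) if r]
    if not _matches_any(resource, resources):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringLike":
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key.lower())
            patterns = [p for p in (_expand(e, context) for e in _as_list(expected)) if p]
            if actual is None or not _matches_any(actual, patterns):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Explicit Deny wins; otherwise any applicable Allow grants the request."""
    context = {k.lower(): v for k, v in context.items()}  # keys are case-insensitive
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def federated_session_allows(proxy_policy, passed_policy, action, resource, context):
    """GetFederationToken: effective permissions = proxy user policy AND passed policy."""
    return (is_allowed(proxy_policy, action, resource, context)
            and is_allowed(passed_policy, action, resource, context))


def demo():
    bucket = "arn:aws:s3:::myBucket"
    alice = {"aws:username": "alice", "s3:prefix": "home/alice/"}   # constructed request context
    # The API federation proxy's IAM user holds the union of all users' permissions.
    proxy_policy = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                                   "Resource": [bucket, bucket + "/*"]}]}
    # aws:username is not populated for a GetFederationToken session, so the proxy
    # substitutes the directory user name into the policy before passing it.
    passed_for_alice = json.loads(json.dumps(HOME_FOLDER_POLICY).replace("${aws:username}", "alice"))
    over_reach = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
    return {
        "alice lists her folder": is_allowed(HOME_FOLDER_POLICY, "s3:ListBucket", bucket, alice),
        "alice lists bob's folder": is_allowed(HOME_FOLDER_POLICY, "s3:ListBucket", bucket,
                                               {**alice, "s3:prefix": "home/bob/"}),
        "alice reads her object": is_allowed(HOME_FOLDER_POLICY, "s3:GetObject", bucket + "/home/alice/a.txt", alice),
        "alice reads bob's object": is_allowed(HOME_FOLDER_POLICY, "s3:GetObject", bucket + "/home/bob/a.txt", alice),
        "unresolved variable fails closed": is_allowed(HOME_FOLDER_POLICY, "s3:GetObject", bucket + "/home/alice/a.txt", {}),
        "federated alice reads her object": federated_session_allows(
            proxy_policy, passed_for_alice, "s3:GetObject", bucket + "/home/alice/a.txt", {}),
        "federated alice reads bob's object": federated_session_allows(
            proxy_policy, passed_for_alice, "s3:GetObject", bucket + "/home/bob/a.txt", {}),
        "passed policy cannot exceed proxy": federated_session_allows(
            proxy_policy, over_reach, "ec2:TerminateInstances", "*", {}),
    }
```

The last result is why the proxy's IAM user is the item to protect in the API federation design: the passed policy can only narrow it, so the proxy's credentials are worth exactly the union of everything any federated user may do.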
Access Control Policy Variables
Demo
Delegation options
Choosing the right session type
Considerations When Choosing Session Type
• What services do you want to use?
• Where do you want to maintain AWS permissions
– Within your enterprise?
– Within AWS?
• How are permissions derived?
What Services Support Sessions?
Support was compared per session type (Federated vs. Assumed-Role) for:
• Security Token Service
• AWS Identity and Access Management (IAM)
• AWS CloudFormation
• AWS Elastic Beanstalk
• Amazon Elastic MapReduce
• All other services
Accurate as of 4/30/2013. See http://aws.amazon.com/iam for the most up-to-date list.
Where Do You Want to Maintain AWS Permissions?
Within your enterprise
• Use federated session
• Proxy will require maximum permissions
• Required: attach policy to the request
Within AWS
• Use assumed-role session
• Proxy will only require ListRoles & AssumeRole permissions
• Optional: attach policy to the request
Summary: Use Cases
Cross-Account API Access
• Use one set of credentials
• No more sharing long term credentials
• Revoke access to the role anytime you want!
Federation
• Leverage your existing corporate identities
• Use the username/password you already know
• Enforce corporate policies/governance
• When employees leave, you only need to delete their corporate account
Summary: Technology
Sessions are the heart of delegation
• Use keys to sign API requests
• Use token as parameter when making requests
Request sessions (federated/assumed-role) by calling AWS STS
• Variable expiration timeframes
• Service support varies per session type
• AWS permissions derived differently
Choose the right session for the job
For More Information
• Learn more from our home page
– http://aws.amazon.com/iam
• This is the IAM forum where we hang out
– https://forums.aws.amazon.com/forum.jspa?forumID=76
• Developer documentation
– http://aws.amazon.com/documentation/iam/