Demystifying identity on AWS

Demystifying Identity @ AWS
IdentitydiscussionfromEnterpriseCustomers/workloadpov/focus
Amit Jha , Developer Advocate
@amitkjha_rjn
https://www.linkedin.com/in/amitjhanyc/

Agenda
Enterprise Cloud – Trends (Modernization) Overview
Basics of Identity on AWS
Federation, OpenID Connect, OAuth2
Use cases, use cases and Identity solution options..
Q&A

Enterprise customer – Begin their journey to the cloud

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Initial Enterprise Setup - AWS Control Tower(Multiacctmodel)
Set up an AWS
landing zone
Establish
guardrails
Automate compliant
account provisioning
Centralize
identity
and access
Manage
continuously

What are the key characteristics of successful
customer migration-modernization look like?

Modernization Area Identity(AuthZ, AuthN)
Association
Automation Builder Identity
Application Architecture Identity for Apps
DevSecOps, Datalake Role driven or Attribute based
authentication & authorization
Microservices Different identity protocol
needs (oAuth, OpenID Connect,
SAML)
Operating model Role, Attribule, Team
permissioning

Corporate vs Consumer Identities
Corporate Consumers
Quick…Identity Basics

AuthN = Authentication
AuthZ = Authorization
MFA = Multi Factor Authentication
Identity
Management
Access
Management
Resource
Management
AWS Account
WHO CAN ACCESS WHAT

Federation
Delegating an individual’s or entity’s authentication responsibility to a
trusted external party.
Identity Provider (IDP)
Security Assertion Markup Language(SAML)
Service Provider(SP)
Relying Party(RP)
The trusted identity providers can be on-premises federation services,
corporate directories or even social identity providers like Facebook,
Google and Twitter.

User logs
in to portal
Corporate data center
Enterprise (identity provider) AWS (service provider)
Browser interface
Identity
store
IdP portal
1
3
2
4
5
AWS sign-in
User
authenticated
Receive
response
(SAML
assertion)
Post the SAML
assertion to sign-in
Redirected to
AWS Management
Console
Identity federation with SAML 2.

OpenID Connect, oAuth2
OpenID Connect is an interoperable authentication protocol based on
the OAuth 2.0 family of specifications.
OAuth 2 is an authorization framework that enables applications to
obtain limited access to user accounts on an HTTP service, such as
Facebook, GitHub etc.

JWT
Json Web Tokens are implemented as a part of Open
ID Connect and Oauthv2.
Imagine that a user is logged in an application and
each subsequent request will include the JWT,
allowing the user to access routes, services, and
resources that are permitted with that token.
Tokens
• Identity
• Access
• Refresh
*expiration

SCIM & JIT
SCIM(System for Cross-domain Identity Management) is a protocol built by teams from Oracle,
Salesforce, Sailpoint and Nexus Technology.
A good example is AWS customers that want to integrate AWS SSO with Azure AD. When you
enable automatic provisioning, SCIM provisions users between clouds. The Identity is provided,
in this scenario by Azure AD, but the rules of access and resource definitions are done by the
Service Provider. Meaning you can federate AWS with Azure AD but AWS SSO Permissions
would rule for your SCIM synchronized objects.
JIT provisioning is also a method of automating user account creation for web applications, it
uses the SAML protocol to pass information from the identity provider to web applications

Security before the cloud


Then
Security Corporate firewall
Identity Employees
Resources Hundreds, in a few buildings
Compliance Employee passwords
Administration Centralized
Cloud Up in the sky

Disruptors
Mobile
Consumerization of IT
Globalization
IoT
New privacy laws
Microservices
SaaS applications
Cloud

Security before the cloud Security in the cloud
 AWS Cloud

AWS IAM Basics
• IAM User
• Entity that you create in AWS, representing the person or service who uses the IAM user to
interact with AWS
• IAM Group
• Collection of IAM users (A management convenience)
• IAM Role
• Similar to a user but does not have standard long-term credentials (e.g. password or access
keys) associated with it
• An IAM User can assume a Role to take on the permissions of the role
IAM User
Role
Permissions
Policy
attached to
Request to
Assume Role
AWS STS
Temporary security
credential
AWS Identity and Access Management

AWS Identity – Brief History
Launch Brief Detail
AWS Root User One account, One user
IAM IAM Users One account, Many users
SAML Federation Corp Directory
users
One account, Corporate
users
Switch Role Ability to switch
role
Same user switching
roles
AWS Organization
SSO Service
SSO users Many account, Many
users
SSO External Directory SSO + Corporate
directory users
Many accounts,
Corporate users

AWS Security Token Service STS
The AWS Security Token Service (STS) is a web service that enables you
to request temporary, limited-privilege credentials for AWS Identity
and Access Management (IAM) users or for users that you authenticate
(federated users)

© 2020, Amazon Web Services, Inc. or its Affiliates.
Quick Demo .NET SDK – IAM Manipulation
IDE
integration
AWS Toolkit for
Visual Studio
AWS Toolkit for
Visual Studio Code
Programmable
SDK
Command
line tools
AWS Tools for
PowerShell
AWS SAM for
Windows
AWS CLI
‘dotnet’ CLI
extensions
CI/CD
integration
AWS Tools for
Azure DevOps
AWS CodePipline/
CodeBuildAWS CDK
for .NET
AWS Toolkit for
Rider
AWS SDK
for .NET

Accounts in AWS
AWS Account
AWS Organization
AWS Account AWS Account
Organizational Unit
AWS Account:
MASTER
Organizational Unit

Security invariants with AWS Organizations
AWS Cloud
AWS Organization
Organization Unit
Account
Region: us-east-1
Region: us-east-2
Region: ap-southeast-1
Region: eu-west-1
…
Service Control Policy:
Region Restriction

Simplifying the complexity
Managing resources at scale can be broken down into three steps

Tag policies
• Export a cross-account, cross-region report to
easily aggregate and view tag policy compliance
• Define tag key capitalization and allowed tag values
• Apply the tag policy to entire organization, specific
organizational units, and individual accounts
Standardize the tagging of your AWS resources
Audit tagged resources
Works with AWS Organizations
New!

IAM users
Works best when you have:
• A relatively small number
of users (limit is 5,000)
• One AWS account, or a
relatively small number of
them
• A need for long-term
credentials
• No user directory, or no
ability to connect your
directory to AWS
• Your very first AWS
account
AWS Account
AWS Organization
AWS Account
Organizational Unit
AWS Account:
MASTER

AWS Single Sign-On user pool
AWS Account
AWS Organization
AWS Account
Organizational Unit
AWS Account:
MASTER
Admin ReadOnly Admin ReadOnly
• A relatively small number
of users (limit is 500)
• Simple authorization
schemes of humans into
AWS
• Rules to map groups of
users to AWS environments
• No user directory, or no
ability to connect your
directory to AWS

Azure AD
Enterprise customer requests

Active Directory Federation Services
• Corporate users in a
Microsoft Active Directory,
either on-premises or
managed in AWS
• An ADFS connected to your
directory
• Control over ADFS claims
• A need for granular control
over user permissions
AWS Account
AWS Organization
AWS Account
Organizational Unit
AWS Account:
MASTER
Admin ReadOnly Admin ReadOnly
ADFS

© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AD on AWS supports many options
Run or extend AD-dependent
workloads onto EC2 or AWS
Managed Services
Actual Microsoft AD, HIPAA and
PCI Eligible, Trust support,
Group-based policies, SSO,
Seamless domain join, AWS
Management Console
Federation, Daily snapshots
A modern, hybrid approach
to AD that shares privileges
and data from on-premises
AD to AWS Managed
Microsoft AD on AWS
AD as a Managed Service True hybrid AD AD-enabled cloud

Use case #1: Amazon EC2 - Windows and Linux instances
High Fidelity
• Workloads: SharePoint Server, .NET Apps, SQL Server Always-On, Amazon
EC2 Linux
• Active Directory security groups to control AWS resource access (RBAC or
ABAC)
• Create GPO’s for
• standardizing settings & configurations
• managing Amazon EC2 instances and Amazon WorkSpaces
• Schema extension for customized applications
• LDAPS and read/write LDAP
• Kerberos delegation
• Amazon EC2 Seamless domain join (Windows and Linux*)
• Cross Account and cross VPC support
* Release expected

Use case #2: AWS Managed Services
• Centrally Managed Services - Windows file server and db’s
• Scale deployments across multiple accounts and VPC’s
• Flexibility to choose between on-prem or cloud identities
• Seamless integration with your existing Active Directory
• Supported Services
• Amazon RDS for SQL Server
• Amazon RDS for PostgreSQL
• Amazon RDS for Oracle
• Amazon RDS for MySQL
• Amazon FSx for Windows File Server

Use case #3: AWS Single Sign-On
• Create Workforce Identities once
• Provision and Sync users via SCIM
• Centrally Manage Identities
• On-premises AD, AD on AWS EC2, AWS Managed Microsoft AD
• AWS SSO, Okta, Ping Identity, OneLogin, Azure AD
• Centrally Manage AWS access
• Preferred interface via SAML: AWS Management Console, CLIv2, AWS mobile app
• SSO access across all AWS accounts in your organization, and business apps - for
employees, contractors, business partners
• Smart Sign-in Security with Authenticator applications
• Authy, Google Authenticator
• AWS SSO (native) Integrated apps
• Amazon SageMaker
• AWS IoT Core
• AWS Management Console

Use case #4: AWS Applications
• Use a centrally managed Identity store
• Use Active Directory security groups for controlled access
• Remote desktop access, file or folder permissions
• AWS application access
• Amazon Chime
• Amazon WorkMail
• Amazon Connect
• Amazon Client VPN
• Amazon QuickSite
• Amazon WorkSpaces
• Amazon AppStream 2.0
• Amazon Workdocs

AWS SSO with AWS Directory Service
AWS Cloud
VPC

Provisioning and AWS application integration
1
2
3
4

Using AWS SSO with Azure Active Directory with SCIM
Azure AD

Authenticating to AWS: Quick decision framework
If you have an existing user
directory:
• AWS SSO with directory
integrations
• Bring your own SAML federation
(e.g., ADFS)
• Advanced use cases: Custom
federation
If you don’t have an
existing user directory:
• AWS SSO with user pools
• IAM Users

IAM roles for non-human access
AWS Account
Use IAM roles for access to
AWS resources from:
• Your application running
on an AWS compute
environment, e.g., EC2
instance, Lambda function,
etc.
• Permission to an AWS
service to access your
resources (not shown)
EC2 instance
Lambda
function
Amazon S3
buckets
Amazon
DynamoDB Table

Creating IAM roles for non-human access

Assigning AWS managed policies

Recommendation: Have at least these two IAM roles
AWS Account
AWS Organization
Organizational Unit
AWS Account:
MASTER
Organizational Unit
Admin ReadOnly Admin ReadOnly Admin ReadOnly
Admin ReadOnly

Example 1: Read data from DynamoDB
EC2 instance
with IAM role
DynamoDB
table

Least-privilege
face of judgment
Read/write
data

EC2 instance
with IAM role
DynamoDB
table

Read/write
data

EC2 instance
with IAM role
DynamoDB
table

Read/write
data

Reading the IAM documentation page
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html

EC2 instance
with IAM role
DynamoDB
table

Read/write
data

{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem"
],
"Resource": [
"arn:aws:dynamodb:us-east-2:111122223333:table/MyTable"
]
}
dynamodb.putItem({
TableName:"MyTable",
Item: {
"Id": {
S: "a1b2c3d4"
…
});
How authorization works in AWS
EC2 instance
with IAM role
DynamoDB
table
The “PutItem” action and the “table”
resource match the Allow statement, so
the request is allowed

Permission across AWS Accounts

AWS Account
Accessing resources in another AWS account
AWS Account
444455556666
AWS Organization
AWS Account
111122223333
AWS Account:
MASTER
example-bucket

"Principal": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgId": "o-a1b2c3"
}
}
Allow the entire Organization

Recommendations for cross-account access
Keep it simple:
• Use resource-based policies when available
• Unless you have a specific reason to do otherwise:
• Trust the entire other account, or
• Trust the AWS Organization
• Use IAM roles if resource-based policies are not available
• Follow the above rules for their trust policies (i.e., resource-based policies for IAM roles)

Identity at different layers
Amazon Web
Services (AWS)
Infrastructure
Application
Builders
Operators
Users
AWS Command
Line Interface (AWS
CLI)

Identity for the AWS layer:
Managing console, AWS CLI, and API access
@scale

Your options
SAML to IAM AWS Single Sign-
On (AWS SSO)
Custom Broker

Identity “for” and “of” the infrastructure
Operating
systems
Database
engines
EC2 instances
DynamoDB
Table
S3 Bucket
with objects
for of

“For” the infrastructure: Options
Traditional *Utopia

“Of” Infrastructure - Base primitive: IAM roles
AWS credentials auto
delivered and rotated
AWS credentials auto
discovered and used
Access controlled by
policy attached to role
Also works with AWS Lambda & Amazon Elastic Container Service (Amazon ECS)
Permissions
Role
Temporary
security
credential
Your code
Operating
system
EC2
instance
AWS resources

AWS Secrets Manager (e.g. conn string, config etc)
Authorized call to
Secrets Manager
DB creds loaded
DB creds
returned
Connection established
Safe
rotation
Combo provides a reliable, secure, auto-rotating solution for ALL credentials
Permissions
Role
Temporary
security
credential
Your code
Operating
system
EC2
instance
AWS resources
VPC
DBA

For the humans and the machines
Credentials Container
Lambda
Function
Service 1 Service 2
Service to serviceHuman to application

Amazon Cognito
Get AWS credentials
Access AWS services
Authenticate 1
Redirect /
Post back
Access serverless backend
Federating
IdP
IdP Token
CUP TokenCUP Token
CUP Token
AWS STS
AWS STS
User pool tokens are used to
access backend resources
Identity pools provide AWS
credentials to access AWS
services
User pools authenticate
users and returns standard
tokens
2
3
4
56

Amazon Cognito
• Application identity Swiss army knife
•Offloads identity focused undifferentiated heavy lifting
• Normalizing layer for applications
•Native and/or federated users – App doesn’t need to care
• Vends standard tokens
•CUP tokens – Accessing your APIs
•AWS Security Token Service (AWS STS) – Accessing
AWS APIs
• Clean integrations with adjacent services
•Amazon API Gateway – AuthN/Z for your APIs
•Application Load Balancer – AuthN/Z for your apps
Wikimedia Commons - By James Case from Philadelphia,
Mississippi, U.S.A.

Support for OAuth 2.0 in Cognito User Pools
• OAuth 2.0 flows:
• Authorization code
• Implicit
• Client credentials
• Resource owner password credentials
• Custom scopes defined for resource
servers

Amazon Cognito: Identity
Scenarios
Business to Consumer Business to Business
Business to Employee IoT Scenarios
Enterprise
DirectoryEnterprise
Directory
SAML
Enterprise
Directory
SAML
AWS IoT

Amazon Cognito: Services
User Pools Federated Identity (Identity Pools)
• Sign up/sign in
• User profiles
• Issue tokens
• Hosted UIs
• OAuth2/OIDC
Identity Provider/Client
• SAML2 Service Provider
Federation
• Guest access
• AWS credentials

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CONFIDENTIAL and INTERNAL ONLY.
Cognito User Pools - Comprehensive User Flows
Email or Phone
Number Verification
Forgot Password
User Sign-Up and
Sign-In
Require users to verify their email address or phone number prior to activating
their account with a one-time password challenge
Provide users the ability to change their password when they forget it with a one-
time password challenge
Allow users to sign up and sign in using an email, phone number, or username
(and password) for your application.
User Profile Data Enable users to view and update their profile data – including custom attributes
SMS Multifactor
Authentication
Require users to complete a second factor of authentication by inputting a
security code received via SMS as part of the sign-in flow
Customize these User Flows Using Lambda
Token Based
Authentication
Use JSON Web Tokens (JWTs) based on OpenID Connect (OIDC) and OAuth
2.0 standards for user authentication in your backend

Cognito User Pools - Extensive Admin Capabilities
Define Custom
Attributes
Set per-App
Permissions
Set up Password
Policies
Create and manage
User Pools
Define custom attributes for your user profiles
Set read and write permissions for each user attribute on a per-app basis
Enforce password policies like minimum length and requirement of certain
types of characters
Create, configure, and delete multiple user pools across AWS regions
Require Submission
of Attribute Data
Select which attributes must be provided by the user prior to completion of
the sign-up process
Search Users
Search users based on a full match or a prefix match of their attributes
through the console or Admin API
Manage Users
Conduct admin actions, such as reset user password, confirm user, enable
MFA, delete user, and global sign-out

SDKs for Cognito User Pools
Native
Mobile app
AWS Mobile SDK
for iOS, Android
Web app,
Custom UI
AWS Amplify
Backend
Service
AWS SDK
e.g., Java, Python,
Node.js, etc.
Web app,
Hosted UI
AWS Amplify
OR
Cognito Auth SDK
for JavaScript
Hybrid
Mobile app
AWS Amplify

AWS Integrated Authorization
Amazon API Gateway AWS Application Load
Balancer
AWS Credentials
(Any AWS service)
Cognito
Tokens
Cognito
Tokens
Cognito
Tokens
Amazon
Cognito
API GW
Amazon Cognito
Amazon
Cognito
DynamoDB,
S3, etc.
ALB

API Gateway: three types of authorization
Amazon Cognito
User Pools
Amazon Cognito
Identity Pools
Custom Identity Providers
AWS IAM authorization
Lambda Authorizers
Cognito Authorizers

Amazon Cognito
User Pools
Amazon Cognito
Identity Pools
Lambda Authorizers
Cognito Authorizers

Mobile app
6. Access
AWS Resources
Amazon
DynamoDB
Lambda
function
Amazon API
Gateway
Amazon Cognito
User Pools
Cognito User Pools Authorizers

Amazon Cognito
User Pools
Lambda Authorizers
Cognito Authorizers
Amazon Cognito
Identity Pools

Mobile app
8. Invoke Lambda
Lambda
function
Amazon API
Gateway
Amazon Cognito
User Pools
AWS Identity &
Access Management
Amazon
DynamoDB
IAM-based authorization
Amazon Cognito
Identity Pools

Amazon Cognito
User Pools
Lambda Authorizers
Amazon Cognito
Identity Pools
Cognito Authorizers

Custom Authorizer
Lambda function
Mobile app
Amazon API
Gateway
8. Invoke
AWS Identity &
Access Management
Lambda
function
Amazon
DynamoDB
Lambda
Authorizers

Service to service in AWS using IAM
Container
Lambda
Function
Service 1 Service 2
Permissions
Role
Temporary
security
credential
Permissions
 AWS takes care of credential distribution
 Centrally defined authorizations in IAM policies
 Resource-based policies allows access across AWS accounts
AWS Cloud

How authentication works in AWS
POST https://dynamodb.us-east-2.amazonaws.com/ HTTP/1.1
Host: dynamodb.us-east-2.amazonaws.com
X-Amz-Date: 20180918T150746Z
X-Amz-Target: DynamoDB_20120810.ListTables
X-Amz-Security-Token: FQoGZXIvYXdzEKH////////// …
Content-Type: application/x-amz-json-1.0
Authorization: AWS4-HMAC-SHA256
Credential=ASIAXXXXXXXXXXXXXXXX/20180918/us-east-
1/dynamodb/aws4_request, SignedHeaders=content-
type;host;x-amz-date;x-amz-security-token;x-amz-target,
Signature=c1b4bc2df0c47c86cbcfa54d932e8aaa455b6b7c38e65d84
0f722254add1ea9e

Service to service in AWS using Amazon Cognito (OAuth)
Container
Lambda
Function
Service 1 Service 2
Permissions
Role
AWS Cloud
CUP Token
 Alignment with human based authorization
 Bearer token model familiar to developers
• You perform credential distribution (using AWS primitives)

Attribute-based access control (ABAC)
“If the tag on the principal matches the tag
on the resource, allow, otherwise deny.”

Session tags
Principal tags → dynamic policies
Session tags → dynamic roles
New!

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:StartSession",
"Resource": [ "arn:aws:ec2:*:*:instance/*" ],
"Condition": {
"StringLike": {
"ssm:resourceTag/project": "${aws:PrincipalTag/project}",
"ssm:ResourceTag/team": "${aws:PrincipalTag/team}"
}
}
},
{
"Effect": "Allow",
"Action": "ssm:TerminateSession",
"Resource": [ "arn:aws:ssm:*:*:session/${aws:username}-*“ ]
}
]
}
Session tags ABAC policy
Identity policy attached
to IAM role for SAML
federated user

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Federated": "arn:aws:iam::111122223333:saml-provider/MyIDP },
"Action": [
"sts:AssumeRoleWithSAML",
"sts:TagSession"
],
"Condition": {
"StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" },
"StringLike": {
"aws:RequestTag/project": "*",
"aws:RequestTag/team": "*"
}
}
}
]
}
Session tags role trust policy
trust policy attached to
IAM role for SAML
federated user

Configure IdP for session tags
AWS Security Blog
Attributes → standard
Configurations → IdP specific

ABAC (Attribute Based Access Control) –
Leverage session tags
https://aws.amazon.com/blogs/mt/configure-session-manager-
access-for-federated-users-using-saml-session-tags/

Suitable for some very unique authorization usecases : Custom brokers
Custom Broker
Underlying compute
IAM role
AWS Cloud
Example Corp.
user
AuthN/Z
Determine granular
entitlements
Assess environment
and/or context
Generate session
policy
sts:AssumeRole with session policy
“on behalf of” the authorized user

Fine grained permissioning
AWS lake formation helps you set up a secure data lake in days. A data
lake is a centralized, curated, and secured repository that stores all
your data, both in its original form and prepared for analysis.
• You can use Lake Formation to centrally define security, governance, and
auditing policies in one place, versus doing these tasks per service
• Eliminates the need to manually configure them across security services like
AWS Identity and Access Management and AWS Key Management Service,
storage services like S3, and analytics and machine learning services like
Redshift, Athena, and (in beta) EMR for Apache Spark. This reduces the effort
in configuring policies across services and provides consistent enforcement
and compliance.
• E.g. https://aws.amazon.com/blogs/big-data/enable-fine-grained-permissions-
for-amazon-quicksight-authors-in-aws-lake-formation/

30+ free digital courses cover topics related to cloud
security, including Introduction to Amazon GuardDuty and
Deep Dive on Container Security
Learn security with AWS Training and Certification
Visit aws.amazon.com/training/paths-specialty/
Classroom offerings, like AWS Security Engineering on AWS,
feature AWS expert instructors and hands-on activities
Validate expertise with the AWS Certified Security - Specialty
exam
Resources created by the experts at AWS to help you build and validate cloud security skills

Access management is a journey
CC0 Public domain

Demystifying identity on AWS

More Related Content

Similar to Demystifying identity on AWS

More from AWS User Group Bengaluru

Recently uploaded

In this document

Demystifying identity on AWS