Post on 28-Apr-2018

218 views

Category:

Documents


0 download

TRANSCRIPT

WHITE PAPER

SECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS

The Challenges Of Securing AWS Access and How To Address Them In The Modern Enterprise

Content

Executive Summary
AWS Security And Enterprise SaaS Challenges
Single-Sign On: Eliminating Passwords And Enhancing Access Management
Automating Least Privilege Access: Provisioning AWS Roles Across Multiple Accounts
Putting It All Together: Modern Identity for Cloud Apps And Services
Securing Corporate-Wide Access
OneLogin Roles & Mappings: Automating Complex Access Management
Summary of Value and Getting Started With OneLogin

Executive Summary

When operating in Amazon Web Services (AWS) it is important to understand your responsibility when it comes to security. AWS operates under a shared responsibility model: AWS is responsible for the security of the underlying cloud infrastructure, and you, the AWS customer, are responsible for securing the workloads you deploy in AWS. IT administrators and Security Officers should educate themselves on how to use AWS Identity and Access Management (IAM) configuration to protect access to AWS resources in a way that enhances security yet doesn't hinder productivity.

The path to securing AWS access in the enterprise runs through securing AWS sign-in and configuring least privilege access across multiple accounts. The solution is to eliminate app-specific passwords with Single Sign-On (SSO) and to automate the provisioning of AWS roles across all AWS accounts. This is made possible by integrating with a modern identity solution such as OneLogin's cloud directory. The benefits are improved security through a reduced risk of identity theft, increased productivity with faster access to applications and services, and significant savings for IT through automation and end-user self-service.

In this whitepaper we articulate the technical challenges of securing AWS access and the value proposition of an identity platform for the modern enterprise. In addition, we offer a brief introduction to OneLogin and instructions on how to create a free account.

AWS Security And Enterprise SaaS Challenges

When operating in Amazon Web Services (AWS) it is important to understand your responsibility when it comes to security. AWS operates under a shared responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure and you are responsible for securing the workloads you deploy in AWS. This gives you the flexibility and agility you need to implement the most applicable security controls for your business functions in the AWS environment. You can tightly restrict access to environments that process sensitive data, or deploy less stringent controls for information you want to make public.

[email protected] | 855 .426 .7227 | onelogin .com

This shared responsibility model can reduce your operational burden in many ways, and in some cases may even improve your default security posture without additional action on your part. AWS security is a full set of products to meet security infrastructure needs, such as protection from various network attacks, data storage encryption, monitoring and logging. IT administrators should educate themselves on ways to use these products, starting with AWS Identity and Access Management (IAM) configuration to protect access to AWS resources.

Effective security requires granular access control, and AWS IAM provides fine-grained access. With AWS IAM, admins can quickly create users and groups and assign each a fine-grained policy for accessing just the AWS services and actions that the user needs. As an admin, you can give engineers the privileges they need for their tasks while restricting them from risky actions such as restarting production instances on EC2, modifying parts of the network configuration in a VPC, or deleting objects from certain S3 buckets. These are merely examples; what is important to remember is that it is possible to apply a policy that lets the engineer do exactly what she needs to do and ensures that she cannot do things that are not part of her job, so that neither accidental nor malicious actions outside that scope are possible. With the functionality provided by AWS IAM, organizations can implement the right level of access control to allow employee productivity while maintaining the appropriate security controls.

While AWS offers a robust set of IAM tools designed to secure your AWS account, AWS does not have organizational context such as the reporting structure and roles, organization-wide security policies, HR processes, and productivity needs, all critical to accurately determine who should have access to sensitive resources at any point in time. Authentication and authorization of employees should be unified across all corporate applications, services and resources in a Single Sign-On (SSO) solution, combined with additional security measures such as multi-factor authentication (MFA). To accomplish this effectively and efficiently, administrators need a single integration point for applications, services, corporate directories and security layers. Without extending AWS security to the organization, administrators face the dual challenge of 24x7 uptime for applications built on top of AWS, along with the task of constantly aligning their AWS security with the organization to protect AWS resources from both internal and external threats such as unwarranted or malicious application access to sensitive data.


So, while AWS offers granularity and flexibility for protecting access to all AWS platform resources, what remains critical for security champions, such as IT administrators and Security Officers, is to educate themselves on how to use the power of AWS IAM in a way that enhances security yet doesn't hinder productivity. A modern identity platform plays a big role in making that a reality.

Single-Sign On: Eliminating Passwords And Enhancing Access Management

Identity theft accounted for 64% [1] of all data breaches in the first half of 2016. To understand the reason, consider the challenges of deploying and supporting an average of 730 [2] SaaS applications and services, such as Box, AWS and Slack, in the average enterprise. As a result, companies seek to protect their sensitive data by eliminating app-specific passwords and governing the authentication policy with means like IP-based restrictions, multi-factor authentication, password policies and organizational context, e.g. executive functions need stronger security. IT administrators are tasked with reducing user authentication complexity and risk by unifying all authentication into a Single Sign-On solution that applies to all corporate employees. AWS lets you tie an identity solution into your AWS account to control access to your AWS resources, enabling administrators to simplify and automate secure sign-in and access control. The first step to implementing and benefiting from this kind of integration is to understand SAML.

SAML (Security Assertion Markup Language) is an XML-based standard which passes login information through the browser between an identity provider (which appears to the user as a login page) and a third-party web application or service. SAML gives apps signed assertions (tokens) instead of credentials for logging in users. End-users only have to sign in once to an identity provider, which can forward a signed assertion to any app that supports SAML. Key benefits include:

1. Administrators do not need to manually align app-specific access with the corporate directory. After a 5-minute setup for any given app or service that supports SAML, only corporate users are able to log in to corporate apps, with the option of advanced policies like role-based access.

2. End-users enjoy a frictionless sign-in experience. If they are already signed in to their corporate account, they can immediately access the AWS Management Console securely and simply click through to the desired service. Because there is no AWS-specific password, there is one less credential to phish; the identity provider login itself should be protected with MFA.

3. The identity provider maintains organizational integrity and verifies that only active users are logged in. This significantly reduces the risk of compromised accounts and minimizes orphan accounts.

[1] Source: Gemalto data breach statistics, Sep 2016.
[2] Source: Cisco.

Fortunately for administrators, AWS supports SAML 2.0 federation (an IAM SAML identity provider plus roles that the provider is trusted to assume), which enables administrators to extend AWS access to their organization with the help of a modern identity solution.

AWS, paired with an identity solution, enables companies to accomplish frictionless and secure SSO based on a corporate directory, but there is another challenge: scaling this secure solution across multiple AWS accounts, and tightening security with least privilege access using multiple roles.

Automating Least Privilege Access: Provisioning AWS Roles Across Multiple Accounts

When looking at a large or fast-growing engineering organization, companies are dealing with serious security concerns for the more critical parts of their business. For example, engineers, technical marketers, and solutions architects should have the freedom to spin up test instances, but only a subset of engineers in dev operations and tech operations roles should have any access to production instances. This simple requirement becomes a true challenge when taking into account complex deployments, multiple engineering departments with different resources and needs, and requirements such as compliance and auditing, e.g. every access must be accounted for.

To deal with this critical security requirement, companies seek a secure access solution that separates AWS environments based on security and productivity concerns and applies an access control policy that takes into consideration all security and engineering needs across the organization. With this approach in place, organizations can scale the AWS solution across many environments, including multiple test, staging and production accounts, and enable engineers to use least privilege access when performing critical AWS tasks.

Fortunately, AWS supports highly granular policies within each account, and federated roles extend them across multiple accounts. For example, one policy could give users only read access to a specific Amazon S3 bucket, while another could give users only the permission to launch Amazon EC2 instances (ec2:RunInstances) and nothing else.

This role granularity is the IT administrator's best friend, but it requires extending it to the organization for role assignments to be meaningful.
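The two policies just described, written out as IAM JSON and exercised by a small evaluator, as an added example (not code from the paper, AWS or OneLogin). The bucket name, account ID and instance ARN are constructed. The evaluator implements IAM's default-deny and explicit-deny-wins ordering for identity-based policies only; conditions, NotAction/NotResource, resource-based policies and permission boundaries are deliberately out of scope:

```python
"""Least-privilege IAM policies with a minimal evaluator.
Added example; the policies, bucket and account names are constructed."""
import fnmatch

# Read-only access to one bucket: list it and fetch objects, nothing else.
S3_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::build-artifacts"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::build-artifacts/*"},
    ],
}

# Launch-only access to EC2, with an explicit Deny on destructive actions.
# An explicit Deny overrides an Allow from any other attached policy.
EC2_LAUNCH_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value, case_sensitive):
    """Glob match as IAM does ('*' and '?' wildcards). Action names compare
    case-insensitively, resource ARNs case-sensitively."""
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Default deny; a matching explicit Deny wins; otherwise a matching
    Allow grants. Simplified: no conditions, NotAction or resource policies."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _any_match(_as_list(stmt["Action"]), action, False):
                continue
            if not _any_match(_as_list(stmt["Resource"]), resource, True):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def broad_statements(policy):
    """Indexes of Allow statements granting a whole service (or everything)
    on every resource: the opposite of least privilege, worth flagging."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wide_action = any(a == "*" or a.endswith(":*") for a in actions)
        if stmt.get("Effect") == "Allow" and wide_action and "*" in resources:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    engineer = [S3_READ_ONLY_POLICY, EC2_LAUNCH_ONLY_POLICY]
    instance = "arn:aws:ec2:us-east-1:111111111111:instance/i-0a1"
    checks = [
        ("s3:GetObject", "arn:aws:s3:::build-artifacts/app.zip"),
        ("s3:DeleteObject", "arn:aws:s3:::build-artifacts/app.zip"),
        ("ec2:RunInstances", instance),
        ("ec2:TerminateInstances", instance),
    ]
    for action, resource in checks:
        verdict = "ALLOW" if is_allowed(engineer, action, resource) else "DENY"
        print(f"{action:24} {verdict}")
```

Attach both policies to the same engineer and the explicit Deny still blocks termination even if a third, broader policy is added later; `broad_statements` is the review check that catches such a policy before it ships.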


This is where a full-fledged identity platform comes to the rescue, by providing smart and flexible mapping of roles from your corporate directory to roles in your AWS accounts. This mapping can use employee metadata such as internal department or job function to provide AWS with the list of AWS roles and AWS accounts that the user is allowed to access. Then, with every new login to AWS, the identity platform first calculates the right privileges for the user and passes them to AWS in the SAML assertion to grant the right level of access. This happens in real time, so the employee metadata is always fresh and the privileges always reflect the employee's current status and organizational role. Note that credentials already issued for a session stay valid until they expire, so a change in the directory takes effect at the user's next sign-in.

[Figure: Role-based access. An optional external directory, such as on-premise AD or LDAP, feeds OneLogin roles (TechOps Lead, TechOps Engineer, DevOps Lead, DevOps Engineer), and each OneLogin role maps to a set of AWS roles. Role sets shown: S3 Admin, VPC User, RDS Power User, Route 53 Admin (TechOps Lead); EC2 Power User, IAM Admin, Route 53 User; EC2 Admin, IAM Admin, Route 53 User, VPC Power User; Route 53 User, S3 Power User, VPC User.]

With the mapping of corporate metadata to AWS roles complete, users can now sign in to their AWS account(s). If the assertion carries more than one role, AWS presents a role-selection page listing all the accounts and roles the user may assume, and she picks the account and role for the task at hand. By extending AWS security with organizational context, we gain both maximum security and increased productivity.

Putting It All Together: Modern Identity for Cloud Apps And Services

We have seen how AWS enables administrators and security personnel to protect AWS access in two key ways: secure token-based sign-in with SAML, and access control with granular AWS policies. In order to streamline identity information and access control in a way that enables fast and secure access to apps or services like AWS, organizations need a strong identity provider that applies organizational context to overarching authentication and role-based access control. Modern identity platforms can be a standalone cloud directory for your users or a key integration point for all apps, services and directories, and they enable Single Sign-On as well as passing employee metadata to apps in a number of standard ways. They also support multiple security layers such as Multi-Factor Authentication and IP-based restrictions. In the next few sections we will look at how a solution like OneLogin can help you gain the level of security and productivity that you need.

Securing Corporate-Wide Access

A key strength of OneLogin is the ease of adding a new app with secure corporate-wide access. Within an hour, you can stand up a new OneLogin account that is either a standalone cloud directory with all your corporate users or syncs from one or more external directories such as Active Directory or LDAP.

OneLogin has over 5,000 pre-integrated apps, including the AWS Management Console, for one-click access to the AWS dashboard. As the configuration screenshot (not reproduced here) shows, since the app is pre-integrated, the only thing you need is your unique AWS account identifier, which you can find in your Amazon account.

You can allow select users access to the AWS Management Console within seconds, using OneLogin's app policy. Every user who is allowed to access AWS can access it directly or through OneLogin's app portal, which is customized for each user with only the apps she is allowed to use. [Screenshot: OneLogin app portal, not reproduced.]

Interested in learning more about single sign-on or advanced security policies? Visit onelogin.com/aws for more information or request access to OneLogin.

A single click and the user is signed into AWS. At this point, only active corporate users can sign into AWS. Companies gain both security and productivity. With AWS specifically, access to all available AWS accounts and services is reduced to a single access point, which can be protected with a flexible security policy.

OneLogin Roles & Mappings: Automating Complex Access Management

Moreover, an identity provider like OneLogin can make it easier to securely pass key metadata such as user identifiers and roles to integrated apps and services, like AWS and all your other corporate applications. This feature is often called user provisioning, and it can take place in the background between OneLogin and other apps, or in real time at login, depending on the supported integration.

Only advanced identity providers, like OneLogin, can separate application assignment from permission assignment. This gives administrators the flexibility to do a clean application deployment: they can configure role-based access without worrying about any users getting immediate access, and then gradually give access to users when approved and ready. A good rules engine uses simple conditions, with no need for complex code-like expressions to determine whether a user should get access.

In the OneLogin screenshot referenced here (not reproduced), the Active Directory group called IT Administrators corresponds to several AWS roles such as S3 Full Access and Route 53 Full Access.

The end result is that through one connection, administrators can use a centralized administrative portal to set up multiple application rules that build on top of each other. Because these rules all correlate to Active Directory attributes or groups, administrators can handle employee joins, moves and leaves at scale.

AWS multi-role provisioning greatly eases the administrative overhead of securing AWS, allowing IT to move at the speed of the business and fulfill its mandate of delivering end-user productivity.

Summary of Value and Getting Started With OneLogin

Cloud identity platforms, like OneLogin, provide a comprehensive solution for managing user identities both in the cloud and behind the firewall. OneLogin integrates with cloud and on-premise apps using open standards like SAML and OpenID, to provide services such as Single Sign-On with Multi-Factor Authentication for web and mobile, user provisioning into apps, multiple directory integration, and more. OneLogin comes pre-integrated with thousands of applications.

With OneLogin, organizations have an identity provider that moves at the speed of their business. As new applications are created or onboarded, IT can automatically provide access to the correct users. Day 1 productivity for new employees can be achieved in any new application, greatly reducing time to value and increasing productivity for the business.

Learn more about user provisioning or role-based access for AWS and activate a free OneLogin account for AWS by visiting onelogin.com/aws.

Appendix A: How SAML Works

SAML (Security Assertion Markup Language) is an XML-based standard which passes login information through the browser between an identity provider (which appears to the user as a login page) and a third-party web application or service. The original includes a snippet of a typical SAML response at this point, not reproduced here. A full response carries additional attributes and a digital signature from the identity provider, which AWS verifies against the certificate registered with the IAM SAML provider, and may additionally use encryption.

An AWS account is configured to accept logins via the identity solution for single sign-on, and the identity solution is configured with the information of the AWS account. The identity solution authenticates the user with corporate credentials and verifies access, and sends the user immediately to the AWS Management Console to continue working. If the user is accessing the app from an app portal with all the apps she has access to, then she is already signed in and can launch the AWS Management Console in a single click. It is a smooth and frictionless user experience.

Behind the scenes, the user's browser is redirected from the identity solution to the AWS sign-in endpoint with a signed SAML assertion which identifies the user and carries additional metadata such as the account identifier and permitted roles.

[Figure: SAML 2.0 flow, IdP-initiated. Participants: User (e.g. via browser), Identity Provider (e.g. OneLogin), Service Provider (e.g. AWS).]

1. The user requests the SSO service at the identity provider.
2. The identity provider authenticates the user.
3. The user requests access to the service; the auth request is verified.
4. A SAML token is generated with user attributes.
5. The user is redirected to the service with the SAML token.
6. The service provider verifies the SAML token.
7. The user is logged into the service.

Appendix B: How AWS Roles Work

In AWS a role is essentially a set of permissions that grant access to actions and resources in AWS. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Additionally, a role has no long-term credentials of its own. Instead, when the identity provider's SAML assertion is presented to AWS (by the browser at the AWS sign-in endpoint, or by an API client calling sts:AssumeRoleWithSAML), AWS issues temporary credentials that let the user access AWS resources for the duration of the session.

When a role is created, a permission policy is attached to it. This permission policy defines what actions, within the AWS account, the role is allowed to perform. A second policy, the role's trust policy, states who may assume the role; for SAML federation it names the IAM SAML identity provider(s) that are allowed to use the role.

SAML messages, which are used to sign in users with user identifiers as well as other metadata, include multiple Amazon Resource Names (ARNs) that point to the permitted accounts and roles for the user; each role ARN is paired with the ARN of the SAML provider registered in that account. The metadata is sourced by your identity provider based on role mappings, and it is digitally signed by the identity provider, so only a trusted provider can sign the user in to the correct accounts and roles.

[Figure: AWS IAM Policy sample. Source: AWS]
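An added example (not OneLogin or AWS code) tying together the role mapping described earlier, the SAML flow in Appendix A and the ARN pairs in this appendix: an identity-provider-side function maps directory groups to AWS role and provider ARN pairs at login and builds the AttributeStatement AWS expects; the relying side parses it, checks the audience and an account allow-list, normalises the ARN pair, and confirms the role's trust policy names that SAML provider. The group names, account IDs, role names, the provider name OneLogin and the trust policy are constructed, and the assertion is unsigned; a real identity provider signs it and AWS verifies the signature before any of these checks matter:

```python
"""IdP-side role mapping, the AWS SAML Role attribute it produces, and the
checks on the AWS side. Added example, not OneLogin or AWS code; group names,
account IDs, role names and the provider name are constructed."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)
# Attribute names and audience AWS defines for SAML federation.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
PROVIDER = "OneLogin"  # assumed name of the IAM SAML provider in each account
MAPPINGS = {  # constructed: directory group -> [(account id, role name)]
    "TechOps Lead": [("111111111111", "S3Admin"), ("222222222222", "Route53Admin")],
    "DevOps Engineer": [("111111111111", "EC2PowerUser")],
}

def role_pairs_for(user):
    """IdP side: resolve the user's groups to 'role ARN,provider ARN' values at
    login, so a group change in the directory changes AWS access next sign-in."""
    pairs = set()
    for group in user["groups"]:
        for account, role in MAPPINGS.get(group, []):
            pairs.add(f"arn:aws:iam::{account}:role/{role},"
                      f"arn:aws:iam::{account}:saml-provider/{PROVIDER}")
    return sorted(pairs)

def build_assertion(user):
    """Unsigned skeleton of the assertion a real IdP signs and POSTs to AWS."""
    q = lambda tag: f"{{{SAML_NS}}}{tag}"
    root = ET.Element(q("Assertion"))
    restriction = ET.SubElement(ET.SubElement(root, q("Conditions")), q("AudienceRestriction"))
    ET.SubElement(restriction, q("Audience")).text = AWS_AUDIENCE
    stmt = ET.SubElement(root, q("AttributeStatement"))
    name_attr = ET.SubElement(stmt, q("Attribute"), Name=SESSION_ATTR)
    ET.SubElement(name_attr, q("AttributeValue")).text = user["email"]
    role_attr = ET.SubElement(stmt, q("Attribute"), Name=ROLE_ATTR)
    for pair in role_pairs_for(user):
        ET.SubElement(role_attr, q("AttributeValue")).text = pair
    return ET.tostring(root, encoding="unicode")

def split_pair(value):
    """AWS accepts the two ARNs in either order: normalise to (role, provider)
    and insist both belong to the same account."""
    parts = [p.strip() for p in value.split(",")]
    role = next((p for p in parts if ":role/" in p), None)
    provider = next((p for p in parts if ":saml-provider/" in p), None)
    if len(parts) != 2 or role is None or provider is None:
        raise ValueError(f"malformed Role value: {value!r}")
    if role.split(":")[4] != provider.split(":")[4]:
        raise ValueError(f"role and provider in different accounts: {value!r}")
    return role, provider

def parse_assertion(xml_text, allowed_accounts):
    """AWS side, after signature verification (out of scope here): check the
    audience, then return the session name and the (role, provider) pairs."""
    root = ET.fromstring(xml_text)
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                             namespaces=NS)
    if audience != AWS_AUDIENCE:
        raise ValueError(f"assertion not intended for AWS: {audience!r}")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    session = attrs.get(SESSION_ATTR, [None])[0]
    if not session:
        raise ValueError("RoleSessionName missing")
    roles = []
    for value in attrs.get(ROLE_ATTR, []):
        role, provider = split_pair(value)
        if role.split(":")[4] not in allowed_accounts:
            raise ValueError(f"account not permitted: {role}")
        roles.append((role, provider))
    return session, roles

TRUST_POLICY = {  # constructed trust policy of arn:aws:iam::111111111111:role/S3Admin
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
                   "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/OneLogin"},
                   "Condition": {"StringEquals": {"SAML:aud": AWS_AUDIENCE}}}],
}

def trust_allows(trust_policy, provider_arn):
    """Does the role's trust policy let this SAML provider assume it for AWS sign-in?"""
    for s in trust_policy["Statement"]:
        actions = [s["Action"]] if isinstance(s["Action"], str) else s["Action"]
        aud = s.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if (s.get("Effect") == "Allow" and "sts:AssumeRoleWithSAML" in actions
                and s.get("Principal", {}).get("Federated") == provider_arn
                and aud == AWS_AUDIENCE):
            return True
    return False

if __name__ == "__main__":
    user = {"email": "dana@example.com", "groups": ["TechOps Lead", "DevOps Engineer"]}
    session, roles = parse_assertion(build_assertion(user), {"111111111111", "222222222222"})
    for role, provider in roles:
        print(session, role, "trusted" if trust_allows(TRUST_POLICY, provider) else "untrusted")
```

The three checks in `parse_assertion` and `trust_allows` are the ones that stop a compromised or misconfigured provider from minting access: the audience pins the assertion to AWS, the account allow-list rejects roles in accounts the provider was never meant to reach, and the trust policy's Federated principal plus the SAML:aud condition is what makes a role assumable by one specific provider and nothing else.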

About OneLogin, Inc.

OneLogin brings speed and integrity to the modern enterprise with an award-winning SSO and identity-management platform. Our portfolio of solutions secures connections across all users, all devices, and every application, helping enterprises drive new levels of business integrity and operational velocity across their entire app portfolios. The choice for innovators of all sizes such as Condé Nast, Pinterest and Steelcase, OneLogin manages and secures millions of identities across more than 200 countries around the globe. We are headquartered in San Francisco, California. For more information, log on to www.onelogin.com, Facebook, Twitter, or LinkedIn.

About Amazon Web Services

In 2006, Amazon Web Services (AWS) began offering IT infrastructure services to businesses in the form of web services, now commonly known as cloud computing. One of the key benefits of cloud computing is the opportunity to replace up-front capital infrastructure expenses with low variable costs that scale with your business. With the Cloud, businesses no longer need to plan for and procure servers and other IT infrastructure weeks or months in advance. Instead, they can instantly spin up hundreds or thousands of servers in minutes and deliver results faster.

Today, Amazon Web Services provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in 190 countries around the world. With data center locations in the U.S., Europe, Brazil, Singapore, Japan, and Australia, customers across all industries are taking advantage of the benefits of AWS.