Understanding AWS Identity and Access Management | AWS Public Sector Summit 2016
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Mark Ryland, Chief Solutions Architect, Worldwide Public Sector
June 21, 2016
Understanding AWS Identity and Access Management (IAM)
Agenda
• Identity: sources, credentials, transformations, and targets
• Access control for endpoints: targets and methods
• Access control for data: introducing Ionic Security
[Diagram, repeated on most of the following slides: identity sources on the left, the AWS services that transform them in the middle, and the targets they reach on the right]
Sources of identity: IAM users (and root); IAM roles; Sessions/"federated"; Web identities; Amazon Cognito user pools; User-provided web/OpenID Connect; Corporate identities (AD, LDAP)/SAML; App identities
Who uses them: End users; Administrative users
Transformations: AWS Management Console; IAM service; Amazon Cognito services; AWS Security Token Service
Targets: Infra & container services (Amazon EC2, Amazon RDS, etc.); Abstracted services (Amazon S3, Amazon DynamoDB, Amazon SQS, etc.); AWS-managed (Amazon API Gateway, AWS Lambda, AWS IoT); OSes/DBs/etc.; "Network OSes"; Applications
Identities sourced from the IAM service
• Amazon Cognito user pools: major innovation
• No need for separate trust configuration
• Multiple means for proving IAM identity
• Console: username/password/MFA
• API/CLI: access key/secret key/MFA
Derived identities from other sources
• Sessions/federation: IAM users
• Roles: SAML, web identities, EC2 service
• Temporary credentials provided by AWS Security Token Service (STS)
Identities from well-known sources
• Amazon, Facebook, Google, Twitter
• No need for separate trust configuration
• All proofing on the IdP side, with incoming claims
• Temporary credentials from AWS Security Token Service
Identities from customer sources: corporate identities (AD, LDAP) via SAML
• Separate trust configuration required
• All proofing on the IdP side, with incoming claims
• Temporary credentials from STS
IAM base service stores principals & associated policies
STS used for all temp credentials
Amazon Cognito provides value-add services
• IAM: username/password[/MFA]
• Session token/STS used in the MFA case
• SAML/OIDC: IdP-initiated login
Scenario #1: IAM user+MFA+console access to EC2
Scenario #1.1: AD user+SAML+console access to EC2
Scenario #2: AD user+SAML+API/CLI access to RDS
Scenario #3: Web/mobile user access to S3
Scenario #4: IAM CLI user/ EC2 Role to DynamoDB
Access control for endpoints
• AWS credentials (possibly STS temporary credentials) are in use by definition
• Endpoints are protected by IAM "PARC" policies: Principal, Action, Resource, Condition(s), plus the Effect
• Tons of features: in-line editor, policy generator & simulator, security intelligence
• Moving up the stack: from indirect to direct to user-defined behaviors
Three possible sources for policies
• Policies bound to principal(s): the principal is implicit (this user/group/role). True for most policies/services.
• Policies bound to resource(s): explicit principals; only for some resource types (AWS KMS keys, roles, S3, SQS, API Gateway, AWS IoT, VPC endpoints, etc.)
• Scoped-down policies added to the STS token at creation: the resulting permissions are the creator's privileges minus anything the scoped-down policy does not also allow (an intersection; it can never add permissions). Added by the creator of the temporary credentials (the caller of STS), on a role token or a federation token.

Example: three policies combined for S3 access. First, a bucket (resource) policy that denies every S3 action on the bucket unless the request arrives through one specific VPC endpoint:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my_bucket", "arn:aws:s3:::my_bucket/*"],
      "Condition": {
        "StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}
      }
    }
  ]
}
```

Second, the role's own (identity) policy, read-only:

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "Policy-for-Role-readonly",
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "*"
  }
}
```

Third, the scoped-down policy passed to STS when the temporary credentials were created, so that they stop being usable at a fixed time regardless of the token's own expiry. The slide shows only the Effect and the Condition; "Action": "*" and "Resource": "*" are assumed here because STS rejects a statement without them, which makes the time window the only restriction this policy adds:

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "Dynamic-time-limit-for-use-case",
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "DateLessThan": {"aws:CurrentTime": "2016-06-21T15:00:00Z"}
    }
  }
}
```

A request succeeds only if no applicable policy denies it and both the role policy and the session policy allow it: a GetObject from inside the VPC endpoint before 15:00Z passes, the same call from the internet hits the bucket policy's explicit Deny, and any call after 15:00Z falls outside the session policy and is implicitly denied. One caveat on the bucket policy: its Deny applies to "Principal": "*" with no exemption, so it also locks out any administrator not coming through vpce-1a2b3c4d, including whoever needs to fix the policy; exempt an administrative role from the Deny before applying it.
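To make the combination rule concrete, the following is an added example, not AWS code and not from the talk: a deliberately small Python model of IAM's evaluation logic (explicit Deny wins; a session policy can only narrow what the identity or resource policy grants; default is implicit Deny) run over the three policies above. It goes slightly beyond the slide by handling wildcards and lists in Action/Resource and multi-valued condition operators, but it models only the two operators the slide uses (StringNotEquals, DateLessThan) and skips Principal matching, so the caller is assumed to be covered by the bucket policy's "Principal": "*". The request context (VPC endpoint ID, current time, object key) is constructed.

```python
from datetime import datetime
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    # Action names are case-insensitive, resource ARNs are not.
    if case_insensitive:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _condition_holds(condition, context):
    """Evaluate a Condition block; only the two operators used on the slide are modelled."""
    ctx = {k.lower(): v for k, v in context.items()}  # condition key names are case-insensitive
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            if operator == "StringNotEquals":
                # Negated operator: a request that lacks the key entirely (no VPC endpoint
                # involved) still satisfies it, which is what makes the VPCE-only Deny bite.
                if actual is not None and actual in _as_list(expected):
                    return False
            elif operator == "DateLessThan":
                # Positive operator: a missing key means the condition is not met.
                if actual is None or not any(_parse_time(actual) < _parse_time(e)
                                             for e in _as_list(expected)):
                    return False
            else:
                raise ValueError("unsupported condition operator: " + operator)
    return True


def _effects(policy, action, resource, context):
    """Set of Effects from the statements of `policy` that apply to this request.
    Principal matching is not modelled (the slide's bucket policy uses "*")."""
    effects = set()
    for st in _as_list(policy["Statement"]):
        if (_matches(st.get("Action", []), action, case_insensitive=True)
                and _matches(st.get("Resource", []), resource)
                and _condition_holds(st.get("Condition", {}), context)):
            effects.add(st["Effect"])
    return effects


def evaluate(action, resource, context, identity_policy, resource_policy=None, session_policy=None):
    """Same-account decision following IAM's order: an explicit Deny anywhere wins; a
    session policy can only narrow what the identity or resource policy grants; and the
    default, when nothing applicable says Allow, is an implicit Deny."""
    sources = {"identity": identity_policy, "resource": resource_policy, "session": session_policy}
    decided = {name: _effects(p, action, resource, context) for name, p in sources.items() if p}
    for name, effects in decided.items():
        if "Deny" in effects:
            return "Deny (explicit, %s policy)" % name
    if "session" in decided and "Allow" not in decided["session"]:
        return "Deny (implicit, session policy does not grant it)"
    if "Allow" in decided.get("identity", set()) or "Allow" in decided.get("resource", set()):
        return "Allow"
    return "Deny (implicit)"


# The three policies from the slide (bucket name, VPCE ID and deadline as on the slide).
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Access-to-specific-VPCE-only", "Principal": "*", "Action": "s3:*", "Effect": "Deny",
    "Resource": ["arn:aws:s3:::my_bucket", "arn:aws:s3:::my_bucket/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "Policy-for-Role-readonly", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}}
SESSION_POLICY = {"Version": "2012-10-17", "Statement": {  # Action/Resource assumed (slide omits them)
    "Sid": "Dynamic-time-limit-for-use-case", "Effect": "Allow", "Action": "*", "Resource": "*",
    "Condition": {"DateLessThan": {"aws:CurrentTime": "2016-06-21T15:00:00Z"}}}}


def decide(action, resource, vpce, now):
    """Decision for a request made with the role's temporary credentials at time `now`
    (ISO 8601 UTC), arriving through VPC endpoint `vpce` (None = not via an endpoint)."""
    context = {"aws:CurrentTime": now}
    if vpce:
        context["aws:SourceVpce"] = vpce
    return evaluate(action, resource, context, ROLE_POLICY, BUCKET_POLICY, SESSION_POLICY)


if __name__ == "__main__":
    obj = "arn:aws:s3:::my_bucket/report.csv"  # constructed object key
    for args in [("s3:GetObject", obj, "vpce-1a2b3c4d", "2016-06-21T14:00:00Z"),   # Allow
                 ("s3:GetObject", obj, None, "2016-06-21T14:00:00Z"),              # bucket Deny
                 ("s3:GetObject", obj, "vpce-1a2b3c4d", "2016-06-21T16:00:00Z"),   # session window closed
                 ("s3:PutObject", obj, "vpce-1a2b3c4d", "2016-06-21T14:00:00Z")]:  # role never allowed it
        print(args, "->", decide(*args))
```

The ordering of checks is the part worth internalising: a Deny is looked for across every source before any Allow is counted, and the session policy is consulted as a filter rather than as a grant, which is why adding one to an STS call can only take permissions away.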
Scenario #5: AD user+SAML broker+API/CLI to S3
OSes/DBs/etc.
• Authn/authz using conventional means (OS/LDAP/AD)
• AWS provides optimizations: AWS Directory Service; automated domain-join for Microsoft Windows servers and Linux (via PAM)
• Stay tuned for improvements/integrations
Applications
• Authn/authz using conventional means (Application/LDAP/AD)
• AWS provides optimizations: app code can use roles to call AWS APIs; app code can be run behind an AWS-managed endpoint
• Stay tuned for improvements/integrations
Scenario #6: User + AWS Directory Service + access to Esri ArcGIS/S3
Adam Ghetti, Founder, Ionic Security (@AdamGhetti, www.ionic.com)
IN MATH WE TRUST
First and last mile high-assurance data security
A federal agency needs to collaborate with other appropriate federal, state, and local agencies.
A federal agency needs to ensure their data is accessed only by appropriate humans, applications, and infrastructure while in appropriate locations.
Goal = f(Appropriately + Securely Collaborating)
IAM for Infrastructure and Apps
IAM for Data
A federal agency needs all other scenarios to fail closed.
Unstructured data: documents, email, and media
Structured data: databases, applications, and IoT
[Figure: data types and sources. Unstructured: .DOCX, .PPTX, .XLSX, .CSV, .INI, .JPEG, .CPP, .PY, .MOV, .VSD, .XML, .JAVA, .CAD. Structured and application sources: Oracle RDS, S3, MSSQL, Hadoop, Mongo, MySQL, sensors, Salesforce, Slack, Outlook, Gmail, SCADA, custom applications, network appliances, iPhone, BlackBerry, Android. Spread across internal and external users and on-prem, shared, hybrid, regulated, and classified environments.]
Data = f(Digital assets + Classification)
Users = f(Infrastructure + Applications + Humans + Locations)
Rights = f(Data + Users)
Managed rights in a digital world are like the law; they are only as good as their enforcement.
Rights = f (Data + Users)
[Figure: encryption and decryption as the enforcement of Rights = f(Data + Users)]
[Figure: keys, classification, policies, users, and digital assets, linked by encryption and decryption]
Globally unique IDs: keys, digital assets, policies, and users
Verifiable, federated, and blinded global orchestration service
Distributed and hybrid key generation/storage: cloud HSMs, on-prem HSMs, or no HSMs
Portable, flexible, and verifiable data protection and IAM protocol
Rights = f (Data + Users)
CERTIFICATIONS
• ISO/IEC 27001
• ISO/IEC 27018
• SOC 2 Type 2
• FIPS 140-2 certified modules
• EAR, Category 5, Part 2
CUSTOMER STATS
• Over 2,000,000 seats in Global 100 companies across the US and Europe
• Goldman Sachs and US DoD
• Eight different industry verticals
• Billions of production API calls
IAM for Infrastructure and Apps
Protection and IAM for Data
First and last mile high-assurance data security
www.ionic.com
Thank you!