Identity and Federation

Cards (46)

  • In IAM, explicit DENY has precedence over ALLOW.
  • IAM Policies Conditions
    "Condition" : { "{condition-operator}" : { "{condition-key}" : "{condition-value}" }}
  • IAM Policies Variables and Tags
    Example: ${aws:username}
    • "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
    AWS Specific:
    • aws:CurrentTime, aws:TokenIssueTime, aws:PrincipalType, aws:SecureTransport, aws:SourceIp, aws:userid, ec2:SourceInstanceARN
    Service Specific:
    • s3:prefix, s3:max-keys, s3:x-amz-acl, sns:Endpoint, sns:Protocol…
    Tag Based:
    • iam:ResourceTag/key-name, aws:PrincipalTag/key-name
  • IAM Roles vs Resource Based Policies
    • When you assume a role (as a user, application or service), you give up your original permissions and take on the permissions attached to the role
    • When using a resource-based policy, the principal doesn't have to give up any permissions
    • Example: a user in account A needs to scan a DynamoDB table in account A and dump it into an S3 bucket in account B. Assuming a role in account B would drop the user's DynamoDB permissions in account A, so instead attach a bucket policy in account B that grants the account A user access
  • IAM Permission Boundaries
    • IAM Permission Boundaries are supported for users and roles (not groups)
    • Advanced feature to use a managed policy to set the maximum permissions an IAM entity can get.
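Worked example added to these cards (not part of the original deck): a small Python model of how IAM evaluates a request. It implements the rules above: explicit Deny wins over Allow, ${aws:username} substitution in a Resource ARN, StringEquals/Bool conditions, and a permission boundary (or SCP) acting as a ceiling that must also allow the action. The policies, user name, bucket and request context are constructed for the example; only this subset of IAM is modelled.

```python
"""Local model of IAM request evaluation. Added example, not from the cards.

Models only: explicit Deny beats Allow, ${aws:username} policy variables,
StringEquals / Bool conditions, and a permission boundary or SCP as a ceiling.
"""
from fnmatch import fnmatchcase

ALLOW, DENY, IMPLICIT_DENY = "Allow", "Deny", "ImplicitDeny"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(pattern, ctx):
    # Expand ${aws:username}-style variables from the request context.
    for key, val in ctx.items():
        pattern = pattern.replace("${" + key + "}", str(val))
    return pattern


def _condition_ok(cond, ctx):
    # Every operator/key pair must hold (AND); listed values for one key are OR.
    for operator, pairs in cond.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False                     # key absent from the request
            wanted = [str(w) for w in _as_list(wanted)]
            if operator == "StringEquals" and str(actual) not in wanted:
                return False
            if operator == "Bool" and str(actual).lower() not in [w.lower() for w in wanted]:
                return False
            if operator not in ("StringEquals", "Bool"):
                raise ValueError(f"operator not modelled: {operator}")
    return True


def _statement_matches(stmt, action, resource, ctx):
    actions = _as_list(stmt.get("Action", []))
    resources = [_substitute(r, ctx) for r in _as_list(stmt.get("Resource", "*"))]
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources)
            and _condition_ok(stmt.get("Condition", {}), ctx))


def evaluate(policies, action, resource, ctx):
    """Decision for one policy layer: Deny > Allow > implicit deny."""
    decision = IMPLICIT_DENY
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == DENY:
                return DENY                      # explicit deny ends evaluation
            decision = ALLOW
    return decision


def effective(identity_policies, action, resource, ctx, boundary=None, scps=()):
    """Identity policies, the boundary and each SCP (one per OU level) must all allow."""
    layers = [identity_policies] + ([[boundary]] if boundary else []) + [[s] for s in scps]
    results = [evaluate(layer, action, resource, ctx) for layer in layers]
    if DENY in results:
        return DENY
    return ALLOW if all(r == ALLOW for r in results) else IMPLICIT_DENY


# Constructed sample policies: a user may touch only their own prefix, never over plain HTTP.
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::mybucket/${aws:username}/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"}]}
SCP_NO_PUT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*"}]}


def demo():
    ctx = {"aws:username": "alice", "aws:SecureTransport": "true"}
    own, other = "arn:aws:s3:::mybucket/alice/r.csv", "arn:aws:s3:::mybucket/bob/r.csv"
    return {
        "own_object": effective([USER_POLICY], "s3:GetObject", own, ctx, BOUNDARY),
        "other_user": effective([USER_POLICY], "s3:GetObject", other, ctx, BOUNDARY),
        "plain_http": effective([USER_POLICY], "s3:GetObject", own,
                                {**ctx, "aws:SecureTransport": "false"}, BOUNDARY),
        "outside_boundary": effective([USER_POLICY], "s3:DeleteObject", own, ctx, BOUNDARY),
        "scp_blocks_put": effective([USER_POLICY], "s3:PutObject", own, ctx, BOUNDARY, [SCP_NO_PUT]),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} {decision}")
```

Running demo() gives Allow for alice's own object, ImplicitDeny for bob's prefix and for s3:DeleteObject (outside the boundary even though the identity policy allows s3:*), and Deny for the plain-HTTP request and for the PutObject blocked by the SCP: the boundary and SCP never grant anything, they only cap what the identity policy grants.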
  • IAM Access Analyzer
    • Find out which resources are shared with principals outside your account
    • Define a Zone of Trust = an AWS Account or an AWS Organization
    • Access granted from outside the Zone of Trust => findings
  • IAM Access Analyzer Policy Validation
    • Validates your policy against IAM policy grammar and best practices
    • General warnings, security warnings, errors, suggestions
    • Provides actionable recommendations
  • IAM Access Analyzer Policy Generation
    • Generates an IAM policy based on access activity
    • CloudTrail logs are reviewed to generate a policy with fine-grained permissions (only the Services and Actions actually used)
    • Reviews CloudTrail logs for up to 90 days
  • Using STS to Assume a Role
    • Define an IAM Role within your account or cross-account
    • Define which principals can access this IAM Role (the role's trust policy)
    • Use AWS STS (Security Token Service) to retrieve temporary credentials for the IAM Role you have access to (AssumeRole API)
    • Temporary credentials can be valid from 15 minutes to 12 hours, capped by the role's maximum session duration (role chaining, i.e. assuming a role with temporary role credentials, is limited to 1 hour)
  • Assuming a Role with STS
    • Provide access for an IAM user in one AWS account that you own to resources in another account that you own
    • Provide access to IAM users in AWS accounts owned by third parties
    • Provide access for services offered by AWS to your AWS resources
    • Provide access for externally authenticated users (identity federation)
    • Ability to revoke active sessions and credentials for a role
    (by adding an inline policy that denies everything to sessions issued before a timestamp, using the aws:TokenIssueTime condition; the console names it AWSRevokeOlderSessions)
  • Providing Access to AWS Accounts Owned by Third Parties
    Zone of trust = accounts and organizations that you own
    Outside Zone of Trust = 3rd parties
    • Use IAM Access Analyzer to find out which resources are exposed
    • For granting access to a 3rd party you need:
    • The 3rd party's AWS account ID
    • An External ID (a secret shared between you and the 3rd party)
    • Uniquely associates the role with that 3rd party (protects against the confused deputy problem)
    • Must be provided when defining the trust policy (sts:ExternalId condition) and when assuming the role
    • Must be chosen by the 3rd party
    • Define permissions in the IAM policy attached to the role
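Worked example added to the two cards above (not part of the original deck): the trust policy for a role a third party will assume with an External ID, a local check of the trust decision STS makes, the AWSRevokeOlderSessions-style deny statement keyed on aws:TokenIssueTime, and the boto3 AssumeRole arguments the third party would use. Account IDs, the role name, the external ID and the session tag are hypothetical.

```python
"""Third-party role trust with an External ID, plus session revocation.
Added example, not from the cards; account IDs, role name and external ID are made up.
"""
from datetime import datetime, timezone

OUR_ACCOUNT = "111111111111"            # hypothetical: the account that owns the role
VENDOR_ACCOUNT = "222222222222"         # hypothetical: the third party
EXTERNAL_ID = "vendor-7f3c9a2e"         # hypothetical; the third party chooses it


def trust_policy(third_party_account, external_id):
    """Trust policy for the role the third party will assume. sts:TagSession is
    included so the caller may also pass session tags."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{third_party_account}:root"},
        "Action": ["sts:AssumeRole", "sts:TagSession"],
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def assume_role_allowed(policy, caller_account, external_id=None):
    """Local model of the trust-policy check STS performs on AssumeRole."""
    for stmt in policy["Statement"]:
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue                              # not the trusted account
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if wanted is not None and external_id != wanted:
            continue                              # missing/wrong External ID: confused-deputy attempt blocked
        return stmt["Effect"] == "Allow"
    return False


def revoke_older_sessions(cutoff):
    """Inline deny statement (the console names the policy AWSRevokeOlderSessions):
    any session whose credentials were issued before `cutoff` loses all access."""
    stamp = cutoff.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
    return {"Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}}}


def session_revoked(statement, token_issue_time):
    """True if the statement's DateLessThan condition matches this session."""
    stamp = statement["Condition"]["DateLessThan"]["aws:TokenIssueTime"]
    cutoff = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return token_issue_time < cutoff


def assume_role_kwargs(role_name, external_id, session_name="vendor-scan", duration=3600):
    """Arguments for boto3's sts.assume_role() on the third party's side."""
    return {
        "RoleArn": f"arn:aws:iam::{OUR_ACCOUNT}:role/{role_name}",
        "RoleSessionName": session_name,
        "ExternalId": external_id,
        "DurationSeconds": duration,           # 900-43200, capped by the role's max session duration
        "Tags": [{"Key": "Vendor", "Value": "scanner"}],   # session tag, seen as aws:PrincipalTag/Vendor
    }


def demo():
    policy = trust_policy(VENDOR_ACCOUNT, EXTERNAL_ID)
    cutoff = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    revoke = revoke_older_sessions(cutoff)
    return {
        "vendor_with_id": assume_role_allowed(policy, VENDOR_ACCOUNT, EXTERNAL_ID),
        "vendor_without_id": assume_role_allowed(policy, VENDOR_ACCOUNT),
        "vendor_wrong_id": assume_role_allowed(policy, VENDOR_ACCOUNT, "guess"),
        "other_account": assume_role_allowed(policy, "333333333333", EXTERNAL_ID),
        "old_session_revoked": session_revoked(revoke, datetime(2024, 6, 1, 11, 59, tzinfo=timezone.utc)),
        "new_session_kept": not session_revoked(revoke, datetime(2024, 6, 1, 12, 1, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    print(demo())
```

On the third party's side the call is boto3.client("sts").assume_role(**assume_role_kwargs("VendorScanRole", EXTERNAL_ID)); without the ExternalId argument STS refuses the request, which is exactly what stops another customer of the same vendor from pointing the vendor at your role.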
  • Session Tags in STS
    • Tags that you pass when you assume an IAM Role or federate a user in STS
    • aws:PrincipalTag Condition
    • Compares the tags attached to the principal making the request with the tag you specified in the policy
    • Example: allow a principal to pass session tags only if the principal making the request has the specified tags
  • STS Important APIs
    • AssumeRole: access a role within your account or cross-account
    • AssumeRoleWithSAML: return credentials for users logged in with SAML
    • AssumeRoleWithWebIdentity: return credentials for users logged in with a web identity provider
    • Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider
    • AWS recommends using Cognito instead of calling this API directly
    • GetSessionToken: for MFA, from an IAM user or the AWS account root user
  • Identity Federation in AWS
    • Give users outside of AWS permissions to access AWS resources in your account
    • You don’t need to create IAM Users (user management is outside AWS)
    • Use cases:
    • A corporate has its own identity system (e.g., Active Directory)
    • Web/Mobile application that needs access to AWS resources
    • Identity Federation can have many flavors:
    • SAML 2.0
    • Custom Identity Broker
    • Web Identity Federation With(out) Amazon Cognito
    • Single Sign-On (SSO)
  • Custom Identity Broker Application
    • Use only if Identity Provider is NOT compatible with SAML 2.0
    • The Identity Broker Authenticates users & requests temporary credentials from AWS
    • The Identity Broker must determine the appropriate IAM Role
    • Uses the STS API AssumeRole or GetFederationToken
  • Web Identity Federation – With Cognito
    • Preferred way to do Web Identity Federation
    • Create IAM Roles using Cognito with the least privilege needed
    • Build trust between the OIDC IdP and AWS
    • Cognito benefits:
    • Supports anonymous users
    • Supports MFA
    • Data Synchronization
    • Cognito replaces a Token Vending Machine (TVM)
  • After being authenticated with Web Identity Federation, you can identify the user with an IAM policy variable (e.g., ${cognito-identity.amazonaws.com:sub})
  • What is Microsoft Active Directory (AD)?
    • Found on any Windows Server with the AD Domain Services role
    • Database of objects: User Accounts, Computers, Printers, File Shares, Security Groups
    • Centralized security management, create account, assign permissions
    • Objects are organized in trees
    • A group of trees is a forest
  • ADFS provides Single Sign-On across applications
  • AWS Directory Services
    • AWS Managed Microsoft AD
    • Create your own AD in AWS, manage users locally, supports MFA
    • Establish "trust" connections with your on-premises AD
    • AD Connector
    • Directory Gateway (proxy) to redirect to on-premises AD, supports MFA
    • Users are managed on the on-premises AD
    • Simple AD
    • AD-compatible managed directory on AWS
    • Cannot be joined with on-premises AD
  • AWS Managed Microsoft AD
    • Managed Service: Microsoft AD in your AWS VPC
    • EC2 Windows Instances:
    • EC2 Windows instances can join the domain and run traditional AD applications (sharepoint, etc)
    • Seamlessly Domain Join Amazon EC2 Instances from Multiple Accounts & VPCs
    • Integrations:
    RDS for SQL Server, AWS Workspaces, Quicksight…
    • AWS SSO to provide access to 3rd party applications
  • Connect AWS Managed Microsoft AD to on-premises AD:
    • Ability to connect your on-premises Active Directory to AWS Managed Microsoft AD
    • Must establish a Direct Connect (DX) or VPN connection
    • Can set up three kinds of forest trust:
    • One-way trust: AWS => on-premises
    • One-way trust: on-premises => AWS
    • Two-way forest trust: AWS <=> on-premises
    • Forest trust is different from synchronization (users are not copied between directories)
  • AD Connector is a directory gateway to redirect directory requests to your on-premises Microsoft Active Directory
    • No caching capability
    • Manage users solely on-premises, no possibility of setting up a trust
    • Requires VPN or Direct Connect
    • Doesn't work with RDS SQL Server, doesn't do seamless domain joining, can't share the directory
  • Simple AD
    Simple AD is an inexpensive Active Directory-compatible service with
    the common directory features.
    • Supports joining EC2 instances, managing users and groups
    • Does not support MFA, RDS SQL Server, AWS SSO
    • Small: up to 500 users, large: up to 5,000 users
    • Powered by Samba 4, compatible with Microsoft AD
    • Lower cost, low scale, basic AD compatibility, or LDAP compatibility
    • No trust relationship
  • AWS Organizations – OrganizationAccountAccessRole
    • When a member account is created through the Organizations API, an IAM role named OrganizationAccountAccessRole is automatically created within the member account
    • The management account assumes that administrative role when it needs to perform administrative tasks in the member account
  • If you invite an existing account into an Organization, then you must manually create the OrganizationAccountAccessRole in that account (it is not created automatically)
  • AWS Organization - Feature Modes
    • Consolidated billing features:
    • Consolidated Billing across all accounts - single payment method
    • Pricing benefits from aggregated usage (volume discount for EC2, S3…)
    • All Features (Default):
    • Includes consolidated billing features, SCP
    • Invited accounts must approve enabling all features
    • Ability to apply an SCP to prevent member accounts from leaving the org
    • Can’t switch back to Consolidated Billing Features only
    • AWS Organizations’ consolidated billing feature treats all accounts in the organization as one account for billing purposes.
    • This means that all accounts in the organization can receive the hourly cost benefit of Reserved Instances that are purchased by any other account.
    • The payer account of an organization can turn off Reserved Instance and Savings Plans discount sharing for any accounts in that organization, including the payer account.
    • RIs and Savings Plans discounts aren’t shared between any accounts that have sharing turned off.
    • To share an RI or Savings Plans discount with an account, both accounts must have sharing turned on
  • AWS Organizations – Moving Accounts
    1. Remove the member account from the AWS Organization
    2. Send an invite to the member account from the AWS Organization
    3. Accept the invite to the new Organization from the member account
  • Service Control Policies (SCP)
    • Define an allowlist or blocklist of IAM actions
    • Applied at the Root, OU or Account level
    • Does not apply to the Management Account
    • SCP is applied to all the Users and Roles in the member account, including the root user
    • The SCP does not affect Service-linked roles
    • Service-linked roles enable other AWS services to integrate with Organizations and can't be restricted by SCPs
    • SCPs grant no permissions by themselves: an action must be allowed by the SCP (an explicit Allow, e.g. the default FullAWSAccess policy) and by the principal's own IAM policy, and an explicit Deny in either one wins
  • You can restrict specific Tags on AWS resources
    • Using the aws:TagKeys Condition Key
    • Compares the tag keys in the request against the list of tag keys in the IAM Policy
    • Example: allow IAM users to create EBS Volumes only with the "Env" and "CostCenter" tag keys
    • Use either ForAllValues (every key in the request must be in the list; also matches when the request carries no tags at all) or ForAnyValue (at least one key in the request must be in the list). To require that a specific key is present, add a Null condition on aws:RequestTag/key-name set to false
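Worked example added to the card above (not part of the original deck): the two set operators evaluated locally over constructed tag sets, showing that ForAllValues on its own lets an untagged or partially tagged request through, and how a per-key presence check (the Null condition on aws:RequestTag/key) closes that gap. The required keys and sample tag sets are constructed for the example.

```python
"""aws:TagKeys set operators evaluated locally. Added example, not from the cards."""

REQUIRED = ("Env", "CostCenter")       # constructed: the keys the policy lists


def for_all_values(request_keys, policy_keys):
    """ForAllValues:StringEquals -- every key in the request must be in the policy
    list. IAM also returns true when the request carries no tag keys at all."""
    return set(request_keys) <= set(policy_keys)


def for_any_value(request_keys, policy_keys):
    """ForAnyValue:StringEquals -- at least one request key must be in the list."""
    return bool(set(request_keys) & set(policy_keys))


def keys_present(request_keys, required_keys):
    """Equivalent of "Null": {"aws:RequestTag/<key>": "false"} for each required key."""
    return set(required_keys) <= set(request_keys)


def create_volume_allowed(request_tags, required=REQUIRED):
    """Allow ec2:CreateVolume only when every required key is present and no other
    tag key is attached: ForAllValues bounds the key set, Null checks require each key."""
    keys = list(request_tags)
    return for_all_values(keys, required) and keys_present(keys, required)


def demo():
    # Constructed requests: full set, one key, no tags, an extra key.
    cases = {
        "both": {"Env": "prod", "CostCenter": "42"},
        "one": {"Env": "prod"},
        "none": {},
        "extra": {"Env": "prod", "CostCenter": "42", "Owner": "alice"},
    }
    return {name: (for_all_values(tags, REQUIRED),
                   for_any_value(tags, REQUIRED),
                   create_volume_allowed(tags))
            for name, tags in cases.items()}


if __name__ == "__main__":
    print("request   ForAllValues  ForAnyValue  allowed")
    for name, (all_v, any_v, ok) in demo().items():
        print(f"{name:9} {all_v!s:13} {any_v!s:12} {ok}")
```

The "one" and "none" rows are the trap: ForAllValues returns true for a request tagged only with Env, and even for an untagged request, so a policy that relies on it alone does not enforce the CostCenter tag; only the combined check in create_volume_allowed rejects those requests.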
  • AWS Organizations –Tag Policies
    • Helps you standardize tags across resources in an
    AWS Organization
    • Ensure consistent tags, audit tagged resources,
    maintain proper resources categorization, …
    • You define Tag keys and their allowed values
  • AWS Organizations – AI Services Opt-out Policies
    • Certain AWS AI services may use your data for continuous improvement of Amazon AI/ML services
    • Example: Amazon Lex, Amazon Comprehend,
    Amazon Polly, …
    • You can opt-out of having your content stored or used by AWS AI services
  • AWS Organizations - Backup Policies
    AWS Backup enables you to create Backup Plans that define how to back up your AWS resources
    Backup Policies are JSON documents that define Backup Plans across an AWS Organization
    • Gives you granular control over backing up your resources (e.g., backup frequency, time window, backup region, …)
    • Can be attached to the Organization Root, a specific OU, or an individual Member account
  • AWS IAM Identity Center (successor to AWS Single Sign-On)
    • One login (single sign-on) for all your:
    • AWS accounts in AWS Organizations
    • Business cloud applications (e.g., Salesforce, Box, Microsoft 365, …)
    • SAML2.0-enabled applications
    • EC2 Windows Instances
    • Identity providers:
    • Built-in identity store in IAM Identity Center
    • 3rd party: Active Directory (AD), OneLogin, Okta
  • AWS IAM Identity Center – Fine-grained Permissions and Assignments
    • Multi-Account Permissions
    • Application Assignments
    • Attribute-Based Access Control (ABAC)
  • AWS Control Tower
    • Easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices
    • Benefits:
    • Automate the set up of your environment in a few clicks
    • Automate ongoing policy management using guardrails
    • Detect policy violations and remediate them
    • Monitor compliance through an interactive dashboard
    AWS Control Tower runs on top of AWS Organizations:
    • It automatically sets up AWS Organizations to organize accounts and implement
    SCPs (Service Control Policies)
  • AWS Control Tower – Account Factory
    • Automates account provisioning and deployments
    • Enables you to create pre-approved baselines and configuration options for AWS accounts in your organization (e.g., VPC default configuration, subnets, region, …)
    • Uses AWS Service Catalog to provision new AWS accounts
  • Control Tower Guardrails (now called Controls)
    • Provide ongoing governance for your Control Tower environment (AWS Accounts)
    • Preventive – using SCPs (e.g., Disallow Creation of Access Keys for the Root User)
    • Detective – using AWS Config (e.g., Detect Whether MFA for the Root User is Enabled)
    • Example: identify non-compliant resources (e.g., untagged resources)