© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Michael Cotton, Senior Solutions Architect
Todd Gagorik, Senior Manager
June 20, 2016
AWS Directory Service and Hybrid Strategy
What you will take away from this session
• Understand your federation options
• Get it right at scale
• Plan your approach
• Tooling to get started
(C) Copyright David Precious and licensed for reuse under the Creative Commons Attribution 2.0 Generic
(C) Copyright GeographBot Wallace and licensed for reuse under the Creative Commons Attribution-ShareAlike 2.0 License
(C) Copyright BigMac and licensed for reuse under the Creative Commons Attribution 3.0 License
License: Creative Commons Public Domain Universal 1.0
Session prerequisites
• To get the most out of this session, you should be comfortable with several building blocks:
AWS Identity & Access Management (IAM)
• Roles
• Policies
• AWS STS
• Long-lived credentials
• Temporary credentials
IAM federation: A progression of options
• Cross-account trust
• AWS Directory Service
• Security Assertion Markup Language (SAML)
• Custom identity broker
(Diagram axes: Involvement vs. Control)
Session focus
Active Directory options—Simple AD
• Microsoft Active Directory–compatible directory powered by Samba 4 that supports common AD features
• User accounts, group memberships, domain-joining Amazon EC2 instances running Linux and Microsoft Windows, Kerberos-based single sign-on (SSO), and group policies
• User accounts can also access AWS applications: Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail
• Can also use IAM roles to access the AWS Management Console and manage AWS resources
• Also provides daily automated snapshots to enable point-in-time recovery
• Note: does not support trust relationships between Simple AD and other Active Directory domains. You cannot perform schema extensions, multi-factor authentication, communication over LDAPS, PowerShell AD cmdlets, or the transfer of FSMO roles.
• When to use: Simple AD is the least expensive option and your best choice if you have 5,000 or fewer users and don’t need the more advanced Microsoft Active Directory features.
Active Directory options—Microsoft AD
• AWS Directory Service for Microsoft Active Directory (Enterprise Edition)
• A managed Microsoft Active Directory
• Provides much of the functionality offered by Microsoft Active Directory plus integration with AWS applications
• Easily set up trust relationships with your existing Active Directory domains
• Note: you cannot perform schema extensions, multi-factor authentication, PowerShell AD cmdlets, or the transfer of FSMO roles.
• When to use: Microsoft AD is your best choice if you have more than 5,000 users and need a trust relationship set up between an AWS-hosted directory and your on-premises directories.
Active Directory Options—AD Connector
• Proxy service for connecting your on-premises Microsoft AD to AWS
• Forwards sign-in requests to your AD domain controllers for AuthN
• Provides the ability for applications to query your AD directory for data
• Your users can use their existing corporate credentials to log on to AWS applications: WorkSpaces, WorkDocs, or WorkMail, and the AWS Management Console
• You can also use AD Connector to enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure
• Continue to manage your Active Directory as usual and enforce your existing security policies
• When to use: AD Connector is your best choice when you want to use your existing on-premises directory with AWS services.
Federation with Security Assertion Markup Language (SAML)
Why should I use federation?
Before → After → Result
• Users: unique credentials → single sign-on
• Security: long-lived keys → short-term tokens
• Compliance: one-off → naturally aligned
Quick SAML primer
Identity provider ↔ Service provider
• Metadata (exchanged in advance)
• Assertion (sent during the login flow)
Basic AWS federation with SAML
• Known science, assuming:
  • Few AWS accounts
  • AWS Management Console access
  • AWS CLI access
• Well-documented:
  • Whitepapers
  • Blogs
  • Documentation
(C) Copyright Diliff and licensed for reuse under the Creative Commons Attribution 3.0 License
AWS federation with SAML
• Many AWS accounts?
• Lots of IAM roles?
• Multiple access vectors?
• Resource-level permissions?
• AWS CloudTrail impacts?
• Lots of users?
Dive deep = Get it right
<SAML>
AWS federation with SAML—planning
Choose your SAML provider
• Active Directory Federation Services (ADFS)
• OKTA
• PingFederate
• Shibboleth
• Optimal IDM
• Etc.
Understand the point of AuthN and AuthZ
Plan role naming standards (AssumeRoleWithSAML)
Do you have multiple AWS accounts?
For this demo we are using:
• ADFS
• Active Directory
Federation with AWS—high-level steps
• Configure your network as a SAML provider for AWS
• Create a SAML provider in IAM
• Configure roles in AWS for your federated users
• Create groups in your AD whose names match the IAM roles
• Configure your SAML IdP and create assertions for the SAML authentication response
• Posted to: https://signin.aws.amazon.com/saml
<SAML_AuthN_response>
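The SAML authentication response in the last step is what AssumeRoleWithSAML consumes. As an added example (not code from the session resources or from AWS), this Python script decodes a constructed, unsigned SAML response, reads the Role attribute (pairs of role and SAML-provider ARNs, which AWS accepts in either order), discards malformed pairs, and builds the parameters a CLI federation tool would pass to sts.assume_role_with_saml. The account ids, role names, the provider name ADFS and the user jdoe@example.com are placeholders.

```python
"""Pick a role out of a SAML response the way a CLI federation helper does.

Added example for this session, not AWS code or the session's own samples.
The SAML response is CONSTRUCTED: unsigned, minimal, with placeholder
account ids, role names and provider name.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_SAML_ENDPOINT = "https://signin.aws.amazon.com/saml"

# Capture group 1 is the 12-digit account id. Commas are excluded from the
# names because a comma separates the two ARNs inside one attribute value.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

# Constructed sample: three Role values (one well-formed, one with the ARNs
# in provider-first order, one whose role and provider are in different
# accounts) plus a RoleSessionName.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{AWS_SAML_ENDPOINT}">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/ADFS-ReadOnly,arn:aws:iam::111111111111:saml-provider/ADFS</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/ADFS,arn:aws:iam::222222222222:role/ADFS-Admin</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::333333333333:role/Mismatched,arn:aws:iam::111111111111:saml-provider/ADFS</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{SESSION_ATTR}">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def _split_role_pair(value):
    """Return (role_arn, provider_arn) or None if the value is malformed."""
    parts = value.split(",")
    if len(parts) != 2:
        return None
    # AWS accepts the two ARNs in either order, so match by type, not position.
    role = next((p for p in parts if ROLE_ARN.match(p)), None)
    provider = next((p for p in parts if PROVIDER_ARN.match(p)), None)
    if role is None or provider is None:
        return None
    if ROLE_ARN.match(role).group(1) != PROVIDER_ARN.match(provider).group(1):
        return None  # role and SAML provider must be in the same account
    return role, provider


def parse_saml_response(b64_response):
    """Return (session_name, accepted (role, provider) pairs, rejected raw values).

    This only reads the assertion to offer a role choice; the signature,
    audience and validity-window checks happen inside STS when the assertion
    is presented, so nothing here is a trust decision.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.get("Destination") != AWS_SAML_ENDPOINT:
        raise ValueError("response is not addressed to the AWS SAML endpoint")
    session_name, pairs, rejected = None, [], []
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        if attr.get("Name") == SESSION_ATTR and values:
            session_name = values[0]
        elif attr.get("Name") == ROLE_ATTR:
            for value in values:
                pair = _split_role_pair(value)
                if pair is None:
                    rejected.append(value)
                else:
                    pairs.append(pair)
    return session_name, pairs, rejected


def assume_role_params(b64_response, role_arn, duration_seconds=3600):
    """Keyword arguments for boto3's sts.assume_role_with_saml() for one role."""
    _, pairs, _ = parse_saml_response(b64_response)
    for role, provider in pairs:
        if role == role_arn:
            return {"RoleArn": role, "PrincipalArn": provider,
                    "SAMLAssertion": b64_response, "DurationSeconds": duration_seconds}
    raise LookupError(f"{role_arn} is not offered by this assertion")


if __name__ == "__main__":
    name, offered, bad = parse_saml_response(SAMPLE_RESPONSE_B64)
    print("session name:", name)
    for i, (role, _) in enumerate(offered):
        print(f"[{i}] {role}")
    print("rejected:", bad)
```

Rejecting a pair whose role and provider sit in different accounts up front only spares the user a confusing STS error later; the real enforcement is the role's trust policy and the signature check STS performs against the metadata registered on the IAM SAML provider.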
A walkthrough of the configuration
Flow for SAML-enabled single sign-on
Demo
• AWS console federation w/SAML
  • User name and password
  • Certificate
• AWS CLI federation w/SAML
  • User name and password
• What does a SAML token look like?
• AWS Management Console federation with AD
  • User name and password
Smooth user experience
• Federation shouldn’t limit access vectors
• Don’t create a “low-to-high” exposure in the back end
AWS federation with SAML
Key takeaways
AWS SDKs
AWS CLI
Under the hood
• Naming conventions are critical
• Configurations should rely on patterns, not values
• Think about traceability now
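The three takeaways above, as an added example that is not code from the session (Python, standard library only): a group-name convention AWS-<account-id>-<role-name> (an assumption for this example; the session only says AD group names should match IAM roles) is turned into SAML Role attribute values by one regex instead of a per-group lookup table, the SAML trust policy every federated role needs is produced from one template rather than edited role by role, and the assumed-role ARN that CloudTrail will record is predicted from the role and the RoleSessionName so the audit trail is designed before go-live. The CloudTrail record, account ids, role names and the provider name ADFS are constructed placeholders.

```python
"""Pattern-driven role mapping and traceability for SAML federation.

Added example for this session, not code from the session resources.
ASSUMED convention: an AD group named AWS-<account-id>-<role-name> grants
IAM role <role-name> in account <account-id>. The sample event below is
CONSTRUCTED in the shape of a CloudTrail record, with placeholder values.
"""
import json
import re

GROUP_PATTERN = re.compile(r"^AWS-(?P<account>\d{12})-(?P<role>[\w+=.@-]+)$")
PROVIDER_NAME = "ADFS"  # assumed: the IAM SAML provider has this name in every account
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def role_attribute_values(group_names):
    """Translate matching AD group names into SAML Role attribute values.

    Groups that do not match the convention are simply ignored, so adding an
    account or a role means creating a group, not editing IdP configuration.
    """
    values = []
    for name in group_names:
        m = GROUP_PATTERN.match(name)
        if m is None:
            continue
        acct, role = m["account"], m["role"]
        values.append(f"arn:aws:iam::{acct}:role/{role},"
                      f"arn:aws:iam::{acct}:saml-provider/{PROVIDER_NAME}")
    return values


def saml_trust_policy(account_id, provider_name=PROVIDER_NAME):
    """Trust policy every federated role gets; only account id and provider
    name vary, so it is stamped out from a template rather than hand-edited.
    The SAML:aud condition binds the assertion to the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def assumed_role_arn(role_arn, session_name):
    """ARN STS issues for the federated session. CloudTrail records it as
    userIdentity.arn on every call made with the temporary credentials, so
    the RoleSessionName (here the user's NameID) is what ties calls to a person."""
    acct, role = re.match(r"^arn:aws:iam::(\d{12}):role/(.+)$", role_arn).groups()
    return f"arn:aws:sts::{acct}:assumed-role/{role}/{session_name}"


# Constructed sample in the shape of a CloudTrail record for a call made
# with federated credentials (only the fields used below are included).
SAMPLE_EVENT = json.loads("""{
  "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances",
  "userIdentity": {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::111111111111:assumed-role/ADFS-ReadOnly/jdoe@example.com",
    "sessionContext": {"sessionIssuer": {"type": "Role",
      "arn": "arn:aws:iam::111111111111:role/ADFS-ReadOnly"}}
  }
}""")


def who_did_it(event):
    """Recover account, role and person from a CloudTrail record, or None
    if the caller was not a federated (assumed-role) session."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    m = re.match(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$", ident["arn"])
    if m is None:
        return None
    acct, role, session = m.groups()
    return {"account": acct, "role": role, "user": session}


if __name__ == "__main__":
    groups = ["Domain Users", "AWS-111111111111-ADFS-ReadOnly", "AWS-222222222222-ADFS-Admin"]
    for v in role_attribute_values(groups):
        print("Role attribute:", v)
    print(json.dumps(saml_trust_policy("111111111111"), indent=2))
    print("CloudTrail will show:", assumed_role_arn("arn:aws:iam::111111111111:role/ADFS-ReadOnly", "jdoe@example.com"))
    print("Actor in sample event:", who_did_it(SAMPLE_EVENT))
```

If the IdP emits something opaque as RoleSessionName (an employee number, say) the ARN in CloudTrail is still unique but needs a second lookup to name the person; settling that value while the convention is designed is cheaper than retrofitting it after the first incident.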
AWS federation with SAML: who/what/when
Key takeaways
IdP configurations
AWS CloudTrail samples
Your own journey: Rationalizing the decision-making process
Rationalizing the decision-making process
• Existing federation investments?
• Federation needs beyond AWS?
• Desired level of control vs. involvement?
• Competency and bandwidth for application development?
(C) Copyright Marco Bellucci and licensed for reuse under the Creative Commons Attribution 2.0 Generic
Remember the principles of cloud architecture
• Don’t overanalyze—experiment and iterate
• Federation options are not mutually exclusive
  • Several can exist in parallel
  • Federation options use the same entities
• Evolve your federation approach as your needs evolve
  • Right for tomorrow is not always right for today
Your own journey: Taking the first steps
Additional information
• Session resources (code and samples)
• AWS documentation
  • Manage Federation
  • Integrating Third-Party SAML Solution Providers with AWS
  • Request Information That You Can Use for Policy Variables
  • Custom Federation Broker
• AWS blogs
  • Whitepaper—Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth
  • How to Implement a General Solution for Federated API/CLI Access Using SAML 2.0
  • How to Implement ADFS with Multiple AWS Accounts
Thank you!