This blog is where I organize the new technologies and information I come across while working in the field as a developer. I have been lucky enough to work as a consultant on projects for large companies in the United States, so I get many chances to encounter new technologies. I would like to share information about the tools used on IT projects in the US with as many people as possible.
솔웅


AWS IAM


AWS Identity and Access Management (IAM) underlies every other AWS service: it provides the authentication and authorization infrastructure used to control access to them.





What Is IAM?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).


AWS Identity and Access Management (IAM)







Identity Federation : Facebook, Active Directory, Google account etc.

PCI DSS compliance (Payment Card Industry Data Security Standard)

Multi-Factor Authentication - ID + password plus a code from an MFA device (e.g. Google Authenticator)

Password Policy


IAM Policies

: A document that defines one or more permissions

: Can be attached to users, groups and roles

: Written in JavaScript Object Notation (JSON)

: Select from the pre-defined AWS managed policies or create your own policy






Concepts to know




Amazon S3

From Wikipedia, the free encyclopedia


Amazon S3 (Simple Storage Service) is a web service offered by Amazon Web Services. Amazon S3 provides storage through web services interfaces (REST, SOAP, and BitTorrent).[1] Amazon launched S3, its fifth publicly available web service, in the United States in March 2006[2] and in Europe in November 2007.[3]

Amazon says that S3 uses the same scalable storage infrastructure that Amazon.com uses to run its own global e-commerce network.[4]

Amazon S3 is reported to store more than 2 trillion objects as of April 2013.[5] This is up from 10 billion as of October 2007,[6] 14 billion in January 2008, 29 billion in October 2008,[7] 52 billion in March 2009,[8] 64 billion objects in August 2009,[9] and 102 billion objects in March 2010.[10] S3 uses include web hosting, image hosting, and storage for backup systems. S3 guarantees 99.9% monthly uptime service-level agreement (SLA),[11] that is, not more than 43 minutes of downtime per month.[12]



SAML

From Wikipedia, the free encyclopedia.

SAML (Security Assertion Markup Language, pronounced "sam-el"[1]) is an XML-based open standard data format for exchanging authentication and authorization data between an identity provider and a service provider. In Korean it is also called 보안 어서션 마크업 언어[2] or 보안 추가 마크업 언어[3]. SAML is a product of the OASIS Security Services Technical Committee. SAML dates back to 2001; the most recent major update to SAML was published in 2005, but protocol enhancements have steadily been added through optional, additional standards.

The most important requirement that SAML addresses is web browser single sign-on (SSO). Single sign-on is common at the intranet level (for example using cookies), but extending it beyond the intranet has been problematic and has led to a proliferation of non-interoperable proprietary technologies. (Another recent approach to the browser SSO problem is the OpenID Connect protocol.)[4]







About SAML 2.0-based Federation

AWS supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0), an open standard that many identity providers (IdPs) use. This feature enables federated single sign-on (SSO), so users can log into the AWS Management Console or call the AWS APIs without you having to create an IAM user for everyone in your organization. By using SAML, you can simplify the process of configuring federation with AWS, because you can use the IdP's service instead of writing custom identity proxy code.





Identity Broker

Federating users by creating a custom identity broker application


If your identity store is not compatible with SAML 2.0, then you can build a custom identity broker application to perform a similar function. The broker application authenticates users, requests temporary credentials for users from AWS, and then provides them to the user to access AWS resources.




AWS STS (Security Token Service)


The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API. For more detailed information about using this service, go to Temporary Security Credentials.




ADFS


Active Directory Federation Services (ADFS) is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries.






Web Identity Federation with Mobile Applications


Introducing Web Identity Federation

AWS Security Token Service (STS) now offers Web Identity Federation (WIF). This allows a developer to federate their application from Facebook, Google, or Amazon with their AWS account, allowing their end users to authenticate with one of these Identity Providers (IdP) and receive temporary AWS credentials. In combination with Policy Variables, WIF allows the developer to restrict end users' access to a subset of AWS resources within their account.

To help you understand how web identity federation works, you can use the Web Identity Federation Playground. This interactive website lets you walk through the process of authenticating via Login with Amazon, Facebook, or Google, getting temporary security credentials, and then using those credentials to make a request to AWS.

This article shows how WIF can be used to give many users a "Personal File Store" all housed within a single Amazon S3 bucket without the need for any backend infrastructure. It is adapted from a previous article which used a custom Token Vending Machine hosted in AWS Elastic Beanstalk.
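The policy-evaluation rules from the IAM Policies notes above (JSON statements with Action, Resource and Condition; an explicit Deny beats any Allow; no match means an implicit deny) and the policy-variable trick behind the "personal file store" described in this article, in one added example. This is not AWS's evaluator and not the article's code: it is a small Python model of the algorithm with a constructed sample policy whose bucket name (example-bucket), user id (user123) and Deny on s3:DeleteObject are assumptions made for the demo.

```python
"""Toy IAM policy evaluator (added example, not AWS's implementation).
Rules modelled: explicit Deny wins, any matching Allow grants, otherwise the
request is implicitly denied; ${...} policy variables come from the request
context, which is what confines each web-identity user to their own S3 prefix.
"""
import fnmatch
import re

_VAR = re.compile(r"\$\{([^}]+)\}")


def substitute(value, context):
    """Replace ${key} policy variables with values from the request context."""
    return _VAR.sub(lambda m: context.get(m.group(1), m.group(0)), value)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_insensitive):
    """IAM-style wildcard match ('*' and '?'); actions ignore case, ARNs do not."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt, action, resource, context):
    """True if the statement's Action, Resource and Condition all match."""
    if not any(_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
        return False
    resources = [substitute(r, context) for r in _as_list(stmt.get("Resource", []))]
    if not any(_match(r, resource, False) for r in resources):
        return False
    for operator, clauses in stmt.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported condition operator {operator!r}")
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:  # missing context key: the condition fails
                return False
            expected = [substitute(e, context) for e in _as_list(expected)]
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, e) for e in expected):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single request."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision


# Constructed sample policy for a web-identity "personal file store": each
# federated user may only touch keys under their own user_id prefix. Bucket
# name and the Deny on object deletion are assumptions made for this demo.
PERSONAL_FILE_STORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/${www.amazon.com:user_id}/*"},
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringLike": {"s3:prefix": "${www.amazon.com:user_id}/*"}}},
        {"Effect": "Deny",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def demo(user_id="user123"):
    """Decisions for a constructed federated user; dict keys name the scenario."""
    p, b = [PERSONAL_FILE_STORE], "arn:aws:s3:::example-bucket"
    ctx = {"www.amazon.com:user_id": user_id}
    return {
        "own_object": evaluate(p, "s3:GetObject", f"{b}/{user_id}/photo.jpg", ctx),
        "other_users_object": evaluate(p, "s3:GetObject", f"{b}/someone-else/photo.jpg", ctx),
        "delete_own_object": evaluate(p, "s3:DeleteObject", f"{b}/{user_id}/photo.jpg", ctx),
        "list_own_prefix": evaluate(p, "s3:ListBucket", b, {**ctx, "s3:prefix": f"{user_id}/"}),
        "list_other_prefix": evaluate(p, "s3:ListBucket", b, {**ctx, "s3:prefix": "someone-else/"}),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:20s} -> {decision}")
```

Running it shows the pattern the article relies on: the federated user reaches only objects and list prefixes under their own `${www.amazon.com:user_id}`, a missing `s3:prefix` context key makes the ListBucket condition fail closed, and the Deny on deletion wins even though reads and writes on the same key are allowed. Real IAM has many more condition operators plus NotAction/NotResource; this model raises on an operator it does not know rather than silently ignoring it.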




The AWS Web Identity Federation Playground


We added support for Amazon, Facebook, and Google identity federation to AWS IAM earlier this year. This powerful and important feature gives you the ability to grant temporary security credentials to users managed outside of AWS.

In order to help you learn more about how this feature works and to make it easier for you to test and debug your applications and websites that make use of it, we have launched the Web Identity Federation Playground.




IAM (Identity and Access Management)


Allows you to manage users and their level of access to the AWS Console and APIs. It is important to understand IAM and how it works, both for the exam and for administering a company's AWS account in real life.


* What does IAM give you?

- Centralised control of your AWS account

- Shared Access to your AWS account

- Granular Permissions

- Identity Federation (including Active Directory, Facebook, Google and other OpenID Connect-compatible providers)

- Multifactor Authentication

- Provide temporary access for users/devices and services where necessary

- Allows you to set up your own password rotation policy

- Integrates with many different AWS services

- Supports PCI DSS Compliance


* Critical Terms

Users - End users (people or systems)

Groups - A collection of users under one set of permissions

Roles - You create roles and then let trusted entities (AWS services such as EC2, IAM users, or federated users) assume them; a role has no long-term credentials of its own

Policies - A document that defines one or more permissions


- AWS Identity and Access Management (IAM) allows you to securely control access to AWS services and resources for your users

- Policies, which are written in JSON, allow you to define granular access to AWS resources

- Users are the people or systems that use your AWS resources: admins, end users, or systems that need permissions to access your AWS data

- Groups are a collection of users that all inherit the same set of permissions and can be used to reduce your user management overhead

- IAM roles can be assumed by any principal that the role's trust policy allows; a role has no access key or password of its own, and assuming it returns temporary credentials

- AWS also publishes a list of IAM best practices to help keep your environment secure




* Security Token Service (STS)

Grants users limited and temporary access to AWS resources.

Users can come from three sources


- Federation (typically Active Directory)

  : Uses Security Assertion Markup Language (SAML)

  : Grants temporary access based on the user's Active Directory credentials; the user does not need to exist in IAM

  : Single sign-on lets users log in to the AWS console without being issued IAM credentials


- Federation with Mobile Apps

  : Use Facebook, Amazon, Google or another OpenID Connect provider to log in.

  

- Cross Account Access

  : Lets users from one AWS account access resources in another

  


* Understanding key Terms


- Federation : combining or joining a list of users in one domain (such as IAM) with a list of users in another domain (such as Active Directory, Facebook etc.)


- Identity Broker : a service that allows you to take an identity from point A and join it (federate it) to point B. (*****)


- Identity Store : Services like Active Directory, Facebook, Google etc.


- Identities : a user of a service like Facebook etc.





Recap


* IAM consists of the following

- Users

- Groups (A way to group our users and apply polices to them collectively)

- Roles

- Policy Documents


* Summary

- IAM is global. Users, groups, roles and policies are not tied to a region.

- The "root account" is simply the identity created when you first set up your AWS account. It has complete admin access.

- New users have NO permissions when first created.

- New users can be issued an Access Key ID and Secret Access Key when they are created (programmatic access).

- These are not the same as a password: you cannot use the Access Key ID and Secret Access Key to log in to the console. You use them to access AWS via the APIs and the command line.

- You only get to view the secret access key once. If you lose it, you have to generate a new key pair, so save it in a secure location.

- Always set up Multi-Factor Authentication on your root account.

- You can create and customise your own password rotation policy.
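One way to check the summary points above against a real account, added here as an example and not part of the original notes: the IAM credential report (`aws iam get-credential-report`) lists every IAM user plus the root account with MFA status and access-key rotation dates. The Python below audits a constructed sample of that CSV (made-up account id, users alice and bob) for root MFA, root access keys, stale keys and console passwords without MFA; the 90-day key-age threshold and the fixed audit date are assumptions.

```python
"""Audit an IAM credential report (added example, not AWS tooling).
The CSV layout is the one `aws iam get-credential-report` returns, base64-
encoded, in its Content field; the rows below are a constructed sample.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: the root row plus two IAM users, made-up account id.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2020-03-01T10:00:00+00:00,not_supported,not_supported,false,true,2019-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-06-01T00:00:00+00:00,true,2020-03-10T09:00:00+00:00,2020-01-15T00:00:00+00:00,2020-04-14T00:00:00+00:00,true,true,2020-02-01T00:00:00+00:00,2020-03-10T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2018-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2018-01-01T00:00:00+00:00,2018-02-01T00:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed audit time (assumption) so the sample run is reproducible.
SAMPLE_NOW = datetime(2020, 3, 15, tzinfo=timezone.utc)


def audit_credential_report(csv_text, now, max_key_age=timedelta(days=90)):
    """Return a list of (user, finding) tuples; an empty list means clean."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_mfa = row["mfa_active"] == "true"
        if is_root and not has_mfa:
            findings.append((user, "root account has no MFA"))
        if row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                # Root should not have long-term keys at all; use IAM users/roles.
                findings.append((user, f"root account has an active access key ({n})"))
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            age = now - rotated
            if age > max_key_age:
                findings.append((user, f"access key {n} not rotated for {age.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: {finding}")
```

Against a live account, base64-decode the Content field of the get-credential-report response and pass the text to `audit_credential_report` with `datetime.now(timezone.utc)`; the root row is the one whose `user` column reads `<root_account>`.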





Quiz


IAM 

: IAM allows you to manage users, groups and roles and their corresponding level of access to the AWS Platform

: Centralised control of your AWS account

: Integrates with an existing Active Directory account, allowing single sign-on

: Fine-grained access control to AWS resources


* Web Identity Federation : Allow users to use their social media account to gain temporary access to the AWS platform


* AssumeRoleWithWebIdentity : the STS API call used to obtain temporary security credentials when authenticating with Web Identity Federation


* AssumeRoleWithSAML : the STS API call used to request temporary security credentials from AWS when federating with Active Directory (or any other SAML 2.0 IdP)


* Steps performed when using Active Directory to authenticate to AWS

1) The user navigates to the ADFS web server.
2) The user enters their single sign-on credentials.
3) The user's browser receives a SAML assertion from ADFS (which has authenticated the user against Active Directory).
4) The browser posts the SAML assertion to the AWS SAML sign-in endpoint, and the AssumeRoleWithSAML API is used to request temporary security credentials for the role named in the assertion.
5) The user is then able to access the AWS Console.


* SAML 

: Security Assertion Markup Language

: AWS sign-in endpoint for SAML is https://signin.aws.amazon.com/saml


* Web Identity Federation steps

1) The user authenticates with Facebook (or another supported IdP) and is given a token by Facebook.
2) The application calls AssumeRoleWithWebIdentity, passing that token.
3) STS returns temporary security credentials to the user.


