@rhenning
Last active April 8, 2016 00:53
re:Invent 2015 SEC307 AWS IAM Federation notes

https://www.youtube.com/watch?v=-XARG9W2bGc

  • SAML federation at scale
    • Automate onboarding
      • Allow a cross-account trust to create SAML providers w/ MFA from master/payer acct (15:47)
        • This allows bootstrapping new accounts by a small group of admins w/ real IAM accts or root acct
      • automate integrating each subaccount's SAML ID provider
      • automate deployment of subaccount IAM role & policies
      • automate deployment of central directory groups/structure
      • keep role definitions consistent across subaccounts
    • Recommendation is to name central directory groups AWS-aws-account-num-aws-iam-role (one group per account/role pair)
      • this allows smooth integration from SAML <-> IAM Roles across many accounts (explanation @ 26:00)
      • you can auto-generate a post-login page & embed URLs for assume role using this (23:51)
    • Use sts:assumeRole(+MFA) for CLI/API access (24:30)
      • Auditing federated accounts in CloudTrail for compliance (27:11)
    • Key Takeaways
      • Naming conventions are critical
      • Configuration should rely on patterns, not values
      • Think about traceability now
      • Tighter policies help reduce AWS account sprawl
    • Focus on workflow
  • For more advanced integrations, use a custom identity broker (30:00)
    • Keep in mind Dow Jones' Nova service was created pre-SAML
      • Probably not necessary today
    • Possibilities for Dynamic Policy Generation per project/env (44:00)
  • Rationalizing SAML v. Custom ID broker (46:00)
    • Existing Federation investments?
    • What exists outside AWS?
    • Desired level of control v. involvement?
    • Competency & bandwidth for custom ops development?
    • SAML
      • Pro
        • Low barrier to entry
        • Federation beyond AWS
      • Con
        • Number of roles, groups
        • Additional automation to scale
      • Best for a balanced federation approach
    • Custom ID broker
      • Pro
        • Granular & contextual policies
        • Complete control
      • Con
        • Dev effort
        • Complex evaluations
      • Best for increased involvement, ultimate control, least privilege
    • Don't overanalyze, experiment & iterate.
    • Federation options aren't mutually exclusive
    • Evolve as needs evolve, use the simplest approach that fits your needs
  • Resources, tools, code, slide deck (51:30)
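Worked example of the naming-convention and automation points above (the AWS-account-role group pattern, the auto-generated post-login page with assume-role links, and the MFA-gated cross-account bootstrap trust). This is added example code, not from the talk, the slide deck, or this gist. It assumes the group pattern is AWS-<12-digit account id>-<IAM role name>, a SAML provider named CorpIdP in each subaccount, constructed account ids and group names, the standard SAML Role attribute format (role ARN, provider ARN), the console switchrole URL, and the aws:MultiFactorAuthPresent condition key; malformed AWS-* groups are flagged rather than silently mapped.

```python
import json
import re
from urllib.parse import urlencode

# Naming convention from the notes: AWS-<12-digit account id>-<IAM role name>.
# Commas are excluded from the role part (IAM itself would allow them) because
# the SAML Role attribute below uses a comma as its separator.
GROUP_RE = re.compile(r"^AWS-(?P<account>\d{12})-(?P<role>[\w+=.@-]{1,64})$")

# Constructed sample input: the directory groups a user carries at login.
# Account ids and names are made up for this example.
SAMPLE_GROUPS = [
    "AWS-111111111111-ReadOnly",
    "AWS-222222222222-PowerUser",
    "AWS-12345-Admin",   # account id is not 12 digits -> flagged, not mapped
    "Engineering",       # unrelated directory group -> ignored
]


def parse_group(group_name):
    """Return (account_id, role_name) for a conforming group name, else None."""
    m = GROUP_RE.match(group_name)
    return (m.group("account"), m.group("role")) if m else None


def role_arn(account, role):
    return f"arn:aws:iam::{account}:role/{role}"


def saml_provider_arn(account, provider):
    return f"arn:aws:iam::{account}:saml-provider/{provider}"


def saml_role_attribute(account, role, provider):
    """Value of the https://aws.amazon.com/SAML/Attributes/Role attribute:
    '<role arn>,<saml provider arn>', both in the same subaccount."""
    return f"{role_arn(account, role)},{saml_provider_arn(account, provider)}"


def switch_role_url(account, role, display_name=None):
    """Console switch-role link to embed in a post-login page."""
    params = {"account": account, "roleName": role}
    if display_name:
        params["displayName"] = display_name
    return "https://signin.aws.amazon.com/switchrole?" + urlencode(params)


def saml_role_trust_policy(account, provider):
    """Trust policy for a subaccount role: only that account's SAML provider
    may assume it, and only for the AWS sign-in audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn(account, provider)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


def mfa_cross_account_trust_policy(master_account):
    """Trust policy for the bootstrap role in a new subaccount: principals from
    the master/payer account only, and only when MFA was used."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{master_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def post_login_links(groups, provider):
    """Map directory groups to role links. Groups that look like AWS groups but
    break the pattern are returned separately so they can be flagged."""
    links, skipped = [], []
    for group in groups:
        if not group.startswith("AWS-"):
            continue
        parsed = parse_group(group)
        if parsed is None:
            skipped.append(group)
            continue
        account, role = parsed
        links.append({
            "group": group,
            "role_arn": role_arn(account, role),
            "saml_attribute": saml_role_attribute(account, role, provider),
            "url": switch_role_url(account, role, f"{role}@{account}"),
        })
    return links, skipped


if __name__ == "__main__":
    links, skipped = post_login_links(SAMPLE_GROUPS, "CorpIdP")
    for link in links:
        print(link["group"], "->", link["url"])
    print("flagged:", skipped)
    print(json.dumps(mfa_cross_account_trust_policy("999999999999"), indent=2))
```

Because everything is derived from the group name, adding a new subaccount means creating one SAML provider, one role per pattern, and the matching directory groups; nothing in the IdP or post-login page carries per-account values, which is the "patterns, not values" takeaway above. The flagged list is where traceability starts: a group that almost matches the pattern is a misconfiguration to investigate, not something to map by guesswork.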