2020 0219-SID Slide-Deck

The document provides guidance on integrating Azure Active Directory with AWS Single Sign-On (SSO) to manage identities and access across AWS accounts. It covers AWS Identity and Access Management (IAM) and SSO functionalities, emphasizing the use of SAML 2.0 for federated access. Additionally, it highlights the benefits of centralizing access management and security for cloud applications and AWS resources.


How to use your Azure Active Directory with AWS SSO

Lior Pollack, Solutions Architect, AWS
Yuri Duchovny, Solutions Architect, AWS

February 27th, 2020

© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Typical types of identities

[Diagram] Workforce identity: a corporate user (Alice) gains federated access to AWS accounts and to cloud / SAML applications. Application identity: users of business applications are authenticated through Amazon Cognito.


AWS Single Sign-On

• Choose identity source
• Manage access centrally
• Increase security, productivity
• CLI access to accounts/roles/apps
• Browser and mobile portal

Standards: Security Assertion Markup Language (SAML), System for Cross-domain Identity Management (SCIM)

Agenda

AWS Identity and Access Management (IAM)
✓ overview
✓ federation with Azure AD

AWS Single Sign On (SSO)
✓ multi-account access and governance
✓ simplifying multi-account access with existing Azure AD identities

AWS Identity and Access Management

AWS IAM

• What it is
  • I – Authentication: support for human and application caller identities
  • AM – Authorization: a powerful, flexible permissions language for controlling access to cloud resources
• Why it matters to you: every AWS service uses IAM to authenticate and authorize API calls

AWS identities for human callers: IAM users

[Diagram] An IAM user inside an AWS account holds a long-term security credential.

AWS identities for non-human callers

Amazon EC2 instance, AWS Lambda function, Amazon SageMaker notebook, AWS Glue crawler, Amazon ECS task

AWS identities for human callers: Federated identities

[Diagram] In the AWS account, corporate identities (administrators) assume the IAM role "administrator" and corporate identities (developers) assume the IAM role "developer"; both receive temporary security credentials instead of long-term ones.

What are IAM policies?
Policies provide authorization to AWS services and resources

Two parts:
• Specification: Defining access policies
• Enforcement: Evaluating policies
When you define access policies, you specify which IAM principals are allowed to
perform which actions on specific AWS resources and under which conditions.

IAM enforces this access by evaluating the AWS request against the policies you defined
and returns either a yes or a no answer.

IAM policies enable granular access controls

Policy template:

{
  "Statement": [{
    "Effect": "effect",
    "Principal": "principal",
    "Action": "action",
    "Resource": "arn",
    "Condition": {
      "condition": {
        "key": "value"
      }
    }
  }]
}

Principal: The entity that is allowed or denied access
  "Principal": {"AWS": "arn:aws:iam::123456789012:user/username"}

Action: Type of access that is allowed or denied
  "Action": "secretsmanager:GetSecretValue"

Resource: The Amazon resource(s) the action will act on
  "Resource": "arn:aws:secretsmanager:xx-xxxx-xx:xxx:secret:xxx"

Condition: The conditions that are valid under the access defined
  "Condition": {"StringEquals": {"secretsmanager:ResourceTag/Project": "Project1"}}
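To make the "yes or no answer" of the enforcement step concrete, the following Python is a small model of policy evaluation added to this page as an example; it is not AWS code and does not reproduce IAM's full engine (no SCPs, permissions boundaries or resource-based policies). It assumes identity-based policies, so Principal is omitted, models wildcards in Action/Resource and the StringEquals condition operator only, and uses a constructed policy based on the Secrets Manager example above with a placeholder region, account id and secret names.

```python
"""Simplified model of IAM policy evaluation (added example, not AWS code)."""
from fnmatch import fnmatchcase

# Constructed identity-based policy, modelled on the Secrets Manager example
# from the slide. Region, account id and secret names are placeholders.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:xx-xxxx-xx:123456789012:secret:*",
            "Condition": {
                "StringEquals": {"secretsmanager:ResourceTag/Project": "Project1"}
            },
        },
        {
            # An explicit Deny wins over any Allow, whatever the statement order.
            "Effect": "Deny",
            "Action": "secretsmanager:DeleteSecret",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate a Condition block against the request context keys.

    Only the StringEquals operator is modelled; any other operator is
    rejected rather than silently treated as satisfied.
    """
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator!r} not modelled")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return "Allow" or "Deny" for a single request.

    Decision order: explicit Deny > Allow > implicit Deny (the default when
    no statement matches). Action names are case-insensitive in IAM;
    resource ARNs are compared case-sensitively.
    """
    context = context or {}
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny short-circuits everything else
        decision = "Allow"
    return decision


if __name__ == "__main__":
    secret = "arn:aws:secretsmanager:xx-xxxx-xx:123456789012:secret:db-password"
    tagged = {"secretsmanager:ResourceTag/Project": "Project1"}
    print(evaluate(POLICY, "secretsmanager:GetSecretValue", secret, tagged))  # Allow
    print(evaluate(POLICY, "secretsmanager:GetSecretValue", secret, {}))      # Deny
    print(evaluate(POLICY, "secretsmanager:DeleteSecret", secret, tagged))    # Deny
```

The three calls at the bottom show the point of the Condition element: the same principal reading the same secret is allowed only when the request context carries the expected resource tag, and the explicit Deny on DeleteSecret applies regardless of tags.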

SAML 2.0-based federated users

AssumeRoleWithSAML
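As an added example (not from the slides or AWS), the following Python performs the client-side step that precedes AssumeRoleWithSAML: it reads the AWS-specific attributes out of a SAML 2.0 assertion and assembles the STS request parameters for one of the roles from the federated-identities slide (administrator, developer). The assertion is constructed and unsigned, the account id 123456789012 and the saml-provider name "AzureAD" are placeholders, and the attribute names are the ones AWS defines for SAML federation. Signature validation is intentionally not done here: STS verifies the response against the IdP metadata registered on the IAM SAML provider, so nothing parsed by this code is authoritative until STS has accepted the assertion.

```python
"""Read AWS role attributes from a SAML 2.0 assertion (added example, not AWS code).

In the IAM federation flow the IdP (here Azure AD) returns a signed
SAMLResponse; the caller picks one of the roles listed in the assertion and
passes RoleArn, PrincipalArn and the base64 response to STS
AssumeRoleWithSAML, receiving temporary credentials. This module covers the
client-side parsing only. It does NOT verify the XML signature: STS does that
against the IdP metadata registered on the IAM SAML provider, so nothing
parsed here is trusted until STS has accepted the assertion.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Attribute names AWS defines for SAML federation.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed, unsigned sample response. Account id 123456789012 and the
# saml-provider name "AzureAD" are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/developer,arn:aws:iam::123456789012:saml-provider/AzureAD</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/AzureAD,arn:aws:iam::123456789012:role/administrator</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>3600</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text):
    """Base64-encode a SAML response the way an IdP posts it to the service provider."""
    return base64.b64encode(xml_text.encode()).decode()


def parse_aws_attributes(saml_response_b64):
    """Return (roles, session_name, duration_seconds) from a base64 SAMLResponse.

    roles is a list of (role_arn, provider_arn) tuples. AWS accepts the two
    ARNs in either order, so the role is identified by its ':role/' segment.
    A Role value that is not exactly two IAM ARNs raises ValueError rather
    than being guessed at.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text
        ]
    roles = []
    for value in attrs.get(ROLE_ATTR, []):
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2 or not all(p.startswith("arn:aws:iam::") for p in parts):
            raise ValueError(f"malformed Role attribute value: {value!r}")
        role_arn, provider_arn = sorted(parts, key=lambda p: ":role/" not in p)
        if ":role/" not in role_arn or ":saml-provider/" not in provider_arn:
            raise ValueError(f"Role value is not a role/provider pair: {value!r}")
        roles.append((role_arn, provider_arn))
    session_name = attrs.get(SESSION_NAME_ATTR, [None])[0]
    duration = int(attrs.get(DURATION_ATTR, ["3600"])[0])
    return roles, session_name, duration


def assume_role_request(saml_response_b64, role_name):
    """Build the AssumeRoleWithSAML parameters for the named role.

    Raises LookupError if the assertion does not list that role, so a client
    never requests a role the IdP did not grant.
    """
    roles, _, duration = parse_aws_attributes(saml_response_b64)
    for role_arn, provider_arn in roles:
        if role_arn.endswith(f":role/{role_name}"):
            return {
                "RoleArn": role_arn,
                "PrincipalArn": provider_arn,
                "SAMLAssertion": saml_response_b64,
                "DurationSeconds": duration,
            }
    raise LookupError(f"assertion does not grant role {role_name!r}")


if __name__ == "__main__":
    b64 = encode_response(SAMPLE_RESPONSE)
    print(parse_aws_attributes(b64)[0])
    print(assume_role_request(b64, "developer")["RoleArn"])
```

The dictionary returned by assume_role_request is exactly the parameter set handed to STS AssumeRoleWithSAML; the second Role value in the sample lists the provider ARN first to show that the parser does not depend on attribute order.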

AWS Single Sign On

AWS Single Sign-on

Cloud single sign-on (SSO) service that helps centrally manage SSO access to AWS accounts and business applications.

• Centrally manage access to multiple AWS accounts.
• Use your existing corporate identities.
• Easy to enable and use.
• SSO access to business applications.

AWS Account

Govern accounts

Organization

AWS Organizations

Central governance and management across AWS accounts for a comprehensive multi-account AWS environment

• Manage and define your organization and accounts
• Control access and permissions
• Audit, monitor, and secure your environment for compliance
• Share resources across accounts
• Centrally manage costs and billing

AWS Single Sign-On

[Diagram] Identity sources: SSO Identity Store, AWS Managed Microsoft AD, and (NEW!) an External Identity Provider. Targets: Cloud / SAML Applications and the accounts in AWS Organizations.

Demo – SSO Basic Configuration

AWS SSO with external identity provider

AWS Single Sign-On external identity provider support
Standards-based provisioning and authentication

[Diagram] Azure AD provisions and authenticates users into AWS SSO, which grants access to AWS accounts and business applications.

Demo
Integrating AWS SSO with Azure AD

Demo
Signing into AWS CLIv2

AWS SSO recap

Manage identities:
• Within AWS SSO
• In your on-premises directory
• In a cloud identity provider

AWS SSO supports open standards:
• SAML 2.0 (New!)
• SCIM (New!)

Centrally control access across AWS accounts in your organization and business applications.
Additional resources

https://aws.amazon.com/single-sign-on/

https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html

https://aws.amazon.com/about-aws/whats-new/2019/11/manage-access-to-aws-centrally-for-azure-ad-users-with-aws-single-sign-on/

https://aws.amazon.com/blogs/aws/the-next-evolution-in-aws-single-sign-on/

https://aws.amazon.com/iam/

Thank you!

Lior Pollack, Solutions Architect, AWS
Yuri Duchovny, Solutions Architect, AWS
