CCA Unit 3 – Architecting on AWS

CCA 3.09: Security Pillar

Section 1: Introduction to System Design


Section 2: Automation and Serverless Architectures
Section 3: Well-Architected Best Practices
CCA 3.08 Introducing the Well-Architected Framework
CCA 3.09 Well-Architected Pillar 1: Security
CCA 3.10 Well-Architected Pillar 2: Reliability
CCA 3.11 Well-Architected Pillar 3: Performance Efficiency
CCA 3.12 Well-Architected Pillar 4: Cost Optimization
Section 4: Deployment and Implementation

© 2017 Amazon Web Services, Inc. or its affiliates. All rights reserved.

What’s In This Module

Security Pillar Overview


Principles of the Security Pillar & Key Services
Preventing Common Security Exploits
Securing & Encrypting Data
Securing Data At Rest on S3
Authentication

Part 1

Security Pillar Overview


Best Practice: Secure Your Infrastructure Everywhere

Build security into every layer of your infrastructure. Physical data centers typically rely on security at the perimeter. AWS enables you to implement security at the perimeter as well as within and between your resources.

Things to consider:
• Isolate parts of your infrastructure
• Encrypt data in transit and at rest
• Enforce access control granularly, using the principle of least privilege
• Use multi-factor authentication
• Leverage managed services
• Log access of resources
• Automate your deployments to keep security consistent

Securely Store and Analyze Terabytes of Data
Mount Sinai uses AWS to securely store and analyze 100 TB of data…


"By using AWS, we met strict HIPAA standards for confidentiality… and we can store source files securely and cost-effectively."
Dr. John A. Martignetti, Icahn School of Medicine at Mount Sinai, an internationally recognized leader in medical and scientific training, biomedical research, and patient care.

• Needed to search and analyze terabytes of genomics data to investigate the causes of aggressive forms of cancer: breast and ovarian.
• Using AWS gives researchers the ability to mine data from cancer patients all over the world.
• Analyzes more than 100 TB of data each time new information comes in.
• Can store source files securely and cost-effectively with durability and accessibility.
• Mount Sinai leveraged Station X's GenePool platform, which is built on the AWS Cloud, to complete this project.

Part 2

Principles of the Security Pillar

Well-Architected Pillar 1: Security

The ability to protect information, systems, and assets while delivering business value through
risk assessments and mitigation strategies.

• Identity and access management
• Detective controls
• Infrastructure protection
• Data protection
• Incident response


Security Pillar Principles

Apply Security at All Layers
Instead of just running security appliances (e.g., firewalls) at the edge of your infrastructure, use firewalls and other security controls on all of your resources:
• Every virtual server
• Every load balancer
• Every network subnet

Enable Traceability
Log and audit all actions and changes to your environment and access to your services.

Automate Responses To Security Events
Monitor and automatically trigger responses to event-driven or condition-driven alerts.

Focus On Securing Your System
With the AWS Shared Responsibility Model:
• AWS provides secure infrastructure and services.
• You can focus on securing your application, data, and operating systems.

Automate Security Best Practices
• Use software-based security mechanisms to improve your ability to securely scale more rapidly and cost-effectively.
• Create and save a custom baseline image of a virtual server, and then use that image automatically on each new server you launch.
• Create an entire infrastructure that is defined and managed in a template.

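The "Enable Traceability" and "Automate Responses To Security Events" principles only pay off if something actually reads the audit trail and turns it into alerts. The following is an added example, not code from the AWS course: it runs three simple detection rules over CloudTrail-style records (the field names follow the CloudTrail record format, the account id, ARNs, IPs and group id are constructed sample values) and emits findings that an automated response could consume. The rules themselves (console login without MFA, a security-group rule opened to the whole Internet, and changes to the trail that produces the logs) are the author's choice of illustration, not a list from the slides.

```python
# Constructed CloudTrail-style records. Field names follow the CloudTrail record
# format; every value (account, users, IPs, group id, trail name) is made up.
SAMPLE_TRAIL = [
    {"eventTime": "2017-05-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-05-01T12:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.6",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-0123", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2017-05-01T12:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2017-05-01T12:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.6",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]

def _ingress_ranges(ip_permissions):
    """Yield (fromPort, toPort, cidr) for every IPv4/IPv6 range in an
    AuthorizeSecurityGroupIngress request's ipPermissions structure."""
    for perm in ip_permissions.get("items", []):
        for r in perm.get("ipRanges", {}).get("items", []):
            yield perm.get("fromPort"), perm.get("toPort"), r.get("cidrIp")
        for r in perm.get("ipv6Ranges", {}).get("items", []):
            yield perm.get("fromPort"), perm.get("toPort"), r.get("cidrIpv6")

def check_record(rec):
    """Apply the three rules to one record and return a list of findings."""
    findings = []
    name = rec.get("eventName")
    who = rec.get("userIdentity", {})
    base = {"time": rec.get("eventTime"), "event": name,
            "actor": who.get("arn"), "source_ip": rec.get("sourceIPAddress")}

    # Rule 1: interactive console login without MFA (root is the worst case).
    if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
        findings.append({**base, "rule": "console-login-without-mfa",
                         "severity": "high" if who.get("type") == "Root" else "medium"})

    # Rule 2: security-group ingress opened to the entire Internet.
    if name == "AuthorizeSecurityGroupIngress":
        params = rec.get("requestParameters", {})
        for lo, hi, cidr in _ingress_ranges(params.get("ipPermissions", {})):
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.append({**base, "rule": "world-open-ingress", "severity": "high",
                                 "detail": f"{params.get('groupId')} ports {lo}-{hi} from {cidr}"})

    # Rule 3: someone turning off or altering the audit trail itself.
    if name in ("StopLogging", "DeleteTrail", "UpdateTrail"):
        findings.append({**base, "rule": "audit-logging-changed", "severity": "high",
                         "detail": rec.get("requestParameters", {}).get("name")})
    return findings

def scan(records):
    """Run every record through the rules; the result is the input to automation."""
    return [f for rec in records for f in check_record(rec)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_TRAIL):
        print(finding["severity"].upper(), finding["rule"], finding["actor"], finding.get("detail", ""))
```

In a real deployment the records would arrive from CloudTrail via CloudWatch Events or an S3 delivery, and the findings would feed a ticket, a notification, or an automated remediation; the rule logic does not change.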
Part 3

Key Services for Security


Key Services for Security


Areas                     Key Services
Data protection           Elastic Load Balancing, Amazon EBS, Amazon S3, Amazon RDS, AWS Key Management Service (KMS)
Privilege management      AWS IAM, MFA token
Infrastructure protection Amazon VPC
Detective controls        AWS CloudTrail, AWS Config, Amazon CloudWatch

Part 4

Preventing Common Security Exploits


DDoS (Distributed Denial of Service) Attacks


A Denial of Service (DoS) attack attempts to make your website or application unavailable
to your end users.

To achieve this, attackers use a variety of techniques that consume network or other
resources, thus interrupting access for legitimate end users.

The attackers use multiple hosts to orchestrate an attack against a target.


Distributed Denial of Service (DDoS) Protection


Protecting against attacks is a shared responsibility between AWS and you.

AWS:
• AWS API endpoints are hosted on large, Internet-scale, world-class infrastructure.
• Proprietary DDoS mitigation techniques are used.
• AWS networks are multi-homed across a number of providers to achieve Internet access diversity.

Customer:
• Front your application with AWS Services
• Safeguard exposed resources
• Minimize the attack surface
• Evaluate soft limits and request increases ahead of time
• Learn normal behavior
• Create a plan for attacks
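"Learn normal behavior" is the customer-side item that is easiest to leave vague, so here is an added example (not part of the AWS course) of what it means in practice: establish a per-window request baseline from quiet traffic, then flag later windows whose volume exceeds a multiple of that baseline and report the top sources. The log format (timestamp, client IP, path) and the traffic in `constructed_log()` are synthetic, built inline for the example; a real deployment would read ELB or CloudFront access logs instead.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import statistics

WINDOW_SECONDS = 10  # aggregation window; an assumption for this example

def parse_line(line):
    """Parse one constructed log line: '<ISO 8601 time> <client ip> <path>'."""
    ts, ip, path = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, path

def bucket(lines):
    """Count requests per window and per (window, client IP)."""
    per_window = Counter()
    per_client = defaultdict(Counter)
    for line in lines:
        when, ip, _ = parse_line(line)
        window = int(when.timestamp()) // WINDOW_SECONDS * WINDOW_SECONDS
        per_window[window] += 1
        per_client[window][ip] += 1
    return per_window, per_client

def detect_floods(lines, baseline_windows, factor=5.0):
    """Learn 'normal' as the median requests per window over the first
    `baseline_windows` windows, then flag every later window whose volume
    exceeds factor x baseline. Returns [(window_start_epoch, count, top3)]."""
    per_window, per_client = bucket(lines)
    ordered = sorted(per_window)
    baseline = statistics.median(per_window[w] for w in ordered[:baseline_windows])
    alerts = []
    for w in ordered[baseline_windows:]:
        if per_window[w] > factor * baseline:
            alerts.append((w, per_window[w], per_client[w].most_common(3)))
    return alerts

def constructed_log():
    """Synthetic traffic, not a capture: six quiet 10 s windows with 5 clients
    sending 3 requests each, then one window in which 40 new sources each send
    25 requests to /login."""
    start = datetime(2017, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for w in range(6):
        for c in range(5):
            for r in range(3):
                t = start + timedelta(seconds=w * 10 + r * 3)
                lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.{10 + c} /index.html")
    burst = start + timedelta(seconds=60)
    for c in range(40):
        for r in range(25):
            t = burst + timedelta(seconds=r % 10)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.{c} /login")
    return lines

if __name__ == "__main__":
    for window, count, top in detect_floods(constructed_log(), baseline_windows=6):
        print(f"window {window}: {count} requests (top sources: {top})")
```

The baseline is deliberately learned from the first windows only; in production you would keep it rolling and separate it per path or per region, and the alert would feed the "plan for attacks" (scale out, tighten WAF rules, raise limits that were evaluated ahead of time).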


DDoS Mitigation Example

[Diagram: DDoS mitigation example. Users (and the DDoS traffic) reach a CloudFront edge location; behind it sits a DMZ WAF/proxy tier in a public subnet, then an ELB in front of auto-scaled front-end servers in a private subnet, then a second ELB in front of auto-scaled web app servers in another private subnet. Each tier is wrapped in its own security group.]


Using Amazon Inspector To Prevent Common Exploits

Amazon Inspector is an automated security assessment service that assesses applications for:
• Vulnerabilities
• Deviations from best practices

After performing the assessment, it produces a detailed report with prioritized steps for remediation.


Amazon Inspector Rules

Amazon Inspector includes a knowledge base with hundreds of rules that are mapped to:
• Common security compliance standards
• Vulnerability definitions

The rules are regularly updated by AWS security researchers.

Examples of built-in rules:
• Remote root login being enabled
• Vulnerable software versions installed


Amazon Inspector Prioritized List of Findings


Amazon Inspector Detailed Remediation Recommendations

Part 5

Securing Data


CloudFront Custom SSL Support

By default, your content is delivered to viewers over HTTPS by using a CloudFront distribution domain name such as https://dxxxxx.cloudfront.net/image.jpg.

Custom SSL certificate support features let you use your own domain name and your own
SSL certificate.
 Server Name Indication (SNI) Custom SSL
Allows multiple domains to serve SSL traffic over the same IP address.
 Dedicated IP Custom SSL
To deliver content to browsers that do not support SNI.


Use Alternate Domain Names With HTTPS

1. To use dedicated IP, request permission for your AWS account (not necessary for SNI).

2. Upload your SSL certificate to the IAM certificate store:

   aws iam upload-server-certificate \
       --server-certificate-name CertificateName \
       --certificate-body file://public_key_certificate_file \
       --private-key file://privatekey.pem \
       --certificate-chain file://certificate_chain_file \
       --path /cloudfront/path/

3. Update your distribution to include your domain names.
   • Specify which SSL certificate you want to use.
   • Specify dedicated IP address or SNI.
   • Add or update DNS records.


CloudFront Security: Advanced SSL Features Support

High-security ciphers
Improve the security of HTTPS connections.

Perfect Forward Secrecy
Provides additional safeguards against eavesdropping of encrypted data through a unique random session key.

OCSP Stapling
Improves the time taken for individual SSL/TLS handshakes by moving the Online Certificate Status Protocol (OCSP) check to the server side.

Session Tickets
Helps speed up the time spent restarting or resuming an SSL/TLS session.

CloudFront New Origin Security Features

• Enforce HTTPS-only connection between CloudFront and your origin webserver
• Configure CloudFront to use HTTPS to connect to your origin server
• Support for TLSv1.1 and TLSv1.2
• Add or modify request headers forwarded from CloudFront to your origin
• Configure CloudFront to add custom headers or override the value of existing request headers when CloudFront forwards requests to your origin


How To Make Content Private

Restrict access to objects in your Amazon S3 bucket.

Require that users use signed URLs:
• Create CloudFront key pairs for your trusted signers.
• Write the code that generates signed URLs.
  • Typically, you'll write an application that automatically generates signed URLs.
  • Alternatively, use a web interface to create signed URLs.
• Add trusted signers to your distribution.
• Note: Once you add a trusted signer to your distribution, users must use signed URLs to access the corresponding content.


Origin Access Identity To Restrict Access

Restrict access to Amazon S3 content by creating an origin access identity (OAI), which is a
special CloudFront user.
 CloudFront origin access identity gets the objects from Amazon S3 on your users’ behalf.
 Direct access to the objects through Amazon S3 URLs will be denied.

Procedure:
1. Create an origin access identity and add it to your distribution.
2. Change the permissions either on your Amazon S3 bucket or the objects in your bucket so that only
the origin access identity has read permission.


Use IAM To Control API Access To CloudFront Resources


Control a user's API access to CloudFront with IAM policies.

Group policy example. It grants permission to all CloudFront actions for the group this policy is attached to, with the condition that the actions require use of SSL/TLS:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudfront:*"],
    "Resource": "*",
    "Condition": {
      "Bool": {
        "aws:SecureTransport": "true"
      }
    }
  }]
}
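To make the evaluation behaviour of that policy concrete, here is an added example (not AWS code and not the real IAM policy engine): a deliberately small evaluator that models three IAM rules this slide relies on, namely default deny, an Allow only when the statement's action, resource and condition all match, and an explicit Deny winning over any Allow. It supports only the `Bool` and `StringEquals` condition operators and wildcard matching on action and resource; the policy constant reproduces the slide's example and the request contexts are constructed.

```python
import fnmatch
import json

# The slide's group policy, embedded here so the example is self-contained.
CLOUDFRONT_SSL_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudfront:*"],
    "Resource": "*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}
  }]
}
""")

def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    """Evaluate the Bool and StringEquals operators only (a simplified model).
    Every operator block must match, and a condition key that is absent from
    the request context does not match, which is also how IAM treats it."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "StringEquals"):
            raise ValueError(f"operator {operator} not modelled in this example")
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = str(context[key]).lower()
            if actual not in [str(x).lower() for x in _as_list(expected)]:
                return False
    return True

def _matches_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny' for one request. Rules modelled: implicit deny
    unless some Allow statement matches; a matching explicit Deny always wins."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if not _matches_any(action, stmt["Action"]):
            continue
        if not _matches_any(resource, stmt["Resource"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides everything
        decision = "Allow"
    return decision

if __name__ == "__main__":
    # Request context values are constructed; IAM supplies aws:SecureTransport
    # as the string "true" or "false" depending on whether TLS was used.
    for transport in ("true", "false"):
        ctx = {"aws:SecureTransport": transport}
        print(transport, evaluate(CLOUDFRONT_SSL_ONLY_POLICY,
                                  "cloudfront:CreateDistribution", "*", ctx))
```

The point the evaluator makes visible: with a `Bool` condition on an Allow statement, a request over plain HTTP is not explicitly denied, it simply fails to match any Allow and falls through to the implicit deny, which is why this pattern is as effective as an explicit Deny for a group that has no other CloudFront permissions.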
Part 6

Encrypting Data

Encryption Primer

[Diagram] A symmetric data key, generated from either software or hardware, is used together with an encryption algorithm (e.g. AES) to turn plaintext data into encrypted data, which is then placed in storage.

Key hierarchy: a symmetric master key (the key encryption key) encrypts the data key, producing an encrypted data key. You don't want to store the key with the encrypted data!

What Is AWS Key Management Service (KMS)?

AWS KMS is a managed encryption service that enables you to easily encrypt your data.
• Two-tiered key hierarchy using envelope encryption.
• Data keys are unique.
• AWS KMS master keys encrypt data keys.
• AWS KMS master keys never leave the AWS KMS system.

[Diagram: customer master keys held inside AWS KMS encrypt Data Key 1 through Data Key 4, which in turn protect an Amazon S3 object, an Amazon EBS volume, an Amazon Redshift cluster, and a custom application.]

AWS KMS Customer Master Key (CMK) And Data Keys


[Diagram] 1. The application requests a data key from AWS KMS under a CMK. 2. AWS KMS returns the plaintext data key together with the same data key encrypted under the CMK. 3. The application encrypts the plaintext data using the data key. 4. The encrypted data and the encrypted data key are stored together (Amazon EBS volume, S3 bucket, or application EC2 instances).

Benefits Of Using AWS KMS

Only data keys are available directly to the customer, and these are unique to each item encrypted.
If one was compromised, it would not allow decryption of other objects.

The risk of a compromised data key is limited.

The performance for encrypting large data is improved.

It is easier to manage a small number of master keys than millions of data keys.
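The four-step data-key flow above and the benefits listed here (unique data keys, a compromised data key exposing only one object, master keys that never leave KMS) are easiest to see in running code. This added example is not AWS's implementation or the KMS API: `ToyKms` is a stand-in that keeps master keys in memory and exposes the two operations the diagram uses (generate a data key, decrypt a wrapped data key), and the symmetric cipher is a stdlib-only construction (HMAC-SHA256 keystream plus an HMAC tag) chosen so the example runs anywhere; a real system would use AES-GCM or let KMS-integrated services do the encryption. The key id format and the sample records are constructed.

```python
import hashlib
import hmac
import secrets

# --- Stand-in symmetric cipher (NOT AES; stdlib only so the example runs anywhere) ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# --- Stand-in for AWS KMS: master keys (CMKs) are created and used here, never exported ---
class ToyKms:
    def __init__(self):
        self._cmks = {}

    def create_key(self) -> str:
        key_id = "cmk-" + secrets.token_hex(4)   # constructed id format, not a KMS ARN
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str):
        """Step 1-2 of the diagram: a fresh, unique data key, returned both in
        plaintext and wrapped (encrypted) under the named CMK."""
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._cmks[key_id], data_key)

    def decrypt(self, key_id: str, encrypted_data_key: bytes) -> bytes:
        """Unwrap a data key; the CMK itself stays inside ToyKms."""
        return unseal(self._cmks[key_id], encrypted_data_key)

# --- The application side of envelope encryption ---
def encrypt_object(kms: ToyKms, key_id: str, plaintext: bytes) -> dict:
    """Step 3-4: encrypt the data with the data key, keep only the wrapped key."""
    data_key, encrypted_data_key = kms.generate_data_key(key_id)
    ciphertext = seal(data_key, plaintext)
    del data_key  # the plaintext key is not stored anywhere
    return {"key_id": key_id, "encrypted_data_key": encrypted_data_key, "ciphertext": ciphertext}

def decrypt_object(kms: ToyKms, stored: dict) -> bytes:
    """Ask KMS to unwrap the stored data key, then decrypt locally."""
    data_key = kms.decrypt(stored["key_id"], stored["encrypted_data_key"])
    return unseal(data_key, stored["ciphertext"])

def try_decrypt(kms: ToyKms, stored: dict):
    """Like decrypt_object but returns None instead of raising on failure."""
    try:
        return decrypt_object(kms, stored)
    except ValueError:
        return None

if __name__ == "__main__":
    kms = ToyKms()
    cmk = kms.create_key()
    record = encrypt_object(kms, cmk, b"patient record 42")  # constructed sample data
    print(cmk, len(record["ciphertext"]), decrypt_object(kms, record))
```

Two properties worth checking against the benefits slide: each call to `encrypt_object` gets its own data key, so a leaked data key for one object does not decrypt another (`try_decrypt` with a mismatched key returns `None`), and nothing outside `ToyKms` ever holds the master key, which is the whole reason the only thing stored next to the ciphertext is the wrapped data key.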


AWS KMS Integration With Other AWS Services

The following services are integrated with AWS KMS to simplify data encryption:
 Amazon Elastic Block Store (EBS)
 Amazon Simple Storage Service (S3)
 Amazon RDS
 Amazon Redshift
 Amazon Elastic Transcoder
 Amazon WorkMail
 Amazon EMR


EBS Volume Encryption Using AWS KMS


[Diagram] 1. The Amazon EC2 host requests a volume key; AWS KMS generates a data key under the CMK, and the encrypted volume key is stored with the volume metadata. 2. The EC2 host receives the encrypted volume key. 3. The host requests AWS KMS to decrypt the encrypted volume key. 4. The host uses the volume key to decrypt/encrypt all data from/to the volume.

AWS CloudHSM

Protects your cryptographic keys using a dedicated, tamper-resistant Hardware Security Module (HSM).

Helps you comply with strict cryptographic key management requirements.

Designed to meet FIPS 140-2 and Common Criteria EAL4+ standards.


AWS CloudHSM vs AWS KMS

AWS CloudHSM                                   AWS KMS
Single-tenant HSM                              Multi-tenant AWS service
Customer-managed durability and availability   Highly available and durable key storage and management
Customer managed root of trust                 AWS managed root of trust
Broad third-party app support                  Broad support for AWS services
Symmetric and asymmetric options               Symmetric encryption only

Part 7

Encrypting Source and Output Data at Rest in Amazon S3


Source And Output Data At Rest In Amazon S3

Data stored in Amazon S3 is private by default and requires AWS credentials for access.
• Access to Amazon S3 can be over HTTP or HTTPS
• Amazon S3 logging allows auditing of access to all objects
• Amazon S3 supports access control lists and policies for every bucket, prefix (directory/folder), and object

Amazon S3 provides server-side encryption (AES-256) using AWS maintained keys or customer provided keys.
• AWS encryption keys are further encrypted with a rotating key

You can also encrypt data before storage in Amazon S3 (client-side encryption).


AWS Server-Side Encryption

[Diagram] Your applications in your data center and your applications on Amazon EC2 send data over HTTPS to AWS storage services (Amazon S3, Amazon Glacier, RDS for Oracle, RDS for MS-SQL). With Amazon S3, encryption is an optional step. With Amazon Glacier, data is encrypted by default. With Amazon RDS for Oracle and MS-SQL, use a feature specific to those databases (Transparent Data Encryption).


Amazon RDS Security Groups

Control traffic in and out of a DB instance.

No network access by default.

Three types:
 DB security groups
Control access to a DB instance that is not in a VPC.
 VPC security groups
Control access to a DB instance inside a VPC.
 EC2 security groups
Control access to EC2 instances.


Amazon RDS Security Groups

[Diagram: a DB instance not in a VPC. EC2 security groups control access to the EC2 instances, and a DB security group controls access to the DB instance.]


Amazon RDS Security Groups

[Diagram: a DB instance in a VPC. An EC2 security group controls access to the EC2 instances, and a VPC security group controls access to the DB instance.]


Encrypting Amazon RDS Connections

You are responsible for encryption of your data in-transit.

Use SSL/TLS to encrypt connections between applications and DB Instances.

Configure your DB instance to accept only encrypted connections.

Encryption of data connections helps meet compliance standards.


Encrypting Amazon RDS Resources

You are responsible for encrypting your data at-rest.

Use the encryption option to encrypt data at rest:
• Underlying storage for the instance, its backups, logs, Read Replicas, and snapshots.
• Uses AES-256 encryption algorithm.

Encrypting data-at-rest helps meet compliance standards.

Automatic handling of authentication and decryption.

Supports TDE for Oracle and SQL Server DB instances.

Use AWS Key Management Service to manage keys.

Part 8

Authentication


AWS Directory Service

AWS Directory Service is a managed service to:
• Run Microsoft AD as a managed service within AWS Directory Service
• Connect your AWS resources with an existing on-premises Microsoft Active Directory (AD Connector)
• Set up a new, stand-alone directory in the AWS Cloud (Simple AD)

AWS Directory Service allows use of existing corporate credentials for:
• Accessing AWS services (e.g. Amazon WorkSpaces and Amazon WorkDocs)
• Accessing the AWS Management Console through IAM Roles

Options:
• Run Microsoft AD as a managed service within AWS Directory Service
• Use AD Connector
• Use Simple AD


AWS Directory Service

AWS Directory Service is a managed service that allows use of existing corporate credentials.

Options:
• Run Microsoft AD as a managed service within AWS Directory Service
  • Powered by Windows Server 2012 R2
  • Created as a highly available pair of domain controllers connected to your VPC
• Use AD Connector
  • Connect to your on-premises Active Directory via VPC VPN connection or AWS Direct Connect
  • Users access AWS applications with existing credentials
  • Integrate with existing RADIUS-based MFA solutions
• Use Simple AD


AWS Security Token Service (STS)

STS is a lightweight web service that enables you to request temporary, limited-privilege
credentials for IAM users or for users that you authenticate (federated users).

Allow a trusted entity to assume a role by calling the AssumeRole APIs of STS.

To view the security credentials of a running Amazon EC2 instance, use the following Instance Metadata Service (IMDS) URL:
http://169.254.169.254/latest/meta-data/iam/security-credentials/


Federated Users

Authenticate users to your own identity store:

You write an “identity broker application.”

Users authenticate to your identity broker.

Your identity broker provisions temporary credentials via STS.

Single Sign-On (SSO): Temporary credentials can be used to sign users directly into the AWS Management Console.


Use Case: STS Identity Broker

[Diagram: Customer (Identity Provider) and AWS Cloud (Relying Provider). 1. The user accesses the identity broker application. 2. The broker authenticates the user against the corporate identity store. 3. The broker gets temporary security credentials from AWS STS. 4. The user is redirected to the AWS Management Console, or the application uses the credentials to access AWS APIs and services.]

SSO Federation Using SAML

Amazon STS supports SAML 2.0.

Benefits:
• Open standards
• Quicker and easier to implement federation
• Leverage existing identity management software to manage access to AWS resources
• No coding required

AWS Management Console SSO:
• IdP-initiated web SSO via SAML 2.0 using the HTTP-POST binding (web SSO profile)
• New sign-in URL that greatly simplifies SSO (the SAML AuthN response is posted to it):
  https://signin.aws.amazon.com/saml
• API federation using the new AssumeRoleWithSAML operation


SSO Federation Using SAML


[Diagram: Enterprise (Identity Provider) in the corporate data center and AWS (Service Provider). 1. The user logs in to the portal through the browser interface. 2. The portal authenticates the user against the identity store. 3. The browser receives the response (SAML assertion). 4. The browser posts the SAML assertion to the AWS sign-in endpoint. 5. The user is redirected to the AWS Management Console.]

Web Identity Federation

Use the STS API AssumeRoleWithWebIdentity
• Lets you request temporary security credentials to access AWS resources.

Supported web identity providers:
• Amazon
• Google
• Facebook

A mobile app can be developed without server-side code and without distributing long-
term credentials with the mobile app.


Use Case: Web Identity Federation

[Diagram: Web Identity Federation. 1. The app authenticates the user with the web identity provider. 2. The app presents the provider's token to AWS STS for authorization and receives temporary credentials. 3. The app uses those credentials to access AWS services.]
In review…
Security Pillar Overview
Principles of the Security Pillar & Key Services
Preventing Common Security Exploits
Securing & Encrypting Data
Securing Data At Rest on S3
Authentication

Knowledge Assessment

Up Next…

CCA 3.09 Worksheet - Improve This Architecture Exercise

CCA 3.10 - Well-Architected Pillar 2: Reliability


This work may not be reproduced or redistributed, in whole or in part, without prior written permission
from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited.

Errors or corrections? Email us at [email protected].


For all other questions, contact us at https://aws.amazon.com/contact-us/aws-training/.

All trademarks are the property of their owners.
