(SEC302) Delegating Access to Your AWS Environment | AWS re:Invent 2014

"Effect":"Allow",

"Principal":{

"AWS":"arn:aws:iam::1111"

"Action":"sts:AssumeRole"

"Effect":"Allow",

"Action":"s3:ListBucket",

"Resource":"*"

Session

Access Key ID

Secret Access Key

Expiration

Session Token

AWS Account

Instances Table

Your AWS Account

Another AWS Account

1Authenticate with

“Demo” user’s access

Construct sign-in URL using

the temporary security

credentials to access the

AWS Management Console

Assume the

“CrossAccount” role to get

temporary

security credentials

Script

“CrossAccount” Role

Trusts: PM Team AWS Account

Grants: EC2 full and IAM read-only

Uses External ID

IAM/STS

My AWS Account

“Demo” IAM User

Can assume the

“CrossAccount” role

IAM/STS

PM Team AWS Account

Partner’s AWS Account

Instances Table

External ID

Your AWS Account

"Effect": "Allow",

"Principal": {"AWS": "arn:aws:iam::EXAMPLE-CORP-ACCOUNT-ID"},

"Action": "sts:AssumeRole",

"Condition": {

"StringEquals": {

"sts:ExternalId": "ID-ISSUED-BY-EXAMPLE-CORP"

Partner’s AWS Account

Customer A’s AWS Account

Customer B’s AWS Account

Role A

Trusts: Partner account

Role B

Trusts: Partner account

1 Use role B

2 Assume role B

3 Show customer

B’s resources

Only if External ID =

Customer A’s external ID

Only if External ID =

Customer B’s external ID

Pass customer’s external

ID while assuming role

“TrendMicro” Role

Trusts: Trend Micro AWS Account

Grants: Few EC2, ELB, Route53 actions

IAM/STS

My AWS Account1Authenticate using

access keys of IAM user

in Trend Micro’s AWS

account

Call AWS APIs using the

temporary security

credentials

Assume the role to get

temporary security

credentials

Route 53Amazon EC2 Elastic Load

Balancing

Trend Micro Deep Security for Web Apps

Instances Table

Your AWS Account

AWS Service’s AWS Account

Instances Table

RoleInstance

Your AWS Account

EC2 Service’s AWS Account

Amazon

DynamoDB

Role: Allow Amazon S3

access but nothing else

Amazon EC2 Instance

Please give us your feedback on this session.

Complete session evaluations and earn re:Invent swag.

http://bit.ly/awsevals

(SEC302) Delegating Access to Your AWS Environment | AWS re:Invent 2014

Technology

From Delegating to Empowering

Delegating Computations with (almost) Minimal Time and Space …people.csail.mit.edu/holmgren/papers/fastns.pdf · 2018. 11. 9. · Delegating Computations with (almost) Minimal Time

Introduction to Delegating Effectively

Facilitating Scientific Collaborations by Delegating Identity Management

Delegating Powers: A Transaction Cost Politics, …eduart0.tripod.com/.../sitebuilderfiles/book_delegatingpowers_423f.pdf · Delegating Powers: A Transaction Cost Politics Approach

AD Delegating Control of Group Membership

Michigan Law Review Delegating Tax

The 2nd Most Powerful Time Management Tool: Delegating

4 steps to delegating to a Virtual Assistant

Delegating, Outsourcing & Hiring For Growth - Splashaccelerate3.splashthat.com/img/events/34705/assets/... · “Delegating, Outsourcing & Hiring For Growth” How To Find Super Stars

7TG Delegating to Volunteers

Delegating Skills

Delegating user tasks in applications

12UN19 Successful Planning, Organising Delegatingaztechtraining.com/.../07/Successful-Planning-Organising-Delegating.… · Organising & Delegating Enhance Planning Skills, anage

Delegating in communicatio skill and interpersonal skills

SITUATIONAL LEADERSHIP • DELEGATING • COACHING • DISCIPLINE · · 2012-01-04Situational Leadership Delegating Coaching Discipline TIME 3 hr. 3 hr. 3 hr. ... b. Strategies

Delegating Training for Supervisors. ©SHRM 20082 Introduction “Delegating work works, provided the one delegating works, too.” Robert Half, American Businessman

Mastering Access Control Policies (SEC302) | AWS re:Invent 2013

SITUATIONAL LEADERSHIP • DELEGATING • COACHING • … SD/Training/Officer- Leadership/NFA/NFA Leadershi… · • delegating • coaching • discipline federal emergency management

Barkow- Delegating Sentencing