Modern organizations that depend on SaaS have increasingly adopted identity providers and single sign-on (SSO) to federate authentication back to their home directory services. Most SSO products support SAML or OAuth, and a growing number of SaaS companies are joining in to eliminate the liability of storing customer password hashes. Although SSO-integrated SaaS covers the majority of use cases, such as web console login, there are still services that require access with a username and password. For many startups, and a growing number of enterprises, Amazon Web Services (AWS) replaces the data center and all of the infrastructure an organization would traditionally control. Everything from networking to data storage is now managed as a service, including authorization to those resources, through a web portal or API call. Many organizations use AWS Identity and Access Management (IAM) to manage access for users and service accounts. IAM is incredibly flexible and allows granular controls, but, as the next section shows, it is not without flaws.
Some scary thoughts about AWS credentials
In the past year or so, there have been a number of articles, blog posts and talks about compromised AWS credentials wreaking havoc. For example, last year Code Spaces was breached: its service was disrupted and the vast majority of its AWS-hosted infrastructure was permanently wiped out. Code Spaces is no longer in business because its AWS IAM credentials were compromised. AWS/SSO federation might have saved them. Even in a federated AWS/SSO environment where accounts are protected with 2FA, there are limitations. Many engineers and developers issue long-lived IAM access keys to supplement the access that AWS roles provide to nodes, and those static keys sit outside the SSO and 2FA controls. Implementing this mechanism carries risk and becomes complex at scale. A much stronger way to mitigate this risk is to use the AWS Security Token Service (STS), which issues short-lived, automatically expiring credentials in place of static keys. Amazon provides use cases here. On Monday, April 20, I'll discuss how to federate the AWS CLI using AWS STS and an identity provider at BSidesSF. If you're in San Francisco, be sure to drop by.
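To make the STS federation flow concrete, here is an added Python example (not the author's BSidesSF material, and not AWS or boto3 code) of the three steps a federated CLI login performs: parse the SAML assertion the identity provider returns after SSO and 2FA, exchange it with STS for temporary credentials via AssumeRoleWithSAML, and store those expiring credentials as a named AWS CLI profile instead of a static IAM key. The SAML response, the account ID 123456789012, the role and provider ARNs, the profile name and the file path are all constructed placeholders. The STS call itself is the real boto3 API but needs network access, so it is deferred and left as a commented call; the parsing and profile-writing helpers run offline.

```python
"""Federating the AWS CLI through STS with a SAML identity provider.

Hypothetical example added to this article. All ARNs, the account ID,
the SAML response and the profile name are constructed placeholders.
"""
import base64
import configparser
import os
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed SAML response of the shape an IdP posts back after SSO + 2FA.
# Real responses are signed; AWS validates the signature, this code does not.
CONSTRUCTED_SAML_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/cli-readonly,arn:aws:iam::123456789012:saml-provider/corp-idp</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/corp-idp,arn:aws:iam::123456789012:role/cli-admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
CONSTRUCTED_SAML_B64 = base64.b64encode(CONSTRUCTED_SAML_XML.encode()).decode()


def parse_saml_roles(saml_b64):
    """Return [(role_arn, principal_arn), ...] from a base64 SAML response.

    AWS accepts each Role value as "role,provider" or "provider,role", so the
    pair is normalized by ARN type rather than by position.
    """
    root = ET.fromstring(base64.b64decode(saml_b64))
    pairs = []
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = [p for p in parts if ":role/" in p]
            principal = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(role) != 1 or len(principal) != 1:
                raise ValueError("malformed Role attribute: %r" % value.text)
            pairs.append((role[0], principal[0]))
    if not pairs:
        raise ValueError("SAML response carries no AWS Role attribute")
    return pairs


def assume_role_with_saml(role_arn, principal_arn, saml_b64, duration=3600):
    """Exchange the IdP assertion for temporary credentials via STS.

    AssumeRoleWithSAML is an unsigned call: no static IAM key is needed.
    boto3 is imported lazily so the offline helpers work without it.
    """
    import boto3
    sts = boto3.client("sts")
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=principal_arn,
        SAMLAssertion=saml_b64,
        DurationSeconds=duration,
    )
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


def write_cli_profile(creds, profile, path):
    """Store temporary credentials as a named AWS CLI profile.

    Unlike a static IAM key, the session token expires on its own, so a
    leaked credentials file has a bounded lifetime.
    """
    config = configparser.ConfigParser()
    config.read(path)
    if not config.has_section(profile):
        config.add_section(profile)
    config.set(profile, "aws_access_key_id", creds["AccessKeyId"])
    config.set(profile, "aws_secret_access_key", creds["SecretAccessKey"])
    config.set(profile, "aws_session_token", creds["SessionToken"])
    config.set(profile, "expiration", str(creds["Expiration"]))
    directory = os.path.dirname(path)
    if directory:
        os.makedirs(directory, exist_ok=True)
    with open(path, "w") as fh:
        config.write(fh)
    os.chmod(path, 0o600)  # credentials file readable by the owner only
    return dict(config.items(profile))


if __name__ == "__main__":
    roles = parse_saml_roles(CONSTRUCTED_SAML_B64)
    for i, (role, principal) in enumerate(roles):
        print("[%d] %s (via %s)" % (i, role, principal))
    role_arn, principal_arn = roles[0]
    # Live exchange (needs network, boto3 and a real IdP assertion):
    # creds = assume_role_with_saml(role_arn, principal_arn, CONSTRUCTED_SAML_B64)
    # write_cli_profile(creds, "saml", os.path.expanduser("~/.aws/credentials"))
```

Once the profile is written, `aws --profile saml s3 ls` uses the temporary credentials and fails cleanly after they expire, at which point the user goes back through the IdP (and its 2FA) rather than reaching for a static key. The role selection step is where policy lives: the IdP, not the engineer, decides which role ARNs appear in the assertion.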
About the Author: Paul Moreno is the Security Team Lead at Pinterest, a visual bookmarking tool for saving and discovering creative ideas. At Pinterest, Paul has spent his tenure establishing the Security Engineering foundation and assembling a core security team. As a recognized technology generalist with extensive experience working for startups and public companies, Paul delivers data-driven solutions for modern cloud security threats. Prior to joining Pinterest, Paul was an early employee at ngmoco:), a breakthrough mobile gaming company acquired for $300 million in October 2010. He’s been invited to participate on multiple customer advisory boards, including Digicert and OpenDNS. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.