1 00:00:06,674 --> 00:00:09,385 - Alright, so let's take a look at federated users 2 00:00:09,385 --> 00:00:10,302 within AWS. 3 00:00:12,127 --> 00:00:15,247 In small organizations, when you have two or three, 4 00:00:15,247 --> 00:00:18,334 maybe even a dozen users within your organization, 5 00:00:18,334 --> 00:00:20,900 people that are actually using AWS, 6 00:00:20,900 --> 00:00:23,254 creating and managing resources, 7 00:00:23,254 --> 00:00:26,042 then it's really easy to just go in and create users 8 00:00:26,042 --> 00:00:28,475 directly within the AWS identity 9 00:00:28,475 --> 00:00:30,469 and access management service. 10 00:00:30,469 --> 00:00:32,347 But in larger organizations, 11 00:00:32,347 --> 00:00:36,015 where you have potentially dozens or hundreds or thousands 12 00:00:36,015 --> 00:00:39,924 of employees all needing access to AWS, 13 00:00:39,924 --> 00:00:42,406 it becomes really difficult and challenging 14 00:00:42,406 --> 00:00:46,889 to manage those accounts, both on the corporate side, 15 00:00:46,889 --> 00:00:49,604 in your own directory and in a separate directory 16 00:00:49,604 --> 00:00:53,083 within AWS, and that's exactly what we don't want to do. 17 00:00:53,083 --> 00:00:55,839 In those particular situations, we want to leverage 18 00:00:55,839 --> 00:00:57,895 federated users. 19 00:00:57,895 --> 00:00:59,227 In large organizations 20 00:00:59,227 --> 00:01:01,727 where you have your existing directory, 21 00:01:01,727 --> 00:01:04,650 perhaps you're using LDAP or Active Directory, 22 00:01:04,650 --> 00:01:07,215 you already have a directory of users, 23 00:01:07,215 --> 00:01:10,280 you already know who they are. 24 00:01:10,280 --> 00:01:14,817 You can also determine what they're allowed to do 25 00:01:14,817 --> 00:01:17,960 by using roles, as we've talked about. 26 00:01:17,960 --> 00:01:21,607 So, federated users means that you are taking someone 27 00:01:21,607 --> 00:01:25,818 who you already know and giving them temporary access 28 00:01:25,818 --> 00:01:29,516 into AWS based on temporary credentials. 29 00:01:29,516 --> 00:01:33,642 So, by doing this, we can create a single sign-on service, 30 00:01:33,642 --> 00:01:35,469 where they sign in to one place, 31 00:01:35,469 --> 00:01:37,289 such as your corporate network, 32 00:01:37,289 --> 00:01:39,461 and then through that initial sign on, 33 00:01:39,461 --> 00:01:42,044 they then have access into AWS. 34 00:01:42,951 --> 00:01:45,076 We also have the ability to federate 35 00:01:45,076 --> 00:01:47,554 web and mobile application users. 36 00:01:47,554 --> 00:01:50,819 So, in the cases where we have a mobile application, 37 00:01:50,819 --> 00:01:54,365 and that mobile application needs access to Amazon services, 38 00:01:54,365 --> 00:01:57,448 such as Amazon S3 or Amazon DynamoDB, 39 00:01:58,368 --> 00:02:00,915 then it's possible to federate millions 40 00:02:00,915 --> 00:02:03,435 of mobile application users. 41 00:02:03,435 --> 00:02:07,542 And through that, give them temporary credentials, 42 00:02:07,542 --> 00:02:11,709 allow them to directly upload and download to Amazon S3. 43 00:02:12,604 --> 00:02:15,254 And by doing that, we could potentially 44 00:02:15,254 --> 00:02:18,938 even completely bypass a backend APIs and proxies 45 00:02:18,938 --> 00:02:21,226 and allow those mobile applications 46 00:02:21,226 --> 00:02:23,809 to go directly to AWS services. 47 00:02:25,296 --> 00:02:28,584 So, let's take a look at a federated user's example. 48 00:02:28,584 --> 00:02:31,766 Here, what we're talking about is authenticating 49 00:02:31,766 --> 00:02:36,136 our corporate users against an existing directory. 50 00:02:36,136 --> 00:02:39,181 In this case, it could be again LDAP, 51 00:02:39,181 --> 00:02:42,504 it could be Active Directory, it could just be a data base, 52 00:02:42,504 --> 00:02:45,681 a custom application looking to a database. 53 00:02:45,681 --> 00:02:48,486 So, our users authenticate to our on-premises 54 00:02:48,486 --> 00:02:49,745 identity broker. 55 00:02:49,745 --> 00:02:52,829 That could be some custom application, an intranet, 56 00:02:52,829 --> 00:02:54,205 whatever it is, 57 00:02:54,205 --> 00:02:57,243 we're looking for their credentials, 58 00:02:57,243 --> 00:03:00,175 and then we're going to authenticate them 59 00:03:00,175 --> 00:03:03,714 against our directory, now we know who they are. 60 00:03:03,714 --> 00:03:07,416 And part of that directory here says 61 00:03:07,416 --> 00:03:11,453 that this particular user, at the time that they log on, 62 00:03:11,453 --> 00:03:13,120 needs access to AWS. 63 00:03:14,156 --> 00:03:17,722 And so once it sees that, our identity broker will then 64 00:03:17,722 --> 00:03:21,889 come over to make a call to the AWS security token service, 65 00:03:22,908 --> 00:03:26,821 and pass in certain information such as the name of a role 66 00:03:26,821 --> 00:03:29,438 that we want that user to assume 67 00:03:29,438 --> 00:03:32,732 or we could also just pass in SAML, 68 00:03:32,732 --> 00:03:35,576 we could pass in a policy directly. 69 00:03:35,576 --> 00:03:37,456 And then the security token service will 70 00:03:37,456 --> 00:03:40,414 return again temporary credentials. 71 00:03:40,414 --> 00:03:43,208 We can control the lifespan of those credentials, 72 00:03:43,208 --> 00:03:46,338 they default to 15 minutes but we could push that out, 73 00:03:46,338 --> 00:03:49,463 up to 36 hours. 74 00:03:49,463 --> 00:03:51,877 Once we return those credentials, 75 00:03:51,877 --> 00:03:53,601 we can do one of two things. 76 00:03:53,601 --> 00:03:56,894 We can either just display those credentials here 77 00:03:56,894 --> 00:04:00,936 to the user so that they can use them in their command line 78 00:04:00,936 --> 00:04:02,630 as environment variables, 79 00:04:02,630 --> 00:04:05,981 they can place them into the STK for local development, 80 00:04:05,981 --> 00:04:09,989 or if they're just doing things within the AWS console, 81 00:04:09,989 --> 00:04:12,979 we could just simply redirect their browser 82 00:04:12,979 --> 00:04:17,150 to the AWS Console and have them already signed in 83 00:04:17,150 --> 00:04:19,317 and start work right away. 84 00:04:20,813 --> 00:04:24,210 So again, this is an example of federated users 85 00:04:24,210 --> 00:04:27,404 leveraging an existing directory. 86 00:04:27,404 --> 00:04:29,666 This is really powerful and useful 87 00:04:29,666 --> 00:04:33,421 when you have existing users, dozens, hundreds, thousands 88 00:04:33,421 --> 00:04:37,135 of existing users who need access into AWS 89 00:04:37,135 --> 00:04:40,257 and you don't want to recreate their accounts 90 00:04:40,257 --> 00:04:42,174 in a separate location.