Amazon AWS is at the heart of many of our customers workloads. Last year I started a series of tech blogs to discuss how to leverage Centrify's product portfolio to secure your AWS assets.
This year, I've had the opportunity to review the AWS Security Best Practices document and in this new series we'll provide guidance on how to implement controls to meet or exceed the Shared Responsibility Model.
About the Shared Responsibility Model
The concept is very straightforward. Amazon AWS will implement controls to provide assurance for confidentiality (e.g. encryption at rest and in transit), integrity (transaction trust), availability (redundancy of hardware, power, etc), however, depending on your business requirements, you may need to add additional controls to increase your security posture or to provide assurances to your customers beyond what's offered by AWS.
Amazon AWS Defines a "Shared Responsibility" model that has the following scope
- Infrastructure Services: Controls that apply to IaaS services like EC2, VPCs and Block Storage.
- Container Services: Controls that apply to PaaS servides like RDS Database, EMR MapReduce or Elastic Beanstalk
- Abstracted Services: Controls that apply to Services like S3 Storage, SES SMTP, etc.
In this article we'll focus on how to use Centrify Privilege Service to secure access to Windows AMIs.
The Challenge: Extend Existing Enterprise Identity and Access Management in Public Clouds
In a previous entry of this series, we discussed the additional controls that can be implemented on top of Amazon's IAM and cryptography-based controls. However, organizations may already have capabilities for Centralized Identity which is at the heart of strong access controls. This may mean that organizations need to find ways to extend this infrastructure out to public clouds like Amazon. This may imply:
- Re-creation of infrastructure (e.g. standing-up Active Directory or LDAP-like infrastructure)
- Network extension (e.g. treating the public cloud like a branch by implementing site-to-site VPNs)
- Capability duplication (e.g. implementing software and services in AWS)
In this article we'll discuss how organizations can leverage Centrify Privilege Service and the new Linux Agent (Identity Broker) to secure Linux instances and extend Enterprise Identity out to public clouds without the need of the additional overhead.
Centrify Privilege Service
Privilege Service is Centrify's answer to the traditional "password-driven" use cases (the industry refers as Shared Account Password Management, Privilege Session Management, etc); however unlike other solutions, there are several capabilities areas that set it apart from the traditional "Password Vault"
- Flexible deployment: Both as SaaS and On Premises (in fact, it was designed as a SaaS solution first)
- Identity Sourcing and Federation built-in (includes Identity Service, this means support for AD, LDAP, Google and others plus simplified SAML-based federation and 3K+ ready web and mobile apps)
- Policy, Workflow and MFA Engine: Policies for time and geo-location, RBAC, step-up authentication and Multi-factor including Smartcard, plus a built-in access request system (+ServiceNow integration)
- Infrastructure Extensibility: Privilege Service can be extended to any network using a Windows-based Centrify Connector via web protocols.
New Linux Agent
The new Linux agent takes advantage of a capability called "Identity Broker" this allows the bridging of identities known to Centrify Privilege Service; this is done via the Centrify connector. This means that the overhead of duplicating enterprise identity infrastructure or extending the enterprise to the public network can be avoided in this particular use case; all that is required is to deploy a Centrify connector wherever you want to extend Password-related services and Linux authentication. Let's show an illustration.
Company X needs to provide identity-based reporting and attestation of who has access to their public cloud EC2 instances in AWS; their primary identity source is AD. They could have used any model (independent forest, one-way trust + site2site VPN or RODC) to extend AD to AWS or they could have deployed Amazon IAM roles and used SSH keys; but any of these models implied additional overhead. With CPS and Identity Broker, all they did is this:
With this model, CompanyX not only can accomodate their corporate IT users, but external entities as well. And as we discussed before, password, session and additional services are consolidated as well, both on premises and on any public cloud. Plus
- No need to deploy "jumpboxes" to the private clouds (limits exposure)
- Shared account passwords for local accounts (Linux, Windows) or databases (like Amazon RDS) can be controlled
- Access Request provides the assurance of "documented approvals" to sensitive systems
- Deploy MFA or access only from the OnPrem network as additional controls.
This topic was covered in this post.
The client architecture is using UNIX frameworks like Name Service Switch (Identity) and Pluggable Authentication Modules (Auth). It also supports offline login as well as direct or proxy-based user/password or OAUTH-based enrollment codes (very useful for automation). This client implements the CLI tookit for setting, retrieving or deleting credentials under management.
Following on the legacy of Server Suite, the new agent generates identity like DirectControl in workstation mode.
Login - user's short name (must use the fully-qualified name the first time)
UID - auto-generated based on the GUID
Primary group - auto-private (same as UID)
GECOS - the display name in Centrify Identity Service
Home/Shell - configurable in the Settings tab.
Since most public clouds don't need legacy identity (for services like NFS), this makes the client very lightweight.
There's an implied expectation of DevOps "friendliness" when a private or public cloud solution is implemented. The new Linux agent leverages enrollment codes for this capability.
Centrify provides a sample AWS script that can be used with enrollment codes in the User Data field or with any other framework like OpsWorks (see github)
Privilege Service can accomodate several identities, including:
Note that it can accommodate identities from Active Directories without any trust relationships.
These identities can be aggregated using Identity Service Roles:
Roles, in turn can be assigned the AgentAuth privilege on a Linux Resource:
As you can see the model works like this:
Users or groups from Identity Sources are added to CIS Roles that are granted the AgentAuth right in CPS.
- cinfo – obtain information about the agent
- cenroll – enroll the identity platform and enable features
- cunenroll – leave the platform and optionally delete resource and any managed accounts
- cflush – flush the local cache
- csetaccount – add a managed account for the resource
- cgetaccount – obtain a managed account’s password
- cdelaccount - delete a managed account's password
To test-drive the new Linux agent and to see how it can secure your public-cloud Linux instances, request a CPS trial today: https://www.centrify.com/free-trial/privilege-service-form/
AWS Shared Responsibility - Securing the Amazon Account
AWS Shared Responsibility - Securing Windows AMIs with Centrify Windows MFA
AWS Shared Responsibility - Securing Amazon RDS Instances