Jon Lehtinen - Implementing Identity Management on AWS

A real-world guide to solving customer and workforce IAM challenges in your AWS cloud environments

Jon Lehtinen

BIRMINGHAMMUMBAI

Copyright 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Wilson Dsouza

Publishing Product Manager: Yogesh Deokar

Senior Editor: Athikho Sapuni Rishana

Content Development Editor: Sayali Pingale

Technical Editor: Sarvesh Jaywant

Copy Editor: Safis Editing

Project Coordinator: Neil Dmello

Proofreader: Safis Editing

Indexer: Tejal Daruwale Soni

Production Designer: Alishon Mendonca

First published: August 2021

Production reference: 1120821

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

978-1-80056-228-8

www.packt.com

A big thank you to everyone who encouraged me to take this on, had to deal with me while I was doing it, and kept me going when major life events made me think that I had finally stretched myself too far. To my family, Aleeta, Calvin, Annabelle, and Syd, and to the Hombres, Hutch, Sean, Anthony, and Pat, I am dead serious when I say I could not have done this without you.

Jon Lehtinen

"Is it okay if I share your table?"

I first met Jon Lehtinen in Napa, California as we were both attending our first-ever Cloud Identity Summit. This simple meeting turned out to be one of the few key moments in my life when an act of pure serendipity caused my career to ricochet in a direction I could not have foreseen. An exchange of pleasantries turned into a couple of hours of conversation, an exchange of business cards, and me urging Jon to apply for one of the open positions on our IAM Operations team. Soon after, Jon packed up his family in Arizona and moved out to Virginia to join our team at GE's Information Security Technology Center.

Jon's guiding star has always been in designing his identity services to better serve the communities of developers and practitioners who consumed them. Early on, my role at GE was SSO service leader in charge of an engineering team tasked with aiding the business in integrating their applications with our IAM services. An important lesson I learned from Jon early on is that it's not enough to say that "the business is our customer." Jon has always known that the real customers were those that were building products around our services, administrators within those businesses, and the end users trying to get their work done. When I moved into a principal architect role, Jon was promoted into my old role and he quickly transformed it into one of servant leadership to support those communities. He established open office hours, built on the foundations of an online forum, and took all of the input from those communication streams to build a self-service portal where developers were expertly guided in the implementation of our IAM services in their applications in minutes and hours instead of days and weeks. Jon was truly the voice of the identity practitioners and their champion on the engineering side of the house.

Jon also wrote extensive developer and end user documentation on how the services worked, how to request them, and best practices for integrating them in different application scenarios. He continued to maintain that focus on the practitioner after leaving GE and moving on to roles at Thomson Reuters and at Okta, where today he is responsible for maximizing the value of their identity products through the internal utilization of those same services. It comes as no surprise to me that when Jon decided to make his foray into writing a book, he would choose to once again shine his light of expertise into a field that can be difficult to traverse, even for the most experienced users.

The Amazon Web Services (AWS) team deserves high praise for building such an extensive identity and access management service at the heart of AWS security. It gives developers and administrators the ability to control access by creating users and groups, designing centralized policies based on both RBAC and ABAC models, assigning those policies to specific populations, integrating existing users via federation, setting up additional controls such as multi-factor authentication, and numerous other features. Because AWS recognizes that identity services are the foundation of any security service, it offers the IAM services for free.

These services allow organizations to overcome the many security hurdles to cloud adoption but, even with Amazon's extensive documentation, the sheer number and granular nature of IAM services available can make that adoption difficult to navigate. The same wide array of authentication and authorization controls that make it possible to deploy highly secure environments using AWS can also frustrate administrators and security professionals alike.

In this book, Jon does what he has always done best: take the mystery out of a complicated service and provide practical guidance on and examples of its utilization. In the pages that follow, Jon provides a complete overview of IAM, shares details of each of the services, demonstrates the benefits of various combinations, and teaches you best practices on how to protect your AWS accounts. He will also guide you through the latest services and coach you through the configuration of important controls such as MFA.

Jon has once again provided me with knowledge and expert guidance on a service I still periodically struggle with. It's always rewarding, and comforting, to be shown the way by a professional who has been there before and has worked out the best avenue to success. I wish you well on your own journey, both through this book and on your successful path to securing your cloud workloads with AWS identity services.

Steve "Hutch" Hutchinson VP for Security Architecture, MUFG Board Member, IDPro

Jon Lehtinen has 16 years of enterprise identity and access management experience and specializes in both the strategy and execution of IAM transformation in global-scale organizations such as Thomson Reuters, General Electric, and Apollo Education Group. In addition to his work in the enterprise space, he has held positions on Ping Identity's Customer Advisory Board and as an advisor to identity verification start-up EvidentID. He currently owns the workforce and customer identity implementations at Okta.