I want to restrict access to a webpage on a AWS EC2 instance, to only company employees, which are spread all over the world. I have successfully whitelisted the UK offices, but i haven't for colleagues in Asia and Europe.
Rather than adding IP's daily, which also changes for the user, i want a system which can verify the employees. Poor design.
I was thinking of having a Cognito User Pool and Identify Pool. Or a VPN for user to login.
Have people had similar issues and how have they overcome them. Any advice will be appericated.
Amazon Cognito would be a perfect solution for this. You can scan the user's E-Mail in the Pre-Authentication Lambda Trigger, and based on the user's E-Mail ID and other login parameters, you could allow or deny the Authentication Event.
For more information on the Pre-Authentication Lambda Trigger and sample codes, I would recommend you to go through this official AWS documentation.
Related
Following is the documentation for AWS switch role -
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html
What is the equivalent of this available for Alibaba Cloud ?
The goal is to use something similar in Alibaba cloud so that the credentials obtained from the assumed role can be used to create / access resources in another account based on the permissions given to that role.
The AssumeRole functionality is available in Alibaba Cloud, Details can be accessed on AssumeRole
It could have solutions for cross account access. usually in two scenes
personal account, you could just create one RAM role for him. it could be faster.
company account, you could add different company account in your enterprises. they will be one of the member , then it is ok for cross access.
I have a .NET console application that performs operations on files. I would like to allow clients to give us access to their Google Drive accounts so we can read and write files. Our console application runs as a service so there is no way for the user to interact with it and authorize our access to their Google Drive account.
I was looking at using a Google Service Account for application level authentication until I learned that a Service Account does not have access to the Google Drive folder of the user that sets up the Service Account. This sort of defeats the purpose because it is the client's Google Drive account I am looking to gain access to.
I saw a workaround posted by SO member #pinoyyid posted in this SO answer where the refresh token can be generated using Google's Oauth2 Playground, but I am concerned that the refresh tokens could expire and user intervention would be needed again to generate another one.
Another response mentioned the solution was to create the Service Account and then share the user's Google Drive account with the Service Account.
What is the recommended approach by Google? How best to gain access to a Google Drive account while only requiring the owner to authenticate on a one-time basis, yet allowing them the ability to revoke access at any time?
Both Service Account and a stored OAuth Refresh Token are viable approaches. Each has its pros and cons.
A Service Account will work where your users only need to grant access to a specific folder which they can share to the SA. Be aware that any files the SA creates are owned by, and consume quota of, the SA. You can't "share the user's Drive account to the SA", you can only share individual folders.
Storing a RT is the more permissive option. You wouldn't use the OAuth playground as described in my answer that you referenced as that's far to clunky to ask users to go through. Instead you would need to write your own registration/authorisation service (you can use AppEngine, Lambda, etc - so it's not difficult to write and host).
Here is the scenario, I've an instance of Oracle Identity Manager (OIM). The instance stores all of my user profiles. Now, I'm writing few REST APIs, which should be authenticated using users present on OIM.
I'm also thinking of using AWS cognito to provide authentication flow. So, my questions are
Q. How can we connect Cognito & OIM?
Q. If no need of Cognito for this scenario, then how can we make use of OIM?
I've recently strated looking into both the tools. So, please spare me for some obvious questions.
I'm from the Cognito team, and Bruce0's suggestion is spot on. If you need to access AWS resources, you would set up a developer authenticated identity provider which could leverage this (or any other identity manager/provider).
They don't want to give me their Amazon username and password because it has their complete purchase history.
Is there anyway for them to authorize me as a user?
Amazon has AWS Identity and Access Management, that should help with what your asking. http://aws.amazon.com/iam/
It's easy enough to create new accounts on Amazon, and it's also reasonable to keep corporate and personal accounts separate for expense purposes. I'd recommend doing that for simplicity, but I understand that it could be a concern regarding potential misuse on the rest of the Amazon site.
The use of access keys (as suggested by #KristianGlass) may be adequate, as well, allowing you to create and kill instances, but not allowing you access to the main AWS console. Elasticfox also works with the EC2 keys, so you could use that as a surrogate for the console.
Depending on what you're looking for, they might just be able to create you an Access Key and have you use that.
If they look under "Security Credentials" in their Account page (this should be a link to it) they can easily "Create a new Access Key" (they will of course need to give you both the Access Key ID and the Secret Access Key).
To paraphrase Amazon's documentation about Access Keys, you can use them for making requests to REST or Query APIs - specifically this includes EC2.
Is it possible to have multiple users to manage an Amazon EC2 environment? I want to give access to several additional people to create machines on my existing billing account.
Amazon just announced AWS Identity and Access Management - http://aws.amazon.com/iam/
As of right now, it's in 'preview' mode, but this will allow you to have multiple AWS management accounts.
A few months ago Amazon announced Consolidated Billing. I never used it, but I think that is what you're looking for:
Consolidated Billing enables you to see a combined view of AWS costs incurred by all accounts in your department or company, as well as obtain a detailed cost report for each individual AWS account associated with your paying account. Consolidated Billing may also lower your overall costs since the rolled up usage across all of your accounts could help you reach lower-priced volume tiers more quickly.
Consolidated Billing Guide
This is absolutely possible using IAM service of AWS. With the help of IAM you can create users and give them specific permissions on various services of amazon.
You can try http://LabSlice.com. It's primarily for Virtual Lab Management (ie. playground environments), but may suit your needs.