AWS Concepts – Identity & Access Management

When we talk about Identity and Access Management (IAM), what do we really mean? For me, it boils down to who you are and what you are entitled to access.

Simple statement, but it does start to get rather complicated when you think about Identity Management.

If you think about your own organisation, what directory service does it use? Probably Active Directory Domain Services (AD DS). Think about how many years it has been fine tuned, with integration with third party solutions such as MFA, SSO and VPNs.

The list does truly go on and on. Most organisations will treat their on-premises Active Directory Domain Services (AD DS) as the one source of all truth for users, groups, permissions and passwords.

So the question is how does AWS deal with IAM?

What Is AWS IAM?

It is AWS's hyperscale web service that lets users and services share access to your AWS account. It uses an eventually consistent model, which in a nutshell means that changes you make are not immediately visible everywhere.

Users are authenticated and then authorised to use AWS services. To ease the management of individual users, groups are used. Policies are applied to groups which then dictate what the user or service can do.

Policies are JSON documents used to define the actions, effect, resources and conditions governing what can be invoked, for example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.168.1.0/24"
                }
            }
        }
    ]
}

When you create an IAM user, they can’t access anything until you give them permission.

It should be noted that actions or resources which are not explicitly allowed are denied by default.
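As an added illustration (not code from the original post), a minimal evaluator that applies the policy above using IAM's rules: nothing is allowed unless a statement allows it, and an explicit Deny always wins. It models only the IpAddress condition operator; the sample resource ARN used when calling it is a constructed value.

```python
import fnmatch
import ipaddress

# The policy from the text above, as a Python dict (constructed copy).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:DeleteObject"],
        "Resource": "*",
        "Condition": {"IpAddress": {"aws:SourceIp": "192.168.1.0/24"}},
    }],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    """Only the IpAddress operator is modelled; other operators are rejected."""
    for op, pairs in cond.items():
        if op != "IpAddress":
            raise NotImplementedError(op)
        for key, cidrs in pairs.items():
            ip = ctx.get(key)
            if ip is None:  # a missing context key never satisfies IpAddress
                return False
            nets = [ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs)]
            if not any(ipaddress.ip_address(ip) in n for n in nets):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny' using IAM's rules: default deny unless a
    statement allows the request, and an explicit Deny overrides any Allow."""
    decision = "Deny"
    for st in policy["Statement"]:
        actions = [a.lower() for a in _as_list(st["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```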

We also have IAM Roles, which are similar to users in that they are AWS identities with permissions (a JSON policy) that determine what the role can or can't do. It is important to note that IAM Roles don't have any passwords or long-term access credentials. Access keys are created dynamically and provided on a temporary basis. Typically they are used to delegate access to applications or services.

IAM Roles can also be used to give users enhanced privileges on a temporary basis, for example when a user requires occasional admin access to an S3 bucket.

To enable policies to be tested before you apply them into production, AWS have a handy policy simulator which can be found here.

Identity Federation

AWS IAM supports identity federation for delegated access to either the AWS Management Console or APIs. Federated users are created within your corporate directory outside of the AWS account.

These can be web identity providers such as Amazon, Facebook, Google or an OpenID Connect provider.

Within the enterprise world, we tend to see Active Directory Domain Services used in conjunction with Active Directory Federation Services. AWS integrates with this using Security Assertion Markup Language 2.0 (SAML 2.0) via the STS AssumeRoleWithSAML API.

A high level overview of the flow is shown below.

  1. User browses to a URL and is redirected to the AD FS sign in page
  2. User enters Active Directory credentials
  3. User authenticated by Active Directory Domain Services
  4. User's browser receives a SAML 2.0 assertion
  5. User browser posts the SAML 2.0 assertion to AWS STS
  6. AssumeRoleWithSAML requests temporary security credentials and constructs a sign in URL for the AWS Management Console
  7. User browser receives the sign in URL and is redirected to the AWS Management Console
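As an added example (not from the original post), a Python routine covering steps 5 and 6 from the relying party's side: it performs the basic checks made on the posted assertion (that it is addressed to the AWS sign in endpoint and has not expired) and turns the AWS Role attribute into the RoleArn, PrincipalArn and SAMLAssertion arguments that STS AssumeRoleWithSAML takes, without calling AWS. The assertion, account id and role/provider names are constructed placeholders, and the signature validation that STS itself performs is not modelled.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed, unsigned and trimmed assertion; the account id and names are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z"><saml:AudienceRestriction>
<saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-S3Admin,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

def assume_role_params(assertion_xml, now=None):
    """Check audience and expiry, then return the arguments for STS
    AssumeRoleWithSAML. Signature verification is STS's job and is
    deliberately not modelled here."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= expiry:
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall(".//saml:Audience", SAML_NS)]
    if AWS_AUDIENCE not in audiences:
        raise ValueError("assertion not addressed to AWS")
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == ROLE_ATTR:
            pair = attr.find("saml:AttributeValue", SAML_NS).text.split(",")
            break
    else:
        raise ValueError("no Role attribute in assertion")
    # AWS accepts the role and provider ARNs in either order; pick them by type.
    role = next(p for p in pair if ":role/" in p)
    provider = next(p for p in pair if ":saml-provider/" in p)
    return {
        "RoleArn": role,
        "PrincipalArn": provider,
        "SAMLAssertion": base64.b64encode(assertion_xml.encode()).decode(),
    }
```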

Single Sign On Cloud Applications

To provide easier integration with popular cloud applications such as Dropbox, Office365 and SalesForce, AWS provide single sign on (SSO) using SAML 2.0 via a configuration wizard.

Further information can be found here.

MultiFactor Authentication

AWS MFA provides an extra layer of security to reduce the overall risk of compromised credentials, by adding a secondary authentication step for Management Console and API users.

For the MFA device, you have a choice of three items:

  1. Virtual MFA Device
  2. Hardware Key
  3. Hardware Device

This link shows which form factors can be used across devices.

Final Thoughts

AWS IAM is a web scale directory that provides integration with on-premises directory services and cloud applications. Interestingly, this is a value-added service with no extra cost, which is a different approach from traditional licensing vendors.

My VCP5-DT Exam Experience

Disclaimer

Before I start this entry, I would like to point out that this isn’t for anyone who wants to know the answers to the exam questions as I won’t be disclosing any information about the content except for pointing you towards the VCP5-DT exam blueprint.

Interesting Stuff

I gave myself a personal objective on 19th December 2012 to learn, understand, deploy and troubleshoot a View environment, with a ‘View’ (pardon the pun) to passing the exam in February 2013.

View was completely new to me, as I explained in this blog post, however it was something that had been on my radar for quite a while. When it comes to learning a new subject, I have to confess I think I have a small case of OCD. When I get involved, I get involved with both feet, much to the annoyance of my ever understanding wife. This means I spend at least two hours every day reading, labbing, listening or blogging about View until I’m ready for the exam.

Everyone learns a subject differently, however I’m getting to an age now where I have a tried and tested formula which works for me:

  1. Read it (someone else’s material)
  2. Lab it (implement it)
  3. Blog it (write about it to reinforce learning)
  4. Watch it (computer based training)
  5. Build it (build it again but better than the first time round)

I think it’s a good idea to expand on this a little, with the resources that I used to take my View understanding from very little to a little bit more.

Resources

I cannot speak more highly of this book, it takes you from zero to hero and explains how all the View ‘cogs’ fit together.

This is a great View basics course, so you can see how the components fit together. I also listened to this whilst driving to client meetings to reinforce any items I had been labbing or didn’t really get from Barry’s and Mike’s book. The only downside I would say to this is that one of the presenters had either been working too hard or not sleeping enough, as they appeared to yawn quite a lot.

Great blog by Christoph Harding, which I found when I ‘googled’ View questions was a leading resource to either provide answers or point you in the right direction. I would highly recommend following the thatsmyview.net RSS Feed or on Twitter @cdommermuth

This is the numero uno site for anything View related (in my opinion) and goes into great technical detail.  Again if you are interested in View, follow myvirtualcloud.net RSS Feed or on Twitter @andreleibovic

Lab

Your lab is key for the VCP5-DT exam, you need to build it, break it, fix it and build it again.

The hardware in my lab can be found over here. A picture of my vCenter will probably speak a thousand words; it’s pretty straightforward really.

Infrastructure holds vCenter, DC and Veeam

View Infrastructure holds Connection Server, Security Server, Transfer Server and ThinApp Windows 7.

View LC Desktops are for Linked Clones Desktops

View LM Desktops are for Local Mode Desktops

Oh, before anyone asks, I have shares set on my Resource Groups.

View Lab

You will find yourself spending a lot of time in Active Directory if you really want to test out GPO’s and get the configuration just right. Below is my OU configuration, pretty straightforward, but it met all the requirements I had.

AD

You might say I went to town, as I ended up with 28 GPO’s!

GPO

One of the items I found particularly difficult to test was the Security Server, as I don’t have a static IP Address. I ended up registering for the no-ip.org service, which, if you have a compatible router, will update your DNS record automatically to your public IP Address. This then enabled me to VPN into my router and then alter the External IP Address in View Administrator.

Perhaps not the most elegant of solutions, but it worked!

VCP5-DT Exam

Once I have completed all of the study materials and feel that I know each exam objective, it’s time for the exam. I’m a morning person and therefore always book my exams first thing. For some reason my local exam centre stopped offering the VCP5-DT and I had to make a 40 mile trip, which isn’t always the most pleasant, but trying to work out where to park does take your mind off the exam.

I always approach exams the same way: I get to the examination centre around 30 minutes early, so you can go over the sign in process and hand over your valuables. I then make three signs on the plastic sheet you are given:

Tick – these are for questions I definitely know the answers to.

Question Mark – these are questions I’m 80% plus sure on

Cross – these are questions I’m making an educated guess on or generally haven’t got a clue about!

I try to aim for 30 seconds per question to give myself enough time to review questions at the end.  If I find I have spent over a minute on a question, I will mark it for review and then come back to it.  At the end of the exam, I only review questions I have marked for review not all of them.

The exam consisted of 85 questions over 90 minutes, which is a fairly tough time frame, but I’m pleased to say that I passed with a respectable 454/500.

VMware View – Objective 3.4 Configure Local Mode Use

Knowledge

  • Given a customer environment and requirements, apply compatible Local Mode pool settings

Bit of a broad title, but we can run down some of the Local Mode settings to ensure they meet what Mr Customer wants!

Local Mode

Local Mode Virtual Desktop

Bit of an obvious one, but you are going to need to configure either an Automated Full Clone, Linked Clone or Manual Clone.

Whatever your choice, make sure that your Virtual Machine Hardware version is 7. I have heard that version 8 now works, but I haven’t tested it yet.

Transfer Server

This has to be configured with a LSI Logic Parallel SCSI Controller, otherwise Local Mode no worky!

View Administrator

Numero uno has to be to enable Local Mode, which is under Policies > Global Policies.

Local Mode 2

We have a few other choices in here, they are:

User Initiated Rollback – Can the user go back to the View Desktop version and discard any offline changes?

Max Time Without Server Contact – How long is the desktop allowed to be offline? If it goes over this period you will get a warning stating you need to be like ET and call home.

Target Replication Frequency – How often does the View Agent try and connect back to home?

User Deferred Replication – Can the user choose to put off replication?

Disks Replicated – OS, Persistent or both?

User Initiated – Yay or nay

User Initiated Replication – Yay or nay

All of these settings can be applied at Pool level as well for extra diversification.

Interestingly enough, you can actually state in a Pool’s settings that the desktop can only be used offline, by choosing the following settings:

Local Mode 3

Group Policy

We have a number of Group Policy settings which can be found in the View Client ADM under either:

Computer Configuration > Administrative Templates > Classic Administrative Templates > VMware View Client Configuration

User Configuration > Administrative Templates > Classic Administrative Templates > VMware View Client Configuration

Default Exit Behavior For Local Mode Desktops – Do we want them to Suspend or Shutdown?

Delay The Start of Replications When Starting The View Client With Local Mode – How much time in seconds after you log in to View Client Local Mode before it tries to replicate?

Redirect SmartCard Readers in Local Mode – Can we use a Smart Card Reader in Local Mode?

Client Device

Hopefully it should go without saying that if you want to bring a View Desktop ‘offline’ then your physical hardware needs to have more RAM than the View Desktop.  Also you need to make sure you have enough free disk space to hold the Local Mode desktop.

Last thing to note is that Local Mode doesn’t work with dual monitors in the traditional sense. Instead it stretches your desktop across two screens.

VMware View – Objective 3.3 Configure Manual Pools

Knowledge

  • Identify pool settings
  • Identify desktop sources

In the blog post VMware View – Objective 3.1 Configure Automated Pools Using Linked Clones, we covered ‘identify pool settings’. So in this blog post, we will look explicitly at ‘identify desktop sources’.

Back into View Administrator > Inventory > Pools > Add

View Manual Pool 1

Select Manual Pool

Manual Pool 1

Select Dedicated as the User Assignment

Manual Pool 2

Ah ha, something different: we now have a choice of vCenter Virtual Machines, which is any VM you have created, or a Physical Computer you want to access remotely and let View broker the connection to.

I’m going to roll with vCenter Virtual Machines

Manual Pool 3

From this point forward, all the rest of the choices are exactly the same as with a Linked Clone or Full Automated Pool.  So thanks for reading!

VMware View – Objective 3.2 Configure Automated Pools Using Full Clones

Knowledge

  • Identify floating vs. dedicated assignments
  • Identify pool settings
  • Identify provisioning settings
  • Identify template
  • Identify vCenter Server resource settings
  • Identify guest customization settings

In my previous blog post VMware View – Objective 3.1 Configure Automated Pools Using Linked Clones, we covered pretty much all of the above points.

However, what’s the difference between a Linked Clone and a Full Clone? Well, a Full Clone is exactly the same as when we use a virtual machine as a template. vSphere creates a Full Clone of the VM, and then we run Sysprep against it to change the GUID, join it to the domain etc.

So I think we will run through the process of creating an Automated Full Clone Pool; however, I won’t explain all the knowledge points again, only the differences.

Back into View Administrator > Inventory > Pools > Add

View Manual Pool 1

Select Automated Pool and hit Next

View Linked Clones 2

We get the same question about Dedicated or Floating Assignment, a quick recap below.

Dedicated – This means when a user logs in, a desktop is assigned to them and this is the desktop they will always continue to use.

Floating – This means the user is not assigned a specific desktop; this is used in environments such as call centres where desktop personalisation is not a requirement.

This is the point where we choose ‘Full Virtual Machines’ and hit Next

View Manual Pool 4

Enter in your ID, Display Name and View Folder

View Manual Pool 5

We get the same choices for the Pool Settings

View Manual Pool 6

Again we get the same Provisioning Settings

View Manual Pool 7

This part is slightly different as we need to use a Template for our Automated Full Clones.  The rest however is the same.

View Manual Pool 8

I have enabled Host Caching, which is under View Configuration > Servers > vCenter Servers > Edit > Host Caching

Host Caching

Essentially Host Caching gives up some of the memory on the ESXi Hosts to help out with View Desktops during boot storms.

View Manual Pool 9

In Guest Customization select a Sysprep which you know works correctly, e.g. it joins Desktops to the domain.

View Manual Pool 10

There we go, job’s a good ‘un, our Automated Full Clone Pool is done. All that is left to do is Entitle Users.

View Manual Pool 11