Saturday, June 15, 2024
HomeCloud ComputingAWS analytics companies streamline consumer entry to information, permissions setting, and auditing

AWS analytics companies streamline consumer entry to information, permissions setting, and auditing

Voiced by Polly

I’m happy to announce a brand new use case primarily based on trusted id propagation, a just lately launched functionality of AWS IAM Identification Heart.

Tableau, a generally used enterprise intelligence (BI) utility, can now propagate end-user id right down to Amazon Redshift. This has a triple profit. It simplifies the sign-in expertise for finish customers. It permits information house owners to outline entry primarily based on actual end-user id. It permits auditors to confirm information entry by customers.

Trusted id propagation permits functions that eat information (reminiscent of Tableau, Amazon QuickSight, Amazon Redshift Question Editor, Amazon EMR Studio, and others) to propagate the consumer’s id and group memberships to the companies that retailer and handle entry to the information, reminiscent of Amazon Redshift, Amazon Athena, Amazon Easy Storage Service (Amazon S3), Amazon EMR, and others. Trusted id propagation is a functionality of IAM Identification Heart that improves the sign-in expertise throughout a number of analytics functions, simplifies information entry administration, and simplifies audit. Finish customers profit from single sign-on and wouldn’t have to specify the IAM roles they need to assume to hook up with the system.

Earlier than diving into extra particulars, let’s agree on terminology.

I exploit the time period “id suppliers” to check with the techniques that maintain consumer identities and group memberships. These are the techniques that immediate the consumer for credentials and carry out the authentication. For instance, Azure Listing, Okta, Ping Identification, and extra. Verify the total listing of id suppliers we help.

I exploit the time period “user-facing functions” to designate the functions that eat information, reminiscent of Tableau, Microsoft PowerBI, QuickSight, Amazon Redshift Question Editor, and others.

And at last, after I write “downstream companies”, I check with the analytics engines and storage companies that course of, retailer, or handle entry to your information: Amazon Redshift, Athena, S3, EMR, and others.

Trusted Identity Propagation - high-level diagram

To know the advantage of trusted id propagation, let’s briefly speak about how information entry was granted till right now. When a user-facing utility accesses information from a downstream service, both the upstream service makes use of generic credentials (reminiscent of “tableau_user“) or assumes an IAM position to authenticate in opposition to the downstream service. That is the supply of two challenges.

First, it makes it tough for the downstream service administrator to outline entry insurance policies which might be fine-tuned for the precise consumer making the request. As seen from the downstream service, all requests originate from that widespread consumer or IAM position. If Jeff and Jane are each mapped to the BusinessAnalytics IAM position, then it isn’t attainable to offer them completely different ranges of entry, for instance, readonly and read-write. Moreover, if Jeff can be within the Finance group, he wants to decide on a job during which to function; he can’t entry information from each teams in the identical session.

Secondly, the duty of associating a data-access occasion to an finish consumer includes some undifferentiated heavy lifting. If the request originates from an IAM position known as BusinessAnalytics, then extra work is required to determine which consumer was behind that motion.

Nicely, this specific instance would possibly look quite simple, however in actual life, organizations have a whole lot of customers and hundreds of teams to match to a whole lot of datasets. There was a chance for us to Invent and Simplify.

As soon as configured, the brand new trusted id propagation supplies a technical mechanism for user-facing functions to entry information on behalf of the particular consumer behind the keyboard. Realizing the precise consumer id presents three fundamental benefits.

First, it permits downstream service directors to create and handle entry insurance policies primarily based on precise consumer identities, the teams they belong to, or a mixture of the 2. Downstream service directors can now assign entry by way of customers, teams, and datasets. That is the best way most of our prospects naturally take into consideration entry to information—intermediate mappings to IAM roles are now not needed to attain these patterns.

Second, auditors now have entry to the authentic consumer id in system logs and may confirm that insurance policies are carried out accurately and comply with all necessities of the corporate or industry-level insurance policies.

Third, customers of BI functions can profit from single sign-on between functions. Your end-users now not want to know your organization’s AWS accounts and IAM roles. As a substitute, they will register to EMR Studio (for instance) utilizing their company single sign-on that they’re used to for therefore many different issues they do at work.

How does trusted id propagation work?
Trusted id propagation depends on customary mechanisms from our {industry}: OAuth2 and JWT. OAuth2 is an open customary for entry delegation that permits customers to grant third-party user-facing functions entry to information on different companies (downstream companies) with out exposing their credentials. JWT (JSON Net Token) is a compact, URL-safe technique of representing identities and claims to be transferred between two events. JWTs are signed, which implies their integrity and authenticity might be verified.

Learn how to configure trusted id propagation
Configuring trusted id propagation requires setup in IAM Identification Heart, on the user-facing utility, and on the downstream service as a result of every of those must be instructed to work with end-user identities. Though the particulars shall be completely different for every utility, they may all comply with this sample:

  1. Configure an id supply in AWS IAM Identification Heart. AWS recommends enabling automated provisioning in case your id supplier helps it, as most do. Automated provisioning works via the SCIM synchronization customary to synchronize your listing customers and teams into IAM Identification Heart. You most likely have configured this already in case you presently use IAM Identification Heart to federate your workforce into the AWS Administration Console. It is a one-time configuration, and also you don’t must repeat this step for every user-facing utility.
  2. Configure your user-facing utility to authenticate its customers together with your id supplier. For instance, configure Tableau to make use of Okta.
  3. Configure the connection between the user-facing utility and the downstream service. For instance, configure Tableau to entry Amazon Redshift. In some circumstances, it requires utilizing the ODBC or JDBC driver for Redshift.

Then comes the configuration particular to trusted id propagation. For instance, think about your group has developed a user-facing net utility that authenticates the customers together with your id supplier, and that you simply need to entry information in AWS on behalf of the present authenticated consumer. For this use case, you’d create a trusted token issuer in IAM Identification Heart. This highly effective new assemble offers you a option to map your utility’s authenticated customers to the customers in your IAM Identification Heart listing in order that it could actually make use of trusted id propagation. My colleague Becky wrote a weblog put up to indicate you develop such an utility. This extra configuration is required solely when utilizing third-party functions, reminiscent of Tableau, or a customer-developed utility, that authenticate exterior of AWS. When utilizing user-facing functions managed by AWS, reminiscent of Amazon QuickSight, no additional setup is required.

setup an external IdP to issue trusted token

Lastly, downstream service directors should configure the entry insurance policies primarily based on the consumer id and group memberships. The precise configuration varies from one downstream service to the opposite. If the appliance reads or writes information in Amazon S3, the information proprietor could use S3 Entry Grants within the Amazon S3 console to grant entry for customers and teams to prefixes in Amazon S3. If the appliance makes queries to an Amazon Redshift information warehouse, the information proprietor should configure IAM Identification Heart trusted connection within the Amazon Redshift console and match the viewers declare (aud) from the id supplier.

Now that you’ve got a high-level overview of the configuration, let’s dive into crucial half: the consumer expertise.

The tip-user expertise
Though the exact expertise of the tip consumer will clearly be completely different for various functions, in all circumstances, will probably be easier and extra acquainted to workforce customers than earlier than. The consumer interplay will start with a redirect-based authentication single sign-on movement that takes the consumer to their id supplier, the place they will register with credentials, multi-factor authentication, and so forth.

Let’s have a look at the small print of how an finish consumer would possibly work together with Okta and Tableau when trusted id propagation has been configured.

Right here is an illustration of the movement and the primary interactions between techniques and companies.

Trusted Identity Propagation flow

Right here’s the way it goes.

1. As a consumer, I try and register to Tableau.

2. Tableau initiates a browser-based movement and redirects to the Okta sign-in web page the place I can enter my sign-in credentials. On profitable authentication, Okta points an authentication token (ID and entry token) to Tableau.

3. Tableau initiates a JDBC reference to Amazon Redshift and contains the entry token within the connection request. The Amazon Redshift JDBC driver makes a name to Amazon Redshift. As a result of your Amazon Redshift administrator enabled IAM Identification Heart, Amazon Redshift forwards the entry token to IAM Identification Heart.

4. IAM Identification Heart verifies and validates the entry token and alternate the entry token for an Identification Heart issued token.

5. Amazon Redshift will resolve the Identification Heart token to find out the corresponding Identification Heart consumer and authorize entry to the useful resource. Upon profitable authorization, I can join from Tableau to Amazon Redshift.

As soon as authenticated, I can begin to use Tableau as normal.

Trusted Identity Propagation - Tableau usage

And after I connect with Amazon Redshift Question Editor, I can observe the sys_query_history desk to examine who was the consumer who made the question. It accurately stories awsidc:<electronic mail deal with>, the Okta electronic mail deal with I used after I related from Tableau.

Trusted Identity Propagation - audit in Redshift

You possibly can learn Tableau’s documentation for extra particulars about this configuration.

Pricing and availability
Trusted id propagation is offered at no extra price in the 26 AWS Areas the place AWS IAM Identification Heart is offered right now.

Listed below are extra particulars about trusted id propagation and downstream service configurations.

Pleased studying!

With trusted id propagation, now you can configure analytics techniques to propagate the precise consumer id, group membership, and attributes to AWS companies reminiscent of Amazon Redshift, Amazon Athena, or Amazon S3. It simplifies the administration of entry insurance policies on these companies. It additionally permits auditors to confirm your group’s compliance posture to know the true id of customers accessing information.

Get began now and configure your Tableau integration with Amazon Redshift.

— seb

PS: Writing a weblog put up at AWS is all the time a group effort, even whenever you see just one title beneath the put up title. On this case, I need to thank Eva Mineva, Laura Reith, and Roberto Migli for his or her much-appreciated assist in understanding the numerous subtleties and technical particulars of trusted id propagation.



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments