AWS身份威胁建模：从联合身份验证到资源访问.pdf

1、 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.S E C 3 3 5Threat modeling for AWS identity:From federation to resource accessMeg Peddada(She/Her)Senior Partner SAAWSAlex Waddell(He/Him)Senior Security Specialist

2、SAAWS 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.Answer these four questionsHow to threat model 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.What are we working on?What can go wrong?What are we going to do about it?Did we do a good enough job?Answer thes

3、e four questionsHow to threat model 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.Threat framework example:STRIDESpoofingTamperingRepudiationInformation disclosureDenial of serviceElevation of privilege 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.Threat st

4、atementA threat source with pre-requisites,can threat action,which leads to threat impact,resulting in goal of impacted assets.2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.Tooling at AWSThreat ComposerA simple open source and free to download threat modeling tool to help humans

5、 to reduce time-to-value when threat modelinghttps:/awslabs.github.io/threat-composer/2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.Scenario:User managing applicationResourcesAWS Identity and Access Management(IAM)Web browser/CLIUserAuthn/AuthZAWS CloudAWS VPCAWS accountIdentity

6、 ProviderAWS IAM Identity Center 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.AWS IAM Identity CenterData StoreData Flow&Trust Boundaries2User accesses the data storeData store validates credentialsExternal Identity Provider1IdP Group&User sync(SCIM)4User retrieves data from th