# AWS Integration Guide
This guide provides comprehensive information on integrating ZeroTrustKerberosLink with AWS services and infrastructure.
## Overview
ZeroTrustKerberosLink bridges your enterprise Kerberos authentication with AWS services, allowing users to access AWS resources using their existing Kerberos credentials while maintaining strong security controls.
## Prerequisites
Before integrating ZeroTrustKerberosLink with AWS, ensure you have:
- **AWS Account**: Active AWS account with administrative access
- **IAM Permissions**: Permissions to create IAM roles and policies
- **Networking**: Network connectivity between ZeroTrustKerberosLink and AWS services
- **Kerberos Infrastructure**: Properly configured Kerberos environment
## AWS IAM Configuration
### Service Role
Create an IAM role for ZeroTrustKerberosLink to assume AWS roles on behalf of users. Its permissions policy grants `sts:AssumeRole` only on roles whose ARNs match the `Resource` pattern, so that pattern must cover the names of the user roles you create below:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/ZeroTrustKerberos*"
    }
  ]
}
```
### User Roles
Create IAM roles that ZeroTrustKerberosLink will map to Kerberos principals. Each role's trust policy allows only the service role to assume it, and only when the caller's `KerberosPrincipal` tag matches the mapped principal:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/ZeroTrustKerberosLinkServiceRole"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/KerberosPrincipal": "${kerberos:principal}"
        }
      }
    }
  ]
}
```
### Role Permissions
Configure appropriate permissions for each role based on the principle of least privilege:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}
```
## AWS STS Configuration
### Regional Endpoints
Configure ZeroTrustKerberosLink to use regional STS endpoints for better performance and availability:
```yaml
aws:
  sts:
    regional_endpoints: true
    region: "us-west-2"
```
### Cross-Account Access
Configure cross-account access to allow users to access resources in multiple AWS accounts:
```yaml
aws:
  accounts:
    - id: "123456789012"
      name: "Production"
      roles:
        - "arn:aws:iam::123456789012:role/AdminRole"
        - "arn:aws:iam::123456789012:role/DeveloperRole"
    - id: "456789012345"
      name: "Development"
      roles:
        - "arn:aws:iam::456789012345:role/AdminRole"
        - "arn:aws:iam::456789012345:role/DeveloperRole"
```
## AWS Service Integration
### AWS CloudTrail
Enable AWS CloudTrail to audit role assumption activities:
```yaml
aws:
  cloudtrail:
    enabled: true
    trail_name: "ZeroTrustKerberosLinkTrail"
    s3_bucket: "zerotrustkerberos-logs"
    include_global_service_events: true
```
### AWS CloudWatch
Configure CloudWatch for monitoring and alerting:
```yaml
aws:
  cloudwatch:
    enabled: true
    log_group: "/zerotrustkerberos"
    metrics:
      enabled: true
      namespace: "ZeroTrustKerberosLink"
    alarms:
      enabled: true
      sns_topic: "arn:aws:sns:us-west-2:123456789012:ZeroTrustAlerts"
```
### AWS Secrets Manager
Use AWS Secrets Manager to securely store sensitive configuration:
```yaml
aws:
  secrets_manager:
    enabled: true
    region: "us-west-2"
    secret_id: "zerotrustkerberos/config"
```
## AWS Network Integration
### VPC Configuration
Deploy ZeroTrustKerberosLink in an AWS VPC for secure network integration:
```yaml
aws:
  vpc:
    id: "vpc-12345678"
    subnets:
      - "subnet-12345678"
      - "subnet-87654321"
    security_groups:
      - "sg-12345678"
```
### AWS PrivateLink
Use AWS PrivateLink to securely access AWS services without traversing the public internet:
```yaml
aws:
  privatelink:
    enabled: true
    services:
      - "com.amazonaws.us-west-2.sts"
      - "com.amazonaws.us-west-2.secretsmanager"
```
## AWS Authentication Flow
The authentication flow between ZeroTrustKerberosLink and AWS follows these steps:
1. User authenticates to ZeroTrustKerberosLink using Kerberos
2. ZeroTrustKerberosLink validates the Kerberos ticket
3. ZeroTrustKerberosLink maps the Kerberos principal to an AWS IAM role
4. ZeroTrustKerberosLink calls the AWS STS AssumeRole API
5. AWS STS returns temporary credentials
6. ZeroTrustKerberosLink returns the temporary credentials to the user
```text
┌─────────┐            ┌─────────────────┐            ┌─────────┐
│         │            │                 │            │         │
│  User   │            │   ZeroTrust     │            │   AWS   │
│         │            │  KerberosLink   │            │   STS   │
│         │            │                 │            │         │
└────┬────┘            └────────┬────────┘            └────┬────┘
     │                          │                          │
     │  1. Kerberos Auth        │                          │
     │ ────────────────────────►│                          │
     │                          │                          │
     │                          │  2. AssumeRole           │
     │                          │ ────────────────────────►│
     │                          │                          │
     │                          │ 3. Temporary Credentials │
     │                          │◄──────────────────────── │
     │                          │                          │
     │ 4. Temporary Credentials │                          │
     │◄──────────────────────── │                          │
     │                          │                          │
```
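Steps 3 and 4 of the flow as an added Python example (not ZeroTrustKerberosLink's own code): it validates the principal, resolves it through an assumed principal-to-role table (the guide does not describe the mapping format), checks the target role against the cross-account allow-list from this guide and against the service role's `sts:AssumeRole` `Resource` pattern, and builds the AssumeRole parameters. The `KerberosPrincipal` session tag and the 3600-second duration are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed allow-list mirroring the guide's aws.accounts section (example data).
ALLOWED_ROLES = {
    "123456789012": ["arn:aws:iam::123456789012:role/AdminRole",
                     "arn:aws:iam::123456789012:role/DeveloperRole"],
    "456789012345": ["arn:aws:iam::456789012345:role/AdminRole",
                     "arn:aws:iam::456789012345:role/DeveloperRole"],
}
# Assumed principal-to-role mapping; the guide does not say how this table is configured.
PRINCIPAL_MAP = {
    "alice@EXAMPLE.COM": "arn:aws:iam::123456789012:role/DeveloperRole",
    "bob/admin@EXAMPLE.COM": "arn:aws:iam::456789012345:role/AdminRole",
}
PRINCIPAL_RE = re.compile(r"[^@/\s]+(?:/[^@/\s]+)?@[A-Z0-9.-]+")  # user[/instance]@REALM
SESSION_NAME_BAD = re.compile(r"[^\w+=,.@-]")  # characters STS rejects in RoleSessionName


def service_role_can_assume(role_arn: str, resource_pattern: str) -> bool:
    """True if the service role's sts:AssumeRole Resource pattern covers role_arn.
    IAM treats '*' in a Resource element as a wildcard, which fnmatch reproduces."""
    return fnmatchcase(role_arn, resource_pattern)


def session_name(principal: str) -> str:
    """RoleSessionName must be 2-64 characters of [\\w+=,.@-]; map anything else to '_'."""
    return SESSION_NAME_BAD.sub("_", principal)[:64]


def build_assume_role_request(principal: str, resource_pattern: str) -> dict:
    """Steps 3 and 4 of the flow: turn a validated Kerberos principal into the parameters
    of an STS AssumeRole call, refusing anything outside the configured allow-lists."""
    if not PRINCIPAL_RE.fullmatch(principal):
        raise ValueError(f"malformed Kerberos principal: {principal!r}")
    role_arn = PRINCIPAL_MAP.get(principal)
    if role_arn is None:
        raise PermissionError(f"no AWS role mapped for {principal}")
    account = role_arn.split(":")[4]  # ARN field 5 is the account id
    if role_arn not in ALLOWED_ROLES.get(account, []):
        raise PermissionError(f"{role_arn} is not an allowed role in account {account}")
    if not service_role_can_assume(role_arn, resource_pattern):
        raise PermissionError(f"service role policy does not cover {role_arn}")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name(principal),
        # Session tag so CloudTrail records which principal drove the call (assumed design).
        "Tags": [{"Key": "KerberosPrincipal", "Value": principal}],
        "DurationSeconds": 3600,
    }
```

Run with the `arn:aws:iam::*:role/ZeroTrustKerberos*` pattern from the service role policy, a mapping to `DeveloperRole` is refused before any STS call, which is the first thing to check for the "Role assumption failure" row under Troubleshooting: either name the user roles to match the pattern or widen it to cover them.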
## Security Considerations
When integrating with AWS, follow these security best practices:
- **Use IAM Roles**: Always use IAM roles with temporary credentials instead of long-term access keys.
- **Implement Least Privilege**: Grant only the permissions necessary for each role.
- **Enable CloudTrail**: Enable AWS CloudTrail to audit all API calls and role assumptions.
- **Use Conditions in Trust Policies**: Implement conditions in role trust policies to restrict when roles can be assumed.
- **Secure Network Communication**: Use VPC endpoints or PrivateLink to securely communicate with AWS services.
## Troubleshooting
Common AWS integration issues include:

| Issue | Possible Causes | Resolution |
|---|---|---|
| Role assumption failure | Insufficient permissions, trust policy issues | Check role trust policy, verify permissions |
| Expired credentials | Credential expiration | Refresh credentials before expiration |
| Permission denied | Insufficient role permissions, restrictive session policy | Check role permissions, review session policy |
| Rate limiting | Too many API calls | Implement exponential backoff, reduce request frequency |
| Network connectivity | VPC configuration, security groups | Check network connectivity, verify security group rules |