2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.

SEC352-R

Authenticate securely beyond AWS identity with JSON Web Tokens

Liam Wadman (He/him), Principal Solutions Architect, AWS Identity
Vaishnavi Merugu (She/Her), Senior Product Manager, AWS Identity
Ram Maharajapuram (He/Him), Senior Software Development Manager, AWS Identity

Agenda
01 A history of credentials at AWS
02 Introducing the new AWS Web Identity Token
03 Demo
04 Examples, Best practices
05 Going Off Label
06 Q&A

But first, some housekeeping

History of Credentials at AWS Identity
2006 Root user long lived access keys
2011 IAM user long lived access keys
2012 Temporary credentials and IAM roles
2015 through early 2025 Service Specific Credentials
Late 2025 AWS Web Identity Token

TLS is not widespread
There was no VPC
Computers were slow
There were 3 AWS services

AWS Signature Authentication
Alice, AWS Service
sigv4Sign(One Cloud Please, Secret_Access_Key)
One Cloud, Please $RESULT_OF_SIGV4
SigV4Verify(One Cloud Please, $RESULT_OF_SIGV4)
One Cloud!

AWS Signature Benefits
Speed and scale
Requests are tamper evident
Requests have limited replay capability

What's the catch?
Bad actors keep findin