Saturday, June 22, 2019

AWS Identity Federation


IAM Security Token Service (STS):


  • STS allows you to create temporary security credentials that grant trusted users access to your AWS resources.
  • These temporary credentials are for short-term use, with a configurable session duration.
  • Once expired, they can no longer be used to access your AWS resources.
  • When requested through an STS API call, a credential object is returned containing:

  1. Session Token
  2. An Access Key ID
  3. A Secret Access Key
  4. Expiration timestamp

When to Use STS:

- Identity Federation

Enterprise Identity Federation (authenticate through your company's network)
  STS supports SAML (Security Assertion Markup Language), which allows the use of Microsoft Active Directory or your own solutions.

Web Identity Federation (third-party identity providers, e.g. Facebook, Google, Twitter)


- Roles for Cross-Account Access
  used by organizations that have more than one AWS account

- Roles for Amazon EC2 or other AWS services
  grant applications running on an EC2 instance access to other AWS services without having to embed credentials
 

* For mobile applications AWS recommends using Cognito rather than STS directly, because it provides additional mobile-specific functionality that makes the flow easier to manage.


AssumeRole:
Using the AssumeRole API call, an IAM user can assume a role in another AWS account to perform specific, allowed actions.


AssumeRoleWithWebIdentity:
Using the AssumeRoleWithWebIdentity API call, our user can assume a role in the target AWS account to perform specific, allowed actions. The user receives an ID Token from Google or any other IdP, which is then embedded in the AssumeRoleWithWebIdentity request to AWS. AWS returns our STS credentials.

e.g. The user logs into Google, which returns an ID Token for our application. The user then requests temporary credentials from our account, allowing them to assume the S3 role and perform their actions.
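The AssumeRoleWithWebIdentity flow described above, as an added Python example (not code from these notes or from AWS): the role's trust policy pinned to our Google client ID via the `accounts.google.com:aud` condition, the STS call, and handling of the four-field credential object. The role ARN, client ID and credential values are constructed placeholders.

```python
"""Web identity federation with STS (added example, not AWS code)."""
import datetime as dt

# Hypothetical role ARN and Google OAuth client ID (constructed placeholders).
ROLE_ARN = "arn:aws:iam::123456789012:role/S3ReadOnlyForApp"
GOOGLE_CLIENT_ID = "EXAMPLE-CLIENT-ID.apps.googleusercontent.com"

# Trust policy of the role: only ID tokens issued by Google *for our app*
# (aud claim == our client ID) may assume it. Without the Condition, any
# Google-issued ID token would satisfy the Federated principal.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"accounts.google.com:aud": GOOGLE_CLIENT_ID}},
    }],
}

def assume_role_with_google(id_token, session_name="web-user"):
    """Exchange a Google ID token for STS credentials (needs boto3 and network)."""
    import boto3  # imported lazily so the rest of the module runs offline
    sts = boto3.client("sts")  # this call is unsigned: no AWS keys are needed
    resp = sts.assume_role_with_web_identity(
        RoleArn=ROLE_ARN, RoleSessionName=session_name, WebIdentityToken=id_token)
    return resp["Credentials"]

def credentials_to_env(creds):
    """Map the credential object onto the variables SDKs and the CLI read.
    The session token is mandatory: an ASIA... key without it is rejected."""
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }

def is_usable(creds, now=None, skew=dt.timedelta(minutes=5)):
    """False once the Expiration timestamp is within `skew`, so a request
    already in flight does not fail with ExpiredToken."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return now + skew < creds["Expiration"]

# Constructed sample of what STS returns; the values are not real keys.
SAMPLE_CREDS = {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "constructed-secret",
    "SessionToken": "constructed-session-token",
    "Expiration": dt.datetime(2019, 6, 22, 13, 0, tzinfo=dt.timezone.utc),
}
```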

AssumeRoleWithSAML:
Our enterprise user, who exists in our Active Directory, is able to authenticate against ADFS and use that response with our SSO page.
The SAML approach allows you to leverage existing users, avoiding having to create IAM users for each person.






