Advanced Identity Flashcards
STS (Security Token Service)
How long are the tokens valid?
API commands
AssumeRole:
AssumeRoleWithSAML:
AssumeRoleWithWebIdentity:
GetSessionToken:
GetFederationToken:
GetCallerIdentity:
DecodeAuthorizationMessage:
How to get information about the calling user or role
How to read an access-denied error message
STS
Grants limited, temporary access to AWS resources. Default session: 1 HOUR. The actual range depends on the API: AssumeRole and its SAML/WebIdentity variants go from 15 min up to the role's maximum session duration (1 h default, 12 h cap; 1 h cap when a role assumes another role); GetSessionToken from 15 min up to 36 h for an IAM user (1 h cap for the root user); GetFederationToken from 15 min up to 36 h.
AssumeRole:
Assume a role within your own account or across accounts
AssumeRoleWithSAML:
Returns credentials for users authenticated by a SAML 2.0 identity provider
AssumeRoleWithWebIdentity:
Returns credentials for users authenticated by a web identity provider (Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect compatible provider)
Better not to call this directly; use COGNITO IDENTITY POOLS instead
GetSessionToken:
Returns temporary credentials for an IAM user or the AWS account root user; this is the call used to obtain MFA-authenticated credentials
GetFederationToken:
Returns temporary credentials for a federated user (an IAM user acting as an identity broker on behalf of its own users)
GetCallerIdentity:
Returns details about the IAM user or role whose credentials were used for the API call (account, user ID, ARN)
DecodeAuthorizationMessage:
Decodes the encoded error message returned when an AWS API call is REJECTED for lack of permissions (requires the sts:DecodeAuthorizationMessage permission)
STS to assume a role
Role vs principal
What does STS give you, and what does it let you do?
How long (min/max) are the credentials valid?
- Define an IAM role within your own account or in another account; its permissions policy is WHAT THE ROLE CAN DO
- Define which principals can assume that role in its trust policy; this is WHO CAN ASSUME THE ROLE
- Call STS to retrieve temporary CREDENTIALS that act as the role (USE THE ASSUMEROLE API); calls made with them are made as the role, not as the original identity
- creds are valid from 15 min up to the role's maximum session duration (1 hour by default, up to 12 hours; 1 hour when a role assumes another role)
STS in-account access
A. User is granted sts:AssumeRole on the role ARN, and the role's trust policy names the user or the account
B. User calls the AssumeRole API on STS
C. STS checks the user's IAM permissions and the role's trust policy to see if the user can assume the role
D. STS returns temporary credentials (access key ID, secret access key, session token, expiration) that act as the role
STS cross account access
Who is the principal?
Where is the role created?
Which API is used, and which STS does the call go to?
Two accounts
Account: Target (owns the resources)
Account: Request (owns the users)
- In the Target account, create a role whose permissions policy grants the ability to change the resources.
Role: UpdateApp
Principal (trust policy): Account Request
*Authorized users from the Request account can use the UpdateApp role.
- In the Request account, the admin allows certain users to assume this role.
Grant them permission to call STS with the ASSUMEROLE API on the UpdateApp role ARN.
The user calls AssumeRole on STS (STS is one AWS service, not a per-account service); STS checks the trust policy of UpdateApp in the Target account AND the caller's identity policy in the Request account, and both must allow the call. STS then returns temporary credentials to the user in the Request account, who can now act as UpdateApp on resources in the Target account.
STS with MFA
API call to STS, and what it returns
IAM policy condition requirement
GetSessionToken API from STS, called with the MFA device serial number and the current token code
For MFA-protected access you need an IAM policy with the proper IAM condition:
Condition: Bool aws:MultiFactorAuthPresent = true (explicit); only credentials obtained through MFA carry this key, so long-term access keys fail the check
GetSessionToken returns:
Access key ID
Secret access key
Session token
Expiration date
Permission needed to pass IAM roles to services
IAM action for this:
To configure a service we must PASS an IAM role to it, usually at service setup
EX: giving a role to an EC2 instance so that the instance can assume it
Permissions needed:
iam:PassRole
iam:GetRole, to VIEW the role being passed
*ROLES can only be passed to services that their trust policy allows.
TRUST POLICY: which principal can assume the role.
Statement: Effect Allow, Action sts:AssumeRole, Principal = the service (e.g. ec2.amazonaws.com) or the account/user that may hold this role. The Principal dictates which target/service can hold this role.
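Worked example, added for these notes (not from the course material and not AWS's own code): a small Python model of the checks described in the cross-account AssumeRole, MFA and PassRole cards above. It is not boto3 and makes no AWS calls; the account IDs 111122223333 and 444455556666, the roles UpdateApp and AppServer, the user alice and all policy documents are constructed for the example. It shows that the caller's identity policy AND the role's trust policy must both allow sts:AssumeRole, that a Bool aws:MultiFactorAuthPresent condition rejects a session obtained without MFA, that iam:PassRole can be narrowed with the iam:PassedToService key to the service named in the role's trust policy, and how DurationSeconds is bounded. The model is deliberately conservative: it requires both policy halves even for in-account callers.

```python
"""Toy model of the authorization checks behind AssumeRole and iam:PassRole.
Illustration only: NOT AWS's evaluation engine, makes no AWS calls. Account IDs,
names, ARNs and policies below are made up. It models just enough of the policy
language to show that the caller's IDENTITY policy and the role's TRUST policy must both agree."""
import fnmatch

REQUEST_ACCOUNT = "111122223333"                      # account whose user wants access (made up)
TARGET_ACCOUNT = "444455556666"                       # account that owns UpdateApp (made up)
ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/UpdateApp"
EC2_ROLE_ARN = f"arn:aws:iam::{REQUEST_ACCOUNT}:role/AppServer"
ALICE = {"arn": f"arn:aws:iam::{REQUEST_ACCOUNT}:user/alice", "account": REQUEST_ACCOUNT}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _like(pattern, value):
    """IAM wildcard match ('*' and '?'); case-insensitive (a simplification for ARNs)."""
    return fnmatch.fnmatchcase(str(value).lower(), str(pattern).lower())

def conditions_hold(cond, ctx):
    """Subset of IAM condition operators. A key absent from the request context fails the
    test, which is why Bool aws:MultiFactorAuthPresent=true rejects sessions without MFA."""
    for op, pairs in cond.items():
        if op not in ("Bool", "StringEquals"):
            raise ValueError(f"operator {op} not modelled")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if op == "Bool" and str(actual).lower() != str(expected).lower():
                return False
            if op == "StringEquals" and actual not in _as_list(expected):
                return False
    return True

def principal_matches(spec, caller):
    """Trust-policy Principal: an exact ARN, a whole account (id or :root ARN), or a service."""
    for kind, values in spec.items():
        for v in _as_list(values):
            if kind == "AWS" and v in (caller.get("arn"), caller.get("account"),
                                       f"arn:aws:iam::{caller.get('account')}:root"):
                return True
            if kind == "Service" and v == caller.get("service"):
                return True
    return False

def policy_allows(policy, action, resource, ctx, caller=None):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny.
    Pass caller=... when evaluating a trust policy so that Principal is checked too."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_like(a, action) for a in _as_list(stmt["Action"])):
            continue
        if "Resource" in stmt and not any(_like(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if caller is not None and not principal_matches(stmt.get("Principal", {}), caller):
            continue
        if not conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def can_assume_role(caller, identity_policy, trust_policy, role_arn, ctx):
    """AssumeRole: identity policy in the caller's account AND trust policy on the role."""
    return (policy_allows(identity_policy, "sts:AssumeRole", role_arn, ctx)
            and policy_allows(trust_policy, "sts:AssumeRole", role_arn, ctx, caller=caller))

def can_pass_role(identity_policy, trust_policy, role_arn, service):
    """iam:PassRole: caller may pass THIS role to THIS service, and the role trusts that service."""
    ctx = {"iam:PassedToService": service}
    return (policy_allows(identity_policy, "iam:PassRole", role_arn, ctx)
            and policy_allows(trust_policy, "sts:AssumeRole", role_arn, {}, caller={"service": service}))

def session_duration(requested, role_max=3600, caller_is_role=False):
    """DurationSeconds: 900 s up to the role's MaxSessionDuration (default 3600, max 43200);
    when a role assumes another role (role chaining) STS caps the session at 3600 s."""
    cap = min(role_max, 3600) if caller_is_role else role_max
    if not 900 <= requested <= cap:
        raise ValueError(f"DurationSeconds {requested} outside 900..{cap}")
    return requested

# Target account: UpdateApp trusts the whole Request account, but only MFA-authenticated callers.
UPDATE_APP_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{REQUEST_ACCOUNT}:root"},
    "Action": "sts:AssumeRole", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
# Request account: the admin lets alice call AssumeRole on exactly that role.
ALICE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
# Request account: alice may hand AppServer to EC2 only; AppServer's trust policy names EC2.
PASS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:PassRole", "Resource": EC2_ROLE_ARN,
    "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}]}
EC2_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
```

Try `can_assume_role(ALICE, ALICE_POLICY, UPDATE_APP_TRUST, ROLE_ARN, {"aws:MultiFactorAuthPresent": "true"})` (allowed) against the same call with an empty context (denied: the Bool condition fails when the key is absent), and `can_pass_role(PASS_POLICY, EC2_ROLE_TRUST, EC2_ROLE_ARN, "lambda.amazonaws.com")` (denied on both halves). The take-away for a reviewer is that a policy granting `sts:AssumeRole` on `*` in the Request account is harmless until some role in another account lists that account as a principal, which is why trust policies deserve the same scrutiny as identity policies.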
Microsoft AD overview
Windows Server running Active Directory Domain Services
Database of objects: user accounts, computers, groups, etc.
DOMAIN: a set of objects under one name; TREE: one or more domains sharing a contiguous namespace
FOREST: group of one or more trees that share a schema and global catalog (the security boundary)
Centralized behind a DOMAIN CONTROLLER
AWS directory services: AWS Managed Microsoft AD
Create your own AD directory in AWS
Manage users locally and supports MFA
- Can establish a trust relationship with on-premises AD. Each side authenticates its own users: IF AWS IS DOWN, ON-PREMISES USERS ARE STILL AUTHENTICATED ON PREMISES.
- ALSO AWS STILL AUTHENTICATES ITS OWN USERS IF THE ON-PREMISES DIRECTORY IS DOWN
AWS directory services: AD CONNECTOR
Directory gateway (PROXY) that redirects requests to the on-premises Active Directory; no users are stored in AWS.
This means if the local Active Directory (or the network link to it) goes down, authentication goes down, because all authentication requests are proxied to the local servers.
AWS directory services: Simple AD
AD-compatible managed directory on AWS (Samba 4 based)
*best when there is no on-premises AD
CANNOT BE JOINED OR TRUSTED WITH ON-PREMISES AD AT ALL; no MFA support