Roles Flashcards
What are roles?
Roles - features, use cases and federation etc
- Roles are the primary way to grant cross-account access. However, with some of the web services offered by AWS you can attach a policy directly to a resource
- Roles are also how permissions are given to AWS services themselves (an EC2 instance, for example): the service assumes the role, so there is no username, password or long-term access key to manage.
- Roles grant permissions (via an attached policy) to trusted entities: a user in another AWS account, or application code running on an EC2 instance that needs to call AWS APIs.
- Roles can federate with SAML users from company directories.
- An EC2 instance can have only one role (instance profile) attached at a time, but the attached role can be replaced or its policies changed at any time without stopping the instance.
- A role is created with the permissions (policies) it needs; once created it is mainly "assumed" by AWS resources and, in some cases, by human users.
- IAM roles are pre-packaged sets of permissions with no long-term credentials of their own; credentials exist only for the duration of a session in which the role is assumed.
- IAM roles are the basis for federating external identity providers (IdPs) with AWS.
- Federation flow: the user authenticates with the external IdP; the IdP's assertion or token is presented to the IAM identity provider, which maps the identity to a role; STS then returns temporary security credentials for the assumed role.
What are roles?
Roles - features, use cases and federation (continued)
- AWS supports federation via SAML 2.0 and OpenID Connect (OIDC).
- Assumed-role (STS) credentials are a three-part set: access key ID, secret access key and session token. All three must be sent with every request; the key pair without the session token is rejected.
- However, with some AWS services you can attach a policy directly to the resource instead of using a role as a proxy. These are called resource-based policies, and you can use them to grant principals in another AWS account access to the resource.
- E.g.: giving an EC2 instance an IAM role removes the need to store any credentials in a config file on the instance; the instance fetches short-lived credentials for the role from the instance metadata service.
Top Tip: never grant iam:PassRole with Resource "*" in a policy for EC2 (or any service that launches compute). A principal who can pass any role to an instance it launches can pick the most privileged role in the account and run code as it. Scope iam:PassRole to the specific role ARNs the principal is meant to use.
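The two policy questions on these cards, cross-account trust through a role and an unscoped iam:PassRole grant, can be checked mechanically. The following is an added example written for this page, not code from the flashcards or from AWS: a stdlib-only evaluator of a small subset of IAM policy semantics. The account IDs, role names and policy documents are constructed for illustration; conditions, NotAction/NotResource and permission boundaries are not modelled.

```python
"""Added example, not from the flashcards: a stdlib-only evaluator for two
questions the cards raise.

  1. Does a role's trust policy let a principal from another account call
     sts:AssumeRole on it (cross-account access through a role)?
  2. Does an identity policy grant iam:PassRole on Resource "*", the
     over-broad grant the Top Tip warns about?

Account IDs, role names and the policy documents are constructed for this
example. Only core IAM rules are modelled: implicit deny, an explicit Deny
beating any Allow, "*"/"?" wildcards in Action and Resource, and AWS
principals given as a full ARN, an account root ARN or a bare account ID.
Conditions, NotAction/NotResource and permission boundaries are ignored.
"""
import fnmatch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value, fold_case):
    # IAM wildcards: "*" any sequence, "?" one character.
    # Action names are case-insensitive; resource ARNs are compared as-is.
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Allow/Deny for one action on one resource under one identity policy."""
    decision = "Deny"  # implicit deny until an Allow matches
    for st in _as_list(policy["Statement"]):
        if "Action" not in st or "Resource" not in st:
            continue
        if _matches(st["Action"], action, True) and _matches(st["Resource"], resource, False):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision


def principal_trusted(trust_policy, principal_arn):
    """Does the role's trust policy let principal_arn call sts:AssumeRole?

    Trusting an account root ARN (or bare account ID) delegates the decision
    to that account: any principal there whose own policy allows
    sts:AssumeRole may assume the role. Principal "*" trusts every AWS account.
    """
    account = principal_arn.split(":")[4]  # arn:partition:service:region:account:...
    allowed = False
    for st in _as_list(trust_policy["Statement"]):
        if not _matches(st.get("Action", []), "sts:AssumeRole", True):
            continue
        pr = st.get("Principal", {})
        aws = ["*"] if pr == "*" else _as_list(pr.get("AWS", []))
        hit = any(p in ("*", principal_arn, account, f"arn:aws:iam::{account}:root") for p in aws)
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed


def passrole_is_unscoped(policy):
    """True if an Allow statement grants iam:PassRole (directly or via a
    wildcard such as "iam:*" or "*") on Resource "*". Combined with
    ec2:RunInstances that lets the caller launch an instance with any role."""
    for st in _as_list(policy["Statement"]):
        if st["Effect"] != "Allow" or "Action" not in st:
            continue
        if _matches(st["Action"], "iam:PassRole", True) and "*" in _as_list(st.get("Resource", [])):
            return True
    return False


# Constructed policies. WEAK_POLICY is the pattern the Top Tip warns about;
# SCOPED_POLICY is the corrected form, limited to one role ARN.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"}]}

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/WebServerRole"}]}

# Trust policy on a role in account 111122223333 that lets account
# 999988887777 assume it: the cross-account case from the cards.
CROSS_ACCOUNT_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
     "Action": "sts:AssumeRole"}]}

ADMIN_ROLE = "arn:aws:iam::111122223333:role/AdminRole"
WEB_ROLE = "arn:aws:iam::111122223333:role/WebServerRole"

if __name__ == "__main__":
    print("weak policy has unscoped PassRole:", passrole_is_unscoped(WEAK_POLICY))
    print("scoped policy has unscoped PassRole:", passrole_is_unscoped(SCOPED_POLICY))
    print("scoped policy, pass AdminRole:", evaluate(SCOPED_POLICY, "iam:PassRole", ADMIN_ROLE))
    print("scoped policy, pass WebServerRole:", evaluate(SCOPED_POLICY, "iam:PassRole", WEB_ROLE))
    print("alice in 9999...:", principal_trusted(CROSS_ACCOUNT_TRUST, "arn:aws:iam::999988887777:user/alice"))
    print("mallory in 1111...:", principal_trusted(CROSS_ACCOUNT_TRUST, "arn:aws:iam::111122223333:user/mallory"))
```

Under WEAK_POLICY the caller may pass AdminRole to an instance it launches; under SCOPED_POLICY the same request is denied while WebServerRole still works. The trust check shows why "root" in a trust policy is a delegation to the whole other account, not a grant to one user.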
What is a Service-linked role - ?
TBC
The AWS Security Token Service (STS)
The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
Security Token Service (STS) - Key Points
- STS supports AWS CloudTrail, which is a service that records AWS calls for your AWS account and delivers log files to an Amazon S3 bucket
- Endpoints: STS has a global endpoint, https://sts.amazonaws.com, served from US East (N. Virginia). Regional STS endpoints also exist and are activated by default; calling the one nearest the workload reduces latency and avoids a dependency on a single region.
- A regional STS endpoint can be deactivated in the IAM account settings, so you need to activate a region only if it was previously deactivated. Once a region is active for your account, you can direct STS API calls to it.
Security Token Service (STS) - use case
- Temporary Security Credentials You can use the AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources.
Differences: STS and long-term access key credentials
- Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use, with the following differences:
- Temporary security credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, AWS no longer recognizes them or allows any kind of access from API requests made with them.
- Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested. When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so.
Advantages for using temporary credentials (due to the differences )
- You do not have to distribute or embed long-term AWS security credentials with an application.
- You can provide access to your AWS resources to users without having to define an AWS identity for them.
- Temporary credentials are the basis for roles and identity federation.
- The temporary security credentials have a limited lifetime, so you do not have to rotate them or explicitly revoke them when they’re no longer needed. After temporary security credentials expire, they cannot be reused. You can specify how long the credentials are valid, up to a maximum limit.
- Lifetime: every STS call has a 15-minute minimum. AssumeRole credentials last up to the role's configured maximum session duration (default 1 hour, at most 12 hours), and credentials obtained by role chaining (calling AssumeRole with credentials that already came from AssumeRole) are capped at 1 hour. GetSessionToken and GetFederationToken credentials last up to 36 hours (GetSessionToken for the root user is limited to 1 hour).
- The permissions carried by a security token are those of the IAM role that was assumed (its attached policies, optionally narrowed by a session policy passed to AssumeRole), not those of the caller who assumed it.
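The credential properties on these STS cards (three-part credentials with an expiry, generated on demand rather than stored, and bounded session durations) translate directly into how a client should handle them. The following is an added example written for this page, not code from the flashcards or from AWS: a credential provider that validates DurationSeconds against the STS limits, caches one set of temporary credentials, and re-assumes the role shortly before expiry. The STS call is injected so the module runs offline; fake_sts is a constructed stand-in returning the same dict shape as boto3's sts.assume_role, and the role ARN, session name and fixed clock are constructed values.

```python
"""Added example, not from the flashcards: a credential provider that handles
the properties the STS cards list.

  * Temporary credentials are a three-part set (AccessKeyId, SecretAccessKey,
    SessionToken) plus an Expiration; all three parts go on every request.
  * They are generated on demand, not stored with the user, so a long-running
    client must request a fresh set before the current one expires.
  * DurationSeconds is bounded: 900 s minimum; for AssumeRole the ceiling is
    the role's MaxSessionDuration (default 1 h, at most 12 h), and 1 h when
    role chaining; GetSessionToken and GetFederationToken allow up to 36 h.

The STS call is injected so the module runs offline. fake_sts() below is a
constructed stand-in returning the same dict shape as boto3's
sts.assume_role(); in production pass boto3.client("sts").assume_role.
Role ARN, session name and the fixed clock are constructed values.
"""
from datetime import datetime, timedelta, timezone

MIN_DURATION = 900
MAX_ASSUME_ROLE = 12 * 3600      # largest MaxSessionDuration a role can have
MAX_SESSION_TOKEN = 36 * 3600    # GetSessionToken / GetFederationToken ceiling
ROLE_CHAIN_CAP = 3600            # AssumeRole called with assumed-role credentials


def check_duration(requested, api="AssumeRole", role_max=3600, chained=False):
    """Reject a DurationSeconds STS would refuse instead of silently shortening it."""
    if api == "AssumeRole":
        ceiling = min(role_max, MAX_ASSUME_ROLE)
        if chained:
            ceiling = min(ceiling, ROLE_CHAIN_CAP)
    elif api in ("GetSessionToken", "GetFederationToken"):
        ceiling = MAX_SESSION_TOKEN
    else:
        raise ValueError(f"unknown STS API {api!r}")
    if not MIN_DURATION <= requested <= ceiling:
        raise ValueError(f"{api}: DurationSeconds={requested} outside [{MIN_DURATION}, {ceiling}]")
    return requested


class RefreshingCredentials:
    """Cache one set of temporary credentials and re-assume the role before expiry."""

    def __init__(self, assume_role, role_arn, session_name, duration=3600,
                 refresh_margin=300, now=None):
        self._assume_role = assume_role
        self._role_arn = role_arn
        self._session_name = session_name
        self._duration = check_duration(duration)
        self._margin = timedelta(seconds=refresh_margin)
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._creds = None
        self.refresh_count = 0

    def _needs_refresh(self):
        # Refresh early: a request signed with credentials that expire in flight fails.
        return self._creds is None or self._now() + self._margin >= self._creds["Expiration"]

    def get(self):
        if self._needs_refresh():
            resp = self._assume_role(RoleArn=self._role_arn,
                                     RoleSessionName=self._session_name,
                                     DurationSeconds=self._duration)
            self._creds = resp["Credentials"]
            self.refresh_count += 1
        return self._creds

    def as_client_kwargs(self):
        """All three parts, as boto3 clients expect them; leaving out the session
        token makes AWS reject the request because the access key is temporary."""
        c = self.get()
        return {"aws_access_key_id": c["AccessKeyId"],
                "aws_secret_access_key": c["SecretAccessKey"],
                "aws_session_token": c["SessionToken"]}


def fake_sts(clock):
    """Constructed stand-in for boto3's sts.assume_role sharing a clock with the caller."""
    calls = {"n": 0}

    def assume_role(RoleArn, RoleSessionName, DurationSeconds):
        calls["n"] += 1
        account, name = RoleArn.split(":")[4], RoleArn.split("/")[-1]
        return {"Credentials": {"AccessKeyId": f"ASIAEXAMPLE{calls['n']:04d}",
                                "SecretAccessKey": "constructed-secret",
                                "SessionToken": f"constructed-token-{calls['n']}",
                                "Expiration": clock() + timedelta(seconds=DurationSeconds)},
                "AssumedRoleUser": {"Arn": f"arn:aws:sts::{account}:assumed-role/{name}/{RoleSessionName}"}}
    return assume_role


def simulate(duration=3600, margin=300, minutes=(0, 10, 50, 56, 70)):
    """Drive the provider through a constructed timeline; returns the refresh
    count observed after each step, so the refresh-before-expiry rule is visible."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    t = {"now": start}
    clock = lambda: t["now"]
    prov = RefreshingCredentials(fake_sts(clock), "arn:aws:iam::111122223333:role/ReadOnly",
                                 "demo-session", duration, margin, now=clock)
    counts = []
    for m in minutes:
        t["now"] = start + timedelta(minutes=m)
        prov.get()
        counts.append(prov.refresh_count)
    return counts


if __name__ == "__main__":
    print(simulate())  # [1, 1, 1, 2, 2]: one refresh at t=0, another 4 min before expiry
```

With a one-hour session and a five-minute margin the provider refreshes at t=0 and again at t=56 min, so no request is ever signed with credentials that have fewer than five minutes left. check_duration fails fast on a 2-hour request against a role whose maximum is the default 1 hour, and on anything above 1 hour when role chaining, which is what STS itself would reject.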