STS

Introduction

  • Security Token Service (STS) lets you request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate yourself (federated users), typically through the AssumeRole approach.

    • It returns a set of temporary security credentials consisting of an access key ID, a secret access key, and a security token (the session token).

  • Once a user assumes a role, the user's original permissions do not apply while the role's credentials are in use; only the role's permissions are in effect.

Feature

  • Federation - Grant temporary privileges based on federated credentials without creating or assigning IAM credentials to each user.

    • Types:

    • Important APIs:

      • AssumeRole: assume a role within your own account or in another account (cross-account).

      • AssumeRoleWithSAML: returns credentials for users authenticated with SAML 2.0.

      • AssumeRoleWithWebIdentity: returns credentials for users authenticated with a web identity provider (IdP).

      • GetSessionToken: returns temporary credentials for an IAM user or the AWS account root user; typically used to satisfy MFA requirements.

      • GetFederationToken: obtains temporary credentials for a federated user, usually through a proxy app that hands the credentials to a distributed app inside a corporate network.

Walkthrough - SAML 2.0 Federation

  • 1. IdP on-premises

    • Authenticates the user against LDAP and retrieves the name of the IAM role associated with that user.

    • Assumes that role by calling the IAM Security Token Service (STS) AssumeRole API to obtain temporary credentials.

  • 2. SAML IdPs

    • Create a SAML provider in IAM and create an IAM role whose trust policy establishes a trust relationship between IAM and your organization's IdP, identifying the IdP as a principal (trusted entity) for federation.

    • Inside your organization's network, configure your identity store (such as Windows Active Directory) to work with a SAML-based identity provider (IdP) such as Active Directory Federation Services (AD FS) or Shibboleth.

Walkthrough - Web Identity Federation (AssumeRoleWithWebIdentity)

Walkthrough - Web Identity Federation with Cognito

  • Cognito replaces a Token Vending Machine (TVM) running on EC2.

Scenario

  • Credentials for mobile app

    • Store the temporary credentials in memory and generate new credentials the next time the user runs the app.

  • Integration with a TVM on EC2 instances so that mobile users can get temporary credentials for AWS resources (the TVM itself has to be managed).

Terminology

  • Identity Broker to AWS

    • A service that authenticates users coming from point A (your organization)

    • Calls the IAM Security Token Service (STS) GetFederationToken or AssumeRole API to get temporary AWS credentials.

  • External ID

    • A secret that you define and provide only to the third party

    • Must be supplied both when defining the role (in its trust policy) and when assuming the role

    • Prevents the confused deputy problem (another AWS account learns our role ARN and gets the third party to assume it on that account's behalf)
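The following is an added example, not part of the original notes, covering the External ID bullets above and the credential set described in the introduction: a simplified model of how a role trust policy with an `sts:ExternalId` condition stops the confused deputy, and how the temporary credentials that AssumeRole returns map to the environment variables the SDKs read. All account IDs, ARNs, external IDs and credential values are constructed placeholders, and `evaluate_assume_role()` is a teaching approximation of IAM's trust-policy evaluation, not the real engine.

```python
"""Added example, not from the original notes: simplified trust-policy
evaluation with an sts:ExternalId condition, plus consumption of the
temporary credentials returned by AssumeRole. Every account ID, ARN,
external ID and credential value below is a constructed placeholder."""
from typing import Optional

OUR_ACCOUNT = "111111111111"          # constructed: the account that owns the role
VENDOR_ACCOUNT = "222222222222"       # constructed: the third party we let assume it
ROLE_NAME = "VendorAccess"            # constructed role name
OUR_EXTERNAL_ID = "ext-id-for-us-4f2a"                      # constructed, shared only with vendor
OTHER_CUSTOMER_EXTERNAL_ID = "ext-id-for-other-customer"    # constructed: another customer's ID


def trust_policy(trusted_account: str, external_id: str) -> dict:
    """Trust policy for our role: only the vendor's account may assume it, and
    only when the AssumeRole call carries the external ID agreed with us."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


POLICY = trust_policy(VENDOR_ACCOUNT, OUR_EXTERNAL_ID)


def evaluate_assume_role(policy: dict, caller_account: str,
                         external_id: Optional[str]) -> bool:
    """Teaching approximation of IAM's evaluation (not the real engine): allow if
    some Allow statement names the caller's account as principal and every
    StringEquals condition matches the request context. A request that omits
    sts:ExternalId never satisfies a StringEquals condition on that key."""
    request_context = {}
    if external_id is not None:
        request_context["sts:ExternalId"] = external_id
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request_context.get(key) == value for key, value in conditions.items()):
            return True
    return False


def assume_role(policy: dict, caller_account: str,
                external_id: Optional[str], session_name: str) -> dict:
    """Stand-in for the STS AssumeRole API: returns the response shape STS uses
    (with constructed values) or raises PermissionError like an AccessDenied."""
    if not evaluate_assume_role(policy, caller_account, external_id):
        raise PermissionError("AccessDenied: not authorized to perform sts:AssumeRole")
    return {
        "Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEYID",            # constructed, fake
            "SecretAccessKey": "exampleSecretAccessKey",  # constructed, fake
            "SessionToken": "exampleSessionToken",        # constructed, fake
            "Expiration": "2030-01-01T00:00:00Z",
        },
        "AssumedRoleUser": {
            "Arn": f"arn:aws:sts::{OUR_ACCOUNT}:assumed-role/{ROLE_NAME}/{session_name}",
        },
    }


def credentials_to_env(response: dict) -> dict:
    """Map the three temporary-credential fields to the environment variables the
    AWS SDKs and CLI read; all three are required for temporary credentials."""
    creds = response["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


if __name__ == "__main__":
    # Legitimate use: the vendor acts for us and presents our external ID.
    ok = assume_role(POLICY, VENDOR_ACCOUNT, OUR_EXTERNAL_ID, "vendor-session")
    print("allowed:", ok["AssumedRoleUser"]["Arn"], sorted(credentials_to_env(ok)))
    # Confused deputy: another customer hands the vendor our role ARN, but the
    # vendor attaches that customer's external ID, so the trust policy rejects it.
    try:
        assume_role(POLICY, VENDOR_ACCOUNT, OTHER_CUSTOMER_EXTERNAL_ID, "vendor-session")
    except PermissionError as exc:
        print("denied:", exc)
```

The deny case is the one the External ID exists for: the caller is the trusted vendor account, so a principal-only trust policy would allow it, and only the mismatched `sts:ExternalId` blocks the request. In real IAM the vendor's own identity-based policy must also allow `sts:AssumeRole` on the role ARN, and a `StringEquals` condition on a key that is absent from the request context evaluates to false, which is why omitting the external ID is also denied.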
