STS

Last updated 4 years ago

Introduction

  • Security Token Service (STS) enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users), through the AssumeRole approach.

    • It returns a set of temporary security credentials consisting of an access key ID, a secret access key, and a security token.

  • Once a user assumes a role, the original permissions of that user no longer apply for that session.

Feature

  • Federation - To grant temporary privileges based on federation credentials, without creating/assigning IAM credentials.

    • Types:

      • SAML 2.0 (or SAML 2.0 Federated Users to access the AWS Console)

      • Custom Identity Broker (an on-premises IdP)

      • Web Identity Federation (an external IdP, e.g. Google, Facebook, Amazon, Cognito)

        • With Amazon Cognito

        • Without Amazon Cognito (not recommended; use Cognito to allow anonymous users, data synchronization, MFA)

      • Single Sign On

      • Non-SAML with AWS Microsoft AD

    • Important APIs:

      • AssumeRole: access a role within your account or cross-account.

      • AssumeRoleWithSAML: returns credentials for users logged in with SAML 2.0.

      • AssumeRoleWithWebIdentity: returns credentials for users logged in with a web IdP.

      • GetSessionToken: for MFA, from a user or the AWS account root user.

      • GetFederationToken: obtains temporary credentials for a federated user, usually a proxy app that will hand the credentials to a distributed app inside a corporate network.

Walkthrough - SAML 2.0 Federation

  • 1 IdP on-premises

    • Authenticates against LDAP to retrieve the name of the IAM role associated with the user.

    • Assumes that role via a call to the IAM Security Token Service (STS) AssumeRole API to get the temporary credentials.

  • 2 IdPs

    • Create a SAML provider in IAM and create an IAM role that establishes a trust relationship between IAM and your organization's IdP, identifying your IdP as a principal (trusted entity) for the purpose of federation.

    • Inside your organization's network, configure your identity store (such as Windows Active Directory) to work with a SAML-based identity provider (IdP) such as Windows Active Directory Federation Services, Shibboleth, etc.

Walkthrough - Web Identity Federation (AssumeRoleWithWebIdentity)

Walkthrough - Web Identity Federation with Cognito

  • Cognito replaces the TVM running on EC2.

Scenario

  • Credentials for a mobile app

    • Store the temporary credentials in memory, but generate new credentials the next time the user runs the app.

Terminology

  • Identity Broker to AWS

    • A service that authenticates users from point A.

    • Calls the IAM Security Token Service (STS) GetFederationToken or AssumeRole API to get AWS temporary credentials.

  • External ID

    • A secret defined by you and provided to the 3rd party only.

    • Must be provided both when defining the role and when assuming it.

    • Prevents the Confused Deputy problem (another AWS account abusing the role ARN we gave to the 3rd party in order to assume our role).

  • TVM (Token Vending Machine)

    • Integration with a TVM on EC2 instances for mobile users to get temporary credentials to AWS resources. (Needs management.)
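As an added example (not part of these notes), a small check a defender can run over a role trust policy to confirm the External ID mitigation described above is actually in place: it flags cross-account sts:AssumeRole grants that carry no StringEquals sts:ExternalId condition. The account IDs and the External ID value are constructed samples, and both policy documents are embedded inline so the check runs offline.

```python
import json

# Constructed sample: trust policy letting a third-party account (constructed ID)
# assume the role with no External ID, so it is open to the confused-deputy problem.
TRUST_POLICY_WEAK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: the same grant, hardened with the sts:ExternalId condition.
TRUST_POLICY_HARDENED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "constructed-secret-id"}},
    }],
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_unprotected_assume_role(trust_policy_json, own_account_id):
    """Return account IDs that may assume the role with no External ID required.

    Only an exact StringEquals sts:ExternalId condition counts; the IfExists
    variant would let the caller simply omit the key."""
    findings = []
    for stmt in _as_list(json.loads(trust_policy_json).get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*"}:
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        has_external_id = any(k.lower() == "sts:externalid" for k in equals)
        principal = stmt.get("Principal", {})
        for arn in _as_list(principal.get("AWS") if isinstance(principal, dict) else None):
            account = arn.split(":")[4] if arn.startswith("arn:") else arn  # account ID field
            if account != own_account_id and not has_external_id:
                findings.append(account)
    return findings
```

Principals in your own account are skipped on purpose: the External ID is meant for third parties, and a wildcard principal ("*") is reported like any other foreign account.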
