STS Latest Update with Verified Answers
STS (Security Token Service)

Grants users limited and temporary access to AWS resources. Users can come from three sources:
- Federation
- Federation with mobile apps
- Cross-account access

Federation
Combining or joining a list of users in one domain (such as IAM) with a list of users in another domain (such as Active Directory, Facebook, etc.).

STS - Federation
- Typically Active Directory.
- Uses Security Assertion Markup Language (SAML).
- Grants temporary access based on the user's Active Directory credentials; the user does not need to exist in IAM.
- Single sign-on lets users log in to the AWS console without being assigned IAM credentials.

STS - Federation with Mobile Apps
Use Facebook, Amazon, Google or another OpenID Connect provider to log in.

STS - Cross Account Access
Lets users from one AWS account access resources owned by another AWS account.

Identity Broker
A service that takes an identity from point A and joins it (federates it) to point B.

Identity Store
A component of digital authentication in an access control system: a repository that holds the information uniquely describing individuals or machine entities. Examples: Active Directory, Facebook, Google.

Identity
The fact of being who or what a person or thing is; for example, a user of a service like Facebook.

Scenario Question
You are hosting a company website on EC2 web servers in your VPC. Users of the website must log into the site, which then authenticates against the company's Active Directory servers located on site at the company's HQ. Your VPC is connected to HQ via a secure IPsec VPN. Once logged in, a user may only have access to their own S3 bucket. How do you set this up?

Scenario Answer
1. The employee enters their username and password.
2. The application calls an Identity Broker. The broker captures the username and password.
3. The Identity Broker uses the organization's LDAP directory to validate the employee's identity.
4. The Identity Broker calls GetFederationToken using its own IAM user credentials. The call must include a duration (DurationSeconds, from 15 minutes up to 36 hours: how long the user is granted access to AWS) and a policy specifying the permissions to be granted to the temporary security credentials. The effective permissions are the intersection of that policy and the permissions of the IAM user making the call, so the broker's own IAM policy is the ceiling on what any federated user can receive.
5. The Security Token Service confirms that the policy of the IAM user making the call to GetFederationToken gives permission to create new tokens, then returns four values to the application: access key ID, secret access key, session token and expiration time.
6. The Identity Broker returns the temporary security credentials to the application.
7. The application uses the temporary security credentials (including the session token) to make requests to S3.
8. S3 uses IAM to verify that the credentials allow the requested operation on the given S3 bucket and key.
9. IAM gives S3 the go-ahead to perform the requested operation.

Tips
- Develop an Identity Broker to communicate with LDAP and AWS STS.
- The Identity Broker always authenticates with LDAP first, then with STS.
- The application then gets temporary access to AWS resources.

Scenario 2
- Develop an Identity Broker to communicate with LDAP and AWS STS.
- The Identity Broker always authenticates with LDAP first, then looks up the IAM role associated with the user.
- The application then authenticates with STS and assumes that IAM role.
- The application uses that IAM role to interact with S3.

ADFS
Active Directory Federation Services is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet. When a user needs to access a web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its web application, which uses the claims to make authorization decisions.

Active Directory Federation Flow
1. User JohnDow browses to the ADFS sign-on page inside his domain.
2. The ADFS sign-on page authenticates JohnDow against AD (Active Directory) with his AD username and password.
3. JohnDow's browser receives a SAML assertion in the form of an authentication response from ADFS.
4. JohnDow's browser posts the SAML assertion to the AWS sign-in endpoint for SAML.
5. AWS sign-in uses the AssumeRoleWithSAML API to request temporary security credentials and then constructs a sign-in URL for the AWS Management Console.
6. JohnDow's browser receives the sign-in URL and is redirected to the console.

Web Identity Federation
With web identity federation, you don't need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known identity provider (IdP) such as Login with Amazon, Facebook, Google or any other OpenID Connect (OIDC)-compatible IdP, receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account. Using an IdP helps you keep your AWS account secure, because you don't have to embed and distribute long-term security credentials with your application.

Web Identity Federation - Flow
1. User JohnDow goes to the application's sign-in page and selects "Login with Facebook".
2. JohnDow enters his Facebook username and password and receives a Facebook access token.
3. Using the Facebook access token, the application makes an AssumeRoleWithWebIdentity request to STS to get temporary security credentials.
4. JohnDow may then access the AWS resources permitted by the role.
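The following is an added example of the identity-broker scenario and the Tips above (LDAP first, STS second, GetFederationToken with a scoped policy); it is not code from the original notes. It assumes the directory is reached through an object with authenticate(username, password) and STS through an object with get_federation_token(**kwargs) in the boto3 signature, so a real boto3 STS client can be passed in place of the constructed FakeSTS. The bucket naming convention '<username>-data', the FakeLDAP users and all credential values are constructed for the demo.

```python
"""Identity-broker sketch for the LDAP -> GetFederationToken scenario.

Added example (not part of the original notes). The FakeLDAP and FakeSTS classes
are constructed stand-ins so the flow runs offline; broker_login itself only
relies on the boto3 method name and response shape for GetFederationToken.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# STS limits for GetFederationToken when the caller is an IAM user.
MIN_DURATION_SECONDS = 900        # 15 minutes
MAX_DURATION_SECONDS = 129_600    # 36 hours

# GetFederationToken's Name must be 2-32 chars of [\w+=,.@-]. We are stricter,
# because the value is also interpolated into the bucket ARN below and a '*'
# or '?' there would silently widen the policy.
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{1,31}$")


@dataclass(frozen=True)
class TemporaryCredentials:
    """The four values GetFederationToken returns."""
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime


def check_duration(seconds: int) -> int:
    """Reject durations STS would refuse instead of letting the call fail late."""
    if not MIN_DURATION_SECONDS <= seconds <= MAX_DURATION_SECONDS:
        raise ValueError(
            f"DurationSeconds must be in [{MIN_DURATION_SECONDS}, {MAX_DURATION_SECONDS}]")
    return seconds


def build_own_bucket_policy(bucket: str) -> dict:
    """Session policy allowing access only to the user's own bucket.

    STS intersects this with the broker IAM user's permissions, so the broker's
    own IAM policy is the hard ceiling on what any federated user can do.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def broker_login(ldap, sts, username: str, password: str,
                 duration_seconds: int = 3600) -> TemporaryCredentials:
    """LDAP first, STS second: an unauthenticated user never reaches STS."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains characters not allowed in a policy ARN")
    if not ldap.authenticate(username, password):
        raise PermissionError("LDAP authentication failed")
    bucket = f"{username}-data"   # hypothetical convention: one bucket per employee
    response = sts.get_federation_token(
        Name=username,            # shows up in CloudTrail as the federated user
        Policy=json.dumps(build_own_bucket_policy(bucket)),
        DurationSeconds=check_duration(duration_seconds),
    )
    c = response["Credentials"]
    return TemporaryCredentials(c["AccessKeyId"], c["SecretAccessKey"],
                                c["SessionToken"], c["Expiration"])


class FakeLDAP:
    """Constructed stand-in for the corporate directory (demo only)."""
    def __init__(self, users: dict):
        self._users = users

    def authenticate(self, username: str, password: str) -> bool:
        return self._users.get(username) == password


class FakeSTS:
    """Constructed stand-in for boto3's STS client; records the request it received."""
    def __init__(self):
        self.last_request = None
        self.last_policy = None

    def get_federation_token(self, **kwargs) -> dict:
        self.last_request = kwargs
        self.last_policy = json.loads(kwargs["Policy"])
        # Same shape as the real response; the values are made up.
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEYID",
            "SecretAccessKey": "example-secret",
            "SessionToken": "example-session-token",
            "Expiration": datetime.now(timezone.utc) + timedelta(seconds=kwargs["DurationSeconds"]),
        }}


if __name__ == "__main__":
    ldap = FakeLDAP({"jdoe": "correct horse"})
    creds = broker_login(ldap, FakeSTS(), "jdoe", "correct horse", 3600)
    print(creds.access_key_id, creds.expiration.isoformat())
```

In production, replace FakeSTS with boto3.client("sts") created from the broker's IAM user credentials; that IAM user needs sts:GetFederationToken plus the S3 permissions it intends to delegate, and nothing more, since every federated session is bounded by it.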
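As an added example for the web identity federation flow above (not code from the original notes), the block below builds the two IAM documents an AssumeRoleWithWebIdentity role needs for Login with Facebook and checks the trust condition offline the way STS would: the token's app id must match the app id the role trusts, so a token minted for someone else's Facebook app cannot assume the role. The condition-key names graph.facebook.com:app_id and graph.facebook.com:id are the ones IAM documents for Facebook; the claims dicts, role ARN, bucket name and token string are constructed, and the claims are already mapped into IAM key names rather than being raw Facebook token fields.

```python
"""Web identity federation: what the role trusts and what it may do.

Added example, not from the original notes. Policy documents are plain dicts so
they can be inspected or json.dumps()'d into a role definition.
"""
import re

IDP = "graph.facebook.com"
APP_ID_KEY = f"{IDP}:app_id"   # which Facebook application issued the token
USER_ID_KEY = f"{IDP}:id"      # the Facebook user id, usable as a policy variable

SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def build_trust_policy(app_id: str) -> dict:
    """Who may assume the role: only tokens issued by our own Facebook app.

    Without the app_id condition any Facebook-authenticated user on the
    internet, through any app, could assume this role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": IDP},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {APP_ID_KEY: app_id}},
        }],
    }


def build_permission_policy(bucket: str) -> dict:
    """What the role may do: each user confined to a prefix named after their IdP user id.

    ${graph.facebook.com:id} is resolved by IAM at request time from the
    session, so one role serves every user without per-user policies.
    """
    user_prefix = "${" + USER_ID_KEY + "}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{user_prefix}/*"]}}},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{user_prefix}/*"},
        ],
    }


def trust_policy_allows(trust_policy: dict, claims: dict) -> bool:
    """Offline mirror of the StringEquals check STS applies before issuing credentials."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt["Principal"].get("Federated") != IDP:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        # Every condition key must be present in the token and equal; a missing claim fails.
        if all(claims.get(key) == value for key, value in conditions.items()):
            return True
    return False


def assume_role_request(role_arn: str, web_identity_token: str, claims: dict,
                        duration_seconds: int = 3600) -> dict:
    """Keyword arguments for boto3 sts.assume_role_with_web_identity(**request).

    The call is unsigned: the app needs no AWS credentials of its own, which is
    the point of web identity federation. The session name is derived from the
    IdP user id so CloudTrail shows which user acted.
    """
    session_name = f"fb-{claims[USER_ID_KEY]}"
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError("RoleSessionName must match [\\w+=,.@-]{2,64}")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "WebIdentityToken": web_identity_token,
        "DurationSeconds": duration_seconds,   # capped by the role's MaxSessionDuration
    }


if __name__ == "__main__":
    trust = build_trust_policy("123456789012345")
    ours = {APP_ID_KEY: "123456789012345", USER_ID_KEY: "10203040"}
    theirs = {APP_ID_KEY: "999999999999999", USER_ID_KEY: "10203040"}  # same person, other app
    print(trust_policy_allows(trust, ours), trust_policy_allows(trust, theirs))  # True False
```

The same pattern applies to the other providers the notes mention, with the provider's own keys: accounts.google.com:aud and accounts.google.com:sub for Google, www.amazon.com:app_id and www.amazon.com:user_id for Login with Amazon, and <provider>:aud / <provider>:sub for a generic OIDC IdP.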
Document information
- Institution: STS
- Course: STS
- Uploaded on: October 26, 2023
- Number of pages: 8
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers