IAM

• IAM Access Advisor - when the access keys were last used and which services

• IAM Access Analyzer - the resources that are shared with public third party external other than trust zone.

• Using cross account IAM role vs Resource Based Policies - If we assume a role, we gave up original permissions that we have and only have access permissions that the role have. But when using resource-based policies, no need to give up.

• IAM permission boundaries - for users or roles to set maximum permission an IAM entity get so no escalation.

  

STS Important APIs

• AssumeRole: access a role within your account or cross-account
• AssumeRoleWithSAML: return credentials for users logged with SAML
• AssumeRoleWithWebIdentity: return creds for users logged with an IdP
  • Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider
  • AWS recommends using Cognito instead
• GetSessionToken: for MFA, from a user or AWS account root user
• GetFederationToken: obtain temporary creds for a federated user, usually a proxy app that will give the creds to a distributed app inside a corporate network

Identity Federation in AWS

• Use cases:

  • A corporate has its own identity system (e.g., Active Directory)
  • Web/Mobile application that needs access to AWS resources

• Identity Federation can have many flavors:

  • SAML 2.0
  • Custom Identity Broker
  • Web Identity Federation With(out) Amazon Cognito
  • Single Sign-On (SSO)

• SAML 2.0 Federation

  • Security Assertion Markup Language 2.0 (SAML 2.0)

  • Open standard used by many identity providers (e.g., ADFS)

  • Access to AWS Console, AWS CLI, or AWS API using temporary credentials

  • Under-the-hood: Uses the STS API AssumeRoleWithSAML

  • SAML 2.0 Federation is the “old way”, Amazon Single Sign-On (AWS SSO) Federation is the new managed and simpler way

    

    

    

• Custom Identity Broker Application

  • Use only if Identity Provider is NOT compatible with SAML 2.0

  • The Identity Broker Authenticates users & requests temporary credentials from AWS

  • The Identity Broker must determine the appropriate IAM Role

  • Uses the STS API AssumeRole or GetFederationToken by client to obtain temp credentials

    

• Web Identity Federation – With Cognito

  

  • Create IAM Roles using Cognito with the least privilege needed
  • Build trust between the OIDC IdP and AWS
  • Cognito support MFA, Data Synchronization and anonymous users

Active Directory and AWS Directory services

• What is Microsoft Active Directory (AD)?
  • Database of objects: User Accounts, Computers, Printers, File Shares, Security Groups
  • Centralized security management, create account, assign permissions
  • Objects are organized in trees
  • A group of trees is a forest
• AWS Directory Services

  • AWS Managed Microsoft AD

    • Create your own AD in AWS, manage users locally, supports MFA

    • Establish “trust” connections with your on- premises AD

      • One-way trust: AWS → On-prem

      • One-way trust: On-prem → AWS or

      • Two-way forest trust: AWS ↔ on-premises

        

    • No replication, just trust between on-premise AD and AWS AD

    • For better latency, replicate on-prem AD to EC2 instance manged by yourself and deploy AD.

      

  • AD Connector

    • Directory Gateway (proxy) to redirect to on- premises AD, supports MFA
    • No caching
    • Users are managed on the on-premises AD

  • Simple AD

    • Simple AD is an inexpensive Active Directory–compatible service with the common directory features.
    • No MFA, no AWS SSO
    • lower cost, low scale, basic AD compatible, or LDAP compatibility
    • No trust relationship