AWS Security Token Service
AWS STS (Security Token Service) issues temporary, limited-privilege credentials. Use it to assume an IAM Role within the same AWS account or across accounts, and for Identity Federation.
How is it achieved?
- Define an IAM Role, in your own account or in another account, that you want to assume
- Define which Principals can assume this IAM Role (the role's trust policy)
- Use AWS STS to retrieve temporary credentials and act as the IAM Role you have access to (AssumeRole API)
- Temporary credentials are valid between 15 minutes and 12 hours; the ceiling is the role's MaxSessionDuration (1 hour by default), and role chaining (assuming a role using credentials obtained from another role) is capped at 1 hour regardless
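The AssumeRole call and what to do with the credentials it returns, as an added example that is not part of the original notes. It assumes boto3 is installed for the one network call (assume_role); every other function works offline. ROLE_ARN, the values in SAMPLE_RESPONSE and SAMPLE_NOW are constructed placeholders, and the duration limits encode the 15 minute / 12 hour / 1 hour chaining rules above so a bad request fails before it leaves the machine.

```python
"""Request temporary credentials with STS AssumeRole and use them safely.

Added example, not code from the original notes. It assumes boto3 is installed
for the one network call (assume_role); every other function works offline.
ROLE_ARN and the credential values in SAMPLE_RESPONSE are constructed
placeholders, not real identifiers.
"""
from datetime import datetime, timezone
from typing import Optional

MIN_DURATION = 900       # 15 minutes: the smallest DurationSeconds STS accepts
MAX_DURATION = 43200     # 12 hours: the largest MaxSessionDuration a role can have
CHAINED_MAX = 3600       # role chaining (role credentials assuming another role) is capped at 1 hour

ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleReadOnly"  # placeholder

# Constructed sample in the shape STS returns from AssumeRole; values are fake.
# Temporary access keys start with "ASIA" (long-term IAM user keys start with "AKIA").
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID1234",
        "SecretAccessKey": "exampleSecretAccessKey",
        "SessionToken": "exampleSessionToken",
        "Expiration": datetime(2024, 1, 1, 13, 0, tzinfo=timezone.utc),
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:audit-session",
        "Arn": "arn:aws:sts::111122223333:assumed-role/ExampleReadOnly/audit-session",
    },
}
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"


def validate_duration(seconds: int, chained: bool = False) -> int:
    """Reject DurationSeconds values STS would refuse, before any network call."""
    if not MIN_DURATION <= seconds <= MAX_DURATION:
        raise ValueError(
            f"DurationSeconds must be between {MIN_DURATION} and {MAX_DURATION}, got {seconds}"
        )
    if chained and seconds > CHAINED_MAX:
        raise ValueError(f"role chaining caps DurationSeconds at {CHAINED_MAX}, got {seconds}")
    return seconds


def credentials_to_session_kwargs(response: dict) -> dict:
    """Map the Credentials block onto boto3.Session keyword arguments.

    All three values are needed: a temporary access key and secret presented
    without the session token are rejected, and dropping the token is a common bug.
    """
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def seconds_remaining(response: dict, now: Optional[datetime] = None) -> float:
    """How long the temporary credentials stay valid; refresh when this gets low."""
    now = now or datetime.now(timezone.utc)
    return (response["Credentials"]["Expiration"] - now).total_seconds()


def assume_role(role_arn: str, session_name: str, duration: int = 3600,
                external_id: Optional[str] = None, chained: bool = False) -> dict:
    """Call STS AssumeRole (network call; needs boto3 and valid caller credentials)."""
    import boto3  # imported here so the offline helpers above never need it

    params = {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,  # recorded in CloudTrail: make it identify the caller
        "DurationSeconds": validate_duration(duration, chained),
    }
    if external_id is not None:
        params["ExternalId"] = external_id  # required when the trust policy conditions on it
    return boto3.client("sts").assume_role(**params)


if __name__ == "__main__":
    kwargs = credentials_to_session_kwargs(SAMPLE_RESPONSE)
    print("session kwargs keys:", sorted(kwargs))
    print("seconds left on sample credentials:", seconds_remaining(SAMPLE_RESPONSE, SAMPLE_NOW))
    try:
        validate_duration(7200, chained=True)
    except ValueError as err:
        print("rejected:", err)
```

The returned kwargs go straight into boto3.Session(**kwargs); the RoleSessionName is worth choosing deliberately because it is what shows up in CloudTrail when the assumed role acts.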
Use-cases / When do we want to Assume a Role with STS:
- You want to give an IAM user in one AWS account you own access to resources in another account you own
- You want to give access to IAM users in AWS accounts owned by third parties
- You want to give access to externally authenticated users (Identity Federation)
How do you provide access to AWS accounts owned by third parties? Use an External ID.
Zone of Trust: accounts and organizations you own. Outside the Zone of Trust: third parties.
Use IAM Access Analyzer to find out which resources (roles included) are shared outside your zone of trust.
Steps:
- Get their AWS account ID.
- Agree on an External ID: a value known to you and the third party, generated by the third party as a random string and unique to you. It ties the role to that third party alone and must be supplied both when defining the trust (the sts:ExternalId condition in the role's trust policy) and when assuming the role (the ExternalId parameter of AssumeRole). Its purpose is to prevent the confused deputy problem: without it, another customer of the third party who learns your role ARN could ask the third party to assume your role on their behalf.
- Define the role's permissions in an IAM permissions policy (least privilege: only what the third party needs).
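The trust policy and permissions policy the steps above describe, plus a check of who gets through, as an added example that is not part of the original notes. The account IDs, bucket name and external ID are constructed placeholders, and assume_allowed() is a deliberately small model of just the two checks that matter here (Principal match and the sts:ExternalId condition), not the real IAM policy evaluator.

```python
"""Cross-account trust policy with an External ID, and a check of requests against it.

Added example, not from the original notes. The account IDs, bucket name and
external ID are constructed placeholders. assume_allowed() is a deliberately
small model of the two checks that matter here (Principal match and the
sts:ExternalId condition); it is not the real IAM policy evaluator.
"""
import json
import secrets
from typing import Optional

THIRD_PARTY_ACCOUNT = "111122223333"   # placeholder: the vendor's AWS account ID
OTHER_ACCOUNT = "444455556666"         # placeholder: some unrelated account
EXAMPLE_EXTERNAL_ID = "c3d2a1f0e9b8a7c6d5e4f3a2b1c0d9e8"  # placeholder, would be vendor-generated


def generate_external_id() -> str:
    """What the third party should produce: random, unique per customer, from a CSPRNG."""
    return secrets.token_hex(16)  # 32 hex characters


def trust_policy(third_party_account_id: str, external_id: str) -> dict:
    """Trust policy for the role in your account: only the third party's account,
    and only when it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{third_party_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(bucket: str) -> dict:
    """Permissions policy attached to the same role: least privilege, one bucket read-only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def _as_list(value):
    """IAM lets Action and Principal be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def assume_allowed(policy: dict, caller_account_id: str,
                   external_id: Optional[str] = None) -> bool:
    """Model of the trust check: an Allow statement for sts:AssumeRole whose
    Principal covers the caller's account and whose sts:ExternalId condition
    (if present) equals the value supplied. Omitting the ExternalId fails the
    condition: that is the confused-deputy request this control exists to stop."""
    caller_root = f"arn:aws:iam::{caller_account_id}:root"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if caller_root not in _as_list(stmt["Principal"].get("AWS", [])):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == external_id:
            return True
    return False


if __name__ == "__main__":
    policy = trust_policy(THIRD_PARTY_ACCOUNT, EXAMPLE_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("vendor with correct ID:", assume_allowed(policy, THIRD_PARTY_ACCOUNT, EXAMPLE_EXTERNAL_ID))
    print("vendor without ID:    ", assume_allowed(policy, THIRD_PARTY_ACCOUNT))
    print("other account with ID:", assume_allowed(policy, OTHER_ACCOUNT, EXAMPLE_EXTERNAL_ID))
```

The JSON printed by trust_policy() is what goes into the role's trust relationship; the vendor then passes the same value as ExternalId on every AssumeRole call, and a request from the right account without it is refused.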
AWS STS Important APIs
- AssumeRole: access a role within your account or cross-account, called with IAM user or role credentials
- AssumeRoleWithSAML: return credentials for users logged in with SAML 2.0
- AssumeRoleWithWebIdentity: return credentials for users logged in with a web identity provider (IdP)
Ex: Amazon Cognito, Google, Facebook, or any OpenID Connect-compatible IdP.
AWS recommends using Amazon Cognito (identity pools) rather than calling this API directly from the application, since Cognito handles the provider token exchange for you.
- GetSessionToken: temporary credentials for an IAM user or the AWS account root user, typically used to satisfy MFA (pass the MFA device SerialNumber and TokenCode)
- GetFederationToken: obtain temporary credentials for a federated user; the caller is usually a proxy application inside the corporate network that hands credentials to a distributed app