• Grants users limited and temporary access to AWS resources
  • Users can come from 3 different sources:
    • Federation (Active Directory):
      • Uses Security Assertion Markup Language (SAML)
      • Grants temporary access based on the user's AD credentials
      • Does not need to be an IAM user
      • Single sign-on allows users to log into the AWS console without being assigned IAM credentials
    • Federation with Mobile Apps:
      • Use Facebook, Amazon, Google, or other OpenID providers to log in
    • Cross Account Access:
      • Lets users from one AWS account access resources in another AWS account
  • Federation – Combining or joining a list of users in one domain with a list of users in another domain (Active Directory -> IAM for example)
  • Identity Broker – A service that allows you to take an identity from Domain A and join it (federate it) to Domain B
  • Identity Store – Services like Active Directory, Facebook, Google, Amazon, etc.
  • Identities – A user of a service like Amazon, Facebook, Google, etc.
  • Steps of Authentication:
    • User enters username/password
    • Application calls an Identity Broker and passes it the username/password
    • The Identity Broker uses the organization's centralized authentication (think Active Directory) to validate the identity of the user
    • The Identity Broker then calls the new GetFederationToken function using IAM credentials. The call must include a duration (1-36 hours) and an IAM policy that specifies the permissions to be granted to the temporary security credentials
    • STS confirms that the policy of the user making the call gives permission to create new tokens and then returns 4 values:
      • Access Key
      • Secret Access Key
      • Token
      • Duration of token
    • Identity Broker returns the temporary security credentials to the requesting application
    • The requesting application uses the temporary security credentials and token to make requests to Amazon
    • Amazon uses IAM to verify that the credentials allow the requested operation on the given service using the given key
    • IAM returns an allow decision to the service, which then performs the requested operation
  • Steps in Simplicity:
    • Develop an Identity Broker to communicate with LDAP and AWS STS
    • The Identity Broker should always authenticate with LDAP first, then with the STS service
    • The application gets temporary access to AWS resources
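The identity broker sequence above, carried out as an added Python example (not code from the original notes): the broker checks the user against a constructed in-memory stand-in for LDAP/Active Directory, refuses to touch STS until that check passes, enforces the 1-36 hour duration the notes give, attaches a least-privilege session policy, and calls GetFederationToken through a stub that returns the four values in the same shape as the real STS response. To run it against AWS, pass `boto3.client("sts").get_federation_token` as `call_sts` with the broker's IAM user credentials in the environment; the directory, usernames, bucket name and every credential value below are constructed.

```python
"""Identity broker: directory first, then AWS STS GetFederationToken.
Constructed demo; the directory is an in-memory dict and STS is a stub."""
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict

# Constructed stand-in for Active Directory / LDAP. Assumption: a real broker
# would bind to LDAP here instead of reading a dict.
DIRECTORY: Dict[str, Dict] = {
    "alice": {"password": "correct-horse-battery", "bucket": "example-reports"},
}

# The notes give 1-36 hours as the token duration; the broker enforces that range.
MIN_SECONDS = 1 * 3600
MAX_SECONDS = 36 * 3600


def authenticate_with_directory(username: str, password: str) -> bool:
    """Validate the user against the organisation's central directory."""
    entry = DIRECTORY.get(username)
    return entry is not None and entry["password"] == password


def build_session_policy(bucket: str) -> dict:
    """Policy passed to GetFederationToken. The effective permissions are the
    intersection of this policy and the broker's own IAM permissions, so the
    token can never exceed what the broker itself may do; keep it narrow."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def stub_sts_get_federation_token(**kwargs) -> dict:
    """Constructed offline stand-in for sts.get_federation_token. Mirrors the
    real response shape (Credentials + FederatedUser) with obviously fake values."""
    json.loads(kwargs["Policy"])  # the real call rejects a malformed policy document
    return {
        "Credentials": {
            "AccessKeyId": "ASIA-CONSTRUCTED-EXAMPLE",
            "SecretAccessKey": "constructed-secret-not-real",
            "SessionToken": "constructed-session-token",
            "Expiration": datetime.now(timezone.utc)
            + timedelta(seconds=kwargs["DurationSeconds"]),
        },
        "FederatedUser": {"FederatedUserId": f"123456789012:{kwargs['Name']}"},
    }


def broker_temporary_credentials(
    username: str,
    password: str,
    duration_hours: int,
    call_sts: Callable[..., dict] = stub_sts_get_federation_token,
) -> dict:
    """Authenticate with the directory, then ask STS for temporary credentials."""
    # Directory check comes first: an unauthenticated caller must never cause
    # a token to be minted, even a tightly scoped one.
    if not authenticate_with_directory(username, password):
        raise PermissionError("directory authentication failed")

    duration = int(timedelta(hours=duration_hours).total_seconds())
    if not MIN_SECONDS <= duration <= MAX_SECONDS:
        raise ValueError(f"duration must be 1-36 hours, got {duration_hours}h")

    policy = build_session_policy(DIRECTORY[username]["bucket"])
    # Name is the federated user name STS records for auditing; use the real
    # directory username so CloudTrail entries map back to a person.
    response = call_sts(Name=username, Policy=json.dumps(policy), DurationSeconds=duration)

    creds = response["Credentials"]
    # The four values the notes list: access key, secret key, token, duration.
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"],
    }


if __name__ == "__main__":
    print(broker_temporary_credentials("alice", "correct-horse-battery", 2))
```

The application that receives these values signs its AWS requests with the access key and secret key and sends the session token alongside them; once `Expiration` passes, the application must go back through the broker rather than retrying with the stale token.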

Web Identity Federation

  • Useful for mobile apps to access AWS resources
  • Allows the app to receive an authentication token from the identity provider and then exchange that token for temporary AWS credentials
  • Means you do not have to embed or distribute long-term AWS credentials with the app
  • Supports the following providers:
    • Amazon
    • Facebook
    • Google
    • Any other OpenID Connect (OIDC) compatible identity provider
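The web identity exchange above, as an added Python example (not code from the original notes): the app presents a provider token, STS checks the IAM role's trust policy, and temporary credentials come back without the app ever holding a long-term AWS key. The real call is boto3's `assume_role_with_web_identity(RoleArn=..., RoleSessionName=..., WebIdentityToken=<raw JWT>)`, which boto3 sends unsigned; here STS is a local stub, the token is represented by its decoded claims only, and the role ARN, Google client ID and subject value are constructed. The trust-policy evaluation is deliberately simplified to the Principal and StringEquals checks; real STS also verifies the token's signature, issuer and expiry.

```python
"""Web identity federation: exchange a provider token for temporary AWS credentials.
Constructed example; STS is a stub and the token is its decoded claims."""
from datetime import datetime, timedelta, timezone
from typing import Dict


def build_web_identity_trust_policy(provider: str, client_id: str) -> dict:
    """Trust policy for the IAM role the app assumes. The Condition on the
    provider's aud claim is what stops a valid token that the same provider
    issued for a different app from assuming this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{provider}:aud": client_id}},
        }],
    }


def trust_policy_allows(policy: dict, provider: str, claims: Dict[str, str]) -> bool:
    """Simplified local evaluation of the trust policy against token claims
    (models only the Principal and StringEquals checks)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt.get("Principal", {}).get("Federated") != provider:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition keys look like "accounts.google.com:aud"; compare the claim part.
        if all(claims.get(key.split(":", 1)[1]) == expected
               for key, expected in conditions.items()):
            return True
    return False


def stub_assume_role_with_web_identity(role_arn: str, provider: str, claims: Dict[str, str],
                                       trust_policy: dict, session_name: str,
                                       duration_seconds: int = 3600) -> dict:
    """Constructed stand-in for sts.assume_role_with_web_identity. The real call
    needs no AWS credentials; STS checks the role's trust policy and, on success,
    returns temporary credentials in this shape."""
    if not trust_policy_allows(trust_policy, provider, claims):
        raise PermissionError("AccessDenied: role trust policy does not allow this token")
    account_id = role_arn.split(":")[4]
    role_name = role_arn.split("/")[-1]
    return {
        "Credentials": {
            "AccessKeyId": "ASIA-CONSTRUCTED-EXAMPLE",
            "SecretAccessKey": "constructed-secret-not-real",
            "SessionToken": "constructed-session-token",
            "Expiration": datetime.now(timezone.utc) + timedelta(seconds=duration_seconds),
        },
        "AssumedRoleUser": {
            "Arn": f"arn:aws:sts::{account_id}:assumed-role/{role_name}/{session_name}",
        },
    }


if __name__ == "__main__":
    # Constructed values: a hypothetical role and Google OAuth client ID.
    role_arn = "arn:aws:iam::123456789012:role/MobileAppReadOnly"
    client_id = "example-client-id.apps.googleusercontent.com"
    trust = build_web_identity_trust_policy("accounts.google.com", client_id)
    # Token this app obtained from Google (decoded claims; the real flow passes the raw JWT).
    own_token = {"aud": client_id, "sub": "110248495921238986420"}
    print(stub_assume_role_with_web_identity(role_arn, "accounts.google.com",
                                             own_token, trust, "alice-session"))
    # A token Google issued for some other app carries a different aud and is refused.
    foreign_token = {"aud": "other-app.apps.googleusercontent.com", "sub": "110248495921238986420"}
    try:
        stub_assume_role_with_web_identity(role_arn, "accounts.google.com",
                                           foreign_token, trust, "alice-session")
    except PermissionError as err:
        print(err)
```

When the provider is Amazon or Facebook rather than an OIDC issuer, the condition key and claim differ (for example an app ID rather than `aud`), but the defensive point is the same: the trust policy must pin the role to tokens issued for this specific app, or any user of that provider could assume it.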
