• STS provides temporary credentials for AWS resource access
  • STS can be used from the following sources:
    • Federation using Active Directory:
      • Requires SAML
      • Temporary credentials are issued based on the user's AD credentials
      • No IAM user is needed
      • With SSO, users can also sign in to the AWS console without any IAM credentials
    • Web identity federation for mobile apps:
      • Web federation from Facebook/Amazon/Google/other OpenID providers
    • Cross Account Access:
      • Users from one AWS account access resources in another account
  • Important terms
    • Federation – joining users in one domain with another, e.g. AD -> IAM
    • Identity Broker – service that joins or federates an identity from Domain A to Domain B
    • Identity Store – services storing identities, like AD, Facebook, Google, Amazon, etc.
    • Identities – users of a service
  • Steps of Authentication
    • User enters username/password
    • Application calls an Identity Broker with username/password
    • Identity Broker validates the user's identity against the organization's centralized authentication, such as AD
    • After validation, Identity Broker calls the GetFederationToken function with IAM credentials, passing the IAM policy (permissions) and duration
    • STS, when called, returns the following values:
      • Access Key
      • Secret Access Key
      • Token
      • Duration of token
    • Identity Broker sends temporary credentials to application
    • Application sends requests to AWS using temporary credentials
    • AWS verifies the credentials through IAM and provides the requested operation or service
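The Identity Broker step of the flow above, written as an added example (not code from the original notes): the broker narrows permissions with a session policy, validates the requested duration, calls GetFederationToken, and hands back the four values listed. The `FakeSTS` class, the account id, bucket name and credential strings are constructed so the example runs offline; against AWS the same `federate()` call takes `boto3.client("sts")` created with the broker's IAM user credentials.

```python
"""Identity Broker side of GetFederationToken, mirroring the steps above."""
import json
import re
from datetime import datetime, timedelta, timezone

# GetFederationToken accepts 900 s to 129,600 s (36 h) when called by an IAM user.
MIN_DURATION = 900
MAX_DURATION = 129_600
# Allowed characters for the federated user Name parameter.
NAME_RE = re.compile(r"^[\w+=,.@-]{2,32}$")


def build_scoped_policy(bucket: str, prefix: str) -> dict:
    """Session policy passed to STS. Effective rights are the intersection of
    this policy and the broker's own IAM policy, so it can only narrow access."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            }
        ],
    }


def federate(sts, user_name: str, policy: dict, duration_seconds: int) -> dict:
    """Exchange an already-validated user name for temporary credentials."""
    if not NAME_RE.match(user_name):
        raise ValueError(f"invalid federated user name: {user_name!r}")
    if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
        raise ValueError("DurationSeconds must be between 900 and 129600")
    resp = sts.get_federation_token(
        Name=user_name,
        Policy=json.dumps(policy),
        DurationSeconds=duration_seconds,
    )
    creds = resp["Credentials"]
    # The four values the notes list: access key, secret key, token, duration (as expiry).
    return {
        "access_key": creds["AccessKeyId"],
        "secret_key": creds["SecretAccessKey"],
        "token": creds["SessionToken"],
        "expires_at": creds["Expiration"],
        "federated_arn": resp["FederatedUser"]["Arn"],
    }


class FakeSTS:
    """Constructed stand-in for boto3's STS client so the example runs offline.
    Returns a response shaped like the real GetFederationToken output."""

    def __init__(self):
        self.calls = []

    def get_federation_token(self, **kwargs):
        self.calls.append(kwargs)
        expiry = datetime.now(timezone.utc) + timedelta(seconds=kwargs["DurationSeconds"])
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLEFAKEKEY",  # constructed value
                "SecretAccessKey": "fakeSecretKeyForExampleOnly",
                "SessionToken": "fakeSessionToken",
                "Expiration": expiry,
            },
            "FederatedUser": {
                "FederatedUserId": f"123456789012:{kwargs['Name']}",  # constructed account id
                "Arn": f"arn:aws:sts::123456789012:federated-user/{kwargs['Name']}",
            },
            "PackedPolicySize": 10,
        }


if __name__ == "__main__":
    # Against AWS: sts = boto3.client("sts") using the broker's IAM user credentials.
    sts = FakeSTS()
    creds = federate(sts, "alice@corp", build_scoped_policy("reports-bucket", "alice"), 3600)
    print(json.dumps(creds, default=str, indent=2))
```

The broker never forwards its own long-term keys; the application only ever sees the short-lived set, and the session policy limits what that set can do even if it leaks.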

Web Identity Federation

  • Access AWS resources
  • Most useful for mobile apps
  • Process involves
    • the application getting an authentication token from the identity provider
    • using that token to obtain temporary credentials
  • Recommended because the credentials are temporary; long-term AWS credentials should not be embedded in or distributed with apps
  • Supports following providers
    • Amazon
    • Facebook
    • Google
    • Any other OpenID Connect (OIDC) compatible id provider
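The two-step process above, as an added example that is not part of the original notes: the role's trust policy pins the identity provider and the app's client id (the token's `aud` claim), and the app exchanges its provider token with `AssumeRoleWithWebIdentity`, a call that needs no AWS credentials, which is why nothing has to ship inside the app. The account id, role name, client id and `FakeSTS` are constructed; the fake only checks the `aud` claim and skips the signature and issuer validation real STS performs. Against AWS, pass `boto3.client("sts")` in place of the fake.

```python
"""Web identity federation: swap an IdP token for temporary AWS credentials."""
import base64
import json

ACCOUNT = "123456789012"                                  # constructed account id
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/MobileAppRole"   # constructed role name
CLIENT_ID = "example-client-id"                           # app's client id at the IdP (constructed)


def web_identity_trust_policy(provider: str, client_id: str) -> dict:
    """Trust policy on the role: only tokens from this provider issued for this
    app (aud claim) may assume it. Google uses the key accounts.google.com:aud."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {"StringEquals": {f"{provider}:aud": client_id}},
            }
        ],
    }


def assume_with_web_identity(sts, role_arn: str, session_name: str, id_token: str, duration=3600) -> dict:
    """Second step of the process: unsigned call, the IdP token is the only proof of identity."""
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        WebIdentityToken=id_token,
        DurationSeconds=duration,
    )
    c = resp["Credentials"]
    return {
        "access_key": c["AccessKeyId"],
        "secret_key": c["SecretAccessKey"],
        "token": c["SessionToken"],
        "subject": resp["SubjectFromWebIdentityToken"],
        "assumed_role_arn": resp["AssumedRoleUser"]["Arn"],
    }


# ---- constructed offline stand-ins; against AWS use boto3.client("sts") ----

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(issuer: str, subject: str, audience: str) -> str:
    """Constructed JWT-shaped token (header.payload.signature) with a dummy signature;
    a real IdP signs it and STS verifies that signature before trusting the claims."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject, "aud": audience}).encode())
    return f"{header}.{payload}.sig"


class FakeSTS:
    """Mimics the aud condition of the trust policy; signature/issuer checks are skipped."""

    def __init__(self, trust_policy: dict):
        stmt = trust_policy["Statement"][0]
        self.provider = stmt["Principal"]["Federated"]
        self.audience = stmt["Condition"]["StringEquals"][f"{self.provider}:aud"]

    def assume_role_with_web_identity(self, **kw):
        payload_b64 = kw["WebIdentityToken"].split(".")[1]
        payload = json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))
        if payload.get("aud") != self.audience:
            raise PermissionError("AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity")
        session = kw["RoleSessionName"]
        return {
            "Credentials": {"AccessKeyId": "ASIAFAKEWEBIDENTITY", "SecretAccessKey": "fakeSecret",
                            "SessionToken": "fakeToken", "Expiration": "2099-01-01T00:00:00Z"},
            "SubjectFromWebIdentityToken": payload["sub"],
            "AssumedRoleUser": {"AssumedRoleId": f"AROAFAKE:{session}",
                                "Arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/MobileAppRole/{session}"},
            "Provider": self.provider,
            "Audience": self.audience,
        }


if __name__ == "__main__":
    provider = "accounts.google.com"
    sts = FakeSTS(web_identity_trust_policy(provider, CLIENT_ID))
    token = make_unsigned_token(provider, "user-sub-1", CLIENT_ID)
    print(json.dumps(assume_with_web_identity(sts, ROLE_ARN, "mobile-session", token), indent=2))
```

The `aud` condition is what stops a token legitimately issued to some other application at the same provider from assuming this role; without it any user of the provider could obtain the role's credentials.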
