[AWS DA GURU] IAM

Web Identity Federation

Simplifies authentication and authorization for web applications. 

An authentication token (a JWT issued by the identity provider) is exchanged for temporary AWS credentials, allowing the user to assume an IAM role whose permissions grant access to AWS resources. The application never holds long-lived AWS keys; what it holds is the provider's token and the short-lived credentials it was traded for.

User Access to AWS Resources

Users access AWS resources after successfully authenticating with a web-based identity provider like Facebook, Amazon, or Google.

Authentication

Following successful authentication, the user receives an authentication token (the JWT above) from the web identity provider.

Authorization

The user (in practice, the application on the user's behalf) trades this token for temporary AWS security credentials, which authorize access to AWS resources. Which provider, and which audience (app client) or subject, may perform that trade is decided by the trust policy of the role being assumed, so the trust policy is the control to review.

 

Cognito

User Pools

Handle sign-up and sign-in functionality for mobile and web applications.

Sign-in

Users can sign in directly to the user pool (username and password) or through a federated provider such as Facebook, Google, or Amazon; user pools also accept SAML and OIDC providers.

Identity Pools

Identity pools (federated identities) exchange a token from a user pool or a third-party provider for temporary AWS credentials, enabling access to AWS services such as S3 or DynamoDB. The permissions come from IAM roles mapped to authenticated and, optionally, unauthenticated (guest) identities, so those roles' policies and trust conditions are what bound the damage a compromised app can do.

 

Cognito Push Synchronization

Cognito Push Synchronization uses SNS to send a silent push notification of user data updates to every device associated with a single user identity, so that all of them refresh their copy of the synced dataset. Note that this belongs to Cognito Sync, which is a legacy feature; AWS directs new applications to AWS AppSync for data synchronization.

 

Lab: Cognito user access DynamoDB for read

 

Inline, AWS Managed, and Customer Managed Policies

There are three types of IAM policies

  • AWS Managed Policies
  • Customer Managed Policies
  • Inline Policies

AWS Managed Policies

An IAM policy created and administered by AWS.

For example: 

  • AmazonDynamoDBFullAccess
  • AWSCodeCommitPowerUser
  • ....

You can assign appropriate permissions to your users without having to write the policy yourself.

Attach to multiple users, groups, or roles in the same AWS account or across different accounts.

You cannot change the permissions defined in an AWS managed policy; only AWS can, and AWS does update them over time, so what a managed policy grants can change underneath you.

 

Customer Managed Policies

  • Created by you: a standalone policy that you create and administer inside your own AWS account. You can attach it to multiple users, groups, and roles within that account.
  • Copy an existing policy: to create a customer managed policy, you can copy an existing AWS managed policy and customize it to fit the requirements of your organization.
  • When to use: recommended where the existing AWS managed policies do not meet the needs of your environment, and generally wherever least privilege matters, since you control the exact actions and resources granted.

Inline Policies

  • 1:1 relationship: there is a strict 1:1 relationship between the entity and the policy.
  • Embedded: when you delete the user, group, or role in which the inline policy is embedded, the policy is deleted with it.
  • Single user, group, or role: use an inline policy when the policy must never be attached to any entity other than the one it was written for. It can only ever be attached to that single user, group, or role.

Inline policies do not appear in the IAM console's Policies list; they are only visible on the entity they are embedded in (for a user, via list-user-policies / get-user-policy), which makes them easy to miss during permission reviews.

In most cases, AWS recommends using managed policies over inline policies.
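To see which of the three policy types a role actually carries, it is easier to audit from the account's authorization details than from the console, where inline policies are hidden on the entity. The following is an added example (mine, not the course's) that classifies policies from a constructed sample shaped like the output of `aws iam get-account-authorization-details`: AWS managed policies carry the reserved `aws` account in their ARN, customer managed policies carry your own account ID, and inline policies have no ARN at all. The account ID, role names, and policy names in the sample are placeholders.

```python
"""Classify the policies attached to IAM roles (added illustration).

Not code from the course. It consumes data shaped like the output of
`aws iam get-account-authorization-details` (RoleDetailList entries with
AttachedManagedPolicies and an inline RolePolicyList) and sorts every
policy into AWS managed, customer managed, or inline. The account ID,
role names and policy names in SAMPLE are constructed placeholders.
"""
import json

# Constructed sample in the shape of get-account-authorization-details output.
SAMPLE = json.loads("""
{
  "RoleDetailList": [
    {
      "RoleName": "app-role",
      "AttachedManagedPolicies": [
        {"PolicyName": "AmazonDynamoDBFullAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"},
        {"PolicyName": "orders-table-rw",
         "PolicyArn": "arn:aws:iam::123456789012:policy/orders-table-rw"}
      ],
      "RolePolicyList": [
        {"PolicyName": "legacy-s3",
         "PolicyDocument": {"Version": "2012-10-17", "Statement": [
           {"Effect": "Allow", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::legacy-bucket/*"}]}}
      ]
    },
    {
      "RoleName": "ci-role",
      "AttachedManagedPolicies": [
        {"PolicyName": "AWSCodeCommitPowerUser",
         "PolicyArn": "arn:aws:iam::aws:policy/AWSCodeCommitPowerUser"},
        {"PolicyName": "orders-table-rw",
         "PolicyArn": "arn:aws:iam::123456789012:policy/orders-table-rw"}
      ],
      "RolePolicyList": []
    }
  ]
}
""")


def policy_kind(arn):
    """AWS managed policies live under the reserved 'aws' account segment."""
    account = arn.split(":")[4]
    return "aws-managed" if account == "aws" else "customer-managed"


def audit_roles(details):
    """Map each role to [(policy name, kind), ...] across both attachment styles."""
    report = {}
    for role in details["RoleDetailList"]:
        entries = [(p["PolicyName"], policy_kind(p["PolicyArn"]))
                   for p in role["AttachedManagedPolicies"]]
        entries += [(p["PolicyName"], "inline") for p in role["RolePolicyList"]]
        report[role["RoleName"]] = entries
    return report


def managed_attachment_counts(details):
    """How many roles share each managed policy (managed policies are reusable)."""
    counts = {}
    for role in details["RoleDetailList"]:
        for p in role["AttachedManagedPolicies"]:
            counts[p["PolicyArn"]] = counts.get(p["PolicyArn"], 0) + 1
    return counts


def inline_findings(details):
    """Roles carrying inline policies: they die with the role and cannot be shared."""
    return [(role["RoleName"], p["PolicyName"])
            for role in details["RoleDetailList"] for p in role["RolePolicyList"]]


if __name__ == "__main__":
    for role, entries in audit_roles(SAMPLE).items():
        print(role)
        for name, kind in entries:
            print(f"  {kind:17} {name}")
    print("managed policy reuse:", managed_attachment_counts(SAMPLE))
    print("inline policies to migrate:", inline_findings(SAMPLE))
```

Against a real account, run `aws iam get-account-authorization-details --filter Role > details.json` and load that file in place of SAMPLE; without the filter the same output also lists users and groups, whose inline policies appear under UserPolicyList and GroupPolicyList respectively. The reuse count makes the managed-versus-inline difference concrete: the customer managed policy shows up on two roles, while the inline one is bound to exactly one.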

 

STS AssumeRoleWithWebIdentity

  • STS: part of the Security Token Service.
  • Allows users who have authenticated with a web identity provider to obtain temporary credentials for AWS resources.
  • After the user has authenticated, the application calls the AssumeRoleWithWebIdentity API (assume-role-with-web-identity in the CLI), passing the provider's token and the ARN of the role to assume. The call is unsigned: the application needs no AWS credentials of its own to make it.
  • If successful, STS returns temporary credentials (access key, secret key, session token) enabling access to AWS resources for the session's lifetime.
  • The response's AssumedRoleUser element carries the Arn and AssumedRoleId that identify the temporary session; programs reference the session through these, not through an IAM user or the role itself.

 

By setting up cross-account access, you can delegate access to resources that are in different AWS accounts without creating individual IAM users in each account: principals in the trusted account assume a role in the account that owns the resources. When the trusted account belongs to a third party, require an ExternalId in the role's trust policy so the third party cannot be tricked into using its access on someone else's behalf (the confused-deputy problem).

Reference: IAM Tutorial: Delegate access across AWS accounts using IAM roles.
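Everything above, from the web identity federation exchange at the top through Cognito identity pools, AssumeRoleWithWebIdentity, and the cross-account delegation just described, turns on one check: does the caller satisfy the principal and condition clauses of the role's trust policy? The following is an added example (not code from the course or from AWS) that models that check in plain Python for three constructed trust policies: a Cognito identity pool's authenticated role, a role assumed directly with a Google ID token, and a cross-account role protected by an ExternalId. The account IDs, identity pool ID, OAuth client ID, ExternalId, and role names are placeholders, and only a handful of IAM condition operators are implemented.

```python
"""Trust-policy evaluation for STS role assumption (added illustration).

Not code from the course or from AWS. It models how STS checks a role's
trust policy against what the caller presents: token claims for
AssumeRoleWithWebIdentity, or the caller's ARN and ExternalId for a
cross-account AssumeRole. Only Allow/Deny, Federated/AWS principals and
StringEquals/StringLike (optionally ForAnyValue:) are modelled; every
account, pool, client and ExternalId value is a constructed placeholder.
"""
import fnmatch

PARTNER_ACCOUNT = "999999999999"                                      # constructed
POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"            # constructed
GOOGLE_CLIENT_ID = "000000000000-abcdef.apps.googleusercontent.com"   # constructed
EXTERNAL_ID = "partner-ops-7f3a"                                      # constructed

# Role behind a Cognito identity pool: only signed-in identities of POOL_ID.
COGNITO_AUTH_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
        "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
    }}]}

# Role assumed directly with a Google ID token. Without the aud condition any
# Google account could assume it; aud pins the token to our own OAuth client.
GOOGLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "accounts.google.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"accounts.google.com:aud": GOOGLE_CLIENT_ID}}}]}

# Cross-account role: any principal in PARTNER_ACCOUNT, but only when it
# presents the agreed ExternalId (confused-deputy protection).
CROSS_ACCOUNT_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_type, principal):
    trusted = statement.get("Principal", {}).get(principal_type) or []
    for entry in _as_list(trusted):
        # "arn:aws:iam::ACCOUNT:root" trusts every IAM principal in ACCOUNT.
        if principal_type == "AWS" and entry.endswith(":root"):
            if principal.split(":")[4] == entry.split(":")[4]:
                return True
        elif entry == principal:
            return True
    return False


def _condition_matches(condition, context):
    """Every operator block must hold, and every key inside each block."""
    for operator, pairs in condition.items():
        any_value = operator.startswith("ForAnyValue:")
        base = operator.split(":")[-1]
        for key, expected in pairs.items():
            if key not in context:
                return False        # a missing key fails (no ...IfExists modelled)
            expected, actual = _as_list(expected), _as_list(context[key])
            if base == "StringEquals":
                hits = [a in expected for a in actual]
            elif base == "StringLike":
                hits = [any(fnmatch.fnmatchcase(a, e) for e in expected) for a in actual]
            else:
                raise ValueError(f"operator {operator} is not modelled")
            if not (any(hits) if any_value else all(hits)):
                return False
    return True


def can_assume(trust_policy, principal_type, principal, action, context):
    """True if the trust policy lets this caller perform `action` on the role."""
    allowed = False
    for st in trust_policy["Statement"]:
        if action not in _as_list(st["Action"]):
            continue
        if not _principal_matches(st, principal_type, principal):
            continue
        if not _condition_matches(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False            # an explicit Deny always wins
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed caller contexts, shaped like the values STS evaluates.
    web, cognito = "sts:AssumeRoleWithWebIdentity", "cognito-identity.amazonaws.com"
    guest = {f"{cognito}:aud": POOL_ID, f"{cognito}:amr": ["unauthenticated"]}
    print("cognito guest:", can_assume(COGNITO_AUTH_TRUST, "Federated", cognito, web, guest))
    print("google, other client's token:", can_assume(GOOGLE_TRUST, "Federated",
          "accounts.google.com", web, {"accounts.google.com:aud": "x.apps.googleusercontent.com"}))
    deploy = f"arn:aws:iam::{PARTNER_ACCOUNT}:user/deploy"
    print("partner without ExternalId:", can_assume(CROSS_ACCOUNT_TRUST, "AWS", deploy,
          "sts:AssumeRole", {}))
```

The three cases printed all come back False: a guest identity, a token minted for a different OAuth client, and a partner call lacking the ExternalId are rejected even though the provider or account itself is trusted. That is the thing to look for when reviewing a trust policy: a Federated principal with no aud (or sub) condition, or a cross-account AWS principal with no ExternalId, trusts far more callers than intended.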


 

 

 

Inline policies are deleted together with the user, group, or role they are embedded in.

posted @ Zhentiw  Views (79)  Comments (0)