[AWS - DA] Advanced Identity

AWS STS - Security Token Service

  • Allows to grant limited and temporary access to AWS resource (up to 1 hour)
  • AssumeRole: Assume roles within your account or cross account
  • GetSessionToken: for MFA, from a user or AWS account root user
  • DecodeAuthorizationMessage: decode error message when an AWS API is denied
  • AssumeRoleWithSAML: return credentials for users logged with SAML
  • GetRederationToken: obtaini temporary creds for a federated user
  • GetCallerIdentity: return details about the IAM user or role userd in the API called

 

STS with MFA

  • User GetSessionToken from STS
  • Appropriate IAM policy using IAM conditions
  • aws:MultiFactorAuthPresent: true
  • Reminder, GetSessionToken
  • return:
    • AccessID
    • Secrect Key
    • SessionToken
    • Expiration date

 

IAM Policies & S3 Bucket Policies

  • IAM Policies are attached to user, roles, groups
  • S3 Bukcet Policies are attached to bucekts
  • When evaluating if an IAM Principal can perform an operation X on a bucket, the union of its assigned IAM policeis and S3 bucket policies will be evaluated

 

 

 

 

posted @ 2021-06-28 15:41  Zhentiw  阅读(71)  评论(0编辑  收藏  举报