Skip to content

Federation

High Level

  • IAM Identity Providers (IDP) = provide ability to federate outside entities with IAM & assign privileges to those users
  • IAM can integrate 2 types of IDP

    WEB IDENTITIES
    • OIDC (OpenID Connect)
    INTERNAL IDENTITIES
    • SAML (for AD, LDAP)
    • ADFS (AD Federation Services)
  • Functioning

    • Works by returning a temporary token associated with a role to the IDP
    • Actual Role returned is determined via information received from IDP
      • Attributes of the user in the on-premises IDstore
      • Username & auth service of WEB IDstore

Security Token Service (STS)

  • Grants users limited and temporary access to AWS resources
  • Can't be revoked, but you can revoke an IAM user if they created the temporary creds, which invalidates them
  • Users can come from 3 resources

    Federation (Active Directory)
    • Uses SAML
    • Grants temporary access based on the users AD creds
    • Does not need to be a user in IAM
    Federation with mobile apps Uses facebook/amazon/google/openid providers to login
    Cross-account access Let users from one AWS account access resources in another
  • APIs

    API Description
    AssumeRole Assume a specific role after authenticating with an AWS account
    AssumeRoleWithWebIdentity OIDC (Google, Facebook)
    AssumeRoleWithSAML SAML (AzureAD, Okta)
  • Session Policies

    • An inline policy that you can create on the fly and pass in the session during role assumption to further scope the permissions of the role session
    • The effective permissions of the session are the intersection of the role's identity-based policies and the session policy
Sample AssumeRole Policy
// ProdAccess role trust relationship policy definition in the Prod account
// Allows an IAM user or role in the Dev account to perform the AssumeRole action
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::dev-aws-account-id:root" },
        "Action": "sts:AssumeRole",
    }
}

// Policy definition attached to the user or role in the Dev account that
// allows them to perform the AssumeRole action on the ProdAccess role in the Prod account
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": "arn:aws:iam::prod-account-id:role/ProdAccess"
        }
    ]
}

SSO

General Info

Use Cases
  • Manage multi-account access with Organizations
  • SSO to other applications via SAML
Characteristics
  • Control access by mapping users/groups (from the attached directory) to permissions sets & accounts
  • This data is held in SSO, not the directory
  • Directories
    • Native directory: Create users & groups within SSO (default)
    • AWS Directory Service: Managed AD & AD Connector (not simple AD)
    • Only a single directory can be connected
  • Permissions sets
    • Collections of policies implemented as Roles in member accounts
    • Limit of 20 per account
    • Ref 10 AWS managed policies, or use an inline policy
  • Features
    • Free
    • Sign-ins logged to CloudTrail
    • No API: for CLI access, SSO user portal gives you temporary creds for the Roles you have access to

Active Directory Federation with AWS (SAML)

Description
  • AWS allows federated sign-in to AWS using AD credentials
  • Provides SSO for users
Characteristics
  • ADFS acts as an identity broker between AWS and AD
  • AD users can assume roles in AWS based on group membership in AD
  • 2-way trusts
    • in AWS, ADFS is trusted as the ID provider
    • in ADFS, configure Relying Party Trust with AWS as the Relying Party
  • Functioning (see also official docs)
    • Corporate users accesses the corporate ADFS portal sign-in and provides their AD creds
    • ADFS authenticate the user against AD
    • AD return user's information including group membership
    • ADFS sends a SAML token to the user's browser which sends the token to the AWS sign-in endpoint
    • The AWS sign-in endpoint makes an STS AssumeRoleWithSAML request and STS returns temporary credentials
    • User is authenticated and allowed to access the AWS management console

Web Identity Federation

  • Lets you give your users access to AWS resources after they have authn with a web-based id provider (amazon, facebook, google)
  • Following authn, the user receives an authn code from the web id provider, which they can trade for temporary AWS security credentials

Cognito

Description

Use Case
  • Provides Web Identity Federation
  • Provides temporary limited-privileged creds for both auth/unauth users
  • Acts as an ID broker between app and an IdP
Functioning
  • After user is auth with provider, an OAUTH/OpenID token returned from the provider is passed by your app to Cognito, which returns a new Cognito ID for the user & a set of temp, limited-priv AWS creds
  • You will be asked to create a new IAM role for end users
    • By default access to: Cognito sync, mobile analytics

Components

Component Description
User Pools
  • User directories used to manage sign-up and sign-in functionality for mobile/web apps
  • Process
    • Users can sign-in directly to the User Pool, or indirectly via an IdP (SAML 2.0 or OpenID Connect compliant)
    • Cognito acts as an ID broker
    • Successful authn generates JWTs that the application developer can use to secure and authorize access to application APIs or use to obtain AWS temporary credentials
Identity Pools
  • Grant users access to AWS services (either directly from federation, or in exchange for a user pool token)
  • Store of user identity info (mapping between federated user IDs and Cognito user IDs) that is specific to your AWS account
    • Enable you to create unique identities for your users and authn them with ID providers
    • Assign IAM roles to user already authn with another IdP

Roles Anywhere

Coming Soon

Extend AWS IAM roles to workloads outside of AWS with IAM Roles Anywhere:

  • AWS has released IAM Roles Anywhere, a feature that extends the capabilities of IAM roles to workloads outside AWS
  • This feature provides a secure way to obtain temporary AWS credentials and removes the need for long-term AWS credentials

Microsoft AD

Directory Service

General Info
  • Managed Microsoft AD
    • Can join to existing AD with trust relationships
    • Or replace an on-prem AD by using Direct Connect or VPN
  • Can assign IAM roles to AD users for AWS access
  • Works with EC2 (manage them via group policies), RDS SQL server, WorkSpaces, AWS SSO

Solutions

Solution Description
AWS Directory Service for MS AD (Enterprise Edition)
  • Managed MS AD hosted on AWS
  • Can setup trust relationships with existing AD domains to extend those directories to AWS services
  • Best choice if you have > 5,000 users & need trust between AWS-hosted and on-premises directories
Simple AD
  • MS AD compatible directory powered by Samba 4
  • Least expensive & best choice if < 5,000 users & don't need advanced features
  • User accounts in Simple AD
    • Can also access AWS apps (workspaces, workdocs, workmail)
    • Can use IAM roles to access AWS console
  • Provides daily automated snapshots to enable point-in-time recovery
SupportsDoes NOT support
user accounts, group membershipstrust between Simple AD & other AD domains
domain-joining EC2, group policiesDNS dynamic update
Kerberos-based SSOcommunication over LDAP
Powershell AD cmdlets
MFA
AD Connector
  • Proxy service for connecting on-premises AD to AWS without requiring federation infrastructure
    • Forwards sign-in requests to your AD DCs for auth & provides the ability for apps to query the directory for data
    • You continue to manage your AD as usual
    • Best when you want to use your existing on-premises directory with AWS services
    • Best if you need to ALLOW on-premises users to login to AWS with their AD credentials
  • Enables consistent enforcement of existing security policies whether users are accessing resources on-premises or on AWS
  • Users can
    • Use existing corporate credentials to login to AWS apps (workspaces, etc.)
    • Access the AWS console (if proper permissions)
  • Can be used to enable MFA by integrating it with RADIUS-based MFA infrastructure

Cloud Directory

  • Generic directory service - not Active Directory
  • Could be used for user/device management
  • Encrypted at rest and in transit