Federation
High Level¶
- IAM Identity Providers (IdP) = provide the ability to federate outside entities with IAM & assign privileges to those users
- IAM can integrate 2 types of IdP
  - WEB IDENTITIES - OIDC (OpenID Connect)
  - INTERNAL IDENTITIES - SAML (for AD, LDAP)
    - ADFS (AD Federation Services)
Functioning
- Works by returning a temporary token associated with a role to the IdP
- The actual role returned is determined from information received from the IdP:
  - attributes of the user in the on-premises ID store
  - username & authenticating service of the web ID store
Security Token Service (STS)¶
- Grants users limited and temporary access to AWS resources
- Temporary creds can't be revoked directly, but if an IAM user created them you can revoke/delete that IAM user, which invalidates the creds
Users can come from 3 sources
- Federation (Active Directory) - uses SAML
  - Grants temporary access based on the user's AD creds
  - Does not need to be a user in IAM
- Federation with mobile apps - uses Facebook/Amazon/Google/OpenID providers to log in
- Cross-account access - lets users from one AWS account access resources in another
APIs

API | Description |
---|---|
AssumeRole | Assume a specific role after authenticating with an AWS account |
AssumeRoleWithWebIdentity | OIDC (Google, Facebook) |
AssumeRoleWithSAML | SAML (AzureAD, Okta) |
Session Policies
- An inline policy that you can create on the fly and pass in the session during role assumption to further scope the permissions of the role session
- The effective permissions of the session are the intersection of the role's identity-based policies and the session policy
Sample AssumeRole Policy

ProdAccess role trust relationship policy definition in the Prod account. Allows an IAM user or role in the Dev account to perform the AssumeRole action:

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::dev-aws-account-id:root" },
    "Action": "sts:AssumeRole"
  }
}
```

Policy definition attached to the user or role in the Dev account that allows them to perform the AssumeRole action on the ProdAccess role in the Prod account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sts:AssumeRole"],
      "Resource": "arn:aws:iam::prod-account-id:role/ProdAccess"
    }
  ]
}
```
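Added example, not from these notes: a small Python model of two points above, a pre-deployment check of the ProdAccess trust policy (does it only let the intended account assume the role?) and the session-policy rule that the effective permissions are the intersection of the role's identity policy and the session policy. The account ids, the role policy and the session policy are placeholders constructed for the example, and it only models Effect/Action with `*` wildcards (no Resource, Condition or NotAction), so it is not a real IAM evaluator.

```python
"""Added example, not from the original notes: a simplified model of
(1) checking a role's trust policy before it is deployed and
(2) the session-policy rule that effective permissions are the
intersection of the role's identity policy and the session policy.
Only Effect/Action with '*' wildcards is modelled; there is no Resource,
Condition or NotAction handling, so this is not a real IAM evaluator."""
import json
from fnmatch import fnmatchcase

# Trust policy from the notes, account id kept as a placeholder.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::dev-aws-account-id:root" },
    "Action": "sts:AssumeRole"
  }
}
""")

# Constructed identity policy for the role, and a session policy passed at AssumeRole time.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"]},
    {"Effect": "Deny", "Action": "s3:DeleteBucket"},
]}
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteBucket", "ec2:*"]},
]}


def _statements(policy):
    """IAM accepts Statement as one object or a list; normalise to a list."""
    stmt = policy["Statement"]
    return stmt if isinstance(stmt, list) else [stmt]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    """The account id is the 5th colon-separated field of an ARN."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else arn


def trust_policy_findings(policy, allowed_accounts):
    """List the ways this trust policy lets unexpected principals assume the role:
    an Allow for sts:AssumeRole whose principal is '*' or outside allowed_accounts."""
    findings = []
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase("sts:AssumeRole", a) for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            if p == "*":
                findings.append("sts:AssumeRole allowed for any AWS principal")
            elif _account_of(p) not in allowed_accounts:
                findings.append(f"sts:AssumeRole allowed for unexpected account {_account_of(p)}")
    return findings


def is_allowed(policy, action):
    """Simplified decision for one action: explicit Deny wins, then an Allow, else implicit deny."""
    allowed = False
    for stmt in _statements(policy):
        if any(fnmatchcase(action, pattern) for pattern in _as_list(stmt.get("Action", []))):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def effective_permissions(role_policy, session_policy, candidate_actions):
    """A session policy can only narrow a session: an action is effective only if
    BOTH the role's identity policy and the session policy allow it."""
    return sorted(a for a in candidate_actions
                  if is_allowed(role_policy, a) and is_allowed(session_policy, a))


if __name__ == "__main__":
    print(trust_policy_findings(TRUST_POLICY, {"dev-aws-account-id"}))  # []
    print(effective_permissions(ROLE_POLICY, SESSION_POLICY,
          ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
           "ec2:DescribeInstances", "ec2:RunInstances"]))
    # ['ec2:DescribeInstances', 's3:GetObject']
```

Note that `s3:DeleteBucket` is allowed by the session policy but still not effective, because the role's own explicit Deny wins; a session policy can never add permissions the role does not have.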
SSO¶
General Info¶
- Use Cases
  - Manage multi-account access with Organizations
  - SSO to other applications via SAML
- Characteristics
  - Control access by mapping users/groups (from the attached directory) to permission sets & accounts
  - This mapping data is held in SSO, not in the directory
- Directories
  - Native directory: create users & groups within SSO (default)
  - AWS Directory Service: Managed AD & AD Connector (not Simple AD)
  - Only a single directory can be connected
- Permission sets
  - Collections of policies, implemented as Roles in member accounts
  - Limit of 20 per account
  - Can reference 10 AWS managed policies, or use an inline policy
- Features
  - Free
  - Sign-ins logged to CloudTrail
  - No API: for CLI access, the SSO user portal gives you temporary creds for the Roles you have access to
Active Directory Federation with AWS (SAML)¶
- Description
  - AWS allows federated sign-in to AWS using AD credentials
  - Provides SSO for users
- Characteristics
  - ADFS acts as an identity broker between AWS and AD
  - AD users can assume roles in AWS based on group membership in AD
  - 2-way trust
    - in AWS, ADFS is trusted as the identity provider
    - in ADFS, configure a Relying Party Trust with AWS as the Relying Party
- Functioning (see also official docs)
  - Corporate user accesses the corporate ADFS sign-in portal and provides their AD creds
  - ADFS authenticates the user against AD
  - AD returns the user's information, including group membership
  - ADFS sends a SAML token to the user's browser, which sends the token to the AWS sign-in endpoint
  - The AWS sign-in endpoint makes an STS AssumeRoleWithSAML request and STS returns temporary credentials
  - User is authenticated and allowed to access the AWS management console
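Added example, not from these notes: what the relying party has to pull out of the SAML assertion before it can call AssumeRoleWithSAML (the `Role` and `RoleSessionName` attributes AWS expects, which are real attribute names), and the check that every role/provider pair names the SAML provider this account actually trusts. The assertion is constructed for the example with a placeholder account id and placeholder role names, and it carries no XML signature; a real consumer must verify the IdP's signature before trusting anything in it.

```python
"""Added example, not from the original notes: what the AWS sign-in endpoint
has to pull out of the SAML assertion before it can call AssumeRoleWithSAML,
and the check a relying party should make that every role/provider pair
names the SAML provider this account actually trusts.
The assertion is constructed for the example and carries no XML signature;
a real consumer must verify the IdP's signature before trusting anything in it."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names AWS expects in the assertion (these two are real AWS names).
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample with a placeholder account id. The third Role value names a
# provider this account does not trust and must be dropped by the consumer.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.corp</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.corp</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111122223333:role/ADFS-ReadOnly,arn:aws:iam::111122223333:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/ADFS,arn:aws:iam::111122223333:role/ADFS-Admins</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::111122223333:role/Other,arn:aws:iam::111122223333:saml-provider/Unknown</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# The one SAML provider registered in IAM for this (placeholder) account.
TRUSTED_PROVIDER = "arn:aws:iam::111122223333:saml-provider/ADFS"


def attribute_values(assertion_xml, name):
    """All AttributeValue texts for the attribute called `name`, in document order."""
    root = ET.fromstring(assertion_xml)
    return [v.text.strip()
            for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
            if attr.get("Name") == name
            for v in attr.findall("saml:AttributeValue", SAML_NS)]


def role_pairs(assertion_xml):
    """(role_arn, provider_arn) tuples from the Role attribute. AWS accepts the two
    ARNs in either order, so identify them by content instead of position."""
    pairs = []
    for value in attribute_values(assertion_xml, ROLE_ATTR):
        parts = [p.strip() for p in value.split(",")]
        role = next((p for p in parts if ":role/" in p), None)
        provider = next((p for p in parts if ":saml-provider/" in p), None)
        if len(parts) != 2 or role is None or provider is None:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        pairs.append((role, provider))
    return pairs


def assumable_roles(assertion_xml, trusted_provider_arn):
    """Roles the user may pick: only pairs that name the provider this account
    trusts, and only roles that live in that provider's account."""
    account = trusted_provider_arn.split(":")[4]
    return [role for role, provider in role_pairs(assertion_xml)
            if provider == trusted_provider_arn and role.split(":")[4] == account]


if __name__ == "__main__":
    print(attribute_values(SAMPLE_ASSERTION, SESSION_NAME_ATTR))  # ['alice@example.corp']
    print(assumable_roles(SAMPLE_ASSERTION, TRUSTED_PROVIDER))
    # ['arn:aws:iam::111122223333:role/ADFS-ReadOnly', 'arn:aws:iam::111122223333:role/ADFS-Admins']
```

The role list is exactly what the AWS sign-in page offers the user to choose from; each entry maps back to an AD group through the ADFS claim rules, which is where the "roles based on group membership" characteristic above is configured.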
Web Identity Federation¶
- Lets you give your users access to AWS resources after they have authenticated with a web-based identity provider (Amazon, Facebook, Google)
- Following authentication, the user receives an authentication code from the web identity provider, which they can trade for temporary AWS security credentials
Cognito¶
Description¶
- Use Case
  - Provides Web Identity Federation
  - Provides temporary limited-privilege creds for both authenticated and unauthenticated users
  - Acts as an identity broker between the app and an IdP
- Functioning
  - After the user is authenticated with the provider, the OAuth/OpenID token returned by the provider is passed by your app to Cognito, which returns a new Cognito ID for the user & a set of temporary, limited-privilege AWS creds
  - You will be asked to create a new IAM role for end users
  - By default this role has access to: Cognito Sync, Mobile Analytics
Components¶
Component | Description |
---|---|
User Pools | User directory that handles sign-up and sign-in for the app (diagram in original not preserved) |
Identity Pools | Exchange a token from an IdP (including a user pool) for temporary AWS credentials (diagram in original not preserved) |
Roles Anywhere¶
Coming Soon
Extend AWS IAM roles to workloads outside of AWS with IAM Roles Anywhere:
- AWS has released IAM Roles Anywhere, a feature that extends the capabilities of IAM roles to workloads outside AWS
- This feature provides a secure way to obtain temporary AWS credentials and removes the need for long-term AWS credentials
Microsoft AD¶
Directory Service¶
- General Info
  - Managed Microsoft AD
    - Can join to an existing AD with trust relationships
    - Or replace an on-prem AD by using Direct Connect or VPN
    - Can assign IAM roles to AD users for AWS access
    - Works with EC2 (manage them via group policies), RDS SQL Server, WorkSpaces, AWS SSO
- Solutions

Solution | Description |
---|---|
AWS Directory Service for MS AD (Enterprise Edition) | (description in original not preserved) |
Simple AD | (description in original not preserved) |
AD Connector | (description in original not preserved) |
Cloud Directory¶
- Generic directory service - not Active Directory
- Could be used for user/device management
- Encrypted at rest and in transit