Federation

High Level

• IAM Identity Providers (IDP) = provide ability to federate outside entities with IAM & assign privileges to those users

• IAM can integrate 2 types of IDP

  WEB IDENTITIES	OIDC (OpenID Connect)
  INTERNAL IDENTITIES	SAML (for AD, LDAP) ADFS (AD Federation Services)

• Functioning

  • Works by returning a temporary token associated with a role to the IDP
  • Actual Role returned is determined via information received from IDP
    • Attributes of the user in the on-premises IDstore
    • Username & auth service of WEB IDstore

Security Token Service (STS)

• Grants users limited and temporary access to AWS resources
• Can't be revoked, but you can revoke an IAM user if they created the temporary creds, which invalidates them

• Users can come from 3 resources

  Federation (Active Directory)	Uses SAML Grants temporary access based on the users AD creds Does not need to be a user in IAM
  Federation with mobile apps	Uses facebook/amazon/google/openid providers to login
  Cross-account access	Let users from one AWS account access resources in another

• APIs

  API	Description
  AssumeRole	Assume a specific role after authenticating with an AWS account
  AssumeRoleWithWebIdentity	OIDC (Google, Facebook)
  AssumeRoleWithSAML	SAML (AzureAD, Okta)

• Session Policies

  • An inline policy that you can create on the fly and pass in the session during role assumption to further scope the permissions of the role session
  • The effective permissions of the session are the intersection of the role's identity-based policies and the session policy

Sample AssumeRole Policy

// ProdAccess role trust relationship policy definition in the Prod account
// Allows an IAM user or role in the Dev account to perform the AssumeRole action
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::dev-aws-account-id:root" },
        "Action": "sts:AssumeRole",
    }
}

// Policy definition attached to the user or role in the Dev account that
// allows them to perform the AssumeRole action on the ProdAccess role in the Prod account
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": "arn:aws:iam::prod-account-id:role/ProdAccess"
        }
    ]
}

SSO

General Info

Use Cases

• Manage multi-account access with Organizations
• SSO to other applications via SAML

Characteristics

• Control access by mapping users/groups (from the attached directory) to permissions sets & accounts
• This data is held in SSO, not the directory
• Directories
  • Native directory: Create users & groups within SSO (default)
  • AWS Directory Service: Managed AD & AD Connector (not simple AD)
  • Only a single directory can be connected
• Permissions sets
  • Collections of policies implemented as Roles in member accounts
  • Limit of 20 per account
  • Ref 10 AWS managed policies, or use an inline policy
• Features
  • Free
  • Sign-ins logged to CloudTrail
  • No API: for CLI access, SSO user portal gives you temporary creds for the Roles you have access to

Active Directory Federation with AWS (SAML)

Description

• AWS allows federated sign-in to AWS using AD credentials
• Provides SSO for users

Characteristics

• ADFS acts as an identity broker between AWS and AD
• AD users can assume roles in AWS based on group membership in AD
• 2-way trusts
  • in AWS, ADFS is trusted as the ID provider
  • in ADFS, configure Relying Party Trust with AWS as the Relying Party
• Functioning (see also official docs)
  • Corporate users accesses the corporate ADFS portal sign-in and provides their AD creds
  • ADFS authenticate the user against AD
  • AD return user's information including group membership
  • ADFS sends a SAML token to the user's browser which sends the token to the AWS sign-in endpoint
  • The AWS sign-in endpoint makes an STS AssumeRoleWithSAML request and STS returns temporary credentials
  • User is authenticated and allowed to access the AWS management console

Web Identity Federation

• Lets you give your users access to AWS resources after they have authn with a web-based id provider (amazon, facebook, google)
• Following authn, the user receives an authn code from the web id provider, which they can trade for temporary AWS security credentials

Cognito

Description

Use Case

• Provides Web Identity Federation
• Provides temporary limited-privileged creds for both auth/unauth users
• Acts as an ID broker between app and an IdP

Functioning

• After user is auth with provider, an OAUTH/OpenID token returned from the provider is passed by your app to Cognito, which returns a new Cognito ID for the user & a set of temp, limited-priv AWS creds
• You will be asked to create a new IAM role for end users
  • By default access to: Cognito sync, mobile analytics

Components

Component	Description
User Pools	User directories used to manage sign-up and sign-in functionality for mobile/web apps Process Users can sign-in directly to the User Pool, or indirectly via an IdP (SAML 2.0 or OpenID Connect compliant) Cognito acts as an ID broker Successful authn generates JWTs that the application developer can use to secure and authorize access to application APIs or use to obtain AWS temporary credentials
Identity Pools	Grant users access to AWS services (either directly from federation, or in exchange for a user pool token) Store of user identity info (mapping between federated user IDs and Cognito user IDs) that is specific to your AWS account Enable you to create unique identities for your users and authn them with ID providers Assign IAM roles to user already authn with another IdP

Roles Anywhere

Coming Soon

Extend AWS IAM roles to workloads outside of AWS with IAM Roles Anywhere:

• AWS has released IAM Roles Anywhere, a feature that extends the capabilities of IAM roles to workloads outside AWS
• This feature provides a secure way to obtain temporary AWS credentials and removes the need for long-term AWS credentials

Microsoft AD

Directory Service

General Info

• Managed Microsoft AD
  • Can join to existing AD with trust relationships
  • Or replace an on-prem AD by using Direct Connect or VPN
• Can assign IAM roles to AD users for AWS access
• Works with EC2 (manage them via group policies), RDS SQL server, WorkSpaces, AWS SSO

Solutions

Solution	Description
AWS Directory Service for MS AD (Enterprise Edition)	Managed MS AD hosted on AWS Can setup trust relationships with existing AD domains to extend those directories to AWS services Best choice if you have > 5,000 users & need trust between AWS-hosted and on-premises directories
Simple AD	MS AD compatible directory powered by Samba 4 Least expensive & best choice if < 5,000 users & don't need advanced features User accounts in Simple AD Can also access AWS apps (workspaces, workdocs, workmail) Can use IAM roles to access AWS console Provides daily automated snapshots to enable point-in-time recovery Supports Does NOT support user accounts, group memberships trust between Simple AD & other AD domains domain-joining EC2, group policies DNS dynamic update Kerberos-based SSO communication over LDAP Powershell AD cmdlets MFA
AD Connector	Proxy service for connecting on-premises AD to AWS without requiring federation infrastructure Forwards sign-in requests to your AD DCs for auth & provides the ability for apps to query the directory for data You continue to manage your AD as usual Best when you want to use your existing on-premises directory with AWS services Best if you need to ALLOW on-premises users to login to AWS with their AD credentials Enables consistent enforcement of existing security policies whether users are accessing resources on-premises or on AWS Users can Use existing corporate credentials to login to AWS apps (workspaces, etc.) Access the AWS console (if proper permissions) Can be used to enable MFA by integrating it with RADIUS-based MFA infrastructure

Cloud Directory

• Generic directory service - not Active Directory
• Could be used for user/device management
• Encrypted at rest and in transit