Security Token Service (STS)
- Gives out temporary credentials
- Global service
- All credentials are global
- Possible to call regional endpoint for reduced latency
- Use cases
- Federation (e.g. Enterprise or Web)
- Delegation (e.g. Cross-account access)
- Roles for EC2 instances (no need for storing Access Keys)
- AWS Service that manage resources on customer behalf (e.g. AutoScaling)
Temporary Credentials
- Similar to Access Keys but short-lived (minutes to hours)
- Not stored with the user but dynamically generated
- No need to distribute them
- Can grant access without AWS identity (basis for federated identity)
- Have restrictions based on the API used to generate them
- For AssumeRole - cannot call GetFederationToken followed by GetSessionToken
- You could extend expiration of your token this way
Revoking Temporary Credentials
- Specify policy that denies access based on
- creator name (e.g. compromised account)
- issue before certain time
Session
- Temporary access to AWS
- Generated by STS
- Elements
- Access Key
- Secret Access Key
- Session Token
- Must be submitted to every API call along with Access Key and Secret Access Key
- Expiration (Min/Max/Default)
- GetFederationToken (15m/36h/12h)
- AssumeRole*(15m/1h/1h)
Policy scoping
- Allows to restrict permissions (logical: role permissions && policy)
GetFederationToken
- Works within AWS account
- Up to 36 hours (much longer than others)
- No MFA
- Requires AWS credentials
- Desired policy passed is passed as an argument
- Caller must have union of all policies that you want to grant
- Policy
- There are no "role permissions" here so you only get what you specify
- If no policy specified authenticated user may still get access based on resource policy, e.g.
- Temporary credentials created for "Susan" (federation token)
- S3 bucket access for "arn:aws:sts::111122223333:federated-user/Susan"
- Use cases
- server side proxies (must safely store long term credentials)
AssumeRole
- Works cross-account
- 15 minutes - 1 hour
- MFA supported
- Supports policy scoping
- Requires AWS credentials
- Use cases
- Grant access to resources in different AWS account
- Enforce MFA authentication for privilage escalations
AssumeRoleWithSAML (SAML 2.0)
- Works cross-acount
- 15 minutes - 1 hour
- Does not require AWS credentials (SAML response is cryptographically signed)
- Must configure SAML Identity Provider first
- Supports policy scoping
- RoleSessionName is visible in CloudTrail so use correct value for traceability
- Use cases
- Enterprise organizations who have software that produces SAML assertions
- Active Directory -> Active Directory Federation Services
- Used for corporate Single Sign On (e.g. Isengard)
AssumeRoleWithWebIdentity
- Works cross-account
- 15 minutes - 1 hour
- Does not require AWS credentials
- Obsoleted by Cognito for mobile scenarios
- Supports Policy Scoping
- Request is not signed so make sure no intermediate can alter the policy
- Use cases
- Mobile and web users who do not have IAM users
GetSessionToken
- Give temporary credentials for IAM user
- 15 minutes - 36 hours
- Requires AWS Credentials
- Use cases
- enforce MFA for avoiding privilege escalation
- untrusted environments (web, mobile)
Single Sign On to the console
- Temporary credentials can be used for sign-in
- Endpoint: https://signin.aws.amazon.com/federation
- Pass temporary credentials
- It returns a token that can be used to sign-in directly to AWS console
References
- https://danielgrzelak.com/backdooring-an-aws-account-da007d36f8f9
No comments:
Post a Comment