AWS Identity and Access Management (IAM) | Identity Federation Flashcards

1
Q

Can I use the API or CLI to activate or deactivate AWS STS regions?

Identity Federation

AWS Identity and Access Management (IAM) | Security, Identity & Compliance

A

No. There is no API or CLI support at this time to activate or deactivate AWS STS regions. We plan to provide API and CLI support in a future release.

2
Q

What is identity federation?

A

AWS Identity and Access Management (IAM) supports identity federation for delegated access to the AWS Management Console or AWS APIs. With identity federation, external identities are granted secure access to resources in your AWS account without having to create IAM users. These external identities can come from your corporate identity provider (such as Microsoft Active Directory or from the AWS Directory Service) or from a web identity provider (such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible provider).

3
Q

What are federated users?

A

Federated users (external identities) are users you manage outside of AWS in your corporate directory, but to whom you grant access to your AWS account using temporary security credentials. They differ from IAM users, which are created and maintained in your AWS account.

4
Q

Do you support SAML?

A

Yes, AWS supports the Security Assertion Markup Language (SAML) 2.0.

5
Q

What SAML profiles does AWS support?

A

The AWS single sign-on (SSO) endpoint supports the IdP-initiated HTTP-POST binding WebSSO SAML Profile. This enables a federated user to sign in to the AWS Management Console using a SAML assertion. A SAML assertion can also be used to request temporary security credentials using the AssumeRoleWithSAML API. For more information, see About SAML 2.0-Based Federation.

6
Q

Can federated users access AWS APIs?

A

Yes. You can programmatically request temporary security credentials for your federated users to provide them secure and direct access to AWS APIs. We have provided a sample application that demonstrates how you can enable identity federation, providing users maintained by Microsoft Active Directory access to AWS service APIs. For more information, see Using Temporary Security Credentials to Request Access to AWS Resources.

7
Q

Can federated users access the AWS Management Console?

A

Yes. There are a couple of ways to achieve this. One way is by programmatically requesting temporary security credentials (such as GetFederationToken or AssumeRole) for your federated users and including those credentials as part of the sign-in request to the AWS Management Console. After you have authenticated a user and granted them temporary security credentials, you generate a sign-in token that is used by the AWS single sign-on (SSO) endpoint. The user’s actions in the console are limited to the access control policy associated with the temporary security credentials. For more details, see Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker).

Alternatively, you can post a SAML assertion directly to AWS sign-in (https://signin.aws.amazon.com/saml). The user’s actions in the console are limited to the access control policy associated with the IAM role that is assumed using the SAML assertion. For more details, see Enabling SAML 2.0 Federated Users to Access the AWS Management Console.

Using either approach allows a federated user to access the console without having to sign in with a user name and password. We have provided a sample application that demonstrates how you can enable identity federation, providing users maintained by Microsoft Active Directory access to the AWS Management Console.

8
Q

How do I control what a federated user is allowed to do when signed in to the console?

A

When you request temporary security credentials for your federated user using an AssumeRole API, you can optionally include an access policy with the request. The federated user’s privileges are the intersection of permissions granted by the access policy passed with the request and the access policy attached to the IAM role that was assumed. The access policy passed with the request cannot elevate the privileges associated with the IAM role being assumed.

When you request temporary security credentials for your federated user using the GetFederationToken API, you must provide an access control policy with the request. The federated user’s privileges are the intersection of the permissions granted by the access policy passed with the request and the access policy attached to the IAM user that was used to make the request. The access policy passed with the request cannot elevate the privileges associated with the IAM user used to make the request.

These federated user permissions apply to both API access and actions taken within the AWS Management Console.

9
Q

What permissions does a federated user need to use the console?

A

A user requires permissions to the AWS service APIs called by the AWS Management Console. Common permissions required to access AWS services are documented in Using Temporary Security Credentials to Request Access to AWS Resources.

10
Q

How do I control how long a federated user has access to the AWS Management Console?

A

Depending on the API used to create the temporary security credentials, you can specify a session limit between 15 minutes and 36 hours (for GetFederationToken and GetSessionToken) and between 15 minutes and 12 hours (for AssumeRole* APIs), during which time the federated user can access the console. When the session expires, the federated user must request a new session by returning to your identity provider, where you can grant them access again. Learn more about setting session duration.

11
Q

What happens when the identity federation console session times out?

A

The user is presented with a message stating that the console session has timed out and that they need to request a new session. You can specify a URL to direct users to your local intranet web page where they can request a new session. You add this URL when you specify an Issuer parameter as part of your sign-in request. For more information, see Enabling SAML 2.0 Federated Users to Access the AWS Management Console.

12
Q

How many federated users can I give access to the AWS Management Console?

A

There is no limit to the number of federated users who can be given access to the console.

13
Q

What is web identity federation?

A

Web identity federation allows you to create AWS-powered mobile apps that use public identity providers (such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible provider) for authentication. With web identity federation, you have an easy way to integrate sign-in from public identity providers (IdPs) into your apps without having to write any server-side code and without distributing long-term AWS security credentials with the app.

For more information about web identity federation and to get started, see About Web Identity Federation.

14
Q

How do I enable web identity federation with accounts from public IdPs?

A

For best results, use Amazon Cognito as your identity broker for almost all web identity federation scenarios. Amazon Cognito is easy to use and provides additional capabilities such as anonymous (unauthenticated) access, and synchronizing user data across devices and providers. However, if you have already created an app that uses web identity federation by manually calling the AssumeRoleWithWebIdentity API, you can continue to use it and your apps will still work.

Here are the basic steps to enable identity federation using one of the supported web IdPs:

1. Sign up as a developer with the IdP and configure your app with the IdP, who gives you a unique ID for your app.

2. If you use an IdP that is compatible with OIDC, create an identity provider entity for it in IAM.

3. In AWS, create one or more IAM roles.

4. In your application, authenticate your users with the public IdP.

5. In your app, make an unsigned call to the AssumeRoleWithWebIdentity API to request temporary security credentials.

6. Using the temporary security credentials you get in the AssumeRoleWithWebIdentity response, your app makes signed requests to AWS APIs.

7. Your app caches the temporary security credentials so that you do not have to get new ones each time the app needs to make a request to AWS.

For more detailed steps, see Using Web Identity Federation APIs for Mobile Apps.
