AWS Identity and Access Management (IAM) | Temporary Security Credentials Flashcards
Can users SSH to EC2 instances using their AWS user name and password?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
No. User security credentials created with IAM are not supported for direct authentication to customer EC2 instances. Managing EC2 SSH credentials is the customer’s responsibility within the EC2 console.
What are temporary security credentials?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
Temporary security credentials consist of the AWS access key ID, secret access key, and security token. Temporary security credentials are valid for a specified duration and for a specific set of permissions. Temporary security credentials are sometimes simply referred to as tokens. Tokens can be requested for IAM users or for federated users you manage in your own corporate directory. For more information, see Common Scenarios for Temporary Credentials.
What are the benefits of temporary security credentials?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
Temporary security credentials allow you to:
Extend your internal user directories to enable federation to AWS, enabling your employees and applications to securely access AWS service APIs without needing to create an AWS identity for them.
Request temporary security credentials for an unlimited number of federated users.
Configure the time period after which temporary security credentials expire, offering improved security when accessing AWS service APIs through mobile devices where there is a risk of losing the device.
How can I request temporary security credentials for federated users?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
You can call the GetFederationToken, AssumeRole, AssumeRoleWithSAML, or AssumeRoleWithWebIdentity STS APIs.
How can IAM users request temporary security credentials for their own use?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
IAM users can request temporary security credentials for their own use by calling the AWS STS GetSessionToken API. The default expiration for these temporary credentials is 12 hours; the minimum is 15 minutes, and the maximum is 36 hours.
You can also use temporary credentials with Multi-Factor Authentication (MFA)-Protected API Access.
How can I use temporary security credentials to call AWS service APIs?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
If you’re making direct HTTPS API requests to AWS, you can sign those requests with the temporary security credentials that you get from AWS Security Token Service (AWS STS). To do this, do the following:
Use the access key ID and secret access key that are provided with the temporary security credentials the same way you would use long-term credentials to sign a request. For more information about signing HTTPS API requests, see Signing AWS API Requests in the AWS General Reference.
Use the session token that is provided with the temporary security credentials. Include the session token in the “x-amz-security-token” header. See the following example request.
For Amazon S3, via the “x-amz- security-token” HTTP header.
For other AWS services, via the SecurityToken parameter.
Which AWS services accept temporary security credentials?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
For a list of supported services, see AWS Services That Work with IAM.
What is the maximum size of the access policy that I can specify when requesting temporary security credentials (either GetFederationToken or AssumeRole)?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
The policy plaintext must be 2048 bytes or shorter. However, an internal conversion compresses it into a packed binary format with a separate limit.
Can a temporary security credential be revoked prior to its expiration?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
No. When requesting temporary credentials, we recommend the following:
When creating temporary security credentials, set the expiration to a value that is appropriate for your application.
Because root account permissions cannot be restricted, use an IAM user and not the root account for creating temporary security credentials. You can revoke permissions of the IAM user that issued the original call to request it. This action almost immediately revokes privileges for all temporary security credentials issued by that IAM user
Can I reactivate or extend the expiration of temporary security credentials?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
No. It is a good practice to actively check the expiration and request a new temporary security credential before the old one expires. This rotation process is automatically managed for you when temporary security credentials are used in roles for EC2 instances.
Are temporary security credentials supported in all regions?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
Customers can request tokens from AWS STS endpoints in all regions, including AWS GovCloud (US) and China (Beijing) regions. Temporary credentials from AWS GovCloud (US) and China (Beijing) can be used only in the region from which they originated. Temporary credentials requested from any other region such as US East (N. Virginia) or EU (Ireland) can be used in all regions except AWS GovCloud (US) and China (Beijing).
Can I restrict the use of temporary security credentials to a region or a subset of regions?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
No. You cannot restrict the temporary security credentials to a particular region or subset of regions, except the temporary security credentials from AWS GovCloud (US) and China (Beijing), which can be used only in the respective regions from which they originated.
What do I need to do before I can start using an AWS STS endpoint?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
AWS STS endpoints are active by default in all regions and you can start using them without any further actions.
What happens if I try to use a regional AWS STS endpoint that has been deactivated for my AWS account?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
If you attempt to use a regional AWS STS endpoint that has been deactivated for your AWS account, you will see an AccessDenied exception from AWS STS with the following message: “AWS STS is not activated in this region for account: AccountID. Your account administrator can activate AWS STS in this region using the IAM console.”
What permissions are required to activate or deactivate AWS STS regions from the Account Settings page?
Temporary Security Credentials
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
Only users with at least iam:* permissions can activate or deactivate AWS STS regions from the Account Settings page in the IAM console. Note that the AWS STS endpoints in US East (N. Virginia), AWS GovCloud (US), and China (Beijing) regions are always active and cannot be deactivated.
