AWS Security Token Service(STS)

  • We use assume role API under AWS security token service.
  • Define an IAM role Within your account or cross account.
  • Define which principles can access this IAM role.
  • Use AWS STS(Security Token Service) to retrieve Credentials and impersonate the IAM role You have access to(Assume Role API).
  • Temporary credentials can be valid between 15 minutes to 12 hours.
  • Returns a set of temporary security credentials that we can use to access AWS resources.
  • The temporary credentials consist of an access key ID, a secret access key, and a security token.
  • Role must have permissions of assume role.
  • Used to provide an indirect access to a user for accessing resources.
    • User does not have access to resources directly, user can assume a role that has access to resources.
  • Security token received by a user is valid for specific time.
  • Services can also assume role besides user like Lambda, S3.
  • We have a policy for user which defines which role can be assumed.
  • The use case is when a root user wants IAM user access to resources for a limited amount of time between 1 hours - 12 hours.
  • Steps to perform above scenarios is as follows.
    • Create IAM user.
    • Give few permissions to this IAM user using policy.
    • Create one role which I am user can assume it.
    • Create one policy which will allow IAM user to assume R1 role ARN - call this policy as P3.
    • Call assume role API to finally assume role R1.
  • Assume role API give an access key, secret key and session token.
  • Create a user from cli using command
    • aws iam create-user --user-name MyUsername
    • aws iam create-access-key --user-name MyUsername
      • This will give you access key and secret access key for the user.
  • Run AWS configure to configure access key, secret access key and user account.
    • It will replace the root access key with the one we have received in last command.
    • Enter the region and output format (json, yml) etc.
  • Create a policy for the user to assume a role as follows
    • {
      • "Effect": "Allow"
      • "Action":[
        • "sts: Assume Role"
      • ],
      • "Resource" "*" //any role, give role ARN here for specific role
    • }
  • Under trust relationships In Role add the ARN of the user.
  • This allows user to assume a role.
  • When to use STS
    • Provide access for an IAM user In AWS account that you own to access resources in another account that you own.
    • Provide access to IAM user in AWS account owned by third-parties.
    • Provide access for services used by AWS to AWS resources.
    • Provide access for externally authenticated users(Identity Federation).
    • Ability to revoke active session and credentials for a role(by adding a policy using a time statement-AWSRevokeOlderSessions).
  • When we assume a role, We give up our original permissions and take the permissions assigned to the role.
  • We can grant IAM users permissions to switch roles within our AWS account or to roles defined in other AWS accounts that we own.
  • Benefits
    • You must explicitly grant your users permission to assume the role.
    • Your users Must actively switch to the role Using AWS management console or assume the role using the AWS CLI or AWS API.
    • You can add multi-factor authentication(MFA) protection to the role so that only users who signed in with MFA device can assume the role.
    • Least privileged auditing using cloud Trail.
  • Providing access to AWS accounts owned by third parties.
    • Our zone of trust includes our accounts, organisations that we own.
    • Third parties are outside our zone of trust.
    • We use IAM access analyser to find out which resources are exposed.
    • We get third-party AWS account ID.
    • An external ID(Secret between you and the third-party)
      • To uniquely associate with the role between you and the third party.
      • Must be provided when defining the trust and when assuming the role.
    • Define permissions in IAM policy
  • Admin creates “updateDataBucket” role Which allows access to read/write in “Data Bucket” in S3.
  • Admin grants members of the group permission to assume the “updateDataBucket” role.
  • User request access to the role.
  • STS returns, role credentials.
  • User has access to the S3 bucket by using the role credentials.
  • Session tags in STS.
    • Tag that you pass when you assume an IAM role, or federate user in STS.
    • aws:Principal Tag Condition
      • Compares the tags Attached to the principal making the request ,with the tag you specified in the policy.
      • Example: Allow a principal to pass session tag only if the principal making the request has the specified tags.
  • STS important API’s
    • Assume role: Access a role Within your account or cross account.
    • Assume role with SAML: Returns credentials for users logged in with SAML.
    • Assume with web identity: Return credentials for users logged in with an IDP.
      • Example providers include Amazon, Cognito, login with Amazon, Facebook, Google or any Open ID connect compatible identity provider.
      • AWS recommends using Cognito instead.
    • Get session token
      • For MFA From a user or AWS account route user.
    • Get federation token
      • Obtain temporary credentials for a federated user, Usually a proxy App that will give The credentials to a distribution app Inside a corporate network.

Comments

Post a Comment

Popular posts from this blog

Effect : Deny vs No Action

No action allows us to provide granular level control over resources operations. For example, if we use effect, deny For all actions in IAM An, then we use effect allow over some actions in IAM then deniable supersede allow. The way to overcome above issue is to use NoAction on all IAM operations And action on Allowed IAM operations. Example { "Version" : "2012-10-17" , "Statement" : [ { "Effect" : "Allow" , "NotAction" : [ "iam:*" , "organizations:*" , "account:*" ], "Resource" : "*" }, { "Effect" : "Allow" , "Action" : [ "iam:CreateServiceLinkedRole" , "iam:DeleteServiceLinkedRole" , "iam:ListRoles" , "organizations:DescribeOrganization" , "account:ListRegions" ,
Read more

AWS Summaries

Database Summary  RDS(OLTP) SQL My SQL Post Gre SQL Oracle Aurora Maria DB Dynamo DB(No SQL) Redshift OLAP Elastic cache Memcached Redis RDS runs on virtual machines We cannot log into this operating systems however Patching of our RDS Operating system and DB is Amazons responsibility. RDS is not server-less. Aurora surverless is seven less which is an exception. Dynamo DB is server-less. There are two types of backups for RDS Automated backups Database snapshots Read replicas Can be multi availability zones. Use to increase performance Must have backups turned on. Can be in different regions. Can be MySQL,PostgreSQL,Maria DB, Oracle, Aurora, SQL Server is not supported. Can be promoted to master, this will break read replica. Multi availability zone Used for DRG only and not performance. You can force a fail over from one availability zone to another by re-booting the RDS instance. Encryption at Rest Is supported for My SQL, Oracle, SQL server, Postgre SQL, Maria DB and Aurora. Encryp
Read more

Infrastructure Setup using Cloud Formation Templates

Services Required to create CICD Code Build Build code and deploy image in jfrog Code Pipeline Has (Continuous Integration Continuous Deployment)CICD flow Cloud Formation To deploy and create infrastructure we use yml files. S3 Store our data packages and yml files which are used by CFT. ECS To deploy our application on fargate servers We can also create our manual EC2 instances from pipeline. Secrets Manager Manages all the secrets. ELB/ALB Elastic/Application Load Balancer To map context paths of different services GitHub Stores our code Jfrog Used to store all the docker images Dockerfile Used to create a customised docker image Scanning for Vulnerabilities free code Sonarcube Checkmarx Twistlock Cloudwatch Used to store logs We create log group for each of instances Lambda Functions Used for serverless technologies. Creating a new Environment Create the YML images of the different resources required in the environment. The CFT templates are stored in S3 or can be uploaded from syst
Read more