AWS advance identity - Coggle Diagram
AWS advance identity
Security Token Service (STS)
  limited & temporary access (< 1 hour)
  AssumeRole: in account | cross account
  AssumeRoleWithSAML
  AssumeRoleWithWebIdentity (Fb, Google, ...)
    -> not recommended
  GetSessionToken
  GetFederationToken
  GetCallerIdentity
    (details of the calling IAM user | role)
  DecodeAuthorizationMessage
evaluation
  default: DENY
  explicit DENY first
  total policy = union of all policies
Type
  AWS managed
  Customer managed
  Inline
    (limited size)
Active Directory
  database of objects: user accounts, computers, file shares, SGs
  group objects -> tree; group trees -> forest
  AWS Managed AD
    on-premises AD <-trust-> AWS Managed AD
    supports MFA
  AD Connector
    Directory Gateway (proxy) -> on-premises
    supports MFA
  Simple AD (no MFA)
STS with MFA
  GetSessionToken
  set condition in policy:
    aws:MultiFactorAuthPresent: true
    (e.g. when terminating EC2)
Grant user permission
  to pass a role -> AWS service
  permission: iam:PassRole
  destination role must have a trust policy allowing it
    (allow action: sts:AssumeRole)
dynamic policy
  variable: ${aws:username}
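As an added example, not part of the Coggle map: a toy evaluator in Python for the evaluation rules and the MFA condition noted above (default DENY, explicit DENY first, union of all policies, aws:MultiFactorAuthPresent). The sample policies and ARNs are constructed; only the Bool condition operator and simple wildcard matching are modelled, not the full IAM engine.

```python
import fnmatch

def _matches(stmt, action, resource, ctx):
    """True when the statement's Action, Resource and Condition all apply."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt.get("Resource", "*")
    resources = resources if isinstance(resources, list) else [resources]
    if not any(fnmatch.fnmatchcase(action, a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
        return False
    # Only the Bool operator is modelled: it is what aws:MultiFactorAuthPresent uses.
    for key, want in stmt.get("Condition", {}).get("Bool", {}).items():
        if str(ctx.get(key, False)).lower() != str(want).lower():
            return False
    return True

def evaluate(policies, action, resource, ctx=None):
    """Decide one request against every attached policy: 'Allow' or 'Deny'."""
    ctx = ctx or {}
    decision = "Deny"                       # default: DENY
    for policy in policies:                 # effective perms = union of all policies
        for stmt in policy["Statement"]:
            if not _matches(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"               # explicit DENY wins, stop here
            decision = "Allow"
    return decision

# Constructed sample policies (placeholder ARNs): a read-only policy, plus one that
# allows TerminateInstances only with MFA and always denies it on "prod" instances.
READ_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
MFA_TERMINATE = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances",
     "Resource": "arn:aws:ec2:*:*:instance/i-prod*"}]}
POLICIES = [READ_ONLY, MFA_TERMINATE]
DEV = "arn:aws:ec2:us-east-1:111111111111:instance/i-dev01"
PROD = "arn:aws:ec2:us-east-1:111111111111:instance/i-prod01"

if __name__ == "__main__":
    print(evaluate(POLICIES, "ec2:DescribeInstances", DEV))          # Allow
    print(evaluate(POLICIES, "ec2:TerminateInstances", DEV))         # Deny (no MFA)
    print(evaluate(POLICIES, "ec2:TerminateInstances", DEV,
                   {"aws:MultiFactorAuthPresent": True}))            # Allow
    print(evaluate(POLICIES, "ec2:TerminateInstances", PROD,
                   {"aws:MultiFactorAuthPresent": True}))            # Deny (explicit)
```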