Security Token Service (AWS STS)
~ Kaushik Mohanraj
Blazeclan
Agenda
Cloud IT Better
• What STS is and what it has to offer
• Recap of AWS IAM as a prerequisite
• Why STS?
• Brief information on its details
• Use cases
What is STS?
• AWS STS: Security Token Service
• The AWS Security Token Service is a web service that enables you to request
temporary, limited-privilege credentials for AWS Identity and Access Management
(IAM) users or for users that you authenticate (federated users).
And what was IAM?
• AWS Identity and Access Management (IAM) enables you to securely control
access to AWS services and resources for your users.
• IAM enables you to create and manage users in AWS and access AWS
resources.
• IAM offers greater security, flexibility, and control when using AWS.
• IAM enables you to:
  ◦ Manage IAM users and their access
  ◦ Manage access for federated users
A brush-up on IAM User, IAM Group and IAM Role
• IAM User:
  ◦ A user is an individual, system, or application that interacts with AWS programmatically.
• IAM Group:
  ◦ A group is a collection of users. Groups don't directly interact with AWS; only users do.
• IAM Role:
  ◦ A role is an entity that has a set of permissions, and that another entity assumes to make calls to access your AWS resources.
  ◦ On an EC2 instance, the credentials for the attached role are served by the instance metadata service:
    GET http://169.254.169.254/latest/meta-data/iam/security-credentials/[role]
Why STS?
When access is requested through an STS API call, it typically returns temporary security credentials consisting of:
• A Security Token
• An Access Key ID
• A Secret Access Key
• The Access Key ID and Secret Access Key generated with the token cannot be used without the token.
• There is no limit on the number of "sets" that we can create.
• STS is designed to have limited access on a couple of services.
Ways to Access STS
• API calls
• AWS offers SDKs for selected languages, namely:
  ◦ Java
  ◦ PHP
  ◦ .NET
  ◦ Ruby
Types of users for whom you would enable access
• Enable Access for IAM Users
• Enable Access for Federated Users
• Delegating API Access to Services
Creating Temporary Security Credentials to Enable Access for
IAM Users
• IAM users can use the AWS Security Token Service
GetSessionToken API action to create temporary security
credentials for themselves
Example Request:
https://sts.amazonaws.com/
?Version=2011-06-15
&Action=GetSessionToken
&DurationSeconds=3600
&AUTHPARAMS
[Slide callouts: "Action" marks Action=GetSessionToken; "Validity" marks DurationSeconds=3600]
GetSessionToken Request Description
• Request Parameters
  ◦ DurationSeconds
  ◦ SerialNumber
    The identification number of the MFA device for the user.
  ◦ TokenCode
    The value provided by the MFA device.
(None of them are mandatory)
Note: You can specify the duration of the temporary security credentials to be from 15
minutes to 36 hours. By default, the credentials are valid for 12 hours.
Continued…
[Slide figure: GetSessionToken example (continued), with callouts for Expiration Time, Secret Access Key, and Access Key ID]
Still think your account would be compromised?
Temporary Security Credentials for IAM Users with Multi-Factor
Authentication (MFA)
• The following is an example of a GetSessionToken request with an MFA verification
code and device serial number using the STS Query API.
Creating Temporary Security Credentials to Enable Access for
Federated Users
So who is a federated user?
A non-AWS user whose identity can be authenticated.
Creating Temporary Security Credentials to Enable Access for
Federated Users
To grant temporary access to a non-AWS user whose identity you can authenticate (a federated user), use the AWS STS GetFederationToken action.
[Slide figure: example GetFederationToken request, with callouts for Action, Validity, and Authentication From the Identity Broker]
GetFederationToken Request Description
• Request Parameters
  ◦ DurationSeconds – (Optional)
  ◦ Name – (Mandatory)
  ◦ Policy – (Optional)
Note: You can specify the duration of the temporary security credentials to be from 15 minutes to 36 hours. The 12-hour default applies only to credentials created by IAM users; credentials created using account credentials have a maximum duration of one hour.
Continued…
[Slide figure: GetFederationToken example (continued), with callouts for Expiration Time, Secret Access Key, Access Key ID, and Federated User ID]
GetFederationToken Response Description
• Response Parameters
  ◦ Credentials
  ◦ FederatedUser
    Identifiers for the federated user associated with the credentials. You can use the federated user's ARN in your resource policies.
  ◦ PackedPolicySize
    A percentage value indicating the size of the policy in packed form. Policies for which the packed size is greater than 100% of the allowed value are rejected by the service.
Creating Temporary Security Credentials for Delegating API
Access
• We know that we can delegate access to our AWS resources by using IAM roles.
• IAM roles allow you to establish trusted relationships with other AWS accounts (trusted entities).
• IAM users from trusted entities can use the AWS Security Token Service AssumeRole action to obtain temporary security credentials.
• With the temporary security credentials, callers are granted only the permissions that are defined in the role.
Note: You can specify the duration of the temporary security credentials to be from 15 minutes to one hour. By default, the credentials are valid for one hour.
Continued…
Requirements for assuming a role
To assume a role, the caller must meet the following requirements:
• The caller must have permission to call AssumeRole for the specific role.
• The role defines the caller's AWS account ID as a trusted entity.
• The caller must use IAM user credentials to assume a role.
• If the role has an external ID defined, the caller must pass that external ID when calling AssumeRole.
External ID (Use-case Specific)
• An external ID is an additional piece of information that you can
specify when assuming an IAM role.
• As a third party, you might have multiple customers who use your
service to access or manage their AWS resources. You assign an
external ID that is associated with each customer. Customers
include this ID when they create a role that you can assume.
• Then each time you assume a role, you include the external ID as
part of the request.
• The external ID can be any identifier that is used to identify each
customer (it doesn't have to be a secret value). The only
requirement is that the external ID must be unique for each
customer.
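The trust-side requirements for AssumeRole (trusted account, matching external ID) can be checked mechanically against a role's trust policy. The following is an added example, not part of the original slides: a simplified model that ignores Deny statements and other condition operators, run over a constructed policy whose account IDs and external IDs are made-up values; all function names are illustrative.

```python
import json

# Constructed sample: trust policy of a customer's role that third-party
# services assume. Account IDs and external IDs are made-up values.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VendorWithExternalId",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "customer-0042"}}
    },
    {
      "Sid": "VendorWithoutExternalId",
      "Effect": "Allow",
      "Principal": {"AWS": "444455556666"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

ROLE_ACCOUNT = "999988887777"  # constructed: the account that owns the role


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows_assume_role(statement):
    return (statement.get("Effect") == "Allow"
            and "sts:AssumeRole" in _as_list(statement.get("Action", [])))


def trusted_accounts(statement):
    """Account IDs named in the statement's Principal.AWS ('*' means anyone)."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return {"*"} if principal == "*" else set()
    accounts = set()
    for entry in _as_list(principal.get("AWS", [])):
        # Either an ARN (account ID is the fifth field) or a bare account ID / "*".
        accounts.add(entry.split(":")[4] if entry.startswith("arn:") else entry)
    return accounts


def required_external_ids(statement):
    """External IDs demanded by a StringEquals condition on sts:ExternalId."""
    ids = set()
    for operator, keys in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            continue
        for key, value in keys.items():
            if key.lower() == "sts:externalid":  # condition keys are case-insensitive
                ids.update(_as_list(value))
    return ids


def trust_allows(policy, caller_account, external_id=None):
    """Would the role's trust policy accept this caller? (trust side only;
    the caller's own permission to call AssumeRole is not modelled)"""
    for stmt in _as_list(policy["Statement"]):
        if not _allows_assume_role(stmt):
            continue
        accounts = trusted_accounts(stmt)
        if caller_account not in accounts and "*" not in accounts:
            continue
        required = required_external_ids(stmt)
        if not required or external_id in required:
            return True
    return False


def audit(policy, role_account):
    """Flag cross-account trust statements that do not pin an external ID."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if not _allows_assume_role(stmt):
            continue
        foreign = sorted(trusted_accounts(stmt) - {role_account})
        if foreign and not required_external_ids(stmt):
            findings.append((stmt.get("Sid", "<no Sid>"), foreign))
    return findings


if __name__ == "__main__":
    print(trust_allows(TRUST_POLICY, "111122223333", "customer-0042"))
    print(trust_allows(TRUST_POLICY, "111122223333", "customer-0001"))
    print(audit(TRUST_POLICY, ROLE_ACCOUNT))
```

The second statement is the one the audit reports: any caller in that account can assume the role on behalf of any customer, which is the situation the per-customer external ID exists to prevent.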
AssumeRole Request Description
[Slide figure: example AssumeRole request, with callouts for Action, Validity, and External ID]
AssumeRole Request Description
• Request Parameters
  ◦ DurationSeconds – (Optional)
  ◦ ExternalId – (Optional)
  ◦ Policy – (Optional)
  ◦ RoleArn – (Mandatory)
    The ARN of the role that the caller is assuming.
  ◦ RoleSessionName – (Mandatory)
    An identifier for the assumed role session. The session name is included as part of the AssumedRoleUser.
AssumeRole Response Description
[Slide figure: example AssumeRole response, with callouts for Expiration Time, Packed Policy Size, and Assumed Role ARN]
AssumeRole Response Description
• Response Parameters
  ◦ AssumedRoleUser
  ◦ Credentials
  ◦ PackedPolicySize
    A percentage value indicating the size of the policy in packed form. Policies for which the packed size is greater than 100% of the allowed value are rejected by the service.
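The response fields described for GetSessionToken, GetFederationToken and AssumeRole share one XML layout in the STS Query API. The following is an added example, not part of the original slides: a parser that extracts those fields, refuses a credential set that lacks any of its three parts, and builds a summary that is safe to log. The sample response is constructed and every credential value in it is a placeholder; the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"

# Constructed sample response; all credential values are placeholders.
SAMPLE_RESPONSE = """\
<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleResult>
    <Credentials>
      <SessionToken>EXAMPLE-SESSION-TOKEN</SessionToken>
      <SecretAccessKey>EXAMPLE-SECRET-ACCESS-KEY</SecretAccessKey>
      <Expiration>2011-07-15T23:28:33.359Z</Expiration>
      <AccessKeyId>ASIAEXAMPLEKEYID</AccessKeyId>
    </Credentials>
    <AssumedRoleUser>
      <Arn>arn:aws:sts::123456789012:assumed-role/demo/audit-session</Arn>
      <AssumedRoleId>AROAEXAMPLEROLEID:audit-session</AssumedRoleId>
    </AssumedRoleUser>
    <PackedPolicySize>6</PackedPolicySize>
  </AssumeRoleResult>
  <ResponseMetadata>
    <RequestId>00000000-0000-0000-0000-000000000000</RequestId>
  </ResponseMetadata>
</AssumeRoleResponse>
"""


def _text(parent, name):
    """Text of a namespaced child element, or None if it is absent or empty."""
    node = parent.find(STS_NS + name) if parent is not None else None
    return node.text.strip() if node is not None and node.text else None


def parse_sts_response(xml_text):
    """Parse a GetSessionToken / GetFederationToken / AssumeRole response."""
    root = ET.fromstring(xml_text)
    tag = root.tag.replace(STS_NS, "")
    if not tag.endswith("Response"):
        raise ValueError("not an STS response: " + tag)
    action = tag[:-len("Response")]
    result = root.find(STS_NS + action + "Result")
    creds = result.find(STS_NS + "Credentials") if result is not None else None

    parsed = {
        "action": action,
        "access_key_id": _text(creds, "AccessKeyId"),
        "secret_access_key": _text(creds, "SecretAccessKey"),
        "session_token": _text(creds, "SessionToken"),
    }
    expiration = _text(creds, "Expiration")
    missing = [k for k, v in parsed.items() if not v]
    if missing or not expiration:
        # The key pair is unusable without the token, so treat a partial set as an error.
        raise ValueError("incomplete credentials: %s" % (missing or ["expiration"]))
    parsed["expiration"] = datetime.fromisoformat(expiration.replace("Z", "+00:00"))

    # FederatedUser (GetFederationToken) or AssumedRoleUser (AssumeRole), if present.
    parsed["principal_arn"] = None
    for element in ("FederatedUser", "AssumedRoleUser"):
        arn = _text(result.find(STS_NS + element), "Arn")
        if arn:
            parsed["principal_arn"] = arn
    size = _text(result, "PackedPolicySize")
    parsed["packed_policy_size"] = int(size) if size else None
    return parsed


def seconds_remaining(parsed, now):
    """Whole seconds until the credentials expire (negative once expired)."""
    return int((parsed["expiration"] - now).total_seconds())


def loggable_summary(parsed, now):
    """Fields that can go into logs: no secret key and no session token."""
    remaining = seconds_remaining(parsed, now)
    return {
        "action": parsed["action"],
        "access_key_id": parsed["access_key_id"],
        "principal_arn": parsed["principal_arn"],
        "packed_policy_size": parsed["packed_policy_size"],
        "seconds_remaining": remaining,
        "expired": remaining <= 0,
    }


if __name__ == "__main__":
    creds = parse_sts_response(SAMPLE_RESPONSE)
    print(loggable_summary(creds, datetime.now(timezone.utc)))
```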
How Permissions Work?
Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/FederationPermissions.html
Use Cases
Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html
Cross-Account Delegation (Cloudlytics Scenario)
Source: http://docs.aws.amazon.com/IAM/latest/UserGuide/Delegation.html
Thank you
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 

Recently uploaded (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

A guide on AWS Security Token Service

  • 1. Security Token Service (AWS STS) ~ Kaushik Mohanraj
  • 2. Agenda
      • What is STS and what it has to offer…
      • Recap on AWS IAM as prerequisite
      • Why STS?
      • Brief information on its details
      • Use cases
  • 3. What is STS?
      • AWS STS: Security Token Service
      • The AWS Security Token Service is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
  • 4. And what was IAM…?
      • AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users.
      • IAM enables you to create and manage users in AWS and access AWS resources.
      • IAM offers greater security, flexibility, and control when using AWS.
      • IAM enables you to:
          - Manage IAM users and their access
          - Manage access for federated users
  • 5. A brush-up on IAM Role, IAM User and IAM Group
      • IAM User:
          - A user is an individual, system, or application that interacts with AWS programmatically.
      • IAM Group:
          - A group is a collection of users. Groups don't directly interact with AWS; only users do.
      • IAM Role:
          - A role is an entity that has a set of permissions, and that another entity assumes to make calls to access your AWS resources.
          - GET http://169.254.169.254/latest/meta-data/iam/security-credentials/[role]
  • 6. Why STS…
      An STS API call typically returns temporary security credentials consisting of:
      • A Security Token
      • An Access Key ID
      • A Secret Access Key
      Notes:
      • The Access Key ID and Secret Access Key generated with the token cannot be used without the token.
      • There are no limits on the number of "sets" that we can create.
      • The STS service is designed to have limited access on a couple of services.
  • 7. Ways to Access STS
      • API calls
      • AWS offers SDKs for selected languages, namely:
          - Java
          - PHP
          - .NET
          - Ruby
  • 8. Types of users for whom you would enable access
      • Enable access for IAM users
      • Enable access for federated users
      • Delegating API access to services
  • 9. Creating Temporary Security Credentials to Enable Access for IAM Users
      • IAM users can use the AWS Security Token Service GetSessionToken API action to create temporary security credentials for themselves.
      • Example request (figure callouts: Action, Validity):
          https://sts.amazonaws.com/?Version=2011-06-15&Action=GetSessionToken&DurationSeconds=3600&AUTHPARAMS
  • 10. GetSessionToken Request Description
      • Request parameters (none of them are mandatory):
          - DurationSeconds
          - SerialNumber: The identification number of the MFA device for the user.
          - TokenCode: The value provided by the MFA device.
      Note: You can specify the duration of the temporary security credentials to be from 15 minutes to 36 hours. By default, the credentials are valid for 12 hours.
  • 11. Continued… [Figure callouts: Expiration Time, Secret Access Key, Access Key ID]
  • 12. Still think your account would be compromised? Temporary Security Credentials for IAM Users with Multi-Factor Authentication (MFA)
      • The following is an example of a GetSessionToken request with an MFA verification code and device serial number using the STS Query API.
  • 13. Creating Temporary Security Credentials to Enable Access for Federated Users
      So who is a federated user? A non-AWS user whose identity can be authenticated.
  • 14. Creating Temporary Security Credentials to Enable Access for Federated Users
      To grant temporary access to a non-AWS user whose identity you can authenticate (a federated user), use the AWS STS GetFederationToken action.
      [Figure callouts: Action, Validity, Authentication From the Identity Broker]
  • 15. GetFederationToken Request Description
      • Request parameters:
          - DurationSeconds (optional)
          - Name (mandatory)
          - Policy (optional)
      Note: You can specify the duration of the temporary security credentials to be from 15 minutes to 36 hours. By default, the credentials are valid for 12 hours only if created by IAM users; credentials created using account credentials have a maximum duration of one hour.
  • 16. Continued… [Figure callouts: Expiration Time, Secret Access Key, Access Key ID, Federated User ID]
  • 17. GetFederationToken Response Description
      • Response parameters:
          - Credentials
          - FederatedUser: Identifiers for the federated user associated with the credentials. You can use the federated user's ARN in your resource policies.
          - PackedPolicySize: A percentage value indicating the size of the policy in packed form. Policies for which the packed size is greater than 100% of the allowed value are rejected by the service.
  • 18. Creating Temporary Security Credentials for Delegating API Access
      • We know that we can delegate access to our AWS resources by using IAM roles.
      • IAM roles allow you to establish trusted relationships with other AWS accounts (trusted entities).
      • IAM users from trusted entities can use the AWS Security Token Service AssumeRole action to obtain temporary security credentials.
      • With the temporary security credentials, callers are granted only the permissions that are defined in the role.
      Note: You can specify the duration of the temporary security credentials to be from 15 minutes to one hour. By default, the credentials are valid for one hour.
  • 19. Continued… Requirements for assuming a role
      To assume a role, the caller must meet the following requirements:
      • The caller must have permission to call AssumeRole for the specific role.
      • The role defines the caller's AWS account ID as a trusted entity.
      • The caller must use IAM user credentials to assume a role.
      • If the role has an external ID defined, the caller must pass that external ID when calling AssumeRole.
  • 20. External ID (use-case specific)
      • An external ID is an additional piece of information that you can specify when assuming an IAM role.
      • As a third party, you might have multiple customers who use your service to access or manage their AWS resources. You assign an external ID that is associated with each customer. Customers include this ID when they create a role that you can assume.
      • Then each time you assume a role, you include the external ID as part of the request.
      • The external ID can be any identifier that is used to identify each customer (it doesn't have to be a secret value). The only requirement is that the external ID must be unique for each customer.
  • 21. AssumeRole Request Description [Figure callouts: Action, Validity, External ID]
  • 22. AssumeRole Request Description
      • Request parameters:
          - DurationSeconds (optional)
          - ExternalId (optional)
          - Policy (optional)
          - RoleArn (mandatory): The ARN of the role that the caller is assuming.
          - RoleSessionName (mandatory): An identifier for the assumed role session. The session name is included as part of the AssumedRoleUser
  • 23. AssumeRole Response Description [Figure callouts: Expiration Time, Packed Policy Size, Assumed Role ARN]
  • 24. AssumeRole Response Description
      • Response parameters:
          - AssumedRoleUser
          - Credentials
          - PackedPolicySize: A percentage value indicating the size of the policy in packed form. Policies for which the packed size is greater than 100% of the allowed value are rejected by the service.
  • 25. How Permissions Work? Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/FederationPermissions.html
  • 26. Use Cases. Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html
  • 27. Use Cases. Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html
  • 28. Cross-Account Delegation (Cloudlytics Scenario). Source: http://docs.aws.amazon.com/IAM/latest/UserGuide/Delegation.html
  • 29. Content References and Suggested Pages:
      • AWS Documentation - Using Temporary Security Credentials
      • AWS Documentation - AWS Security Token Service
      • AWS Documentation - AWS Identity and Access Management
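
The requirements for assuming a role (slide 19) and the per-customer external ID (slide 20) can be walked through with a small model of the trust-policy check. This is an added example, not part of the original deck and not AWS's policy engine; the account IDs, ARNs, role names, external IDs and all function names are constructed for illustration.

```python
# Simplified model of the AssumeRole requirements on slides 19 and 20 (added example).
# Not AWS's policy engine: only Principal.AWS and StringEquals on sts:ExternalId
# are evaluated. Account IDs, ARNs and external IDs are constructed placeholders.
SERVICE_USER = "arn:aws:iam::111111111111:user/reporting-service"  # the third party
ROLE_A = "arn:aws:iam::222222222222:role/ThirdPartyAccess"         # customer A's role
ROLE_B = "arn:aws:iam::333333333333:role/ThirdPartyAccess"         # customer B's role

def trust_policy(trusted_account, external_id=None):
    """Trust policy a customer attaches to the role the third party assumes."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def _listify(value):
    return value if isinstance(value, list) else [value]

def principal_matches(principal, caller_arn):
    account = caller_arn.split(":")[4]
    if principal in (account, f"arn:aws:iam::{account}:root"):
        return True                     # the whole account is trusted
    return principal == caller_arn      # only one named identity is trusted

def check_assume_role(policy, caller_arn, caller_may_assume, role_arn, external_id=None):
    """Return (allowed, reason) for one AssumeRole request."""
    if caller_arn.endswith(":root"):
        return False, "account root credentials cannot assume a role"
    if role_arn not in caller_may_assume:
        return False, "caller has no permission to call AssumeRole on this role"
    reason = "caller's account is not a trusted entity of the role"
    for stmt in _listify(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _listify(stmt.get("Action", [])):
            continue
        principals = _listify(stmt.get("Principal", {}).get("AWS", []))
        if not any(principal_matches(p, caller_arn) for p in principals):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id not in _listify(required):
            reason = "external ID missing or not the one this role expects"
            continue
        return True, "allowed"
    return False, reason

POLICIES = {ROLE_A: trust_policy("111111111111", "cust-a-5d1c"),
            ROLE_B: trust_policy("111111111111", "cust-b-90e2")}

def request(role_arn, external_id):
    """The third party's service asking for a customer's role."""
    return check_assume_role(POLICIES[role_arn], SERVICE_USER,
                             {ROLE_A, ROLE_B}, role_arn, external_id)
```

Calling `request(ROLE_B, "cust-a-5d1c")` is the case the external ID exists for: both roles trust the same third-party account, so only the per-customer value keeps customer A's request from reaching customer B's role.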