AWS IAM Authentication

  1. IAM authenticates a principal (a human user or an application) in one of the following three ways:
    1. User name/Password (sign-in to the AWS Management Console)
      1. The account password policy enforces password complexity, minimum length, rotation period and reuse restrictions
      2. MFA adds a second factor (a virtual or hardware token code) on top of the password
    2. Access Key
      1. An access key is a pair: a 20-character Access Key ID, which identifies the principal and is sent with every request, and a 40-character Secret Access Key, which must stay private and is used only to sign requests
      2. Using an access key, an application calls the AWS API through the SDK or CLI; each request is signed with the secret key and IAM verifies the signature, so the secret itself never crosses the wire
    3. Access Key/Session Token (temporary security credentials)
      1. A process assumes a role and obtains temporary security credentials from STS
      2. The credentials consist of an access key (Access Key ID/Secret Access Key pair) plus a session token, and they expire after a configurable duration
      3. SDK/API calls must carry all three values (the session token travels in the X-Amz-Security-Token header); the key pair presented without its session token is rejected
  2. Security Token Service (STS) grants users temporary access to resources on AWS. It serves three types of users:
    1. Enterprise federation users, such as Active Directory or any other LDAP-based directory service users (via SAML or a custom identity broker)
    2. Web identity federation users from well-known identity providers such as Google/Facebook/Twitter
    3. Users from another AWS account (cross-account access by assuming a role in the target account)
  3. An identity broker is a service that takes an identity from Identity Store/Pool 1 and joins (federates) it with Identity Store/Pool 2
    1. In a typical scenario, a user logs into a website with id/pwd
    2. The identity broker first calls LDAP and authenticates the user
      • Then the identity broker, using its own long-term IAM credentials, calls AWS STS (GetFederationToken) and receives temporary security credentials that the user can use to access AWS services (like S3); the broker never hands its own credentials to the user
      • Or alternatively it can assume an IAM role through STS (AssumeRole); the temporary credentials it gets back carry that role's permissions to talk to S3
  4. Active Directory users can access AWS using SAML (Security Assertion Markup Language) federation
    1. First authenticate with AD using id/pwd; the SAML identity provider (for example AD FS) returns a signed SAML assertion
    2. Then exchange the assertion for temporary security credentials through STS (AssumeRoleWithSAML) and use those credentials to access AWS
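Added example (not code from the KnowledgeHills page) of how the credentials in item 1 are actually used. An SDK never sends the Secret Access Key: it derives a scoped signing key from it and signs every request (Signature Version 4), and with temporary credentials the session token is sent and signed too. The long-term key pair, date and request below are the constructed inputs AWS uses in its SigV4 documentation, so the resulting signature can be compared with the one printed there; the temporary credential values are constructed. Only the Python standard library is needed.

```python
import hashlib
import hmac
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_access_key: str, date: str, region: str, service: str) -> bytes:
    """Derive the scoped SigV4 signing key.  The raw secret never signs a request;
    it is folded through date, region and service, so a leaked signing key is only
    usable for that day, region and service."""
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes) -> str:
    """Build the canonical request: sorted and encoded query string, sorted lower-case
    headers, the list of signed header names, and the SHA-256 of the payload."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    return "\n".join([method, path, canonical_query, canonical_headers,
                      ";".join(names), _sha256_hex(payload)])


def sign_request(method, host, path, query, region, service, amz_date,
                 access_key_id, secret_access_key, session_token=None, payload=b""):
    """Return the headers to send, including Authorization.  With temporary
    credentials the session token is both sent and covered by the signature
    (x-amz-security-token), so a key id/secret presented without its token
    produces a signature that AWS rejects."""
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": host,
        "x-amz-date": amz_date,
    }
    if session_token is not None:
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(derive_signing_key(secret_access_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


# Request and long-term key pair as used in AWS's SigV4 documentation example (not live secrets).
EXAMPLE = dict(method="GET", host="iam.amazonaws.com", path="/",
               query={"Action": "ListUsers", "Version": "2010-05-08"},
               region="us-east-1", service="iam", amz_date="20150830T123600Z")
LONG_TERM = sign_request(**EXAMPLE, access_key_id="AKIDEXAMPLE",
                         secret_access_key="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY")

# Constructed temporary credentials: STS key ids start with ASIA, and the token must be sent too.
TEMPORARY = sign_request(**EXAMPLE, access_key_id="ASIAEXAMPLETEMPKEY01",
                         secret_access_key="constructedTemporarySecretKey/EXAMPLE",
                         session_token="FQoGZXIvYXdzEXAMPLEsessionTOKEN")

if __name__ == "__main__":
    for name, hdrs in (("long-term", LONG_TERM), ("temporary", TEMPORARY)):
        print(name, hdrs["authorization"])
```

The Authorization header names the key id in clear and the scope the signature is valid for; IAM looks up the secret for that key id, recomputes the same HMAC chain and compares. Because x-amz-date is signed, replaying a captured request outside the short clock window fails as well.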
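Added example (not the page's code) of the identity-broker flow in items 2 and 3: the broker authenticates the user against the corporate directory, maps the user's group to an IAM role, builds the STS AssumeRole call it makes with its own long-term credentials (scoped down with a session policy so the user gets only that bucket), and reads the temporary credentials and their expiry out of the STS response. The directory, password, account number, role ARN and the STS response are all constructed; the AssumeRole parameter names and the response XML layout are those of the STS API. The GetFederationToken alternative in item 3 is called the same way with the broker's IAM user credentials and needs a Policy to grant the federated user any permissions; this example takes the AssumeRole path.

```python
import hashlib
import hmac
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Identity store 1: the corporate directory.  A dict stands in for the LDAP bind (constructed).
_ITERATIONS = 100_000
_SALT = b"constructed-per-user-salt"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


DIRECTORY = {
    "alice": {"salt": _SALT, "hash": _pbkdf2("correct horse battery staple", _SALT),
              "groups": ["analysts"]},
}

# Identity store 2: which IAM role each directory group may become (constructed ARNs).
ROLE_FOR_GROUP = {"analysts": "arn:aws:iam::123456789012:role/AnalystReadOnly"}
BUCKET_FOR_GROUP = {"analysts": "example-reports"}


def authenticate(username: str, password: str):
    """Step 1: check the user against the directory; return the groups or None.
    Unknown users still pay for one hash so timing does not reveal valid names."""
    rec = DIRECTORY.get(username)
    if rec is None:
        _pbkdf2(password, _SALT)
        return None
    if not hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["hash"]):
        return None
    return list(rec["groups"])


def assume_role_params(username: str, groups) -> dict:
    """Step 2: parameters of the STS AssumeRole call the broker makes.  The optional
    Policy can only narrow the role's permissions, so the session is limited to the
    group's bucket even if the role itself allows more."""
    group = next(g for g in groups if g in ROLE_FOR_GROUP)
    bucket = BUCKET_FOR_GROUP[group]
    session_policy = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}],
    }
    session_name = f"broker-{username}"  # appears in CloudTrail for every call the user makes
    if not re.fullmatch(r"[A-Za-z0-9+=,.@_-]{2,64}", session_name):
        raise ValueError("user name is not usable as a RoleSessionName")
    return {
        "Action": "AssumeRole",
        "Version": "2011-06-15",
        "RoleArn": ROLE_FOR_GROUP[group],
        "RoleSessionName": session_name,
        "DurationSeconds": "3600",
        "Policy": json.dumps(session_policy, separators=(",", ":")),
    }


_STS_NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}


def parse_credentials(xml_text: str) -> dict:
    """Step 3: read the temporary credentials out of the AssumeRole response.
    All three values plus the expiry are needed to act as the role."""
    creds = ET.fromstring(xml_text).find("sts:AssumeRoleResult/sts:Credentials", _STS_NS)

    def text(tag):
        return creds.find(f"sts:{tag}", _STS_NS).text

    return {
        "AccessKeyId": text("AccessKeyId"),
        "SecretAccessKey": text("SecretAccessKey"),
        "SessionToken": text("SessionToken"),
        "Expiration": datetime.strptime(text("Expiration"), "%Y-%m-%dT%H:%M:%SZ")
                              .replace(tzinfo=timezone.utc),
    }


def credentials_usable(creds: dict, now: datetime) -> bool:
    """Temporary credentials stop working at Expiration; re-assume the role before then."""
    return now < creds["Expiration"]


# Constructed STS reply in the documented AssumeRole XML layout (not real credentials).
SAMPLE_STS_RESPONSE = """<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleResult>
    <Credentials>
      <AccessKeyId>ASIAIOSFODNN7EXAMPLE</AccessKeyId>
      <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</SecretAccessKey>
      <SessionToken>FQoGZXIvYXdzEXAMPLEsessionTOKEN</SessionToken>
      <Expiration>2016-03-15T12:00:00Z</Expiration>
    </Credentials>
    <AssumedRoleUser>
      <Arn>arn:aws:sts::123456789012:assumed-role/AnalystReadOnly/broker-alice</Arn>
      <AssumedRoleId>AROACONSTRUCTEDID:broker-alice</AssumedRoleId>
    </AssumedRoleUser>
  </AssumeRoleResult>
</AssumeRoleResponse>"""

if __name__ == "__main__":
    groups = authenticate("alice", "correct horse battery staple")
    print(assume_role_params("alice", groups))          # what the broker sends to STS
    print(parse_credentials(SAMPLE_STS_RESPONSE))       # what it hands to the user
```

The user never sees the broker's own IAM credentials, only the short-lived triple from STS, and the session policy plus the role's trust policy (which must name the broker's principal) are the two places to enforce least privilege in this design.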
Copyright 2005-2016 KnowledgeHills.