IAM authenticates a principal (human or application) using one the following three ways:
Password policy ensures complexity and duration of password
MFA enables multi factor authentication
Access Key is a combination of 20 char Access Key Id and 40 char Secret Access Key
Using Access Key, an application can interact with AWS SDK/API via IAM
aws config cli command can store access key id and secret access key
For security purposes you need to rotate keys from time to time
Access Key/Session Token
Process can assume a role and a temp security token is obtained by the process from IAM STS
Security token contains Access Key (Access Key Id/Secret Access Key combo) and a session token
Calls to SDK API must be passed with both the above values to access AWS resource
Security Token Service (STS) grants users temporary access to resources on AWS. There are three types of users
Federation users such as active directory or any other LDAP based directory service users
Federation with well known services such as Google/FB/Twitter users
Users from another AWS account
Identity broker is a service that can take identity from Identity Store/Pool 1 and join (federate) it with Identity Store/Pool 2
In a typical scenarios, a user logs into a website with id/pwd
Identity broker then calls LDAP first and authenticates the user
Then identity broker talks to AWS STS to get authenticated and get security token to access AWS services (like S3)
Or alternatively it can request IAM role and assume that role to authenticate with STS and then get access permissions to talk to S3
Active Directory users can access AWS using SAML (Security Assertive Markup Language). AD Connector is designed to give you an easy way to establish a trusted relationship between your Active Directory and AWS. When AD Connector is configured, the trust allows you to:
Sign in to AWS applications such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail by using your Active Directory credentials.
Seamlessly join Windows instances to your Active Directory domain either through the Amazon EC2 launch wizard or programmatically through the EC2 Simple System Manager (SSM) API.
Provide federated sign-in to the AWS Management Console by mapping Active Directory identities to AWS Identity and Access Management (IAM) roles.
Credentials that are created by using account credentials can range from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1 hour), with a default of 1 hour.
The GetSessionToken action must be called by using the long-term AWS security credentials of the AWS account or an IAM user. Credentials that are created by IAM users are valid for the duration that you specify, from 900 seconds (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default of 43200 seconds (12 hours)