
IAM Instance Profiles

Definition
Instance Profile: A container for an IAM role that passes the role to an EC2 instance at launch (or to a running instance via associate-iam-instance-profile). Software on the instance then fetches the role's temporary credentials from the instance metadata service (IMDS) instead of storing long-term access keys.
Characteristics
Single Role Assignment: Each instance profile can contain only one IAM role; adding a second one fails with LimitExceeded.
Role Reusability: A role can be included in multiple instance profiles.
Console vs. CLI: Creating an EC2 role in the console also creates an instance profile of the same name; with the CLI or API the profile must be created and the role added explicitly.
Credential Exposure: Any process on the instance that can reach IMDS can use the role, so require IMDSv2 (--metadata-options HttpTokens=required) and keep the role's permissions minimal.
AWS CLI Commands
Create: aws iam create-instance-profile --instance-profile-name NAME
Add Role: aws iam add-role-to-instance-profile --instance-profile-name NAME --role-name ROLE
Attach to Instance: aws ec2 associate-iam-instance-profile --instance-id ID --iam-instance-profile Name=NAME (or pass --iam-instance-profile Name=NAME to run-instances)
List: aws iam list-instance-profiles, aws iam list-instance-profiles-for-role --role-name ROLE
Get Information: aws iam get-instance-profile --instance-profile-name NAME
Remove Role: aws iam remove-role-from-instance-profile --instance-profile-name NAME --role-name ROLE
Delete: aws iam delete-instance-profile --instance-profile-name NAME (fails with DeleteConflict while a role is still in the profile; detach it from running instances first, or applications on them lose their credentials)
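The CLI sequence above, driven from boto3 and followed by the check a practitioner runs on the instance afterwards. This is an added example, not code from the page; the role, profile and policy names are placeholders, and it assumes boto3 with IAM-capable credentials for the provisioning part (the identity check itself runs offline).

```python
"""Create a role plus instance profile for EC2, and verify an instance uses it.

Added example; not from the page. ROLE_NAME, PROFILE_NAME and POLICY_ARN are
placeholder assumptions, and boto3 is assumed to be installed and configured.
"""
import json
import re

# Trust policy: only the EC2 service may assume this role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Assumed-role session ARN returned by sts:GetCallerIdentity on an instance:
#   arn:aws:sts::<account>:assumed-role/<role-name>/<instance-id>
_ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>[^/]+)$"
)


def provision_instance_profile(iam, role_name, profile_name, policy_arn):
    """boto3 equivalent of create-role -> create-instance-profile ->
    add-role-to-instance-profile -> attach-role-policy.

    `iam` is a boto3 IAM client. Returns the instance profile ARN."""
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY),
        Description="Role delivered to EC2 through an instance profile",
    )
    profile = iam.create_instance_profile(InstanceProfileName=profile_name)
    # One role per profile: a second add_role_to_instance_profile fails with LimitExceeded.
    iam.add_role_to_instance_profile(InstanceProfileName=profile_name, RoleName=role_name)
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    # The new profile is eventually consistent; wait a few seconds before
    # using it in run-instances or associate-iam-instance-profile.
    return profile["InstanceProfile"]["Arn"]


def check_instance_identity(caller_arn, expected_role, instance_id=None):
    """True if a GetCallerIdentity ARN is a session of the expected role.

    On EC2 the session name is the instance ID, so passing instance_id
    confirms the credentials were issued to this instance's own profile."""
    m = _ASSUMED_ROLE_RE.match(caller_arn)
    if not m or m.group("role") != expected_role:
        return False
    return instance_id is None or m.group("session") == instance_id


def verify_on_instance(expected_role):
    """Run on the instance itself: its credentials come from IMDS, so the
    caller identity must be an assumed-role session of the profile's role."""
    import boto3  # assumed available on the instance
    ident = boto3.client("sts").get_caller_identity()
    return check_instance_identity(ident["Arn"], expected_role)


if __name__ == "__main__":
    import boto3  # assumed available

    ROLE_NAME, PROFILE_NAME = "AppServerRole", "AppServerProfile"   # assumptions
    POLICY_ARN = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"   # assumption
    arn = provision_instance_profile(boto3.client("iam"), ROLE_NAME, PROFILE_NAME, POLICY_ARN)
    print("instance profile:", arn)
    print("next: aws ec2 associate-iam-instance-profile --instance-id <id> "
          f"--iam-instance-profile Name={PROFILE_NAME}; then run verify_on_instance on the box")
```

check_instance_identity is the piece worth keeping around: an ARN of the form arn:aws:iam::…:user/… coming out of an instance means someone baked long-term keys into the image, which is exactly what the instance profile was supposed to remove.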

AWS Security Token Service (STS)

Overview
Purpose: Issues temporary, limited-privilege credentials for IAM users, IAM roles, and federated users.
Availability: Global service. The default endpoint, https://sts.amazonaws.com, is served from us-east-1.
Optional Regional Endpoints: Requests can go to sts.<region>.amazonaws.com to reduce latency and to avoid depending on a single region. Regional endpoints can be disabled per region in the IAM account settings; AWS CLI v2 and current SDKs use the regional endpoint by default.
Credentials Characteristics
Temporary: Lifetime is set per request, from 15 minutes up to 36 hours for GetSessionToken and GetFederationToken (1 hour when called by the root user), and up to the role's MaxSessionDuration (1 to 12 hours) for AssumeRole; role chaining is capped at 1 hour.
Dynamic Generation: Generated on demand and not stored with the user. Each set consists of an access key ID, a secret access key and a session token, and all three must be presented together.
Expiration: After expiry, AWS rejects the credentials. They cannot be revoked individually before that; to cut off a role's sessions early, attach a deny policy conditioned on aws:TokenIssueTime (the console's "Revoke active sessions").
Advantages
Distribution Elimination: No need to distribute or embed long-term AWS security credentials in applications.
Flexible Access: Provides access to AWS resources without creating an IAM identity for each user.
Lifecycle Management: Credentials expire on their own, so there is no key rotation and little need for explicit revocation.
API Actions
Requesting Session Token:
AssumeRole – can be called by any IAM principal (an IAM user or an existing role session, including one in another account) but not by the account root user; the role's trust policy must allow the caller. Supports MFA via SerialNumber and TokenCode when the trust policy demands it, and ExternalId for third-party access.
AssumeRoleWithSAML – can be called without AWS credentials by anyone who presents a SAML 2.0 assertion signed by an identity provider registered in IAM; the assertion is mapped to a role.
AssumeRoleWithWebIdentity – can be called without AWS credentials by anyone who presents a web identity (OIDC) token from a trusted provider such as Login with Amazon, Facebook, Google, or Amazon Cognito.
GetSessionToken – can be called by an IAM user or the account root user, only with long-term credentials (not with temporary ones); its main use is obtaining an MFA-authenticated session that may then call APIs whose policies require MFA.
GetFederationToken – can be called by an IAM user or the account root user, only with long-term credentials; the resulting permissions are the intersection of the caller's identity policies and the session policy passed in the request. Typically used by an identity broker acting for many end users.
Identity Federation
Federation with a Corporate Directory: A SAML 2.0 identity provider (for example AD FS) authenticates the user against LDAP/Active Directory and issues an assertion that AssumeRoleWithSAML exchanges for temporary credentials.
Federation with Mobile Apps: Uses web identity (OIDC) providers such as Login with Amazon, Facebook, Google, or Amazon Cognito, exchanged through AssumeRoleWithWebIdentity.
Cross-Account Access: Enables users from one AWS account to assume a role in another.
Usage Scenarios
Identity Broker Integration: A broker service sits between the corporate directory (LDAP) and AWS STS and hands out temporary credentials to applications on the user's behalf.
Scenario 1: The broker authenticates the user against LDAP, then calls GetFederationToken with its own long-term IAM user credentials, passing a session policy that scopes the result to what that user is allowed to do.
Scenario 2: The broker authenticates the user against LDAP, looks up the IAM role mapped to the user's group, and calls AssumeRole for that role; the broker's own permissions then only need sts:AssumeRole on the mapped roles.
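The two broker scenarios side by side, covering both the API-action list and the usage scenarios above. This is an added example, not code from the page: the directory, password, group-to-role mapping, account ID and session policy are constructed placeholders, and DryRunSts is a constructed stand-in for boto3's STS client so the flow runs offline; in a real broker you pass boto3.client("sts") instead.

```python
"""Identity broker: directory-authenticated user -> temporary AWS credentials.

Added example, not from the page. DIRECTORY, GROUP_ROLES, the account ID and
GROUP_SESSION_POLICIES are constructed placeholders; DryRunSts stands in for
a boto3 STS client so the example runs offline.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the LDAP directory: user -> (password, group).
DIRECTORY = {"alice": ("correct horse battery", "developers")}

# Scenario 2: the directory group selects the IAM role to assume.
GROUP_ROLES = {"developers": "arn:aws:iam::111122223333:role/DevReadOnly"}

# Scenario 1: the broker's own IAM user holds broad permissions and passes a
# session policy per group; the session gets the intersection of the two.
GROUP_SESSION_POLICIES = {
    "developers": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": "*"}],
    }
}

# Documented DurationSeconds limits: action -> caller type -> (min, max).
DURATION_LIMITS = {
    "GetFederationToken": {"user": (900, 129600), "root": (900, 3600)},
    "AssumeRole": {"user": (900, 43200)},  # real cap is the role's MaxSessionDuration
}


def authenticate(user, password):
    """Return the user's group, or raise; same error whatever the cause."""
    entry = DIRECTORY.get(user)
    if entry is None or entry[0] != password:
        raise PermissionError("directory authentication failed")
    return entry[1]


def check_duration(action, seconds, caller="user"):
    """Reject durations STS would refuse, before making the call."""
    lo, hi = DURATION_LIMITS[action][caller]
    if not lo <= seconds <= hi:
        raise ValueError(f"{action}: DurationSeconds {seconds} outside {lo}..{hi}")
    return seconds


def broker_scenario1(sts, user, password, duration=3600):
    """Scenario 1: authenticate, then GetFederationToken with the broker's
    long-term IAM-user credentials; the session policy scopes the result."""
    group = authenticate(user, password)
    resp = sts.get_federation_token(
        Name=user,  # recorded in CloudTrail as the federated user name
        Policy=json.dumps(GROUP_SESSION_POLICIES[group]),
        DurationSeconds=check_duration("GetFederationToken", duration),
    )
    return resp["Credentials"]


def broker_scenario2(sts, user, password, duration=3600):
    """Scenario 2: authenticate, map the group to a role, then AssumeRole."""
    group = authenticate(user, password)
    resp = sts.assume_role(
        RoleArn=GROUP_ROLES[group],
        RoleSessionName=f"broker-{user}",  # becomes part of the assumed-role ARN
        DurationSeconds=check_duration("AssumeRole", duration),
    )
    return resp["Credentials"]


def is_expired(creds, now=None):
    """STS rejects the set once Expiration passes; refresh before then."""
    now = now or datetime.now(timezone.utc)
    return creds["Expiration"] <= now


class DryRunSts:
    """Constructed stand-in for boto3.client("sts"): records each request and
    returns synthetic credentials shaped like the real response."""

    def __init__(self):
        self.calls = []

    def _creds(self, seconds):
        return {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                "SessionToken": "token",
                "Expiration": datetime.now(timezone.utc) + timedelta(seconds=seconds)}

    def get_federation_token(self, **kw):
        self.calls.append(("GetFederationToken", kw))
        return {"Credentials": self._creds(kw["DurationSeconds"])}

    def assume_role(self, **kw):
        self.calls.append(("AssumeRole", kw))
        return {"Credentials": self._creds(kw["DurationSeconds"])}


if __name__ == "__main__":
    sts = DryRunSts()  # replace with boto3.client("sts") for a real broker
    creds = broker_scenario2(sts, "alice", "correct horse battery")
    print(sts.calls[-1][0], "session expired:", is_expired(creds))
```

The practical difference is blast radius: in scenario 1 the broker's IAM user must itself hold every permission any end user might need, and a leaked broker key is that whole superset, whereas in scenario 2 the broker only needs sts:AssumeRole on the mapped roles and each session shows the role and session name in CloudTrail.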

Cross Account Access

Overview
Use Case: Useful where an AWS customer keeps separate AWS accounts, for example for development and production resources.
Benefits: Improves productivity in a multi-account environment by letting users switch roles within the AWS Management Console instead of juggling separate credentials.
Console Sign-In
Single Sign-In: Sign in once to the AWS Management Console with your IAM user credentials.
Role Switching: Use "Switch Role" (target account ID plus role name) to manage another account without re-entering credentials; the target role's trust policy must allow your account, and your own identity policy must allow sts:AssumeRole on that role.
Resource Access
Inter-Account Resource Access: A principal in one AWS account can act on resources in another only if both sides allow it. Two mechanisms exist, and either one is sufficient:
Resource-Based Policy: The resource in the target account carries a policy naming the source account or principal (supported by services such as S3, KMS, SQS, SNS and Lambda), and the caller's identity policy in the source account also allows the action. No role switch is needed and the caller keeps its own identity.
Role Assumption: The caller assumes a role in the target account whose trust policy names the source account and whose identity-based policies grant the required permissions; the caller then acts as that role, which works for every service. When a third party will assume the role, add an ExternalId condition to the trust policy.
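Both mechanisms as policy documents, plus a check of who a given trust policy actually admits. This is an added example, not code from the page; the account IDs, role and bucket names and the ExternalId value are constructed placeholders, and trust_policy_admits is a deliberately small evaluator for the policy shapes built here, not a reimplementation of IAM's full evaluation logic.

```python
"""Cross-account access: role trust policy (with ExternalId and MFA
conditions), the S3 resource-policy alternative, and a small evaluator of
whom the trust policy admits.

Added example, not from the page. Account IDs, names and the ExternalId are
constructed placeholders; `sts` in assume_cross_account is a boto3 STS client.
"""
import re

TRUSTED_ACCOUNT = "222233334444"   # account whose principals may assume the role
TARGET_ACCOUNT = "111122223333"    # account that owns the role and the bucket


def cross_account_trust_policy(trusted_account, external_id=None, require_mfa=False):
    """Trust policy for a role in the target account. Naming the trusted
    account's root ARN delegates to any principal in that account whose own
    identity policy allows sts:AssumeRole on this role."""
    conditions = {}
    if external_id:
        # Defeats the confused-deputy problem when a third party assumes the role.
        conditions["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        conditions["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole"}
    if conditions:
        stmt["Condition"] = conditions
    return {"Version": "2012-10-17", "Statement": [stmt]}


def bucket_policy_for_account(bucket, account):
    """Resource-based alternative: no role switch, but the caller's identity
    policy in `account` must also allow these S3 actions."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }]}


# IAM users, roles and STS assumed-role sessions all carry the account ID here.
_ACCOUNT_RE = re.compile(r"^arn:aws:(iam|sts)::(\d{12}):")


def trust_policy_admits(policy, caller_arn, external_id=None, mfa=False):
    """Evaluate one AssumeRole request against the policy shapes above:
    account-root principals, sts:ExternalId and the MFA flag. Evaluator for
    this example only; real IAM evaluation has many more cases."""
    m = _ACCOUNT_RE.match(caller_arn)
    if not m:
        return False
    caller_account = m.group(2)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        principals = stmt["Principal"].get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if f"arn:aws:iam::{caller_account}:root" not in principals:
            continue
        cond = stmt.get("Condition", {})
        want_ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if want_ext is not None and external_id != want_ext:
            continue
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa:
            continue
        return True
    return False


def assume_cross_account(sts, role_arn, external_id=None):
    """Caller side, in the trusted account: sts is a boto3 STS client."""
    kwargs = {"RoleArn": role_arn, "RoleSessionName": "cross-account-session"}
    if external_id:
        kwargs["ExternalId"] = external_id
    return sts.assume_role(**kwargs)["Credentials"]


if __name__ == "__main__":
    import json
    policy = cross_account_trust_policy(TRUSTED_ACCOUNT, external_id="acme-7f3a", require_mfa=True)
    print(json.dumps(policy, indent=2))
    # Equivalent CLI, run in the target account and then in the trusted account:
    #   aws iam create-role --role-name CrossAccountReader --assume-role-policy-document file://trust.json
    #   aws sts assume-role --role-arn arn:aws:iam::111122223333:role/CrossAccountReader \
    #       --role-session-name test --external-id acme-7f3a
```

Note what the root-ARN principal means in practice: the target account is delegating to the trusted account's administrators, since any user or role there that is granted sts:AssumeRole on the ARN can use it. Where that is too broad, name specific role or user ARNs in Principal instead.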