IAM Authentication

1. s

1. IAM authenticates a principal (human or application) using one the following three ways:
   1. UserId/Password
      1. Password policy ensures complexity and duration of password
      2. MFA enables multi factor authentication
   2. Access Key
      1. Access Key is a combination of 20 char Access Key Id and 40 char Secret Access Key
      2. Using Access Key, an application can interact with AWS SDK/API via IAM
      3. aws config cli command can store access key id and secret access key
      4. For security purposes you need to rotate keys from time to time
   3. Access Key/Session Token
      1. Process can assume a role and a temp security token is obtained by the process from IAM STS
      2. Security token contains Access Key (Access Key Id/Secret Access Key combo) and a session token
      3. Calls to SDK API must be passed with both the above values to access AWS resource
      4. Security Token Service (STS) grants users temporary access to resources on AWS. There are three types of users
         1. Federation users such as active directory or any other LDAP based directory service users
         2. Federation with well known services such as Google/FB/Twitter users
         3. Users from another AWS account
      5. Identity broker is a service that can take identity from Identity Store/Pool 1 and join (federate) it with Identity Store/Pool 2
         1. In a typical scenarios, a user logs into a website with id/pwd
         2. Identity broker then calls LDAP first and authenticates the user
            1. Then identity broker talks to AWS STS to get authenticated and get security token to access AWS services (like S3)
            2. Or alternatively it can request IAM role and assume that role to authenticate with STS and then get access permissions to talk to S3
      6. Active Directory users can access AWS using SAML (Security Assertive Markup Language). AD Connector is designed to give you an easy way to establish a trusted relationship between your Active Directory and AWS. When AD Connector is configured, the trust allows you to:
         1. Sign in to AWS applications such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail by using your Active Directory credentials.
         2. Seamlessly join Windows instances to your Active Directory domain either through the Amazon EC2 launch wizard or programmatically through the EC2 Simple System Manager (SSM) API.
         3. Provide federated sign-in to the AWS Management Console by mapping Active Directory identities to AWS Identity and Access Management (IAM) roles.
2. Credentials that are created by using account credentials can range from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1 hour), with a default of 1 hour.
3. The GetSessionToken action must be called by using the long-term AWS security credentials of the AWS account or an IAM user. Credentials that are created by IAM users are valid for the duration that you specify, from 900 seconds (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default of 43200 seconds (12 hours)