A guide on Aws Security Token Service
blazeclantechnologies
18,390 views
30 slides
May 24, 2013
Slide 1 of 30
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
About This Presentation
A service provided by AWS to enhance the Security Measures for your resources (STS - Security Token Service )
Slide Content
Security Token Service (AWS STS)
1
~ KaushikMohanraj
1
~ KaushikMohanraj
Blazeclan
Agenda
Cloud IT Better2
•What is STS and what it has to offer…
•Recap on AWS IAM as prerequisite
•Why STS ????
•Brief information on its Details
•Use cases
Agenda
Cloud IT Better2
•What is STS and what it has to offer…
•Recap on AWS IAM as prerequisite
•Why STS ????
•Brief information on its Details
•Use cases
Blazeclan
What is STS ??
Cloud IT Better3
•AWS STS : Security Token Service
•The AWS Security Token Service is a web service that enables you to request
temporary, limited-privilege credentials for AWS Identity and Access Management
(IAM) users or for users that you authenticate (federated users).
What is STS ??
Cloud IT Better3
•AWS STS : Security Token Service
•The AWS Security Token Service is a web service that enables you to request
temporary, limited-privilege credentials for AWS Identity and Access Management
(IAM) users or for users that you authenticate (federated users).
Blazeclan
And what was IAM …???
Cloud IT Better4
•AWS Identity and Access Management (IAM) enables you to securely control
accessto AWS services and resources for your users.
•IAM enables you to create and manage users in AWS and access AWS
resources.
•IAM offers greater security, flexibility, and control when using AWS.
•IAM enables you to:
Manage IAM users and their access
Manage access for federated users
And what was IAM …???
Cloud IT Better4
•AWS Identity and Access Management (IAM) enables you to securely control
accessto AWS services and resources for your users.
•IAM enables you to create and manage users in AWS and access AWS
resources.
•IAM offers greater security, flexibility, and control when using AWS.
•IAM enables you to:
Manage IAM users and their access
Manage access for federated users
Blazeclan
A brush up on IAM Role, IAM User and IAM Group is…
Cloud IT Better5
•IAM User:
A user is an individual, system, or application that interacts with AWS
programmatically
•IAM Group:
A group is a collection of users. Groups don't directly interact with AWS; only
users do
•IAM Role:
A role is an entity that has a set of permissions, and that another entity assumes
to make calls to access your AWS resources.
GET http://169.254.169.254/latest/meta-data/iam/security-credentials/[role]
A brush up on IAM Role, IAM User and IAM Group is…
Cloud IT Better5
•IAM User:
A user is an individual, system, or application that interacts with AWS
programmatically
•IAM Group:
A group is a collection of users. Groups don't directly interact with AWS; only
users do
•IAM Role:
A role is an entity that has a set of permissions, and that another entity assumes
to make calls to access your AWS resources.
GET http://169.254.169.254/latest/meta-data/iam/security-credentials/[role]
Blazeclan
Why STS…
When requested for Access through an STS API call it would typically return
Temporary Security credentials consisting of :
•Security Token
•An Access Key ID
•A Secret Access Key
Cloud IT Better6
•The access Key ID & Secret Access Key generated with the token cannot be used
without the token.
•There are No limits on the number of “Sets” that we can create.
•STS service is designed to have limited access on a couple of Services.(Link)
Why STS…
When requested for Access through an STS API call it would typically return
Temporary Security credentials consisting of :
•Security Token
•An Access Key ID
•A Secret Access Key
Cloud IT Better6
•The access Key ID & Secret Access Key generated with the token cannot be used
without the token.
•There are No limits on the number of “Sets” that we can create.
•STS service is designed to have limited access on a couple of Services.(Link)
Blazeclan
Ways to Access STS
•API Calls
•AWS offers SDK’s for selected languages, namely
•Java
•PHP
•.Net
•Ruby
Cloud IT Better7
Link for any further
reference
Ways to Access STS
•API Calls
•AWS offers SDK’s for selected languages, namely
•Java
•PHP
•.Net
•Ruby
Cloud IT Better7
Link for any further
reference
Blazeclan
Types of User for whom you would Enable Access..
•Enable Access for IAM Users
•Enable Access for Federated Users
•Delegating API Access to Services
Cloud IT Better8
Types of User for whom you would Enable Access..
•Enable Access for IAM Users
•Enable Access for Federated Users
•Delegating API Access to Services
Cloud IT Better8
Blazeclan
Creating Temporary Security Credentials to Enable Access for
IAM Users
•IAM users can use the AWS Security Token Service
GetSessionTokenAPI action to create temporary security
credentials for themselves
Cloud IT Better9
Example Request:
https://sts.amazonaws.com/
?Version=2011-06-15
&Action=GetSessionToken
&DurationSeconds=3600
&AUTHPARAMS
Action
Validity
Creating Temporary Security Credentials to Enable Access for
IAM Users
•IAM users can use the AWS Security Token Service
GetSessionTokenAPI action to create temporary security
credentials for themselves
Cloud IT Better9
Example Request:
https://sts.amazonaws.com/
?Version=2011-06-15
&Action=GetSessionToken
&DurationSeconds=3600
&AUTHPARAMS
Action
Validity
Blazeclan
GetSessionTokenRequest Description
•Request Parameters
•DurationSeconds
•SerialNumber
•The identification number of the MFA device for
the user.
•TokenCode
•The value provided by the MFA device.
(Non of them are mandatory)
Cloud IT Better10
Note: You can specify the duration of the temporary security credentials to be from 15
minutesto 36 hours. By default, the credentials are valid for 12 hours.
Linkfor further Details
GetSessionTokenRequest Description
•Request Parameters
•DurationSeconds
•SerialNumber
•The identification number of the MFA device for
the user.
•TokenCode
•The value provided by the MFA device.
(Non of them are mandatory)
Cloud IT Better10
Note: You can specify the duration of the temporary security credentials to be from 15
minutesto 36 hours. By default, the credentials are valid for 12 hours.
Linkfor further Details
Blazeclan
Continued….
Cloud IT Better11
Expiration Time
Secret Access Key
Access Key ID
Continued….
Cloud IT Better11
Expiration Time
Secret Access Key
Access Key ID
Blazeclan
You Still think you account would be compromised ??
Temporary Security Credentials for IAM Users with Multi-Factor
Authentication (MFA)
•The following is an example of aGetSessionTokenrequest with an MFA verification
code and device serial number using the STS Query API.
Cloud IT Better12
You Still think you account would be compromised ??
Temporary Security Credentials for IAM Users with Multi-Factor
Authentication (MFA)
•The following is an example of aGetSessionTokenrequest with an MFA verification
code and device serial number using the STS Query API.
Cloud IT Better12
Blazeclan
Creating Temporary Security Credentials to Enable Access for
Federated Users
So who is a Federated User ?
A Non-AWS user whose identity can be authenticated.
Cloud IT Better13
Creating Temporary Security Credentials to Enable Access for
Federated Users
So who is a Federated User ?
A Non-AWS user whose identity can be authenticated.
Cloud IT Better13
Blazeclan Cloud IT Better14
Creating Temporary Security Credentials to Enable Access for
Federated Users
Grant temporary access to a non-AWS user whose identity you
can authenticate (a federated user) use the AWS
STSGetFederationTokenaction
Action
Validity
Authentication From the Identity Broker
Creating Temporary Security Credentials to Enable Access for
Federated Users
Grant temporary access to a non-AWS user whose identity you
can authenticate (a federated user) use the AWS
STSGetFederationTokenaction
Action
Validity
Authentication From the Identity Broker
Blazeclan
GetFederationTokenRequest Description
•Request Parameters
•DurationSeconds–
(Optional)
•Name –(Mandatory)
•Policy –(Optional)
Cloud IT Better15
Note: You can specify the duration of the temporary security credentials to be from 15 minutesto 36
hours. By default, the credentials are valid for 12 hours only if created by IAM USERs; credentials
created using account credentials have a maximum duration of one hour.
Linkfor further Details
GetFederationTokenRequest Description
•Request Parameters
•DurationSeconds–
(Optional)
•Name –(Mandatory)
•Policy –(Optional)
Cloud IT Better15
Note: You can specify the duration of the temporary security credentials to be from 15 minutesto 36
hours. By default, the credentials are valid for 12 hours only if created by IAM USERs; credentials
created using account credentials have a maximum duration of one hour.
Linkfor further Details
Blazeclan
Continued…..
Cloud IT Better16
Expiration Time
Secret Access Key
Access Key ID
Federated User ID
Continued…..
Cloud IT Better16
Expiration Time
Secret Access Key
Access Key ID
Federated User ID
Blazeclan
GetFederationTokenResponse Description
•Response Parameters
•Credentials
•FederatedUser
•Identifiers for the federated user associated with the
credentials. You can use the federated user's ARN in your
resource policies.
•PackedPolicySize
•A percentage value indicating the size of the policy in packed
form. Policies for which the packed size is greater than 100%
of the allowed value are rejected by the service.
Cloud IT Better17
GetFederationTokenResponse Description
•Response Parameters
•Credentials
•FederatedUser
•Identifiers for the federated user associated with the
credentials. You can use the federated user's ARN in your
resource policies.
•PackedPolicySize
•A percentage value indicating the size of the policy in packed
form. Policies for which the packed size is greater than 100%
of the allowed value are rejected by the service.
Cloud IT Better17
Blazeclan
Creating Temporary Security Credentials for Delegating API
Access
•We Know that we can delegate access to our AWS resources by
using IAM roles.
•IAM roles allow you to establish trusted relationships with other
AWS accounts (trusted entities)
•IAM users from trusted entities can use the AWS Security Token
ServiceAssumeRoleaction to obtain temporary security
credentials
•With the temporary security credentials, callers are granted the
permissions that are defined in the role.(only)
Note: You can specify the duration of the temporary security credentials to be from 15
minutesto one hour. By default, the credentials are valid for one hour.
Linkfor further Details
Cloud IT Better18
Creating Temporary Security Credentials for Delegating API
Access
•We Know that we can delegate access to our AWS resources by
using IAM roles.
•IAM roles allow you to establish trusted relationships with other
AWS accounts (trusted entities)
•IAM users from trusted entities can use the AWS Security Token
ServiceAssumeRoleaction to obtain temporary security
credentials
•With the temporary security credentials, callers are granted the
permissions that are defined in the role.(only)
Note: You can specify the duration of the temporary security credentials to be from 15
minutesto one hour. By default, the credentials are valid for one hour.
Linkfor further Details
Cloud IT Better18
Blazeclan
Continued…
Cloud IT Better19
Requirements for assuming a role
To assume a role, the caller must meet the following
requirements:
•The caller must have permission to callAssumeRolefor the
specific role.
•The role defines the caller's AWS account ID as a trusted entity.
•The caller must use IAM user credentials to assume a role.
•If the role has an external ID defined, the caller must pass that
external ID when calling AssumeRole
Continued…
Cloud IT Better19
Requirements for assuming a role
To assume a role, the caller must meet the following
requirements:
•The caller must have permission to callAssumeRolefor the
specific role.
•The role defines the caller's AWS account ID as a trusted entity.
•The caller must use IAM user credentials to assume a role.
•If the role has an external ID defined, the caller must pass that
external ID when calling AssumeRole
Blazeclan
External ID (Use-case Specific)
Cloud IT Better20
•Anexternal IDis an additional piece of information that you can
specify when assuming an IAM role.
•As a third party, you might have multiple customers who use your
service to access or manage their AWS resources. You assign an
external ID that is associated with each customer. Customers
include this ID when they create a role that you can assume.
•Then each time you assume a role, you include the external ID as
part of the request.
•The external ID can be any identifier that is used to identify each
customer (it doesn't have to be a secret value). The only
requirement is that the external ID must be unique for each
customer.
External ID (Use-case Specific)
Cloud IT Better20
•Anexternal IDis an additional piece of information that you can
specify when assuming an IAM role.
•As a third party, you might have multiple customers who use your
service to access or manage their AWS resources. You assign an
external ID that is associated with each customer. Customers
include this ID when they create a role that you can assume.
•Then each time you assume a role, you include the external ID as
part of the request.
•The external ID can be any identifier that is used to identify each
customer (it doesn't have to be a secret value). The only
requirement is that the external ID must be unique for each
customer.
Blazeclan
AssumeRoleRequest Description
Cloud IT Better21
Action
Validity
External ID
AssumeRoleRequest Description
Cloud IT Better21
Action
Validity
External ID
Blazeclan
AssumeRoleRequest Description
Request Parameters
•DurationSeconds–(Optional)
•ExternalId–(Optional)
•Policy –(Optional)
•RoleArn–(Mandatory)
•The ARN of the role that the caller is assuming.
•RoleSessionName–(Mandatory)
•An identifier for the assumed role session. The session name is
included as part of the AssumedRoleUser
Cloud IT Better22
AssumeRoleRequest Description
Request Parameters
•DurationSeconds–(Optional)
•ExternalId–(Optional)
•Policy –(Optional)
•RoleArn–(Mandatory)
•The ARN of the role that the caller is assuming.
•RoleSessionName–(Mandatory)
•An identifier for the assumed role session. The session name is
included as part of the AssumedRoleUser
Cloud IT Better22
Blazeclan
AssumeRoleResponse Description
Cloud IT Better23
Expiration Time
Packed Policy Size
Assumed Role
ARN
AssumeRoleResponse Description
Cloud IT Better23
Expiration Time
Packed Policy Size
Assumed Role
ARN
Blazeclan
AssumeRoleResponse Description
•Response Parameters
•AssumedRoleUser
•Credentials
•PackedPolicySize
•A percentage value indicating the size of the policy in packed
form. Policies for which the packed size is greater than 100%
of the allowed value are rejected by the service.
Cloud IT Better24
AssumeRoleResponse Description
•Response Parameters
•AssumedRoleUser
•Credentials
•PackedPolicySize
•A percentage value indicating the size of the policy in packed
form. Policies for which the packed size is greater than 100%
of the allowed value are rejected by the service.
Cloud IT Better24
Blazeclan
How Permissions Work ?
Cloud IT Better25
Source : http://docs.aws.amazon.com/STS/latest/UsingSTS/FederationPermissions.html
How Permissions Work ?
Cloud IT Better25
Source : http://docs.aws.amazon.com/STS/latest/UsingSTS/FederationPermissions.html
Blazeclan
Use Cases
Cloud IT Better26
Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html
Use Cases
Cloud IT Better26
Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html
Blazeclan
Use Cases
Cloud IT Better27
Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html
Use Cases
Cloud IT Better27
Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html
Blazeclan
Cross Account Delegation(ClouldlyticsScenario)
Cloud IT Better28
Source : http://docs.aws.amazon.com/IAM/latest/UserGuide/Delegation.html
Cross Account Delegation(ClouldlyticsScenario)
Cloud IT Better28
Source : http://docs.aws.amazon.com/IAM/latest/UserGuide/Delegation.html
Blazeclan
Content References and Suggested Pages:
AWS Documentation -Using Temporary Security Credentials
AWS Documentation -AWS Security Token Service
AWS Documentation -Using Temporary Security Credentials
AWS Documentation -AWS Identity and Access Management
AWS Documentation -Using Temporary Security Credentials
AWS Documentation -AWS Identity and Access Management
Cloud IT Better29
Content References and Suggested Pages:
AWS Documentation -Using Temporary Security Credentials
AWS Documentation -AWS Security Token Service
AWS Documentation -Using Temporary Security Credentials
AWS Documentation -AWS Identity and Access Management
AWS Documentation -Using Temporary Security Credentials
AWS Documentation -AWS Identity and Access Management
Cloud IT Better29
Thank you
Thank You
Thank You
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 18,390
- Slides 30
- Favorites 13
- Age 4578 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
49 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
48 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
37 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
35 views
21
Know for Certain
DaveSinNM
23 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
26 views