A guide on AWS Security Token Service
A service provided by AWS to enhance the security measures for your resources (STS: Security Token Service).

    A guide on AWS Security Token Service - Presentation Transcript

    • Security Token Service (AWS STS) ~ Kaushik Mohanraj (Blazeclan: Cloud IT Better)
    • Agenda
        • What is STS and what it has to offer
        • Recap on AWS IAM as a prerequisite
        • Why STS?
        • Brief information on its details
        • Use cases
    • What is STS?
        • AWS STS: Security Token Service
        • The AWS Security Token Service is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
    • And what was IAM?
        • AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users.
        • IAM enables you to create and manage users in AWS and their access to AWS resources.
        • IAM offers greater security, flexibility, and control when using AWS.
        • IAM enables you to manage IAM users and their access, and to manage access for federated users.
    • A brush-up on IAM Role, IAM User and IAM Group
        • IAM User: a user is an individual, system, or application that interacts with AWS programmatically.
        • IAM Group: a group is a collection of users. Groups don't directly interact with AWS; only users do.
        • IAM Role: a role is an entity that has a set of permissions, and that another entity assumes to make calls to access your AWS resources. (Instance metadata endpoint: GET http://169.254.169.254/latest/meta-data/iam/security-credentials/[role])
    • Why STS?
        • When access is requested through an STS API call, it typically returns temporary security credentials consisting of:
            • a security token
            • an Access Key ID
            • a Secret Access Key
        • The Access Key ID and Secret Access Key generated with the token cannot be used without the token.
        • There are no limits on the number of "sets" that we can create.
        • The STS service is designed to have limited access on a couple of services. (Link)
    • Ways to access STS
        • API calls
        • AWS offers SDKs for selected languages, namely Java, PHP, .Net and Ruby
        • Link for any further reference
    • Types of user for whom you would enable access
        • Enable access for IAM users
        • Enable access for federated users
        • Delegating API access to services
    • Creating temporary security credentials to enable access for IAM users
        • IAM users can use the AWS Security Token Service GetSessionToken API action to create temporary security credentials for themselves.
        • Example request: https://sts.amazonaws.com/?Version=2011-06-15&Action=GetSessionToken&DurationSeconds=3600&AUTHPARAMS (screenshot callouts: Action, Validity)
    • GetSessionToken request description
        • Request parameters (none of them is mandatory):
            • DurationSeconds
            • SerialNumber: the identification number of the MFA device for the user.
            • TokenCode: the value provided by the MFA device.
        • Note: you can specify the duration of the temporary security credentials to be from 15 minutes to 36 hours. By default, the credentials are valid for 12 hours. Link for further details
    • Continued (response screenshot callouts: Expiration Time, Secret Access Key, Access Key ID)
    • You still think your account would be compromised? Temporary security credentials for IAM users with Multi-Factor Authentication (MFA)
        • The following is an example of a GetSessionToken request with an MFA verification code and device serial number using the STS Query API.
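    As an added example (not from the slides), here is a small Python helper that builds the STS Query API request shown above, with and without the MFA parameters, and checks DurationSeconds and the mandatory parameters against the limits the deck states for each action. The endpoint, API version and AUTHPARAMS placeholder are the slides' own; the account ID and MFA device ARN used when calling it are constructed placeholders.

```python
from urllib.parse import urlencode
from typing import Optional

STS_ENDPOINT = "https://sts.amazonaws.com/"
API_VERSION = "2011-06-15"

# DurationSeconds (min, max, default) per action, exactly as the slides state them;
# current AWS limits differ, so treat these as the deck's numbers, not today's.
DURATION_LIMITS = {
    "GetSessionToken":    (15 * 60, 36 * 3600, 12 * 3600),
    "GetFederationToken": (15 * 60, 36 * 3600, 12 * 3600),
    "AssumeRole":         (15 * 60, 1 * 3600, 1 * 3600),
}

# Parameters the slides mark as mandatory for each action.
REQUIRED = {
    "GetSessionToken": (),
    "GetFederationToken": ("Name",),
    "AssumeRole": ("RoleArn", "RoleSessionName"),
}


def duration_ok(action: str, duration: int) -> bool:
    """True when `duration` lies inside the range the slides give for `action`."""
    lo, hi, _ = DURATION_LIMITS[action]
    return lo <= duration <= hi


def build_sts_request(action: str, duration: Optional[int] = None, **params: str) -> str:
    """Build the Query API URL for `action`; AUTHPARAMS stands in for the signature."""
    if action not in DURATION_LIMITS:
        raise ValueError(f"unknown STS action {action!r}")
    if duration is None:
        duration = DURATION_LIMITS[action][2]          # the slides' default validity
    if not duration_ok(action, duration):
        lo, hi, _ = DURATION_LIMITS[action]
        raise ValueError(f"{action}: DurationSeconds {duration} not in {lo}..{hi}")
    missing = [p for p in REQUIRED[action] if p not in params]
    if missing:
        raise ValueError(f"{action}: missing mandatory parameter(s) {missing}")
    # An MFA-backed GetSessionToken needs both the device serial and the current code.
    if ("SerialNumber" in params) != ("TokenCode" in params):
        raise ValueError("SerialNumber and TokenCode must be supplied together")
    query = {"Version": API_VERSION, "Action": action, "DurationSeconds": str(duration)}
    query.update(params)
    return f"{STS_ENDPOINT}?{urlencode(query)}&AUTHPARAMS"


if __name__ == "__main__":
    print(build_sts_request("GetSessionToken", 3600))
```

The plain call reproduces the slide's example URL byte for byte; adding SerialNumber and TokenCode gives the MFA variant the next slide describes.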
    • Creating temporary security credentials to enable access for federated users
        • So who is a federated user? A non-AWS user whose identity can be authenticated.
    • Creating temporary security credentials to enable access for federated users (continued)
        • To grant temporary access to a non-AWS user whose identity you can authenticate (a federated user), use the AWS STS GetFederationToken action. (Screenshot callouts: Action, Validity, Authentication from the identity broker)
    • GetFederationToken request description
        • Request parameters:
            • DurationSeconds (optional)
            • Name (mandatory)
            • Policy (optional)
        • Note: you can specify the duration of the temporary security credentials to be from 15 minutes to 36 hours. By default, the credentials are valid for 12 hours, but only if created by IAM users; credentials created using account credentials have a maximum duration of one hour. Link for further details
    • Continued (response screenshot callouts: Expiration Time, Secret Access Key, Access Key ID, Federated User ID)
    • GetFederationToken response description
        • Response parameters:
            • Credentials
            • FederatedUser: identifiers for the federated user associated with the credentials. You can use the federated user's ARN in your resource policies.
            • PackedPolicySize: a percentage value indicating the size of the policy in packed form. Policies for which the packed size is greater than 100% of the allowed value are rejected by the service.
    • Creating temporary security credentials for delegating API access
        • We know that we can delegate access to our AWS resources by using IAM roles.
        • IAM roles allow you to establish trusted relationships with other AWS accounts (trusted entities).
        • IAM users from trusted entities can use the AWS Security Token Service AssumeRole action to obtain temporary security credentials.
        • With the temporary security credentials, callers are granted only the permissions that are defined in the role.
        • Note: you can specify the duration of the temporary security credentials to be from 15 minutes to one hour. By default, the credentials are valid for one hour. Link for further details
    • Requirements for assuming a role
        • To assume a role, the caller must meet the following requirements:
            • The caller must have permission to call AssumeRole for the specific role.
            • The role defines the caller's AWS account ID as a trusted entity.
            • The caller must use IAM user credentials to assume a role.
            • If the role has an external ID defined, the caller must pass that external ID when calling AssumeRole.
    • External ID (use-case specific)
        • An external ID is an additional piece of information that you can specify when assuming an IAM role.
        • As a third party, you might have multiple customers who use your service to access or manage their AWS resources. You assign an external ID that is associated with each customer. Customers include this ID when they create a role that you can assume.
        • Then, each time you assume a role, you include the external ID as part of the request.
        • The external ID can be any identifier that is used to identify each customer (it doesn't have to be a secret value). The only requirement is that the external ID must be unique for each customer.
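    The four assume-role requirements and the external ID rule above, as an added example that is not from the slides: a Python stand-in that evaluates a constructed Role/Caller pair (hypothetical types, not AWS data structures or API calls) and reports which requirements fail, including the case where one customer's external ID is presented against another customer's role. All account IDs, role ARNs and external IDs are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Role:
    arn: str
    trusted_accounts: Set[str]            # account IDs named as trusted entities
    external_id: Optional[str] = None     # when set, must be echoed in AssumeRole


@dataclass
class Caller:
    account_id: str
    is_iam_user: bool                     # account (root) credentials cannot assume
    allowed_role_arns: Set[str] = field(default_factory=set)  # AssumeRole permission


def assume_role_check(role: Role, caller: Caller, external_id: Optional[str] = None) -> List[str]:
    """Return the unmet requirements for this AssumeRole call; an empty list means allowed."""
    problems = []
    if role.arn not in caller.allowed_role_arns:
        problems.append("caller lacks permission to call AssumeRole for this role")
    if caller.account_id not in role.trusted_accounts:
        problems.append("caller's AWS account is not a trusted entity of the role")
    if not caller.is_iam_user:
        problems.append("caller must use IAM user credentials")
    if role.external_id is not None and external_id != role.external_id:
        problems.append("role defines an external ID and the request did not match it")
    return problems


# Constructed scenario: a third party (account 999999999999) serves two customers, each
# of whom created a role trusting the third party with a customer-specific external ID.
THIRD_PARTY = "999999999999"
CUSTOMER_ROLES = {
    "customer-a": Role("arn:aws:iam::111111111111:role/ThirdPartyAccess", {THIRD_PARTY}, "ext-a-7f3"),
    "customer-b": Role("arn:aws:iam::222222222222:role/ThirdPartyAccess", {THIRD_PARTY}, "ext-b-2c9"),
}
SERVICE_CALLER = Caller(THIRD_PARTY, True, {r.arn for r in CUSTOMER_ROLES.values()})


def access_customer(customer: str, external_id: str) -> List[str]:
    """The third party assumes a customer's role, passing the external ID it holds for them."""
    return assume_role_check(CUSTOMER_ROLES[customer], SERVICE_CALLER, external_id)
```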
    • AssumeRole request description (screenshot callouts: Action, Validity, External ID)
    • AssumeRole request description
        • Request parameters:
            • DurationSeconds (optional)
            • ExternalId (optional)
            • Policy (optional)
            • RoleArn (mandatory): the ARN of the role that the caller is assuming.
            • RoleSessionName (mandatory): an identifier for the assumed role session. The session name is included as part of the AssumedRoleUser.
    • AssumeRole response description (screenshot callouts: Expiration Time, Packed Policy Size, Assumed Role ARN)
    • AssumeRole response description
        • Response parameters:
            • AssumedRoleUser
            • Credentials
            • PackedPolicySize: a percentage value indicating the size of the policy in packed form. Policies for which the packed size is greater than 100% of the allowed value are rejected by the service.
    • How do permissions work? Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/FederationPermissions.html
    • Use cases (two slides). Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html
    • Cross-account delegation (Cloudlytics scenario). Source: http://docs.aws.amazon.com/IAM/latest/UserGuide/Delegation.html
    • Content references and suggested pages:
        • AWS Documentation - Using Temporary Security Credentials
        • AWS Documentation - AWS Security Token Service
        • AWS Documentation - AWS Identity and Access Management
    • Thank you