A guide on Aws Security Token Service

Security Token Service (AWS STS) ~ Kaushik Mohanraj

Description

A service provided by AWS to enhance the security measures for your resources (STS: Security Token Service).

Transcript of A guide on Aws Security Token Service

Page 1: A guide on Aws Security Token Service

Security Token Service (AWS STS)


~ Kaushik Mohanraj

Page 2: A guide on Aws Security Token Service

Blazeclan

Agenda

Cloud IT Better 2

• What is STS and what it has to offer
• Recap on AWS IAM as a prerequisite
• Why STS?
• Brief information on its details
• Use cases

Page 3: A guide on Aws Security Token Service


What is STS?


• AWS STS: Security Token Service
• The AWS Security Token Service is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).

Page 4: A guide on Aws Security Token Service


And what is IAM?


• AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users.
• IAM enables you to create and manage users in AWS and their access to AWS resources.
• IAM offers greater security, flexibility, and control when using AWS.
• IAM enables you to:
  • Manage IAM users and their access
  • Manage access for federated users

Page 5: A guide on Aws Security Token Service


A brush-up on IAM Role, IAM User and IAM Group


• IAM User: a user is an individual, system, or application that interacts with AWS programmatically.
• IAM Group: a group is a collection of users. Groups don't directly interact with AWS; only users do.
• IAM Role: a role is an entity that has a set of permissions, and that another entity assumes to make calls to access your AWS resources. An EC2 instance with a role attached, for example, fetches the role's temporary credentials from the instance metadata service:

GET http://169.254.169.254/latest/meta-data/iam/security-credentials/[role]

Page 6: A guide on Aws Security Token Service


Why STS?

When access is requested through an STS API call, it typically returns temporary security credentials consisting of:

• A security token
• An access key ID
• A secret access key


• The access key ID and secret access key generated with the token cannot be used without the token.
• There is no limit on the number of credential "sets" that we can create.
• STS credentials are not accepted by a couple of AWS services (see the AWS documentation linked from the original slide).

Page 7: A guide on Aws Security Token Service


Ways to Access STS

• API calls
• AWS offers SDKs for selected languages, namely:
  • Java
  • PHP
  • .NET
  • Ruby



Page 8: A guide on Aws Security Token Service


Types of user for whom you would enable access

• Enable access for IAM users
• Enable access for federated users
• Delegating API access to services


Page 9: A guide on Aws Security Token Service


Creating Temporary Security Credentials to Enable Access for IAM Users

• IAM users can use the AWS Security Token Service GetSessionToken API action to create temporary security credentials for themselves.


Example Request:

https://sts.amazonaws.com/
?Version=2011-06-15
&Action=GetSessionToken
&DurationSeconds=3600
&AUTHPARAMS

(Callouts on the slide mark the Action parameter as the action and DurationSeconds as the validity.)

Page 10: A guide on Aws Security Token Service


GetSessionToken Request Description

• Request Parameters
  • DurationSeconds
  • SerialNumber: the identification number of the MFA device for the user.
  • TokenCode: the value provided by the MFA device.
  (None of them are mandatory.)


Note: You can specify the duration of the temporary security credentials to be from 15 minutes to 36 hours. By default, the credentials are valid for 12 hours.


Page 11: A guide on Aws Security Token Service


Continued: the slide shows a sample GetSessionToken response, with callouts marking the Expiration Time, Secret Access Key and Access Key ID fields.

Page 12: A guide on Aws Security Token Service


You still think your account would be compromised?

Temporary Security Credentials for IAM Users with Multi-Factor Authentication (MFA)

• The following is an example of a GetSessionToken request with an MFA verification code and device serial number using the STS Query API.


Page 13: A guide on Aws Security Token Service


Creating Temporary Security Credentials to Enable Access for Federated Users

So who is a federated user? A non-AWS user whose identity can be authenticated.


Page 14: A guide on Aws Security Token Service


Creating Temporary Security Credentials to Enable Access for Federated Users

To grant temporary access to a non-AWS user whose identity you can authenticate (a federated user), use the AWS STS GetFederationToken action.

(Callouts on the slide mark the action, the validity period and the authentication from the identity broker.)

Page 15: A guide on Aws Security Token Service


GetFederationToken Request Description

• Request Parameters
  • DurationSeconds (Optional)
  • Name (Mandatory)
  • Policy (Optional)


Note: You can specify the duration of the temporary security credentials to be from 15 minutes to 36 hours. By default, the credentials are valid for 12 hours, but only if created by IAM users; credentials created using account credentials have a maximum duration of one hour.

Page 16: A guide on Aws Security Token Service


Continued: the slide shows a sample GetFederationToken response, with callouts marking the Expiration Time, Secret Access Key, Access Key ID and Federated User ID fields.

Page 17: A guide on Aws Security Token Service


GetFederationToken Response Description

• Response Parameters
  • Credentials
  • FederatedUser: identifiers for the federated user associated with the credentials. You can use the federated user's ARN in your resource policies.
  • PackedPolicySize: a percentage value indicating the size of the policy in packed form. Policies for which the packed size is greater than 100% of the allowed value are rejected by the service.


Page 18: A guide on Aws Security Token Service


Creating Temporary Security Credentials for Delegating API Access

• We know that we can delegate access to our AWS resources by using IAM roles.
• IAM roles allow you to establish trusted relationships with other AWS accounts (trusted entities).
• IAM users from trusted entities can use the AWS Security Token Service AssumeRole action to obtain temporary security credentials.
• With the temporary security credentials, callers are granted only the permissions that are defined in the role.

Note: You can specify the duration of the temporary security credentials to be from 15 minutes to one hour. By default, the credentials are valid for one hour.


Page 19: A guide on Aws Security Token Service


Continued…


Requirements for assuming a role

To assume a role, the caller must meet the following requirements:

• The caller must have permission to call AssumeRole for the specific role.
• The role defines the caller's AWS account ID as a trusted entity.
• The caller must use IAM user credentials to assume a role.
• If the role has an external ID defined, the caller must pass that external ID when calling AssumeRole.

Page 20: A guide on Aws Security Token Service


External ID (Use-case Specific)


• An external ID is an additional piece of information that you can specify when assuming an IAM role.
• As a third party, you might have multiple customers who use your service to access or manage their AWS resources. You assign an external ID that is associated with each customer. Customers include this ID when they create a role that you can assume.
• Then each time you assume a role, you include the external ID as part of the request.
• The external ID can be any identifier that is used to identify each customer (it doesn't have to be a secret value). The only requirement is that the external ID must be unique for each customer.
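As an added example (not from the deck), a simplified Python check of the two role-assumption rules the deck states, trusted account and external ID, run against a constructed trust policy; the account numbers and the value customer-42 are placeholders, and the check mirrors the deck's rules rather than the full IAM policy evaluator.

```python
import json

# Constructed sample trust policy of a customer's role (placeholder account
# IDs): it trusts the third party's account and requires the agreed external ID.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "customer-42"}}
  }]
}""")


def account_of(arn):
    """The account ID is the fifth colon-separated field of an IAM ARN."""
    return arn.split(":")[4]


def can_assume(policy, caller_arn, external_id=None):
    """Simplified check of the deck's requirements: the caller's account must
    be a trusted entity, and if the role defines an external ID the caller
    must pass exactly that value. Not the full IAM evaluator."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principals = stmt["Principal"].get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if account_of(caller_arn) not in {account_of(p) for p in principals}:
            continue  # caller's account is not a trusted entity for this statement
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue  # wrong or missing external ID: the confused-deputy guard holds
        return True
    return False
```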

Page 21: A guide on Aws Security Token Service


AssumeRole Request Description


(The slide shows a sample AssumeRole request; callouts mark the action, the validity period and the external ID.)

Page 22: A guide on Aws Security Token Service


AssumeRole Request Description

Request Parameters

• DurationSeconds (Optional)
• ExternalId (Optional)
• Policy (Optional)
• RoleArn (Mandatory): the ARN of the role that the caller is assuming.
• RoleSessionName (Mandatory): an identifier for the assumed role session. The session name is included as part of the AssumedRoleUser.
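An added example (not code from the deck): a Python helper that assembles Query API requests of the form shown on the GetSessionToken slide for the three actions the deck covers, enforcing the mandatory parameters from the GetFederationToken and AssumeRole slides and the DurationSeconds ranges as this deck states them (current AWS limits may differ). AUTHPARAMS stays the literal placeholder the deck uses, since signing is a separate step, and any ARN or MFA values passed in are constructed placeholders.

```python
from urllib.parse import urlencode

STS_ENDPOINT = "https://sts.amazonaws.com/"
API_VERSION = "2011-06-15"  # API version used in the deck's example request

# DurationSeconds limits as this deck states them (15 min..36 h for the first
# two actions, 15 min..1 h for AssumeRole); current AWS limits may differ.
DURATION_LIMITS = {
    "GetSessionToken": (900, 129600),
    "GetFederationToken": (900, 129600),
    "AssumeRole": (900, 3600),
}
# Parameters the deck marks as mandatory for each action.
MANDATORY = {
    "GetSessionToken": (),
    "GetFederationToken": ("Name",),
    "AssumeRole": ("RoleArn", "RoleSessionName"),
}
MFA_PAIR = ("SerialNumber", "TokenCode")  # an MFA serial without a code is useless


def build_sts_request(action, **params):
    """Return the unsigned Query API URL for `action`, or raise ValueError.

    AUTHPARAMS is left as the literal placeholder the deck uses: request
    signing is a separate step and is not performed here.
    """
    if action not in DURATION_LIMITS:
        raise ValueError(f"unsupported STS action: {action}")
    missing = [p for p in MANDATORY[action] if not params.get(p)]
    if missing:
        raise ValueError(f"{action} requires {', '.join(missing)}")
    duration = params.get("DurationSeconds")
    lo, hi = DURATION_LIMITS[action]
    if duration is not None and not lo <= int(duration) <= hi:
        raise ValueError(f"DurationSeconds for {action} must be {lo}..{hi}")
    if len([p for p in MFA_PAIR if params.get(p)]) == 1:
        raise ValueError("SerialNumber and TokenCode must be supplied together")
    query = {"Version": API_VERSION, "Action": action}
    query.update({k: v for k, v in params.items() if v is not None})
    return f"{STS_ENDPOINT}?{urlencode(query)}&AUTHPARAMS"
```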


Page 23: A guide on Aws Security Token Service


AssumeRole Response Description


(The slide shows a sample AssumeRole response; callouts mark the Expiration Time, Packed Policy Size and Assumed Role ARN fields.)

Page 24: A guide on Aws Security Token Service


AssumeRole Response Description

• Response Parameters
  • AssumedRoleUser
  • Credentials
  • PackedPolicySize: a percentage value indicating the size of the policy in packed form. Policies for which the packed size is greater than 100% of the allowed value are rejected by the service.
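An added example, not from the deck: parsing the response fields described on the GetFederationToken and AssumeRole response slides out of a constructed AssumeRole response (the key material is a placeholder). The same function handles a GetFederationToken response, since both share the Credentials and PackedPolicySize elements and differ only in the identity element.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}

# Constructed sample AssumeRole response; the key material is a placeholder.
SAMPLE_ASSUME_ROLE = """<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleResult>
    <Credentials>
      <AccessKeyId>ASIAEXAMPLEKEYID</AccessKeyId>
      <SecretAccessKey>EXAMPLE-SECRET-NOT-REAL</SecretAccessKey>
      <SessionToken>EXAMPLE-SESSION-TOKEN</SessionToken>
      <Expiration>2030-01-01T00:00:00Z</Expiration>
    </Credentials>
    <AssumedRoleUser>
      <Arn>arn:aws:sts::123456789012:assumed-role/ExampleRole/audit</Arn>
      <AssumedRoleId>AROAEXAMPLEID:audit</AssumedRoleId>
    </AssumedRoleUser>
    <PackedPolicySize>6</PackedPolicySize>
  </AssumeRoleResult>
</AssumeRoleResponse>"""


def parse_sts_response(xml_text, now=None):
    """Pull the fields the deck describes out of an AssumeRole or
    GetFederationToken response. The three credential parts are returned
    together: the key pair is unusable without the session token."""
    root = ET.fromstring(xml_text)
    # The first child is <AssumeRoleResult> or <GetFederationTokenResult>.
    result = next(child for child in root if child.tag.endswith("Result"))
    creds = result.find("sts:Credentials", NS)

    def text(node, tag):
        return node.findtext(f"sts:{tag}", namespaces=NS)

    expiry = datetime.fromisoformat(text(creds, "Expiration").replace("Z", "+00:00"))
    out = {
        "access_key_id": text(creds, "AccessKeyId"),
        "secret_access_key": text(creds, "SecretAccessKey"),
        "session_token": text(creds, "SessionToken"),
        "expiration": expiry,
        "expired": expiry <= (now or datetime.now(timezone.utc)),  # refresh, don't retry
    }
    # Session identity: AssumedRoleUser (AssumeRole) or FederatedUser (GetFederationToken).
    for tag in ("AssumedRoleUser", "FederatedUser"):
        ident = result.find(f"sts:{tag}", NS)
        if ident is not None:
            out["principal_arn"] = text(ident, "Arn")
    size = text(result, "PackedPolicySize")
    out["packed_policy_size"] = int(size) if size is not None else None
    return out
```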


Page 25: A guide on Aws Security Token Service


How do permissions work?


Source : http://docs.aws.amazon.com/STS/latest/UsingSTS/FederationPermissions.html

Page 26: A guide on Aws Security Token Service


Use Cases


Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html

Page 27: A guide on Aws Security Token Service


Use Cases


Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html

Page 28: A guide on Aws Security Token Service


Cross Account Delegation (Cloudlytics Scenario)


Source : http://docs.aws.amazon.com/IAM/latest/UserGuide/Delegation.html

Page 29: A guide on Aws Security Token Service


Content References and Suggested Pages:

• AWS Documentation - Using Temporary Security Credentials
• AWS Documentation - AWS Security Token Service
• AWS Documentation - AWS Identity and Access Management
