Web Identity Federation
Simplifies authentication and authorization for web applications.
An authentication token (a JWT) is exchanged for temporary AWS credentials, allowing users to assume an IAM role with permission to access AWS resources.
User Access to AWS Resources
Users access AWS resources after successfully authenticating with a web-based identity provider like Facebook, Amazon, or Google.
Authentication
Following successful authentication, users receive an authentication code from the web ID provider.
Authorization
Users can trade this authentication code for temporary AWS security credentials, authorizing access to AWS resources.
Cognito
User Pools
Handle sign-up and sign-in functionality for mobile and web applications.
Sign-in
Users can sign in directly to the User Pool, or through Facebook, Google, or Amazon.
Identity Pools
Identity Pools enable you to provide temporary AWS credentials, enabling access to AWS services like S3 or DynamoDB.
Cognito Push Synchronization
Cognito Push Synchronization uses SNS to send a silent push notification of user data updates to multiple devices associated with a single user ID.
Lab: a Cognito user accesses DynamoDB for reads
Inline, AWS Managed, and Customer Managed Policies
There are three types of IAM policies
- AWS Managed Policies
- Customer Managed Policies
- Inline Policies
AWS Managed Policies
An IAM policy created and administered by AWS.
For example:
- AmazonDynamoDBFullAccess
- AWSCodeCommitPowerUser
- ....
You can assign appropriate permissions to your users without having to write the policy yourself.
Can be attached to multiple users, groups, or roles in the same AWS account or across different accounts.
You cannot change the permissions defined in an AWS managed policy.
Customer Managed Policies
- Created by You: A standalone policy that you create and administer inside your own AWS account. You can attach this policy to multiple users, groups, and roles within your own account.
- Copy an Existing Policy: To create a customer managed policy, you can copy an existing AWS managed policy and customize it to fit the requirements of your organization.
- Your Needs: Recommended for use cases where the existing AWS managed policies don't meet the needs of your environment.
Inline Policies
- 1:1 Relationship: There is a strict 1:1 relationship between the entity and the policy
- Embedded: When you delete the user, group, or role in which the inline policy is embedded, the policy will also be deleted.
- Single User, Group, Role: The policy must not be inadvertently assigned to any other user, group, or role than the one for which it is intended. The policy must only ever be attached to a single user, group, or role.
Inline policies created for a user do not appear in the IAM policy list; they are only visible on that user.
In most cases, AWS recommends using managed policies over inline policies.
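The following is an added example, not part of the original notes: a small audit that separates the three policy types on every user, group and role in an account snapshot, using the ARN shape to tell AWS managed policies (pseudo-account "aws") from customer managed ones, and the absence of an ARN to spot inline policies. SAMPLE_DETAILS is a constructed dict that follows the field layout of IAM's GetAccountAuthorizationDetails result (UserDetailList, GroupDetailList, RoleDetailList, with *PolicyList for inline policies and AttachedManagedPolicies for attached ones); the entity names and account id are placeholders.

```python
"""
Added example, not part of the original notes: classify the policies attached
to every user, group and role in an IAM account snapshot.
Assumptions: SAMPLE_DETAILS is constructed to follow the layout of the
GetAccountAuthorizationDetails result; names and account id are placeholders.
"""


def policy_kind(policy_arn: str) -> str:
    """Classify a managed policy by its ARN: AWS managed policies live in the
    pseudo-account 'aws' (arn:aws:iam::aws:policy/...), customer managed
    policies in your own account id. Inline policies have no ARN at all,
    which is why they never show up in the policy list."""
    parts = policy_arn.split(":", 5)
    if (len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam"
            or not parts[5].startswith("policy/")):
        raise ValueError(f"not a managed policy ARN: {policy_arn}")
    return "aws-managed" if parts[4] == "aws" else "customer-managed"


# (entity type, list key in the snapshot, key holding its inline policies)
ENTITY_KINDS = (
    ("User", "UserDetailList", "UserPolicyList"),
    ("Group", "GroupDetailList", "GroupPolicyList"),
    ("Role", "RoleDetailList", "RolePolicyList"),
)


def audit_policies(details: dict) -> dict:
    """Return {kind: [(entity type, entity name, policy name or ARN), ...]}
    for inline, AWS managed and customer managed policies."""
    report = {"inline": [], "aws-managed": [], "customer-managed": []}
    for kind, list_key, inline_key in ENTITY_KINDS:
        for entity in details.get(list_key, []):
            name = entity[f"{kind}Name"]
            # Inline policies are embedded in the entity (1:1) and die with it
            for policy in entity.get(inline_key, []):
                report["inline"].append((kind, name, policy["PolicyName"]))
            # Managed policies are standalone objects referenced by ARN
            for policy in entity.get("AttachedManagedPolicies", []):
                arn = policy["PolicyArn"]
                report[policy_kind(arn)].append((kind, name, arn))
    return report


def entities_with_inline_policies(details: dict) -> list:
    """Entities whose permissions would disappear together with them:
    candidates for migrating the inline policy to a customer managed one."""
    return sorted({(kind, name) for kind, name, _ in audit_policies(details)["inline"]})


# Constructed snapshot (placeholders; not output from a real account)
SAMPLE_DETAILS = {
    "UserDetailList": [{
        "UserName": "alice",
        "UserPolicyList": [{"PolicyName": "dynamo-read-inline",
                            "PolicyDocument": {"Version": "2012-10-17", "Statement": []}}],
        "AttachedManagedPolicies": [{"PolicyName": "AmazonDynamoDBFullAccess",
                                     "PolicyArn": "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"}],
    }],
    "GroupDetailList": [{
        "GroupName": "developers",
        "GroupPolicyList": [],
        "AttachedManagedPolicies": [{"PolicyName": "AWSCodeCommitPowerUser",
                                     "PolicyArn": "arn:aws:iam::aws:policy/AWSCodeCommitPowerUser"}],
    }],
    "RoleDetailList": [{
        "RoleName": "CognitoAuthenticatedRole",
        "RolePolicyList": [],
        "AttachedManagedPolicies": [{"PolicyName": "CognitoDynamoRead",
                                     "PolicyArn": "arn:aws:iam::123456789012:policy/CognitoDynamoRead"}],
    }],
}

if __name__ == "__main__":
    for kind, entries in audit_policies(SAMPLE_DETAILS).items():
        print(kind)
        for entity_type, name, policy in entries:
            print(f"  {entity_type} {name}: {policy}")
```

Against a live account the same functions run unchanged over the dict returned by the IAM `get_account_authorization_details` call (paginated); the snapshot here is embedded only so the audit runs offline.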
STS AssumeRoleWithWebIdentity
- STS: Part of the Security Token Service
- Allows users who have authenticated with a web identity provider to access AWS resources.
- After the user has authenticated, the application makes the assume-role-with-web-identity API call (AssumeRoleWithWebIdentity).
- If successful, STS will return temporary credentials enabling access to AWS resources.
- In the response, AssumedRoleUser carries the Arn and AssumedRoleId used to programmatically reference the temporary credentials; these identify the assumed-role session, not an IAM role or user.
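The following is an added example, not part of the original notes, covering both the Cognito Identity Pool section and the STS bullets above: the application side of the web identity federation flow modelled without calling AWS. It builds the trust policy the assumed role needs (pinned to one identity pool and to authenticated identities only), extracts the temporary credentials from a response, refuses credentials that are already expired, and shows that the AssumedRoleUser ARN is an STS session ARN rather than the IAM role ARN. The account id, role name and identity pool id are placeholders, and sample_sts_response() is a constructed dict shaped like the real AssumeRoleWithWebIdentity response, not output captured from STS.

```python
"""
Added example, not part of the original notes: the application side of the
AssumeRoleWithWebIdentity exchange, modelled offline.
Assumptions: account id, role name and identity pool id are placeholders;
sample_sts_response() is a constructed dict shaped like the STS response.
"""
from datetime import datetime, timedelta, timezone

ACCOUNT_ID = "123456789012"                      # placeholder account id
ROLE_NAME = "CognitoAuthenticatedRole"           # placeholder role name
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)        # fixed clock for the sample


def web_identity_trust_policy(identity_pool_id: str) -> dict:
    """Trust policy for the IAM role the federated user assumes.
    The 'aud' condition pins the role to one identity pool and the 'amr'
    condition allows only authenticated (not guest) identities, so a token
    from another pool or an unauthenticated identity cannot assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }],
    }


def sample_sts_response(now: datetime = SAMPLE_NOW) -> dict:
    """Constructed sample with the field layout of an AssumeRoleWithWebIdentity
    response; every value is fake."""
    session_name = "app-session"
    region = IDENTITY_POOL_ID.split(":")[0]
    return {
        "Credentials": {
            "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
            "SecretAccessKey": "EXAMPLE-SECRET-KEY",
            "SessionToken": "EXAMPLE-SESSION-TOKEN",
            "Expiration": now + timedelta(hours=1),
        },
        "SubjectFromWebIdentityToken": f"{region}:example-identity-id",
        "AssumedRoleUser": {
            "AssumedRoleId": f"AROAEXAMPLEROLEID:{session_name}",
            "Arn": f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/{ROLE_NAME}/{session_name}",
        },
        "Provider": "cognito-identity.amazonaws.com",
    }


def temporary_session(response: dict, now: datetime = SAMPLE_NOW) -> dict:
    """Pull out what the app signs requests with. Rejects credentials whose
    Expiration has already passed (stale cache or clock skew) instead of
    letting every later AWS call fail."""
    creds = response["Credentials"]
    if creds["Expiration"] <= now:
        raise ValueError("temporary credentials have already expired")
    return {
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expires_in_seconds": int((creds["Expiration"] - now).total_seconds()),
        "session_arn": response["AssumedRoleUser"]["Arn"],
    }


def role_arn_from_session_arn(session_arn: str) -> str:
    """Map the AssumedRoleUser ARN (an STS session, which is what appears as
    the caller in logs) back to the IAM role it came from:
    arn:aws:sts::ACCT:assumed-role/Role/Session -> arn:aws:iam::ACCT:role/Role
    The session ARN does not carry the role's path, so a role created under a
    path comes back without it."""
    head, sep, tail = session_arn.partition(":assumed-role/")
    parts = head.split(":")
    if not sep or not tail or len(parts) != 5 or parts[0] != "arn" or parts[2] != "sts":
        raise ValueError(f"not an assumed-role session ARN: {session_arn}")
    partition, account = parts[1], parts[4]
    role_name = tail.split("/", 1)[0]
    return f"arn:{partition}:iam::{account}:role/{role_name}"


if __name__ == "__main__":
    session = temporary_session(sample_sts_response())
    print(f"session ARN : {session['session_arn']}")
    print(f"role ARN    : {role_arn_from_session_arn(session['session_arn'])}")
    print(f"valid for   : {session['expires_in_seconds']} s")
```

The application never validates the web identity token itself; STS checks its signature and audience against the provider, and the trust policy's Condition block is what binds the role to your pool. The expiry check matters because the credentials are short-lived by design: cache them keyed on the Expiration and re-run the exchange before it passes.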
By setting up cross-account access, you can delegate access to resources that are in different AWS accounts, and you don't need to create individual IAM users in each account.
Reference: IAM Tutorial: Delegate access across AWS accounts using IAM roles.
An inline policy is deleted when the user, group, or role it is embedded in is deleted.