AWS STS - Security Token Service
- Allows to grant limited and temporary access to AWS resource (up to 1 hour)
- AssumeRole: Assume roles within your account or cross account
- GetSessionToken: for MFA, from a user or AWS account root user
- DecodeAuthorizationMessage: decode error message when an AWS API is denied
- AssumeRoleWithSAML: return credentials for users logged with SAML
- GetRederationToken: obtaini temporary creds for a federated user
- GetCallerIdentity: return details about the IAM user or role userd in the API called
STS with MFA
- User GetSessionToken from STS
- Appropriate IAM policy using IAM conditions
- aws:MultiFactorAuthPresent: true
- Reminder, GetSessionToken
- return:
- AccessID
- Secrect Key
- SessionToken
- Expiration date
IAM Policies & S3 Bucket Policies
- IAM Policies are attached to user, roles, groups
- S3 Bukcet Policies are attached to bucekts
- When evaluating if an IAM Principal can perform an operation X on a bucket, the union of its assigned IAM policeis and S3 bucket policies will be evaluated
