- Allows to grant limited and temporary access to AWS resources.
- Token is valid for up to one hour (must be refreshed)
- First issue a token using API service
- AssumeRole
- Within your own account: for enhanced security
- Cross Account Access: assume role in target account to perform actions there
- AssumeRoleWithSAML
- return credentials for users logged with SAML
- AssumeRoleWithWebIdentity
- return creds for users logged with an IdP (Facebook Login, Google Login, OIDC compatible…)
- AWS recommends against using this, and using Cognito instead
- GetSessionToken
- for MFA, from a user or AWS account root user
- Define an IAM Role within your account or cross-account
- Define which principals can access this IAM Role
- Use AWS STS (Security Token Service) to retrieve credentials and impersonate the IAM Role you have access to (AssumeRole API)
- Temporary credentials can be valid between 15 minutes to 1 hour
- STS Version 1
- By default, STS is available as a global single endpoint STS Ref
- Only support AWS Regions that are enabled by default
- Option to enable “All Regions”
- STS Version 2
- Version 1 tokens do not work for new AWS Regions (e.g., me-south-1)
- Regional STS endpoints is available in all AWS Regions
- Reduce latency, built-in redundancy, increase session token validity
- STS Session Tokens from regional endpoints (STS Version 2) are valid in all AWS Regions
[Troubleshooting]:
- Error : "An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials.”
- To solve, two options:
- Use the Regional STS Endpoint (any region) which will return STS Tokens Version 2. Use the closest regional endpoint for lowest latency
- By default, the AWS STS calls to the STS global endpoint issues session tokens which are of Version 1 (Default AWS Regions). You can configure STS global endpoint to issue STS Tokens Version 2 (All AWS Regions)
- External ID is a piece of data that can be passed to AssumeRole API
- Allowing the IAM role to be assumed only if a certain value is present (External ID)
- It solves the Confused Deputy problem
- Prevent any other customer from tricking 3rd party into unwittingly accessing your resources
- External ID is generated by the Deputy and stored in our AWS account
- Users usually have a long session duration time (e.g., 12 hours)
- If credentials are exposed, they can be used for the duration of the session
- Immediately revoke all permissions to the IAM role’s credentials issued before a certain time
- AWS attaches a new inline IAM policy to the IAM role that denies all permissions (forces users to reauthenticate) if the token is too old
- Doesn’t affect users who assumes the IAM role after you revoke sessions (don’t worry about deleting the policy)
AWSRevokeOlderSessions Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RequireMicroInstanceType",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringNotEquals": {
"ec2:InstanceType": "t2.micro"
}
}
}
]
}Note: It provides exemptions for operations in approved global services.
The NotAction element enables you to list services whose operations (or individual operations) are exempted from this restriction. Because global services have endpoints that are physically hosted by the us-east-1 Region , they must be exempted in this way.
With an SCP structured this way, requests made to global services in the us-east-1 Region are allowed if the requested service is included in the NotAction element. Any other requests to services in the us-east-1 Region are denied by this example policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllOutsideEU",
"Effect": "Deny",
"NotAction": [
"a4b:*",
"acm:*",
"aws-marketplace-management:*",
"aws-marketplace:*",
"aws-portal:*",
"budgets:*",
"ce:*",
"chime:*",
"cloudfront:*",
"config:*",
"cur:*",
"directconnect:*",
"ec2:DescribeRegions",
"ec2:DescribeTransitGateways",
"ec2:DescribeVpnGateways",
"fms:*",
"globalaccelerator:*",
"health:*",
"iam:*",
"importexport:*",
"kms:*",
"mobileanalytics:*",
"networkmanager:*",
"organizations:*",
"pricing:*",
"route53:*",
"route53domains:*",
"s3:GetAccountPublic*",
"s3:ListAllMyBuckets",
"s3:PutAccountPublic*",
"shield:*",
"sts:*",
"support:*",
"trustedadvisor:*",
"waf-regional:*",
"waf:*",
"wafv2:*",
"wellarchitected:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"eu-central-1",
"eu-west-1"
]
},
"ArnNotLike": {
"aws:PrincipalARN": [
"arn:aws:iam::*:role/Role1AllowedToBypassThisSCP",
"arn:aws:iam::*:role/Role2AllowedToBypassThisSCP"
]
}
}
}
]
}