Advanced Identity Section

AWS STS

• Security Token Service (STS) enables you to create temporary, limited-privileges credentials to access your AWS resources
• You configure the expiration period of short-term credentials
• Use cases:
  • Identity federation: Manage user identities in external systems, providing STS tokens to access AWS resources
  • IAM Roles for cross / same account access
  • IAM Roles for Amazon EC2: Provide temporary credentials for EC2 instances to access AWS resources

Amazon Cognito

• A way to provide identity for web and mobile application users (up to millions)
• Instead of creating an IAM user, you create a user in Cognito

Directory Services

• What is Microsoft Active Directory (AD)?

  • A database of objects (user accounts, computers, printers, file shares, security groups)
  • Centralised security management, create account, assign permissions
  • Found on any Windows Server with AD Domain Services

• AWS Directory Services

  • AWS Managed Microsoft AD
    • Create your own AD in AWS, manage users locally and supports MFA
    • Establish "trust" connections with your on-premise AD
  • AD Connector
    • A Directory Gateway (proxy) to redirect to on-premise AD and supports MFA
    • Users are managed on the on-premise AD
  • Simple AD
    • AD-compatible managed directory on AWS
    • Can't be joined with on-premise AD

AWS IAM Identity Center

• The successor to AWS Single Sign-On
• The feature provides a single sign-on (one login) for all your:
  • AWS accounts in AWS Organizations
  • Business cloud applications (ex. Salesforce, Box, Microsoft 365, etc.)
  • SAML2.0-enabled applications
  • EC2 Windows Instances
• Identity providers
  • Built-in identity store in IAM Identity Center
  • 3rd party: Active Directory (AD), OneLogin, Okta