IAM – Federated Access

Federated Access to AWS IAM Roles (Instead of IAM Users)

Federated access in AWS lets users reach AWS resources with identities they already have in an external identity provider (IdP) such as Active Directory (through AD FS), Okta, or any other SAML 2.0-compliant IdP. The organization keeps user identities in one central directory and grants temporary, role-based access to AWS; no IAM user, console password or long-lived access key has to be created for each person.

Key Concepts

  1. Identity Provider (IdP):

    • An external system that manages user identities and provides authentication services. Examples include Active Directory Federation Services (AD FS), Okta, and other SAML-compliant IdPs.
  2. SAML (Security Assertion Markup Language):

    • An open standard (SAML 2.0 in this case) for exchanging authentication and authorization data between an IdP and a service provider (here, AWS). The IdP signs each assertion, so the service provider can verify that it came from the trusted IdP without contacting it.
  3. Federation:

    • The process of establishing trust between the IdP and AWS, allowing users authenticated by the IdP to access AWS resources.
  4. IAM Roles:

    • AWS IAM roles define a set of permissions for making AWS service requests. Unlike IAM users, roles have no long-term credentials: they are assumed, and the caller receives temporary credentials that last at most the role's maximum session duration. Federation maps external identities onto roles, never onto IAM users.
  5. Temporary Security Credentials:

    • Credentials that are valid for a limited period of time. When a user federates into AWS, they receive temporary security credentials to access AWS resources.

How Federation Access Works

  1. User Authentication:

    • A user authenticates with the external IdP using their existing credentials (e.g., username and password in Active Directory).
  2. SAML Assertion:

    • After successful authentication, the IdP issues a signed SAML assertion. Besides the user's NameID it carries AWS-specific attributes: https://aws.amazon.com/SAML/Attributes/Role (one value per role the user may assume, each a "role ARN,SAML provider ARN" pair), https://aws.amazon.com/SAML/Attributes/RoleSessionName (the session name CloudTrail will record), and optionally https://aws.amazon.com/SAML/Attributes/SessionDuration.
  3. Assume Role:

    • The browser posts the assertion to https://signin.aws.amazon.com/saml for console access, or a CLI/SDK client passes it to the STS AssumeRoleWithSAML API. STS verifies the signature against the certificate stored in the IAM SAML provider, checks the audience, and checks that the chosen role's trust policy allows sts:AssumeRoleWithSAML from that provider. If the assertion lists several roles, the console shows a role chooser; an API client names the role explicitly. STS then returns temporary credentials (access key ID, secret access key, session token).
  4. Access AWS Resources:

    • The user acts as the assumed role for the lifetime of those credentials, with the permissions of the role. There is no IAM user behind the session; CloudTrail records the activity under the assumed role and the session name from the assertion.
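
The mapping in steps 2 and 3, as an added example (not AWS's or AD FS's code): a Python script that parses a constructed, unsigned SAML assertion, extracts the AWS Role, RoleSessionName and SessionDuration attributes, applies the checks STS makes beyond the signature, and builds the arguments for an AssumeRoleWithSAML call. The assertion text, the host adfs.example.com and the account 123456789012 are placeholders; signature verification is left out because STS does it against the certificate in the IAM SAML provider.

```python
# Added example (not AWS code): the attribute mapping STS performs on a SAML assertion.
# Signature verification against the IAM SAML provider's certificate is left out.
import base64
import xml.etree.ElementTree as ET

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ATTR_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
ATTR_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
ATTR_DURATION = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample from a hypothetical AD FS (adfs.example.com); ds:Signature omitted,
# account 123456789012 is a placeholder. The second Role value uses the reversed ARN order.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1b2c3" Version="2.0" IssueInstant="2024-03-01T08:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-ReadOnly,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    """Return the fields STS cares about."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("root element is not a SAML 2.0 Assertion")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    roles = []
    for value in attrs.get(ATTR_ROLE, []):
        parts = [p.strip() for p in value.split(",")]
        role_arn = next((p for p in parts if ":role/" in p), None)  # either order is allowed
        provider_arn = next((p for p in parts if ":saml-provider/" in p), None)
        if len(parts) != 2 or not role_arn or not provider_arn:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        roles.append((role_arn, provider_arn))
    duration = attrs.get(ATTR_DURATION)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audiences": [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "roles": roles,
        "session_name": attrs.get(ATTR_SESSION_NAME, [None])[0],
        "session_duration": int(duration[0]) if duration else None,
    }

def validate_for_aws(parsed):
    """Checks STS applies beyond the signature; an empty list means the assertion is usable."""
    problems = []
    if AWS_SAML_AUDIENCE not in parsed["audiences"]:
        problems.append("audience is not " + AWS_SAML_AUDIENCE)
    if not parsed["subject"] or not parsed["session_name"]:
        problems.append("missing NameID or RoleSessionName")
    if not parsed["roles"]:
        problems.append("no Role attribute values")
    for role_arn, provider_arn in parsed["roles"]:
        if role_arn.split(":")[4] != provider_arn.split(":")[4]:  # ARN field 4 is the account ID
            problems.append(f"role and SAML provider are in different accounts: {role_arn}")
    d = parsed["session_duration"]
    if d is not None and not 900 <= d <= 43200:
        problems.append(f"SessionDuration {d} outside the STS range of 900-43200 seconds")
    return problems

def choose_role(parsed, role_name):
    """Pick the (role ARN, provider ARN) pair the user selected on the role-chooser page."""
    for role_arn, provider_arn in parsed["roles"]:
        if role_arn.rsplit("/", 1)[-1] == role_name:
            return role_arn, provider_arn
    raise KeyError(f"assertion does not offer role {role_name!r}")

def assume_role_kwargs(parsed, role_arn, provider_arn, raw_assertion_xml):
    """Keyword arguments for boto3 sts.assume_role_with_saml(); the assertion is the credential."""
    kwargs = {"RoleArn": role_arn, "PrincipalArn": provider_arn,
              "SAMLAssertion": base64.b64encode(raw_assertion_xml.encode()).decode()}
    if parsed["session_duration"] is not None:
        kwargs["DurationSeconds"] = parsed["session_duration"]
    return kwargs

if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print("problems:", validate_for_aws(parsed))
    role_arn, provider_arn = choose_role(parsed, "ADFS-ReadOnly")
    kwargs = assume_role_kwargs(parsed, role_arn, provider_arn, SAMPLE_ASSERTION)
    print({k: v for k, v in kwargs.items() if k != "SAMLAssertion"})
    # import boto3; creds = boto3.client("sts").assume_role_with_saml(**kwargs)["Credentials"]
```

The same-account check matters in practice: STS requires the SAML provider named in PrincipalArn and the role in RoleArn to belong to the same AWS account, so a claim rule that pairs them across accounts produces assertions that fail at sign-in.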

Benefits of Federation Access

  1. Centralized Identity Management:

    • Manage user identities and credentials in one directory, so joiners, movers and leavers are handled once. Disabling a user in the directory stops new AWS sessions immediately; sessions already issued run until their credentials expire.
  2. Seamless User Experience:

    • Users can use their existing credentials to access AWS resources, providing a seamless single sign-on (SSO) experience.
  3. Temporary Access:

    • Users receive temporary security credentials, so there are no long-lived access keys for them to leak, commit to a repository, or keep after leaving.
  4. Scalability:

    • Simplifies access management for large organizations by leveraging existing identity infrastructure.

Example Scenario: Active Directory Federation

Setup Overview

  1. Configure IdP (AD FS):

    • Set up AD FS as the IdP to authenticate users.
  2. Create IAM Roles:

    • Define IAM roles in AWS that users can assume.
  3. Establish Trust:

    • Create a trust relationship between AD FS and AWS, allowing AWS to accept SAML assertions from AD FS.
  4. Map IdP Attributes to IAM Roles:

    • Map user attributes (e.g., group memberships) in AD FS to corresponding IAM roles in AWS.

Detailed Steps

  1. Configure AD FS:

    • Install and configure AD FS on a domain-joined server and confirm that users can authenticate to it.
    • Create a relying party trust for AWS. The simplest way is to import AWS's SAML metadata from https://signin.aws.amazon.com/static/saml-metadata.xml, which sets the relying party identifier to urn:amazon:webservices and the assertion consumer endpoint to https://signin.aws.amazon.com/saml.
  2. Create a SAML Provider in IAM:

    • Export the AD FS federation metadata (https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml) and upload it to IAM as a SAML identity provider. The metadata carries the AD FS token-signing certificate that STS uses to verify assertions, so it has to be re-uploaded whenever that certificate is rotated; otherwise every sign-in fails.
  3. Create IAM Roles in AWS:

    • Create one role per level of access (for example ADFS-ReadOnly and ADFS-Admin) with the permissions federated users need.
    • Give each role a trust policy whose principal is the SAML provider's ARN, whose action is sts:AssumeRoleWithSAML, and which conditions on SAML:aud being https://signin.aws.amazon.com/saml. The audience condition is the standard guard against an assertion issued for some other service provider being presented to AWS.
  4. Configure Claim Rules and Map Groups to Roles:

    • Issue a NameID (the user's e-mail address or UPN) and the https://aws.amazon.com/SAML/Attributes/RoleSessionName attribute; the session name is what CloudTrail records for everything the user does.
    • Issue the https://aws.amazon.com/SAML/Attributes/Role attribute with one value per role the user may assume, each of the form "role ARN,SAML provider ARN". The usual pattern is to name AD groups after roles (for example AWS-123456789012-ReadOnly, with 123456789012 standing for the account ID) and add a claim rule that rewrites matching group names into those ARN pairs, so AD group membership is the only thing that decides which roles a user is offered.
    • Optionally issue https://aws.amazon.com/SAML/Attributes/SessionDuration to request a session shorter than the role's maximum.
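
The setup side of steps 3 and 4, as an added example rather than AWS or AD FS code: a Python script that performs the group-to-role transformation an AD FS claim rule would do (AD FS expresses it as a RegExReplace rule; this is the same logic written out), builds the role trust policy with the SAML:aud condition, and reviews a trust policy for the mistakes that widen it. The AWS-<account>-<role> group naming convention, the provider name ADFS and the account 123456789012 are assumptions.

```python
# Added example (not AWS or AD FS code): the claim-rule mapping and the role trust policy.
# Group naming convention AWS-<account>-<role>, provider name ADFS and the account are assumptions.
import json
import re

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
# Groups like AWS-123456789012-ReadOnly; the two captures become the two ARNs.
GROUP_PATTERN = re.compile(r"^AWS-(\d{12})-([A-Za-z0-9+=,.@_-]+)$")

def saml_provider_arn(account_id, provider_name):
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"

def role_attribute_value(account_id, role_name, provider_name):
    """One value of the https://aws.amazon.com/SAML/Attributes/Role attribute."""
    return f"arn:aws:iam::{account_id}:role/{role_name},{saml_provider_arn(account_id, provider_name)}"

def groups_to_role_values(groups, provider_name):
    """What the AD FS claim rule does: each matching AD group becomes one Role value,
    every other group is ignored, so only group membership decides the offered roles."""
    values = []
    for group in groups:
        m = GROUP_PATTERN.match(group)
        if m:
            values.append(role_attribute_value(m.group(1), m.group(2), provider_name))
    return values

def build_trust_policy(account_id, provider_name):
    """Trust policy for a role that federated users from this provider may assume."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn(account_id, provider_name)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }

def trust_policy_problems(policy):
    """Review checks for a SAML trust policy; an empty list means it looks right."""
    problems = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if principal == "*" or federated == "*":
            problems.append(f"statement {i}: wildcard principal")
        elif not (isinstance(federated, str) and ":saml-provider/" in federated):
            problems.append(f"statement {i}: principal is not a SAML provider ARN")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("sts:*", "*") for a in actions):
            problems.append(f"statement {i}: wildcard action")
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            problems.append(f"statement {i}: missing or wrong SAML:aud condition")
    return problems

if __name__ == "__main__":
    account = "123456789012"  # placeholder account ID
    groups = ["Domain Users", "AWS-123456789012-ReadOnly", "AWS-123456789012-Admin"]
    for v in groups_to_role_values(groups, "ADFS"):
        print("Role attribute value:", v)
    policy = build_trust_policy(account, "ADFS")
    print(json.dumps(policy, indent=2))
    print("problems:", trust_policy_problems(policy))
    # Applying it with the AWS CLI (not run here):
    #   aws iam create-saml-provider --name ADFS --saml-metadata-document file://FederationMetadata.xml
    #   aws iam create-role --role-name ADFS-ReadOnly --assume-role-policy-document file://trust.json
```

Run trust_policy_problems() over every role whose trust policy contains sts:AssumeRoleWithSAML (aws iam list-roles returns the AssumeRolePolicyDocument) to catch roles that were created by hand without the audience condition or with a wildcard principal.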

Use Cases

  1. Single Sign-On (SSO):

    • Provide seamless access to AWS resources using corporate credentials, improving user experience and security.
  2. Temporary Project Access:

    • Grant temporary access to AWS resources for contractors or project teams using their existing identities.
  3. Cross-Account Access:

    • Let users reach resources in several AWS accounts from one IdP, either by creating a SAML provider and roles in each account (the Role attribute may list roles from different accounts, each paired with that account's provider ARN) or by federating into one account and using sts:AssumeRole to switch into roles in the others.

Security Considerations

  1. Session Duration:

    • Temporary credentials should be valid only as long as necessary. The effective lifetime is the smaller of the role's maximum session duration (set on the role, between 1 and 12 hours) and the SessionDuration attribute or DurationSeconds the caller requests; STS rejects requests above the role's maximum. Disabling a user in AD does not revoke credentials already issued; to cut those off, attach a policy to the role that denies access to sessions issued before a given time (the aws:TokenIssueTime condition key, which is what the console's "revoke active sessions" action adds).
  2. Least Privilege Principle:

    • Define IAM roles with the minimum permissions required for users to perform their tasks, and split them by function rather than issuing one broad role to everyone. Keep the trust policy equally tight: only the specific SAML provider ARN as principal, only sts:AssumeRoleWithSAML as the action, and the SAML:aud condition present.
  3. Monitoring and Auditing:

    • Every federation produces an AssumeRoleWithSAML event in AWS CloudTrail (event source sts.amazonaws.com, identity type SAMLUser) that records the role ARN, the SAML provider ARN, the session name and the requested duration; everything the user does afterwards appears under the assumed-role session. Alert on assumptions of privileged roles, on assertions from a provider other than the expected one, on session durations above policy, and on AccessDenied failures, which usually mean a claim rule offers a role whose trust policy does not accept the provider.
  4. Protect the IdP:

    • Anyone who can issue claims from AD FS, including holders of its token-signing key, can mint an assertion for any role AWS trusts. Treat the AD FS servers and the signing key as tier-0 assets, and update the IAM SAML provider's metadata when the certificate is rotated.
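
The monitoring point above, as an added example (not AWS code): a Python script that triages a handful of constructed CloudTrail records, lists successful federations, and raises findings for privileged-role assumptions, an unexpected SAML provider, over-long sessions and failed attempts. The records are written to follow the AssumeRoleWithSAML event shape (requestParameters.roleArn, principalArn, roleSessionName, durationSeconds); the accounts, addresses, users and provider names in them are placeholders.

```python
# Added example (not AWS code): triage CloudTrail records for SAML federation events.
# The log lines are constructed to follow the AssumeRoleWithSAML event shape
# (eventSource sts.amazonaws.com, userIdentity.type SAMLUser); they are not real logs.
import json
from collections import Counter

SAMPLE_LOG = """
{"eventID":"e1","eventTime":"2024-03-01T08:00:12Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRoleWithSAML","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"SAMLUser","userName":"alice@example.com"},"requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/ADFS-ReadOnly","principalArn":"arn:aws:iam::123456789012:saml-provider/ADFS","roleSessionName":"alice@example.com","durationSeconds":3600},"responseElements":{"assumedRoleUser":{"arn":"arn:aws:sts::123456789012:assumed-role/ADFS-ReadOnly/alice@example.com"}}}
{"eventID":"e2","eventTime":"2024-03-01T08:01:40Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRoleWithSAML","sourceIPAddress":"203.0.113.11","userIdentity":{"type":"SAMLUser","userName":"bob@example.com"},"requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/ADFS-Admin","principalArn":"arn:aws:iam::123456789012:saml-provider/ADFS","roleSessionName":"bob@example.com","durationSeconds":43200},"responseElements":{"assumedRoleUser":{"arn":"arn:aws:sts::123456789012:assumed-role/ADFS-Admin/bob@example.com"}}}
{"eventID":"e3","eventTime":"2024-03-01T08:02:05Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRoleWithSAML","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"SAMLUser","userName":"carol@example.com"},"requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/ADFS-ReadOnly","principalArn":"arn:aws:iam::123456789012:saml-provider/LegacyIdP","roleSessionName":"carol@example.com","durationSeconds":3600},"responseElements":{"assumedRoleUser":{"arn":"arn:aws:sts::123456789012:assumed-role/ADFS-ReadOnly/carol@example.com"}}}
{"eventID":"e4","eventTime":"2024-03-01T08:03:05Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRoleWithSAML","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"SAMLUser","userName":"dave@example.com"},"requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/ADFS-Admin","principalArn":"arn:aws:iam::123456789012:saml-provider/ADFS","roleSessionName":"dave@example.com","durationSeconds":3600},"errorCode":"AccessDenied","errorMessage":"Not authorized to perform sts:AssumeRoleWithSAML"}
{"eventID":"e5","eventTime":"2024-03-01T08:05:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ADFS-ReadOnly/alice@example.com"}}
"""

def load_records(text):
    """One JSON event per line (the shape of a flattened CloudTrail Records array)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_saml_federation(ev):
    return ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") == "AssumeRoleWithSAML"

def federated_sessions(events):
    """Successful federations: who came in, as which role, through which provider, for how long."""
    sessions = []
    for ev in events:
        if not is_saml_federation(ev) or "errorCode" in ev:
            continue
        rp = ev.get("requestParameters", {})
        sessions.append({
            "event_id": ev.get("eventID"), "time": ev.get("eventTime"),
            "user": ev.get("userIdentity", {}).get("userName"),
            "role": rp.get("roleArn"), "provider": rp.get("principalArn"),
            "duration": rp.get("durationSeconds"), "ip": ev.get("sourceIPAddress"),
        })
    return sessions

def findings(events, privileged_roles, expected_provider, max_duration):
    """Return (event ID, finding type, detail) tuples that deserve an alert."""
    out = []
    for ev in events:
        if not is_saml_federation(ev):
            continue
        eid, rp = ev.get("eventID"), ev.get("requestParameters", {})
        user, role = ev.get("userIdentity", {}).get("userName"), rp.get("roleArn")
        if "errorCode" in ev:  # a failed attempt has no responseElements
            out.append((eid, "failed-federation", f"{user}: {ev['errorCode']} assuming {role}"))
            continue
        if rp.get("principalArn") != expected_provider:  # a second trusted IdP is a red flag
            out.append((eid, "unexpected-provider", f"{user} via {rp.get('principalArn')}"))
        if role in privileged_roles:
            out.append((eid, "privileged-role", f"{user} assumed {role} from {ev.get('sourceIPAddress')}"))
        if (rp.get("durationSeconds") or 0) > max_duration:
            out.append((eid, "long-session", f"{user} requested {rp.get('durationSeconds')}s on {role}"))
    return out

def finding_counts(found):
    return Counter(kind for _, kind, _ in found)

if __name__ == "__main__":
    events = load_records(SAMPLE_LOG)
    for s in federated_sessions(events):
        print(s)
    hits = findings(events, {"arn:aws:iam::123456789012:role/ADFS-Admin"},
                    "arn:aws:iam::123456789012:saml-provider/ADFS", max_duration=28800)
    for hit in hits:
        print(*hit)
    print(dict(finding_counts(hits)))
```

The responseElements.assumedRoleUser.arn of a successful event is the identity every later API call from that session carries in userIdentity.arn, so joining on it is how the rest of a federated user's activity is attributed back to the sign-in.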

By leveraging federation access, organizations can streamline their identity management processes, improve security, and provide a better user experience for accessing AWS resources.