AWS Solutions Architect - Associate

AWS Solutions Architect - Associate

Fundamentals
Deep Dive
Serverless
Security and Disaster Recovery
Other Services
Whitepapers
- Well Architectured Framework
- AWS Truster Advisor

Advanced IAM

AWS STS - Security Token Service

Allows to grant limited and temporary access to AWS resources
Token valid for up to one hour (must be refreshed)
STS most important APIs:
- AssumeRole:
  - Usage within our account: for temporary enhanced security
  - Cross account: assume role on target account to perform actions there
- AssumeRoleWithSAML:
  - Return credentials for user logging in with SAML
- AssumeRoleWithWebIdentity:
  - Return credentials for users logged in with IdP (Facebook login, Google login, OIDC)
  - AWS recommends against using this, use Cognito instead
- GetSessionToken:
  - Fro MFA, from an user or AWS account root user

Using STS to Assume a Role

Define an IAM Role within an account or cross-account
Define which principals can access this IAM Role
Use AWS STS to retrieve credentials and impersonate the IAM Role you have access to (AssumeRole API)
Temporary credentials will be valid for 15 minutes up to 1 hour