AWS CSA
  • Introduction
  • 1. AWS Overview
    • 1.1 AWS global Infrastructure
    • 1.2 Networking and Content Delivery
    • 1.3 Computing
    • 1.4 Storage
    • 1.5 Databases
    • 1.6 Migration Services
    • 1.7 Analytics
    • 1.8 Security and Identity
    • 1.9 Management Tools
    • 1.10 Application Services
    • 1.11 Developer Tools
    • 1.12 Mobile Services
    • 1.13 Desktop and App Streaming
    • 1.14 Artificial Intelligence
    • 1.15 Messaging
  • 2. IAM - Identity Access Management
    • 2.1 IAM Introduction
    • 2.2 IAM Labs
    • 2.3 Create a billing alart
    • 2.4 IAM Conclusion
  • 3. S3 - Simple Storage Service
    • 3.1 S3 Introduction
    • 3.2 S3 Labs
    • 3.3 Version Control Labs
    • 3.4 Cross Region Replication
    • 3.5 Life Cycle Management
    • 3.6 CloudFront
    • 3.7 CloudFront Labs
    • 3.8 S3 Security and Encryption
    • 3.9 Storage Gateway
    • 3.10 Snowball
    • 3.11 Snowball Labs
    • 3.12 S3 Transfer Acceleration
    • 3.13 Create a static web page using S3
    • 3.14 Storage Summary
  • 4. EC2 - Elastic Compute Cloud
    • 4.1 EC2 Introduction I
    • 4.2 EC2 Introduction II
    • 4.3 EC2 Lab 1
    • 4.4 EC2 Lab 2
    • 4.5 Security Groups Lab
    • 4.6 Upgrade EBS Volume Types - Lab1
    • 4.7 Upgrade EBS Volume Types - Lab2
    • 4.8 RAID, Volumes & Snapshots
    • 4.9 Create An AMI - Lab
    • 4.10 AMI's EBS Root Volumes vs. Instance Store
    • 4.11 Elastic Load Balancer & Health Check - Lab
    • 4.12 CloudWatch EC2 - Lab
    • 4.13 The AWS Command Line & EC2
    • 4.14 Using IAM Roles with EC2
    • 4.15 S3 CLI & Regions
    • 4.16 Using Bootstrap Scripts
    • 4.17 EC2 Instance Metadata
    • 4.18 Launch Configurations & Auto Scaling Groups
    • 4.19 EC2 Placement Groups - Exam Must Know
    • 4.20 Elastic File System (EFS) Lab
    • 4.21 Lambda Concepts
    • 4.22 Build A Serverless Webpage Using API Gateway & Lambda
    • 4.23 Use Polly to Pass Your Exam - Lab of a Serverless Application
    • 4.24 Use Polly to Pass Your Exam - Lab of a Serverless Application
    • 4.25 EC2 - Summary & Exam Tips
  • 5. Route53
    • 5.1 DNS 101
    • 5.2 Route53 - Register A Domain Name - Lab
    • 5.3 Setup Our EC2 Instances - Lab
    • 5.4 Routing Policies - Lab
  • 6. Databases on AWS
    • 6.1 Databases 101
    • 6.2 Launching an RDS Instance - Lab
    • 6.3 RDS - Backups, Multi-AZ & Read Replicas
    • 6.4 DynamoDB
    • 6.5 Redshift
    • 6.6 ElastiCache
    • 6.7 Aurora
    • 6.8 Database Summary
  • 7. VPC
    • 7.1 VPC Overview
    • 7.2 VPC Lab - Part 1
    • 7.3 VPC Lab - Part 2
    • 7.4 NAT Instances & NAT Gateways
    • 7.5 Network Access Control Lists vs. Security Groups
    • 7.6 Load Balancers & Custom VPCs
    • 7.7 VPC Flow Logs
    • 7.8 NATs vs. Bastions
    • 7.9 VPC End Points
    • 7.10 VPC Clean Up
    • 7.11 VPC Summary
  • 8. Application Services
    • 8.1 SQS - Simple Queue Service
    • 8.2 SWF - Simple Workflow Service
    • 8.3 SNS - Simple Notification Service
    • 8.4 Elastic Transcoder
    • 8.5 API Gateway
    • 8.6 Kinesis 101
    • 8.7 Kinesis Streams Lab
    • 8.8 Application Services Summary
  • 9. White Paper Reviews
    • 9.1 Overview of AWS
    • 9.2 Overview of Security Processes - Part 1
    • 9.3 Overview of Security Processes - Part 2
    • 9.4 Risk & Compliance Whitepaper
    • 9.5 Storage Options in the Cloud Whitepaper
    • 9.6 Architecting For The Cloud Best Practices Whitepaper
  • 10. Well Architected Framework
    • 10.1 Introduction of Well Architected Framework
    • 10.2 Pillar One - Security
    • 10.3 Pillar Two - Reliability
    • 10.4 Pillar Three - Performance
    • 10.5 Pillar Four - Cost Optimization
    • 10.6 Pillar Five - Operational Excellence
    • 10.7 Well Architected Framework - Summary
  • 11. Additional Exam Tips
    • 11.1 Exam Tips Based On Student Feedback
    • 11.2 Consolidated Billing
    • 11.3 AWS Organizations - Lab
    • 11.4 Cross Accounts Access
    • 11.5 Resource Groups & Tagging
    • 11.6 VPC Peering & ClassicLink
    • 11.7 Direct Connect
    • 11.8 Security Token Service
    • 11.9 Active Directory Integration
    • 11.10 Workspaces
    • 11.11 ECS - Part 1 - What is Docker
    • 11.12 ECS - Part 2 - What is ECS
    • 11.13 CloudFormation - A Brief Introduction
    • 11.14 Step Functions - A Brief Introduction
  • 12. Practice Tests Questions Summary
    • 12.1 Whizlabs - Free Test
    • 12.2 Whizlabs - Diagnosis Test
    • 12.3 Whizlabs - Practice Test I
    • 12.4 Whizlabs - Practice Test II
    • 12.5 Whizlabs - Practice Test III
    • 12.6 Whizlabs - Practice Test IV
    • 12.7 Whizlabs - Practice Test V
    • 12.8 Whizlabs - Practice Test VI
    • 12.9 Whizlabs - Practice Test VII
    • 12.10 Whizlabs - Section Tests - Part 1
    • 12.11 Whizlabs - Section Tests - Part 2
    • 12.12 Udemy - Final Quiz
  • 13. The Real World - Creating a fault tolerant Word Press Site
    • 13.1 Getting Setup
Powered by GitBook
On this page
  • Security Token Service (STS)
  • Understanding The Key Terms
  • Scenario
  • Solution:

Was this helpful?

  1. 11. Additional Exam Tips

11.8 Security Token Service

Security Token Service (STS)

AWS STS can be used to achieve integration between AWS IAM and an on-premise Active Directory infrastructure or LDAP directory service. Grants users limited and temporary access to AWS resources (using Identity Providers and Federations, i.e. IdP, instead of using IAM User or Role). Users can come from three sources:

  • Federation (typical Active Directory) ---- SAML 2.0-based Identity Federation

    • Uses Security Assertion Markup Language (SAML)

    • Grants temporary access based off the users Active Directory credentials. Does not need to be a user in IAM.

    • Single sign on allows users to log in to AWS console without assigning IAM credentials.

  • Federation with Mobile Apps ---- Web Identity Federation

    • Use Facebook/Amazon/Google or other OpenID providers to log in.

  • Cross Account Access

    • Let's users from one AWS account access resources in another. The cross account delegation is useful for allowing existing IAM users to access AWS resources that they don't already have access to. It is useful for existing IAM users as a means to temporarily gain privileged access.

  • (Custom Identity Broker)

Understanding The Key Terms

  • Federation

    • Combining or joining a list of users in one domain (such as IAM) with a list of users in another domain (such as Active Directory, Facebook, etc)

  • Identity Broker

    • A service that allows you to take an identity from point A and join it (federate it) to point B

  • Identity Store

    • Services like Active Directory, Facebook, Google, etc.

  • Identities

    • A user of a service like Facebook etc.

Scenario

You are hosting a company website on some EC2 web servers in your VPC. Users of the website must log in to the site which then authenticates against the companies active directory servers which are based on site at the companies HQ.

Your VPC is connected to your company HQ via a secure IPSEC VPN. Once logged in the user can only have access to their own S3 bucket. How do you set this up?

Solution:

Enterprise Reporting Application - employees are using enterprise reporting application and this application needs to communicate with object inside S3. What they do is that they log into the reporting application and they enter their usernames and passwords, this is step 1. In step 2, the application calls an identity broker, so the broker captures the usernames and passwords. In step 3, the identity broker check with the LDAP Directory server as to whether or not the username and password is valid and confirm that it is valid. In step 4 and step 5, identity broker initiate a call to the AWS Security Token Service (STS) and /*that call is calling the new GetFederationToken function using IAM credentials. And the call must include an IAM policy and a duration (between 1 to 36 hours) and that is the length of time that this user is going to be logged into the system. You also need to include a policy that specifies the permissions to be granted to the temporary security credentials. The STS then confirm the policy of the IAM user making the call to the GetFederationToken and then gives permission to create new tokens and then*/ AWS STS returns the temporary security credentials with four values: an access key, secret access key, a token and a duration (i.e. the token's lifetime). Once the identity broker has that four values, in step 6, it returns the temporary security credentials to the enterprise recording application, and then in step 7, the enterprise recording application (data storage application) makes a call to S3 using the temporary security credentials (including the token) in order to get some objects from S3. In step 8, S3 uses IAM to verify the credentials/tokens, if correct, then in step 9, IAM will allow the request operation on the given S3 bucket. (So S3 is just like saying that is this security token correct? can this user to do this? And then IAM will say yes to S3.)

And you should remember that procedure when you are going in to the exam, three steps really involved:

  • Develop an Identity Broker to communicate with LDAP and AWS STS.

  • Identity Broker always authenticates with LDAP first, then with AWS STS.

  • Application then gets temporary access to AWS resources.

Previous11.7 Direct ConnectNext11.9 Active Directory Integration

Last updated 5 years ago

Was this helpful?