{"id":1778,"date":"2019-08-07T07:04:38","date_gmt":"2019-08-07T07:04:38","guid":{"rendered":"https:\/\/www.testpreptraining.com\/tutorial\/?page_id=1778"},"modified":"2020-05-02T06:46:10","modified_gmt":"2020-05-02T06:46:10","slug":"security-token-service","status":"publish","type":"page","link":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/security-token-service\/","title":{"rendered":"Security Token Service"},"content":{"rendered":"\n<ul class=\"wp-block-list\"><li>Grants users limited and temporary access to AWS resources<\/li><li>Users can come from 3 different sources:<ul><li>Federation (Active Directory):<ul><li>Uses Security Assertion Markup Language (SAML)<\/li><li>Grants temporary access based on the user's AD credentials<\/li><li>Does not need to be an IAM user<\/li><li>Single sign-on allows users to log into the AWS console without assigning IAM credentials<\/li><\/ul><\/li><li>Federation with Mobile Apps:<ul><li>Use Facebook, Amazon, Google, or other OpenID providers to log in<\/li><\/ul><\/li><li>Cross Account Access:<ul><li>Lets users from one AWS account access resources in another AWS account<\/li><\/ul><\/li><\/ul><\/li><li>Federation &#8211; Combining or joining a list of users in one domain with a list of users in another domain (Active Directory -&gt; IAM, for example)<\/li><li>Identity Broker &#8211; A service that allows you to take an identity from Domain A and join it (federate it) to Domain B<\/li><li>Identity Store &#8211; Services like Active Directory, Facebook, Google, Amazon, etc.<\/li><li>Identities &#8211; A user of a service like Amazon, Facebook, Google, etc.<\/li><li>Steps of Authentication:<ul><li>User enters username\/password<\/li><li>Application calls an Identity Broker. The broker is passed the username\/password<\/li><li>The Identity Broker uses the organization's centralized authentication to validate the identity of the user (think Active Directory)<\/li><li>The Identity Broker then calls the STS GetFederationToken API using IAM credentials. The call must include a duration (1-36 hours) and an IAM policy that specifies the permissions to be granted to the temporary security credentials<\/li><li>STS confirms that the policy of the user making the call gives permission to create new tokens and then returns 4 values:<ul><li>Access Key<\/li><li>Secret Access Key<\/li><li>Token<\/li><li>Duration of token<\/li><\/ul><\/li><li>The Identity Broker returns the temporary security credentials to the requesting application<\/li><li>The requesting application uses the temporary security credentials and token to make requests to AWS<\/li><li>AWS uses IAM to verify that the credentials allow the requested operation on the given service using the given key<\/li><li>IAM provides the service with an allowed action to perform the requested operation<\/li><\/ul><\/li><li>Simplified steps:<ul><li>Develop an Identity Broker to communicate with LDAP and AWS STS<\/li><li>The Identity Broker should always authenticate with LDAP first, then with the STS service<\/li><li>The application gets temporary access to AWS resources<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>Web Identity Federation<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Useful for mobile apps to access AWS resources<\/li><li>Allows the app to receive an authentication token from the identity provider<\/li><li>The app then exchanges that token for temporary AWS credentials<\/li><li>Avoids embedding or distributing long-term AWS credentials with apps<\/li><li>Supports the following providers:<ul><li>Amazon<\/li><li>Facebook<\/li><li>Google<\/li><li>Any other OpenID Connect (OIDC) compatible identity provider<\/li><\/ul><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Grants users limited and temporary access 
to AWS resources Users can come from 3 different sources: Federation (Active Directory): Uses Security Assertion Markup Language (SAML) Grants temporary access based off the users AD credentials Does not need to be an IAM user Single sign on allows users to log into the AWS console without assigning&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":383,"menu_order":42,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"categories":[2],"tags":[7,306],"class_list":["post-1778","page","type-page","status-publish","hentry","category-amazon-aws","tag-aws","tag-security-token-service"],"acf":[]}