[AWS

AWS STS - Security Token Service

• Allows to grant limited and temporary access to AWS resource (up to 1 hour)
• AssumeRole: Assume roles within your account or cross account
• GetSessionToken: for MFA, from a user or AWS account root user
• DecodeAuthorizationMessage: decode error message when an AWS API is denied
• AssumeRoleWithSAML: return credentials for users logged with SAML
• GetRederationToken: obtaini temporary creds for a federated user
• GetCallerIdentity: return details about the IAM user or role userd in the API called

STS with MFA

• User GetSessionToken from STS
• Appropriate IAM policy using IAM conditions
• aws:MultiFactorAuthPresent: true
• Reminder, GetSessionToken
• return:
  • AccessID
  • Secrect Key
  • SessionToken
  • Expiration date

IAM Policies & S3 Bucket Policies

• IAM Policies are attached to user, roles, groups
• S3 Bukcet Policies are attached to bucekts
• When evaluating if an IAM Principal can perform an operation X on a bucket, the union of its assigned IAM policeis and S3 bucket policies will be evaluated