AWS - Security Token Service (STS)
  • Grants users temporary limited access to AWS resources.
  • Supports users from the following 3 sources:
    • Federation with Active Directory
      • Uses Security Assertion Markup Language (SAML)
      • Grants access based on the user's Active Directory credentials. The user does not need to be an IAM user.
      • Single Sign-On allows the user to log in to the AWS console without using an IAM account.
    • Federation in Mobile App
      • Uses Facebook, Google, Amazon or other OpenID providers.
    • Cross account access
      • Lets a user from one account access resources in another account.
  • Federation:
    • Combining or joining a list of users in one domain (e.g. IAM) with a list of users in another domain (e.g. Facebook, Google, etc.).
  • Identity Broker:
    • A custom service that lets you take an identity from point A and join it to point B.
  • Identity Store:
    • Services like Facebook, Google, Active Directory, etc.
  • Identity:
    • A user of the service.
  • Example scenario:
    • Accessing an S3 object from a company's intranet site.
  • Application flow of intranet site:
    • Users enter credentials on the website.
    • Website sends credentials to Identity Broker.
    • The Identity Broker validates the credentials through an Identity Service (e.g. Active Directory).
    • The Identity Broker calls the GetFederationToken function of STS using the Identity Broker's own IAM credentials. The call must include an IAM policy, a duration (1 hr to 36 hrs) and the policy permissions that should be granted.
    • After validation, STS generates a response with 4 values:
      • Access key
      • Secret access key
      • Token
      • Duration
    • The Identity Broker sends the token to the website.
    • The website sends a request to S3 with the token.
    • S3 verifies the token with the IAM service.
    • On successful verification, S3 sends the object to the website.
  • The Identity Broker always verifies the user's credentials with the Identity Store first, and only then sends the request to STS.
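The intranet flow above, written out as an added Python example (this is not AWS's code and not part of the original notes). The identity store, the user table, the bucket and object name are all constructed for the example; the STS client is an offline stand-in that accepts the same `get_federation_token` keyword arguments (`Name`, `Policy`, `DurationSeconds`) and returns the same response shape as the real boto3 client, so `boto3.client("sts")` can be dropped in for a live run. The point it demonstrates is the ordering the last bullet insists on (verify against the identity store before STS is ever called) and the least-privilege session policy that scopes the temporary credentials to one object.

```python
"""Identity-broker flow for STS GetFederationToken (added example, not AWS's code)."""
import hashlib
import hmac
import json
import os
import re
from datetime import datetime, timedelta, timezone

# Hard limits STS enforces on GetFederationToken's DurationSeconds (15 min to 36 h).
# The notes above work with one hour, which is the default here.
MIN_DURATION = 900
MAX_DURATION = 129_600
DEFAULT_DURATION = 3600


class IdentityStore:
    """Stand-in for the Identity Store (e.g. Active Directory): a constructed user
    table holding salted PBKDF2 password hashes, never plaintext passwords."""

    def __init__(self):
        self._users = {}

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison so the check does not leak timing information.
        return hmac.compare_digest(self._hash(password, salt), expected)


class FakeStsClient:
    """Offline stand-in for boto3's STS client (constructed): same keyword arguments
    and response shape as get_federation_token, but mints dummy credentials."""

    def __init__(self):
        self.calls = []  # recorded so a test can check STS is only called after verification

    def get_federation_token(self, Name, Policy, DurationSeconds):
        self.calls.append({"Name": Name, "Policy": Policy, "DurationSeconds": DurationSeconds})
        expiry = datetime.now(timezone.utc) + timedelta(seconds=DurationSeconds)
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLEFAKEKEY00",        # constructed, not a real key
                "SecretAccessKey": "constructed-secret-not-real",
                "SessionToken": "constructed-session-token",
                "Expiration": expiry,
            }
        }


def scoped_s3_policy(bucket, key):
    """Least-privilege session policy: read one object only. The federated user's
    effective permissions are the intersection of this policy and the broker's own."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{key}",
        }],
    })


class IdentityBroker:
    def __init__(self, identity_store, sts_client):
        self.store = identity_store
        self.sts = sts_client  # for a live run: boto3.client("sts") with the broker's IAM credentials

    def issue_credentials(self, username, password, bucket, key, duration=DEFAULT_DURATION):
        # Step 1: always verify with the Identity Store BEFORE touching STS.
        if not self.store.verify(username, password):
            raise PermissionError("invalid credentials")
        if not MIN_DURATION <= duration <= MAX_DURATION:
            raise ValueError("duration outside the range STS accepts")
        # Step 2: GetFederationToken with a policy and a duration. Name must be 2-32
        # characters from [A-Za-z0-9+=,.@-], so the username is sanitised to fit.
        name = re.sub(r"[^\w+=,.@-]", "_", username)[:32]
        resp = self.sts.get_federation_token(
            Name=name, Policy=scoped_s3_policy(bucket, key), DurationSeconds=duration
        )
        c = resp["Credentials"]
        # Step 3: the four values the notes list; the website presents these to S3.
        return {
            "access_key": c["AccessKeyId"],
            "secret_access_key": c["SecretAccessKey"],
            "token": c["SessionToken"],
            "duration": duration,
        }


if __name__ == "__main__":
    store = IdentityStore()
    store.add_user("alice", "correct horse battery staple")  # constructed test user
    broker = IdentityBroker(store, FakeStsClient())
    print(broker.issue_credentials("alice", "correct horse battery staple", "intranet-docs", "report.pdf"))
```

The broker never hands its own long-lived IAM keys to the website; it only returns the temporary set, and the session policy means that even a leaked token cannot read anything beyond the one object it was minted for.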
