Advanced Identity

AWS STS (SecurityToken Service)

Enables you to create temporary, limited- privileges credentials to access your AWS resources
Short-term credentials: you configure expiration period
Use cases
- Identity federation: manage user identities in external systems, and provide them with STS tokens to access AWS resources
- IAM Roles for cross/same account access
- IAM Roles for Amazon EC2: provide temporary credentials for EC2 instances to access AWS resources

Found on any Windows Server with AD Domain Services
Database of objects: User Accounts, Computers, Printers, File Shares, Security Groups
Centralized security management, create account, assign permissions

AWS Managed Microsoft AD
- Create your own AD in AWS, manage users locally, supports MFA
- Establish “trust” connections with your on- premise AD
AD Connector
- Directory Gateway (proxy) to redirect to on- premise AD, supports MFA
- Users are managed on the on-premise AD
Simple AD
- AD-compatible managed directory on AWS
- Cannot be joined with on-premise AD

One login (single sign-on) for all your
- AWS accounts in AWS Organizations
- Business cloud applications (e.g., Salesforce, Box, Microsoft 365, …)
- SAML2.0-enabled applications
- EC2 Windows Instances
Identity providers
- Built-in identity store in IAM Identity Center

IAM
- Identity and Access Management inside your AWS account
- For users that you trust and belong to your company
Organizations: manage multiple AWS accounts
Security Token Service (STS): temporary, limited-privileges credentials to access AWS resources
Cognito: create a database of users for your mobile & web applications
Directory Services: integrate Microsoft Active Directory in AWS
IAM Identity Center: one login for multiple AWS accounts & applications

Download PDF : AWS Cloud Practitioner Study Notes (PDF)