Sunday, February 2, 2020

IAM

-The root user always has full access to every resource in the account; IAM policies cannot restrict it (only an Organizations SCP can, and only in a member account). Lock it down with MFA and don't use it day to day.
- You can delegate access to AWS resources using an IAM role.
 https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html
   - With IAM roles for Amazon ECS tasks, you can specify an IAM role that is used by the containers in a task, so each task gets only the permissions it needs instead of inheriting the instance role.
-MFA can be enabled for the root user and for IAM users.
-An EC2 instance gets a role through an instance profile: the instance profile wraps the role and is referenced in the instance's instance-profile property, and the instance metadata service hands the temporary credentials to the application.
Roles can be assumed by the following:
- An IAM user in the same AWS account as the role
- An IAM user in a different AWS account than the role
- A web service offered by AWS such as Amazon Elastic Compute Cloud (Amazon EC2)
- An external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 or OpenID Connect, or a custom-built identity broker.

STS:
-Issues temporary credentials. An AssumeRole session defaults to one hour; the caller can ask for 15 minutes up to the role's maximum session duration (at most 12 hours).
- Used for cross-account access: a principal in the trusted account calls AssumeRole on a role in the trusting account, and that role's trust policy decides who may assume it.
AWS Managed Microsoft AD: a real Active Directory running in AWS. It can establish a trust relationship with the on-premises AD, and users can be managed in the AWS directory. MFA support is available (via a RADIUS server).
AD Connector: works as a proxy. It forwards authentication and lookup requests to the on-premises AD and stores nothing in AWS. Users are managed solely on-premises. MFA is also supported via RADIUS.
Simple AD: standalone Samba-based directory. It cannot establish a trust with an on-premises AD and has no MFA support.

IAM policy evaluation:
Resource-based policy: attached to the resource (S3 bucket, KMS key, a role's trust policy); allows or denies named principals.
Permissions boundary: caps what the identity-based policies of a user or role can grant; it grants nothing on its own.
Identity-based policy: attached to the user, group or role; this is what actually grants permissions.
Organizations SCP: caps what any principal in a member account can do, including the root user; it grants nothing on its own.
-->Effective permissions = intersection of identity-based policy, permissions boundary and SCP, and an explicit Deny in any of them wins. (A resource-based policy can additionally allow a principal from the same account even without an identity-based allow.)
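The intersection rule is easiest to see by running it. The following is an added example written for these notes, not code from the post or from AWS: a deliberately simplified policy evaluator that ignores Condition, NotAction, NotResource and resource-based policies, treats every SCP document passed in as one level of the Organizations hierarchy (so each must allow), and compares actions case-insensitively. The sample policy documents are constructed for the example.

```python
"""Simplified simulation of the evaluation logic summarised above:
effective permissions = identity-based policy ∩ permissions boundary ∩ SCP,
and an explicit Deny anywhere wins.

Deliberate simplifications (not AWS behaviour): Condition, NotAction,
NotResource and resource-based policies are ignored, and each SCP document
is treated as one level of the Organizations hierarchy, so every one must allow.
"""
import fnmatch


def _as_list(value):
    """IAM allows a string or a list of strings in Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcards (* and ?) map onto fnmatch. Actions are case-insensitive in
    IAM, so everything is compared lower-cased (a simplification for ARNs)."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _policy_decision(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if _matches(stmt.get("Action"), action) and _matches(stmt.get("Resource", "*"), resource):
            if stmt.get("Effect") == "Deny":
                return "Deny"  # an explicit Deny is final for this document
            allowed = True
    return "Allow" if allowed else "Implicit"


def evaluate(action, resource, identity_policies, permissions_boundary=None, scps=()):
    """Decide whether a principal may perform `action` on `resource`.
    Returns (decision, reason). Layers are checked in the order AWS documents
    them: SCPs, then the permissions boundary, then identity-based policies."""
    for scp in scps:
        d = _policy_decision(scp, action, resource)
        if d != "Allow":
            return "Deny", "SCP: " + ("explicit deny" if d == "Deny" else "no allow at this level")
    if permissions_boundary is not None:
        d = _policy_decision(permissions_boundary, action, resource)
        if d != "Allow":
            return "Deny", "permissions boundary: " + ("explicit deny" if d == "Deny" else "not within boundary")
    decisions = [_policy_decision(p, action, resource) for p in identity_policies]
    if "Deny" in decisions:
        return "Deny", "identity policy: explicit deny"
    if "Allow" in decisions:
        return "Allow", "allowed by identity policy, within boundary and SCP"
    return "Deny", "implicit deny: no identity policy allows it"


# Constructed sample documents for the example (not taken from any real account).
SCP_GUARDRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},               # FullAWSAccess
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},  # org-wide guardrail
]}
DEV_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
]}
DEV_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:CreateUser"], "Resource": "*"},
]}


def run_examples():
    """Four requests that each exercise a different layer of the intersection."""
    cases = {
        "s3:GetObject": "arn:aws:s3:::example-bucket/report.csv",  # allowed by all three layers
        "s3:DeleteBucket": "arn:aws:s3:::example-bucket",          # SCP explicit deny wins
        "iam:CreateUser": "*",                                     # identity allows, boundary does not
        "ec2:DescribeInstances": "*",                              # boundary allows, identity does not
    }
    return {a: evaluate(a, r, [DEV_IDENTITY], DEV_BOUNDARY, [SCP_GUARDRAIL]) for a, r in cases.items()}


if __name__ == "__main__":
    for action, (decision, reason) in run_examples().items():
        print(f"{action:24} {decision:5} ({reason})")
```

The two Deny cases for iam:CreateUser and ec2:DescribeInstances are the point: a boundary or SCP that allows something grants nothing by itself, and an identity policy that allows something is useless outside the boundary. For the real thing, use the IAM policy simulator (SimulatePrincipalPolicy), which also handles conditions and resource-based policies.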

AWS Resource Access Manager (RAM): for sharing resources across accounts, e.g. a VPC subnet can be shared with other accounts in the organization.

AWS SSO
-Supports SAML 2.0 (Security Assertion Markup Language), both for federating an external identity provider into AWS SSO and for giving users access to SAML-enabled applications.

-AssumeRoleWithSAML: the user authenticates at the third-party portal/identity provider, the IdP returns a SAML assertion, and the application passes that assertion to STS (AssumeRoleWithSAML) to get temporary credentials for the mapped role.
-The AWS SSO portal already does this STS exchange for you, so no custom integration is needed.
- Cognito is made to federate mobile and web user identities and map them to IAM roles with their own policies.

Cognito User Pool: serverless user directory (sign-up/sign-in) for mobile and web users; issues JWT tokens. Can be integrated with API Gateway as an authorizer.
Cognito Identity Pool (federated identities): exchanges a user pool or external IdP token for temporary AWS credentials, so the app gets direct access to AWS resources under the mapped IAM role.
AWS AppSync: managed GraphQL API that can use Cognito user pools for authorization.
