{"componentChunkName":"component---src-templates-blog-js","path":"/ctf/aws-formation/tp8-advanced-iam","result":{"data":{"markdownRemark":{"html":"

1. Web Identity Federation

\n

definition

\n

Web Identity Federation let you give your user access to AWS resouce after successfull authentification (like Gogle Facebook or Amazon).\nthey receive an authentifiaction code fro mthe web ID provider, which they can trade for temporary AWS security credentials.

\n

amazon cognito

\n

provides Web Identity Federation with folowing features :

\n\n

It is the recommended approach for web identity federation using social media accounts like facebook

\n

\"TP8-AdvancedIAM-image-20200723032104521\"

\n

Cognito can log you to different applciations

\n

2. Cognito User Pools

\n

definitions - User Pools

\n

They are users directories used to manage sign-up and sign-in for mobile and web applications

\n

Users can sign-in directly to the user pool, or indirectly provider (Facebook, Amazon, Google).\nActs as an Identiy Brokers between your AWS app and web id providers. If successful authetification it generates a JSON web tokens (JWT)

\n

definitions - Identity Pools

\n

Identity Pools enable to create unique identifies for your users and authentificate them with identity providers

\n

example

\n

\"TP8-AdvancedIAM-image-20200723032910524\"

\n

push synchronisation

\n

Cognito tracks the association between user identity and various devices.

\n

Cognito uses Push Synchronization to send a silent push notification of user data updates to multiples devie types associated with a user ID.

\n

3. Cognito Lab

\n

you can create group of users

\n

steps

\n
    \n
  1. Create an user Pools
    2. \n
  2. Add an app client
    3. \n
  3. Enable Identify providers
    4. \n
  4. Defines sign in and out URL : Callabck URL (redirection of the user after successfull authentification)
    5. \n
  5. OAuth 2.0 (JWT tokens) : Open Standard Authentification Framework
    6. \n
  6. Attach an Amazon Cognito Domain Name
    7. \n
  7. Customize Cognito (optional)
    8. \n
\n

`login?responsetype=token&clientid=1343243&redirect_url=https://example.com

\n

4. Inline Policies vs Managed Policies vs Custom Policies

\n

IAM : Identity Access Managements, is used to define user access permissions within AWS

\n

There are 3 differents types of IAM policies available :

\n
    \n
  1. \n

    Managed Policies : AWS-managed default policiies

    \n\n
    2. \n
  2. \n

    Customer Managed Policies : Managed by you

    \n\n
    3. \n
  3. \n

    Inline Policies : Managed by you and ambedded in a single user, group, or role.

    \n\n
    4. \n
\n

In most cases AWS recommends using Manages Policies over Inline Policies

\n

5. STS AssumeRoleWithWebIdentity API

\n

AssumeRoleWithWebIdentity is an API provided by STS (Security Token Service)

\n

Retuns temp security credentials for users\nAllow to authentificate users from a web identity provider to access AWS resource\nOne the user has authentificated, the application makes the assume-role-with-web-identity

\n

If you are on a mobile -> use Cognito,\nIf not you can use AssumeRoleWithWebIdentity

\n

\"TP8-AdvancedIAM-image-20200723034948990\"

\n

AssumeRoleUser with ARN (ARN identifiers which can be used refer to the temp credential) + Credentials (temporaty)

","frontmatter":{"date":"July 31, 2020","path":"ctf/aws-formation/tp8-advanced-iam","title":"TP8 - Advanced IAM","tags":["cloud","ec2","aws"],"categorie":"ctf","thumbnail":"/assets/alex-machado-80sv993luki-unsplash.jpg"},"fields":{"readingTime":{"text":"3 min read"}}},"file":{"childImageSharp":{"fluid":{"base64":"data:image/jpeg;base64,/9j/2wBDABALDA4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVGC8aGi9jQjhCY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2P/wgARCAANABQDASIAAhEBAxEB/8QAFwAAAwEAAAAAAAAAAAAAAAAAAAMEBf/EABUBAQEAAAAAAAAAAAAAAAAAAAED/9oADAMBAAIQAxAAAAGFz11jKaIn/8QAGhAAAgMBAQAAAAAAAAAAAAAAAAECERMSMf/aAAgBAQABBQLm3gxwaJTxe1i8/8QAGBEAAgMAAAAAAAAAAAAAAAAAAAECElH/2gAIAQMBAT8BUdKn/8QAFhEBAQEAAAAAAAAAAAAAAAAAABEB/9oACAECAQE/Abqv/8QAGhAAAQUBAAAAAAAAAAAAAAAAAQACEBESIv/aAAgBAQAGPwJckOjObVBtR//EABwQAQACAgMBAAAAAAAAAAAAAAEAETFBIWFxkf/aAAgBAQABPyEVB9ih2jUSxfkFQDkWX4Ju5grU/9oADAMBAAIAAwAAABDjD//EABYRAQEBAAAAAAAAAAAAAAAAAAEAIf/aAAgBAwEBPxAA1M//xAAWEQEBAQAAAAAAAAAAAAAAAAABIRD/2gAIAQIBAT8QWYTP/8QAGhABAQEAAwEAAAAAAAAAAAAAAREAIUFxwf/aAAgBAQABPxAYkFlcFzRnCFCH3zCCggiKI5gk6hL1lpwEhs0zEABv/9k=","aspectRatio":1.4970059880239521,"src":"/static/11cdcb302d032fa2db3a46428a8f74c9/a7715/alex-machado-80sv993luki-unsplash.jpg","srcSet":"/static/11cdcb302d032fa2db3a46428a8f74c9/8f7df/alex-machado-80sv993luki-unsplash.jpg 250w,\n/static/11cdcb302d032fa2db3a46428a8f74c9/0f3a1/alex-machado-80sv993luki-unsplash.jpg 500w,\n/static/11cdcb302d032fa2db3a46428a8f74c9/a7715/alex-machado-80sv993luki-unsplash.jpg 1000w,\n/static/11cdcb302d032fa2db3a46428a8f74c9/37d86/alex-machado-80sv993luki-unsplash.jpg 1500w,\n/static/11cdcb302d032fa2db3a46428a8f74c9/a41d1/alex-machado-80sv993luki-unsplash.jpg 2000w,\n/static/11cdcb302d032fa2db3a46428a8f74c9/6a059/alex-machado-80sv993luki-unsplash.jpg 6000w","sizes":"(max-width: 1000px) 100vw, 1000px"}}}},"pageContext":{"slug":"ctf/aws-formation/tp8-advanced-iam","featuredImage":"alex-machado-80sv993luki-unsplash.jpg"}}}