AWS Security Blog
Tag: AWS STS
SaaS tenant isolation with ABAC using AWS STS support for tags in JWT
As independent software vendors (ISVs) shift to a multi-tenant software-as-a-service (SaaS) model, they commonly adopt a shared infrastructure model to achieve cost and operational efficiency. The more ISVs move into a multi-tenant model, the more concern they may have about the potential for one tenant to access the resources of another tenant. SaaS systems include […]
How to access AWS resources from Microsoft Entra ID tenants using AWS Security Token Service
September 20, 2024: Updated with information on the v1.0 and v2.0 access tokens in the Microsoft identity platform and changes in the Audience value when v2.0 access tokens are used. Removed a note about obtaining access tokens from managed identities. Use of long-term access keys for authentication between cloud resources increases the risk of key […]
How to use regional SAML endpoints for failover
August 10, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here. Many Amazon Web Services (AWS) customers choose to use federation with SAML 2.0 in order to use their existing identity provider (IdP) and avoid […]
How to integrate AWS STS SourceIdentity with your identity provider
You can use third-party identity providers (IdPs) such as Okta, Ping, or OneLogin to federate with the AWS Identity and Access Management (IAM) service using SAML 2.0, allowing your workforce to configure services by providing authorization access to the AWS Management Console or Command Line Interface (CLI). When you federate to AWS, you assume a […]
How to relate IAM role activity to corporate identity
September 8, 2021: The post was updated to correct a typo about the CloudTrail log snippet. April 14, 2021: In the section “Use the SourceIdentity attribute with identity federation,” we updated “AWS SSO” to “sign-in endpoint” for clarity. AWS Security Token Service (AWS STS) now offers customers the ability to specify a unique identity attribute […]
Easily control the naming of individual IAM role sessions
AWS Identity and Access Management (IAM) now has a new sts:RoleSessionName condition element for the AWS Security Token Service (AWS STS), that makes it easy for AWS account administrators to control the naming of individual IAM role sessions. IAM roles help you grant access to AWS services and resources by using dynamically generated short-term credentials. […]
Create fine-grained session permissions using IAM managed policies
As a security best practice, AWS Identity and Access Management (IAM) recommends that you use temporary security credentials from AWS Security Token Service (STS) when you access your AWS resources. Temporary credentials are short-term credentials generated dynamically and provided to the user upon request. Today, one of the most widely used mechanisms for requesting temporary […]
SAML Identity Federation: Follow-Up Questions, Materials, Guides, and Templates from an AWS re:Invent 2016 Workshop (SEC306)
As part of the re:Source Mini Con for Security Services at AWS re:Invent 2016, we conducted a workshop focused on Security Assertion Markup Language (SAML) identity federation: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery. As part of this workshop, attendees were able to submit their own federation-focused questions to […]
AWS CloudTrail Now Tracks Cross-Account Activity to Its Origin
You can use AWS Identity and Access Management (IAM) roles and AWS Security Token Service (STS) to set up cross-account access between AWS accounts. When you assume an IAM role in another AWS account to obtain cross-account access to services and resources in that account, AWS CloudTrail logs the cross-account activity. Starting today, CloudTrail logs […]
Enable Your Federated Users to Work in the AWS Management Console for up to 12 Hours
AWS Identity and Access Management (IAM) supports identity federation, which enables external identities, such as users in your corporate directory, to sign in to the AWS Management Console via single sign-on (SSO). Now with a small configuration change, your AWS administrators can allow your federated users to work in the AWS Management Console for up […]