1
00:00:00,230 --> 00:00:01,780
So let's talk about STS,

2
00:00:01,780 --> 00:00:03,770
which is a Security Token Service.

3
00:00:03,770 --> 00:00:06,340
So STS allows you to get temporary

4
00:00:06,340 --> 00:00:08,820
security credentials up to one hour to

5
00:00:08,820 --> 00:00:11,160
access those resources directly.

6
00:00:11,160 --> 00:00:12,960
And so there's a bunch of APIs you need

7
00:00:12,960 --> 00:00:15,520
to know at a high level going into the exam.

8
00:00:15,520 --> 00:00:17,260
So the first one is AssumeRole,

9
00:00:17,260 --> 00:00:18,650
to assume roles within your accounts

10
00:00:18,650 --> 00:00:21,470
or cross accounts, which is fundamental.

11
00:00:21,470 --> 00:00:23,590
AssumeRoleWithSAML in case your users are

12
00:00:23,590 --> 00:00:24,910
logged in with SAML, this is allowing

13
00:00:24,910 --> 00:00:26,810
us to get them, allowing them to

14
00:00:26,810 --> 00:00:28,939
get temporary credentials.

15
00:00:28,939 --> 00:00:31,990
AssumeRoleWithWebIdentity to return roles

16
00:00:31,990 --> 00:00:33,610
for users if they're logged in with

17
00:00:33,610 --> 00:00:34,443
an identity provider.

18
00:00:34,443 --> 00:00:36,300
So Facebook Login, Google Login, or

19
00:00:36,300 --> 00:00:38,880
OIDC compatible. But we don't use this

20
00:00:38,880 --> 00:00:40,460
really anymore. Now we use

21
00:00:40,460 --> 00:00:42,510
Cognito Identity Pools instead,

22
00:00:42,510 --> 00:00:44,750
instead of AssumeRoleWithWebIdentity.

23
00:00:44,750 --> 00:00:46,970
Then we have GetSessionToken, and we will

24
00:00:46,970 --> 00:00:49,020
see this very in-depth, so this is

25
00:00:49,020 --> 00:00:52,570
when you have MFA for a user or AWS root account.

26
00:00:52,570 --> 00:00:54,640
Then GetFederationToken to get

27
00:00:54,640 --> 00:00:56,830
temporary credentials for a federated user.

28
00:00:56,830 --> 00:01:00,030
GetCallerIdentity, which returns details

29
00:01:00,030 --> 00:01:03,160
about the IAM user or role used in the API call.

30
00:01:03,160 --> 00:01:04,900
So if you don't know who you are

31
00:01:04,900 --> 00:01:07,116
while using AWS, just call the STS

32
00:01:07,116 --> 00:01:09,180
GetCallerIdentity and you'll get information

33
00:01:09,180 --> 00:01:11,760
about who you are and what's your account number.

34
00:01:11,760 --> 00:01:13,040
And then we've seen that one as

35
00:01:13,040 --> 00:01:13,960
well in the beginning.

36
00:01:13,960 --> 00:01:17,170
DecodeAuthorizationMessage to decode an error

37
00:01:17,170 --> 00:01:20,370
message when an AWS API call is denied.

38
00:01:20,370 --> 00:01:21,840
So the most important ones going

39
00:01:21,840 --> 00:01:23,610
into the exam are going to be AssumeRole,

40
00:01:23,610 --> 00:01:27,022
GetSessionToken, GetCallerIdentity and

41
00:01:27,022 --> 00:01:29,260
DecodeAuthorizationMessage.

42
00:01:29,260 --> 00:01:31,890
So STS can assume, can be used to assume a role,

43
00:01:31,890 --> 00:01:33,450
so let's see how that works.

44
00:01:33,450 --> 00:01:36,760
So first we define an IAM role in our account

45
00:01:36,760 --> 00:01:38,880
if we want to AssumeRole within our account,

46
00:01:38,880 --> 00:01:40,450
or in another account if you want to do

47
00:01:40,450 --> 00:01:41,960
cross-account.

48
00:01:41,960 --> 00:01:45,280
Then you define which principals can access

49
00:01:45,280 --> 00:01:47,720
this IAM role, and we authorize everything

50
00:01:47,720 --> 00:01:48,890
with IAM policies.

51
00:01:48,890 --> 00:01:52,180
And then we would use the STS API to do

52
00:01:52,180 --> 00:01:54,624
the AssumeRole API call to impersonate

53
00:01:54,624 --> 00:01:57,440
the IAM role we have access to.

54
00:01:57,440 --> 00:01:59,580
Then the credentials are valid between 15 minutes

55
00:01:59,580 --> 00:02:00,810
and up to one hour.

56
00:02:00,810 --> 00:02:03,700
So in the diagram, our user wants to access

57
00:02:03,700 --> 00:02:06,330
a role within the same or another account.

58
00:02:06,330 --> 00:02:07,690
And to do so, it's going to do the AssumeRole

59
00:02:07,690 --> 00:02:09:200
API call onto STS.

60
00:02:09,200 --> 00:02:13,020
STS will check whether the permissions are correct or not,

61
00:02:13,020 --> 00:02:14,190
and then will return to us the

62
00:02:14,190 --> 00:02:15,780
temporary security credentials,

63
00:02:15,780 --> 00:02:19,050
which would allow us to act as if we were the role.

64
00:02:19,050 --> 00:02:20,700
Then for cross-account access,

65
00:02:20,700 --> 00:02:22,020
this is pretty similar:

66
00:02:22,020 --> 00:02:24,490
we would create the role in another account.

67
00:02:24,490 --> 00:02:26,920
Then we would write the correct permissions

68
00:02:26,920 --> 00:02:29,640
into our own account and the target account,

69
00:02:29,640 --> 00:02:33,250
and finally run the AssumeRole API to access

70
00:02:33,250 --> 00:02:34,120
the target account.

71
00:02:34,120 --> 00:02:36,160
And for example, if the role allowed us to access

72
00:02:36,160 --> 00:02:38,290
an S3 bucket, then we can access that

73
00:02:38,290 --> 00:02:39,890
S3 bucket from our account, great.

74
00:02:39,890 --> 00:02:43,040
Finally, for STS with MFA, so this is

75
00:02:43,040 --> 00:02:45,420
very important to understand, going into

76
00:02:45,420 --> 00:02:47,330
the Certified Developer exam.

77
00:02:47,330 --> 00:02:51,200
So for this, you use the GetSessionToken API

78
00:02:51,200 --> 00:02:53,640
from STS to get a session token,

79
00:02:53,640 --> 00:02:55,280
once you're logged in with an API with an

80
00:02:55,280 --> 00:02:58,270
MFA device, and we've seen this in the CLS section.

81
00:02:58,270 --> 00:03:00,390
Then we need the IAM policy with the

82
00:03:00,390 --> 00:03:02,170
proper IAM conditions.

83
00:03:02,170 --> 00:03:03,970
And then in the IAM policy, you need to

84
00:03:03,970 --> 00:03:07,510
add this aws:MultiFactorAuthPresent:true,

85
00:03:07,510 --> 00:03:10,030
which is very explicit, and this looks like this.

86
00:03:10,030 --> 00:03:12,460
For example, this role only allows us to

87
00:03:12,460 --> 00:03:16,140
stop instances or terminate instances only if

88
00:03:16,140 --> 00:03:19,860
we have MFA on, so MultiFactorAuthPresent:true.

89
00:03:19,860 --> 00:03:21,370
And this is how we would use it.

90
00:03:21,370 --> 00:03:23,990
So GetSessionToken is the API to use,

91
00:03:23,990 --> 00:03:24,823
and why is it?

92
00:03:24,823 --> 00:03:26,800
Well, because it returns an Access ID,

93
00:03:26,800 --> 00:03:29,260
a secret key, but also a session token

94
00:03:29,260 --> 00:03:30,093
that we have to include.

95
00:03:30,093 --> 00:03:32,370
So three things to do our API call,

96
00:03:32,370 --> 00:03:34,420
and the last one, GetSessionToken returns

97
00:03:34,420 --> 00:03:35,955
the expiry date of our credentials,

98
00:03:35,955 --> 00:03:38,360
so we know when to renew them.

99
00:03:38,360 --> 00:03:40,900
Okay, so that's it for STS, I hope you liked it

100
00:03:40,900 --> 00:03:42,850
and I will see you in the next lecture!
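Added example, not part of the lecture and not AWS code: a small, self-contained Python model of how the lecture's "stop or terminate instances only with MFA" policy is evaluated against the three credential situations a caller can be in (long-term access keys, a GetSessionToken session obtained without MFA, and a GetSessionToken session obtained with an MFA code), plus the expiry check the lecture mentions. The policy document follows the lecture; the request contexts are constructed, and the evaluator implements only the `Bool` and `BoolIfExists` operators of IAM condition logic as documented by AWS, which is enough to show why the MFA condition denies plain access keys (the context key is absent) as well as a non-MFA session (the key is present and `false`). Function names are the example's own.

```python
"""Toy evaluator for the MFA condition described in the lecture (added example).

This re-implements a small subset of IAM policy evaluation: action matching,
the Bool / BoolIfExists condition operators, default deny and explicit deny.
It is an illustration, not AWS's evaluation engine.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Policy from the lecture: EC2 stop/terminate allowed only when MFA is present.
MFA_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}

# Constructed request contexts. AWS only populates aws:MultiFactorAuthPresent
# for temporary credentials; for long-term access keys the key is absent.
CONTEXT_LONG_TERM_KEYS = {}                                         # plain IAM user keys
CONTEXT_SESSION_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}   # GetSessionToken, no MFA
CONTEXT_SESSION_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}  # GetSessionToken + MFA code

# Constructed timestamps standing in for the Expiration field GetSessionToken returns.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EXPIRATION = SAMPLE_NOW + timedelta(hours=1)


def _as_list(value):
    """IAM allows a single string or a list for Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists condition blocks against a request context.

    Bool: a missing context key never matches, which is exactly why the
    lecture's policy denies long-term access keys.
    BoolIfExists: a missing key counts as a match, so it is the weaker form.
    """
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policy, action, context):
    """Default deny; an explicit Deny always wins; otherwise any matching Allow wins."""
    decision = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if not any(fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def needs_renewal(expiration, now, margin=timedelta(minutes=5)):
    """True when the session credentials expire within `margin` of `now`."""
    return expiration - now <= margin


if __name__ == "__main__":
    for label, ctx in [("long-term keys", CONTEXT_LONG_TERM_KEYS),
                       ("session without MFA", CONTEXT_SESSION_NO_MFA),
                       ("session with MFA", CONTEXT_SESSION_WITH_MFA)]:
        ok = is_allowed(MFA_ONLY_POLICY, "ec2:StopInstances", ctx)
        print(f"{label:22s} ec2:StopInstances -> {'ALLOW' if ok else 'DENY'}")
    print("renew now?", needs_renewal(SAMPLE_EXPIRATION, SAMPLE_NOW))
```

Running the block prints DENY for long-term keys and for a session obtained without MFA, and ALLOW only for the session obtained with MFA; the same policy with `BoolIfExists` instead of `Bool` would also allow the long-term keys, which is the usual mistake to watch for when reviewing MFA-gating policies.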