is there a way to disable programmatic access for users Signing in using AWS SSO?
Is it possible to control the programmatic and console access using polices or Groups?
No, you cannot prevent users to login and deny the programmatic access, because once users sign-in they have option to get required details to access programmatically.
The permissions a user has through SSO can still be managed through AWS IAM (Identity and Access Management) groups and rols. The same permissions a user has through IAM in the AWS console can be used by the user when accessing AWS programatically throught the CLI or an SDK.
No permissions are required for a user to get a session token. The purpose of the GetSessionToken operation is to authenticate the user using MFA. You cannot use policies to control authentication operations.
Source
Therefore, I don't think that you can prevent a user from using access keys to get temporary session tokes for programmatic access.
Why do you want to prevent programmatic access for users and am I right assuming that you mean CLI and SDK access to AWS by programmatic access?
Yes, you can, but exactly how will be buried in the implementation details of your organization's SSO implementation. Your SSO's custom identity broker is in charge of mapping a particular user's AD credentials to an AWS IAM role, which may or may not have permissions to login to the CLI. Exactly which role a user gets needs to be controllable in the broker. Another way is to control access to the AWS access keys needed to use the CLI or SDKs. Your SSO users shouldn't have permission to generate their own keys. They should come from IT or should be a configurable feature of your SSO implementation. For example, in my organization, there are 2 links in the AWS portal; one for console access and one to display temporary access keys that can be copied into the bash environment or used with an SDK.
At my employer, we have an AWS account that uses SAML 2.0 to federate in your user access from the company SSO login to the AWS console. The net effect is that everyone has admin access. Is there a way to place federated users into different IAM groups, thereby giving least privilege access?
The answer we came up with is that all federated users would have very limited access to the console with no programmatic access. Then, create separate IAM users for everyone for programmatic access (no console login) and to place these separate users into IAM groups with varying access. Would this method be considered best practice or is there a better way to accomplish what we would like to do in this case?
The best practices is to use groups to set permissions (policies) for each class of user.
Grant users SSO access to AWS accounts in your organization by
selecting the AWS accounts from a list populated by AWS SSO, and then
selecting users or groups from your directory and the permissions you
want to grant them.
AWS Single Sign-On
Your SSO SAML 2.0 provider should be able to pass role information to AWS at sign-in. You can then have corresponding IAM roles setup in AWS.
We use Azure AD for SSO and set it up using this example: https://blog.flux7.com/aws-best-practice-azure-ad-saml-authentication-configuration-for-aws-console
Basically you create Azure AD Security Groups and map them to IAM roles.
What is the difference between an IAM role and an IAM user? The IAM FAQ has an entry explaining it, but it was vague and not very clear:
An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.
I think an IAM role is used for federated logins (using an IdP with SAML tokens for example), and they don't have permanent access keys that you can download like regular IAM users have (the "an IAM role doesn't have any credentials" part).
What do they mean when they say an IAM role can't make direct requests to AWS services? I can login to AWS Console (the web console) and create stacks etc, so it can't be that.
To understand the difference, let us go through IAM basic knowledge
IAM controls: Who (authentication) can do What (authorization) in your AWS account.
Authentication(who) with IAM is done with users/groups and roles whereas authorization(what) is done by policies.
Here the term
User - End user think about people
Groups- a set of users under one set of permission(policies)
Roles - are used to grant specific permission to specific actors for a set of duration of time. These actors can be authenticated by AWS or some trusted external system.
User and roles use policies for authorization. Keep in mind that user and role can't do anything until you allow certain actions with a policy.
Answer the following questions and you will differentiate between a user and a role:
Can have a password? Yes-> user, No-> role
Can have an access key? Yes-> user, No-> role
Can belong to a group? Yes-> user, No -> role
Can be associated with AWS resources (for example EC2 instances)? No-> user, Yes->role
AWS supports 3 Role Types for different scenarios
AWS service roles (for example: EC2, Lambda, Redshift,...)
Cross-Account Access: granting permissions to users from other AWS account, whether you control those account or not.
Identity Provider Access: granting permissions to users authenticated by a trusted external system. AWS supports two kinds of identity federation:
- Web-based identity such as Facebook, Goolge- IAM support ingeration via OpenID Connect
- SAML 2.0 identity such as Active Directory, LDAP.
To understand what role is, you need to read its use case, I don't want to reinvent the wheel so please read the following AWS documents:
https://aws.amazon.com/blogs/security/how-to-use-a-single-iam-user-to-easily-access-all-your-accounts-by-using-the-aws-cli/
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
Hope it helps.
Main actors in IAM are users, groups, roles and policies. And what you need to understand about AWS and never forget is that
Everything in AWS is an API
And to execute any API or any of its methods, first we have to authenticate and then authorize that particular user/group/role.
Ex: An operator wants to put an object to a S3 bucket. This process happens through a set of API calls within AWS. Basically we call the S3 API and a method of it to put the object into the particular bucket (say method put_object_in_s3). For that we may want to provide the name of the bucket, the object, and most importantly we need to provide set of credentials (username with password or secret key or etc) in order to tell the AWS API Engine who this user/group/role is.
The first thing API Engine does is, look at those credentials sent with the API. Then it validate those (whether they are correct, active) credentials indicating that this request is coming from a actual valid user, group or role. Then what the API Engine does is (as it now knows who sent this API request) it takes the policy documents associated with the particular operator (user or role) and evaluate them as a single view. That is we check whether the action called in the API is authorized for that operator.
IAM user - In the context of IAM, a user is a “permanent” named operator (human or machine). What’s important to note is that it’s credentials (credentials maybe username password or access key or a secret key) are permanent and stays with that named user. So by that AWS knows that what are the authentication methods (username password authentication method or secret key method or etc) for this user (as its permanent and stays with the user).
IAM group - As in the above image, a group is a collection of users. And note that a user can be in many groups as well.
IAM roles - Roles are not Permissions !!!. A role is also an authentication method just as IAM users and groups. As a user, a role is also a operator (could be a human, could be a machine). Difference is that credentials with roles are temporary.
Policy Documents - As stated earlier, roles are not Permissions. Permissions in AWS are completely handled by objects called Policy Documents. Policy Documents are JSON documents. Policy Documents can directly be attached to Users, Groups or Roles. When a policy document gets attached to any of above operator, then only they get permissions do stuff.
A policy document lists things like: Specific API or wildcard group of APIs that gets whitelisted against which resources, and Conditions for those API executions (like allow only if this user, group or role in the home network or allow from any location, allow only at certain times of day and etc)
Last but not least, Authentication in AWS is done via (IAM users,
groups and roles) whereas Authorization is done by Policies.
What do they mean when they say an IAM role can't make direct requests to AWS services? I can login to AWS Console (the web console) and create stacks etc, so it can't be that.
You are an IAM User (with some attached IAM Roles).
Think of IAM Roles as capabilities.
You give an IAM User capabilities (e.g. "can create Lambda function", "can upload to S3").
Note on Federated Users:
From http://docs.aws.amazon.com/IAM/latest/UserGuide/id.html:
A role can be assigned to a federated user who signs in by using an external identity provider instead of IAM. AWS uses details passed by the identity provider to determine which role is mapped to the federated user.
So, a federated user is similar to an IAM user which you can attach IAM Roles to. Except that you have an external identity provider.
Technically, you are NOT using a role as your identity when you login to AWS console. You are using your federated user account (with its own attached roles) as your identity.
An IAM user is an account which can be used by a person or an application. A user has credentials to log in and perform actions with the privileges assigned to that account.
An IAM role is something virtual that a resource can assume. For example, an EC2 instance can assume a role and execute AWS command with that assigned privileges. The same goes for other services like API gateway, Lambda, Kinesis, RDS and so on.
What do they mean when they say an IAM role can't make direct requests to AWS services?
The role itself is not able to perform any tasks since it has to be assumed by somebody or something. Somebody can also be someone logged in through identity federation and then assume a role.
I am practically new to AWS but I have implemented similar concepts in backend applications. Therefore, I would make an attempt to simplify this more from a newbie perspective.
IAM User - This is an actual account registered into the AWS IAM platform. This means that this is a person/application that is an actual entity. Note that this entity can do nothing, just an existence. Like when I signup for an application, my user entity is created and I can log in with provided credentials and have a profile.
IAM Group - This is a collection of specific users. Although this can also give identity, the focus is on the specific individuals that make the group. For example, how we group employees into departments in organizations based on their specific specialities and skillsets.
IAM Policies - This part seems easiest to understand. This is a specific rule/permission/access to a resource spelt out in clear dos and don'ts in a JSON format. Each policy is about a particular resource. A resource can be anything from an EBS volume, a Lamda Function, or even IAM itself.
IAM Role - This is like a title with specific responsibilities, i.e. a group of policies(permissions/access) that anyone with this title will have. For example, if we have a title of "Note-Taker", anyone from different departments can be assigned this title temporarily for a meeting, a period etc. And only those with this permission will be able to access the note-taking app. However, we can have some roles that will fit well with a group, e.g. all members of the accounting department can have the title of an accountant, which gives access to the books of account. But we can have another title of director, which has access to delete books of account, and this will cut across all departments.
Federated Users - These are entities also, but with no profile in the company(IAM). They are like contractors who can be assigned certain roles or titles through an acquired trust from the Federating platform as well as the access due to those titles. The good thing is that if the Federating platforms replace a user, there would be no reason to deactivate the old user and give access to the new one because the platform is the one with the access and not the "user".
IAM User - An user/application accessing AWS Resources
IAM Roles - Set of permissions/policy that can be applicable to an user or resource.
You can apply Roles to IAM user and to an AWS Resource too.
E.g., Apply IAM Role to Lambda Function. Function can only with that IAM Role.
IAM role is an entity which has specific access defined by the policy. And that access is. It doe snot have the permanent creds (Access keys and Secrets Access Keys)- it works on the "AssumeRole" method where token is granted for accessing the different AWs resources.
IAM User has the permanent access keys and secret access keys, we can define the permissions on the resources , IAM ROLE can be assumed by the IAM USER , as it has the keys - it can have access to the resources all the time...
IAM Policy (permissions- read,write etc.) apply to User,Group and Roles.
User- when a user want to access anything in AWS cloud, it must have IAM policy assigned.
Group - when a group of users is assigned with common IAM policy.
Roles - It needs when a service want to access another service. Service must be assigned with role that have policy assigned to perform certain actions in the AWS cloud. In other words, We can't directly assign policies on Service, first we need to create Role and then assign policy on that role.
Note: Roles are intended to be not used by physical people, instead use by AWS services only.
I've received a set of credentials (access key and secret) that were generated for me to access a different AWS account's resources, in this case specific S3 buckets.
Can I define an IAM role in my account, based on these keys?
I would like not to embed the credentials directly on the machines in my account that will access those resources.
Just to clarify, I know that access can be given directly from the other account to a role in my account. However given that I already have the set of keys, I would like to set up my own roles without needing to ask for an admin operation in the other account every time I make a change.
Thanks
No, you can't do this.
IAM roles are not "based on" other credentials. They are primary entities, identities independent of any user or credential set.
Consider the documented description of a role, with a couple of highlights to illustrate the gaps:
An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have any credentials (password or access keys) associated with it. Instead, if a user is assigned to a role, access keys are created dynamically and provided to the user. (emphasis added)
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
We're using Auth0 to give (federated) users access to Auth0 (we've followed these instructions for setup: https://auth0.com/docs/integrations/aws#sso-with-the-aws-dashboard)
In Auth0 we've setup a simple rule system where the federated user's group membership maps to one of two different IAM roles, which gives the user either full access or read-only access (or no access at all) in the aws console.
However, I'm struggling to see how I can provide federated users with the means to get an access key id/secret linked to their account. Our wishlist is:
The access key id/secret is unique per federated user, and as such is void if the federated user is deleted from the identity provider.
I could manually provision a IAM role per federated user and link each user to his/her "personal" IAM role, but I'd obviously prefer not to.
All in all I guess I'd like there to be a "linked" IAM user representing each federated account.
So I guess my question is: How do allow my federated users access to personal access key id's in aws?
Federated users require temporary access keys which you can grant with aws sts assume-role.