Add AWS IAM users to AWS Cognito Pool - amazon-web-services

I'm a newbie to AWS. I'm building an application where the users should be logged in via an AWS account.
So I created a user pool and authenticated via the AWS SDK using federated identities. But the users were created manually in the Cognito UI. The requirement is to authenticate users if they already reside in AWS as IAM users. But AWS Cognito does not provide a workflow to import IAM users into a Cognito pool. So is there another way to accomplish this via AWS? Thanks in advance.

This is currently not possible. Although AWS Cognito Federated Identities allows federating an external identity provider to grant AWS access, the other way around is not possible.
In addition, there is no method in the AWS IAM SDK to verify an AWS username and password, which also prevents you from verifying them in your own implementation.

Related

Is there any way to restrict IAM users/assumed roles from enabling unauthenticated identities in AWS Cognito?

As an admin, I want to stop my AWS users from enabling unauthenticated identities in AWS Cognito. Is there any way to restrict this action? Can this be achieved through a service control policy?
Basically, I don't want my AWS users to enable AWS resource access for any guest users.
I don't think you can do anything other than prevent them from creating Cognito resources entirely.
There is nothing in the Cognito Service Authorization Reference pages that indicates you can differentiate between authenticated and unauthenticated identities.

Create AWS IAM users based on e-mail domain

I am setting up an AWS Account, the account will be used by an organization of employees for EC2 use/experimentation. Obviously, I do not want to distribute the root login info or set up one single IAM user for everyone to use. Unfortunately, I do not have the time to manage creating individual IAM users for everyone on a regular basis.
So, is there a way to auto-create IAM users based on a given email's domain on their first login attempt? The users should have read-only roles to begin with, and then an administrator could grant more roles to each user as needed. I am open to suggestions, perhaps Lambda functions or linking to an identity provider?
Keep in mind that these new IAM users need to have access to the AWS Management Console, this is not necessarily intended for login to applications hosted on AWS.
Update:
Moving forward using the AWS Management Console Federation Proxy Sample found in Amazon's code reference, with Microsoft Exchange-hosted email.
If your existing identity provider supports SAML 2.0 federation, you can set it up to log in to the AWS Management Console.
For more details, refer to Enabling SAML 2.0 Federated Users to Access the AWS Management Console.
Otherwise, you can implement a custom federation broker that returns a URL to the user after they authenticate with their corporate credentials.
For more details, refer to Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker).
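The custom federation broker flow referenced in that answer has two URL-building steps that are easy to get wrong (the exact JSON keys the federation endpoint expects, and the fact that only temporary credentials are accepted). The following Python is an added example written for this page, not the AWS sample or the poster's code: it builds the getSigninToken request, decodes the response, and builds the final login URL. The broker hostname "https://broker.example.com" is a placeholder, and the script assumes you have already obtained temporary credentials (for example from `aws sts assume-role`) and exported them as the standard AWS_* environment variables.

```python
import json
import os
import sys
import urllib.parse
import urllib.request

# Endpoint used by the custom-federation-broker flow for console sign-in.
FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"


def session_json(access_key_id, secret_access_key, session_token):
    """Package temporary credentials in the exact JSON shape the endpoint expects.

    These must be temporary credentials (AssumeRole / GetFederationToken);
    long-term IAM user access keys are rejected by the federation endpoint.
    """
    return json.dumps({
        "sessionId": access_key_id,
        "sessionKey": secret_access_key,
        "sessionToken": session_token,
    })


def getsignintoken_url(access_key_id, secret_access_key, session_token,
                       session_duration=None):
    """Build the Action=getSigninToken request URL.

    session_duration, if given, is the console session length in seconds and
    must be within the documented 900..43200 range.
    """
    params = {
        "Action": "getSigninToken",
        "Session": session_json(access_key_id, secret_access_key, session_token),
    }
    if session_duration is not None:
        if not 900 <= session_duration <= 43200:
            raise ValueError("SessionDuration must be between 900 and 43200 seconds")
        params["SessionDuration"] = str(session_duration)
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def login_url(signin_token, issuer, destination=CONSOLE_URL):
    """Build the Action=login URL that is handed to the user's browser.

    issuer is your broker's URL (shown to the user when the session expires);
    destination is the console page to land on after sign-in.
    """
    params = {
        "Action": "login",
        "Issuer": issuer,
        "Destination": destination,
        "SigninToken": signin_token,
    }
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_federation_url(url):
    """Decode a federation URL back into its parameters (for checks and tests)."""
    split = urllib.parse.urlsplit(url)
    if f"{split.scheme}://{split.netloc}{split.path}" != FEDERATION_ENDPOINT:
        raise ValueError("not a federation endpoint URL")
    params = dict(urllib.parse.parse_qsl(split.query))
    if "Session" in params:
        params["Session"] = json.loads(params["Session"])
    return params


def fetch_signin_token(url):
    """Call the federation endpoint and return the SigninToken (needs network)."""
    with urllib.request.urlopen(url) as resp:
        return json.loads(resp.read().decode("utf-8"))["SigninToken"]


if __name__ == "__main__":
    # Usage: export the temporary credentials returned by `aws sts assume-role`
    # as AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN, then run.
    try:
        creds = (os.environ["AWS_ACCESS_KEY_ID"],
                 os.environ["AWS_SECRET_ACCESS_KEY"],
                 os.environ["AWS_SESSION_TOKEN"])
    except KeyError as missing:
        sys.exit(f"missing environment variable {missing}")
    token = fetch_signin_token(getsignintoken_url(*creds, session_duration=3600))
    # Placeholder issuer; in a real broker this is the broker's own login page.
    print(login_url(token, "https://broker.example.com"))
```

The login URL embeds a bearer-style SigninToken, so the broker should hand it over a TLS connection only, redirect the browser to it immediately, and never log the full URL.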

Is it possible to use federated identities in AWS Cognito for my web/mobile apps?

I know that user pools allow me to authenticate users to my apps, but what about federated identities? As far as I understand, they only grant access to AWS resources, not to the app. Or am I wrong?
Yes, Federated Identities only provide you with short-term AWS credentials to access AWS resources. If access to your app is based on AWS resources, then you can use Federated Identities; otherwise, User Pools are a better fit.

Can AWS CLI be used with a federated login?

I log in to AWS with my Active Directory account at my company. We are using federated login, as described here:
Federated Users and Roles
Federated users don't have permanent identities in your AWS account the way that IAM users do. To assign permissions to federated users, you can create an entity referred to as a role and define permissions for the role. When a federated user signs in to AWS, the user is associated with the role and is granted the permissions that are defined in the role. For more information, see Creating a Role for a Third-Party Identity Provider (Federation).
My company has a Security Token Service (STS) which is a SAML provider.
I can use that to log in to the AWS Management Console, but can I log in to the AWS CLI as well with my federated login?
saml2aws can be used with the AWS CLI for federated users.
Refer to https://github.com/Versent/saml2aws; this is based on the Python code from https://aws.amazon.com/de/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/
You can use the command below to log in to the default IdP AWS account; your organization will provide you with the IdP account name.
saml2aws --idp-account="default" --username=USERNAME --password=PASSWORD
To use the federated user for automation, you need to use exec:
saml2aws --idp-account="default" --username=USERNAME --password=PASSWORD exec command
Yes, it is possible, but it's not straightforward. There is a rather long post on the AWS Security Blog explaining how to use the CLI as a SAML-federated user: https://aws.amazon.com/de/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/
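What saml2aws and the blog post's script both do under the hood is: take the base64 SAMLResponse the IdP posts back, pull the role/provider ARN pairs out of the https://aws.amazon.com/SAML/Attributes/Role attribute, call sts:AssumeRoleWithSAML for the chosen pair, and write the returned temporary credentials into an ~/.aws/credentials profile. The Python below is an added example for this page (not saml2aws code and not the blog's script) that shows those steps with the two edge cases a practitioner hits: AD FS emitting the pair in either order, and merging the new profile into an existing credentials file without clobbering other profiles. The SAML response, account ID, role names and provider name are constructed placeholders; the script does not perform the IdP login itself and expects the base64 SAMLResponse on stdin.

```python
import base64
import configparser
import io
import json
import os
import subprocess
import sys
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample SAMLResponse (not real IdP output); account ID, role and
# provider names are placeholders. The two AttributeValues deliberately list the
# role/provider pair in opposite orders, as AD FS has been observed to do.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="{SAML_NS}">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTRIBUTE}">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Dev,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-Admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()


def parse_roles(saml_response_b64):
    """Return [(role_arn, principal_arn), ...] from a base64 SAMLResponse.

    The signature is not checked here: STS validates it when the assertion is
    presented, so a tampered assertion cannot yield credentials. Still, parse
    untrusted XML with defusedxml in production code.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != ROLE_ATTRIBUTE:
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                raise ValueError(f"malformed Role attribute value: {value.text!r}")
            # AD FS may emit "provider,role" or "role,provider"; pick by ARN type.
            if ":saml-provider/" in parts[0]:
                principal_arn, role_arn = parts
            else:
                role_arn, principal_arn = parts
            pairs.append((role_arn, principal_arn))
    return pairs


def assume_role_with_saml_argv(role_arn, principal_arn, saml_response_b64,
                               duration_seconds=3600):
    """AWS CLI command that exchanges the assertion for temporary credentials."""
    return ["aws", "sts", "assume-role-with-saml",
            "--role-arn", role_arn,
            "--principal-arn", principal_arn,
            "--saml-assertion", saml_response_b64,
            "--duration-seconds", str(duration_seconds)]


def render_credentials(sts_output, profile):
    """Render the assume-role-with-saml JSON as an ~/.aws/credentials section."""
    creds = sts_output["Credentials"]
    config = configparser.ConfigParser()
    config[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    buf = io.StringIO()
    config.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python saml_cli.py [ROLE_INDEX] < samlresponse.b64
    response = sys.stdin.read().strip()
    roles = parse_roles(response)
    if not roles:
        sys.exit("no AWS Role attribute found in the assertion")
    for i, (role, _) in enumerate(roles):
        print(f"[{i}] {role}", file=sys.stderr)
    role_arn, principal_arn = roles[int(sys.argv[1]) if len(sys.argv) > 1 else 0]
    proc = subprocess.run(assume_role_with_saml_argv(role_arn, principal_arn, response),
                          check=True, capture_output=True, text=True)
    path = os.path.expanduser("~/.aws/credentials")
    merged = configparser.ConfigParser()
    merged.read(path)  # keep any other profiles already in the file
    merged.read_string(render_credentials(json.loads(proc.stdout), "saml"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        merged.write(fh)
    os.chmod(path, 0o600)  # the file now holds live session credentials
    print(f"temporary credentials written to profile 'saml' in {path}", file=sys.stderr)
```

After it runs, `aws --profile saml sts get-caller-identity` should report the assumed role; the credentials expire after the requested duration, so automation has to re-run the exchange rather than cache the profile.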

Can I login as an IAM user from Cognito?

Is it possible to log in as an IAM user from Cognito? I am creating a tool that performs AWS management functions, and ideally I want users to log in as their IAM users. Is this possible?
The 2 alternatives I am considering are:
App will have its own IAM credentials and perform actions on behalf of app users. App will implement ACLs to determine who can do what (but this is reimplementing what IAM already does).
Users will log in via Cognito and inherit IAM roles, but it's still having 2 "IAM users" (1 Cognito + 1 IAM user) for 1 "real" user.
Of these 2, which is better, and is there a better way?
You can achieve your purpose with AWS Cognito using the newly introduced user groups feature, which allows you to assign different IAM roles to groups of users.
For the implementation, if you go with the AWS serverless stack you can use the API Gateway IAM authorizer and pass the role through to Lambda to execute code with the assumed role's permissions. Another approach is to have different API endpoints providing different privileges for AWS management access, where you authorize access through API Gateway using assumed-role IAM policies (Policy to authorize API Gateway resource access). Here you can assign a different IAM role for Lambda.