AWS → IAM part 3

Aakib
2 min read, Feb 24, 2023


Message → First read the 1st and 2nd parts of AWS IAM.

Goal → Here we discuss what IAM Identity Federation in AWS is.

Now let’s talk about how to create managed policies for IAM →

  1. JSON → you can write your own policy document in JSON syntax.
  2. Import → you can import a ready-to-go policy from another location.
  3. Visual editor → you can create a new policy from scratch in the visual editor.

What is identity federation →

  1. If your account has users who already have Facebook, Gmail etc. accounts, you build a trust relationship with Facebook and Gmail so that a user who has an account with them can use that account for authentication.
  (Image: identity federation using Facebook and Amazon)
  2. But first, the ID and password of those Facebook or Gmail users have to be provided to AWS.
  3. After this, that user is able to work in the AWS Management Console.

Federation is particularly useful in these cases →

  1. Your users already have identities in a corporate directory.
  a. If your corporate directory is compatible with Security Assertion Markup Language (SAML) 2.0, you can use identity federation directly.
  b. If you do not have SAML 2.0, another agent can provide this service using their SAML support.
  c. You can configure your corporate directory to provide single sign-on (SSO) access to the AWS Management Console for your users.

  2. Your corporate directory is not compatible with SAML 2.0.
  a. You can create an identity broker application to provide single sign-on (SSO) access to the AWS Management Console for your users.
  b. If your corporate directory is Microsoft Active Directory, you can use AWS Directory Service to establish trust between your corporate directory and your AWS account.

  3. Your users already have internet identities →
  a. If you are creating a mobile app or web-based app that lets users identify themselves through an internet identity provider such as Login with Amazon, Facebook, Google or any OpenID Connect (OIDC) compatible identity provider, the app can use web identity federation to access AWS.
  b. AWS recommends using Amazon Cognito for identity federation.
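The SAML (case 1) and web identity (case 3) federation described above both end in a role trust policy on the AWS side. As an added example that is not part of the original post, the Python below builds the two trust policies and runs a small check that flags any federated statement missing its audience condition; the account id, provider name and identity pool id are constructed placeholders.

```python
# Fixed audience value AWS expects in a SAML assertion used for console sign-in.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
# Audience key each federation action should pin, so a token issued for another relying party cannot assume this role.
REQUIRED_AUDIENCE_KEY = {
    "sts:AssumeRoleWithSAML": "SAML:aud",
    "sts:AssumeRoleWithWebIdentity": "cognito-identity.amazonaws.com:aud",
}

def saml_trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy letting a SAML 2.0 corporate IdP federate users into a role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }

def cognito_trust_policy(identity_pool_id: str) -> dict:
    """Trust policy for web identity federation through an Amazon Cognito identity pool."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                # Only identities that signed in through a provider, not unauthenticated guests.
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }],
    }

def trust_policy_findings(policy: dict) -> list:
    """List Allow statements that federate a principal without pinning the audience."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) or "Federated" not in principal:
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # Gather condition keys under every operator (StringEquals, StringLike, ...).
        cond_keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        for action in actions:
            key = REQUIRED_AUDIENCE_KEY.get(action)
            if key and key not in cond_keys:
                findings.append(f"statement {i}: {action} allowed without {key} condition")
    return findings
```

Without the audience condition, any assertion or token the same identity provider issues for a different application would be accepted by the role, which is why the check treats a missing `aud` as a finding.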

IAM users and SSO →

  1. IAM users in your account have access only to the AWS resources that you specify in the policy attached to the user, or to an IAM group that the user belongs to.
  2. To work in the console, a user must have permission to perform the actions that the console performs, such as listing and creating AWS resources.


Aakib

Cloud computing and DevOps Engineer. As a fresher, I am learning and gaining experience by doing some hands-on projects on DevOps and in AWS or GCP.