
AWS Certified Security - Specialty (SCS-C03) Cram Sheet: Authentication Strategies (Task 4.1)

Design, implement, and troubleshoot authentication strategies


This document focuses on Domain 4.1: Design, implement, and troubleshoot authentication strategies. Authentication is the process of verifying identity (Who are you?) before authorization (What can you do?) occurs.

Topic Weighting

| Domain | Weighting | Task Focus |
|---|---|---|
| Domain 4: Identity and Access Management | 20% | Task 4.1: Authentication (~10% of total exam) |

Important: Expect a high concentration of questions on IAM Identity Center, Amazon Cognito, and AWS STS (Temporary Credentials).

Key Concepts Summary

1. Identity Providers (IdP) & Federation

  • IAM Identity Center (formerly AWS Single Sign-On): The recommended service for centralizing workforce authentication across multiple AWS accounts and SAML-based cloud apps.
  • SAML 2.0 vs. OIDC: Use SAML for enterprise workforce identity (Active Directory, Okta). Use OIDC for web/mobile apps (Google, Facebook, Amazon).
  • Identity Pools vs. User Pools (Cognito):
    • User Pools: Authentication (Sign-up/Sign-in, JWT tokens).
    • Identity Pools: Authorization (Exchange tokens for AWS temporary credentials).

2. AWS Security Token Service (STS)

  • AssumeRole: Returns temporary credentials (Access Key, Secret Key, Session Token) for a specific role.
  • GetSessionToken: Returns temporary credentials for an IAM user; used to satisfy MFA-protected API calls.
  • AssumeRoleWithWebIdentity: Used for mobile/web apps authenticating via OIDC/Cognito.

3. Multi-Factor Authentication (MFA)

  • Must be enforced for the Root User.
  • Can be implemented via hardware TOTP, virtual apps (Google Authenticator), or FIDO security keys.

4. Visualizing Authentication Flows

(Diagram: authentication flows)

Common Pitfalls

  • Long-Term Credentials: Avoid IAM User Access Keys in code. Always prefer IAM Roles for EC2 and Lambda.
  • Root User Usage: Never use the Root user for daily tasks. Only use it for changing support plans, closing accounts, or changing the root password.
  • Presigned URLs: Forgetting that a presigned URL is limited by the permissions of the principal that created it. If the creator loses access, the URL fails; a URL signed with temporary (STS) credentials also stops working once that session expires, even if the URL's own expiry is later.
  • Cognito Misconfig: Confusing User Pools with Identity Pools. Remember: User Pool = Directory of users; Identity Pool = AWS Credential dispenser.

Mnemonics / Memory Triggers

  • C-U-P (Cognito User Pool): Collection of Users and Passwords.
  • S-T-S (Security Token Service): Short Term Secrets.
  • A-A-A: Authentication (Who?), Authorization (What?), Accounting (What did they do?).

Formula / Equation Sheet

Key STS API Operations

| Operation | Primary Use Case | Identity Source |
|---|---|---|
| AssumeRole | Cross-account access / Service roles | IAM Principal |
| AssumeRoleWithSAML | Enterprise Federation | SAML IdP (Active Directory) |
| AssumeRoleWithWebIdentity | Mobile/Web App Federation | OIDC / Cognito |
| GetFederationToken | Custom proxy applications | IAM User |

Principal Comparison

(Diagram: three principal types, each linked to the other two.)

  • Human User: authenticates via Federation
  • IAM Role: receives STS Tokens
  • Application: authenticates via SDK/CLI

Practice Set

  1. Scenario: A company wants to use their on-premises Active Directory to allow employees to log into the AWS Management Console. Which service should they use?
    • Answer: AWS IAM Identity Center (or IAM SAML Federation).
  2. Scenario: A mobile application needs to upload photos to an S3 bucket. Users sign in via Facebook. How do they get AWS credentials?
    • Answer: Authenticate with Facebook (OIDC), exchange token via Cognito Identity Pools for temporary credentials.
  3. Scenario: An administrator needs to perform a one-time emergency change using the Root account. What is the first security step?
    • Answer: Ensure MFA is enabled and used for the login.
  4. Scenario: You notice an unauthorized entity is using a compromised Access Key. How do you revoke this access immediately?
    • Answer: Delete/Deactivate the Access Key in IAM and, if using a role, attach a policy to deny all or use the "Revoke Sessions" feature.
  5. Scenario: A developer is getting a 403 Access Denied error when trying to use a presigned S3 URL. What is the most likely cause?
    • Answer: The IAM Principal that generated the URL no longer has s3:GetObject permissions or the URL has expired.

Worked Examples

Step-by-Step: Cross-Account Authentication using STS

Goal: User in Account A needs to access a DynamoDB table in Account B.

  1. Account B (Resource Account): Create an IAM Role with a Trust Policy allowing Account A's ID to assume it.
    • Example Trust Policy Principal: "AWS": "arn:aws:iam::AccountA_ID:root".
  2. Account A (Identity Account): Grant the User permission to call sts:AssumeRole on the ARN of the role in Account B.
  3. Authentication Action: The User calls aws sts assume-role --role-arn <Account_B_Role_ARN> --role-session-name "CramSession".
  4. Result: STS returns AccessKeyId, SecretAccessKey, and SessionToken. The user configures their CLI with these temporary values to interact with DynamoDB.
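The four steps above, as an added Python example that is not part of the original sheet: it builds the Account B trust policy and the Account A sts:AssumeRole permission, wraps the STS call (boto3, imported lazily so the rest runs offline), and turns the returned Credentials into an AWS CLI profile while rejecting a session that has already expired. The account IDs, role name and credential values are constructed placeholders.

```python
import re
from datetime import datetime, timezone
# Constructed placeholder identifiers, not real AWS accounts.
ACCOUNT_A_ID = "111111111111"
ACCOUNT_B_ROLE_ARN = "arn:aws:iam::222222222222:role/CrossAccountDynamoDBRole"
# STS accepts a RoleSessionName of 2-64 characters drawn from [\w+=,.@-].
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")
# Constructed sample of the Credentials element STS returns (fake values).
SAMPLE_CREDS = {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "fakeSecret",
                "SessionToken": "fakeToken", "Expiration": "2099-01-01T00:00:00Z"}

def trust_policy(trusting_account_id: str) -> dict:
    """Step 1 (Account B): role trust policy. The :root principal admits any
    Account A principal that also holds sts:AssumeRole; a user/role ARN is tighter."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusting_account_id}:root"},
        "Action": "sts:AssumeRole"}]}

def assume_role_permission(role_arn: str) -> dict:
    """Step 2 (Account A): identity policy on the user, scoped to the single
    role in Account B rather than Resource "*"."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}

def assume_role(role_arn: str, session_name: str) -> dict:
    """Step 3: the STS call (needs boto3 and Account A credentials)."""
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError("invalid RoleSessionName")
    import boto3  # imported lazily so the policy helpers run offline
    sts = boto3.client("sts")
    return sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]

def is_expired(creds: dict) -> bool:
    """True once the session token is past its Expiration (boto3 returns a
    datetime; raw JSON carries an ISO-8601 string)."""
    exp = creds["Expiration"]
    if isinstance(exp, str):
        exp = datetime.fromisoformat(exp.replace("Z", "+00:00"))
    return exp <= datetime.now(timezone.utc)

def cli_profile(creds: dict, profile: str = "account-b") -> str:
    """Step 4: render the temporary credentials as an AWS CLI profile block,
    refusing a session that has already expired."""
    if is_expired(creds):
        raise ValueError("temporary credentials have expired")
    return (f"[{profile}]\naws_access_key_id = {creds['AccessKeyId']}\n"
            f"aws_secret_access_key = {creds['SecretAccessKey']}\n"
            f"aws_session_token = {creds['SessionToken']}\n")
```

The profile text is what you would append to ~/.aws/credentials before running DynamoDB commands with --profile account-b.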

Fact Recall Blanks

  1. The __________ is the only principal that cannot have its permissions restricted by IAM policies (though SCPs can restrict the account).
  2. To investigate who authenticated and from which IP address, you should check __________ logs.
  3. Cognito __________ Pools are used for the actual sign-in/sign-up process.
  4. __________ credentials should always be used for EC2 instances instead of hardcoded keys.
  5. A SAML assertion is exchanged for temporary credentials via the __________ API.

Answers
  1. Root User
  2. AWS CloudTrail
  3. User
  4. Temporary (IAM Role)
  5. AssumeRoleWithSAML
