Lab: Designing and Troubleshooting AWS Authentication Strategies
Design, implement, and troubleshoot authentication strategies
This hands-on lab focuses on Task 4.1 of the AWS Certified Security - Specialty curriculum. You will design a secure authentication workflow using AWS IAM, Security Token Service (STS), and Amazon Cognito, followed by a troubleshooting exercise using AWS CloudTrail.
> [!WARNING]
> Remember to run the teardown commands at the end of this lab to avoid ongoing charges for Amazon Cognito or other provisioned resources.
Prerequisites
Before starting this lab, ensure you have:
- An AWS Account with Administrator access.
- AWS CLI installed and configured with a named profile or default credentials.
- A local terminal (Bash or Zsh preferred).
- Basic familiarity with JSON syntax for IAM policies.
Learning Objectives
By the end of this lab, you will be able to:
- Create and assume IAM Roles to generate temporary security credentials via STS.
- Configure an Amazon Cognito User Pool for application-level authentication.
- Identify and remediate authentication failures using AWS CloudTrail logs.
- Implement Multi-Factor Authentication (MFA) requirements within a policy.
Architecture Overview
This lab simulates a scenario where an application identity (via Cognito) and a system identity (via IAM Roles) must authenticate to access protected resources.
Step-by-Step Instructions
Step 1: Create an IAM Role for Cross-Account Simulation
We will create a role that allows a principal to access S3, simulating a "System Authentication" strategy using temporary credentials.
```bash
# 1. Create the trust policy
echo '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:root" },
      "Action": "sts:AssumeRole"
    }
  ]
}' > trust-policy.json

# 2. Create the role
aws iam create-role --role-name "LabAuthRole" --assume-role-policy-document file://trust-policy.json
```

Console alternative

- Navigate to IAM > Roles > Create role.
- Select AWS Account as the entity type.
- Choose This account and click Next.
- Skip permissions for now and name it LabAuthRole.
- Create the role.
Step 2: Implement MFA-Protected Authentication
Update the role to require MFA for authentication. This is a core security best practice mentioned in the SCS-C03 guide.
```bash
# Update the trust policy to include an MFA condition
echo '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
    }
  ]
}' > trust-policy-mfa.json

aws iam update-assume-role-policy --role-name "LabAuthRole" --policy-document file://trust-policy-mfa.json
```

Step 3: Request Temporary Credentials via STS
Now, attempt to assume the role. This will demonstrate the "issue temporary credentials" skill.
```bash
aws sts assume-role --role-arn "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/LabAuthRole" --role-session-name "LabSession"
```

> [!IMPORTANT]
> This command should FAIL with an AccessDenied error because you have not provided an MFA token in the CLI command. This leads us to the troubleshooting section.
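To see offline why the call in Step 3 is denied, here is a small Python evaluator, added to this lab and not part of its original steps, that applies the trust policy's Condition block to constructed request contexts. It also evaluates a BoolIfExists variant of the same condition, which the lab does not use: that operator treats a missing aws:MultiFactorAuthPresent key as a match, so long-term access keys without MFA would be allowed through it. The request contexts are constructed; the Bool condition is the one written to trust-policy-mfa.json.

```python
"""Evaluate an IAM trust-policy Condition block against sample request contexts.

Added example (not part of the lab's own material). It reproduces, offline,
the condition logic that makes Step 3 fail. The request contexts below are
constructed; the Bool condition is the one the lab writes to
trust-policy-mfa.json.
"""
import json

# The Condition block from the lab's MFA trust policy.
LAB_CONDITION = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}

# A common mistake (not in the lab): BoolIfExists lets a request through when
# the key is absent from the context, e.g. long-term access keys without MFA.
WEAK_CONDITION = {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}

# Constructed request contexts. Long-term access keys carry no
# aws:MultiFactorAuthPresent key at all; temporary credentials carry
# "true" or "false" depending on how the session was obtained.
CONTEXTS = {
    "access-keys-no-mfa": {},  # key absent entirely
    "session-no-mfa": {"aws:MultiFactorAuthPresent": "false"},
    "session-with-mfa": {"aws:MultiFactorAuthPresent": "true"},
}


def _bool_match(expected, actual):
    # IAM Bool comparison is a case-insensitive match on "true"/"false".
    return str(expected).lower() == str(actual).lower()


def condition_matches(condition, context):
    """Return True if every operator/key pair in `condition` is satisfied.

    Supports the Bool and BoolIfExists operators, which is all this example
    needs. Any other operator raises so a typo is not silently allowed.
    """
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"unsupported operator in this example: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue  # missing key counts as a match
                return False  # Bool: a missing key fails the condition
            if not _bool_match(expected, context[key]):
                return False
    return True


def evaluate_trust(condition, context):
    """Map the condition result to what the AssumeRole caller sees."""
    return "Allow" if condition_matches(condition, context) else "AccessDenied"


def compare_conditions():
    """Evaluate both condition blocks against every constructed context."""
    return {
        name: {
            "Bool": evaluate_trust(LAB_CONDITION, ctx),
            "BoolIfExists": evaluate_trust(WEAK_CONDITION, ctx),
        }
        for name, ctx in CONTEXTS.items()
    }


if __name__ == "__main__":
    print(json.dumps(compare_conditions(), indent=2))
```

Running it shows the "access-keys-no-mfa" row denied under Bool but allowed under BoolIfExists, which is the difference that matters when writing an MFA condition into a trust policy.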
Checkpoints
| Verification Task | Expected Result |
|---|---|
| Create Role | LabAuthRole appears in the IAM Console. |
| STS AssumeRole (No MFA) | An AccessDenied error is returned in the terminal. |
| CloudTrail Check | An AssumeRole event exists with errorMessage: "Encoded authorization failure message". |
Troubleshooting
When authentication fails, use this matrix to diagnose the cause.
| Problem | Potential Cause | Fix |
|---|---|---|
| AccessDenied on AssumeRole | MFA is required by the Trust Policy but not provided. | Use --serial-number and --token-code in the CLI command. |
| InvalidClientTokenId | The AWS credentials in your environment are expired or wrong. | Run aws configure to refresh access keys. |
| NotAuthorized in Cognito | User Pool client is not configured for the correct OAuth flow. | Check the App Client Settings in the Cognito Console. |
Activity: Analyze the Failure in CloudTrail
- Navigate to CloudTrail > Event history.
- Filter by Event name: AssumeRole.
- Look for the recent failure. Under userIdentity, note that arn:aws:iam::... attempted the call, but the responseElements shows a failure.
- Observe the serviceEventDetails (if available) to see the condition check that failed (aws:MultiFactorAuthPresent).
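The following Python script, added here and not part of the lab's own material, runs the troubleshooting matrix above over constructed CloudTrail Event history records for AssumeRole, in the same way the manual activity reads them. The records, the user name lab-admin and the account ID 111122223333 are constructed samples; mfaAuthenticated is read from userIdentity.sessionContext.attributes, and the script's handling of an AccessDenied with MFA present is its own refinement rather than a row of the matrix.

```python
"""Triage failed STS AssumeRole calls with the lab's troubleshooting matrix.

Added example, not part of the lab's own material. It applies the matrix to
CloudTrail Event history records offline. The records below are constructed
and abbreviated (real events carry many more fields, e.g. eventTime and
recipientAccountId); 111122223333 is a sample account ID, not a real one.
"""
import json

# The lab's troubleshooting matrix, keyed by the error code the caller sees.
MATRIX = {
    "AccessDenied": ("MFA is required by the Trust Policy but not provided.",
                     "Use --serial-number and --token-code in the CLI command."),
    "InvalidClientTokenId": ("The AWS credentials in your environment are expired or wrong.",
                             "Run aws configure to refresh access keys."),
    "NotAuthorized": ("User Pool client is not configured for the correct OAuth flow.",
                      "Check the App Client Settings in the Cognito Console."),
}

ROLE_ARN = "arn:aws:iam::111122223333:role/LabAuthRole"   # constructed
USER_ARN = "arn:aws:iam::111122223333:user/lab-admin"     # constructed

# Constructed CloudTrail records.
SAMPLE_EVENTS = [
    {   # Step 3 of the lab: long-term access keys, so no sessionContext at all
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": USER_ARN},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "LabSession"},
    },
    {   # Same user calling from an MFA-authenticated session, still denied
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": USER_ARN,
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "LabSession"},
    },
    {   # A successful call: no errorCode field, so triage skips it
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": USER_ARN,
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "LabSession"},
    },
]


def mfa_authenticated(event):
    """Read userIdentity.sessionContext.attributes.mfaAuthenticated.

    Calls made with long-term access keys carry no sessionContext; this
    example treats that as "no MFA", which is the situation in Step 3.
    """
    identity = event.get("userIdentity") or {}
    attrs = (identity.get("sessionContext") or {}).get("attributes") or {}
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def diagnose(error_code, mfa_present):
    """Look the error code up in the matrix, refining the AccessDenied row by MFA state."""
    if error_code == "AccessDenied" and mfa_present:
        # This example's own refinement: the matrix row explains only the
        # no-MFA case, so a denial with MFA present needs a different look.
        return ("MFA was present, so this is not the missing-MFA case.",
                "Check the Principal element and any other Condition keys in the trust policy.")
    return MATRIX.get(error_code, ("Not covered by the lab matrix.",
                                   "Inspect errorMessage in the event manually."))


def triage_assume_role_failures(events):
    """Return one finding per failed AssumeRole call; successful calls are skipped."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        code = ev.get("errorCode")
        if not code:
            continue  # successful calls have no errorCode field
        mfa = mfa_authenticated(ev)
        cause, fix = diagnose(code, mfa)
        findings.append({
            "caller": (ev.get("userIdentity") or {}).get("arn"),
            "role": (ev.get("requestParameters") or {}).get("roleArn"),
            "errorCode": code,
            "mfaAuthenticated": mfa,
            "cause": cause,
            "fix": fix,
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(triage_assume_role_failures(SAMPLE_EVENTS), indent=2))
```

To use it on real data, export the filtered Event history as JSON and pass the list of records to triage_assume_role_failures; the matrix rows for InvalidClientTokenId and NotAuthorized are reached through diagnose when you feed it the error code shown by the CLI or the Cognito client.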
Teardown
To avoid costs and maintain a clean environment, delete the resources created.
```bash
# 1. Delete the IAM Role
aws iam delete-role --role-name "LabAuthRole"

# 2. Remove local JSON files
rm trust-policy.json trust-policy-mfa.json
```

> [!NOTE]
> If you created a Cognito User Pool via the console, navigate to Cognito > User Pools, select your pool, and click Delete.
Stretch Challenge
Modify the LabAuthRole trust policy to allow a specific Lambda function to assume it, rather than the root account. This demonstrates the transition from human authentication to "system/application" authentication strategies.