Summary: https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20587302
Advanced Identity Services
- AWS STS (Security Token Service): temporary, limited-privileges credentials to access AWS resources
- Used any time anyone or anything assumes an IAM role (the sts:AssumeRole API action); the caller gets an access key ID, secret access key and session token that expire at the end of the session
- IAM roles can be used for same/cross-account access
- IAM roles can be used for identity federation (identities from external Identity Providers, or IdPs, like Google, Facebook or a corporate SAML/OIDC provider can assume a role to access AWS resources)
- IAM roles are used by AWS services (service roles) when interacting on your behalf (e.g. Lambda execution role allows a Lambda function to write logs to CloudWatch)
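The two role types above (cross-account trust and a service role) are expressed in the role's trust policy, which is what sts:AssumeRole is evaluated against. The following is an added example, not code from the course or from AWS: three constructed trust policies plus a small linter for the checks a reviewer applies before approving a cross-account trust, namely that no statement trusts every AWS principal and that a trust in another account requires an sts:ExternalId condition (the standard mitigation for the confused-deputy problem when a third party assumes your role). All identifiers are hypothetical: account 111111111111 owns the roles, account 222222222222 is the trusted caller and "acme-prod-7f3a" is an ExternalId agreed out of band. Standard library only.

```python
"""Added example (not from the course or AWS): trust policies and a reviewer's linter.
Hypothetical identifiers: 111111111111 owns the roles, 222222222222 is the trusted
caller, "acme-prod-7f3a" is the agreed ExternalId."""

OWNER_ACCOUNT = "111111111111"

# Constructed sample: service role trust (the Lambda execution role case). The
# principal is the Lambda service, not an account, so no ExternalId applies.
LAMBDA_SERVICE_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: cross-account trust naming one role in the other account
# and requiring the agreed ExternalId, so a third party holding that role cannot
# be tricked into assuming this role on someone else's behalf (confused deputy).
CROSS_ACCOUNT_TRUST_OK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/DeployRole"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "acme-prod-7f3a"}},
    }],
}

# Constructed sample of what a reviewer should reject: any AWS principal at all
# may call sts:AssumeRole on this role.
CROSS_ACCOUNT_TRUST_OPEN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element to (kind, value) pairs; a bare "*" means anyone."""
    if principal == "*":
        return [("AWS", "*")]
    return [(kind, v) for kind in ("AWS", "Federated", "Service")
            for v in _as_list(principal.get(kind, []))]


def _account_of(value):
    """Account ID of an AWS principal: a bare 12-digit ID or the 5th ARN field."""
    if value.isdigit() and len(value) == 12:
        return value
    parts = value.split(":")
    return parts[4] if len(parts) >= 6 and parts[4] else None


def _requires_external_id(stmt):
    """True if the statement only matches when the caller presents sts:ExternalId."""
    cond = stmt.get("Condition", {})
    return any("sts:ExternalId" in cond.get(op, {})
               for op in ("StringEquals", "StringEqualsIgnoreCase"))


def lint_trust_policy(policy, owner_account=OWNER_ACCOUNT):
    """Return findings for Allow statements that grant sts:AssumeRole too broadly."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        for kind, value in _principals(stmt.get("Principal", {})):
            if kind != "AWS":
                continue  # service and federated principals are not account trusts
            if value == "*":
                findings.append(f"statement {i}: any AWS principal can assume this role")
            elif _account_of(value) != owner_account and not _requires_external_id(stmt):
                findings.append(f"statement {i}: cross-account trust for {value} "
                                "without an sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    for name, policy in [("lambda service role", LAMBDA_SERVICE_ROLE_TRUST),
                         ("cross-account with ExternalId", CROSS_ACCOUNT_TRUST_OK),
                         ("cross-account open to anyone", CROSS_ACCOUNT_TRUST_OPEN)]:
        print(name, "->", lint_trust_policy(policy) or "OK")
```

The linter deliberately treats a bare account ID and an `:root` ARN the same way as a specific role ARN: both are cross-account trusts and both need the ExternalId condition. Trusting `:root` additionally delegates the decision of who may assume the role to the other account's IAM administrators, which is worth calling out in review even when the condition is present.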
- Amazon Cognito: manage a DB of users for your mobile & web applications
- IAM has a quota of 5,000 IAM users per account… if a mobile/web application has millions of users, IAM is not a practical solution! → use Amazon Cognito instead
- Users can also log in via identity federation with social identity providers like Google, Facebook…
- AWS Directory Service: integrate a user directory (e.g. Microsoft Active Directory) in AWS
- MS Active Directory (AD) is very common on Windows servers that run AD Domain Services → DB of users, computers, printers, file shares… → centralized security management
- Can also use other user directories like Samba (Simple AD), or even proxy your on-premises user directory (AD Connector) instead of running AWS Managed Microsoft AD
- IAM Identity Center: one login for multiple AWS accounts & applications
- ❗ Previously AWS Single Sign-On (AWS SSO)
- Supports SAML 2.0, EC2 Windows instances, business cloud apps (Salesforce, MS365…)
- Can use a built-in identity store, or 3rd-party identity store (MS AD, OneLogin, Okta…)
- Integrates with AWS Organizations to manage identities and permission sets across all accounts in the organization from one place