AWS Cross-Account Delegation Access: Difference between revisions
Jump to navigation
Jump to search
Line 12: | Line 12: | ||
=Overview= | =Overview= | ||
Cross-account delegation access mechanism allows a user that does not have direct access to an [[Amazon_AWS_Security_Concepts#AWS_Account|AWS account]] (no [[Amazon_AWS_Security_Concepts#IAM_User|IAM user]], and no [[Amazon_AWS_Security_Concepts#API_Access_Keys|API access key]]) to perform [[Amazon_AWS_Concepts#API|API calls]] against resources in the account. Normally, all API calls against the resources of an account are [[Amazon_AWS_Concepts#Signing_API_Calls|signed]] with the API access key issued for an IAM user under that account. Cross-account delegation access mechanism leverages [[Amazon_AWS_Security_Concepts#Temporary_Security_Credentials|temporary AWS security credentials]], by using AWS Security Token Service (STS) and IAM roles. | Cross-account delegation access mechanism allows a user that does not have direct access to an [[Amazon_AWS_Security_Concepts#AWS_Account|AWS account]] (no [[Amazon_AWS_Security_Concepts#IAM_User|IAM user]], and no [[Amazon_AWS_Security_Concepts#API_Access_Keys|API access key]]) to perform [[Amazon_AWS_Concepts#API|API calls]] against resources in the account. Normally, all API calls against the resources of an account are [[Amazon_AWS_Concepts#Signing_API_Calls|signed]] with the API access key issued for an IAM user under that account. Cross-account delegation access mechanism leverages [[Amazon_AWS_Security_Concepts#Temporary_Security_Credentials|temporary AWS security credentials]], by using [[AWS Security Token Service|AWS Security Token Service (STS)]] and [[Amazon_AWS_Security_Concepts#IAM_Role|IAM roles]]. |
Revision as of 02:26, 26 November 2019
External
- https://aws.amazon.com/blogs/security/how-to-use-a-single-iam-user-to-easily-access-all-your-accounts-by-using-the-aws-cli/
- https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
- https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console/
- https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-iam/
Internal
Overview
Cross-account delegation access mechanism allows a user that does not have direct access to an AWS account (no IAM user, and no API access key) to perform API calls against resources in the account. Normally, all API calls against the resources of an account are signed with the API access key issued for an IAM user under that account. Cross-account delegation access mechanism leverages temporary AWS security credentials, by using AWS Security Token Service (STS) and IAM roles.