AWS Cross-Account Delegation Access: Difference between revisions
Jump to navigation
Jump to search
| Line 12: | Line 12: | ||
=Overview= | =Overview= | ||
Cross-account delegation access mechanism allows a user that does not have direct access to an [[Amazon_AWS_Security_Concepts#AWS_Account|AWS account]] (no [[Amazon_AWS_Security_Concepts#IAM_User|IAM user]], and no [[Amazon_AWS_Security_Concepts#API_Access_Keys|API access key]]) to perform [[Amazon_AWS_Concepts#API|API calls]] against resources in the account. Normally, all API calls against the resources of an account are [[Amazon_AWS_Concepts#Signing_API_Calls|signed]] with the API access key issued for an IAM user under that account. Cross-account delegation access mechanism leverages [[Amazon_AWS_Security_Concepts#Temporary_Security_Credentials|temporary AWS security credentials]], by using [[AWS Security Token Service|AWS Security Token Service (STS)]] and [[Amazon_AWS_Security_Concepts#IAM_Role|IAM roles]]. | Cross-account delegation access mechanism allows a user that does not have direct access to an [[Amazon_AWS_Security_Concepts#AWS_Account|AWS account]] (no [[Amazon_AWS_Security_Concepts#IAM_User|IAM user]], and no [[Amazon_AWS_Security_Concepts#API_Access_Keys|API access key]]) to perform [[Amazon_AWS_Concepts#API|API calls]] against resources in the account. Normally, all API calls against the resources of an account are [[Amazon_AWS_Concepts#Signing_API_Calls|signed]] with the API access key issued for an IAM user under that account. Cross-account delegation access mechanism leverages [[Amazon_AWS_Security_Concepts#Temporary_Security_Credentials|temporary AWS security credentials]], by using [[AWS Security Token Service|AWS Security Token Service (STS)]] and [[Amazon_AWS_Security_Concepts#IAM_Role|IAM roles]]. This is achieved by making an API call to [[AWS Security Token Service|AWS Security Token Service]] STS:AssumeRole. The service returns a temporary access key ID, a secret key and a security token that can then be used to sign future API calls. | ||
[[File:AWSCross_AccountDelegationAccess.png]] | |||
Revision as of 02:51, 26 November 2019
External
- https://aws.amazon.com/blogs/security/how-to-use-a-single-iam-user-to-easily-access-all-your-accounts-by-using-the-aws-cli/
- https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
- https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console/
- https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-iam/
Internal
Overview
Cross-account delegation access mechanism allows a user that does not have direct access to an AWS account (no IAM user, and no API access key) to perform API calls against resources in the account. Normally, all API calls against the resources of an account are signed with the API access key issued for an IAM user under that account. Cross-account delegation access mechanism leverages temporary AWS security credentials, by using AWS Security Token Service (STS) and IAM roles. This is achieved by making an API call to AWS Security Token Service STS:AssumeRole. The service returns a temporary access key ID, a secret key and a security token that can then be used to sign future API calls.
