Leveraging Access Delegation – Determining an Authentication and Access Control Strategy for Complex Organizations – SAP-C02 Study Guide

Leveraging Access Delegation

You are now going to investigate access delegation. Access delegation is essentially used for the following reasons:

  • Providing an entity temporary access to resources that they do not have access to with their current privileges. This could be one of the following:
    • A user that needs temporarily elevated privileges to perform a specific task
    • An application or AWS service that requires specific privileges
  • Providing an entity access to resources located in another AWS account.

Now, start by examining these cases.

Temporary Access Delegation

Take, for instance, the first use case, where you need to provide trusted users, applications, or AWS services with temporary security credentials so that they can access your AWS resources. As the name implies, the security credentials provided are temporary, which has the following benefits:

  • The access provided is limited to a short period of time, typically ranging from a few minutes to a few hours.
  • Because they are short-lived, there is no need to store or manage (for example, rotate) temporary credentials as you would have to with permanent credentials.
  • No need to define an AWS identity for each user that requires access. Instead, you can leverage identity federation, which relies on temporary security credentials.

AWS STS is the central AWS service for requesting temporary security credentials on AWS. In a nutshell, AWS STS creates a new session on AWS with temporary security credentials that include an access key pair (access key ID and secret access key) and a session token. These credentials can then be used by end users or applications to access your resources. You can additionally pass session policies and session tags programmatically when calling AWS STS. As you noticed earlier, the resulting permissions are then the intersection of the temporarily assumed IAM role’s identity-based policies and the session policies: a session policy can only narrow what the role already allows, never extend it.
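The following Python is an added illustration, not code from the study guide, of the intersection rule above: a deliberately simplified evaluator that decides an action against a role's identity-based policy and a session policy (the Policy parameter of sts:AssumeRole). It models only Allow/Deny statements with wildcard Action and Resource values; conditions, resource-based policies, permissions boundaries, and SCPs are out of scope, and the bucket and policy documents are constructed for the example.

```python
# Added example (not from the study guide): a teaching model of how a session
# created by sts:AssumeRole with a session policy is evaluated. Effective
# permissions are the INTERSECTION of the role's identity-based policy and the
# session policy, and an explicit Deny in either policy wins.
# Simplifications: Allow/Deny only, wildcard matching on Action and Resource,
# no Condition elements, no resource-based policies, no SCPs.
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow', or 'ImplicitDeny' for a single policy document."""
    result = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        if _statement_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins
            result = "Allow"
    return result


def effective_decision(role_policy, session_policy, action, resource):
    """Session permissions = role policy intersected with session policy."""
    decisions = [evaluate_policy(role_policy, action, resource),
                 evaluate_policy(session_policy, action, resource)]
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if all(d == "Allow" for d in decisions) else "ImplicitDeny"


# Constructed sample documents; the bucket name 'example-data' is hypothetical.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-data/*"},
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
]}
# Session policy: narrows S3 to read-only under reports/, explicitly denies one
# object, and tries (ineffectively) to grant EC2 access the role never had.
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-data/reports/*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-data/reports/secret.csv"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
]}
```

Calling effective_decision with the sample documents shows that s3:GetObject under reports/ is allowed, s3:PutObject and dynamodb:* are dropped because the session policy does not allow them, ec2:DescribeInstances stays denied because the role never allowed it, and the explicitly denied object is denied regardless of the role policy.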

Accessing Resources from One Account to Another

Complex organizations, like most enterprises, will maintain multiple AWS accounts to host their workloads on AWS. In some circumstances, entities in one account need to access resources in another account. Access across accounts is not permitted by default on AWS; resources in one account are fully isolated within that account and cannot be accessed from other AWS accounts unless specific permissions are explicitly granted.