[AWS] IDF, Cognito, and SSO

IDF (Identity Federation) is an architecture where the identities of an external identity provider (IDP) are recognized.

Types of IDF

  • Cross-account roles: A remote account is allowed to assume a role and access your account’s resources.
  • SAML 2.0 IDF: Allows users of a SAML-compatible system, such as Active Directory (AD), to log in to AWS services.
  • Web Identity Federation: External web-based IDPs (Google, Facebook) are allowed to assume roles.

[AWS] AWS Organizations

AWS Organizations is a centralized, global management service for AWS accounts (up to 20) and their billing.

  • All accounts within an AWS Organization can consolidate bills into a single account.
    • A paying account should be used for billing purposes only.
    • Economies of scale: the more you use, the more you save (volume pricing discounts).

[AWS] Identity and Access Management (IAM)

Identity and Access Management (IAM) provides the centralized management of your AWS account. It manages who can access what in your AWS services. Access control is done via policies that can be attached to users, groups, and roles.

  • IAM is a global service that is not tied to a region.
    • Users and policies can be used globally.
  • Users are given long-term credentials to access AWS resources (username/password or access keys).
  • Roles allow for short-term access to resources when assumed, using temporary access credentials.
  • IAM can work with Identity Federation, such as Active Directory or Web Identity Federation (Facebook, Google, etc.).

[AWS] Storage Gateway

Storage Gateway is a hybrid storage service that allows you to migrate data into AWS, extending on-premises storage capacity with AWS.

  • It is used when you want to integrate existing on-premises application data with AWS cloud storage services without fully migrating to AWS. Applications in your network can access data in the cloud.
  • Data may be moved to AWS and cached locally at the on-premises data center.
  • Key Management Service (KMS) can encrypt data at rest in the cloud.
  • CloudWatch can be used for monitoring, and CloudTrail can be used for logging account activity.