SEC306: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery

Advanced use cases (Microsoft variant)

After you complete the initial exercise, you are ready to move on to the advanced use cases. Complete them in the order and combination that you choose. To continue, read each brief summary and then choose the corresponding link below to continue your own SAML adventure. If you are unsure which use case to choose, we have listed them in our recommended order and labeled each with an approximate completion time.

Automating federation setup across multiple accounts and roles (25 mins)

In most situations, AWS customers move toward a multiple AWS account strategy as their maturity on the AWS platform increases. In these scenarios, it is not uncommon for a single AWS customer to have hundreds or even thousands of AWS accounts. In this exercise, we implement a solution for automating the required federation components, both within AWS and the back-end Active Directory, which allows your cloud identity infrastructure to scale to any number of AWS accounts. Choose this path to continue your SAML adventure.

Traceability of federated user actions in AWS CloudTrail (15 mins)

AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. In this exercise, we review various aspects of AWS CloudTrail usage for actions taken by SAML federated users. Choose this path to continue your SAML adventure.

Use SAML attributes to enforce role assumption conditions, a.k.a. MFA-for-SAML (20 mins)

When you use SAML federation with AWS, the Identity Provider (IdP) is solely responsible for the authentication and coarse-grained authorization of users, including multi-factor authentication. In this exercise, you walk through how to implement additional role assumption conditions in AWS, based on SAML attributes, that let you verify that requirements such as MFA have been enforced by the IdP before the role can be assumed. Choose this path to continue your SAML adventure.

Using SAML identities in Amazon S3 bucket policies (15 mins)

In most situations, AWS customers store a range of data in Amazon S3. In this exercise, you implement S3 bucket policies that limit access to a particular bucket to a list of named federated users and Amazon EC2 instances launched with a specific instance profile. Choose this path to continue your SAML adventure.

Implementing longer SAML session durations (10 mins)

By default, the temporary credentials that are issued during SAML federation expire after 60 minutes. In this exercise, you walk through how to extend the session duration to a value of your choice. Choose this path to continue your SAML adventure.

Implement a SAML version of "Amazon S3 home directories" (15 mins)

In this exercise, you go over how to create an S3 bucket where every federated user has access to only his or her own "home directory." The inspiration for this advanced use case comes from a non-federation-oriented example in the AWS documentation. Choose this path to continue your SAML adventure.
