5.1.2. Federation, IAM Identity Center, and MFA
š” First Principle: Creating individual IAM users for every employee in a company is an anti-pattern. Users need different permissions in different accounts, credentials need to be revoked when employees leave, and MFA needs to be enforced consistently. Federation solves this by connecting AWS to your existing corporate identity system ā employees log in with their corporate credentials, and AWS trusts the assertion that they are who they say they are.
Federation Methods:
| Method | Protocol | Use Case |
|---|---|---|
| IAM Identity Center (SSO) | SAML 2.0 / OIDC | Recommended for multi-account access; single sign-on across AWS accounts and business apps |
| SAML 2.0 Federation | SAML | Direct federation to a specific account; requires configuring trust in IAM |
| Web Identity Federation | OIDC | Mobile/web apps authenticating with Google, Facebook, Amazon Cognito |
| AWS STS AssumeRole | STS API | Cross-account access; service-to-service; programmatic role assumption |
IAM Identity Center is the modern, recommended approach for multi-account human access:
Identity Center manages permission sets ā templates of IAM policies that are applied to accounts. When you assign a user (or group) to an account with a permission set, Identity Center creates a corresponding IAM role in that account automatically. No manual role creation needed per account.
MFA (Multi-Factor Authentication):
| MFA Type | Description | Recommendation |
|---|---|---|
| Virtual MFA | Authenticator app (Google Authenticator, Authy) | Good for most users |
| Hardware MFA | Physical device (YubiKey, Gemalto) | Best for root account and privileged users |
| TOTP | Time-based one-time password | Standard virtual MFA |
| WebAuthn/FIDO2 | Phishing-resistant hardware key | Strongest option |
Enforcing MFA with IAM Conditions: You can require MFA for specific actions using the aws:MultiFactorAuthPresent condition key:
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
}
}
This denies all actions unless the session was authenticated with MFA ā a common pattern for protecting sensitive operations.
AWS STS (Security Token Service): Issues temporary credentials when roles are assumed. Key API calls:
| API | Use Case |
|---|---|
AssumeRole | Cross-account access; EC2/Lambda to AWS services |
AssumeRoleWithSAML | Federation via SAML 2.0 |
AssumeRoleWithWebIdentity | Mobile/web apps with OIDC provider |
GetSessionToken | MFA-enabled access for IAM users |
Temporary credentials have a configurable duration (15 minutes to 12 hours for AssumeRole) and automatically expire ā no manual rotation needed.
ā ļø Exam Trap: When a user assumes a role, they give up their original permissions and gain only the role's permissions for the duration of the session. If the role doesn't have permission to do something the user's personal policies allow, the operation fails. The assumed role's permissions are the only thing that matters for that session.
Reflection Question: A company uses Azure Active Directory as its identity provider. They want employees to access 15 different AWS accounts with different permission levels in each, using their existing Azure AD credentials. What AWS service do you configure, and what is the AWS-side concept that maps to "which permissions a user gets in a specific account"?
