Allow access to S3 bucket to any user authenticated by AWS SSO - amazon-s3

We've implemented AWS SSO authentication with ActiveDirectory, corporate wise, for all our users. We use multiple AWS sub-accounts, so that ActiveDirectory users can connect to different AWS sub-accounts with their AD credentials, according to the AD group association with AWS policies.
This all works pretty well, however, it is not clear to me, how to implement following authorization properly. Some of our accounts have S3 buckets which should be available for all the users authenticated by the SSO, without regards of the user access rights.
What is the right way to organize that?

Related

AWS-Cognito or AWS SSO, which one should I choose

We are planning to setup three applications, two of them are based on WordPress, and third one is based on Magento. We will deploy these three apps on AWS. We are looking for a tool to centralize the management of all the users for these three apps. We could grant different privilege and allow the different users have different right to these three apps. So, we should choose AWS Cognito or SSO?
You can use both if you go with cognito route. Cognito User pools handles your user management (registration, login, granting tokens) while Cognito Identity Pool lets you use any of the identity providers including user pool to exchange tokens for temporary aws credentials based on what role you have attached to the group of users.
Identity pools also accept SSO with 3rd part authentication providers (federated identity). You can sign in users on your user pool using social identity providers (facebook, google, amazon) or create one using Auth0.
AWS Cognito is the right fit for your application. AWS SSO is essentially a layer between active directories and services like Cognito or Firebase. AWS SSO helps in delegating access to AWS services and provides SAML/Oauth gateways connected to the active directories.
AWS Cognito on the other hand, allows you to easily integrate your login systems with any auth providers like AWS SSO, Okta, Auth0 and social media channels too. Hence, definitely considering your requirements, AWS Cognito user pool is the best fit.

What is difference between AWS-Cognito and Shibboleth?

I want to know the difference between AWS-Cognito and Shibboleth. I am unable to find the difference.
From what I can see shibboleth is a general SSO solution. It is comparable with cognito user pool which too provides user management services. The main difference between user pool and shibboleth would be that since user pools are a service offered by AWS they can be used by other AWS services directly like api gateway. IAM can be used to restrict access to signed admin API calls in userpool (eg: adminInitiateAuth)
Then we have cognito identity pool. This is used to grant access to aws resources. You can use various federated identities like facebook, amazon, openid etc as well as cognito user pool to authenticate and request for resources. You can also allow unauthenticated users to access resources.

Creating custom Roles and Policies

I am looking into using AWS-Cognito as a means to manage and authenticate users. I do not want to use aws api-gateway or any of their other services really. It seems though you can only create roles or policies if they are related to some other aws service. I'd like to have these custom roles or policies on the user's id token returned from Cognito. Is it possible to create these custom roles or policies or am I restricted to only roles and policies related to amazon services? I have found tried the Create your own policy, but it throws an error if it doesn't match a specific action or resource known to aws services. Thanks.
You can use Cognito User Pools to authenticate your users. Then you can call STS to issue temporary credentials based upon your own rules (policies). Look into examples using assumeRole().
If you want an integrated / managed service then use Cognito Federated Identities for authorization and Cognito Users Pools or Google, etc. for authentication.
Sort of confusing, but think of Cognito User Pools (or Facebook, etc.) as the Identity Provider and Cognito Federated Users as the Permissions broker.

How can I allow limited access to API created in aws API gateway?

I have a API in AWS API gateway.
I wants to give Limited access to the user how can I do that?
or how can I create Signed url if possible for the API access does anyone has any idea?
I can Disable from the API Gateway Console but can I give the time or limited access to the user?
You can use AWS Cognito to authenticate your user against Google/Twitter/Facebook. Then in Cognito you configure the Role the temporary IAM user should have that Cognito returns. This Role should at least have rights to call your API Gateway.
In the API Gateway you can configure your endpoints so that it is required to have a valid IAM authentication.
Lastly if you want to restrict the user, you can make a call to Cognito and remove/adjust his account to block him.

How to authenticate and authorize with AWS Identity and Access Management?

I am writing my own reporting software in Java and planning to use RDS for data storage. I want to do the A.A. with AWS IAM. Is there any example(s) of authenticating and authorizing with AWS Identity and Access Management that you might be aware and share with me?
I am not looking on how to set up the user from Amazon's console or how to issue console commands. Instead I would like to see some Java code how to identify if user is authenticated with his/her credentials (user id, password combination) and whether that person authorized to get access to specific report.
AWS IAM is not designed to authenticate users with your own app. AWS IAM is designed to authenticate users with AWS services.
The only way to see if a user is a real user(authentication) and if that user is authorized is to actually make an AWS API call.
For example, you can create a policy that looks like this and attach it to a user/group:
{
"Statement":[{
"Effect":"Allow",
"Action":["rds:CreateDBSecurityGroup",
"rds:DeleteDBSecurityGroup",
"rds:DescribeDBSecurityGroup",
"rds:AuthorizeDBSecurityGroupIngress",
"rds:RevokeDBSecurityGroupIngress"],
"Resource":"*"
}
]
}
And the user or group who has this policy can only make these API calls and not others.
See here: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html
Amazon has something called Cognito which is designed to sync application profiles across mobile devices. What applies to your question, though, is that it also allows users to authenticate with Google, Facebook, or Amazon (it uses OAuth).
http://aws.amazon.com/cognito/