We are implementing SAML-based federation with AWS to access an S3 bucket.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html

There is a security flaw with this approach. If we do STS:AssumeRole, anyone can debug, get the SAML assertion and use it to generate his own temporary access keys. So we moved the key generation process to the server side (using the STS Java SDK) to get the keys at the server. Anyhow, we could not restrict STS calls with an IP check so that STS invocation is only valid from our server (or DP).

How can I write an IAM policy that ensures no one can invoke any Security Token Service action (sts:*) from anywhere but a registered IP? Which entity should I attach this policy to? (Role?)

I tried all possible policy combinations at IAM and nothing is fruitful. And I cannot restrict the STS service totally (I can do so for a particular region, but the global STS service will always be active).

I just don't understand why Amazon would keep STS open to anyone.

Thanks in advance...

Naren Karanam

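The policy shape the question is asking about, as an added example that is not part of the original post: an IP condition on SAML role assumption belongs in the IAM role's trust policy (the resource policy that decides who may call sts:AssumeRoleWithSAML for that role), not in an identity policy attached to the role. The account id, SAML provider name and server address below are placeholders; `aws:SourceIp` and `SAML:aud` are standard IAM condition keys, and the audience value shown is the one AWS uses for SAML sign-in.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSamlAssumeOnlyFromServer",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:saml-provider/ExampleIdP"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        },
        "IpAddress": {
          "aws:SourceIp": [
            "203.0.113.10/32"
          ]
        }
      }
    }
  ]
}
```

Because the trust policy is evaluated on every AssumeRoleWithSAML call, an assertion captured in the browser is rejected with AccessDenied unless the STS request itself comes from the listed address; this does not disable the global STS endpoint, which is the behaviour the question observes, it only makes the assertion unusable from anywhere else.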