Provides the ability to assume a role: returns temporary credentials (session duration 15 min to 12 h, bounded by the role's maximum session duration; sessions obtained by role chaining are capped at 1 h) and supports identity federation, via the AssumeRole API
Ability to revoke active sessions and credentials for a role: the console does this by attaching an inline policy named AWSRevokeOlderSessions that denies all actions to credentials whose aws:TokenIssueTime is earlier than the revocation time (the tokens are not invalidated, they simply stop working until the role is assumed again)
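Added example (not from the original notes): rebuilds the deny policy that the console attaches as AWSRevokeOlderSessions and checks offline which session tokens it cuts off. The role name, timestamps and the boto3 call in `attach_revocation` are placeholders/assumptions; everything else is the documented shape of the policy.

```python
"""Reproduce the AWSRevokeOlderSessions inline policy and evaluate it offline.

Added example, not the notes' own content. Assumes: role name and timestamps
are placeholders; attach_revocation() needs boto3 and iam:PutRolePolicy and
is not exercised offline.
"""
import json
from datetime import datetime, timezone

POLICY_NAME = "AWSRevokeOlderSessions"  # inline policy name the console uses

_FORMATS = ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ")


def _parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with or without fractional seconds."""
    for fmt in _FORMATS:
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {ts}")


def revoke_older_sessions_policy(cutoff_iso: str) -> dict:
    """Build the deny policy: every action is denied to credentials whose
    aws:TokenIssueTime is earlier than the cutoff (the moment you clicked
    "Revoke active sessions"). Existing tokens are not invalidated, they just
    stop working; callers must assume the role again to get a newer token."""
    stamp = _parse_utc(cutoff_iso).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": ["*"],
                "Resource": ["*"],
                "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
            }
        ],
    }


def session_is_revoked(policy: dict, token_issue_time_iso: str) -> bool:
    """Offline evaluation of the DateLessThan condition for one session.
    An explicit Deny wins over any Allow, so a match means every call made
    with that token fails. DateLessThan is strict: a token issued exactly at
    the cutoff is not revoked."""
    issued = _parse_utc(token_issue_time_iso)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cutoff = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if cutoff and issued < _parse_utc(cutoff):
            return True
    return False


def attach_revocation(role_name: str, cutoff_iso: str) -> None:
    """Attach the policy to a role (assumption: boto3 installed, credentials
    with iam:PutRolePolicy configured). Imported lazily so the offline
    helpers above do not need the AWS SDK."""
    import boto3

    iam = boto3.client("iam")
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName=POLICY_NAME,
        PolicyDocument=json.dumps(revoke_older_sessions_policy(cutoff_iso)),
    )


if __name__ == "__main__":
    pol = revoke_older_sessions_policy("2024-01-15T12:00:00Z")  # placeholder cutoff
    print(json.dumps(pol, indent=2))
    print("issued 11:59:59 revoked:", session_is_revoked(pol, "2024-01-15T11:59:59Z"))
    print("issued 12:00:01 revoked:", session_is_revoked(pol, "2024-01-15T12:00:01Z"))
```

The policy is scoped to the role it is attached to, so sessions of other roles are unaffected; remember to remove it later or any session older than the cutoff stays blocked.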
<aside> 💡 When you assume a role you give up your original permissions and take on those of the role
</aside>
The "zone of trust" is the set of accounts you own; anything outside the zone of trust (another organisation's account) is a 3rd-party entity
<aside> 👩🏻🍳 use IAM Access Analyzer to find resources (roles, S3 buckets, KMS keys, ...) shared with principals outside your zone of trust
</aside>
To provide access to a 3rd-party entity: define an External ID in the role's trust policy (a shared secret the 3rd party must pass as ExternalId on AssumeRole, which prevents the confused deputy problem) and define the permissions with an IAM policy attached to the role
Session tags: key-value pairs passed when assuming the role; the trust policy can limit who may assume the role based on them (aws:RequestTag/<key> condition; the caller also needs sts:TagSession), and the tags then drive attribute-based access control in permission policies
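Added example (not from the original notes): a trust policy for a 3rd-party account that requires the External ID and an allowed session tag, an offline check of how those conditions behave on different AssumeRole requests, and the matching boto3 call the partner would make. Account IDs, role name, External ID and tag values are placeholders; the boto3 call is an assumption and is not exercised offline.

```python
"""Trust policy with External ID + session-tag conditions, evaluated offline.

Added example, not the notes' own content. All identifiers below are
placeholders; assume_from_third_party() assumes boto3 and credentials for the
partner account and is not exercised offline.
"""
THIRD_PARTY_ACCOUNT = "111122223333"   # the external account (placeholder)
OUR_ACCOUNT = "444455556666"           # account that owns the role (placeholder)
ROLE_NAME = "ThirdPartyAuditRole"      # placeholder
EXTERNAL_ID = "f1a2b3c4-example"       # shared secret agreed with the 3rd party (placeholder)


def third_party_trust_policy() -> dict:
    """Only the partner account may assume the role, only with the agreed
    External ID, and only with a `team` session tag from an allowed set.
    sts:TagSession is required because the caller passes tags."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{THIRD_PARTY_ACCOUNT}:root"},
                "Action": ["sts:AssumeRole", "sts:TagSession"],
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": EXTERNAL_ID,
                        "aws:RequestTag/team": ["audit", "compliance"],
                    }
                },
            }
        ],
    }


def request_allowed(policy: dict, caller_account: str, external_id, tags: dict) -> bool:
    """Offline approximation of trust-policy evaluation for one AssumeRole
    request: the principal must match and every StringEquals key must be
    satisfied. A request that omits the External ID or the tag simply has no
    value for that key, so the condition fails (this is what stops a confused
    deputy that forwards someone else's request without the ID)."""
    request_keys = {"sts:ExternalId": external_id}
    for k, v in tags.items():
        request_keys[f"aws:RequestTag/{k}"] = v
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        satisfied = True
        for key, allowed in conds.items():
            allowed = allowed if isinstance(allowed, list) else [allowed]
            if request_keys.get(key) not in allowed:
                satisfied = False
                break
        if satisfied:
            return True
    return False


def assume_from_third_party(session_name: str) -> dict:
    """The call the partner makes from its own account (assumption: boto3 and
    credentials for THIRD_PARTY_ACCOUNT configured). Returns the temporary
    credentials: AccessKeyId, SecretAccessKey, SessionToken, Expiration."""
    import boto3  # lazy import so the offline helpers need no AWS SDK

    sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=f"arn:aws:iam::{OUR_ACCOUNT}:role/{ROLE_NAME}",
        RoleSessionName=session_name,
        ExternalId=EXTERNAL_ID,
        Tags=[{"Key": "team", "Value": "audit"}],
        DurationSeconds=3600,  # 900 s up to the role's max session duration (<= 12 h)
    )
    return resp["Credentials"]


if __name__ == "__main__":
    pol = third_party_trust_policy()
    print("good request:", request_allowed(pol, THIRD_PARTY_ACCOUNT, EXTERNAL_ID, {"team": "audit"}))
    print("no external id:", request_allowed(pol, THIRD_PARTY_ACCOUNT, None, {"team": "audit"}))
    print("wrong tag:", request_allowed(pol, THIRD_PARTY_ACCOUNT, EXTERNAL_ID, {"team": "dev"}))
```

The External ID is not a password (it travels in plaintext in the API call and is visible to anyone with access to the partner's configuration); its job is only to bind a request to the customer it was made for, so give each customer a distinct value and never let the customer choose it.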
STS API calls:
- AssumeRole - access a role within your own account or cross-account
- AssumeRoleWithSAML - for users logged in with SAML federation
- AssumeRoleWithWebIdentity - for users logged in with a web identity provider (Facebook, Google, any OIDC IdP); AWS recommends using Cognito instead
- GetSessionToken - for MFA (called by an IAM user or the root user; the returned credentials carry the MFA context)
- GetFederationToken - temporary credentials for a federated user (called by a proxy application on the user's behalf with long-term IAM user credentials)