AFP: secure cloud authentication for machines and humans.
When using Amazon Web Services (AWS) services from outside AWS, there are two main authentication problems:
Authenticating humans (employees, users, etc.), and
Authenticating machines (servers, applications, etc.).
At scale, the common practice of using Identity and Access Management (IAM) users with static credentials / access keys is generally considered harmful: they are easy to lose control over and hard to rotate systematically. Hacked credentials are a sought-after commodity and allow a digital adversary to perform anything from mining digital currencies to cracking passwords.
The AWS Federation Proxy (AFP) Project, developed at ImmobilienScout24, solves the issue for both machines and humans by using a Custom Federation Broker and the Secure Token Service (STS) with IAM roles and temporary credentials. This talk introduces the project, the various components it consists of, and explains how we can use it to largely eliminate IAM users and static credentials.
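To make the broker pattern concrete, here is an added illustration of the core flow (it is not AFP's own code): an already-authenticated principal is mapped to the IAM roles it may assume, the broker calls STS AssumeRole, and the caller receives time-limited credentials instead of a static access key. The role mapping, the principal names and the offline `fake_assume_role` stand-in are constructed for the example; in production the injected callable would be boto3's `sts.assume_role`.

```python
"""Federation-broker flow with STS AssumeRole (added example, not AFP code).

Role mapping, principal names and the fake STS are constructed; in
production ``assume_role`` would be ``boto3.client("sts").assume_role``.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re
import secrets

# Constructed authorization data: principal -> account -> roles it may assume.
# A real broker derives the principal from corporate SSO (humans) or a verified
# host identity (machines) and loads this mapping from a directory or IAM.
ROLE_MAP = {
    "alice@example.com": {"123456789012": ["developer", "readonly"]},
    "web-server-01.example.com": {"123456789012": ["webapp"]},
}

MIN_DURATION, MAX_DURATION = 900, 3600  # seconds; STS rejects sessions under 900


@dataclass
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime

    def is_valid(self, now=None):
        """Temporary credentials carry their own expiry; check it before use."""
        now = now or datetime.now(timezone.utc)
        return now < self.expiration

    def as_credentials_file(self, profile="default"):
        """Render in ~/.aws/credentials format; the session token line is
        mandatory, since STS keys are rejected without it."""
        return (
            f"[{profile}]\n"
            f"aws_access_key_id = {self.access_key_id}\n"
            f"aws_secret_access_key = {self.secret_access_key}\n"
            f"aws_session_token = {self.session_token}\n"
        )


def session_name(principal):
    """STS RoleSessionName allows only [\\w+=,.@-] and 2..64 characters.
    The name appears in CloudTrail, so keep it recognisable per caller."""
    name = re.sub(r"[^\w+=,.@-]", "_", principal)[:64]
    return name if len(name) >= 2 else "afp"


class FederationBroker:
    def __init__(self, assume_role):
        # Callable with the keyword signature of boto3's sts.assume_role.
        self._assume_role = assume_role

    def issue(self, principal, account_id, role_name, duration=MAX_DURATION):
        """Authorize the principal for the role, then obtain temporary keys."""
        allowed = ROLE_MAP.get(principal, {}).get(account_id, [])
        if role_name not in allowed:
            raise PermissionError(f"{principal} may not assume {role_name} in {account_id}")
        if not MIN_DURATION <= duration <= MAX_DURATION:
            raise ValueError("duration out of range")
        resp = self._assume_role(
            RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
            RoleSessionName=session_name(principal),
            DurationSeconds=duration,
        )
        c = resp["Credentials"]
        return TemporaryCredentials(c["AccessKeyId"], c["SecretAccessKey"],
                                    c["SessionToken"], c["Expiration"])


def fake_assume_role(RoleArn, RoleSessionName, DurationSeconds):
    """Offline stand-in for sts.assume_role returning boto3-shaped output.
    Values are random and constructed; nothing here talks to AWS."""
    return {
        "Credentials": {
            "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),  # 20 chars, like STS keys
            "SecretAccessKey": secrets.token_urlsafe(30),
            "SessionToken": secrets.token_urlsafe(60),
            "Expiration": datetime.now(timezone.utc) + timedelta(seconds=DurationSeconds),
        }
    }


if __name__ == "__main__":
    broker = FederationBroker(fake_assume_role)
    creds = broker.issue("alice@example.com", "123456789012", "developer")
    print(creds.as_credentials_file(profile="developer"))
```

The point of the pattern is visible in `issue`: the caller never holds a long-lived IAM user key, the broker alone decides which role ARN is assumed, and every credential it hands out expires on its own, so rotation happens by construction rather than by process.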
Desired previous knowledge: Amazon Web Services in general and specifically IAM