From 3c9e4c60d8756b45aace65431c539d0cd6e3b920 Mon Sep 17 00:00:00 2001 From: Rich Adams Date: Wed, 12 Oct 2016 09:45:52 -0700 Subject: [PATCH] Adding information about IAM session keys requiring a session token parameter. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 67f510d..6768958 100644 --- a/README.md +++ b/README.md @@ -516,6 +516,7 @@ We cover security basics first, since configuring user accounts is something you - IAM manages various kinds of authentication, for both users and for software services that may need to authenticate with AWS, including: - [**Passwords**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords.html) to log into the console. These are a username and password for real users. - [**Access keys**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html), which you may use with command-line tools. These are two strings, one the “id”, which is an upper-case alphabetic string of the form 'AXXXXXXXXXXXXXXXXXXX', and the other is the secret, which is a 40-character mixed-case base64-style string. These are often set up for services, not just users. + - 📜 Access keys that start with AKIA are normal keys. Access keys that start with ASIA are session/temporary keys from STS, and will require an additional "SessionToken" parameter to be sent along with the id and secret. - [**Multi-factor authentication (MFA)**](https://aws.amazon.com/iam/details/mfa/), which is the highly recommended practice of using a keychain fob or smartphone app as a second layer of protection for user authentication. - IAM allows complex and fine-grained control of permissions, dividing users into groups, assigning permissions to roles, and so on. There is a [policy language](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) that can be used to customize security policies in a fine-grained way. - 🔸The policy language has a complex and error-prone JSON syntax that’s quite confusing, so unless you are an expert, it is wise to base yours off trusted examples or AWS’ own pre-defined [managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).