AWS re:Invent 2025 - Easy cross-cloud authN: AWS outbound identity federation in action (SEC233)

Overview

This presentation from AWS re:Invent 2025 introduces a new AWS feature that enables secure and seamless authentication between AWS workloads and external services, eliminating the need to manage long-term credentials. The speakers, Rah Maharaj Puram and Vishnavi Merugu, demonstrate how this feature works and highlight its key benefits.

Key Features and Functionality

Outbound Identity Federation

  • Allows AWS workloads (e.g., EC2, Lambda, EKS) to authenticate to external services using short-lived JSON Web Tokens (JWTs)
  • Eliminates the need to manage long-term credentials like API keys or passwords
  • Supports integration with a variety of external services, including other cloud providers (Azure, GCP), SaaS platforms (Databricks, Snowflake), and on-premises systems

JWT Generation and Validation

  • AWS STS generates the JWTs, and the claims they carry can be customized by the caller
  • Each JWT is signed with either RS256 or ES384, and the corresponding public keys are published at a well-known endpoint so that external services can verify the signature
  • JWT lifetimes are configurable from 60 seconds up to 1 hour, letting teams balance exposure window against operational needs

Customizable Claims

  • Standard OIDC claims (subject, audience, expiration, etc.) are included in the JWTs
  • AWS also adds custom claims, namespaced under s.amazonaws.com, that provide additional context about the identity and workload:
    • AWS account ID, source region, organization ID (if applicable)
    • Principal tags (from IAM roles/users) and session tags
    • Compute-specific details (e.g., EC2 instance metadata)
    • Federated provider information (if the identity originated from an external source)

Access Control

  • The sts:GetWebIdentityToken IAM action grants a principal the ability to generate JWTs for external authentication
  • Condition keys allow fine-grained control over:
    • Allowed token audiences
    • Maximum token lifetime
    • Permitted signing algorithms

Benefits and Use Cases

Enhanced Security

  • Removes long-term credentials from the workload, and with them the risk of their compromise, which is a leading cause of security incidents
  • Short-lived JWTs are a more secure alternative to managing API keys, passwords, and other long-term credentials, because a leaked token is only useful until it expires

Reduced Operational Complexity

  • Simplifies the integration process with external services, replacing complex authentication flows and credential management
  • Automatic token generation and rotation, reducing the burden on developers and operations teams

Improved Interoperability

  • Enables secure cross-cloud and on-premises workload connectivity using a standardized JWT-based approach
  • Supports a wide range of external service providers, including other cloud platforms, SaaS applications, and custom on-premises systems

Best Practices and Recommendations

  • Replace long-term credentials with short-lived JWTs wherever possible to improve security
  • Validate the JWT signature and claims (including custom AWS claims) before granting access in the external service
  • Minimize the JWT lifetime to the shortest duration required for the specific use case
  • Avoid logging or storing the JWTs, and always transmit them over a secure (TLS) channel
  • Leverage the available condition keys to enforce strict access control policies

Conclusion

The AWS outbound identity federation feature provides a secure and seamless way for AWS workloads to authenticate to external services, eliminating the need to manage long-term credentials. By leveraging standardized JWTs and customizable claims, this solution enhances security, reduces operational complexity, and enables greater interoperability across cloud and on-premises environments.
