1 - Access Control Flashcards
What are the basic concepts of IAM?
Users are people
Groups are a set of users with the same permissions.
Roles are permissions assigned to one or more resources, not people
Permissions are applied to users, groups and roles
What credentials are used for programmatic access?
An access key ID and a secret access key.
The latter can’t be retrieved again but can be regenerated.
These credentials cannot be used for console access
Is IAM region based?
No, it’s global
What is cross-account access?
A feature of the console for ease of use when working in multi-account or multi-role environments
What is STS generally used for?
- Federation using SAML i.e. from AD
- Federation from mobile apps using OpenID via Cognito
- Cross-account access
What are the key concepts of STS?
Federation is the process of joining users from one domain to another
An identity broker performs the matching (federation) from A to B
Identity stores are services like AD or Facebook that store the identities
Identities are users of that service
What is the general process for federation against AD?
The user enters their username and password into an application, which forwards them to the identity broker
The identity broker forwards the credentials to the identity store which validates them.
If the credentials are valid, the identity broker calls STS to generate a token and returns it to the application
What fields do tokens returned from STS have?
An access key, secret access key, session token, and a duration
What range of durations does STS support?
1 to 36 hours
What does an object in S3 consist of?
The key, value (actual data), version ID, metadata (tags) and sub-resources.
Sub-resources include the ACL, a torrent file, and transfer acceleration configuration
What are the size limits for S3?
Individual objects can be 0 bytes to 5 terabytes
There is no limit on total bucket size
What are the restrictions of bucket names in S3?
Bucket names must be globally unique. They can’t contain underscores, spaces, or capital letters
What is the DNS name for an object?
https://s3-region.amazonaws.com/bucket/object
What is the data consistency model for S3?
Read after write for PUTs of new objects
Eventual consistency for overwrite PUTs and DELETEs
How can an application tell if an upload to S3 was successful?
Successful PUTs return a status code of 200
Do objects inherit tags from their buckets?
No
Can buckets be synchronised across regions?
Yes, using the Cross Region Replication (CRR) feature
What are the requirements for CRR to be set up?
Both buckets must have versioning enabled.
The target bucket may be in another account and could have a different storage class
Replication can only be between two buckets - daisy chaining is not supported
What are the rules for CRR?
Existing objects are not synchronised when CRR is first set up - only new ones
Filtering can limit the objects replicated by prefix
Once set up:
- Delete markers are propagated
- Deleting delete markers does not propagate - objects must be restored from both buckets
- Changes to the ACL are not replicated
- Permanently deleting an old version does not replicate
What are the basic storage classes for S3?
S3 Standard has 99.99% availability (SLA guarantees 99.9%) and 11 nines durability.
S3 - IA has a lower storage fee but higher request fees. It maintains 11 nines durability but is slightly less available.
S3 - IA - One Zone has an even lower cost but is stored in only one AZ. It still has 11 nines durability.
Note: objects smaller than 128 KB in either IA tier are charged as though they were 128 KB
How is access to S3 controlled?
ACLs which are per object and per bucket
Bucket policies and public access settings are per bucket
What forms of encryption does S3 support?
Encryption in transit as uploads and downloads are over SSL/TLS
Client-side encryption involves manually encrypting it before uploading
Amazon S3 Managed Keys (SSE-S3) - each object is given its own key which is in turn encrypted by Amazon’s master key
Amazon Key Management Service (SSE-KMS) adds a separate envelope key which is either provided by AWS or the customer. In the latter case, it is unique per user x region x service
SSE-C uses a customer-provided key
In the context of S3, what is versioning?
An option to keep all previous versions of objects. Deleting an object merely adds a delete marker.
Once enabled, it cannot be disabled. It can be suspended, in which case existing versions are retained but new ones won’t be added
What is MFA delete?
An optional feature for S3 which requires an MFA code to delete a version or disable versioning.
It only works on versioned buckets.