25. Identity and Access Management (IAM) - Advanced Flashcards
1
Q
AWS Organization
A
- Global service
- Allows you to manage multiple AWS accounts
- The main account is the management account
- Consolidated billing across all accounts - single payment method
- Pricing benefits
2
Q
AWS Organization Advantages
A
- Multi-account vs. one account with multiple VPCs
- Use tagging standards for billing purposes
- Enable CloudTrail on all accounts, send logs to a central S3 account
- Send CloudWatch Logs to a central logging account
3
Q
AWS Organization Security
A
- IAM policies applied to OUs or Accounts to restrict Users and Roles
- They do not apply to the management account
- Must have an explicit allow
4
Q
IAM Conditions
aws:SourceIp
Restrict the client IP from which the API calls are being made
A
"Condition": {
  "NotIpAddress": {
    "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]
  }
}
5
Q
IAM Permission Boundaries
A
- IAM Permission Boundaries are supported for users and roles (not groups)
- Advanced feature that uses a managed policy to set the maximum permissions an IAM entity can get.
6
Q
AWS IAM Identity Center
(successor to AWS Single Sign-On)
A
- One login (single sign-on) for all your AWS Accounts in AWS Organizations
  - Business cloud applications (Salesforce, Box, Microsoft 365)
  - SAML 2.0-enabled applications
  - EC2 Windows Instances
7
Q
Microsoft Active Directory (AD)
A
- Found in any Windows Server with AD Domain Services
- Database of objects: User Accounts, Computers, Printers, File Shares, Security Groups
- Centralized security management: create accounts, assign permissions
- Objects are organized in trees
- A group of trees is a forest
8
Q
AWS Directory Service
A
- AWS Managed Microsoft AD
  - Create your own AD in AWS, manage users locally, supports MFA
  - Establish trust connections with your on-premises AD
- AD Connector
  - Directory gateway (proxy) to redirect to on-premises AD, supports MFA
  - Users are managed on the on-premises AD
9
Q
AWS Control Tower
A
- Easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices
- AWS Control Tower uses AWS Organizations to create accounts
- Benefits:
  - Automate the setup of your environment in a few clicks
  - Automate ongoing policy management using guardrails
  - Detect policy violations and remediate them
  - Monitor compliance through an interactive dashboard