25. Identity and Access Management (IAM) - Advanced Flashcards

1
Q

AWS Organization

A
  • Global service
  • Allows you to manage multiple AWS accounts
  • The main account is the management account
  • Consolidated billing across all accounts - single payment method
  • Pricing benefits
2
Q

AWS Organization Advantages

A

  • Multi-account vs. one account with multiple VPCs
  • Use tagging standards for billing purposes
  • Enable CloudTrail on all accounts, send logs to a central S3 account
  • Send CloudWatch Logs to a central logging account

3
Q

AWS Organization Security

A
  • IAM policies applied to OUs or accounts to restrict users and roles
  • They do not apply to the management account
  • Must have an explicit allow
4
Q

IAM Conditions
aws:SourceIP

Restricts the client IP addresses from which API calls may be made

A

"Condition": {
  "NotIpAddress": {
    "aws:SourceIP": ["192.0.2.0/24", "203.0.113.0/24"]
  }
}

5
Q

IAM Permission Boundaries

A
  • IAM Permission Boundaries are supported for users and roles (not groups)
  • Advanced feature that uses a managed policy to set the maximum permissions an IAM entity can get
6
Q

AWS IAM Identity Center
(successor to AWS Single Sign-On)

A
  • One login (single sign-on) for all your AWS accounts in AWS Organizations
    Business cloud applications (Salesforce, Box, Microsoft 365)
    SAML 2.0-enabled applications
    EC2 Windows instances
7
Q

Microsoft Active Directory (AD)

A
  • Found on any Windows Server with AD Domain Services
  • Database of objects: users, accounts, computers, printers, file shares, security groups
  • Centralized security management: create accounts, assign permissions
  • Objects are organized in trees
  • A group of trees is a forest
8
Q

AWS Directory Service

A
  • AWS Managed Microsoft AD
    Create your own AD in AWS, manage users locally, supports MFA
    Establish trust relationships with your on-premises AD
  • AD Connector
    Directory gateway (proxy) that redirects to the on-premises AD, supports MFA
    Users are managed in the on-premises AD
9
Q

AWS Control Tower

A
  • Easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices
  • AWS Control Tower uses AWS Organizations to create accounts
  • Benefits:
    Automate the setup of your environment in a few clicks
    Automate ongoing policy management using guardrails
    Detect policy violations and remediate them
    Monitor compliance through an interactive dashboard