29. Advanced Identity Flashcards
What is AWS STS?
Security Token Service
Allows you to grant limited, temporary access to AWS resources (up to 1 hour)
What STS API operation should you use to assume roles within your account or cross account?
AssumeRole
What STS API operation should you use to return a set of temporary credentials for an AWS account or IAM user?
GetSessionToken
What STS API operation should you use to decode the error message when an AWS API is denied?
DecodeAuthorizationMessage
What does GetSessionToken return?
- Access ID
- Secret Key
- Session Token
- Expiration Date
What should you include in an IAM policy to enable MFA?
The condition key aws:MultiFactorAuthPresent, set to true
How do you assign each user a /home/ folder in an S3 bucket?
Create one dynamic policy with IAM and leverage the special policy variable ${aws:username}
What is an AWS Managed Policy?
- maintained by AWS
- good for power users and admins
- updated in case of new services / new APIs
What is a Customer Managed Policy?
- best practice; reusable and can be applied to many principals
- version controlled + rollback
- central change management
What is an Inline Policy?
- strict one-to-one relationship between policy and principal
- policy is deleted if you delete the IAM principal
What is the IAM permission required to be able to pass a role?
iam:PassRole
How do you view the role being passed?
iam:GetRole
What policy grants the user of the role the needed permissions to carry out the intended tasks on the resource?
Permissions policy
A permissions document in JSON format in which you define what actions and resources the role can use.
What policy specifies which trusted account members are allowed to assume the role?
Trust policy
A role trust policy is a required resource-based policy that is attached to a role in IAM. The principals that you can specify in the trust policy include users, roles, accounts, and services.
What are the 3 AWS Directory Service Types?
- AWS Managed Microsoft AD
- AD Connector
- Simple AD