Advanced IAM Flashcards
1
Q
AWS Directory Service
A
Family of managed services - stand alone directory in the cloud
- (Microsoft | AD Compatible) AWS Managed Microsoft AD
- AD domain controllers running Windows Server
- AWS managed
- multi-AZ
- patching, monitoring, recovery, instance rotation, snapshots
- Customer managed
- users, groups
- federation
- certs
- can have trusts
- (Microsoft | AD Compatible) Simple AD
- Standalone managed directory
- small/500 - large 5,000
- easier to manage EC2
- linux
- NO TRUSTS
- (Microsoft | AD Compatible) AD connector
- Directory gateway (proxy) to on-premises AD; no directory data is stored in AWS
- Allows on-premises users to log in to AWS using their existing AD credentials
- Cloud Directory
- intended for devs
- multiple hierarchies with tons of objects
- Cognito User Pools
- Managed user directory for SaaS
What is Active Directory (AD)? - on-premises directory service holding a hierarchy of users, groups and computers
2
Q
IAM Policies
A
- ARN (Amazon Resource Name)
- arn:partition:service:region:account_id:resource_type/resource
- ex: arn:aws:iam::123456789:user/mark
- IAM Policies - JSON document that defines permissions - Effect/Action/Resource
- Identity policy
- Resource policy
- Have to attach the policy to work
- Permissions boundary
- An additional policy that caps the maximum permissions an identity can have, limiting it to a specific service or set of actions
TIPS
- Anything not explicitly allowed is implicitly denied
- Explicit deny > everything else
- AWS joins all applicable policies
- AWS-managed vs customer-managed policies
3
Q
AWS Resource access manager (RAM)
A
Allows resource sharing between accounts
4
Q
AWS Single Sign-On (SSO)
A
Service that helps centrally manage access to AWS accounts and business applications.
- Can also sign on to 3rd party services through AWS
TIPS:
If you see SAML in a question look for SSO for an answer