Advanced IAM

Question 1

What is AWS Directory Service?

Answer 1

connects your AWS resources to on prem AD, allows you to use your existing corporate credentials and allows you to SSO to any domain joined EC2 instance

Question 2

What is AWS Managed MS AD?

Answer 2

AD Domain Controllers (DC’s) running windows servers reachable by application in your VPC.

Question 3

What responsibilities lie on the customer in AWS Managed MS AD?

Answer 3

scale out your own DC’s and manage your own trusts

Question 4

What is simple AD?

Answer 4

AWS Managed AD’s baby brother. Offers basic AD features, but does not support trusts.

Question 5

What sizes can you get Simple AD in?

Answer 5

Small (up to 500 users) and Large (up to 5k users)

Question 6

What is AD connector?

Answer 6

Supports trusts. Directory gateway for on prem AD, allowing on prem users to log in to AWS using AD. You can also join EC2 instances in your existing AD domain.

Question 7

What is cloud directory and what are some use cases for it?

Answer 7

Hierarchical based store for up to hundreds of millions of objects. Can be used for org charts, device registries, etc.

Question 8

Amazon Cognito User Pools

Answer 8

Managed user directory for SaaS applications. Typically used to login with social media login info.

Question 9

What is a Amazon Resource Name ( ARN)?

Answer 9

unique ID for all resources in AWS

Question 10

how are ARN’s formatted?

Answer 10

arn:partition:service:region:account_id:

Question 11

what is an IAM policy?

Answer 11

a JSON doc that defines permissions

Question 12

What are the two types of IAM policies?

Answer 12

Identity and Resource

Question 13

What are the three parts of an IAM policy and what do they control?

Answer 13

Effect - Either allow or deny
Action - API call
Resource - The entity

Question 14

T or F: Policies don’t have any effect until attached to an identity or resource

Answer 14

T

Question 15

T o F: Policies are attached to Roles, which are then assigned to either an object or a user

Answer 15

T

Question 16

What is an inline policy?

Answer 16

a policy applied just to one role, created straight from the role itself

Question 17

T o F: Any permission that is not explicitly allowed is implicitly denied

Answer 17

T

Question 18

What overrules the other? Explicit deny, or explicit allow?

Answer 18

Explicit deny overrules everything else

Question 19

What are permission boundaries

Answer 19

Granting a permission but only for a specific resource. Ex. Give someone admin access, but only for dynamoDB

Question 20

T or F: You can edit AWS managed policies

Answer 20

F

Question 21

What does AWS Resource Access Manager (RAM) do?

Answer 21

Allows for resource sharing between accounts

Question 22

With RAM, what must the receiving party do in order to see the shared resource?

Answer 22

Accept the invitation

Question 23

Where is AWS SSO info recorded?

Answer 23

CloudTrail

Question 24

What does AWS SSO integrate with?

Answer 24

Active directory or any SAML 2.0 application