Advanced IAM Flashcards
How does Web Identity Federation work?
- The user authenticates with a Web Identity Provider (like Google, Facebook, Amazon)
- The user receives an authentication/web token from the Web ID Provider
- The token is exchanged for temporary AWS credentials allowing them to assume an IAM role (if Cognito is used then it is the service which performs the exchange of token to temporary AWS credentials)
What is Cognito?
Cognito is an Identity Broker which handles interaction between your applications and the Web ID Provider.
What is a User Pool?
Cognito uses User Pools to manage sign-up and sign-in directly or via Web ID Providers (Facebook et cetera).
How does Cognito make sure that data is synchronized between a user's devices?
Cognito uses Push Synchronization with SNS to send a silent push notification of user data updates to multiple device types associated with a user ID.
Which are the three different types of IAM policies available?
- Managed Policies
  - An IAM policy which is created and administered by AWS
  - A single Managed Policy can be attached to multiple users, groups, or roles within the same AWS account and across different accounts.
  - You cannot change the permissions defined in an AWS Managed Policy
- Customer Managed Policies
  - A standalone policy that you create and administer inside your own AWS account.
  - You can attach this policy to multiple users, groups, and roles - but only within your own account
  - Recommended when AWS Managed Policies don’t meet the needs of your environment
- Inline Policies
  - An IAM policy which is embedded within the user, group, or role to which it applies.
  - When you delete the user, group, or role in which the Inline policy is embedded, the policy will also be deleted
  - In most cases, AWS recommends using Managed Policies over Inline Policies
What is assume-role-with-web-identity?
It’s an API provided by Security Token Service. It returns temporary security credentials for users authenticated by a mobile or web application or using a Web ID Provider like Amazon, Facebook, Google, et cetera.
- Cognito makes this call to STS assume-role-with-web-identity
- Regular web applications can use the STS assume-role-with-web-identity API
What are the main parts of the response you get after making an ‘assume-role-with-web-identity’ call?
- AssumedRoleUser:
  - Contains ARN and AssumedRoleId
  - Can be used to refer to the temporary credentials programmatically
  - Remember that these are NOT IAM roles or users
- Credentials
  - SessionToken
  - SecretAccessKey
  - AccessKey
  - Expiration (default 1 hour)
How can you allow a user from one AWS account to access and manage resources in another AWS account?
Configure cross-account access.
What AWS service can be used to securely store confidential information like credentials or license codes so that they can be accessed by EC2 instances?
AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values.