Advanced IAM Flashcards
What is AWS Directory Service and what is it used for?
A family of managed directory services. It lets you run an Active Directory (or an AD-compatible directory) inside AWS and connect AWS resources to an existing on-premises Active Directory, so that domain-joined EC2 instances, RDS, WorkSpaces and other services can use the same users, groups and Kerberos/LDAP authentication as the on-premises domain.
Main difference between AWS Managed Microsoft AD and Simple AD
Simple AD (a Samba-based, AD-compatible directory) does not support trust relationships with other domains. It also lacks MFA, schema extensions and PowerShell AD cmdlet support, so choose Managed Microsoft AD whenever you need to trust an existing forest.
AD trust
A trust relationship (one-way or two-way, forest or external) between AWS Managed Microsoft AD and an existing on-premises AD. It extends the on-premises directory into AWS without migrating accounts: the common pattern is a resource forest in AWS that trusts the on-premises account forest, so users keep their existing credentials while the resources live in AWS.
What is Amazon Cognito User Pools?
A managed user directory for SaaS applications, intended for sign-up and sign-in of web or mobile app users (username/password, plus federation from social, SAML and OIDC identity providers). It is not an Active Directory: you cannot domain-join instances to it or use Kerberos/LDAP against it.
AD-compatible vs non-AD-compatible Directory Service options
1. Managed Microsoft AD
2. AD Connector
3. Simple AD
4. Cloud Directory
5. Cognito User Pools
AD-compatible: 1, 2, 3
Not AD-compatible: 4, 5
AD supports what authentication protocols?
Kerberos (the default for domain-joined clients), NTLM (legacy fallback, weaker; prefer Kerberos) and LDAP (simple bind sends the password in the clear, so use LDAPS).
AWS Managed Microsoft AD
Provides domain controllers running Windows Server. You get two of them by default, deployed in two different Availability Zones of your VPC, and you can add more for scale or resilience.
AWS vs customer responsibility (shared, roughly 50/50)
1. Multi-AZ deployment, patching, monitoring, recovery
2. Users, groups, GPOs, standard AD tools
3. Scaling out DCs, trusts, certificate authorities
4. Instance rotation, snapshot and restore
AWS: 1, 4
Customer: 2, 3
T/F: AWS Directory Service can be a standalone directory in the cloud
True. AWS Managed Microsoft AD (and Simple AD) run their own domain controllers inside AWS and need no on-premises directory. AD Connector is the exception: it is only a proxy that forwards authentication and lookup requests to an existing on-premises AD and stores nothing itself.
ARN
Amazon Resource Name, the unique identifier of an AWS resource. Format:
arn:partition:service:region:account-id:resource
partition is aws, aws-cn or aws-us-gov. region and account-id are left empty for global or account-less resources: IAM has no region (arn:aws:iam::123456789012:user/alice) and S3 buckets have neither (arn:aws:s3:::my-bucket). The resource part may itself contain : or /, and account-id is the literal aws for AWS-owned resources such as managed policies.
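As an added example (not from the page or from AWS), the parser below splits an ARN into its six fields according to the format above, keeps a resource part that itself contains colons intact, accepts the empty region/account fields and the literal "aws" account id, and separates resource-type from resource-id for services that have one. The sample ARNs are constructed, and the set of services treated as having no resource type is a partial list I have assumed for illustration.

```python
"""Parser for Amazon Resource Names (ARNs): arn:partition:service:region:account-id:resource

Added example, not AWS code.  Points handled:
- region and account-id may be empty (IAM is global, S3 buckets have neither);
- account-id is normally 12 digits but is the literal "aws" for AWS-owned
  resources such as managed policies;
- the resource part may itself contain ':' or '/', so split at most 5 times.
"""
from __future__ import annotations
from dataclasses import dataclass

# Services whose resource field has no 'type' prefix (partial list, an assumption).
TYPELESS_SERVICES = frozenset({"s3", "sns", "sqs"})


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account_id: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its six fields, rejecting malformed input."""
    parts = arn.split(":", 5)  # everything after the 5th colon stays in 'resource'
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"malformed ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts
    if not partition or not service or not resource:
        raise ValueError(f"ARN is missing a required field: {arn!r}")
    if account_id and account_id != "aws" and not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"invalid account id in ARN: {arn!r}")
    return Arn(partition, service, region, account_id, resource)


def is_valid_arn(arn: str) -> bool:
    try:
        parse_arn(arn)
        return True
    except ValueError:
        return False


def split_resource(arn: Arn) -> tuple[str, str]:
    """Return (resource-type, resource-id).

    Most services use 'type/id' (IAM: user/alice) or 'type:id' (Lambda:
    function:name); the first separator that appears wins.  Services without a
    type, such as S3, return '' as the type and the whole field as the id.
    """
    if arn.service in TYPELESS_SERVICES:
        return "", arn.resource
    seps = [i for i in (arn.resource.find("/"), arn.resource.find(":")) if i >= 0]
    if not seps:
        return "", arn.resource
    cut = min(seps)
    return arn.resource[:cut], arn.resource[cut + 1:]


# Constructed sample ARNs (not real resources).
SAMPLE_ARNS = [
    "arn:aws:iam::123456789012:user/alice",
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:lambda:us-east-1:123456789012:function:my-fn:PROD",
    "arn:aws:s3:::my-bucket/logs/2024/app.log",
    "arn:aws-cn:ec2:cn-north-1:123456789012:instance/i-0123456789abcdef0",
]

if __name__ == "__main__":
    for text in SAMPLE_ARNS:
        arn = parse_arn(text)
        print(arn.service, arn.region or "(global)", arn.account_id or "(none)", split_resource(arn))
```

The `split(":", 5)` limit is the point most ad-hoc parsers get wrong: splitting on every colon breaks Lambda aliases and any other resource whose id contains a colon, and a policy or allow-list built on such a parser can match the wrong resource.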
How do you manage users and groups on an AD network?
From a domain-joined Windows instance, using the standard AD tools (Active Directory Users and Computers, the ActiveDirectory PowerShell module). Settings for those users and computers are then applied through Group Policy Objects (GPOs).
Policy evaluation logic
Every request starts implicitly denied: anything not explicitly allowed is denied.
An explicit Allow in an applicable policy grants the request, but an explicit Deny in any applicable policy overrides every Allow (explicit deny > everything else).
What are permissions boundaries used for?
Delegating administration safely. A permissions boundary is a managed policy that sets the maximum permissions an IAM user or role can have; it grants nothing by itself, and the effective permissions are the intersection of the identity-based policies and the boundary. Typical use: let developers create users and roles only if they attach a given boundary (enforced with the iam:PermissionsBoundary condition key), so they cannot create principals more powerful than the boundary allows.
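The two cards above (policy evaluation logic and permissions boundaries) are easiest to see with a small evaluator. The following is an added example, not AWS code and not the real evaluation engine: it models only implicit deny, explicit allow, explicit deny winning, IAM wildcard matching, and a boundary that caps rather than grants. Resource-based policies, SCPs, session policies, conditions, NotAction and NotResource are not modelled, and the policies it evaluates are constructed for illustration.

```python
"""Toy evaluator for IAM identity-based policies plus a permissions boundary.

Added example, not AWS code.  Rules implemented:
  1. every request starts implicitly denied;
  2. an explicit Deny in any matching statement overrides every Allow;
  3. otherwise some identity policy must explicitly Allow the action/resource;
  4. a permissions boundary never grants: the request must also be allowed
     by the boundary, and a Deny in the boundary is still a deny.
Not modelled: resource-based policies, SCPs, session policies, Condition,
NotAction, NotResource.
"""
from __future__ import annotations
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str, ignore_case: bool = False) -> bool:
    """IAM wildcard matching: '*' matches any run, '?' one character.
    Action names are case-insensitive; resource ARNs are case-sensitive."""
    patterns = _as_list(patterns)
    if ignore_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def policy_effect(policy: dict, action: str, resource: str) -> str | None:
    """'Deny' if any matching statement denies, 'Allow' if one allows and none
    denies, None when nothing matches (implicit deny)."""
    effect = None
    for stmt in _as_list(policy["Statement"]):
        if "NotAction" in stmt or "NotResource" in stmt:
            raise NotImplementedError("NotAction/NotResource are not modelled")
        if not _matches(stmt["Action"], action, ignore_case=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny: no need to look further
        effect = "Allow"
    return effect


def evaluate(action: str, resource: str, identity_policies: list[dict],
             boundary: dict | None = None) -> tuple[bool, str]:
    """Decide a request and return (allowed, reason)."""
    effects = [policy_effect(p, action, resource) for p in identity_policies]
    if "Deny" in effects:
        return False, "explicit deny in identity policy"
    if "Allow" not in effects:
        return False, "implicit deny (no identity policy allows it)"
    if boundary is not None:
        b = policy_effect(boundary, action, resource)
        if b == "Deny":
            return False, "explicit deny in permissions boundary"
        if b is None:
            return False, "outside permissions boundary"
    return True, "allowed"


def is_allowed(action: str, resource: str, identity_policies: list[dict],
               boundary: dict | None = None) -> bool:
    return evaluate(action, resource, identity_policies, boundary)[0]


# Constructed sample policies (not from the page).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::team-bucket", "arn:aws:s3:::team-bucket/*"]},
        {"Effect": "Allow", "Action": "iam:CreateRole", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Boundary an administrator attaches to developers: S3 object access only.
DEVELOPER_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::team-bucket/report.csv"
    role = "arn:aws:iam::123456789012:role/anything"
    for act, res, bnd in [
        ("s3:GetObject", obj, None),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/x", None),
        ("s3:DeleteBucket", "arn:aws:s3:::team-bucket", None),
        ("iam:CreateRole", role, None),
        ("iam:CreateRole", role, DEVELOPER_BOUNDARY),
    ]:
        print(act, res, evaluate(act, res, [DEVELOPER_POLICY], bnd))
```

Two behaviours are worth checking against your own mental model: s3:DeleteBucket is denied even though s3:* allows it, because the explicit Deny statement wins regardless of order, and iam:CreateRole flips from allowed to denied once the boundary is attached, while the boundary on its own (with no identity policy) allows nothing at all.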
What is RAM (not random access memory) and what does it do
Resource Access Manager - allows resource sharing between accounts. Works on individual accounts and AWS Organizations
What kinds of resources can you share with RAM?
Among others: App Mesh meshes, Aurora DB clusters, CodeBuild projects, EC2 (VPC subnets, Transit Gateways, Capacity Reservations, Dedicated Hosts), EC2 Image Builder, License Manager configurations, Resource Groups, Route 53 Resolver rules.