Advanced IAM Flashcards
What does ARN stand for?
Amazon Resource Name
What is the component syntax of an ARN?
- All ARNs begin with `arn:partition:service:region:account_id:`
- If a section is not applicable, it is left empty (so you can see `::`)
- And end with a resource, in one of these forms:
  - resource
  - resource_type/resource
  - resource_type/resource/qualifier
  - resource_type/resource:qualifier
  - resource_type:resource
  - resource_type:resource:qualifier
What are the major differences between the two types of IAM Policies?
- Identity policies
  - attached to an IAM user, group, or role
  - specify what an identity can do
- Resource policies
  - attached to a resource
  - specify who can do what to the resource
Do IAM policies take effect upon creation?
No. An IAM Policy has no effect until it is attached to a resource or role.
What is the basic format of an IAM policy document?
- Version (YYYY-MM-DD)
- List of statements, each individual statement enclosed in {}
- Each statement matches an AWS API request
- Each statement has an Effect, either Allow or Deny
- Each statement has a list of Actions the Effect applies to, of the form `servicename:ActionName`
- Each statement has a Resource the Action is against (in ARN form)
- Idea: (Allow/Deny) Resource to do Actions
What is an AWS API Request?
Any action you can perform against AWS
If an IAM policy does not explicitly allow an API action, might it still be implicitly allowed?
No
If an action is not explicitly allowed, it is implicitly denied
In general, how does AWS reconcile multiple attached policies to the same user or resource?
AWS joins all applicable policies
Suppose your IAM user has 2 policies, one of which explicitly denies access to all S3 buckets, the other of which explicitly allows access to a specific S3 bucket. Will this user be allowed to access to the specific S3 bucket?
No
An explicit deny overrides anything else in any other policy
What is the purpose of AWS Permission Boundaries?
- The idea is to prevent privilege escalation or unnecessarily overbroad permissions
- Controls maximum permissions an IAM policy can grant
What are some use cases for AWS Permission Boundaries?
- Developers creating roles for Lambda functions
- Application owners creating roles for EC2 instances
- Administrators creating ad hoc users
In the context of IAM, what does RAM stand for?
Resource Access Manager
What is the general use case of AWS Resource Access Manager?
- Resource Sharing between accounts
- can be between individual accounts or within accounts in AWS Organizations
Which AWS resources can I share using AWS Resource Access Manager?
- App Mesh
- Aurora
- CodeBuild
- EC2
- EC2 Image Builder
- License Manager
- Resource Groups
- Route 53
What does SSO stand for?
Single Sign-On
What does SAML stand for?
Security Assertion Markup Language
What are the general use cases for AWS SSO?
- Centrally manage access to AWS Resources
- Using existing identities to log in to AWS
- Governing account-level permissions
- SAML
Suppose you have a fleet of EC2 instances, all joined to the same Active Directory domain. Do you need to manage the credentials on the individual EC2 instances?
No
AWS Directory Service provides SSO to any domain-joined EC2 instance
What is the purpose of AWS Directory Service?
Connecting AWS resources with on-premises AD
When using AWS Managed Microsoft AD, who is responsible for ensuring multi-AZ deployment?
AWS
What does AD stand for?
Active Directory
What is Active Directory?
- On-premises directory service
- Uses a hierarchical database of users, groups, and computers, organized in trees and forests
- You apply group policies to help you manage users and devices on a network
What is the key feature of AWS Managed Microsoft AD?
AD domain controllers (to which you have exclusive access) running Windows Server, reachable by applications in your VPCs
How does AWS Managed Microsoft AD ensure high availability?
- You get 2 DCs by default
- You can also add DCs for additional HA and performance
When using AWS Managed Microsoft AD, who is responsible for backup operations?
AWS
When using AWS Managed Microsoft AD, who is responsible for ensuring you are on the most up-to-date version of the software?
AWS
When using AWS Managed Microsoft AD, who is responsible for scaling out domain controllers?
You
When using AWS Managed Microsoft AD, who is responsible for maintaining users, groups, and group policy objects?
You
Suppose you want to extend existing AD to your on-premises infrastructure. What tool might you use to do this?
AD Trust
When using AWS Managed Microsoft AD, who is responsible for any identity federation?
You
When using AWS Managed Microsoft AD, who is responsible for dealing with certificate authorities?
You
What is AWS Simple AD?
A standalone managed directory in the cloud, used for basic AD features
Does AWS Simple AD support trusts?
No
How many users can a small Simple AD handle?
Up to 500
How many users can a large Simple AD handle?
Up to 5000
Does Simple AD allow you to join with on-premises AD?
No, Simple AD does not support trusts
What is AD Connector?
- AD Connector is a directory gateway (proxy) for on-premises AD
What is AWS Cloud Directory?
- A fully-managed directory-based store for developers
- Used in applications that implement org charts, course catalogs, device registries
What are Amazon Cognito User Pools?
- Managed user directory for SaaS applications
- Sign-up and sign-in for web / mobile
- Typically used with social media identities
What does SaaS stand for?
Software as a Service
What are the key benefits of AD Connector?
- Avoid caching directory information in the cloud
- Allow on-premises users to log in to AWS using AD
- Join EC2 instances to your existing AD domain
- Scale across multiple AD connectors