Advanced IAM (ACG) Flashcards
What is Web Identity Federation?
Simplifies authentication and authorization for web apps.
Users access AWS resources after authenticating with a web-based identity provider like Google or Facebook.
Which Amazon service provides web ID federation, including sign-up and sign-in functionality for your app and access for guest users?
Amazon Cognito
What are user pools for?
Sign-up and sign-in functionality for mobile and web apps.
What are identity pools for?
Provide temporary AWS credentials that grant access to AWS services such as S3 or DynamoDB.
What is exchanged for AWS credentials when a user authenticates to a Cognito user pool with a successful Facebook login?
Facebook returns a JSON Web Token (JWT). That token is exchanged for temporary AWS credentials, which are mapped to an IAM role that grants access to AWS services.
What is the AWS recommended approach for web ID federation for mobile apps?
Cognito
What does Cognito use to send silent push notifications of user data updates to multiple devices?
Cognito Push Synchronization uses SNS to send a silent push notification of user data updates to all devices associated with a single user ID.
What are AWS Managed Policies?
Policies created and maintained by AWS for common use cases, such as AmazonDynamoDBFullAccess or AmazonEC2ReadOnlyAccess.
What is the difference between a Customer Managed Policy and an Inline Policy?
Both are created by you, but an inline policy is embedded in, and applies to, a single user, group or role. Inline policies cannot be shared or reused.
In most cases, what is AWS recommendation for policies?
In most cases, AWS recommends using managed policies over inline policies.
What is STS AssumeRoleWithWebIdentity?
A Security Token Service (STS) API call that returns temporary security credentials for users authenticated by a web identity provider such as Google, Amazon or Facebook. Cognito makes this call on your behalf.
What are the identifiers your application code refers to for temporary AWS credentials?
Within AssumedRoleUser, the Arn and AssumedRoleId identify the temporary session credentials (they are not an IAM role or user).
With STS, after the user has authenticated, what API call does the application make?
assume-role-with-web-identity
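The exchange described in the STS cards above, as an added example that is not part of the flashcards: the app decodes the provider's token only to sanity-check the audience and expiry, calls AssumeRoleWithWebIdentity (the call itself is unsigned; the token is the proof of identity), and reads the credentials plus the AssumedRoleUser identifiers out of the response. The role ARN, session name and the FakeSTS response values are placeholders; the `sts` argument accepts a real boto3 STS client or the constructed stand-in.

```python
import base64
import json
import time
from typing import Optional

# Added example, not from the flashcards: the token exchange an app performs
# after a web identity provider (Facebook/Google/Amazon) signs the user in.
# Cognito performs this exchange for you; calling STS directly looks like this.
# The role ARN, session name and FakeSTS response values below are placeholders.


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    STS verifies the signature against the provider's published keys itself;
    the app only needs the claims to sanity-check aud/exp before the call.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_usable(claims: dict, expected_aud: str, now: Optional[float] = None) -> bool:
    """Reject tokens issued for another app (aud) or already expired (exp)."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_ok = expected_aud in aud if isinstance(aud, list) else aud == expected_aud
    return aud_ok and claims.get("exp", 0) > now


def exchange_web_identity_token(sts, role_arn: str, token: str, session_name: str) -> dict:
    """Call STS AssumeRoleWithWebIdentity and return the temporary credentials.

    `sts` is any object exposing a boto3-compatible assume_role_with_web_identity
    method. The call needs no AWS credentials: the web identity token is the proof.
    """
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        WebIdentityToken=token,
        DurationSeconds=3600,
    )
    creds = resp["Credentials"]
    assumed = resp["AssumedRoleUser"]
    return {
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
        # These identify the temporary session, not an IAM user or role.
        "assumed_role_arn": assumed["Arn"],
        "assumed_role_id": assumed["AssumedRoleId"],
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test helper: an alg=none JWT. Real providers sign their tokens."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


class FakeSTS:
    """Constructed stand-in that returns the shape of a real STS response."""

    def assume_role_with_web_identity(self, **kw):
        claims = decode_jwt_claims(kw["WebIdentityToken"])
        role_name = kw["RoleArn"].rsplit("/", 1)[1]
        account = kw["RoleArn"].split(":")[4]
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLEKEY",
                "SecretAccessKey": "example-secret",
                "SessionToken": "example-session-token",
                "Expiration": "2030-01-01T00:00:00Z",
            },
            "AssumedRoleUser": {
                "AssumedRoleId": "AROAEXAMPLEID:" + kw["RoleSessionName"],
                "Arn": f"arn:aws:sts::{account}:assumed-role/{role_name}/{kw['RoleSessionName']}",
            },
            "SubjectFromWebIdentityToken": claims.get("sub"),
        }


if __name__ == "__main__":
    token = make_unsigned_jwt({"sub": "fb-user-42", "aud": "my-app-id", "exp": 4102444800})
    claims = decode_jwt_claims(token)
    assert token_is_usable(claims, "my-app-id")
    creds = exchange_web_identity_token(
        FakeSTS(), "arn:aws:iam::123456789012:role/PhotoAppUserRole", token, "fb-user-42")
    print(json.dumps(creds, indent=2))
```

With a real client (`boto3.client("sts")`) the same function works unchanged; the returned `assumed_role_arn` is what shows up in CloudTrail for everything the user then does with those credentials, which is why the session name should identify the end user rather than the app.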
Which IAM feature allows you to have your users Authenticate using Facebook, Google or Amazon?
Web Identity Federation
Which Amazon Cognito component enables you to provide user temporary credentials to grant access only to allowed AWS services?
Identity Pools
You are developing a new mobile application for sharing photos. Which AWS technology can you use to ensure your users have a seamless experience across all their devices?
Cognito
How can you allow a user from one AWS account to access and manage resources in another AWS account?
Configure cross-account access
Amazon Cognito provides Web Identity Federation with which of the following features? (choose 3)
- Sign-up and sign-in to your applications
- Multi-Factor Authentication
- Single sign-on for Active Directory users
- Synchronization of user data across multiple device types
- Sign-up and sign-in to your applications
- Multi-Factor Authentication
- Synchronization of user data across multiple device types
Which API call can be used to enable a user authenticated by Facebook to access your web application hosted in AWS?
STS assume-role-with-web-identity
What does Cognito use to manage sign-up and sign-in functionality for mobile and web applications?
User Pools
When using Web Identity Federation to allow a Facebook user to access an AWS service (such as an S3 bucket), what is the correct order of steps?
The user authenticates with Facebook first and receives an ID token from Facebook, which is then traded for temporary security credentials.
You are working on a mobile phone app for an online retailer that stores customer data in DynamoDB. You would like to allow new users to sign-up using their Facebook credentials. What is the recommended approach?
After the user has successfully logged in to Facebook and received an authentication token, Cognito should be used to exchange that token for temporary credentials that grant access to DynamoDB.
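The policies behind the identity pool and cross-account cards above, as an added example that is not part of the flashcards: the trust policy Cognito attaches to an identity pool role (pinned to one pool id and to authenticated users), a cross-account trust policy (L35-36 style) restricted by ExternalId, a permissions policy that scopes every federated user to their own S3 prefix using the `${cognito-identity.amazonaws.com:sub}` policy variable, and a check that catches the common mistake of a trust policy with no aud condition. The identity pool id, account id and bucket name are placeholders.

```python
import json

# Added example, not from the flashcards. The identity pool id, account id and
# bucket name are placeholders. Cognito generates a trust policy of the first
# shape when you create an identity pool; the permissions policy and the check
# are what a practitioner adds to keep the role least-privilege.

IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"  # placeholder


def identity_pool_trust_policy(pool_id: str, authenticated: bool = True) -> dict:
    """Trust policy for the role an identity pool hands out.

    The aud condition pins the role to this one identity pool; without it any
    Cognito identity pool in any AWS account could assume the role. The amr
    condition separates the authenticated role from the guest (unauthenticated) one.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": pool_id},
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr":
                        "authenticated" if authenticated else "unauthenticated"
                },
            },
        }],
    }


def cross_account_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for cross-account access: only principals in the trusted
    account, presenting the agreed ExternalId, may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def per_user_s3_policy(bucket: str) -> dict:
    """Permissions policy scoping each federated user to their own S3 prefix.

    ${cognito-identity.amazonaws.com:sub} is resolved by IAM at request time to
    the caller's identity id, so one policy serves every user of the pool.
    """
    sub = "${cognito-identity.amazonaws.com:sub}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": f"{sub}/*"}},
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{sub}/*",
            },
        ],
    }


def trust_policy_is_pinned(policy: dict, pool_id: str) -> bool:
    """True only if every Allow statement trusting Cognito requires aud == pool_id."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            continue
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get(
            "cognito-identity.amazonaws.com:aud")
        if aud != pool_id:
            return False
    return True


if __name__ == "__main__":
    trust = identity_pool_trust_policy(IDENTITY_POOL_ID)
    assert trust_policy_is_pinned(trust, IDENTITY_POOL_ID)
    print(json.dumps(trust, indent=2))
    print(json.dumps(per_user_s3_policy("photo-app-uploads"), indent=2))
```

Run `trust_policy_is_pinned` against the trust policy of every role an identity pool can hand out, including the unauthenticated (guest) role, which is the one an attacker can obtain without any provider login.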
Which of the following correctly describes an Inline Policy? (choose 2)
- It is embedded in a user, group or role
- The policy will be deleted if you delete the user, group or role it is associated with
- You cannot change the permissions defined in the policy
- It can be attached to multiple users and groups within your AWS account
- It is embedded in a user, group or role
- The policy will be deleted if you delete the user, group or role it is associated with
Which policies are provided by AWS to allow you to easily assign IAM permissions to your users based on pre-defined common use cases?
AWS Managed Policy
What allows users to use their social media account to gain temporary access to the AWS platform?
Web Identity Federation
When would you use an Inline Policy over a Managed Policy?
To add permissions that are only ever intended to be used for a single user in your account
Which is the best way to enable S3 read-access for an EC2 instance?
Create an IAM role with read-access to S3 and assign the role to the EC2 instance
What can you use to test that an IAM policy attached to a user, group or role works as expected?
IAM Policy Simulator
Which IAM entity can you use to delegate access to trusted entities such as IAM users, applications, or AWS services such as EC2?
IAM Role