Advanced IAM (ACG) Flashcards

1
Q

What is Web Identity Federation?

A

An IAM feature that lets users sign in to your app with a public web identity provider (Google, Facebook, Login with Amazon, or any OpenID Connect compatible provider) and then exchange the provider's token for temporary AWS credentials.

You do not have to run your own user directory or ship long-term AWS access keys with the app: each signed-in user receives short-lived credentials tied to an IAM role, and that role's policy limits what they can reach.

2
Q

Which AWS service provides web identity federation, including sign-up and sign-in functionality for your app and access for guest users?

A

Amazon Cognito

3
Q

What are user pools for?

A

A user directory for your mobile and web apps. It handles sign-up, sign-in, password policy and MFA, can federate to social or SAML providers, and returns ID, access and refresh tokens (JWTs) to the app after a successful sign-in. On its own a user pool grants no AWS permissions; that is the identity pool's job.

4
Q

What are identity pools for?

A

Exchanging an identity (from a user pool, a social/OIDC/SAML provider, or an unauthenticated guest) for temporary, limited-privilege AWS credentials so the app can call AWS services such as S3 or DynamoDB directly. The pool maps authenticated and unauthenticated users to separate IAM roles, so guest access can be much narrower than signed-in access.

5
Q

What is exchanged for AWS credentials when a user of your Cognito-backed app signs in successfully with Facebook?

A

The token Facebook issues on successful login. (Facebook Login returns an OAuth access token; OpenID Connect providers such as Google return a signed JWT ID token.) The app hands that token to the Cognito identity pool, which verifies it and exchanges it for temporary AWS credentials. Those credentials carry the permissions of the IAM role the identity pool maps the user to (its authenticated role), and that role's policy decides which AWS services the user can reach.

6
Q

What is the AWS recommended approach for web ID federation for mobile apps?

A

Cognito

7
Q

What does Cognito use to send silent push notifications of user data updates to multiple devices?

A

Cognito Sync push synchronization uses Amazon SNS to send a silent push notification to every device registered to the same identity whenever that identity's dataset changes, so each device knows to pull the update. Cognito Sync is a legacy feature; AWS points new applications at AWS AppSync for cross-device data synchronization.

8
Q

What are AWS Managed Policies?

A

Policies that AWS creates and maintains for common job functions and service access, for example AmazonDynamoDBFullAccess or AmazonEC2ReadOnlyAccess. You can attach them but not edit them, and AWS updates them as services add actions, so review what a managed policy actually grants before relying on it: the *FullAccess policies are broad and rarely least privilege.

9
Q

What is the difference between a Customer Managed Policy and an Inline Policy?

A

Both are written by you. A customer managed policy is a standalone IAM object with its own ARN: it can be attached to many users, groups and roles, and it keeps version history (up to five versions, so a bad change can be rolled back). An inline policy is embedded in exactly one user, group or role, cannot be reused or shared, and is deleted together with that principal.

10
Q

In most cases, what is AWS recommendation for policies?

A

In most cases, AWS recommends managed policies over inline policies: they are reusable, versioned (so changes can be rolled back), and easier to audit centrally. Inline policies are reserved for permissions that must stay strictly one-to-one with a single principal.

11
Q

What is STS AssumeRoleWithWebIdentity?

A

An AWS Security Token Service API call that returns temporary security credentials for a user who has authenticated with a web identity provider such as Google, Login with Amazon, Facebook, or any OpenID Connect compatible provider. The call is made with the provider's token and the ARN of the role to assume, and needs no AWS credentials of its own: STS verifies the token with the provider and checks it against the trust policy of the role. When you use Cognito identity pools, Cognito performs this exchange on your behalf.

12
Q

What are the identifiers your application code refers to for temporary AWS credentials?

A

In the response, the AssumedRoleUser element holds the Arn (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION) and the AssumedRoleId. These identify the temporary session rather than an IAM user or role, and the Arn is what CloudTrail records for calls made with the credentials. The credentials themselves (AccessKeyId, SecretAccessKey, SessionToken and Expiration) are returned in the separate Credentials element.
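The shape of that response, as an added example (not code from the flashcards or from AWS): a small Python script that reads a constructed AssumeRoleWithWebIdentity response in the JSON form the AWS CLI prints, separates the credentials (under Credentials) from the session identifiers (under AssumedRoleUser), parses the assumed-role ARN the way you would when attributing CloudTrail events, and decides when the temporary credentials need refreshing. The account ID, role name, session name, key IDs and token are placeholders.

```python
"""Reading an STS AssumeRoleWithWebIdentity response.

Added example, not code from the flashcard source or from AWS. The response
below is constructed in the JSON shape the AWS CLI prints; the account ID,
role name, session name, key IDs and token are placeholders, not real
credentials.
"""
import json
from datetime import datetime, timedelta, timezone

RESPONSE_JSON = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FwoGZXIvYXdzEXAMPLEsessiontokenEXAMPLE",
        "Expiration": "2024-01-01T12:00:00Z",
    },
    "SubjectFromWebIdentityToken": "amzn1.account.AF6RHO7KZU5XRVQJGXK6HB56EXAMPLE",
    "AssumedRoleUser": {
        "AssumedRoleId": "AROACLKWSDQRAOEXAMPLE:photo-app-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/FederatedWebIdentityRole/photo-app-session",
    },
    "Provider": "www.amazon.com",
})


def parse_ts(text):
    """Parse the UTC timestamp format STS uses for Expiration."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assumed_role_arn(arn):
    """Split arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION into its parts.

    The same ARN form appears as userIdentity.arn in CloudTrail for calls made
    with the temporary credentials, so this is how activity is attributed back
    to a role and to the RoleSessionName the caller chose.
    """
    prefix, sep, rest = arn.partition(":assumed-role/")
    if not sep:
        raise ValueError("not an assumed-role ARN: " + arn)
    account = prefix.split(":")[4]
    role_name, _, session_name = rest.partition("/")
    return {"account": account, "role_name": role_name, "session_name": session_name}


def load_session(response_json):
    """Return one dict holding the credentials and the session identifiers.

    The values the SDK signs requests with are the three fields under
    Credentials, and all three (including SessionToken) must be sent.
    AssumedRoleUser only names the session: AssumedRoleId is the role's
    unique ID joined with ':' to the RoleSessionName.
    """
    resp = json.loads(response_json)
    creds, ident = resp["Credentials"], resp["AssumedRoleUser"]
    role_id, _, session = ident["AssumedRoleId"].partition(":")
    parsed = parse_assumed_role_arn(ident["Arn"])
    if parsed["session_name"] != session:
        raise ValueError("AssumedRoleId and Arn disagree on the session name")
    return {
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expires_at": parse_ts(creds["Expiration"]),
        "role_id": role_id,
        "subject": resp["SubjectFromWebIdentityToken"],
        **parsed,
    }


def needs_refresh(session, now, margin=timedelta(minutes=5)):
    """True when the temporary credentials expire within `margin` of `now`.

    Temporary credentials cannot be extended; the app must call STS again
    (or let Cognito do so) before this returns True for a live request.
    """
    return session["expires_at"] - now <= margin


if __name__ == "__main__":
    s = load_session(RESPONSE_JSON)
    print("account", s["account"], "role", s["role_name"], "session", s["session_name"])
    print("refresh now?", needs_refresh(s, parse_ts("2024-01-01T11:57:00Z")))
```

The session name is the one piece of this that the caller controls, so pick something that identifies the device or app instance; it is the only hook you will have in CloudTrail when investigating what a particular federated user did.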

13
Q

With STS, after the user has authenticated, what API call does the application make?

A

AssumeRoleWithWebIdentity (aws sts assume-role-with-web-identity in the CLI), passing the provider's token, the ARN of the role to assume and a role session name.

14
Q

Which IAM feature allows you to have your users Authenticate using Facebook, Google or Amazon?

A

Web Identity Federation

15
Q

Which Amazon Cognito component enables you to provide user temporary credentials to grant access only to allowed AWS services?

A

Identity Pools

16
Q

You are developing a new mobile application to share photos. Which AWS technology can you use to ensure your users have a seamless experience across all their devices?

A

Amazon Cognito: the user signs in once and their profile data is kept in sync across every device they use.

17
Q

How can you allow a user from one AWS account to access and manage resources in another AWS account?

A

Configure cross-account access: create an IAM role in the account that owns the resources, with a trust policy naming the other account (or a specific user or role in it) as the principal and a permissions policy scoped to what is actually needed. The user then calls sts:AssumeRole on that role to obtain temporary credentials. When a third party will assume the role, add an sts:ExternalId condition to the trust policy to prevent the confused-deputy problem.

18
Q

Amazon Cognito provides Web Identity Federation with which of the following features? (choose 3)

  • Sign-up and sign-in to your applications
  • Multi-Factor Authentication
  • Single sign-on for Active Directory users
  • Synchronization of user data across multiple device types
A
  • Sign-up and sign-in to your applications
  • Multi-Factor Authentication
  • Synchronization of user data across multiple device types
19
Q

Which API call can be used to enable a user authenticated by Facebook to access your web application hosted in AWS?

A

STS assume-role-with-web-identity

20
Q

What does Cognito use to manage sign-up and sign-in functionality for mobile and web applications?

A

User Pools

21
Q

When using Web Identity Federation to allow a Facebook user to access an AWS service (such as an S3 bucket), what is the correct order of steps?

A

1. The user authenticates with Facebook.
2. Facebook returns a token (an OAuth access token) to the app.
3. The app passes that token to Amazon Cognito (or calls STS AssumeRoleWithWebIdentity directly); the token is verified with Facebook and exchanged for temporary security credentials tied to an IAM role.
4. The app uses those temporary credentials to call the AWS service, for example to read objects from the S3 bucket the role allows.

22
Q

You are working on a mobile phone app for an online retailer that stores customer data in DynamoDB. You would like to allow new users to sign-up using their Facebook credentials. What is the recommended approach?

A

After the user has successfully logged in to Facebook and received a token, a Cognito identity pool should exchange that token for temporary credentials mapped to an IAM role whose policy allows the required DynamoDB actions. Scope that role with a condition on the user's Cognito identity (for example dynamodb:LeadingKeys matching ${cognito-identity.amazonaws.com:sub}) so each customer can only read and write their own items.

23
Q

Which of the following correctly describes an Inline Policy? (choose 2)

  • It is embedded in a user, group or role
  • The policy will be deleted if you delete the user, group or role it is associated with
  • You cannot change the permissions defined in the policy
  • It can be attached to multiple users and groups within your AWS account
A
  • It is embedded in a user, group or role
  • The policy will be deleted if you delete the user, group or role it is associated with

24
Q

Which policies are provided by AWS to allow you to easily assign IAM permissions to your users based on pre-defined common use cases?

A

AWS Managed Policy

25
Q

What allows users to use their social media account to gain temporary access to the AWS platform?

A

Web Identity Federation

26
Q

When would you use an Inline Policy over a Managed Policy?

A

To add permissions that are only ever intended to be used for a single user in your account

27
Q

Which is the best way to enable S3 read-access for an EC2 instance?

A

Create an IAM role with read-access to S3 and assign the role to the EC2 instance (through an instance profile). Never place long-term access keys on the instance: the role's temporary credentials are delivered through the instance metadata service and rotated automatically.

28
Q

What can you use to test that an IAM policy attached to a user, group or role works as expected?

A

The IAM Policy Simulator (in the console, or the SimulatePrincipalPolicy and SimulateCustomPolicy API calls). It evaluates the policies against a chosen action and resource and reports allowed or denied without making the real call.

29
Q

Which IAM entity can you use to delegate access to trusted entities such as IAM users, applications, or AWS services such as EC2?

A

An IAM Role. A role has a trust policy (who may assume it) and permissions policies (what the assumed session may do); assuming it yields temporary credentials, so no long-lived secret has to be shared with the trusted entity.
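The trust policies behind cards 17, 21/22 and 29, and the allow/deny logic a policy simulator (card 28) applies to them, as one added example. This is not code from the flashcards or from AWS: it is a deliberately small evaluator that implements the core IAM decision rule (explicit Deny wins, otherwise any matching Allow grants, otherwise implicit Deny) and runs three constructed policies through it. The account IDs, identity pool ID, ExternalId value and bucket name are placeholders, and principal matching is simplified to exact string comparison.

```python
"""Tiny offline IAM policy evaluator (added example; not AWS's engine).

Rule, as the IAM Policy Simulator applies it: an explicit Deny always wins,
otherwise any matching Allow grants, otherwise the implicit default is Deny.
Supports '*'/'?' wildcards in Action and Resource, exact Principal matching
(simplified: real IAM treats an account root principal as any principal in
that account) and StringEquals/StringLike with the ForAnyValue prefix.
All account IDs, the pool ID, ExternalId and bucket name are placeholders.
"""
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _wild(patterns, value, fold=False):
    """IAM-style wildcard match; fold=True for case-insensitive action names."""
    pats = _as_list(patterns)
    if fold:
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _principal_matches(stmt, ctx):
    spec = stmt.get("Principal")             # only trust/resource policies carry one
    if spec is None or spec == "*":
        return True
    return ctx.get("principal") in _as_list(spec.get(ctx.get("principal_type"), []))

def _conditions_hold(stmt, ctx):
    for op, clauses in stmt.get("Condition", {}).items():
        set_op, _, base = op.rpartition(":")  # e.g. 'ForAnyValue:StringLike'
        if base not in ("StringEquals", "StringLike"):
            raise ValueError("unsupported condition operator " + op)
        for key, want in clauses.items():
            got = ctx.get("keys", {}).get(key)
            if got is None:                   # an absent key never satisfies String*
                return False
            values = _as_list(got) if set_op == "ForAnyValue" else [got]
            if base == "StringLike":
                hit = any(_wild(want, v) for v in values)
            else:
                hit = any(v in _as_list(want) for v in values)
            if not hit:
                return False
    return True

def evaluate(policy, ctx):
    """Return 'Allow' or 'Deny' for one request context against one policy document."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _wild(stmt["Action"], ctx["action"], fold=True):
            continue
        if "Resource" in stmt and not _wild(stmt["Resource"], ctx["resource"]):
            continue
        if not (_principal_matches(stmt, ctx) and _conditions_hold(stmt, ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                     # explicit deny overrides every Allow
        allowed = True
    return "Allow" if allowed else "Deny"     # nothing matched: implicit deny

# Cards 17/29: trust policy on a role in the account that owns the resources.
# The ExternalId condition blocks the confused-deputy case, where a third
# party is tricked into assuming this role on someone else's behalf.
CROSS_ACCOUNT_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "acme-prod-7f3a"}}}]}

# Cards 21/22: trust policy of an identity pool's authenticated role. Without
# the aud condition any identity pool anywhere could mint credentials for this
# role; without amr, unauthenticated guests of this pool could as well.
WEB_IDENTITY_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Condition": {
        "StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-1:0f9e8d7c-1234-4abc-8def-000000000000"},
        "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}}}]}

# Card 28: a customer managed policy to simulate. The Deny on private/ wins
# even though s3:Get* also matches those objects.
PHOTO_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
     "Resource": ["arn:aws:s3:::photo-uploads", "arn:aws:s3:::photo-uploads/*"]},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::photo-uploads/private/*"}]}

def assume_cross_account(principal_arn, external_id=None):
    keys = {"sts:ExternalId": external_id} if external_id else {}
    return evaluate(CROSS_ACCOUNT_TRUST, {"action": "sts:AssumeRole", "principal_type": "AWS",
                                          "principal": principal_arn, "keys": keys})

def assume_web_identity(pool_id, amr):
    ctx = {"action": "sts:AssumeRoleWithWebIdentity", "principal_type": "Federated",
           "principal": "cognito-identity.amazonaws.com",
           "keys": {"cognito-identity.amazonaws.com:aud": pool_id, "cognito-identity.amazonaws.com:amr": amr}}
    return evaluate(WEB_IDENTITY_TRUST, ctx)

def simulate_s3(action, key):
    return evaluate(PHOTO_READ_POLICY, {"action": action, "resource": "arn:aws:s3:::photo-uploads/" + key})
```

Calling assume_cross_account with the right ExternalId returns Allow; omitting it, sending a wrong value, or coming from another account returns Deny. assume_web_identity returns Allow only for this pool's authenticated users (amr contains "authenticated"), and simulate_s3 shows s3:GetObject allowed under public/ but denied under private/ even though the Allow statement also matches. Real IAM has many more operators (Bool, ArnLike, IpAddress, Null and others) and also folds in resource policies, permissions boundaries and SCPs, so for anything you intend to deploy, run the same cases through the IAM Policy Simulator rather than this script.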