Advanced Identity Flashcards

1
Q

What is STS?

A

Security Token Service - grant limited and temporary access to AWS resources

2
Q

What are the four main API calls to know?

A

AssumeRole - assume roles within your account or cross account
GetSessionToken - for MFA, from a user or AWS account root user
GetCallerIdentity - return details about the IAM user or role used in the API call
DecodeAuthorizationMessage - decode error message when an AWS API is denied

3
Q

How do you mandate that MFA is required for an API call?

A

Add aws:MultiFactorAuthPresent: true as a condition to the IAM policy provided by the GetSessionToken call to STS

4
Q

How does IAM evaluate whether a policy allows or denies?

A

Decision starts in the DENY state
-> Evaluate all applicable policies
-> Explicit deny present? Then DENY
-> Then, Explicit allow present? Then ALLOW
-> Else, DENY

5
Q

How do you work out if an IAM user has access to an AWS resource (e.g., S3)?

A

Take a UNION of the IAM policy of the user and the S3 bucket policy to get the overall policy

6
Q

How can you dynamically insert a user’s username into a policy?

A

${aws:username}

7
Q

Why are Customer Managed Policies considered best practice, and over what are they preferred?

A

Preferred over AWS managed and Inline policies
- Best practice as they are versioned, and provide fine grained access
- Inline is specific to the service, lost on service delete
- AWS policies are not fine grained

8
Q

How can a user allow a service to assume a role and perform actions?

A

User needs the IAM permission iam:PassRole
-> Allows them to pass the IAM role during setup of that service

9
Q

Can a role be passed to any service?

A

No - roles can only be passed to what their ‘trust’ allows
- this is an ‘sts:AssumeRole’ Action for a specified ‘Principal.Service’

10
Q

What AD would you recommend for:
- Creating your own AD in AWS, manage users locally and supports MFA

A

AWS managed Microsoft AD

11
Q

What AD would you recommend for:
- Directory Gateway (proxy) to redirect to on-premises AD, supports MFA

A

AD Connector

12
Q

What AD would you recommend for:
- AD compatible managed directory on AWS

A

Simple AD
