AuthZ AuthN Flashcards

1
Q

What is required of all AWS IAM or Resource policies?

A
  • Effect is required - Allow or Deny
  • Action is required - takes the form service-identifier:action
  • Resource is required - must be an ARN
2
Q

IAM Policies

A

IAM policies are attached to users, enabling centralized control of permissions for users under your AWS account to access AWS resources. With IAM policies, you can only grant users within your own AWS account permission to access your Amazon resources.

IAM policies don’t have a Principal element.

3
Q

IAM Permission Boundary

A

A permissions boundary uses a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity’s permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundary.
A permissions boundary can only be applied to IAM users or roles, not IAM groups.

4
Q

Identity Policy vs Resource Policies

A

Identity policies don’t specify a Principal (the user or group that will access the resource) because they are attached directly to the users or groups themselves.

5
Q

SCP, what must be enabled to use?

A

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs aren’t available if your organization has enabled only the consolidated billing features.

6
Q

SCP Limitation

A

SCPs alone are not sufficient for granting permissions to the accounts in your organization. No permissions are granted by an SCP. An SCP defines a guardrail, or sets limits, on the actions that the account’s administrator can delegate to the IAM users and roles in the affected accounts.

7
Q

AWS Single Sign-On (AWS SSO)

A

You create, or connect, your workforce identities in AWS once and manage access centrally across your AWS organization. You can choose to manage access just to your AWS accounts or to cloud applications.

Unified administration experience to define, customize, and assign fine-grained access.

8
Q

AWS SSO Features

A

Create user identities directly in AWS SSO, or bring them in from your Microsoft Active Directory or a standards-based identity provider

User portal where users access their assigned AWS accounts or cloud applications

Integrated with AWS Organizations

Manage SSO access for multiple AWS accounts

Audit SSO activity

MFA

SAML integration

Enable SSO access to your Amazon EC2 Windows instances

ABAC (attribute-based access control)

9
Q

AWS Directory Service

A

AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft Active Directory (AD)

Managed service offering, providing directories that contain information about your organization, including users, groups, computers, and other resources

The directory is deployed across multiple Availability Zones, and monitoring automatically detects and replaces domain controllers that fail

Data replication and automated daily snapshots are configured

10
Q

service-linked role

A

A unique type of IAM role that is linked directly to an AWS service

Predefined by the service and includes all the permissions that the service requires to call other AWS services on your behalf

Not affected by SCPs
