AWS Identity and Access Management (IAM) | Multi-Factor Authentication Flashcards

1
Q

Are there any default quota limits associated with IAM?

Multi-Factor Authentication

AWS Identity and Access Management (IAM) | Security, Identity & Compliance

A

Yes, by default your AWS account has initial quotas set for all IAM-related entities. For details see Limitations on IAM Entities and Objects.

These quotas are subject to change. If you require an increase, you can access the Service Limit Increase form via the Contact Us page, and choose IAM Groups and Users from the Limit Type drop-down list.

2
Q

What is AWS MFA?

A

AWS multi-factor authentication (AWS MFA) provides an extra level of security that you can apply to your AWS environment. You can enable AWS MFA for your AWS account root user and for the individual AWS Identity and Access Management (IAM) users you create under your account.

3
Q

How does AWS MFA work?

A

AWS MFA uses an authentication device that produces a fresh six-digit, single-use authentication code every 30 seconds. The codes are not random: the device and AWS derive them from a secret seed they share and from the current time (the TOTP algorithm), which is why both clocks must agree. There are two primary ways to authenticate using an AWS MFA device:

AWS Management Console users: When a user with MFA enabled signs in to an AWS website, they are prompted for their user name and password (the first factor, what they know) and for an authentication code from their AWS MFA device (the second factor, what they have). All AWS websites that require sign-in, such as the AWS Management Console, fully support AWS MFA. You can also use AWS MFA together with Amazon S3 MFA Delete for additional protection of the object versions stored in S3.

AWS API users: You can enforce MFA authentication by adding MFA restrictions to your IAM policies. To access APIs and resources protected in this way, developers request temporary security credentials from the AWS Security Token Service (STS, the service that issues temporary security credentials) and pass the MFA device's serial number and a current code as the optional MFA parameters of that request. The resulting MFA-validated temporary security credentials can be used to call MFA-protected APIs and resources.

4
Q

How do I help protect my AWS resources with MFA?

A

Follow two easy steps:

  1. Get an authentication device. You have two options:
    - Purchase a hardware device from Gemalto, a third-party provider.
    - Install a virtual MFA-compatible application on a device such as your smartphone.
    Visit the AWS MFA page for details about how to acquire a hardware or virtual MFA device.
  2. After you have an authentication device, activate it in the IAM console. You can also use the AWS CLI (aws iam enable-mfa-device) to activate the device for an IAM user.
5
Q

Is there a fee associated with using AWS MFA?

A

AWS does not charge any additional fees for using AWS MFA with your AWS account. However, if you want to use a physical authentication device, you will need to purchase one that is compatible with AWS MFA from Gemalto, a third-party provider. For more details, please visit Gemalto’s website.

6
Q

Can I have multiple authentication devices active for my AWS account?

A

Yes. Each IAM user can have its own authentication device. When this FAQ was written, each identity (IAM user or root user) could be associated with only one authentication device; AWS has since raised that limit to as many as eight MFA devices per identity, which allows a registered backup device instead of a recovery procedure when the primary device is lost.

7
Q

Can I use my authentication device with multiple AWS accounts?

A

No. The authentication device or mobile phone number is bound to an individual AWS identity (IAM user or root account). If you have a TOTP-compatible application installed on your smartphone, you can create multiple virtual MFA devices on the same smartphone. Each one of the virtual MFA devices is bound to a single identity, just like a hardware device. If you dissociate (deactivate) the authentication device, you can then reuse it with a different AWS identity. The authentication device cannot be used by more than one identity simultaneously.

8
Q

I already have a hardware authentication device from my place of work or from another service I use, can I re-use this device with AWS MFA?

A

No. AWS MFA relies on knowing a unique secret associated with your authentication device in order to support its use. Because of security constraints that mandate such secrets never be shared between multiple parties, AWS MFA cannot support the use of your existing hardware authentication device. Only a compatible hardware authentication device purchased from Gemalto can be used with AWS MFA.

Purchasing an MFA Device

9
Q

I’m having a problem with an order for an authentication device using the third-party provider Gemalto’s website. Where can I get help?

A

Gemalto’s customer service can assist you.

10
Q

I received a defective or damaged authentication device from the third-party provider Gemalto. Where can I get help?

A

Gemalto’s customer service can assist you.

11
Q

I just received an authentication device from the third-party provider Gemalto. What should I do?

A

You simply need to activate the authentication device to enable AWS MFA for your AWS account. See the IAM console to perform this task.

Provisioning a Virtual MFA Device

12
Q

What is a virtual MFA device?

A

A virtual MFA device is an entry created in a TOTP compatible software application that can generate six-digit authentication codes. The software application can run on any compatible computing device, such as a smartphone.

13
Q

What are the differences between a virtual MFA device and physical MFA devices?

A

Virtual MFA devices use the same protocols as the physical MFA devices. Virtual MFA devices are software based and can run on your existing devices such as smartphones. Most virtual MFA applications also allow you to enable more than one virtual MFA device, which makes them more convenient than physical MFA devices.

14
Q

Which virtual MFA applications can I use with AWS MFA?

A

You can use applications that generate TOTP-compliant authentication codes, such as the Google Authenticator application, with AWS MFA. You can provision virtual MFA devices either automatically by scanning a QR code with the device’s camera or by manual seed entry in the virtual MFA application.

Visit the MFA page for a list of supported virtual MFA applications.

15
Q

What is a QR code?

A

A QR code is a two-dimensional barcode that is readable by dedicated QR barcode readers and most smartphones. The code consists of black squares arranged in larger square patterns on a white background. The QR code contains the required security configuration information to provision a virtual MFA device in your virtual MFA application.

16
Q

How do I provision a new virtual MFA device?

A

You can configure a new virtual MFA device in the IAM console for your IAM users as well as for your account root user. You can also use the aws iam create-virtual-mfa-device command in the AWS CLI or the CreateVirtualMFADevice API to provision new virtual MFA devices under your account. Both return the required configuration information, called a seed, either as a Base32 string or as a QR-code PNG, for you to load into your AWS MFA compatible application. You can either grant your IAM users the permissions to call this API directly or perform the initial provisioning for them.

17
Q

How should I handle and distribute the seed material for virtual MFA devices?

A

You should treat seed material like any other secret (for example, AWS secret access keys and passwords): hand it to the user over a trusted channel, do not leave the QR-code PNG or Base32 string on a shared file system or in a ticket, and delete your copy once the device has been activated.

18
Q

How can I enable an IAM user to manage virtual MFA devices under my account?

A

Grant the IAM user permission to call the CreateVirtualMFADevice API, which provisions new virtual MFA devices. To let users manage their own devices end to end, also grant iam:EnableMFADevice, iam:ResyncMFADevice, iam:ListMFADevices, iam:DeactivateMFADevice and iam:DeleteVirtualMFADevice, scoped to their own user and MFA device ARNs (for example with the ${aws:username} policy variable) so that one user cannot alter another user's device.

SMS MFA

19
Q

Can I still request preview access to the SMS MFA?

A

We are no longer accepting new participants for the SMS MFA preview. We encourage you to use MFA on your AWS account by using either a hardware or virtual MFA device.

20
Q

How can I begin using the SMS option during the preview?

A

For existing SMS MFA participants, you can navigate to the IAM console and enable SMS MFA for IAM users. The process involves entering a phone number for each IAM user. Then, when the IAM user signs in to the AWS Management Console, the user receives a six-digit security code via a standard SMS text message and must enter it when signing in.

Enabling AWS MFA Devices

21
Q

Where do I enable AWS MFA?

A

You can enable AWS MFA for an AWS account and your IAM users in the IAM console, the AWS CLI, or by calling the AWS API.

22
Q

What information do I need to activate a hardware or virtual authentication device?

A

If you are activating the MFA device with the IAM console, then you only need the device. If you are using the AWS CLI or the IAM API, then you need the following:

  1. The serial number of the authentication device. The format of the serial number depends on whether you are using a hardware device or a virtual device:
    - Hardware MFA device: The serial number is on the bar-coded label on the back of the device.
    - Virtual MFA device: The serial number is the Amazon Resource Name (ARN) value returned when you run the aws iam create-virtual-mfa-device command in the AWS CLI or call the CreateVirtualMFADevice API.
  2. Two consecutive authentication codes displayed by the authentication device (the two authentication-code parameters of aws iam enable-mfa-device / EnableMFADevice); AWS uses the pair to pin down the device's counter.
23
Q

My authentication device seems to be working normally, but I am not able to activate it. What should I do?

A

Please contact us for help.

Using AWS MFA

24
Q

If I enable AWS MFA for my AWS root account or my IAM users, do they always have to use an authentication code to sign in to the AWS Management Console?

A

Yes. The AWS account root user and IAM users must have their MFA device with them any time they sign in to any AWS website.

If your MFA device is lost, damaged, stolen, or not working, you can sign in using alternative factors of authentication, deactivate the MFA device, and activate a new device. As a security best practice, we recommend that you change your root account’s password.

With virtual and hardware MFA, if your IAM users lose or damage their authentication device, or if it is stolen or stops working, you can disable AWS MFA yourself by using the IAM console or the AWS CLI.

25
Q

If I enable AWS MFA for my AWS root account or IAM users, do they always need to enter an MFA code to directly call AWS APIs?

A

No, it’s optional. However, if you plan to call APIs that are secured by MFA-protected API access, you must first obtain temporary security credentials from STS by supplying an MFA code; only requests signed with those credentials carry the MFA status the policy checks for.

If you are calling AWS APIs using access keys for your AWS root account or IAM user, you do not need to enter an MFA code. For security reasons, we recommend that you remove all access keys from your AWS root account and instead call AWS APIs with the access keys for an IAM user that has the required permissions.

26
Q

How do I sign in to the AWS Portal and AWS Management Console using my authentication device?

A

Follow these two steps:

  1. If you are signing in as the account root user, sign in as usual with your account email address and password when prompted. To sign in as an IAM user, use the account-specific sign-in URL and provide your user name and password when prompted.
  2. On the next page, enter the six-digit authentication code that appears on your authentication device.

27
Q

Does AWS MFA affect how I access AWS Service APIs?

A

AWS MFA changes the way IAM users access AWS service APIs only if the account administrator(s) choose to enable MFA-protected API access. Administrators may enable this feature to add an extra layer of security over access to sensitive APIs by requiring that callers authenticate with an AWS MFA device. For more information, see the MFA-protected API access documentation.

Other exceptions include the S3 PUT bucket versioning, GET bucket versioning, and DELETE object APIs, which allow you to require MFA authentication to delete object versions or change the versioning state of your bucket. For more information, see Configuring a Bucket with MFA Delete in the S3 documentation.

For all other cases, AWS MFA does not currently change the way you access AWS service APIs.

28
Q

Can I use a given authentication code more than once?

A

No. For security reasons, you can use each authentication code only once.

29
Q

I was recently asked to resync my authentication device because my authentication codes were being rejected. Should I be concerned?

A

No, this can happen occasionally. AWS MFA relies on the clock in your authentication device being in sync with the clock on our servers. Sometimes, these clocks can drift apart. If this happens, when you use the authentication device to sign in to access secure pages on the AWS website or the AWS Management Console, AWS automatically attempts to resync the authentication device by requesting that you provide two consecutive authentication codes (just as you did during activation).
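The code below is added here as an illustration and is not part of the original FAQ. It shows what cards 3, 12, 16, 17, 28 and 29 describe: how a six-digit code is derived from a Base32 seed and the clock (RFC 6238 TOTP, which AWS virtual MFA devices implement with HMAC-SHA1, a 30-second step and six digits), why each code can be accepted only once, and why activation and resync ask for two consecutive codes. The seed is the RFC 6238 reference secret, constructed for the demonstration; the server-side MfaVerifier class is my own model of the check, not AWS's implementation.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step; AWS virtual MFA devices use 30 s
DIGITS = 6   # AWS MFA codes are six digits


def decode_seed(b32_seed: str) -> bytes:
    """Decode a Base32 seed (the Base32StringSeed form returned by
    create-virtual-mfa-device). Whitespace is dropped and padding restored."""
    s = "".join(b32_seed.split()).upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a `digits`-digit decimal string (leading zeros kept)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP whose counter is the number of steps since the epoch.
    Nothing is random; device and server derive the same code from the
    shared seed and the time, which is why clock drift breaks sign-in."""
    return hotp(secret, at // step, digits)


class MfaVerifier:
    """Model of the server side: a code is accepted once, within +/- `window`
    steps of the server clock adjusted by the device's learned drift;
    activation and resync take two consecutive codes."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.offset = 0      # device clock drift in steps, learned by resync()
        self.used = set()    # counters already redeemed: codes are single-use

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP + self.offset
        for k in range(base - self.window, base + self.window + 1):
            if k not in self.used and hmac.compare_digest(hotp(self.secret, k), code):
                self.used.add(k)
                return True
        return False

    def resync(self, code1: str, code2: str, now: int, search: int = 120) -> bool:
        """Find the counter k within +/- `search` steps of the server clock at
        which the device showed code1 followed by code2, and store the drift.
        Two codes pin k far more reliably than one: a single 6-digit code
        matches some k in a 241-step window with probability about 2.4e-4,
        a consecutive pair about 2.4e-10."""
        base = now // STEP
        for k in range(base - search, base + search + 1):
            if (hmac.compare_digest(hotp(self.secret, k), code1)
                    and hmac.compare_digest(hotp(self.secret, k + 1), code2)):
                self.offset = k - base
                self.used.update((k, k + 1))
                return True
        return False


# Constructed seed for the demonstration: the RFC 6238 reference secret
# "12345678901234567890" in Base32. Never reuse it for a real device.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def drift_demo(server_now: int = 1_000_000_000, drift_s: int = 90) -> dict:
    """Phone clock `drift_s` seconds ahead of the server: a single-code
    sign-in fails, a two-code resync succeeds (drift learned in steps), the
    next code is accepted, and a replay of that same code is rejected."""
    secret = decode_seed(DEMO_SEED_B32)
    verifier = MfaVerifier(secret)

    def device(t: int) -> str:          # what the phone displays at server time t
        return totp(secret, t + drift_s)

    before = verifier.verify(device(server_now), server_now)
    synced = verifier.resync(device(server_now), device(server_now + STEP), server_now)
    later = server_now + 2 * STEP
    first_use = verifier.verify(device(later), later)
    replay = verifier.verify(device(later), later)
    return {"before_resync": before, "resync": synced, "offset_steps": verifier.offset,
            "after_resync": first_use, "replay": replay}
```

drift_demo() walks a phone whose clock is 90 seconds fast through a rejected sign-in, a successful two-code resync (an offset of three steps) and a replay attempt. The search window in resync() can be wide because a consecutive pair is hard to guess; a single-code check must stay narrow, since every extra step in the window adds another one-in-a-million chance that a guessed code is accepted.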

30
Q

My authentication device seems to be working normally, but I am not able to use it to sign in to the AWS Management Console. What should I do?

A

We suggest you resynchronize MFA devices for your IAM user’s credentials. If you already tried to resync and are still having trouble signing in, you can sign in using alternate factors of authentication and reset your MFA device. If you are still encountering issues, contact us for help.

31
Q

My authentication device is lost, damaged, stolen, or not working, and now I can’t sign in to the AWS Management Console. What should I do?

A

If your authentication device is associated with an AWS root account:

You can reset your MFA device on the AWS Management Console by first signing in with your password and then verifying the email address and phone number associated with your root account.

If your MFA device is lost, damaged, stolen or not working, you can sign in using alternative factors of authentication, deactivate the MFA device, and activate a new MFA device. As a security best practice, we recommend that you change your root account’s password.

If you need a new authentication device, you can purchase a new hardware authentication device from the third-party provider, Gemalto, or provision a new virtual MFA device under your account by using the IAM console.

If you have tried the preceding approaches and are still having trouble signing in, contact AWS Support.

32
Q

How do I disable AWS MFA?

A

To disable AWS MFA for your AWS account, you can deactivate your authentication device using the Security Credentials page. To disable AWS MFA for your IAM users, you need to use the IAM console or the AWS CLI.

33
Q

Can I use AWS MFA in GovCloud?

A

Yes, you can use AWS virtual MFA and hardware MFA devices in GovCloud.

MFA-protected API access

34
Q

What is MFA-protected API access?

A

MFA-protected API access is optional functionality that lets account administrators enforce additional authentication for customer-specified APIs by requiring that users present a second factor in addition to their usual credentials (a password or access keys). Specifically, it enables administrators to include conditions in their IAM policies (the aws:MultiFactorAuthPresent condition key) that check for and require MFA authentication for access to selected APIs. Users making calls to those APIs must first get temporary credentials that indicate the user entered a valid MFA code.

35
Q

What problem does MFA-protected API access solve?

A

Previously, customers could require MFA for access to the AWS Management Console, but could not enforce MFA requirements on developers and applications interacting directly with AWS service APIs. MFA-protected API access ensures that IAM policies are universally enforced regardless of access path. As a result, you can now develop your own application that uses AWS and prompts the user for MFA authentication before calling powerful APIs or accessing sensitive resources.

36
Q

How do I get started with MFA-protected API access?

A

You can get started in two simple steps:

  1. Assign an MFA device to your IAM users. You can purchase a hardware key fob, or download a free TOTP-compatible application for your smartphone, tablet, or computer. See the MFA detail page for more information on AWS MFA devices.
  2. Enable MFA-protected API access by creating permission policies, conditioned on the aws:MultiFactorAuthPresent key, for the IAM users and/or IAM groups from which you want to require MFA authentication. To learn more about access policy language syntax, see the access policy language documentation.
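Added example, not from the FAQ: a small model of how IAM evaluates the kind of policy step 2 asks for (and card 34 describes). Both policies are constructed for the demonstration, and the request contexts mimic the three credential paths a caller can take. The point it makes is the one practitioners most often get wrong: aws:MultiFactorAuthPresent is absent, not false, when a request is signed with an IAM user's long-term access keys, so a Deny written with the Bool operator never fires for those requests, while BoolIfExists treats the missing key as a match and closes the gap. The evaluator implements only the operators the example needs (Bool, BoolIfExists, Null) and is not the IAM engine.

```python
import fnmatch
import json

# Constructed for this example: a baseline Allow (standing in for whatever
# the user is normally granted) plus a Deny meant to block every action
# except MFA self-enrolment and GetSessionToken unless the request carries
# MFA. %OPERATOR% is replaced by the condition operator under test.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BaselinePermissions", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyWithoutMFA", "Effect": "Deny",
     "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                   "iam:ListMFADevices", "iam:ResyncMFADevice",
                   "sts:GetSessionToken"],
     "Resource": "*",
     "Condition": {"%OPERATOR%": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}"""


def mfa_policy(operator: str) -> dict:
    return json.loads(POLICY_TEMPLATE.replace("%OPERATOR%", operator))


# Request contexts as IAM sees them (constructed). With an IAM user's
# long-term access keys the key is absent; with STS temporary credentials
# it is present and records whether an MFA code was supplied.
LONG_TERM_KEYS = {}
SESSION_WITHOUT_MFA = {"aws:MultiFactorAuthPresent": "false"}
SESSION_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}


def _match(patterns, value: str) -> bool:
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """The subset of IAM condition operators this example needs."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            present = key in ctx
            wanted = str(wanted).lower()
            if operator == "Bool":
                # Missing key: the condition fails and the statement does not apply.
                if not present or str(ctx[key]).lower() != wanted:
                    return False
            elif operator == "BoolIfExists":
                # Missing key: counts as a match.
                if present and str(ctx[key]).lower() != wanted:
                    return False
            elif operator == "Null":
                # "true" matches when the key is absent, "false" when it is present.
                if (wanted == "true") == present:
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def decide(policy: dict, action: str, ctx: dict) -> str:
    """Evaluate one identity-based policy: an applicable explicit Deny wins,
    otherwise an applicable Allow permits, otherwise the implicit deny."""
    allowed = False
    for statement in policy["Statement"]:
        if "Action" in statement:
            applies = _match(statement["Action"], action)
        else:
            applies = not _match(statement["NotAction"], action)
        if not applies or not _condition_holds(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def compare(action: str = "s3:DeleteObject") -> dict:
    """Decision for each credential path under the Bool and BoolIfExists
    forms of the Deny statement."""
    contexts = {"long_term_keys": LONG_TERM_KEYS,
                "session_without_mfa": SESSION_WITHOUT_MFA,
                "session_with_mfa": SESSION_WITH_MFA}
    return {op: {name: decide(mfa_policy(op), action, ctx)
                 for name, ctx in contexts.items()}
            for op in ("Bool", "BoolIfExists")}
```

compare() returns "Allow" for long-term keys under the Bool form of the Deny and "Deny" under BoolIfExists; the MFA enrolment actions and sts:GetSessionToken stay allowed in both so that a user can reach an MFA session in the first place. The related mistake, an Allow conditioned on "Null": {"aws:MultiFactorAuthPresent": "false"}, only checks that the key exists and therefore also admits STS sessions obtained without an MFA code; decide() models Null so that case can be tried too.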

37
Q

How do developers and users access APIs and resources secured with MFA-protected API access?

A

Developers and users interact with MFA-protected API access both in the AWS Management Console and at the APIs.

In the AWS Management Console, any MFA-enabled IAM user must authenticate with their device to sign in. Users that do not have MFA do not receive access to MFA-protected APIs and resources.

At the API level, developers can integrate AWS MFA into their applications to prompt users to authenticate using their assigned MFA devices before calling powerful APIs or accessing sensitive resources. Developers enable this functionality by adding optional MFA parameters (serial number and MFA code) to requests to obtain temporary security credentials (such requests are also referred to as “session requests”). If the parameters are valid, temporary security credentials that indicate MFA status are returned. See the temporary security credentials documentation for more information.
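An added example (not the FAQ's or AWS's code) of the session request described above: the caller sends the device ARN and a current code as the SerialNumber and TokenCode parameters of sts:GetSessionToken, receives temporary credentials whose requests will carry aws:MultiFactorAuthPresent = true, and exports them for the CLI or SDK. The device ARN and the FakeSts class are assumptions made so the flow runs offline; with real credentials you pass boto3.client("sts") instead, since mfa_session only relies on the get_session_token method that client has.

```python
# Assumed identifier for the example: the ARN that aws iam list-mfa-devices
# reports for a virtual device. It is not a real device.
MFA_SERIAL = "arn:aws:iam::123456789012:mfa/alice"


def mfa_session(sts, serial: str, token_code: str, duration: int = 3600) -> dict:
    """Exchange an IAM user's long-term credentials plus an MFA code for
    temporary credentials. `sts` is any object exposing boto3's
    get_session_token signature. Supplying SerialNumber and TokenCode is
    what makes the returned session count as MFA-authenticated."""
    if not (token_code.isdigit() and len(token_code) == 6):
        raise ValueError("MFA code must be six digits")
    response = sts.get_session_token(SerialNumber=serial, TokenCode=token_code,
                                     DurationSeconds=duration)
    return response["Credentials"]


def credentials_env(creds: dict) -> dict:
    """Environment variables that make the AWS CLI and SDKs use the session.
    All three are required: an access key and secret without the session
    token are rejected as an unknown key pair."""
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}


class FakeSts:
    """Offline stand-in for the STS endpoint (constructed): it accepts one
    serial/code pair and otherwise fails the way STS does, by raising
    instead of returning credentials (see card 40)."""

    def __init__(self, serial: str, valid_code: str):
        self.serial, self.valid_code = serial, valid_code

    def get_session_token(self, SerialNumber, TokenCode, DurationSeconds=43200):
        if SerialNumber != self.serial or TokenCode != self.valid_code:
            raise PermissionError(
                "AccessDenied: MultiFactorAuthentication failed with invalid MFA code")
        return {"Credentials": {"AccessKeyId": "ASIA" + "X" * 16,
                                "SecretAccessKey": "constructed/secret/" + "x" * 20,
                                "SessionToken": "constructed-session-token",
                                "Expiration": "2030-01-01T00:00:00Z"}}


def demo(code: str) -> dict:
    """Run the exchange against the fake endpoint with the supplied code."""
    sts = FakeSts(MFA_SERIAL, valid_code="123456")
    try:
        env = credentials_env(mfa_session(sts, MFA_SERIAL, code))
    except PermissionError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "env_keys": sorted(env)}
```

The live form is mfa_session(boto3.client("sts"), MFA_SERIAL, input("MFA code: ")); export the returned environment for the CLI, or build a boto3.Session from the three values. GetSessionToken must be called with the IAM user's long-term keys (STS rejects it when the caller is already using temporary credentials from AssumeRole or GetFederationToken), and a wrong serial or code surfaces as a ClientError rather than a credential object, which is what FakeSts imitates with PermissionError.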

38
Q

Who can use MFA-protected API access?

A

MFA-protected API access is available for free to all AWS customers.

39
Q

Which services does MFA-protected API access work with?

A

MFA-protected API access is supported by all AWS services that support temporary security credentials. For a list of supported services, see AWS Services that Work with IAM and review the column labeled Supports temporary security credentials.

40
Q

What happens if a user provides incorrect MFA device information when requesting temporary security credentials?

A

The request to issue temporary security credentials fails. Temporary security credential requests that specify MFA parameters must provide the correct serial number of the device linked to the IAM user as well as a valid MFA code.

41
Q

Does MFA-protected API access control API access for AWS root accounts?

A

No, MFA-protected API access only controls access for IAM users. Root accounts are not bound by IAM policies, which is why we recommend that you create IAM users to interact with AWS service APIs rather than use AWS root account credentials.

42
Q

Do users have to have an MFA device assigned to them in order to use MFA-protected API access?

A

Yes, a user must first be assigned a unique hardware or virtual MFA device.

43
Q

Is MFA-protected API access compatible with S3 objects, SQS queues, and SNS topics?

A

Yes.

44
Q

How does MFA-protected API access interact with existing MFA use cases such as S3 MFA Delete?

A

MFA-protected API access and S3 MFA Delete do not interact with each other. S3 MFA Delete currently does not support temporary security credentials. Instead, calls to the S3 MFA Delete API must be made using long-term access keys, and only the bucket owner signed in as the account root user can enable or disable MFA Delete on a bucket, which makes it one of the few operations for which root access keys are still needed (create them for the task and delete them afterwards).

45
Q

Does MFA-protected API access work in the GovCloud (US) region?

A

Yes.