Developing Secure Solutions Flashcards

1
Q

What is AWS ACM?

A

AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

2
Q

What are the advantages of AWS ACM?

A

ACM removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.

With ACM, you can quickly:

  • request a certificate,
  • deploy it on ACM-integrated AWS resources, such as Elastic Load Balancing, Amazon CloudFront distributions, and APIs on API Gateway,
  • let ACM handle certificate renewals,
  • create private certificates for your internal resources,
  • manage the certificate lifecycle centrally.
3
Q

What is AWS Secrets Manager?

A

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

Secrets Manager offers secret rotation with built-in integration for Amazon RDS for MySQL, PostgreSQL, and Amazon Aurora.

The service is extensible to other types of secrets, including API keys and OAuth tokens.

In a scenario where Secrets Manager is used, no human ever touches the secret or sees it in plaintext.

4
Q

What is AWS STS?

A

The AWS Security Token Service (AWS STS) enables you to provide trusted (federated) users with temporary credentials that provide controlled access to your AWS resources.

The temporary security credentials have a limited and configurable lifetime (3600 seconds by default). You can specify how long the credentials are valid. After they expire, they cannot be reused.

5
Q

Describe how AWS STS is used for MFA and SSO.

A

Some AWS STS APIs allow you to pass information about a multi-factor authentication (MFA) device. This lets you make sure that the temporary security credentials that result from the API call can be used only by users who have authenticated with an MFA device.

To support SSO, AWS lets you call a federation endpoint, passing temporary security credentials. The endpoint returns a token that can be used to construct a URL that signs a user directly into the console without requiring a password.

6
Q

AWS STS: important points

A

By default, AWS Security Token Service (AWS STS) is available as a global service, and all AWS STS requests go to a single endpoint. Here are some important points:
• All calls go to the global endpoint by default.
• The global endpoint maps to the US East (N. Virginia) Region.
• Regional endpoints are activated by default, except for US East (N. Virginia).
• Use AWS CloudTrail to log STS calls.
• Credentials work globally.

7
Q

How do you deal with an organization’s own identity system or well-known identity providers?

A

As an alternative to creating IAM users in your AWS account, IAM lets you use identity providers. This is useful if your organization has its own identity system, such as a corporate user directory.

Users of a mobile app or web applications can sign in using a well-known identity provider, such as Amazon Cognito, Login with Amazon, Facebook, or Google, and you can give permissions to use AWS resources in your account to that external identity.

Using an identity provider helps you keep your AWS account secure, because you don’t have to distribute long-term security credentials, such as IAM user access keys, with your application.

IAM supports identity providers that are compatible with SAML 2.0 (Security Assertion Markup Language 2.0) or with OpenID Connect (OIDC).

8
Q

What is SAML 2.0?

A

Security Assertion Markup Language 2.0 (SAML) is an open standard for exchanging identity and security information with applications and service providers.

Applications and service providers that support SAML enable you to sign in using your corporate directory credentials. SAML-enabled applications delegate authentication requests to your corporate directory.

9
Q

What is Amazon Cognito?

A

Amazon Cognito is a service that makes it easy to save mobile user data, such as app preferences or game state, in the AWS Cloud without writing any backend code or managing any infrastructure.

Amazon Cognito offers mobile identity management and data synchronization across devices.

Amazon Cognito creates a random, unique identifier for each unauthenticated guest so you can start saving application data for those users. When your users decide to authenticate using one of the supported public login providers, Amazon Cognito ensures that the data you saved against the unauthenticated profile is now associated with the new authenticated profile, thus removing the complexity of managing user conversion.

10
Q

What is an Amazon Cognito user pool?

A

A user pool is a user directory in Amazon Cognito. It provides:

  • sign-up and sign-in services,
  • a built-in, customizable web UI to sign in users,
  • social sign-in with Facebook, Google, Apple, and Login with Amazon, as well as sign-in with SAML identity providers,
  • user directory management and user profiles,
  • MFA, checks for compromised credentials, account takeover protection, and phone and email verification,
  • customized workflows and user migration through AWS Lambda triggers.
11
Q

Which object is issued after authenticating with Amazon Cognito?

A

Amazon Cognito issues JSON web tokens (JWT) that you can use to secure and authorize access to your own APIs, or exchange for AWS credentials.

12
Q

What happens after a user authenticates?

A

When a user authenticates, the user pool returns ID, access, and refresh tokens. The ID token is a standard OIDC token for identity management, and the access token is a standard OAuth 2.0 token.

As a developer, you can choose the expiration time of refresh tokens, and therefore how frequently users need to re-authenticate. The user pool automatically uses the refresh token to get new ID and access tokens when they expire.
