IAM

Question 1

Elements of IAM

Answer 1

Users;
Access key;
Secret key;
Password policy;
Multi-factor Authentication;
Group – collection of users that allows for management of permissions/policies on a group level;
Role – access management for AWS services; created from policies then attached to services;
Policy – JSON document that enables permissions throughout AWS to be given or restricted to users, groups or roles.

Question 2

STS

Answer 2

Simple Token Service;

Question 3

Active Directory Federation

Answer 3

use an on-premises active directory(ADFS) server to gain temporary access to AWS.

1. user access a webpage on the ADFS server and log in
2. ADFS authenticates user and returns a SAML assertion;
3. CLient browser uses the SAML assertion to redirect to an AWS SAML endpoint and uses the ASSUMEROLEWITHSAML API to get temporary credentials;
4. Client browser receives and redirects to a signin URL for AWS.

Question 4

Web Identity Federation

Answer 4

ability to use 3rd party providers such as Google, Facebook… to grant permissions to resources without creating explicit users.

1. authenticate with third party provider and if successful a token is returned.
2. Using the token provided by the 3rd party provider use the AssumeRoleWithWebIdentity call to gain temporary credentials from AWS.
3. Using temp credentials, you can now use the CLO or SDK’s to access the AWS account with the permission of the role that was assumed.

Question 5

SAML

Answer 5

Security Assertion Markup Language(SAML) endpoint: https://signin.aws.amazon.com/saml

Question 6

IAM GROUPS

Answer 6

can not belong to other groups; can not be nested

Question 7

IAM users can have any combination of credentials that AWS supports

Answer 7

such as an AWS access key, X.509 certificate, SSH key, password for web app logins, or an MFA device

Question 8

users vs roles

Answer 8

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.
CANNOT add an IAM role to an IAM group

Question 9

Policy

Answer 9

Add as many inline policies as you want to IAM role, and up to 10 managed policies

Question 10

service-linked role

Answer 10

a type of role that links to an AWS service.

Question 11

temporary security credential limits

Answer 11

default–12 hours;
min – 15 minutes;
max – 36 hours;

Question 12

temporary security credential limits

Answer 12

default–12 hours;
min – 15 minutes;
max – 36 hours;
you can not restrict the temporary security credentials to a particular region or subset of regions.

Question 13

Federated users CAN access the AWS Management Console

Answer 13

You can specify a session limit between 15 minutes and 36 hours (for GetFederationToken and GetSessionToken) and between 15 minutes and 12 hours (for AssumeRole* APIs), during which time the federated user can access the console