IAM Flashcards

1
Q

Elements of IAM

A

Users;
Access key;
Secret key;
Password policy;
Multi-factor Authentication;
Group – collection of users that allows for management of permissions/policies on a group level;
Role – access management for AWS services; created from policies then attached to services;
Policy – JSON document that enables permissions throughout AWS to be given or restricted to users, groups or roles.

2
Q

STS

A

Simple Token Service;

3
Q

Active Directory Federation

A

Use an on-premises Active Directory (ADFS) server to gain temporary access to AWS.

  1. The user accesses a web page on the ADFS server and logs in;
  2. ADFS authenticates the user and returns a SAML assertion;
  3. The client browser uses the SAML assertion to redirect to an AWS SAML endpoint and calls the AssumeRoleWithSAML API to get temporary credentials;
  4. The client browser receives and redirects to a sign-in URL for AWS.
4
Q

Web Identity Federation

A

Ability to use third-party providers such as Google, Facebook… to grant permissions to resources without creating explicit users.

  1. Authenticate with the third-party provider; if successful, a token is returned.
  2. Using the token provided by the third-party provider, call AssumeRoleWithWebIdentity to obtain temporary credentials from AWS.
  3. Using the temporary credentials, you can now use the CLI or SDKs to access the AWS account with the permissions of the role that was assumed.
5
Q

SAML

A

Security Assertion Markup Language (SAML) endpoint: https://signin.aws.amazon.com/saml

6
Q

IAM GROUPS

A

Cannot belong to other groups; cannot be nested.

7
Q

IAM users can have any combination of credentials that AWS supports

A

such as an AWS access key, X.509 certificate, SSH key, password for web app logins, or an MFA device

8
Q

users vs roles

A

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.
CANNOT add an IAM role to an IAM group

9
Q

Policy

A

Add as many inline policies as you want to an IAM role, and up to 10 managed policies.

10
Q

service-linked role

A

A type of role that links to an AWS service.

11
Q

temporary security credential limits

A

default – 12 hours;
min – 15 minutes;
max – 36 hours;

12
Q

temporary security credential limits

A

default – 12 hours;
min – 15 minutes;
max – 36 hours;
You cannot restrict the temporary security credentials to a particular region or subset of regions.

13
Q

Federated users CAN access the AWS Management Console

A

You can specify a session limit between 15 minutes and 36 hours (for GetFederationToken and GetSessionToken) and between 15 minutes and 12 hours (for the AssumeRole* APIs), during which time the federated user can access the console.
