IAM (Pt. 2)

Question 1

The basic steps to grant an app temporary access to AWS resources (via user credentials) are:

1. __________
2. Identity broker always authenticates with LDAP first, then with STS.
3. App then gets temporary access to AWS resources allowed by the IAM user’s permissions.

Answer 1

Develop an identity broker to communicate with LDAP and STS.

Question 2

What does a new user have access to after it’s first created?

Answer 2

Nothing. Access must be granted through policies applied to the specific user or groups the user belongs to.

Question 3

True or False: A user can log into the AWS console with their access key id and secret access key.

Answer 3

False.

Question 4

What does STS stand for?

Answer 4

Security Token Service.

Question 5

Describe the three-step process for using Web Identity Federation.

Answer 5

1. Authenticate with identity provider.
2. Obtain temporary security credentials.
3. Access AWS resource.

Question 6

When using Active Directory to authenticate to AWS, what are the correct steps performed?

1. User navigates to ADFS webserver.
2. User enters SSO credentials.
3. __________
4. User’s browser POSTs SAML assertion to the AWS SAML endpoint, and the AssumeRoleWithSAML API request to get temporary security credentials.

Answer 6

User’s browser receives SAML assertion from AD server.

Question 7

What is a “root account?” What access does it have?

Answer 7

The account created when first setting up an AWS account. It has complete admin access.

Question 8

What are the four pillars of IAM?

Answer 8

Users, groups, roles, and policies.

Question 9

Combining or joining a list of users in IAM with a list of users in Active Directory is an example of __________.

Answer 9

Federation.

Question 10

The basic steps to grant an app temporary access to AWS resources (by assuming a role) are:

1. Develop an identity broker to communicate with LDAP and STS.
2. Identity broker always authenticates with LDAP first, then gets an IAM role associated with a user.
3. __________
4. App uses that IAM role to interact with AWS resources as allowed by the role.

Answer 10

App then authenticates with STS and assumes the IAM role.

Question 11

New users are assigned __________ and a secret access key when first created.

Answer 11

An access key id.

Question 12

A user’s access key id and secret access key are used for __________ access to AWS resources.

Answer 12

Programmatic.

Question 13

What does IAM stand for?

Answer 13

Identity and Access Management.

Question 14

Which region is IAM in?

Answer 14

The Global region.

Question 15

The basic steps to grant an app temporary access to AWS resources (by assuming a role) are:

1. Develop an identity broker to communicate with LDAP and STS.
2. __________
3. App then authenticates with STS and assumes the IAM role.
4. App uses that IAM role to interact with AWS resources as allowed by the role.

Answer 15

Identity broker always authenticates with LDAP first, then gets an IAM role associated with a user.

Question 16

True or False: IAM is restricted to specific regions.

Answer 16

False. IAM is universal.

Question 17

What is Web Identity Federation?

Answer 17

Allows a developer to federate their application from Facebook, Google, or Amazon with their AWS account, allowing their end users to authenticate with one of these Identity Providers and receive temporary AWS credentials.

Question 18

What is an identity store?

Answer 18

A service that holds information that uniquely describes individuals or machine entities (e.g. - Active Directory, Facebook, Google).

Question 19

True or False: A user’s access key id and secret access key may be used to log into the AWS console.

Answer 19

False.

Question 20

True or False: A user can use their access key id and secret access key to access AWS via the APIs and command line interface.

Answer 20

True.

Question 21

When using Active Directory to authenticate to AWS, what are the correct steps performed?

1. User navigates to ADFS webserver.
2. __________
3. User’s browser receives SAML assertion from AD server.
4. User’s browser POSTs SAML assertion to the AWS SAML endpoint, and the AssumeRoleWithSAML API request to get temporary security credentials.

Answer 21

User enters SSO credentials.

Question 22

What is an identity broker?

Answer 22

A service that allows you to take an identity from one domain and join it to another domain.

Question 23

What is the API call used to obtain temporary security credentials when authenticating using Web Identity Federation?

Answer 23

AssumeRoleWithWebIdentity.

Question 24

A service that allows you to take an identity from one domain and join it to another domain is called __________.

Answer 24

An identity broker.

Question 25

When using Active Directory to authenticate to AWS, what are the correct steps performed?

1. User navigates to ADFS webserver.
2. User enters SSO credentials.
3. User’s browser receives SAML assertion from AD server.
4. __________

Answer 25

User’s browser POSTs SAML assertion to the AWS SAML endpoint, and the AssumeRoleWithSAML API request to get temporary security credentials.

Question 26

When using Web Identity Federation to allow a user to access an AWS service, what is the correct order of steps?

Answer 26

1. User authenticates with identity provider and receives an ID token.
2. The ID token is used with the AssumeRoleWithWebIdentity API to obtain temporary security credentials.

Question 27

What standard is used to exchange auth information with Active Directory?

Answer 27

SAML 2.

Question 28

True or False: An app authenticates to Active Directory first, then it receives a temporary security credential from AWS.

Answer 28

True.

Question 29

New users are assigned an access key id and __________ when first created.

Answer 29

A secret access key.

Question 30

What does federation mean?

Answer 30

Combining or joining a list of users in one domain with a list of users in another domain.

Question 31

Users have __________ permissions when first created.

Answer 31

No.

Question 32

What does IAM allow you to do?

Answer 32

Manage users and their level of access to the AWS console.

Question 33

The basic steps to grant an app temporary access to AWS resources (via user credentials) are:

1. Develop an identity broker to communicate with LDAP and STS.
2. __________
3. App then gets temporary access to AWS resources allowed by the IAM user’s permissions.

Answer 33

Identity broker always authenticates with LDAP first, then with STS.

Question 34

What things can policy documents be applied to?

Answer 34

Users, groups, and roles.

Question 35

The basic steps to grant an app temporary access to AWS resources (via user credentials) are:

1. Develop an identity broker to communicate with LDAP and STS.
2. Identity broker always authenticates with LDAP first, then with STS.
3. __________

Answer 35

App then gets temporary access to AWS resources allowed by the IAM user’s permissions.

Question 36

What does SAML stand for?

Answer 36

Security Assertion Markup Language.

Question 37

What is the purpose of STS?

Answer 37

To grant users limited and temporary access to AWS resources.

Question 38

What mechanism in STS allows users to authenticate with Facebook, Google, and Amazon and receive temporary AWS credentials?

Answer 38

Web Identity Federation.

Question 39

What is the name of the API call to request temporary security credentials from the AWS platform when federating with Active Directory?

Answer 39

AssumeRoleWithSAML.

Question 40

The AWS sign-in endpoint for SAML is https://__________.

Answer 40

signin.aws.amazon.com/saml

Question 41

To gain programmatic access to AWS resources, a user must use their __________ and __________.

Answer 41

Access key id. Secret access key.

Question 42

True or False: An app receives a temporary security credential from AWS first, then authenticates to Active Directory.

Answer 42

False.

Question 43

When using Active Directory to authenticate to AWS, what are the correct steps performed?

1. __________
2. User enters SSO credentials.
3. User’s browser receives SAML assertion from AD server.
4. User’s browser POSTs SAML assertion to the AWS SAML endpoint, and the AssumeRoleWithSAML API request to get temporary security credentials.

Answer 43

User navigates to ADFS webserver.

Question 44

Which Amazon service is used to grant users limited and temporary access to AWS resources?

Answer 44

Security Token Service (STS).

Question 45

The basic steps to grant an app temporary access to AWS resources (by assuming a role) are:

1. __________
2. Identity broker always authenticates with LDAP first, then gets an IAM role associated with a user.
3. App then authenticates with STS and assumes the IAM role.
4. App uses that IAM role to interact with AWS resources as allowed by the role.

Answer 45

Develop an identity broker to communicate with LDAP and STS.

Question 46

The basic steps to grant an app temporary access to AWS resources (by assuming a role) are:

1. Develop an identity broker to communicate with LDAP and STS.
2. Identity broker always authenticates with LDAP first, then gets an IAM role associated with a user.
3. App then authenticates with STS and assumes the IAM role.
4. __________

Answer 46

App uses that IAM role to interact with AWS resources as allowed by the role.

Question 47

New __________ are assigned an access key id and a secret access key when first created.

Answer 47

Users.