Identity & Access Management Flashcards
AWS Definition and 4 key areas.
Amazon Web Services. Comprehensive Collection of Infrastructure Services.
- Compute
- Storage
- Database
- Networking Services
AWS Platform Capabilities
Offered as a pay-as-you-go service.
- Mobile Services
- Analytics
- Machine Learning
Root User
The identity created together with the AWS account; it signs in to the AWS Management Console with the account's email address and password. It has unrestricted access to every resource in the account and cannot be limited by IAM policies, so protect it with MFA and use it only for the few tasks that require it. Day-to-day work is done with IAM users or roles, not the root user.
AWS Management Console
- Create
- Configure
- Monitor
AWS SDK
AWS Software Development Kit. Lets code call the same AWS service APIs that the Management Console uses. Available for these languages:
1. Java
2. .NET
3. JavaScript
4. PHP
5. Python
6. Others
Specialty SDKs
1. AWS Mobile SDK
2. AWS Internet of Things (IoT) Device SDK
AWS CLI
Command Line Interface. Available for different operating systems:
1. Windows
2. Linux/Unix
3. macOS
*AWS Tools for PowerShell is also available if you prefer it over the AWS CLI.
Authentication
Verifying identity.
The method or process used to verify the identity of a user or process (who you are).
Authorization
Determining access level.
Determines what an authenticated user or process may do with resources such as files, services, applications and data (what you may do). Authorization is evaluated only after authentication has succeeded.
AWS IdP
AWS can be used as an Identity Provider.
Entails storing identities and providing the method used for authentication. Applies to AWS services, AWS infrastructure and non-AWS applications (web/mobile).
AWS Planes of Access
2 planes of access.
- Control plane - operations on the resources themselves, e.g. launching, stopping or describing an EC2 instance. Performed through API operations and governed by IAM policies.
- Data plane - signing in to the operating system of a compute instance (Secure Shell on Linux, Remote Desktop on Windows). Controlled by credentials on the instance itself (key pairs, local passwords), which IAM does not manage.
Policies (related to access)
JSON documents. Each statement has 3 key elements (plus optional ones such as Principal and Condition):
- Effect - "Allow" or "Deny": whether the statement grants or blocks the matched API calls
- Action - which API operations the statement covers, e.g. "s3:GetObject"; wildcards such as "s3:*" are permitted
- Resource - the ARNs the statement applies to, i.e. where the actions are allowed or denied
Evaluation order: an explicit Deny always wins; otherwise a matching Allow grants access; otherwise the request is implicitly denied.
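The three elements and the evaluation order above, as an added worked example (my code, not AWS's own evaluator and not part of the original flashcards): a minimal IAM-style policy evaluator in Python. The policy JSON, bucket name and requests are constructed for the example. It implements only Effect, Action and Resource with IAM wildcards; Principal, Condition, NotAction/NotResource, permission boundaries, SCPs and resource-based policies are left out.

```python
import json
import re

# Constructed sample policy for this example (not from the page): read access to
# one bucket, with an explicit deny carved out of a "secret/" prefix.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket",
                   "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/secret/*"
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value):
    """IAM wildcard matching: '*' is any run of characters, '?' a single one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _statement_matches(stmt, action, resource):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_glob_match(a.lower(), action.lower()) for a in actions)
            and any(_glob_match(r, resource) for r in resources))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request.

    Mirrors the core of IAM evaluation for identity-based policies: every
    request starts as an implicit Deny, a matching Allow flips it to Allow,
    and a matching explicit Deny wins no matter how many Allow statements
    match or in which order the statements appear.
    """
    decision = "Deny"                       # implicit deny until an Allow matches
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"               # explicit deny is final
            decision = "Allow"
    return decision


if __name__ == "__main__":
    requests = [
        ("s3:ListBucket", "arn:aws:s3:::example-bucket"),
        ("s3:GetObject", "arn:aws:s3:::example-bucket/public/readme.txt"),
        ("s3:GetObject", "arn:aws:s3:::example-bucket/secret/key.pem"),
        ("s3:PutObject", "arn:aws:s3:::example-bucket/public/readme.txt"),
    ]
    for act, res in requests:
        print(f"{act:14} {res:50} -> {evaluate([SAMPLE_POLICY], act, res)}")
```

Note that the ListBucket request is matched by the bare bucket ARN while GetObject needs the "/*" object ARN; forgetting one of the two is the usual reason a policy that "looks right" still returns an implicit Deny.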
AWS Federation
Federation lets users sign in with an identity managed outside AWS, and lets you centrally manage their access to AWS resources.
2 components:
1. Identity provider - answers "Who are you?" by authenticating the user.
2. Identity consumer (AWS) - stores a reference to the external identity and grants access to resources, at a granular level, based on what the identity provider asserts.
SAML
Security Assertion Markup Language.
- Provides federation between an identity provider and a service provider.
- Supported option in AWS (SAML 2.0).
- The two sides exchange metadata using an XML document; the identity provider then sends signed XML assertions about the authenticated user.
OIDC
OpenID Connect.
- Newer alternative to SAML, built on OAuth 2.0; it does not replace SAML, which remains widely deployed.
- Easier to configure than SAML (JSON over HTTPS instead of XML metadata).
- Uses signed JSON Web Tokens (instead of XML assertions) to convey identity and grant access.
3 types of OIDC tokens
OpenID Connect issues:
- ID token - signed JWT carrying claims about the authenticated user (iss, sub, aud, exp, nonce); the consumer must verify its signature, issuer, audience, expiry and nonce before trusting it
- Access token - presented to APIs to access protected resources
- Refresh token - used to obtain new ID and access tokens without re-authenticating; long-lived, so store it as carefully as a password
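The ID-token checks listed above, as an added worked example (my code, not from the page and not Cognito's or any library's implementation): an identity consumer validating an OIDC ID token in Python with only the standard library. So that it runs offline, it mints and verifies the token with an HS256 shared secret; real providers such as Cognito sign ID tokens with RS256 and publish the public keys at their JWKS endpoint, so in production the signature step uses those keys (normally through a JWT library). The issuer, client ID, key, nonce and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example (hypothetical issuer, client and key).
ISSUER = "https://idp.example.com"
CLIENT_ID = "my-web-app"
SHARED_KEY = b"example-shared-secret-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JWT, standing in for what the IdP would issue."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
             _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())]
    signature = hmac.new(key, ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(signature)])


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now=None):
    """Return (True, claims) if the token is trustworthy, else (False, reason).

    Order matters: verify the signature first and only then read the claims.
    """
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
    except ValueError:                      # wrong part count, bad base64, bad JSON
        return False, "malformed token"
    # Pin the algorithm you expect; never let the token choose it ("alg": "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"      # token was issued for another app
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    if claims.get("nonce") != nonce:
        return False, "nonce mismatch"      # replayed or injected token
    return True, claims


def _outcome(result):
    ok, detail = result
    return "ok" if ok else detail


def demo(now: float = 1_700_000_000.0):
    """Mint one good token and show how each tampering attempt is rejected."""
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
              "iat": int(now), "exp": int(now) + 300, "nonce": "n-42"}
    token = mint_id_token(claims, SHARED_KEY)
    h, _, s = token.split(".")
    # Payload swapped for one claiming a different subject; signature left as is.
    forged = _b64url_encode(json.dumps({**claims, "sub": "admin"}).encode())
    # Classic "alg": "none" attack: unsigned token with the original claims.
    none_tok = _b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + token.split(".")[1] + "."
    check = lambda tok, **kw: _outcome(validate_id_token(
        tok, SHARED_KEY, kw.get("iss", ISSUER), kw.get("aud", CLIENT_ID),
        kw.get("nonce", "n-42"), kw.get("now", now)))
    return {
        "good": check(token),
        "tampered": check(f"{h}.{forged}.{s}"),
        "alg_none": check(none_tok),
        "expired": check(token, now=now + 600),
        "wrong_aud": check(token, aud="other-app"),
        "replayed": check(token, nonce="n-99"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10} -> {result}")
```

The same claim checks apply unchanged to tokens from a real provider; only the signature step changes, to an RS256 verification against the key whose `kid` the token header names, fetched from the issuer's JWKS endpoint.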
AWS AD
Active Directory is a common identity provider.
- A trust relationship can be established between an existing AD domain controller and AWS Directory Service for Microsoft AD (AWS Managed Microsoft AD), so existing AD users and groups can be mapped to AWS access.
- The domain controller may be on premises or in the cloud.
AWS STS
Security Token Service. Creates and provides trusted users with temporary security credentials, obtained through calls such as AssumeRole. Each set consists of:
1. Access key ID
2. Secret access key
3. Session token
Temporary credentials expire automatically, which limits the damage if they leak; they are what IAM roles, federation and Cognito hand out instead of long-lived access keys.
Amazon Cognito
Managed service for sign-up, sign-in and access control in mobile and web applications.
- Integrates with AWS STS to identify users, give them a consistent identity over the lifetime of an application, and exchange that identity for temporary AWS credentials.
- Useful because many businesses already have an identity store such as Microsoft AD, and it is easier to federate it through Cognito than to implement a new identity store.