Identity & Access Management

Question 1

AWS Definition and 4 key areas.

Answer 1

Amazon Web Services. Comprehensive Collection of Infrastructure Services.

1. Compute
2. Storage
3. Database
4. Networking Services

Question 2

AWS Platform Capabilities

Answer 2

Offered as a pay-as-you-go service.

1. Mobile Services
2. Analytics
3. Machine Learning

Question 3

Root User

Answer 3

User account you use to sign in to AWS Management Console.

Question 4

AWS Management Console

Answer 4

1. Create
2. Configure
3. Monitor

Question 5

AWS SDK

Answer 5

AWS Software Development Kit. Available for these languages: 
Allows user to interact with AWS MC through code. 
1. Java
2. .NET
3. JavaScript
4. PHP
5. Python
6. Others

Question 6

Specialty SDKs

Answer 6

1. AWS Mobile SDK

2. AWS Internet of Things (IoT) Device SDK

Question 7

AWS CLI

Answer 7

Command Line
Available for different OS:
1. Windows
2. Linus/Unix
3. macOS
*Also a PowerShell option if you prefer over the Amazon CLI.

Question 8

Authentication

Answer 8

Verifying Identity.

Involves the method or process, action used for verifying identity of user or process.

Question 9

Authorization

Answer 9

Determining access level.
Determines access level of an authenticated user/process to various resources like files, services, applications, data, and others.

Question 10

AWS IdP

Answer 10

AWS can be used as an Identity Provider.
Entails storing identities and providing method used for authentication. Applies to AWS Services, AWS infrastructure and non-AWS applications (web/mobile)

Question 11

AWS Planes of Access

Answer 11

2 planes of access.

1. Control plane - allows access to perform operations on instances. Managed through API operations.
2. Data plane - controls access to sign in to compute instances. (Secure Shell & Remote Desktop.

Question 12

Policies (related to access)

Answer 12

JSON docs with 3 key value pairs.

1. Effect - if the user or group is allow/denied to execute associated API
2. Action - if API is allowed/denied
3. Resource - defines where API is allowed/denied

Question 13

AWS Federation

Answer 13

Federation allows user to centrally manage access to AWS Resources.
2 components:
1. Identity provider - “Who are you?”
2. Identity consumer - Stores reference of identity, grants access based on Identity Provider. (Granular)

Question 14

SAML

Answer 14

Security Assertion Markup Language.

• Provides federation between and entity and service provider.
• Option in AWS
• Both exchange meta data using an XML document

Question 15

OIDC

Answer 15

Open ID Connect.

• Supersedes SAML
• easier to configure than SAML
• uses tokens (instead of assertions) to provide access

Question 16

3 types of OIDC tokens

Answer 16

Open ID Connect

1. ID
2. Access - access to API
3. Refresh - obtain new ID token

Question 17

AWS AD

Answer 17

Active Directory is a common identity provider.

• Used to establish trust between AD domain controller and AWS Directory Service for Microsoft AD.
• Domain controller may be on premise or in cloud.

Question 18

AWS STS

Answer 18

Security Token System. 
- Creates and provides trusted users with temporary security credentials. 
Consists of: 
1. Access key ID
2. Secret Access Key
3. Security Token

Question 19

Amazon Cognito

Answer 19

Managed Service for handling mobile and web applications.

• Integrates with AWS STS to identify users and provide them with consistent identity over lifetime of an application.
• Useful b/c many business already have Microsoft AD and it’s easier to integrate with Cognito that implement a new identity store.

Question 20

Ways to implement Microsoft AD on AWS (4).

Answer 20

1. Running AD on an EC2 instance.
2. Use an AD Connector to connect to AWS Services with an existing, on-premise Microsoft AD
3. Create a Simple AD. (Microsoft AD that provides compatability with AWS Directory Services.)
4. Deploying AWS Managed Microsoft AD . (Actual Microsoft Windows server managed by AWS on AWS servers.)

Question 21

AWS Management Console

Answer 21

A web-based console that encompasses a set of service consoles for managing AWS.

• Access Service Consoles (S3 buckets, EC2, CloudWatch, AmazonAccount)
• Can choose region
• Access to Billing and common troubleshooting topics
• Create shortcuts to other consoles
• Can change password
• Compatible with tables and phones
• Can download app store, iTunes, google play

Question 22

AWS Root account

Answer 22

AWS Root account created when user signs-up.

• Can use this root account to manage AWS account and services.
• Very powerful. AWS deletes root account access keys automatically.
• Never use this for day-to-day interactions with AWS

Question 23

Root Account capabilities (5)

Answer 23

1. Change account name
2. Change root user email / password
3. Change contact information
4. Change local currency
5. Add alternate account contacts (alternate contact information)

Question 24

Logic behind multiple AWS Accounts (4).

Answer 24

Want to design strategy to maximize security and align with business/ governance requirements.

1. Ex - Centralized security Management - would require 1 AWS account.
2. Ex - Separate Environments (Dev, Test, Prod) - would require 3 accounts.
3. Ex - Different Departments (esp. Autonomous Departments) - Each department would have an AWS account. Then each could have it’s own policies/ projects.
4. Independent projects - Can create multiple AWS accounts (one for common services like AD) and then each project would get it’s own account and different access to resources. (Could have a common billing account for all projects).

Question 25

IAM

Answer 25

Identity Access Management. Enables the creation of multiple users (w/ different security credentials)
1. IAM user can be authorized to create new users, manage/ delete existing users.

Question 26

IAM users can be… (3)

Answer 26

1. Person
2. Service
3. Application (that requires AWS resources through MC, CLI, or APIs)

Question 27

IAM Groups

Answer 27

Identity Access Management groups contain multiple users under 1 IAM account.

• users can be grouped based on functional aspects, organizational requirements, geographical, projects, etc..
• IAM group is given permission to access resources by giving policies, these are inherited by IAM users belonging to a group
• Even if one user, best practice to assign a group for access

Question 28

IAM user represents…

Answer 28

A unique identity with unique, long-term credentials.

Question 29

Main IAM credential types (2)

Answer 29

1. Those for signing-in to AWS MC

2. Those used for programmatic access to AWS API

Question 30

IAM Credentials vs. AWS Credentials

Answer 30

1. Username/password for both
   - AWS: username = email address
   - IAM: more flexibility
   - AWS account password: can be anything you define
   - IAM password: can be forced to comply with rules you define

Question 31

MFA

Answer 31

Multi-Factor Authentication. AWS MFA offers extra level of security.

• username/password + authentication code from MFA device
• can also require and MFA in order for users to be able to delete S3 objects

Question 32

Identity Federation

Answer 32

Some users may have identities outside of AWS, ex: Corporate directory, they may need access to AWS resources.

Question 33

Identity Federation

Answer 33

System of trust between two parties for the purpose of authenticating users and convenying the information needed to authorize their access to resources.

• In this system an IdP is responsible for user authentication.
• Ex: Some users may have identities outside of AWS, ex: Corporate directory, they may need access to AWS resources.

Question 34

Can you have multiple users with IAM?

Answer 34

Yes. Each can have their own security credentials and all are centrally managed under 1 AWS account.

Question 35

Give me an example of an IAM role for EC2.

Answer 35

Applications running on EC2 instances that require access to AWS Services.

• Ex: Developer running application on an EC2 instance that needs read-only access to an S3 bucket.
• Admin can create a suitable role. This includes policies that grant read permissions to the bucket and allows the developer to launch the EC2 instance.
• Therefore, the admin doesn’t have to create access to the bucket for the developer and the developer doesn’t have to share their crednetials.
• The developer would launch the EC2 instance and associate the new rule with the instance.
• When the application runs, it retrieves credentials from the instance metadata on EC2 instance and using role credentials it accesses S3 bucket with read-only.

Question 36

Cross-account access

Answer 36

• Enables IAM users from different AWS accounts to gain access to another AWS account.
• In trusting account, create an IAM policy that grants trusted account with access to specific resources.

Question 37

Explain how IAM roles address Identity Federation.

Answer 37

1. Creates an Identity Broker
2. This ID broker (IDB) goes between the corporate user and the AWS resources.
3. Enterprise user accesses the IDB application, the application authenticates user against the corporate identity store
4. the IDB application has permissions to allow it access to the AWS security token service to request temporary security credentials.
5. Enterprise users can access the API and Amazon MC.

Question 38

AWS Regions

Answer 38

Separate geographical regions.

• Each region maintains it’s own copy of AWS services
• Each AWS Region comprises multiple data centers
• These are grouped together to form availabilty zones
• Enables AWS to provide highly available resources

Question 39

Data center vs Availability Zone

Answer 39

Data centers are grouped together to form availability zones.

Question 40

Visibility Zones

Answer 40

Physically separated from each other, designed to operated independently from each other.

Question 41

Availability Zones (connection)

Answer 41

• Connected by low latency, high throughput redundant networking

Question 42

API

Answer 42

Application Programming Interface

- Software intermediary that allows two applications to talk to one another.

Question 43

Endpoint (API)

Answer 43

URL that enables API to gain access to resources on a server.

Question 44

AWS Regions MC vs CLI / SDK

Answer 44

1. US East (N. Virginia) MC = us-east-1 (CLI / SDK)
2. US West (Oregon) = us-west-2
3. EU (London) = eu-west-2
4. Asia Pacific (Tokyo) = ap-northeast-1

Question 45

IAM Services that aren’t limited to a specific region

Answer 45

Region = global

• API endpoint for the IAM service = same
• ex: @iam.amazonaws.com

Question 46

Choosing Regions

Answer 46

Factors:

1. Availability of services required by organization / applications. (Not all services are in all regions.)
2. Latency
3. Cost - price per region, but don’t want to sacrifice service, availabilty, latency
4. Data Residency - allows us to stay compliant within a region
   - Choose a region that as at least most services
   - What to choose regions that are closer to users, this will decrease latency when making API calls
   - business continuity, choosing regions for disaster recovery
   - choose a target region for recovery based on proximity

Question 47

What are the 2 IAM roles automatically created when you set up the account?

Answer 47

1. AWSServiceRoleForSupport

2. AWSServiceRoleForTrustedAdvisor

Question 48

After creating new AWS account…

Answer 48

1. Create 1st IAM user
2. require password reset
3. Create a group for Admins
4. Assign this user to the Admin group
5. Sign out sign back in not as root user but as IAM user

Question 49

Security Status 5 Steps when first create an account.

Answer 49

1. Delete your root access keys (this should be done automatically?)
2. Activate MFA on your root account.
3. Create individual IAM users
4. Use groups to assign permissions
5. Apply an IAM password policy.