Identity and Access Management Advanced Flashcards
What is the AWS Security Token Service (STS)?
What is the AssumeRole API?
What is AssumeRoleWithSAML?
What is AssumeRoleWithWebIdentity?
What is GetSessionToken?
The AWS Security Token Service (STS) allows you to grant limited, temporary access to AWS resources for up to one hour via a token.
(Think sudo.) Provides enhanced security by allowing users to assume a role within the same account to gain additional privileges, such as deleting an S3 bucket. You can also assume a role for cross-account access in order to perform actions in the other account.
Returns temporary role credentials for users logged in with SAML.
Returns credentials for users logged in with a web identity provider (Facebook Login, Google Login, etc.). However, this is not recommended; AWS recommends using Cognito instead.
Used for MFA from an IAM user or the AWS account root user.
How can STS be used to assume a role or for cross-account access?
- Create an IAM role for that user
- Assign that role to a principal (user)
- The user requests credentials and impersonates the IAM role they have access to
- Credentials are granted for 15 minutes to 1 hour
What does Identity Federation in AWS do?
Do you need to create IAM users when using federation?
It allows users outside AWS to assume a temporary role for accessing AWS resources. These users assume an access role granted through the identity provider. Note: even though these users are outside of AWS, they are still on-prem users.
No, the user management is outside of AWS.
Describe the flow for accessing an S3 bucket via SAML federation.
- Log into the SAML IdP
- Receive a SAML assertion
- Pass the assertion to the Security Token Service (STS) AssumeRole API
- STS will validate the token and return temporary credentials
- The temporary credentials can then be used to access the S3 bucket
How do you configure SAML?
- You begin by registering AWS with your IdP. In your organization's IdP you register AWS as a service provider (SP) by using the SAML metadata document that you get from the following URL:
https://signin.aws.amazon.com/static/saml-metadata.xml
- Using your organization's IdP, you generate an equivalent metadata XML file that describes your IdP as an IAM identity provider in AWS. It must include the issuer name, a creation date, an expiration date, and keys that AWS can use to validate authentication responses (assertions) from your organization.
- In the IAM console, you create a SAML identity provider entity. As part of this process, you upload the SAML metadata document that was produced by your organization's IdP in the previous step. For more information, see Creating IAM SAML identity providers.
- In IAM, you create one or more IAM roles. In the role's trust policy, you set the SAML provider as the principal, which establishes a trust relationship between your organization and AWS. The role's permission policy establishes what users from your organization are allowed to do in AWS. For more information, see Creating a role for a third-party Identity Provider (federation).
- In your organization's IdP, you define assertions that map users or groups in your organization to the IAM roles. Note that different users and groups in your organization might map to different IAM roles. The exact steps for performing the mapping depend on which IdP you're using. In the earlier scenario of an Amazon S3 folder for users, it's possible that all users will map to the same role that provides Amazon S3 permissions. For more information, see Configuring SAML assertions for the authentication response.
How does the flow work if you have a custom identity provider (not SAML or OIDC)?
If the application is not compatible with SAML, the flow then changes to:
- User authenticates with the custom IdP
- The IdP makes a request to the Security Token Service (STS) to get security credentials via the GetFederationToken API
- The IdP then returns these credentials to the browser
- The browser can then use these credentials to access AWS resources
You must call the GetFederationToken operation using the long-term security credentials of an IAM user.
How do you use AssumeRoleWithWebIdentity?
You shouldn't; use Cognito instead. However, if you must, the flow is:
- Log into the web application and receive a token
- Send the token from the browser to the STS AssumeRoleWithWebIdentity API. This returns temporary credentials
- These temporary credentials can then be used to access AWS resources
What is the goal of Cognito?
To provide direct access to AWS resources from the client side (mobile, web app) without creating IAM users for our app users.
What is AWS AD Connector?
What is AWS Managed AD?
What is Simple AD?
Which service can support MFA?
It allows AWS to broker (proxy) authentication to an on-prem Active Directory. (Users are only stored in the on-prem AD.)
It is similar to AWS AD Connector, except users can exist in both ADs (AWS and on-prem) and can authenticate at either. SUPPORTS MFA.
AWS Managed AD is useful when you have EC2 instances running Windows and you want users logging into the instances to be able to authenticate with AD.
AWS Managed AD.
What is an AWS organization?
What is the structure of an AWS organization?
How many organizations can a member account belong to?
If you wanted to have separate per-account service limits or an isolated account for logging how would you do that?
It allows you to manage multiple AWS accounts under one. This allows you to have consolidated billing for all accounts.
There is one master account and other member accounts.
One, but they can be migrated to another account.
Use member accounts in an organization.
How can you organize or nest member accounts?
By using organizational units
What are service control policies?
When would you use a service control policy?
What can an SCP not be applied to?
How does inheritance work for service control policies?
They are policies to restrict access to services. They are applied at the OU or account level. They default to no access, and access must be added to the policy.
You would use a service control policy to restrict access to certain services, e.g. to restrict access to services that are not PCI compliant.
The master account and service linked roles.
Service control policies that are applied at the organizational level are inherited by accounts and other organizations below them. This applies to both allow and deny policies.
How do you migrate an account from one organization to another?
How do you migrate a master account?
- Remove the member from the old organization
- Send an invite to the new organization
- Accept the invite to the new organization from the member account
- Migrate all of the member accounts below it
- Remove the master account from its organization
- Migrate the master account.
How can you use an IAM policy to restrict the source IPs that are allowed to call a service?
How can you restrict the outgoing API calls that are made from an AWS service to specific regions?
How can you apply tag based restrictions via an IAM policy?
How can you force MFA?
On an S3 bucket, what does the trailing /* indicate?
What is a Resource-based policy?
Use the aws:SourceIp condition key in the IAM policy.
Use the aws:RequestedRegion condition key in the IAM policy.
Use the aws:ResourceTag or aws:PrincipalTag condition keys in the IAM policy to restrict based on the tag of the resource or the tag of the principal (user).
Use the aws:MultiFactorAuthPresent condition key in the IAM policy.
It applies the policy to the objects in the bucket.
It allows you to specify a policy directly on an AWS resource. Through this mechanism, you can provide access to external AWS accounts.
What is an IAM permission boundary?
What is the order that policies are evaluated?
Allows you to restrict the policies that can be applied to a user or group to a specific subset of all available policies.
- Deny: check all explicit denies
- Organization SCP
- Resource-based policy
- Permission boundary
- Session-based policies (assumed roles)
- Identity-based policies (user or group)