Identity and Access Management (IAM) Flashcards
STS - Security Token Service
Grants limited, temporary credentials (access key, secret key and session token) for accessing AWS resources.
• Credentials expire: the default session is one hour; a role's maximum session duration can raise this to up to 12 hours, after which new credentials must be requested
Normally obtained by assuming a role (sts:AssumeRole)
Identity Federation
Federation lets users who exist outside of AWS (e.g. in a corporate directory or a 3rd-party identity provider) assume a temporary role to access AWS resources, without creating an IAM user for each of them. In short: authenticate with the 3rd-party identity provider (SAML 2.0, OpenID Connect, Active Directory), then exchange that identity for temporary AWS credentials via STS
Microsoft Active Directory
Found on any Windows Server with AD Domain Services
Database of objects: User Accounts, Computers, Printers, File Shares, Security Groups
AWS Organisations
Global service for managing multiple AWS accounts from a single management (master) account; member accounts are grouped under a root and Organizational Units (OUs)
Service Control Policies (SCP)
Allows allow-listing (whitelisting) or deny-listing (blacklisting) of IAM actions, attached at the root, OU or account level. SCPs only set the maximum permissions available in an account (they never grant access by themselves, an IAM policy in the account is still needed) and do not apply to the management (master) account or to service-linked roles
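A deny-list SCP as an added example (not from the original flashcards): it blocks every action outside two approved regions, exempting global services that are always served from us-east-1, and stops a member account from leaving the organisation. The region list and the set of exempted services are assumptions for illustration; adjust them to the organisation's own needs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]
        }
      }
    },
    {
      "Sid": "DenyLeavingOrganisation",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}
```

Because an SCP only bounds permissions, a deny-list SCP like this must sit alongside an SCP that allows something (by default the FullAWSAccess SCP is attached to every root, OU and account). Remember that the SCP is evaluated together with IAM policies: a user in a member account who is allowed `ec2:*` by their IAM policy can still only use EC2 in the two listed regions, while an administrator in the management account is unaffected.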
IAM Conditions
Narrow when a policy statement applies by testing keys from the request context, e.g.:
- restrict the client IP from which the API calls are made (aws:SourceIp)
- restrict the region the call targets (aws:RequestedRegion)
- restrict based on tags on the resource or on the calling principal (aws:ResourceTag/key, aws:PrincipalTag/key)
- require MFA (aws:MultiFactorAuthPresent)
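An identity-based policy combining all four condition types above, added here as an example rather than taken from the original flashcards. It lets a principal start and stop EC2 instances only from the office CIDR, only in eu-west-1, only for instances whose Team tag matches the caller's own Team tag, and only when MFA was used. The CIDR 203.0.113.0/24 (a documentation range), the region and the tag key are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartStopOwnTeamInstancesFromOfficeWithMfa",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["203.0.113.0/24"]
        },
        "StringEquals": {
          "aws:RequestedRegion": "eu-west-1",
          "aws:ResourceTag/Team": "${aws:PrincipalTag/Team}"
        },
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

Two caveats a practitioner should keep in mind. All condition blocks must match (they are ANDed), so a call from the office without MFA is refused. And aws:MultiFactorAuthPresent is absent from the context when long-term access keys are used: in an Allow statement `Bool ... "true"` then simply does not match, which fails closed, but in a Deny statement you want `"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}` so that requests with no MFA key at all are denied too. Likewise aws:SourceIp does not apply to calls made on your behalf by an AWS service such as CloudFormation; add `aws:ViaAWSService` handling if those are expected.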
IAM Permission Boundaries
Managed policies that set the maximum permissions an IAM entity can have; supported only for users and roles (not groups)
i.e. the entity's effective permissions are the intersection of its identity-based policies and its permission boundary
i.e. a subset of all the permissions the user's/role's own policies would otherwise allow
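A permission boundary as an added example (not part of the original flashcards). Attached to a user or role whose identity-based policy grants `iam:*` or even AdministratorAccess, it caps the effective permissions to S3 and CloudWatch Logs, and additionally forbids the entity from editing or removing boundaries, which is the usual route to escape one. The choice of S3 and Logs as the allowed services is an assumption for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BoundaryAllowsOnlyS3AndLogs",
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "logs:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PreventBoundaryTampering",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteUserPermissionsBoundary",
        "iam:DeleteRolePermissionsBoundary",
        "iam:PutUserPermissionsBoundary",
        "iam:PutRolePermissionsBoundary"
      ],
      "Resource": "*"
    }
  ]
}
```

The boundary grants nothing on its own: an entity with this boundary and no identity policy can do nothing, and one with only `s3:GetObject` in its identity policy can only read objects. It also does not stop the entity from creating new users or roles without a boundary if its identity policy allows iam:CreateUser or iam:CreateRole, so the delegated administrator's identity policy should require the `iam:PermissionsBoundary` condition key on those actions.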
Resource Access Manager (RAM)
Share AWS resources that you own (e.g. VPC subnets, Transit Gateways) with other AWS accounts or with the accounts in your own AWS Organisation, instead of duplicating them per account
Single Sign-On (SSO, now called IAM Identity Center)
Centrally manage single sign-on access to multiple AWS accounts and 3rd-party business applications from one identity source
- Integrated with AWS Organisations