Identity and Federation Flashcards
An IAM Policy document can contain 5 sections. What are they and which is optional?
Effect, Action, Resource, Conditions, Policy Variables (Optional)
EAR Conditions Policy
How does an IAM user differ from an IAM role in terms of the term of the policy (i.e. which would be used for long term vs. short term)? What do IAM roles use for issuing credentials?
An IAM user is for long-term IAM credentials. You would use an IAM role for issuing short-term credentials via STS.
I need to perform an audit over my IAM policies to determine which policies grant which permissions and when they were last used. Which AWS tool would I use: AWS Access Analyser or AWS Access Advisor?
AWS Access Advisor
What is the default Effect for an IAM policy?
DENY
Which 3 services in AWS support Resource based policies?
SQS, S3, SNS Topics
When a user assumes a role, what happens to that user's permissions? I.e., if a user has access to perform scans on a DynamoDB table in Account A and needs to output the results to an S3 bucket in Account B, would they still be able to scan the DynamoDB table in Account A after assuming the role to access S3 in Account B?
A user gives up their permissions for the duration of the role assumption. So, if a user assumes the role in Account B to access the S3 bucket, they will not be able to access the DynamoDB table in Account A.
By default what belongs in your zone of trust?
By default your zone of trust consists of AWS accounts and organisations that you own. Anything outside of that is classified as a third party.
What would you use to allow a user access in an account you own to a resource in another account that you own?
Typically, you would use STS assume role to allow cross account access in accounts that you own.
What mechanism do AWS services use to access AWS resources in terms of authentication and authorisation?
AssumeRole is used by AWS services to assume AWS roles.
What API is used to provide access for IAM users in other accounts from 3rd parties?
The AssumeRole API is used to provide access to AWS resources for IAM users in third-party accounts.
Is it possible to revoke active sessions and credentials for a role? If so, how?
You can use the AwsRevokeOlderSessions API to revoke all active sessions for a role based on a revocation timestamp.
When defining access for a third party outside your zone of trust, what THREE things must you define to allow them to safely access resources inside your account and avoid a confused deputy attack?
You need to define:
- The third-party AWS account ID
- An external ID
- An IAM permissions policy
What is the role of an External ID with respect to granting access for a third party AWS account outside of your zone of trust?
An external ID is a shared secret between you and the external third party. It is passed to YOUR account by the third party when assuming the role, and it must match.
In a third-party relationship outside of your zone of trust, who chooses the external ID?
The third party does
Describe a confused deputy attack.
A confused deputy attack involves an attacking account providing a role ARN that matches an ARN for a role within my account to a trusted third party. If no external ID is involved, the trusted third party does not know where the ARN submission has come from and will use it to assume a role within my account and allow the attacking account to access that resource.