Identity Center 2 Flashcards
Provisioning
What is “Provisioning”?
Making users and groups available in Identity Center (creating by hand, connecting to an IdP) and syncing.
Provisioning
So why not just use Federation instead?
You would have to set federation up per application. Provisioning in Identity Center works across apps and across AWS accounts.
Provisioning
Two types of Provisioning with external IdP?
Automatic and Manual
Provisioning
Why not have Identity Center just search an IdP like with AD?
SAML doesn’t support a search feature, so there is no auto-discovery.
Provisioning
How does manual provisioning work with an external IdP?
Manually create usernames in Identity Center matching the external IdP.
Provisioning
How does automatic provisioning work with an external IdP?
The IdP has to support SCIM (a cross-domain sync protocol). Users and groups are then synced automatically.
Access and Security
What user attributes are generally kept in Identity Center?
Common ones, but never credentials: name, phone, email, …
Access and Security
How does app access security work with Organizations?
Set permissions using SCPs in Organizations to control which attributes which apps have access to.
Access and Security
How do you control which apps are available in which AWS accounts?
Organizations: enable in management account for access by all member accounts, or in individual member accounts.
Access and Security
What creds does Identity Center keep/maintain?
One for Identity Center itself, and another that is exchanged with the individual apps for SSO.
Access and Security
How long do the stored creds in Identity Center last?
Identity Center creds last up to 7 days; app creds refresh hourly.
Access and Security
How do the two creds work?
Identity Center creds are used to acquire app creds and to refresh them on an ongoing basis.
Access and Security
What is a Permission Set?
A template that defines IAM Policies. Assign the Permission Set to users/groups; that user gets all of its policies through SSO.
Access and Security
Two types of Permission Sets?
Predefined (by AWS, like Admin or ReadOnly) and Custom (you build from scratch).
Access and Security
Concrete example of a Permission Set?
“DBOps” has the Dynamo, RDS, and Redshift managed R/W Policies; the Permission Set is then used across AWS accounts in the console.
Access and Security
What do you attach to a Permission Set so it restricts what users can do?
AWS managed Policies, custom Policies, and Permissions Boundaries
Access and Security
What does “Provisioned” mean for a Permission Set?
It’s associated with a user or group.
Identity Center and Active Directory
What if you have multiple Active Directories to coordinate?
Use AWS Directory Service (which is AD). Set up a connector to the other AD domains using an AD Trust.
Identity Center and Active Directory
What if you don’t want to use AWS Directory Service? That’s just another AD to maintain…
AWS AD Connector: an AD proxy that forwards requests to your on-prem AD (for example).
Identity Center and Active Directory
How does sync work with AD?
Two ways, and you pick one: AD Sync or AD Configurable Sync. Both keep data up to date by actively syncing between Identity Center and AD.
Identity Center and Active Directory
How does AD Sync work?
When assigning users or groups to an app, AD Sync searches AD directly, then keeps those users/groups in Identity Center.
Identity Center and Active Directory
How does AD Configurable Sync work?
First pick the users/groups to keep in sync in Identity Center. When assigning users/groups to an app, only those already synced to Identity Center are used (it doesn’t search AD).