Identity Center 2

Question 1

Provisioning

What is “Provisioning”?

Answer 1

Making users and groups available in Identity Center (creating by hand, connecting to an IdP) and syncing.

Question 2

Provisioning

So why not just use Federation instead?

Answer 2

Would set it up per-application. This works across apps and across AWS accounts.

Question 3

Provisioning

Two types of Provisioning with external IdP?

Answer 3

Automatic and Manual

Question 4

Provisioning

Why not have Identity Center just search an IdP like with AD?

Answer 4

SAML doesn’t support search feature. No auto-discovery.

Question 5

Provisioning

How does manual provisioning work with an external IdP?

Answer 5

Manually create usernames in Identity Center matching the external IdP.

Question 6

Provisioning

how does automatic provisioning work with an external IdP?

Answer 6

Has to support SCIM (cross-domain sync protocol). Syncs things automatically.

Question 7

Access and Security

What user attributes are generally kept in Identity Center?

Answer 7

Common ones, but never credentials: name, phone, email, …

Question 8

Access and Security

How does app access security work with Organizations?

Answer 8

Set perms using SCPs in Org to control which attributes which apps have access to.

Question 9

Access and Security

How do you control which apps are available in which AWS accounts?

Answer 9

Organizations: enable in management account for access by all member accounts, or in individual member accounts.

Question 10

Access and Security

What creds does Identity Center keep/maintain?

Answer 10

One for Identity Center, another for the individual apps to exchange with them for SSO.

Question 11

Access and Security

How long do the stored creds in Identity Center last?

Answer 11

I.C. creds are up to 7 days, app creds refresh hourly.

Question 12

Access and Security

How do the two creds work?

Answer 12

I.C. creds used to acquire app creds and refresh them on-going.

Question 13

Access and Security

What is a Permission Set?

Answer 13

Template that defines IAM Policies. Assign PS to users/groups. That user gets all the policies thru SSO.

Question 14

Access and Security

Two types of Permission Sets?

Answer 14

Predefined (by AWS, like Admin or Readonly) and Custom (you build from scratch)

Question 15

Access and Security

Concrete example of a Permission Set?

Answer 15

“DBOps” has Dynamo, RDS, and Redshift managed R/W Policies, use the P.S. across AWS accounts in the console.

Question 16

Access and Security

What do you attach to a Permission Set so it restricts what users can do?

Answer 16

AWS managed Policies, custom Policies, and Permissions Boundaries

Question 17

Access and Security

What does “Provisioned” mean for a Permission Set?

Answer 17

It’s associated with a user or group

Question 18

Identity Center and Active Directory

What if you have multiple Active Directories to coordinate?

Answer 18

Use AWS Directory Service (which is AD). Set up connector to other AD Domains using AD Trust.

Question 19

Identity Center and Active Directory

What if you don’t want to use AWS Directory Service? That’s just another AD to maintain…

Answer 19

AWS AD Connector: an AD proxy that forwards requests to your on-prem AD (for example).

Question 20

Identity Center and Active Directory

How does sync work with AD?

Answer 20

Two ways, you pick one: AD Sync, or AD Configurable Sync. Both keep data up to date by actively syncing between Identity Center and AD.

Question 21

Identity Center and Active Directory

How does AD Sync work?

Answer 21

When assigning users or groups to an app, AD Sync searches AD directly, then keeps those users/groups in Identity Center.

Question 22

Identity Center and Active Directory

How does AD Configurable Sync work?

Answer 22

First pick users/groups to keep in sync in Identity Center. When assigning u/g to an app, only uses u/g synced to Identity Center (doesn’t search AD).