Identity & Federation

Question 1

Access Advisor

Answer 1

See permissions granted and when last accessed

Question 2

Access Analyzer

Answer 2

Analyze resources that are shared with an external entity, e.g. S3 buckets

Question 3

NotAction with Allow

Answer 3

NotAction with Allow, allows all actions except those specified in NotAction. This is better than explicit deny which will automatically reject exception Actions specified in any additional Allow Policies

Question 4

NotAction with Deny

Answer 4

NotAction with Deny, denies all actions except those specified in NotAction

Question 5

IfExists Condition Operator Example

Answer 5

If the resources being checked has condition key then check it against permission policy, otherwise skip the check. For cases when given action accesses multiple services, which might not have specified condition key

Question 6

Null Condition Operator

Answer 6

Policy checks if the condition key exists at the time of authorization, e.g. condition value is false

Question 7

Sevice-Linked Role Sessions and Session Revocation

Answer 7

Cannot be revoked.

Question 8

How to revoke sts temporary access

Answer 8

By using AWSRevokeOlderSessions inline policy, which adds another explicit deny permissions to all actions for all sessions before the revocation time. Must have PutRolePolicy permission for the role.

Question 9

Trust Policy Principals

Answer 9

Cannot specify *. Only users, roles, services.

Question 10

External Id

Answer 10

Only you and authorized third party know External Id. Used when granting access to your AWS Resources to a Trusted Third Party.
Is not like secret, can be viewed again by anyone with permissions to view the role.

Used to avoid confused deputy scenario. Prevents access from unauthorized thirds party accounts, by requiring external id in addition to role arn where assuming the role.

Question 11

AssumeRoleWithWebIdentity

Answer 11

For use with any OpenID Connect-compatible IdPs. No longer recommended, use AWS Cognito instead

Question 12

Identity Federation Flavours

Answer 12

SAML 2.0, Custom Identity Broker, Web Identity Federation using Cognito, Web Identity Federation without Cognito, SSO, Microsoft AD

Question 13

Custom Identity Broker vs SAML

Answer 13

The difference is in CIB it is all powered and CIB itself, not the user, talks to STS and receives temporary credentials which are used for interactions with AWS

Question 14

STS Web Identity Federation vs Cognite Web Identity Federation

Answer 14

Cognito preferred, replaces TVM:
• Supports anonymous users
• Supports MFA
• Data synchronization

App generates ID token from IdP, gets Cognito token, then uses that token to get credentials from STS.

Question 15

Web Identity Federation IAM Policy Variables examples

Answer 15

• cognito-
identity.amazonaws.com:sub
• www.amazon.com:user_id
• graph.facebook.com:id
• accounts.google.com:sub

Question 16

What is AD Federation Services?

Answer 16

Provides SSO across applications

Question 17

AWS Directory Service: Managed Microsoft AD

Answer 17

Create AD in cloud, manage users locally, supports MFA, RDS integration, can connect to on-prem AD by establishing “trust”. Needs Direct Connect (DX) or VPN connection.

Management and Auth can be done in both.

Multi-AZ. 2 AZs minimum. Automated backups

Question 18

AWS Directory Service: AD Connector

Answer 18

Serves as a proxy (Directory Gateway) to on-prem AD, users managed only in on-prem AD. Auth can be defined only in on-prem. Needs Direct Connect (DX) or VPN connection. If connection dies - useless. More latency than AWS Managed AD.

No caching, no mfa.

Question 19

AWS Directory Service: Simple AD

Answer 19

AD-compatible managed directory. Cannot be joined with on-prem AD. No MFA, SSO. Cheaper and simpler. Large - 5000 users. No trust relationships. Powered by Samba 4.

Question 20

Forest Trust in AWS Managed AD

Answer 20

AWS -> On-prem
AWS On-prem

Forest trust does not mean synchronisation, so there is no replication

Question 21

Active Directory Replication

Answer 21

Replicate to AWS to minimize latency, and in case DX or VPN connection failure.

Setup replication of on-prem AD to EC2 in the same VPC as AWS Managed AD. Establish two-way forest trust between EC2 self-managed replicated AD and AWS Managed AD

Question 22

AWS Organization Features

Answer 22

1. Consolidated Billing
2. All features (Default).

SCP.
Includes consolidated billing.
Invited accounts must approve enabling All Features
Once enabled cannot go back to Consolidated billing.

Strategies

Can send all CouldTrail/CloudWatch to centralized logging account.

Create Cross Account roles for Admin Purposes

Question 23

Multi Account vs One account, multiple VPC

Answer 23

Multi Account VPCs
Harder to setups inter VPC communication, could use VPC peering. But better isolation

One Account
Easier to setup, but can potentially have access to all VPCs in the account.

Question 24

AWS Organizations SCP

Answer 24

Allows to blacklist or whitelist IAM actions. Restricts access to/disable services (Cannot use EMR for example)

Must have explicit allow, deny everything by default
Applied at Root, OU or Account.
Applied to all users and roles on the account including Root.
Does not affect service-linked roles.

Question 25

AWS Organizations Reserved instances

Answer 25

Can share reserved instances and savings plan amongst organizations for cost savings. Sharing must be turned on. Master account can switch off sharing in child accounts.

Sharing must be switched on both accounts.

Question 26

AWS Resource Access Manager

Answer 26

Enables to share your resources with other accounts. Avoid duplication.

Allows to provision resources into same subnets in single VPC. Must be from same organization.
Can manage/view and control only your own resources.

Cannot share security groups and default VPC.

Can also share:
AWS Transit Gateway
Route53 resolver rules
License Manager Configurations

Question 27

AWS SSO

Answer 27

• Supports SAML 2.0 markup
• Integrates with AWS Organizations
• Integrates with on-prem AD
• Centralized permission management and auditing (CloudTrail)

Question 28

AWS SSO Permissions

Answer 28

Can be managed within AWS SSO itself
OR using AD. Managed or on-prem. On-prem could be either using AD connector or two-way forest trust with Managed AD + on-prem.

Question 29

SSO vs AssumeRoleWithSaml

Answer 29

AssumeRoleWithSaml:

• Uses 3rd party IDP Login Portal (Management overhead)
• SAML assertion + STS temporary creds = two steps

SSO

• AWS SSO login Portal (No management overhead)
• sts credentials straight away => one step