Identity & Federation Flashcards
Access Advisor
See permissions granted and when last accessed
Access Analyzer
Analyze resources that are shared with an external entity, e.g. S3 buckets
NotAction with Allow
NotAction with Allow allows all actions except those specified in NotAction. This is preferable to an explicit Deny, which would automatically reject the excepted actions even if they are allowed in additional Allow policies.
NotAction with Deny
NotAction with Deny, denies all actions except those specified in NotAction
IfExists Condition Operator Example
If the request being checked has the condition key, it is checked against the permission policy; otherwise the check is skipped. Used when a given action accesses multiple services, some of which might not have the specified condition key.
Null Condition Operator
Policy checks whether the condition key exists at the time of authorization, e.g. a condition value of false means the key must be present.
Service-Linked Role Sessions and Session Revocation
Cannot be revoked.
How to revoke sts temporary access
By using the AWSRevokeOlderSessions inline policy, which adds an explicit deny on all actions for all sessions created before the revocation time. Must have the PutRolePolicy permission for the role.
Trust Policy Principals
Cannot specify *. Only users, roles, services.
External Id
Only you and the authorized third party know the External Id. Used when granting access to your AWS resources to a trusted third party.
It is not a secret; it can be viewed again by anyone with permission to view the role.
Used to avoid the confused deputy scenario. Prevents access from unauthorized third-party accounts by requiring the External Id in addition to the role ARN when assuming the role.
AssumeRoleWithWebIdentity
For use with any OpenID Connect-compatible IdPs. No longer recommended, use AWS Cognito instead
Identity Federation Flavours
SAML 2.0, Custom Identity Broker, Web Identity Federation using Cognito, Web Identity Federation without Cognito, SSO, Microsoft AD
Custom Identity Broker vs SAML
The difference is that in the Custom Identity Broker (CIB) flow the broker itself, not the user, talks to STS and receives the temporary credentials, which are then used for interactions with AWS.
STS Web Identity Federation vs Cognito Web Identity Federation
Cognito preferred, replaces TVM:
• Supports anonymous users
• Supports MFA
• Data synchronization
App generates ID token from IdP, gets Cognito token, then uses that token to get credentials from STS.
Web Identity Federation IAM Policy Variables examples
• cognito-identity.amazonaws.com:sub
• www.amazon.com:user_id
• graph.facebook.com:id
• accounts.google.com:sub
What is AD Federation Services?
Provides SSO across applications
AWS Directory Service: Managed Microsoft AD
Create AD in cloud, manage users locally, supports MFA, RDS integration, can connect to on-prem AD by establishing “trust”. Needs Direct Connect (DX) or VPN connection.
Management and Auth can be done in both.
Multi-AZ. 2 AZs minimum. Automated backups
AWS Directory Service: AD Connector
Serves as a proxy (Directory Gateway) to on-prem AD; users are managed only in on-prem AD. Auth can be defined only on-prem. Needs a Direct Connect (DX) or VPN connection. If the connection drops, the connector is unusable. More latency than AWS Managed AD.
No caching, no MFA.
AWS Directory Service: Simple AD
AD-compatible managed directory. Cannot be joined with on-prem AD. No MFA or SSO. Cheaper and simpler. Large size: 5000 users. No trust relationships. Powered by Samba 4.
Forest Trust in AWS Managed AD
AWS -> On-prem
AWS On-prem
Forest trust does not mean synchronisation, so there is no replication
Active Directory Replication
Replicate to AWS to minimize latency and to cover DX or VPN connection failure.
Set up replication of on-prem AD to an EC2 instance in the same VPC as AWS Managed AD. Establish a two-way forest trust between the EC2 self-managed replicated AD and AWS Managed AD.
AWS Organization Features
- Consolidated Billing
- All features (default): includes SCPs and consolidated billing. Invited accounts must approve enabling All Features. Once enabled, cannot go back to Consolidated Billing only.
Strategies
Can send all CloudTrail/CloudWatch logs to a centralized logging account.
Create cross-account roles for admin purposes.
Multi Account vs One account, multiple VPC
Multi Account VPCs
Harder to set up inter-VPC communication (could use VPC peering), but better isolation.
One Account
Easier to set up, but principals can potentially have access to all VPCs in the account.
AWS Organizations SCP
Allows deny-listing or allow-listing IAM actions. Restricts access to or disables services (cannot use EMR, for example).
Must have an explicit allow; everything is denied by default.
Applied at Root, OU or Account.
Applied to all users and roles on the account including Root.
Does not affect service-linked roles.
AWS Organizations Reserved instances
Can share Reserved Instances and Savings Plans across the organization for cost savings. Sharing must be turned on. The master account can switch off sharing in child accounts.
Sharing must be switched on in both accounts.
AWS Resource Access Manager
Enables sharing your resources with other accounts to avoid duplication.
Allows provisioning resources into the same subnets of a single VPC. Accounts must be from the same organization.
You can manage, view and control only your own resources.
Cannot share security groups and default VPC.
Can also share:
AWS Transit Gateway
Route53 resolver rules
License Manager Configurations
AWS SSO
- Supports SAML 2.0 markup
- Integrates with AWS Organizations
- Integrates with on-prem AD
- Centralized permission management and auditing (CloudTrail)
AWS SSO Permissions
Can be managed within AWS SSO itself
OR using AD. Managed or on-prem. On-prem could be either using AD connector or two-way forest trust with Managed AD + on-prem.
SSO vs AssumeRoleWithSaml
AssumeRoleWithSaml:
- Uses a 3rd-party IdP login portal (management overhead)
- SAML assertion + STS temporary creds = two steps
SSO
- AWS SSO login portal (no management overhead)
- STS credentials straight away => one step