Identity & Security Flashcards

1
Q

What kind of identity providers can you use with SAML 2.0?

A

Enterprise Identity Providers that are SAML 2.0 Compatible, for instance Auth0, Okta, Salesforce, Microsoft AD FS.

NOT Google, Facebook, Twitter, etc. as these do not use SAML 2.0

2
Q

How long are temporary credentials that were provided via SAML 2.0 typically valid?

A

Up to 12 hours

3
Q

What are the steps in a SAML-based federation for API access to AWS?

A

1 - Client makes request to Identity Provider
2 - Identity Provider authenticates client
3 - Identity Provider sends SAML assertion (token) back to client
4 - Client calls STS:AssumeRoleWithSAML
5 - AWS returns temporary security credentials
6 - Client uses temp. credentials to access AWS Service

4
Q

What are the steps in a SAML-based federation for AWS Console access?

A

1 - User browses Identity Provider portal
2 - Identity Provider authenticates user
3 - Identity Provider sends SAML assertion (token) back to user
4 - User’s browser redirects to AWS SSO endpoint and posts the SAML assertion
5 - AWS SSO endpoint requests temporary security credentials (using STS)
6 - AWS SSO endpoint sends sign-in URL to user’s browser
7 - User’s browser redirects to AWS Console

5
Q

What’s the recommended way of doing identity federation in AWS? SAML Identity Federation, or AWS SSO?

A

AWS SSO, as it abstracts the identity store and therefore is much more flexible than SAML.

6
Q

What is the right product to use for workplace identities (vs. end-customer identities)?

A

AWS SSO (vs. Cognito)

7
Q

What’s a User Pool used for in Cognito?

A

For sign-in (providing a JSON Web Token (JWT) after successful sign-in). Sign-in is either provided directly through Cognito, or through Social Login providers such as Google, Facebook or Twitter. A User Pool represents a user directory in Amazon Cognito.

8
Q

What’s an Identity Pool used for in Cognito?

A

Provides access to temporary AWS credentials: it is used to “swap” the credentials obtained through a Social Login, SAML 2.0, or a Cognito User Pool for temporary AWS credentials so that AWS resources can be used. It also supports Unauthenticated Identities (Guest Users).

9
Q

What are key limitations of Simple AD?

A

  • No MFA
  • No trust relationship with other domains
  • Lack of integration with other AWS Services such as AWS SSO

10
Q

To how many AZs is AWS Managed Microsoft AD deployed and how many domain controllers (DC) are deployed in this context?

A

To 2 or more AZs, with 1 DC per AZ

11
Q

When evaluating the Active Directory solutions of AWS, where you need RADIUS-based MFA, more than 5000 users, or a trust relationship between AWS and your on-prem directories, what’s the right product to use?

  • AWS Managed Microsoft AD
  • Simple Active Directory
  • Active Directory Connector

A

AWS Managed Microsoft AD

12
Q

What’s the max. size of data you can encrypt with a KMS CMK?

A

4 KB

13
Q

If you want to encrypt data that is larger than 4 KB with KMS, what do you have to do?

A

Generate a Data Encryption Key (DEK) using the Customer Master Key (CMK) and use the DEK for the encryption.

14
Q

If you want to perform encryption operations using PKCS#11, Java Cryptography Extensions (JCE) or Microsoft CryptoNG (CNG) libraries, what AWS service is this typically used in conjunction with?

A

AWS CloudHSM

15
Q

What’s the benefit of using CloudHSM as Custom Key Store in KMS?

A

This way you can benefit from the rich integration of KMS with other AWS services, but you keep full control of the key material used for the encryption operation.

16
Q

What’s a benefit of CloudHSM regarding SSL/TLS?

A

It can be used to offload the SSL/TLS processing, which would otherwise typically have to be performed by the web server. CloudHSM appliances are much more efficient for this operation, making it a cost-effective and performant solution for SSL/TLS processing.

17
Q

Are certificates in ACM auto-renewed if they were generated by ACM? And does the same apply to manually imported certificates?

A

Yes, they are auto-renewed. But this does NOT apply to imported certificates.

18
Q

Which of the following services support AWS Certificate Manager (ACM)?

  • Amazon CloudFront
  • Elastic Load Balancer
  • Amazon EC2
  • AWS Elastic Beanstalk
  • Amazon API Gateway

A

All, except for EC2

19
Q

Are service-linked roles affected by Service Control Policies (SCPs) of Amazon Organizations?

A

No

20
Q

In which policy types can you use the IAM “Principal” element?

A

  • Trust policies for IAM roles
  • Resource-based policies

21
Q

What’s a “Trust Policy”? And what does it prevent?

A

Defines which identities can assume an IAM role, therefore serving as a way to prohibit privilege escalation.

Note: Trust Policies are resource-based policies, where the IAM role they’re attached to is the resource.

22
Q

What’s the hard limit for user count at which you’ll have to use AWS Directory Service for Microsoft Active Directory rather than Simple AD?

A

5000

23
Q

When a user assumes an IAM role, does this accumulate the permissions of the role with the permissions the user already had?

A

No. The permissions of your IAM user and any roles that you switch to are not cumulative. Only one set of permissions is active at a time. When you switch to a role, you temporarily give up your user permissions and work with the permissions that are assigned to the role. When you exit the role, your user permissions are automatically restored.

24
Q

In an IAM policy, what does the following resource statement apply to?

arn:aws:ec2:*:*:instance/*

A

An EC2 instance of any name (instance/*), in any region and any account (ec2:*:*).

25
Q

Name three OpenID Connect (OIDC)-compatible Identity Providers.

A

Facebook, Google, Amazon

26
Q

What three authentication standards does Amazon Cognito User Pools support?

A

OAuth 2.0, SAML 2.0, and OpenID Connect

27
Q

What’s a typical use case for GetFederationToken, and where would you NOT use it?

A

A server-side application that serves as a proxy for other applications. GetFederationToken uses long-term credentials, so those credentials must be securely stored.

Because of the latter, GetFederationToken should NOT be used on client-side applications such as a mobile app.

28
Q

What AWS feature allows you to implement admin permissions delegation within AWS (choose one)?

  • IAM Roles
  • IAM Users
  • SCP
  • Permission Boundaries (also sometimes referred to as Policy Boundaries)
  • Resource Policies
  • KMS

A

Policy Boundaries

See: https://aws.amazon.com/blogs/security/delegate-permission-management-to-developers-using-iam-permissions-boundaries/

29
Q

What permissions does the AWS-managed IAM role “PowerUserAccess” provide?

A

Access to all AWS services, except IAM and Organizations (but it does allow viewing information about the user’s organization, including the management account email and organization limitations).

30
Q

Can you use Service Control Policies (SCPs) to grant permissions to perform a certain action?

A

No. Unlike IAM permissions, SCPs are guardrails only: they define what permissions may be granted, but do not themselves grant any. They can, however, DENY a permission.

31
Q

Can you use Customer Managed Keys (CMKs) with Systems Manager Parameter Store?

A

Yes, but only symmetric ones.