Identity & Security Flashcards
What kind of identity providers can you use with SAML 2.0?
Enterprise identity providers that are SAML 2.0 compatible, for instance Auth0, Okta, Salesforce, Microsoft AD FS.
NOT social login providers such as Google, Facebook or Twitter: those use OAuth 2.0 / OpenID Connect rather than SAML 2.0, so they go through web identity federation (or Cognito) instead.
How long are temporary credentials obtained via SAML 2.0 (AssumeRoleWithSAML) valid?
From 15 minutes up to the role's configured maximum session duration, which can be at most 12 hours; the default is 1 hour.
What are the steps in a SAML-based federation for API access to AWS?
1 - Client makes request to Identity Provider
2 - Identity Provider authenticates client
3 - Identity Provider sends SAML assertion (token) back to client
4 - Client calls STS:AssumeRoleWithSAML
5 - AWS returns temporary security credentials
6 - Client uses temp. credentials to access AWS Service
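The following Python script is an added example (not part of the original flashcards) of the client-side half of steps 3 to 5: it decodes a constructed, unsigned sample SAMLResponse, pulls the role/provider pairs out of the https://aws.amazon.com/SAML/Attributes/Role attribute, and builds the AssumeRoleWithSAML call a boto3 STS client would make. The account ID, role names and provider name are made up, and the STS client is passed in so the parsing runs offline.

```python
"""Client side of SAML federation for API access: parse the IdP's assertion and
build the AssumeRoleWithSAML request (steps 3 and 4 above)."""
import base64
import xml.etree.ElementTree as ET  # fine for the constructed sample below; parse
                                     # untrusted assertions with defusedxml instead

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample of the SAMLResponse an IdP posts back (step 3), trimmed to the
# attributes AWS consumes and unsigned. A real response is signed by the IdP; AWS
# verifies that signature against the metadata registered on the IAM SAML provider.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111122223333:role/ReadOnly,arn:aws:iam::111122223333:saml-provider/CorpIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/CorpIdP,arn:aws:iam::111122223333:role/Admin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _attribute_values(root, name):
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return []


def parse_roles(saml_response_b64):
    """Return [(role_arn, saml_provider_arn), ...] from the Role attribute.
    Each value is 'role,provider'; AWS accepts either order, so classify by ARN type."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for value in _attribute_values(root, ROLE_ATTR):
        parts = [p.strip() for p in value.split(",")]
        role = next((p for p in parts if ":role/" in p), None)
        provider = next((p for p in parts if ":saml-provider/" in p), None)
        if len(parts) != 2 or role is None or provider is None:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        roles.append((role, provider))
    return roles


def session_name(saml_response_b64):
    """The RoleSessionName the IdP asserted; it ends up in CloudTrail as the session identity."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    values = _attribute_values(root, SESSION_NAME_ATTR)
    return values[0] if values else None


def assume_role_with_saml_params(saml_response_b64, role_arn, duration_seconds=3600):
    """Build the AssumeRoleWithSAML request for one of the roles the assertion authorises."""
    providers = dict(parse_roles(saml_response_b64))
    if role_arn not in providers:
        raise PermissionError(f"assertion does not authorise {role_arn}")
    # 15 minutes to 12 hours; STS also rejects anything above the role's MaxSessionDuration.
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    return {"RoleArn": role_arn, "PrincipalArn": providers[role_arn],
            "SAMLAssertion": saml_response_b64, "DurationSeconds": duration_seconds}


def get_temporary_credentials(sts_client, saml_response_b64, role_arn, duration_seconds=3600):
    """Steps 4 and 5: exchange the assertion for temporary credentials.
    sts_client is a boto3 STS client. AssumeRoleWithSAML needs no AWS credentials of
    its own (the assertion is the credential), so an unconfigured boto3.client("sts") works."""
    resp = sts_client.assume_role_with_saml(
        **assume_role_with_saml_params(saml_response_b64, role_arn, duration_seconds))
    c = resp["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"], "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"], "expiration": c["Expiration"]}


if __name__ == "__main__":
    for role, provider in parse_roles(SAMPLE_SAML_RESPONSE):
        print(role, "via", provider, "as", session_name(SAMPLE_SAML_RESPONSE))
    print(assume_role_with_saml_params(SAMPLE_SAML_RESPONSE,
                                       "arn:aws:iam::111122223333:role/ReadOnly"))
```

Only `get_temporary_credentials(boto3.client("sts"), ...)` needs network access. STS, not the client, validates the assertion's signature, its audience, and that the chosen role's trust policy names the provider ARN sent as PrincipalArn, so a client that edits the Role attribute gains nothing.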
What are the steps in a SAML-based federation for AWS Console access?
1 - User browses Identity Provider portal
2 - Identity Provider authenticates user
3 - Identity Provider sends SAML assertion (token) back to user
4 - User’s browser redirects to AWS SSO endpoint and posts the SAML assertion
5 - AWS SSO endpoint requests temporary security credentials (using STS)
6 - AWS SSO endpoint sends sign-in URL to user’s browser
7 - User’s browser redirects to AWS Console
What’s the recommended way of doing identity federation in AWS: SAML identity federation configured per account, or AWS SSO (now AWS IAM Identity Center)?
AWS SSO. It still speaks SAML to the accounts and applications behind it, but it abstracts the identity store (its own directory, AWS Managed Microsoft AD, or an external IdP via SAML/SCIM) and manages permission sets and role provisioning across all accounts centrally, instead of configuring a SAML provider, roles and trust policies in every account by hand.
What is the right product to use for workforce identities (employees and contractors, vs. end-customer identities)?
AWS SSO (vs. Amazon Cognito for customer-facing applications)
What’s an User Pool used for in Cognito?
For sign-in: it authenticates users and issues JSON Web Tokens (ID, access and refresh tokens) after successful sign-in. Sign-in is handled either directly by Cognito (its own user directory) or delegated to social login providers such as Google, Facebook or Login with Amazon, or to SAML 2.0 / OIDC identity providers. A User Pool represents a user directory in Amazon Cognito; its JWTs are application tokens, not AWS credentials.
What’s an Identity Pool used for in Cognito?
Provides temporary AWS credentials: it exchanges (“swaps”) the identity token obtained from a social login provider, a SAML 2.0 or OIDC provider, or a Cognito User Pool for temporary AWS credentials (via STS under the hood), so the client can call AWS resources directly, with the IAM role mapped to the identity deciding what it may do. It also supports unauthenticated identities (guest users), which should be mapped to a separate, deliberately restricted role.
What are key limitations of Simple AD?
- No MFA
- No trust relationship with other domains
- Lack of integration with other AWS Services such as AWS SSO
To how many AZs is AWS Managed Microsoft AD deployed and how many domain controllers (DC) are deployed in this context?
Two AZs at minimum, with one DC per AZ by default (additional domain controllers can be added for scale and resilience).
When evaluating the Active Directory solutions of AWS, where you need RADIUS-based MFA, more than 5000 users, or a trust relationship between AWS and your on-prem directories, what’s the right product to use?
- AWS Managed Microsoft AD
- Simple Active Directory
- Active Directory Connector
AWS Managed Microsoft AD
What’s the max. size of data you can encrypt with a KMS CMK?
4 KB (4096 bytes) of plaintext per Encrypt call
If you want to encrypt data that is larger than 4 KB with KMS, what do you have to do?
Call GenerateDataKey with the Customer Master Key (CMK): KMS returns a plaintext data encryption key (DEK) together with the same DEK encrypted under the CMK. Encrypt the data locally with the plaintext DEK (e.g. AES-GCM), discard the plaintext DEK, and store the encrypted DEK alongside the ciphertext. To decrypt, call Decrypt on the encrypted DEK and use the returned key locally. This is envelope encryption; the AWS Encryption SDK and the S3/EBS encryption features implement it for you.
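An added example (not from the page) of the envelope pattern just described, in Python. It assumes the boto3 KMS client interface (`generate_data_key` and `decrypt`, called with boto3's keyword arguments) and the `cryptography` package for AES-GCM; FakeKms is an in-memory stand-in so the flow runs offline, and the key alias and encryption context values are made up.

```python
"""Envelope encryption with a KMS data key, for payloads above the 4 KB Encrypt limit.

Real use: envelope_encrypt(boto3.client("kms"), "alias/payroll", data, ctx).
FakeKms only imitates the two KMS calls needed so the flow can be exercised offline.
"""
import os
import secrets
import struct
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KMS_DIRECT_ENCRYPT_LIMIT = 4096   # bytes of plaintext kms:Encrypt accepts
DEK_SPEC = "AES_256"              # GenerateDataKey returns a 32-byte key for this spec


def needs_envelope(plaintext):
    """True when kms:Encrypt would reject the payload outright (envelope is preferable anyway)."""
    return len(plaintext) > KMS_DIRECT_ENCRYPT_LIMIT


class FakeKms:
    """Offline stand-in for KMS: keeps 'wrapped' DEKs in memory instead of encrypting
    them under a CMK, but enforces the encryption-context check KMS performs."""
    def __init__(self):
        self._store = {}

    def generate_data_key(self, KeyId, KeySpec, EncryptionContext=None):
        plaintext = secrets.token_bytes(32)
        blob = secrets.token_bytes(16)      # stands in for the CMK-encrypted DEK
        self._store[blob] = (plaintext, KeyId, tuple(sorted((EncryptionContext or {}).items())))
        return {"Plaintext": plaintext, "CiphertextBlob": blob, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        plaintext, key_id, ctx = self._store[CiphertextBlob]
        if ctx != tuple(sorted((EncryptionContext or {}).items())):
            # Real KMS raises InvalidCiphertextException here.
            raise PermissionError("encryption context mismatch")
        return {"Plaintext": plaintext, "KeyId": key_id}


def _aad(encryption_context):
    # Bind the same context to the local AES-GCM layer, so neither the wrapped DEK
    # nor the ciphertext can be moved to a record with a different context undetected.
    return "&".join(f"{k}={v}" for k, v in sorted(encryption_context.items())).encode()


def envelope_encrypt(kms, key_id, plaintext, encryption_context):
    """Returns: 4-byte length | encrypted DEK | 12-byte nonce | AES-GCM ciphertext+tag."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec=DEK_SPEC,
                               EncryptionContext=encryption_context)
    nonce = os.urandom(12)
    ct = AESGCM(dk["Plaintext"]).encrypt(nonce, plaintext, _aad(encryption_context))
    # The plaintext DEK is used once and dropped; only the wrapped copy is stored.
    blob = dk["CiphertextBlob"]
    return struct.pack(">I", len(blob)) + blob + nonce + ct


def envelope_decrypt(kms, envelope, encryption_context):
    (blob_len,) = struct.unpack(">I", envelope[:4])
    blob = envelope[4:4 + blob_len]
    nonce = envelope[4 + blob_len:16 + blob_len]
    ct = envelope[16 + blob_len:]
    # One KMS call per record (Decrypt on the small wrapped DEK), never on the data itself.
    dek = kms.decrypt(CiphertextBlob=blob, EncryptionContext=encryption_context)["Plaintext"]
    return AESGCM(dek).decrypt(nonce, ct, _aad(encryption_context))


if __name__ == "__main__":
    kms = FakeKms()
    ctx = {"app": "payroll", "tenant": "acme"}       # constructed encryption context
    record = b"salary data " * 1000                  # well above 4 KB
    env = envelope_encrypt(kms, "alias/payroll", record, ctx)
    print(len(record), "bytes ->", len(env), "bytes; roundtrip ok:",
          envelope_decrypt(kms, env, ctx) == record)
```

Keep the encryption context out of the secret material but in every call: KMS logs it in CloudTrail, and a Decrypt with a different context fails, which is what stops a wrapped DEK from one tenant being reused for another.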
If you want to perform encryption operations using PKCS#11, Java Cryptography Extensions (JCE) or Microsoft CryptoNG (CNG) libraries, what AWS service is this typically used in conjunction with?
AWS CloudHSM
What’s the benefit of using CloudHSM as Custom Key Store in KMS?
This way you keep the rich integration of KMS with other AWS services (S3, EBS, RDS, Parameter Store, etc.), while the key material is generated and stored in your own single-tenant CloudHSM cluster rather than in the HSMs KMS operates, so you retain full control of it.
What’s a benefit of CloudHSM regarding SSL/TLS?
It can hold the web server’s TLS private key and perform the private-key operation of the handshake (“SSL/TLS offload”), so the key never exists in the web server’s memory and the server CPU is relieved of that work; the symmetric bulk encryption of the session still happens on the server.
Are certificates in ACM auto-renewed if they were generated by ACM? And does the same apply to manually imported certificates?
Yes, ACM-issued certificates are renewed automatically, provided ACM can still validate the domain (the DNS validation CNAME record is still in place, or the validation email is answered). This does NOT apply to imported certificates: you must import a replacement before they expire.
Which of the following services support AWS Certificate Manager (ACM)?
- Amazon CloudFront
- Elastic Load Balancer
- Amazon EC2
- AWS Elastic Beanstalk
- Amazon API Gateway
All, except for EC2: the private key of an ACM public certificate cannot be exported, so it cannot be installed on an instance. EC2 workloads terminate TLS behind a load balancer, CloudFront or API Gateway instead.
Are service-linked roles affected by Service Control Policies (SCPs) of Amazon Organizations?
No
In which policy types can you use the IAM “Principal” element?
- Trust policies for IAM roles
- Resource-based policies
What’s a “Trust Policy”? And what does it prevent?
The resource-based policy attached to an IAM role that defines which principals (users, roles, accounts, AWS services, or federated identity providers) may assume it, and under which conditions (e.g. sts:ExternalId for cross-account access, or SAML:aud = https://signin.aws.amazon.com/saml for SAML federation). A role’s permissions are only as protected as its trust policy: an over-broad one (Principal “*”, or a whole account with no condition) is a privilege-escalation path, and a tight one prevents that escalation.
Note: a trust policy is a resource-based policy in which the role it is attached to is the resource, which is why it uses the Principal element.
What’s the hard limit for user count at which you’ll have to use AWS Directory Service for Microsoft Active Directory rather than Simple AD?
5000
When a user assumes an IAM role, does this accumulate the permissions of the role with the permissions the user already had?
No. The permissions of your IAM user and any roles that you switch to are not cumulative. Only one set of permissions is active at a time. When you switch to a role, you temporarily give up your user permissions and work with the permissions that are assigned to the role. When you exit the role, your user permissions are automatically restored.
In an IAM policy, what does the following resource statement apply to?
arn:aws:ec2:*:*:instance/*
Any EC2 instance (instance/*), in any region and any account (the two wildcard fields in ec2:*:*). It does not match other EC2 resource types such as volumes or security groups.
Name three OpenID Connect (OIDC)-compatible Identity Providers.
Google, Login with Amazon, and enterprise IdPs such as Microsoft Entra ID (Azure AD), Okta and Auth0. Facebook is supported for web identity federation but uses its own OAuth 2.0 flow rather than OpenID Connect.
What three authentication standards does Amazon Cognito User Pools support?
OAuth 2.0, SAML 2.0, and OpenID Connect
What’s a typical use case for GetFederationToken, and where would you NOT use it?
A server-side application (proxy) that requests temporary credentials on behalf of many users of a downstream application, attaching a session policy to scope each set of credentials. GetFederationToken is called with an IAM user’s long-term access keys, so those credentials must be securely stored on the server.
Because of the latter, GetFederationToken should NOT be used from client-side applications such as a mobile app; use a Cognito identity pool or AssumeRoleWithWebIdentity there instead.
What AWS feature lets you delegate permissions administration (e.g. let developers create their own roles and policies) without letting them grant more than a defined maximum (choose one)?
- IAM Roles
- IAM Users
- SCP
- Permissions Boundaries
- Resource Policies
- KMS
Permissions Boundaries: the delegated admins may only create principals that carry the boundary policy you specify, so whatever they attach is capped at its intersection with that boundary.
See: https://aws.amazon.com/blogs/security/delegate-permission-management-to-developers-using-iam-permissions-boundaries/
What permissions does the AWS-managed policy “PowerUserAccess” provide?
Full access to all AWS services and resources except IAM, Organizations and Account management. The only actions it allows in those services are creating and deleting service-linked roles, listing roles, describing the organization (which exposes the management account email and organization details) and listing the account’s enabled regions.
Can you use Service Control Policies (SCPs) to grant permissions to perform a certain action?
No. Unlike IAM permissions policies, SCPs are guardrails that only define the maximum permissions that can be granted within an account; they never grant permissions themselves, and an identity still needs an IAM policy that allows the action. An explicit DENY in an SCP, however, blocks the action for every principal in the account (the management account and service-linked roles are not affected).
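The points above about wildcard resource ARNs, permissions boundaries, SCPs and service-linked roles all come down to the same evaluation logic, so here is one added Python example (not from the page) that models it for a single action/resource pair: an explicit Deny anywhere wins, every SCP level and the permissions boundary must Allow without ever granting anything, and only an identity-based policy can grant. Conditions, NotAction/NotResource and resource-based policies are deliberately left out; the policy documents and ARNs are constructed.

```python
"""Simplified IAM evaluation: identity policies, permissions boundary, SCPs.

Order modelled (a subset of the real AWS logic):
  1. SCPs: each organisational level must Allow and none may Deny; SCPs never grant.
  2. Permissions boundary (if any): must Allow; it never grants.
  3. Identity-based policies: an explicit Deny wins, otherwise at least one Allow is needed.
"""
import re


def iam_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' spans any characters (including ':' and '/'), '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _listify(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy document."""
    decision = None
    for stmt in _listify(policy.get("Statement")):
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if not any(iam_match(a, action, ignore_case=True) for a in _listify(stmt.get("Action"))):
            continue
        if not any(iam_match(r, resource) for r in _listify(stmt.get("Resource"))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # explicit deny beats any allow
        decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policies, boundary=None, scp_levels=(), scp_exempt=False):
    """scp_levels holds one merged policy per level (root, OUs, account).
    scp_exempt models service-linked roles and the management account, which SCPs do not restrict."""
    if not scp_exempt:
        for scp in scp_levels:
            if evaluate_policy(scp, action, resource) != "Allow":
                return False         # guardrail: a level with no Allow, or an explicit Deny
    if boundary is not None and evaluate_policy(boundary, action, resource) != "Allow":
        return False                 # the boundary caps the identity policy; it grants nothing
    decisions = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in decisions:
        return False
    return "Allow" in decisions      # SCP and boundary alone never produce an Allow


# Constructed sample documents (not from a real account).
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}          # what a developer gave themselves

DEVELOPER_BOUNDARY = {"Version": "2012-10-17", "Statement": [    # the boundary the admin mandated
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "arn:aws:ec2:*:*:instance/*"}]}

ROOT_SCP = {"Version": "2012-10-17", "Statement": [              # FullAWSAccess plus one guardrail
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]}

INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"
VOLUME = "arn:aws:ec2:us-east-1:111122223333:volume/vol-0abc"


def demo():
    """Decisions a reviewer would want to see; returned as a dict so they can be checked."""
    common = dict(identity_policies=[DEVELOPER_POLICY], boundary=DEVELOPER_BOUNDARY,
                  scp_levels=[ROOT_SCP])
    return {
        "s3 read within boundary": is_allowed("s3:GetObject", "arn:aws:s3:::corp-data/report.csv", **common),
        "iam outside boundary": is_allowed("iam:CreateUser", "arn:aws:iam::111122223333:user/bob", **common),
        "start instance (resource matches)": is_allowed("ec2:StartInstances", INSTANCE, **common),
        "start instance on a volume ARN": is_allowed("ec2:StartInstances", VOLUME, **common),
        "scp deny beats identity allow": is_allowed("organizations:LeaveOrganization", "*",
                                                    [DEVELOPER_POLICY], scp_levels=[ROOT_SCP]),
        "service-linked role ignores scp": is_allowed("organizations:LeaveOrganization", "*",
                                                      [DEVELOPER_POLICY], scp_levels=[ROOT_SCP],
                                                      scp_exempt=True),
        "scp allow without identity policy": is_allowed("s3:ListBucket", "arn:aws:s3:::corp-data",
                                                        [], scp_levels=[ROOT_SCP]),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

The boundary case is the delegation model from the blog post linked above: the developer attached `*` on `*` to their own role, yet the effective permissions stay inside `s3:*`, `ec2:Describe*` and starting instances, because the boundary is intersected with, never added to, the identity policy.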
Can you use Customer Managed Keys (CMKs) with Systems Manager Parameter Store?
Yes. SecureString parameters can be encrypted with a customer managed KMS key instead of the AWS managed key for Parameter Store, but it must be a symmetric key.