Section 15 - Advanced IAM Flashcards

1
Q

Web Identity Federation?

A

Simplifies authentication and authorization for web applications.

  • User Access to AWS Resources
    • Users access AWS resources after successfully authenticating with a web-based identity provider such as Facebook, Amazon or Google.
  • Authentication
    • Following successful authentication users receive an authentication code from the web ID provider.
  • Authorization
    • Users can trade this authentication code for temporary AWS security credentials, authorizing access to AWS resources.
  • An authentication token (JWT token) is exchanged for temporary AWS credentials, allowing users to assume an IAM Role, with permissions to access AWS resources.
2
Q

Web ID Federation with Amazon Cognito?

A
  • Amazon Cognito
    • Provides web ID federation, including sign-up and sign-in functionality for your applications, and access for guest users.
  • Identity Broker
    • Manages authentication between your application and web ID providers, so you don’t need to write any additional code.
  • Multiple Devices
    • Synchronizes user data for multiple devices.
  • Recommended for Mobile
    • Recommended for all mobile applications that call AWS services.
3
Q

Amazon Cognito Use case?

A

Web Identity Federation using social media accounts like Facebook

  • A user needs to access your e-commerce site, which uses both S3 and DynamoDB.
  • Step 1: The user authenticates with Facebook.
  • Step 2: Once the user has authenticated successfully with Facebook, Cognito grants temporary AWS credentials for the AWS resources used by the e-commerce website.
4
Q

Authentication with Amazon Cognito?

A
  • Temporary Credentials
    • Cognito brokers between the app and Facebook, Amazon, or Google to provide temporary credentials.
  • IAM Role
    • The temporary credentials map to an IAM role, allowing access to the required resources.
  • Secure and Seamless
    • No need for application to embed or store credentials locally on the device.
    • Cognito gives users a seamless experience across all devices.
5
Q

Cognito User Pools and Identity Pools?

A
  • User Pools (for sign-up and sign-in)
    • User directories used to manage sign-up and sign-in functionality for mobile and web applications.
  • Sign-in
    • Users can sign in directly to the User Pool, or via Facebook, Amazon, or Google.
  • Identity Pools (for temporary credentials)
    • Identity Pools enable you to provide temporary AWS credentials, enabling access to AWS services like S3 or DynamoDB.
6
Q

Cognito Push Synchronization?

A

Synchronization Across Devices.

  • Devices
    • Cognito tracks the association between a user identity and the various devices they sign in from.
  • Seamless
    • Cognito uses Push Synchronization to push updates and synchronize user data across multiple devices.
  • SNS Silent Notification
    • An SNS notification is sent to all the devices associated with a given user identity whenever data stored in the cloud changes.
7
Q

Advanced IAM Policies?

A
  • Used to define user access permissions within AWS
  • IAM has the following Policies:
    • AWS Managed Policies
    • Customer Managed Policies
    • Inline Policies
8
Q

AWS Managed Policies?

A

An IAM policy created and administered by AWS.

e.g. AmazonDynamoDBFullAccess, AWSCodeCommitPowerUser

  • Assign appropriate permissions to your users without having to write the policy yourself.
  • Attach to multiple users, groups or roles in the same AWS account or across different accounts.
  • You cannot change the permissions defined in an AWS managed policy.
9
Q

Customer Managed Policies?

A
  • Created by You
    • A standalone policy that you create and administer inside your own AWS account. You can attach this policy to multiple users, groups, and roles within your own account.
  • Copy an Existing Policy
    • In order to create a customer managed policy, you can copy an existing AWS managed policy and customize it to fit the requirement of your organization.
  • Your needs
    • Recommended for use cases where the existing AWS managed policies don’t meet the needs of your environment.
10
Q

Inline Policies?

A
  • 1:1 Relationship
    • There is a strict 1:1 relationship between the entity and the policy
  • Embedded
    • When you delete the user, group, or role in which the inline policy is embedded, the policy will also be deleted.
  • Single User, Group or Role
    • The policy must not be inadvertently assigned to any other user, group, or role than the one for which it is intended.
    • The policy must only ever be attached to a single user, group, or role.
  • NB: In most cases, AWS recommends using managed policies over inline policies.
11
Q

STS AssumeRoleWithWebIdentity?

A
  • Security Token Service API Call
  • STS API
    • assume-role-with-web-identity is an API provided by STS (Security Token Service).
  • Temporary Credentials
    • Returns temporary security credentials for users authenticated by a mobile or web application, or by a web ID provider like Amazon, Facebook, Google, etc.
  • Web Applications
    • Regular web applications can use the assume-role-with-web-identity API. For mobile applications, Cognito is recommended.
  • Exam Tips:
    • Authentication
      • Allows users who have authenticated with a web identity provider to access AWS resources
    • API Call
      • After the user has authenticated, the application makes the assume-role-with-web-identity API call
    • Temporary Credentials
      • If successful, STS will return temporary credentials enabling access to AWS resources.
    • AssumeRoleUser
      • Within AssumeRoleUser, the ARN and AssumedRoleID are used to programmatically reference the temporary credentials, not an IAM role or user.
12
Q

Cross-Account Access?

A
  • Delegate access to resources in different AWS accounts that you own.
  • Managed Resources in Other Accounts
    • Share resources in one account with users in a different account.
  • IAM Role
    • Create a role in one account to allow access and grant permissions to users in a different account.
  • Switch Roles
    • Switch roles within the AWS Management Console. No password is required.
13
Q

Cross-Account Access Use Case?

A

A Dev account needing access to Production account resources, e.g. processing historic data in S3.
