Section 23: Identity and Access Management (IAM) Flashcards

1
Q

What is AWS STS(Security Token Service)?

A
  1. Lets you request temporary, limited-privilege credentials for AWS resources.
    - Credentials expire: an AssumeRole session defaults to one hour and can be set from 15 minutes up to the role's configured maximum session duration (at most 12 hours); a session obtained by role chaining (assuming a role with credentials from another role) is capped at one hour
    - GetSessionToken credentials for an IAM user can last up to 36 hours, but only up to 1 hour for the root user
  2. AssumeRole
    - Within your own account
    - Cross-account access (the target role's trust policy must allow your account; use the sts:ExternalId condition when a third party assumes the role)
  3. AssumeRoleWithSAML
    - Returns credentials for users authenticated by a SAML 2.0 identity provider
  4. AssumeRoleWithWebIdentity
    - Returns credentials for users authenticated by a web identity provider (Facebook, Google, Amazon, or any OIDC provider)
    - For mobile and web apps, AWS recommends Amazon Cognito over calling this API directly
  5. GetSessionToken
    - Returns temporary credentials for an IAM user or the account root user; used to obtain MFA-authenticated session credentials (pass SerialNumber and TokenCode)
2
Q

What is Identity Federation in AWS?

A
  • Federation lets users outside AWS obtain temporary credentials by assuming a role, instead of holding long-lived IAM credentials
  • The external identity provider authenticates the user; AWS trusts that provider, and the user assumes the role mapped to their identity
  • Using federation, you don't need to create IAM users for them
3
Q

What is SAML 2.0 Federation?

A
  • Integrates a SAML 2.0 identity provider (typically Active Directory via AD FS) with AWS
  • Provides access to the AWS Console or CLI through temporary credentials (AssumeRoleWithSAML)
  • No need to create an IAM user for each employee
4
Q

What is Web Identity Federation?

A
  • The user first logs in with a web identity provider (for example Facebook) and receives a token; the app exchanges that token with STS (AssumeRoleWithWebIdentity), which returns temporary credentials for accessing AWS resources.
  • For mobile and web apps, AWS recommends Amazon Cognito rather than calling STS directly
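The role's side of the three AssumeRole variants from the STS, SAML and Web Identity cards above, as an added example that is not part of the flashcards and not AWS's own code. It goes one step past the cards: each variant is only as safe as the condition in the role's trust policy (sts:ExternalId and MFA for cross-account AssumeRole, SAML:aud for SAML, the provider's aud key for web identity), so the block builds those policies and audits them for the missing condition. All account IDs, the provider ARN, the client ID and the audit function are constructed placeholders, not real identifiers.

```python
"""Trust policies for the three AssumeRole variants, plus an audit check.

Added example, not taken from the flashcards or from AWS: every account ID,
provider ARN and client ID below is a constructed placeholder, and
audit_trust_policy() is a hypothetical helper written for this page.
"""
import json

OWN_ACCOUNT = "222222222222"        # constructed: account that owns the role
TRUSTED_ACCOUNT = "111111111111"    # constructed: partner account that assumes it
SAML_PROVIDER_ARN = f"arn:aws:iam::{OWN_ACCOUNT}:saml-provider/CorpADFS"  # constructed
OIDC_PROVIDER = "accounts.google.com"
OIDC_CLIENT_ID = "example-client-id.apps.googleusercontent.com"            # constructed
SAML_AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"


def _doc(statement):
    return {"Version": "2012-10-17", "Statement": [statement]}


def cross_account_trust(account_id, external_id, require_mfa=True):
    """AssumeRole from another account. sts:ExternalId stops a third party from
    being tricked into assuming the role on someone else's behalf (confused
    deputy); aws:MultiFactorAuthPresent requires the caller's own session to be
    MFA-backed (for example one obtained via GetSessionToken with an MFA code)."""
    condition = {"StringEquals": {"sts:ExternalId": external_id}}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return _doc({
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": condition,
    })


def saml_trust(provider_arn):
    """AssumeRoleWithSAML: accept only assertions whose audience is AWS sign-in."""
    return _doc({
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": SAML_AWS_AUDIENCE}},
    })


def web_identity_trust(provider, client_id):
    """AssumeRoleWithWebIdentity: pin the token audience to this app's client ID.
    Without it, a token the same provider issued to any other app is accepted."""
    return _doc({
        "Effect": "Allow",
        "Principal": {"Federated": provider},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{provider}:aud": client_id}},
    })


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Lower-cased condition keys across all operators in the statement."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def audit_trust_policy(policy, own_account):
    """Flag Allow statements that grant an AssumeRole variant without the
    condition that makes that variant safe. Returns a list of finding strings."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        principal = stmt.get("Principal", {})
        # Principal is either a dict of principal types or the bare string "*".
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else [principal])
        keys = _condition_keys(stmt)

        if "*" in aws_principals:
            findings.append(f"statement {i}: wildcard principal can assume the role")
        if "sts:assumerole" in actions and aws_principals:
            foreign = [p for p in aws_principals
                       if p != "*" and f":{own_account}:" not in p]
            if foreign and "sts:externalid" not in keys:
                findings.append(f"statement {i}: cross-account AssumeRole "
                                "without sts:ExternalId (confused deputy)")
            if "aws:multifactorauthpresent" not in keys:
                findings.append(f"statement {i}: AssumeRole without "
                                "aws:MultiFactorAuthPresent condition")
        if "sts:assumerolewithsaml" in actions and "saml:aud" not in keys:
            findings.append(f"statement {i}: AssumeRoleWithSAML without SAML:aud condition")
        if "sts:assumerolewithwebidentity" in actions and not any(k.endswith(":aud") for k in keys):
            findings.append(f"statement {i}: AssumeRoleWithWebIdentity without an aud condition")
    return findings


if __name__ == "__main__":
    for name, policy in [
        ("cross-account", cross_account_trust(TRUSTED_ACCOUNT, "c0nstructed-external-id")),
        ("saml", saml_trust(SAML_PROVIDER_ARN)),
        ("web-identity", web_identity_trust(OIDC_PROVIDER, OIDC_CLIENT_ID)),
    ]:
        print(name, json.dumps(policy, indent=2))
        print("findings:", audit_trust_policy(policy, OWN_ACCOUNT) or "none")
```

The audit only inspects the trust policy; it does not replace checking what the role's permission policies allow once assumed, and for Cognito-issued tokens the audience key is cognito-identity.amazonaws.com:aud rather than the provider name used here.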
5
Q

Name the 3 AWS Directory Services?

A

1) AWS Managed Microsoft AD
- Create your own AD in AWS, manage users locally, supports MFA (multi-factor authentication)
- Can establish a trust relationship with on-premises AD

2) AD Connector
- Directory gateway (proxy) that redirects requests to on-premises AD
- Users are managed in the on-premises AD

3) Simple AD
- AD-compatible managed directory on AWS (Samba-based)
- Cannot establish a trust with on-premises AD
