Security Flashcards
What are the functions of OAuth 2.0?
OAuth 2.0 provides authorization only (not authentication) and issues tokens to clients. It is best suited to API authorization between apps rather than SSO. It does not carry group or membership information.
How does an IAM user assume a role?
First, the policy attached to the user must allow the STS AssumeRole action. This is already true according to the question. Second, the trust policy of the role itself must allow the user in question to assume the role. This second condition can be met by specifying the ARN of the user in the Principal element of the trust policy.
What is an IAM principal?
A Principal within an Amazon IAM Role specifies the user (IAM user, federated user, or assumed-role user), AWS account, AWS service, or other principal entity that is allowed or denied to assume or impersonate that Role.
What is a grant in KMS?
A grant is a policy instrument that allows AWS principals to use KMS keys in cryptographic operations. It can also let them view a KMS key (DescribeKey) and create and manage grants.
What are grants used for?
Grants are often used for temporary permissions because you can create one, use its permissions, and delete it without changing your key policies or IAM policies.
Grants are commonly used by AWS services that integrate with AWS KMS to encrypt your data at rest. The service creates a grant on behalf of a user in the account, uses its permissions, and retires the grant as soon as its task is complete.
How do you create an IAM SAML IdP?
- Get the SAML metadata document from the IdP
- Add SAML provider in IAM (aws iam create-saml-provider)
- Upload metadata doc (aws iam update-saml-provider)
- Assign an IAM role to IdP to give external user identities access to AWS resources
What does the SAML metadata document contain?
This document includes the issuer’s name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP.
The metadata file must be encoded in UTF-8 format without a byte order mark (BOM). Also, the X.509 certificate that is included as part of the SAML metadata document must use a key size of at least 1024 bits. If the key size is smaller, the IdP creation fails with an “Unable to parse metadata” error. To remove the BOM, you can encode the file as UTF-8 using a text editing tool, such as Notepad++.
Customers choosing to use AWS KMS with customer managed keys also get what benefits, which can support additional compliance requirements?
You maintain the ownership of keys with the ability to revoke access, rendering access to the data impossible.
You can create, rotate, and disable auditable customer managed CMKs from the AWS KMS console in line with your own compliance requirements.
The security controls in AWS KMS can help you meet encryption-related compliance requirements.
What are the considerations when switching from SSE-S3 to SSE-KMS?
- AWS KMS establishes request per second (RPS) quotas to ensure that it can provide fast and resilient service. For example, the default number of requests to AWS KMS is limited anywhere between 5,500 and 30,000 RPS (depending on the AWS Region).
- SSE-KMS adds cost for encryption and decryption operations.
What security capabilities are identified in the CAF Security Perspective?
- IAM
- Detective Controls
- Infrastructure Security
- Data Protection
- Incident Response
What are KMS key policies?
Resource-based policies that you must attach to your customer master keys (CMKs) to control access to a CMK.
IAM policies by themselves are not sufficient to allow access to a CMK, although you can use them in combination with a CMK key policy. To do so, ensure that the CMK key policy includes the policy statement that enables IAM policies.
How do you enforce least privilege with KMS keys?
By using an identity-based IAM policy, you can enforce least privilege by granting granular access to KMS API calls within an AWS account. Remember, IAM policies are based on a policy of default deny unless you explicitly grant permission to a principal to perform an action.
What pieces of information are required to configure a social IdP correctly?
- App Client ID
- App Client Secret
- List of scopes (user attributes)
What does IAM Roles Anywhere do?
IAM Roles Anywhere enables you to use IAM roles for your applications outside of AWS to access AWS APIs securely, the same way that you use IAM roles for workloads on AWS.
How do workloads outside of AWS use IAM Roles Anywhere to obtain access?
Your workloads outside of AWS use IAM Roles Anywhere to exchange X.509 certificates for temporary AWS credentials. The certificates are issued by a CA that you register as a trust anchor (root of trust) in IAM Roles Anywhere. The CA can be part of your existing PKI system, or can be a CA that you created with AWS Certificate Manager Private Certificate Authority (ACM PCA).