Security Advance Flashcards
What is symmetric encryption?
The encryption key is given to the end user for decryption; the same key is used for encryption and decryption.
What is asymmetric encryption?
The public key is used for encryption and the private key is used for decryption. Data is encrypted using the private key and it can only be decrypted using the private key by the end user. No private key is exchanged in this scenario.
Which encryption is good for local file storage encryption?
Symmetric encryption
Which encryption is used for file transfer?
Asymmetric encryption
What is STS?
Security Token Service generates temporary credentials for the assume-role functionality.
Which is used to control who can assume the role?
Trust policy
Can an external identity like Facebook access AWS STS?
Yes, as long as it is allowed in the trust policy.
If you switch roles between AWS accounts, does it use AWS STS?
Yes
Does Assume Role use AWS STS?
Yes
Does cross-account access using a role use AWS STS?
Yes
Does all identity federation access use AWS STS?
Yes
Do we get new temporary credentials when we use AWS STS?
Yes
How do we revoke temporary credentials issued by AWS STS without affecting other users?
Add the AWS Revoke Older Session inline policy, which will deny any sessions older than now.
What is Steganography?
Hiding information in an image
Does a permission boundary affect identity permissions?
Yes
Does a permission boundary affect resource policy permissions?
No
Does a permission boundary allow any access?
No, it defines the maximum permissions an identity can have. It acts like a wall.
What happens to permissions that are outside of the permissions boundary?
Permissions that are outside of the permissions boundary have no effect.
What are the multiple ways we can provide cross-account access to S3?
Bucket Policy
Access control policy
Assume Role using AWS STS
If a user uploads an object to S3 using a bucket policy or access control list, does the bucket owner have access to the S3 object?
No
If a user uploads an object to S3 using Assume Role with AWS STS, does the bucket owner have access to the S3 object?
Yes
When do we use a canonical user ID?
When we use the legacy permissions model.
Can we create one access control list for all S3 objects?
No, we have to create a separate ACL for every object; we can't apply one ACL to multiple objects.
Can we use a bucket policy to provide access to individual objects?
No, a bucket policy provides access only to buckets.
Can we use an ACL to provide access to S3 objects and bucket-level permissions?
Yes
Can SAML 2.0 directly access the AWS console & CLI?
No, it indirectly uses the on-premises ID to access the AWS console & CLI.
Which credentials can directly access the AWS console & CLI?
Only AWS credentials can directly access the console & CLI.
Are all enterprise identity providers compatible with SAML 2.0?
Yes
If you need access to AWS, do we need SAML 2.0 compatibility?
Yes
If you have more than 5000 users, which identity federation is required?
SAML 2.0
If Google, Facebook or Twitter is not compatible with SAML 2.0, can we use it to access AWS?
No
How does SAML 2.0 compatible identity federation access AWS?
Using an IAM role & AWS temporary credentials
AWS temporary credentials are valid for up to how many hours?
12 Hrs
Which service replaces the SAML 2.0 implementation?
AWS SSO
Does AWS SSO manage access to all AWS services and external applications?
Yes
Does any non-AWS identity need to be SAML 2.0 compatible to access AWS?
Yes
Does SAML-based identity federation use AWS STS?
Yes
If an identity federation user accesses the AWS console, is it authenticated by the identity federation, with temporary credentials provided by the AWS SSO endpoint or SAML endpoint?
Yes
If an identity federation app accesses the AWS API, is it authenticated by the identity federation, with temporary credentials provided by the AWS IAM endpoint?
Yes
SAML 2.0 is replaced with?
AWS SSO
What is the legacy service used to support identity federation?
SAML 2.0
What is the latest service used to support identity federation?
AWS SSO
Does Microsoft ADFS support AWS SSO?
Yes
Is AWS SSO a free service?
Yes
Can we create AWS SSO access for applications?
Yes
What is a Cognito user pool used for?
Authentication
What is a Cognito identity pool used for?
Authorization
What is AWS Cognito used for?
Web and mobile apps
What does a Cognito user pool provide after successful login?
JWT token
Can we use a JWT token to access AWS resources?
Not all resources
What does a Cognito identity pool provide?
Temporary AWS credentials to access AWS resources
Who gets guest access in a Cognito identity pool?
Unauthenticated identity
Can we use identity federation like Facebook to log in to a Cognito user pool?
Yes
Does API Gateway accept JWT?
Yes
Can we use Facebook login and get access to AWS resources using a Cognito identity pool?
Yes
Can we use a Cognito user pool to get access to AWS resources?
No, a user pool is used only for authentication and an identity pool is used for authorization.
What does an identity pool provide?
Temporary credentials to access AWS resources
Can we use AWS SSO for web identity federation?
No, AWS Cognito
Can we use AWS Cognito for workplace authentication?
No, AWS SSO
What is an SCP used for?
Restricting AWS accounts
Where can we attach an SCP?
Root account, organizational unit, or individual AWS accounts
If an SCP is attached to an OU, does it affect all of its member accounts?
Yes
Does an SCP restrict the management account?
No
Which service is used for an account permission boundary?
Service control policy
Can an SCP restrict the root user?
Yes
Can we use an SCP to grant permissions?
No
If you need access to a service, it should be allowed in?
SCP & IAM