Security, Identity & Compliance | Amazon Cloud Directory Flashcards

1
Q

What is Amazon Cloud Directory?

General

Amazon Cloud Directory | Security, Identity & Compliance

A

Amazon Cloud Directory is a cloud-native, highly scalable, high-performance, multi-tenant directory service that provides web-based directories to make it easy for you to organize and manage all your application resources such as users, groups, locations, devices, and policies, and the rich relationships between them. Cloud Directory is a foundational building block for developers to create directory-based solutions easily and without having to worry about deployment, global scale, availability, and performance.

Unlike existing traditional directory systems, Cloud Directory does not limit organizing directory objects in a single fixed hierarchy. In Cloud Directory, you can organize directory objects into multiple hierarchies to support multiple organizational pivots and relationships across directory information. For example, a directory of users may provide a hierarchical view based on reporting structure, location, and project affiliation. Similarly, a directory of devices may have multiple hierarchical views based on its manufacturer, current owner, and physical location.

Cloud Directory provides virtually unlimited directories. It scales each directory to hundreds of millions of nodes automatically while offering consistent performance. Cloud Directory is optimized for a high rate of low-latency, eventually consistent reads. Developers model directory objects using extensible schemas to enforce data correctness constraints automatically and to make it easier to program against. Cloud Directory offers rich information lookup based on customer-defined indexed attributes, thus enabling fast tree traversals and searches within the directory trees. Cloud Directory data is encrypted at rest and in transit.

2
Q

What are the important characteristics of Amazon Cloud Directory?

General

A

Important characteristics include:

Support for the multi-hierarchical organization of information to capture rich relationships between entities.

Optimization for fast lookups and searches to retrieve values.

Support of a high rate of eventually consistent read operations.

Extensible object schema support to simplify application development and ease interoperability across multiple applications interacting with common directory information.

Seamless scaling to millions of objects and classifications.

The ability to define various types of application-specific policies on directory objects.

Encryption at rest and in transit.

3
Q

What are core use cases for Cloud Directory?

General

A

Customers can use Cloud Directory to build applications such as IoT device registries, social networks, network configurations, and user directories. Each of these use cases typically needs to organize data hierarchically, perform high-volume and low-latency lookups, and scale to hundreds of millions of objects with global availability.

4
Q

What kind of customers can use Cloud Directory?

General

A

Customers of all sizes can use Amazon Cloud Directory to build directory-based applications easily.

5
Q

How is Cloud Directory different from traditional directories?

General

A

Amazon Cloud Directory is a foundational service for developers to build cloud-native directories for hundreds of millions of objects and relationships. It provides the necessary APIs for you to create a directory with a schema, add objects and relationships, and attach policies to those objects and relationships.

Traditional LDAP-based directories are designed as IT tools for organizations to manage users and devices. They provide authentication and policy frameworks, but lack the scalability to manage hundreds of millions of objects and relationships. Traditional directories are optimized for IT use cases, not for developers building cloud, mobile, and IoT applications.

6
Q

When should I use Cloud Directory versus AWS Directory Service for Microsoft Active Directory (Enterprise Edition) or Amazon Cognito User Pools?

Core Concepts

A

AWS Directory Service for Microsoft Active Directory (Enterprise Edition), or AWS Microsoft AD, is designed to support Windows-based workloads that require Microsoft Active Directory. AWS Microsoft AD is intended for enterprise IT use cases and applications that depend on Microsoft Active Directory.

Amazon Cognito User Pools is an identity solution for developers who need authentication, federation, and credentials management for users.

Amazon Cloud Directory is designed for developers who need to manage large volumes of hierarchical data, and need a flexible directory solution that supports multiple sets of relationships and built-in data validation.

7
Q

What are the key terms and concepts that I need to be aware of to use Amazon Cloud Directory?

Core Concepts

A

To use Amazon Cloud Directory, you need to know the following key terms:

Directory

Schema

Facet

Object

Attribute

Hierarchy

Policy

8
Q

What is a directory?

Core Concepts

A

A directory defines the scope for the data store (like a table in Amazon DynamoDB), completely isolating it from all other directories in the service. It also defines the transaction scope, query scope, and the like. A directory also represents the root object for a customer’s tree and can have multiple directory objects as its children. Customers must apply schemas at the directory level.

9
Q

What is a schema?

Core Concepts

A

A schema defines facets, attributes, and constraints allowed within a directory. This includes defining:

One or more types of facets that may be contained within a directory (such as Person, Organization_Person).

Attributes required or allowed on various types of facets.

Constraints (such as required or unique, primitive data types such as integer, string, and others).

10
Q

What is a facet?

Core Concepts

A

A facet is a collection of attributes and constraints. One or more facets, used in combination, define the objects in a directory. For example, Person and Device can be facets that define corporate employees and the multiple devices associated with them.

11
Q

What is an object?

Core Concepts

A

An object represents a structured data entity in a directory. An object in a directory is intended to capture metadata about a physical or logical entity, usually for the purpose of information discovery and enforcing policies. For example, users, devices, and applications are all types of objects. An object’s structure and type information are expressed using a collection of facets.

12
Q

What is an attribute?

Core Concepts

A

An attribute is a user-defined unit of metadata associated with an object. For example, the user object can have an attribute called email-address. Attributes are always associated with an object.

13
Q

What is a hierarchy?

Core Concepts

A

A hierarchy is a view in which groups and objects are organized in parent-child relationships similar to a file system in which folders have files and subfolders beneath them. Amazon Cloud Directory supports organizing objects into multiple hierarchies.

14
Q

What is a policy?

Setup

A

A policy is a specialized object type with attributes that define the type of policy and policy document. A policy can be attached to objects or the root of a hierarchy. By default, objects inherit policies from their parents. Amazon Cloud Directory does not interpret policies.

15
Q

How do I provision a new directory in Amazon Cloud Directory?

Schemas

A

You can provision a new directory in Amazon Cloud Directory with the following steps:

Sign in to any of your AWS accounts with privileges to manage Cloud Directory.

Open the AWS Management Console and navigate to the Amazon Cloud Directory console.

Click Create New Directory.

Provide a name for your new directory.

Select a predefined schema, or create a new schema for your directory.

After you have created the new directory, you can use the Amazon Cloud Directory APIs to start populating your container with objects that comply with the associated schema. If you have a single directory, you can start populating it with objects based on the schemas and facets you choose (such as products for a product catalog). If you have multiple directories of different entities, you can create a root node for each entity directory and then start populating it (for example, user and device as two types of directories that you can build within one directory).

You can also use the AWS Command Line Interface (CLI) to perform the same steps to create a new Amazon Cloud Directory container. Amazon Cloud Directory provides an SDK to create, read, delete, and update directories programmatically.

16
Q

How do I create and manage schemas?

Schemas

A

Amazon Cloud Directory provides an SDK and CLI to create, read, and update schemas. Cloud Directory also supports uploading a compliant JSON file to create a schema. You can also create and manage schemas using the Cloud Directory console.

17
Q

Does Amazon Cloud Directory provide any sample schemas?

APIs

A

Yes, currently Amazon Cloud Directory provides the following sample schemas:

Organization

Person (User)

Device

18
Q

What are eventually consistent and strongly consistent read operations in Cloud Directory?

APIs

A

Amazon Cloud Directory is a distributed directory store. This means that data is distributed to multiple servers in different Availability Zones.