STS, SNS, SQS

Question 1

STS vs SNS vs SQS

Answer 1

"STS - security Token Service
SNS - simple notification service
    pub/sub one pub and multi subs
SQS - simple Queue service
    persistant until polled"

Question 2

short polling vs long polling

Answer 2

“Short polling - RecieveMessage request queries only a subset of the servers to find messages
Long polling - RecieveMessage request queries all servers for messages”

Question 3

What are the SQS batch actions?

Answer 3

“SendMessageBatch
DeleteMessageBatch
ChangeMessageVisibilityBatch”

Question 4

SQS encryption by default

Answer 4

Not encrypted

Question 5

What is the STS GetFederationToken?

Answer 5

“An API action for STS

Grants IAM role based on federation or company requesting it”

Question 6

When would you use STS?

Answer 6

When you want to dynamically assign temporary IAM roles to users or services without having to embed the credentials

Question 7

What is SAML

Answer 7

“Security Assertion Markup Language
Internet SSO
an XML based protocol for exchanging authentications and authorization data between parties typically pub/sub”

Question 8

What are the different payload formats for receiving notifications?

Answer 8

“HTTP/HTTPS (delivered via POST)
Email/Email-JSON
SQS
SMS”

Question 9

How do you opt to receive only a portion of the messages from a publisher?

Answer 9

Create and assign an SNS message filer policy to the user

Question 10

What are the message Attribute Items and Validation?

Answer 10

“Each message attribute consists of the following items. All parts must not be empty or null.
Name - Assign a name to the attribute
Type - supported data type for the message
Value - user-specified attribute value”

Question 11

MessageId vs ReceiptHandle

Answer 11

“MessageId - Auto assigned by AWS and returned to you via SendMessage. For identification only. max length 100 char
ReceiptHandle - identification of a message instance in a queue. Needed to delete or change visibility”

Question 12

What is an SNS message attribute?

Answer 12

“A structured metadata item (such as timestamp, geospacial data, signatures and identifiers) about the message
up to 10 attributes per message”

Question 13

What is the max size of a message?

Answer 13

“256 KB

payload and attributes combined”

Question 14

What are the API actions to obtain STS?

Answer 14

“AssumeRole - anytime the IAM role gives you an STS
AssumeRoleWithWebIdentity - authenticate to Facebook/Google/etc…
AssumeRoleWithSAML - for Enterprise identity federation”

Question 15

What is the AssumeRoleWithWebIdentity process?

Answer 15

“Send OAuth request to web identity (facebook, google, etc.)
They respond with a JWT (Javascript web token)
We use the CLI/SDK ot call AssumeRoleWithWebIdentity, passing along the JWT
The STS service determines if a token is granted to the user”

Question 16

STS AssumeRole basic process

Answer 16

“Create a user without access to a resource
Create a Role that can access a resource, and allow user to assume the role
““Statement””: { ““Effect”” : ““Allow””, ““Principal””: { ““AWS””: ““arn:of:user”” }, ““Action””: ““sts:AssumeRole”” }
Call the UseSTSRole function and pass in the user ARN (and maybe session name)
Pass these credentials in instead of the users credentials when accessing the resource”

Question 17

what is the visibility timeout period?

Answer 17

it doesn’t need a time that a message will be hidden from other consumers. default visibility timeout is 30 seconds.