Account/Physical Organization Flashcards


Flashcards in Account/Physical Organization Deck (18)
1
Q

Availability Zones work together, across regions, to allow for highly available and fault-tolerant applications.

A

False. Not across regions; within a region.

2
Q

High availability

A

A durable system that can operate for long periods of time without failure. High availability refers to a system that has been tested to be durable and has its components highly or always available to its users.

3
Q

IAM Policies

A

Policies cannot be directly attached to AWS resources (such as an EC2 instance).
More than one policy can be attached to a user or group at the same time.

4
Q

How to create a policy?

A

Using the policy generator, or written from scratch.

5
Q

policy simulator

A

Run tests based on the policy you created to make sure the policy works.

6
Q

Power user access

A

Admin access except it does not allow user/group management.

7
Q

Read Only Access

A

Only view AWS resources.

8
Q

IAM User

A

User credentials should NEVER be stored or “passed” to an EC2 instance.

9
Q

IAM Groups

A

Allow you to assign IAM permission policies to more than one user at a time.

10
Q

IAM Roles

A

You can now assign/change a role that is assigned to an EC2 instance after the creation process via the CLI or the EC2 management console.
– An EC2 instance can only have one role attached at a time.

11
Q

IAM Role use case

A

You are using an EC2 instance and it needs to access an S3 bucket.

    • The instance should assume a role from IAM with the proper required permissions (S3 read only);
    • The instance can then perform actions based on the role it assumes (read from S3);
    • You “can” but should never pass or store credentials in or to an EC2 instance, so roles are used instead.

12
Q

IAM Role Other Users

A

Assume a “role” for temporary access to AWS accounts and resources, for example by having something like Active Directory or a single sign-on service assume an “Identity Provider Access” role.
Create “cross account” access, where a user from one account can assume a role with permissions in another account.

13
Q

STS

A

3 components: Session Token; Access Key ID; Secret Access Key.

14
Q

When to use STS

A

Identity Federation; Roles for Cross-account Access; Roles for Amazon EC2.

15
Q

STS API Calls

A

AssumeRole: cross-account delegation and federation through a custom identity broker;
AssumeRoleWithWebIdentity: federation through a web-based identity provider;
AssumeRoleWithSAML: federation through an enterprise identity provider compatible with SAML 2.0;
GetFederationToken: federation through a custom identity broker;
GetSessionToken: temporary credentials for users in untrusted environments.

16
Q

IAM API Keys

A

Required to make programmatic calls to AWS from the:
CLI;
Tools for Windows PowerShell;
AWS SDKs;
Direct HTTP calls using the APIs for individual AWS services.

17
Q

API Access key Facts:

A
    • Only available ONE time, when a new user is created OR when you reissue a new set of keys;
    • AWS will NOT regenerate the same set of access keys;
    • API credentials must be associated with a USER;
    • Roles do not have API credentials;
    • In the AWS console, you can only see the Access Key ID, never the Secret Access Key;
    • If you require new API credentials, you must deactivate the current ones and generate new ones;
    • Never create or store API keys on an EC2 instance.