Identity & Access Management Flashcards Preview


Flashcards in Identity & Access Management Deck (49)
1
Q

AWS Definition and 4 key areas.

A

Amazon Web Services. Comprehensive Collection of Infrastructure Services.

  1. Compute
  2. Storage
  3. Database
  4. Networking Services
2
Q

AWS Platform Capabilities

A

Offered as a pay-as-you-go service.

  1. Mobile Services
  2. Analytics
  3. Machine Learning
3
Q

Root User

A

User account you use to sign in to AWS Management Console.

4
Q

AWS Management Console

A
  1. Create
  2. Configure
  3. Monitor
5
Q

AWS SDK

A
AWS Software Development Kit. Allows users to interact with AWS MC through code.
Available for these languages:
1. Java
2. .NET
3. JavaScript
4. PHP
5. Python
6. Others
6
Q

Specialty SDKs

A
  1. AWS Mobile SDK
  2. AWS Internet of Things (IoT) Device SDK

7
Q

AWS CLI

A
Command Line Interface.
Available for different operating systems:
1. Windows
2. Linux/Unix
3. macOS
*There is also a PowerShell option if you prefer it over the AWS CLI.
8
Q

Authentication

A

Verifying Identity.

Involves the method, process, or action used to verify the identity of a user or process.

9
Q

Authorization

A

Determining access level.
Determines access level of an authenticated user/process to various resources like files, services, applications, data, and others.

10
Q

AWS IdP

A

AWS can be used as an Identity Provider.
Entails storing identities and providing the method used for authentication. Applies to AWS services, AWS infrastructure, and non-AWS applications (web/mobile).

11
Q

AWS Planes of Access

A

2 planes of access.

  1. Control plane - allows access to perform operations on instances. Managed through API operations.
  2. Data plane - controls access to sign in to compute instances (Secure Shell & Remote Desktop).
12
Q

Policies (related to access)

A

JSON docs with 3 key-value pairs.

  1. Effect - whether the user or group is allowed/denied to execute the associated API
  2. Action - which API is allowed/denied
  3. Resource - defines where the API is allowed/denied
13
Q

AWS Federation

A

Federation allows users to centrally manage access to AWS resources.
2 components:
1. Identity provider - “Who are you?”
2. Identity consumer - Stores reference of identity, grants access based on Identity Provider. (Granular)

14
Q

SAML

A

Security Assertion Markup Language.

  • Provides federation between an entity and a service provider.
  • Option in AWS
  • Both exchange metadata using an XML document
15
Q

OIDC

A

Open ID Connect.

  • Supersedes SAML
  • easier to configure than SAML
  • uses tokens (instead of assertions) to provide access
16
Q

3 types of OIDC tokens

A

Open ID Connect

  1. ID
  2. Access - access to API
  3. Refresh - obtain new ID token
17
Q

AWS AD

A

Active Directory is a common identity provider.

  • Used to establish trust between an AD domain controller and AWS Directory Service for Microsoft AD.
  • Domain controller may be on premises or in the cloud.
18
Q

AWS STS

A
Security Token System. 
- Creates and provides trusted users with temporary security credentials. 
Consists of: 
1. Access key ID
2. Secret Access Key
3. Security Token
19
Q

Amazon Cognito

A

Managed Service for handling mobile and web applications.

  • Integrates with AWS STS to identify users and provide them with consistent identity over lifetime of an application.
  • Useful because many businesses already have Microsoft AD and it’s easier to integrate with Cognito than to implement a new identity store.
20
Q

Ways to implement Microsoft AD on AWS (4).

A
  1. Running AD on an EC2 instance.
  2. Use an AD Connector to connect AWS services with an existing, on-premises Microsoft AD
  3. Create a Simple AD. (Microsoft AD that provides compatibility with AWS Directory Services.)
  4. Deploying AWS Managed Microsoft AD. (Actual Microsoft Windows server managed by AWS on AWS servers.)
21
Q

AWS Management Console

A

A web-based console that encompasses a set of service consoles for managing AWS.

  • Access Service Consoles (S3 buckets, EC2, CloudWatch, AmazonAccount)
  • Can choose region
  • Access to Billing and common troubleshooting topics
  • Create shortcuts to other consoles
  • Can change password
  • Compatible with tablets and phones
  • App can be downloaded from the App Store (iTunes) and Google Play
22
Q

AWS Root account

A

AWS Root account is created when the user signs up.

  • Can use this root account to manage AWS account and services.
  • Very powerful. AWS deletes root account access keys automatically.
  • Never use this for day-to-day interactions with AWS
23
Q

Root Account capabilities (5)

A
  1. Change account name
  2. Change root user email / password
  3. Change contact information
  4. Change local currency
  5. Add alternate account contacts (alternate contact information)
24
Q

Logic behind multiple AWS Accounts (4).

A

Want to design strategy to maximize security and align with business/ governance requirements.

  1. Ex - Centralized security Management - would require 1 AWS account.
  2. Ex - Separate Environments (Dev, Test, Prod) - would require 3 accounts.
  3. Ex - Different Departments (esp. Autonomous Departments) - Each department would have an AWS account. Then each could have its own policies/projects.
  4. Independent projects - Can create multiple AWS accounts (one for common services like AD) and then each project would get its own account and different access to resources. (Could have a common billing account for all projects.)
25
Q

IAM

A

Identity Access Management. Enables the creation of multiple users (w/ different security credentials)
1. IAM user can be authorized to create new users, manage/ delete existing users.

26
Q

IAM users can be… (3)

A
  1. Person
  2. Service
  3. Application (that requires AWS resources through MC, CLI, or APIs)
27
Q

IAM Groups

A

Identity Access Management groups contain multiple users under 1 IAM account.

  • Users can be grouped based on functional aspects, organizational requirements, geography, projects, etc.
  • An IAM group is given permission to access resources by attaching policies; these are inherited by the IAM users belonging to the group
  • Even if one user, best practice to assign a group for access
28
Q

IAM user represents…

A

A unique identity with unique, long-term credentials.

29
Q

Main IAM credential types (2)

A
  1. Those for signing in to the AWS MC
  2. Those used for programmatic access to the AWS API

30
Q

IAM Credentials vs. AWS Credentials

A
  1. Username/password for both
    - AWS: username = email address
    - IAM: more flexibility
    - AWS account password: can be anything you define
    - IAM password: can be forced to comply with rules you define
31
Q

MFA

A

Multi-Factor Authentication. AWS MFA offers extra level of security.

  • username/password + authentication code from MFA device
  • can also require MFA in order for users to be able to delete S3 objects
32
Q

Identity Federation

A

Some users may have identities outside of AWS, ex: Corporate directory, they may need access to AWS resources.

33
Q

Identity Federation

A

System of trust between two parties for the purpose of authenticating users and conveying the information needed to authorize their access to resources.

  • In this system an IdP is responsible for user authentication.
  • Ex: Some users may have identities outside of AWS, ex: Corporate directory, they may need access to AWS resources.
34
Q

Can you have multiple users with IAM?

A

Yes. Each can have their own security credentials and all are centrally managed under 1 AWS account.

35
Q

Give me an example of an IAM role for EC2.

A

Applications running on EC2 instances that require access to AWS Services.

  • Ex: Developer running application on an EC2 instance that needs read-only access to an S3 bucket.
  • Admin can create a suitable role. This includes policies that grant read permissions to the bucket and allow the developer to launch the EC2 instance.
  • Therefore, the admin doesn’t have to create access to the bucket for the developer and the developer doesn’t have to share their credentials.
  • The developer would launch the EC2 instance and associate the new role with the instance.
  • When the application runs, it retrieves credentials from the instance metadata on the EC2 instance and, using the role credentials, accesses the S3 bucket read-only.
36
Q

Cross-account access

A
  • Enables IAM users from different AWS accounts to gain access to another AWS account.
  • In the trusting account, create an IAM policy that grants the trusted account access to specific resources.
37
Q

Explain how IAM roles address Identity Federation.

A
  1. Creates an Identity Broker
  2. This ID broker (IDB) goes between the corporate user and the AWS resources.
  3. Enterprise user accesses the IDB application, the application authenticates user against the corporate identity store
  4. the IDB application has permissions to allow it access to the AWS security token service to request temporary security credentials.
  5. Enterprise users can access the API and Amazon MC.
38
Q

AWS Regions

A

Separate geographical regions.

  • Each region maintains its own copy of AWS services
  • Each AWS Region comprises multiple data centers
  • These are grouped together to form availability zones
  • Enables AWS to provide highly available resources
39
Q

Data center vs Availability Zone

A

Data centers are grouped together to form availability zones.

40
Q

Availability Zones

A

Physically separated from each other, designed to operate independently of each other.

41
Q

Availability Zones (connection)

A
  • Connected by low latency, high throughput redundant networking
42
Q

API

A

Application Programming Interface

- Software intermediary that allows two applications to talk to one another.

43
Q

Endpoint (API)

A

URL that enables API to gain access to resources on a server.

44
Q

AWS Regions MC vs CLI / SDK

A
  1. US East (N. Virginia) MC = us-east-1 (CLI / SDK)
  2. US West (Oregon) = us-west-2
  3. EU (London) = eu-west-2
  4. Asia Pacific (Tokyo) = ap-northeast-1
45
Q

IAM Services that aren’t limited to a specific region

A

Region = global

  • API endpoint for the IAM service = same
  • ex: @iam.amazonaws.com
46
Q

Choosing Regions

A

Factors:

  1. Availability of services required by organization / applications. (Not all services are in all regions.)
  2. Latency
  3. Cost - price per region, but don’t want to sacrifice service, availability, latency
  4. Data Residency - allows us to stay compliant within a region
    - Choose a region that has at least most services
    - Want to choose regions that are closer to users; this will decrease latency when making API calls
    - business continuity, choosing regions for disaster recovery
    - choose a target region for recovery based on proximity
47
Q

What are the 2 IAM roles automatically created when you set up the account?

A
  1. AWSServiceRoleForSupport
  2. AWSServiceRoleForTrustedAdvisor

48
Q

After creating new AWS account…

A
  1. Create 1st IAM user
  2. require password reset
  3. Create a group for Admins
  4. Assign this user to the Admin group
  5. Sign out and sign back in as the IAM user, not as the root user
49
Q

Security Status 5 Steps when first create an account.

A
  1. Delete your root access keys (this should be done automatically?)
  2. Activate MFA on your root account.
  3. Create individual IAM users
  4. Use groups to assign permissions
  5. Apply an IAM password policy.