RTO
Recovery Time Objectives
RPO
Recovery Point Objectives
KMS keys are protected by...
FIPS 140-2 validated hardware security modules (HSM)
HSM
Hardware Security Module
Which keys does KMS protect?
Root Keys
How do you manage who has access to KMS Keys?
Create and manage key policies
What permissions are required by a user to access the KMS console?
KMS permissions list IAM users & roles
What's the name of the managed policy for users to work with KMS?
AWSKeyManagementServicePowerUser
JSON IAM Policies have what fields?
effect
In an IAM Policy, what happens if there is a conflicting DENY and ALLOW?
What tools can be used to verify least privilege?
Access advisor
What is Access Advisor?
See permissions granted and when last accessed
What is access analyzer?
Analyzes resources that are shared with an external entity. Uses a zone of trust to determine what counts as "findings".
access advisor vs access analyzer?
access advisor shows granted permission and last access
What can an IAM policy be attached to?
user
Types of identity based policies?
AWS managed
Are additional permissions required for performing actions in the IAM console?
Yes
AWS managed policies
administrator vs power user?
What NotAction restrictions are on the PowerUserAccess policy?
iam:CreateServiceLinkedRole
iam:DeleteServiceLinkedRole
iam:ListRoles
organizations:DescribeOrganization
account:ListRegions
NotAction vs Effect:Deny
NotAction = exception to action
Effect:Deny = deny access to indicated resource/action
Types of IAM Policies Conditions
String (e.g. StringEquals)
List types of IAM Policies Variables and Tags
AWS Specific
When using a role for attaching a resource policy, the role is acting as a _____
IAM Role vs Resource Based Policies
With role
When using a resource-based policy, the principal doesn't have to give up any __________
What is an IAM permission boundary?
Define what is allowed
What are IAM permission boundary uses cases?
-delegate responsibilities to non administrators with their permission boundaries
-allow developers to self-assign policies without overreaching
-useful to restrict one specific user. Easier than using organization SCP
What resources are analyzed by Access Analyzer?
S3 buckets
IAM roles
KMS Keys
Lambda Functions & Layers
SQS queues
Secrets Manager Secrets
What is a zone of trust in access analyzer?
AWS Account or Organization
Features of IAM Access Analyzer
Policy Validation
Policy Generation
What is IAM Access Analyzer Policy Validation?
Provides recommendations against best practices
What is IAM Access Analyzer Policy Generation?
Generates an IAM policy based on access activity. Uses CloudTrail logs to generate it, covering up to 90 days.
Up to how many days of CloudTrail logs can be analyzed for IAM Access Analyzer Policy Generation?
90 days
What is STS?
Security Token Service Request temporary
Through what endpoint do you retrieve temporary STS credentials?
AssumeRole API
What time range can STS credentials be valid for?
15 minutes to 12 hours
What are some use cases for assuming a role using STS?
Provide access for a user on another account or a 3rd party
Provide access for services
Provide access for externally authenticated users
What permissions are required and what line is added to revoke active sessions for a role?
Required: PutRolePolicy
Inline policy: AWSRevokeOlderSessions
What are the benefits of using role based access?
-Users must be granted permission explicitly
-Users must actively switch (console
What is a zone of trust?
accounts
What service would be used to determine which resources are used outside zone of trust?
Access Analyzer
List steps to grant access to 3rd party
Account ID
External ID (secret between you and the 3rd party)
IAM policy permissions
What type of attack does an external ID prevent when granting access to a 3rd party?
confused deputy
What is a confused deputy attack?
When an external ID is not used
What is a session tag in STS?
Tags passed when you assume a role or federate a user in STS. Can be used to require a 3rd party to pass a tag to access specific resources
What is the condition name for requiring a tag for a 3rd party to access an STS enabled resource?
aws:PrincipalTag
Which API to access a role within your account or cross-account?
AssumeRole
Which API to return credentials for users logged with SAML?
AssumeRoleWithSAML
Which API to return credentials for users logged in with an IdP?
AssumeRoleWithWebIdentity
IdP
Identity Provider (e.g. Facebook)
What is the preferred option over the API AssumeRoleWithWebIdentity?
AWS Cognito
Which API is used for MFA from a user or AWS account root user?
Which API is used to obtain temporary creds for a federated user, usually a proxy app that will give the creds to a distributed app inside a corporate network?
When would you use identity federation over an IAM user?
User management is outside AWS (e.g. Active Directory)
What are some examples of identity federation flavors?
SAML
Custom Identity Broker
Web Identity Federation with(out) Amazon Cognito
SSO
SAML
Security Assertions Markup Language
ADFS
Active Directory Federation Services
SAML definition?
Open standard used by many identity providers (such as ADFS)
What does SAML use under the hood? (API)
STS API AssumeRoleWithSAML
SAML vs AWS SSO?
SSO is the new and simpler way
IdP
Identity Provider
SAML Federation steps
App makes auth request to IdP
IdP authenticates with identity store
IdP returns SAML assertion to user
User calls AssumeRoleWithSAML API on STS
STS returns temporary credentials
User can access AWS APIs
IdP vs Active Directory FS
authentication happens with AD
What to use if IdP is NOT compatible with SAML 2.0?
Custom Identity Broker Application
What is the trick with using a custom identity broker?
the IdP must determine the appropriate IAM role
Which AWS APIs would a custom identity broker use?
STS APIs: AssumeRole or GetFederationToken
What is Web Identity Federation?
Web identity federation allows you to create AWS-powered mobile apps that use public identity providers (such as Amazon Cognito)
Which API is used by Web Identity Federation?
AssumeRoleWithWebIdentity
OIDC
OpenID Connect
Web Identity Federation with Cognito steps
Login
ID Token from IdP
ID Token to Cognito
Cognito Token from Cognito
Cognito Token to STS
Get Temporary Security Credentials
Cognito benefits?
Supports anonymous users
Supports MFA
Data synchronization
TVM
Token Vending Machine
Can you use IAM Policy for cognito auth?
Yes
Examples:
cognito-identity.amazonaws.com:sub
www.amazon.com:user_id
graph.facebook.com:id
accounts.google.com:sub
AD Objects are organized as ______
trees
What is ADFS used for?
SSO across apps
List AWS Directory Services
AWS Managed Microsoft AD
AD Connector
Simple AD
What is AWS Managed Microsoft AD
Create your own AD in AWS
What is an AD Connector
Directory Gateway (proxy) to redirect to on-prem AD
What is Simple AD
AD-compatible managed directory
Benefits of using AWS Managed Microsoft AD
-EC2 Windows instances can join the domain
-Domain join EC2 instances from multiple accounts & VPCs
-Integrates with RDS
What are the 3 types of forest trusts between AWS Microsoft AD and on-prem AD?
One way trust: AWS => On-Premise
One way trust: On-premise => AWS
Two way trust: AWS <=> On-Premise
Is replication supported between AWS Microsoft AD and On-prem?
No
Forest trust == synchronization?
No. Users live independently but 2 ADs can talk to each other.
on-prem AD DC in VPC can talk to on-prem AD?
Yes
Can replication be configured between on-prem and AWS AD?
Yes
Give an example of AD architecture with replication to an AWS VPC
on-prem AD => | Microsoft AD in EC2
Describe AWS AD Connector
Directory gateway to redirect to on-prem AD.
-- No caching
-- Only on-prem users
-- VPN or Direct Connect (DX)
-- No SQL Server
Give AD Connector use case example
on-prem user -> AWS sign-in -> authenticate to on-prem AD -> STS -> user authenticated to AWS
Describe AWS Simple AD
Cheap; supports joining EC2 instances
Role for managing organization
OrganizationAccountAccessRole
T/F: Existing member account invited to an Organization automatically have the OrganizationAccountAccessRole added
False
SCP
Service Control Policy
2 AWS Organization Feature Modes
Consolidated billing features
All features (default)
T/F: You cannot return to consolidated billing features from 'All features'
True
What are consolidated billing features?
Consolidated billing across all accounts (single payment method)
Pricing benefits from aggregated usage (volume discount for EC2)
T/F: All accounts in an organization can receive the hourly cost benefits of Reserved Instances that are purchased by any other account
True (if sharing is turned on)
What are the steps to move an account between orgs?
Remove the account from the first org
Send an invite to the account from the new org
Accept the invite to the new org from the account
SCP are applied at the ______ or the ______ level
OU or the Account Level
What are service control policies (SCP)?
Define an allowlist or blocklist of IAM actions at the organization level
T/F: SCP are not applied to management accounts?
True