Advanced Identity Flashcards
What is AWS STS used for?
To grant temporary, limited access to AWS resources (valid up to 1 hour).
What STS API is used to assume roles within your account or cross-account?
AssumeRole
Which STS API returns credentials for users authenticated via SAML?
AssumeRoleWithSAML
What is AWS’s recommendation instead of using AssumeRoleWithWebIdentity?
Use Cognito Identity Pools.
Which STS API is used to authenticate with MFA?
GetSessionToken
Which STS API returns the IAM user or role making the API call?
GetCallerIdentity
Which STS API decodes AWS error messages for denied requests?
DecodeAuthorizationMessage
What credentials are returned by STS GetSessionToken?
Access Key ID, Secret Access Key, Session Token, Expiration Time
What IAM condition key enforces MFA use?
aws:MultiFactorAuthPresent:true
What is the IAM best practice regarding root credentials?
Never use root credentials; enable MFA on the root account.
What is the IAM best practice for assigning roles to EC2 or Lambda?
Assign a separate IAM role per EC2 or Lambda function.
What is the IAM best practice for on-premises servers?
Use STS to request temporary credentials (not permanent ones).
How does AWS evaluate IAM policies?
Explicit DENY > ALLOW > (default) DENY
If there’s a conflict between IAM and S3 bucket policies, what happens?
Explicit DENY in either policy overrides any ALLOW.
How do dynamic IAM policies improve scalability?
Use policy variables like ${aws:username}.
What’s the difference between AWS Managed, Customer Managed, and Inline Policies?
AWS Managed = reusable by AWS; Customer Managed = reusable by you; Inline = tied to a single user/role.
What IAM permission is required to allow a user to pass a role to a service?
iam:PassRole
Can a role be passed to any AWS service?
No, the service must be trusted in the role’s trust policy.
What AWS service acts as a proxy to on-prem Active Directory?
AD Connector
What is AWS Simple AD?
A lightweight, standalone AD-compatible directory in AWS; cannot connect to on-prem AD.
