Advanced Permissions and Accounts

Question 1

STS generates these when the sts:AssumeRole API call is made

Answer 1

Temporary credentials

Question 2

STS credentials are similar to secret/access keys except for these 2 thigns

Answer 2

Don’t below to the identity that assumes the role (unlike IAM user)

Temporay (they expire)

Question 3

The trust policy on a role defines this

Answer 3

Who is allowed to assume the role

Question 4

The permissions policy on a role defines this

Answer 4

The AWS services and actions the role gives access to

Question 5

STS creds includ these 4 items

Answer 5

AccessKeyId -unique identifier

Expiration

SecretAccessKey - Used to sign requests

Session Token - unique token that must come along with all requests.

Question 6

sts:AssumeRole* calls are made by existing identities of either one of these two types

Answer 6

AWS Identity

External(Federation) Identity

Question 7

Are roles meant to have complex logic determining who gets what set of permissions?

Answer 7

No, a role gives a set of permissions to anyone who is enabled to assume in the trust policy. Different set of permissions implies a different role is needed.

Question 8

If you knew of a crediential leak for a role, why wouldn’t you remove all permissions of that role or just delete the role outright?

Answer 8

There may be other users who assume the role that still need the access.

Question 9

If you knew of a credential leak for a role, why would you not change the trust policy for the role to limit the access?

Answer 9

The malicous user already has valid credentials (Access key, secret key, token) to assume the role. In essence, the cat is already out of the bag.

Question 10

Can you manually invalidate temporary credentials like roles?

Answer 10

No, but you can update the role permissions policy with an inline DENY of AWSRevokeOlderSessions for any sessions older than now. Valid users will be forced to re authenticate, bad actor will be SOL.

Question 11

When does the session token come into play for AWS creds?

Answer 11

Any temporary credentials

Question 12

First step in interpreting a policy doc?

Answer 12

Identify the number of Statement block {Effect:…..}

Question 13

What implicit permissions exist if nothing is defined?

Answer 13

Nothing. Said another way, implicit deny

Question 14

What always takes precident in AWS?

Answer 14

Deny permission

Question 15

When looking a Resource in a policy statement detailing with S3, what does /* represent?

Answer 15

Sub-objects, not the bucket itself

Question 16

Why is it unlikely that you will find a policy with only a deny statement?

Answer 16

By default, everything is denied anway.

Question 17

What S3 actions require a * resource?

Answer 17

ListAllMyBuckets

GetBucketLocation

CreateBucket

Question 18

Only these types of permissions are impacted by Permissions Boundaries

Answer 18

Identity permissions (any resource policies are applied in full)

Question 19

Permissions Boundaries can only be applied to these two things

Answer 19

IAM Users

IAM Roles

Question 20

Do permissions boundaries grant access on their own?

Answer 20

No, they define maximum permissions an identity can have.

Question 21

Common Variables to use in IAM

Answer 21

aws: CurrentTime This can be used for conditions that check the date and time.
aws: EpochTime This is the date in epoch or Unix time, for use with date/time conditions.
aws: TokenIssueTime This is the date and time that temporary security credentials were issued and can be used with date/time conditions. Note: This key is only available in requests that are signed using temporary security credentials. For more information about temporary security credentials, see Temporary security credentials in IAM.
aws: PrincipalType This value indicates whether the principal is an account, user, federated, or assumed role—see the explanation that follows later.
aws: SecureTransport This is a Boolean value that represents whether the request was sent using SSL.
aws: SourceIp This is the requester’s IP address, for use with IP address conditions. Refer to IP address condition operators for information about when SourceIp is valid and when you should use a VPC-specific key instead.
aws: UserAgent This value is a string that contains information about the requester’s client application. This string is generated by the client and can be unreliable. You can only use this context key from the AWS CLI.
aws: userid This value is the unique ID for the current user—see the chart that follows.
aws: username This is a string containing the friendly name of the current user—see the chart that follows.
ec2: SourceInstanceARN This is the Amazon Resource Name (ARN) of the Amazon EC2 instance from which the request is made. This key is present only when the request comes from an Amazon EC2 instance using an IAM role associated with an EC2 instance profile.

Question 22

What to things have to happen for an entity in Account A to access something in Account B?

Answer 22

Account A has to allow the access out, account B has to allow the access to the resource.

Question 23

If an SCP is in place, what happens if an incoming action is not allowed?

Answer 23

Implicitly denied

Question 24

Six checkpoints of resource access

Answer 24

Explict Deny

SCPs

Resource Policies (if access granted here, stop processing)

Permission Boundaries

Session Policies (for IAM Roles)

Identity Policies

Question 25

What is the S3 Canonical ID?

Answer 25

Legacy ID used in ACLs

Question 26

What level do you define in the trust relationship of a role?

Answer 26

The account level that you will permit to use the role.

Question 27

There levels of an AWS Org that SCPs can be attached to

Answer 27

Root level of the org (entire)

1 to many OUs

Individual account level

Question 28

IN an AWS organization, how to you apply an SCP so it impacts the root AWS account/management account?

Answer 28

You cannot. It is special.

Question 29

Do SCPs grant permissions?

Answer 29

No, they are account level permissions boundaries. They limit what can be done in an AWS account, not grant access.

Question 30

Can you limit what the root account in an AWS account can do?

Answer 30

Not exactly, but you can use SCP’s to limit what can be done in an AWS account, inherintly limiting what the root account can do.

Question 31

What is the default SCP setting when enabled?

Answer 31

Allow *. If you didn’t do this, the default implicit deny would apply at the SCP level, and there would be no access.

Question 32

From an SCP perspective, how do you 1) implement a deny list approach 2)implement an allow list approach and 3) why

Answer 32

1) Keep the default allow *, use deny statements for services you want to block
2) Remove the default allow, add allow statements for services you want
3) 1 is easier admin overhead

Question 33

Can you apply an S3 ACL to multiple objects?

Answer 33

No, each object needs an ACL (no inheritance)

Question 34

In S3, who becomes the object owner of an S3 object?

Answer 34

The source account of the thing uploading the object

Question 35

Using ACLs and S3 in a cross account scenario does the destination account get access by default to the object uploaded by the souce?

Answer 35

No, this is a limitation of ACLs. Destination bucket account will only have access if the source entity granted access.

Question 36

Why might you choose to use Cross Account Roles when granting an external party access to store objects in S3?

Answer 36

That way the object owner of the S3 objects will be your account.

Question 37

Regarding a trust policy in an IAM Role, do you put in a user or the root AWS account user of who will be assuming?

Answer 37

Root:

{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Principal”: {
“AWS”: “arn:aws:iam::639767416172:root”
},
“Action”: “sts:AssumeRole”
}
]
}

Question 38

RAM, or Resource Access Manager, allows for sharing of AWS assets between other AWS Principles. What three types of things fall into the principles definition?

Answer 38

Accounts, OUs, and Orgs.

Question 39

What is the per hour charge for RAM?

Answer 39

Nothing, it is free, aside from the cost of the service you are using.

Question 40

While availability zone names are not consistent across different accounts, what identified is?

Answer 40

AZ IDs (use1-az1, use1-az2, etc)

Question 41

Once an asset is shared with RAM, which entities have full control?

Answer 41

Only the owner

Question 42

Is RAM bi?

Answer 42

No, the owner creates and names the share.

Question 43

If a priniciple is inside an ORG with sharing enabled, this is the default behavior for accesses shared by RAM

Answer 43

auto accept

Question 44

For non org account, or for AWS orgs where sharing is not enabled, this is the default behavior for RAM invites

Answer 44

Have to be accepted by the priniciple of the destination

Question 45

If a VPC is shared with RAM to another member account (participant), can you refenence security groups and see network assets (subnets, VPCs)?

Answer 45

Yes, can’t change network layer tho. And if the owner was to provision EC2 instances in the shared subnet, participant account wouldn’t see EC2 instances.

Question 46

If you provision an EC2 instance into a subnet that is shared with you via RAM, who is the owner of those assets?

Answer 46

The provisioning account retains ownership

Question 47

SCP inherit…

Answer 47

down the chain

Question 48

Name a service level quota that can’t be changed

Answer 48

IAM (5000 users)

Question 49

Each AWS service have this per region

Answer 49

quota

Question 50

Service Quota Dashboard

Answer 50

sweeet interface in the console giving visibility, can also request quota increases here. Can also create CloudWatch alarms from here! Service Quota console is preferred over legacy support ticket. CLI is also available. Can also set up Org template that will get submitted for new accounts.

Question 51

What is one cavaet to object owernship using S3 ACls?

Answer 51

There is a setting on the bucket that can be used to say everything created in the bucket with an ACL is owned by the account, or can allow other accounts to own. If you allow other accounts to own, you can choose between bucket owner owned or Object Writer owned.

Question 52

Do SCPs apply to external accounts?

Answer 52

SCPs affect only IAM users and roles that are managed by accounts that are part of the organization. SCPs don’t affect resource-based policies directly. They also don’t affect users or roles from accounts outside the organization.

Question 53

Cognito provides these three things for web/mobile apps

Answer 53

Authentication

Authorization

User management

Question 54

Cognito User Pool does two things

Answer 54

Allows Sign-In

Creates a JWT for you to use

Question 55

Do Cognito User pools grant access to anything?

Answer 55

No, they just manage sign in and creation of JWTs. Most AWS resources can’t use JWTs straight up, you need a translation layer.

Question 56

SOme things Cognito User Pools provides

Answer 56

Signup/Sign In

Cusomizable sign in web user interface

MFA and other security features

Can do signin from Facebook and others

Question 57

Primary purpose of identity pool

Answer 57

Exchange unauthenticated users or an external identity info for temporary AWS creds. Includes user pool identities, Facebook, SAML, and others.

Question 58

What services can you easily use with a JWT created from a successul Cognito User Pool login?

Answer 58

API Gateway can natively use the JWT and pass you through to Lambda

Question 59

Can you use an identity pool with a user pool?

Answer 59

Yes, you can create an identity pool config to support external user repositories. The result though is that you now have to have a config for each different kind of token you will get from the external identity provider.

Question 60

Benefit of using user pools integrated with external identitiy providers?

Answer 60

You will get a user pool JWT back, and then you can have a standard way to configure your identity pool to swap for creds (role for authenticated users and role for unauthenticated)

Question 61

If you are setting up a real application to use a third party provider like Google to authenticate, what is likely needed?

Answer 61

Registering your app with the provider to know about it.

Question 62

Once you complete and Identity Pool, what do you need to do to ensure proper access?

Answer 62

Go to IAM, configure the unauthenticated and authenticated access for the roles.

Question 63

Key benefit of Workspaces

Answer 63

Access a desktop from anywhere maintaining apps and state

Question 64

Key requirement for using Workspaces?

Answer 64

Implementation of a Directory Services product: Simple, Managed AD, or AD Connector

Question 65

How do Workspaces handle networking?

Answer 65

ENI in a networking VPC

You can use VPN or DX to get back to on-prem resources

Question 66

Does Workspaces provide encryption at rest?

Answer 66

Yes. EBS +KMS. You can encrypt both root and user volumes, one of them, or none of them.

Question 67

What are authentication and streaming gateways in Workspace?

Answer 67

The proxy if you will for external people connecting to the Workspaces. Talk to Directory Services to let people in.

Question 68

Do workspaces run in your VPC?

Answer 68

No, they run in an AWS hosted VPC. They are injected into your networking VPC as are your directory services. Relize this means SG’s come into play for direct ingress access.

Question 69

Are Workspaces HA?

Answer 69

No, they run in one AZ and are susceptable to AZ outages. You can distribute WOrkspaces across AZs, but each Workspace is susceptable to AZ outage.

Question 70

Does the Directoy Services - Managed Microsoft AD suport schema updates/exentions?

Answer 70

Yes, means you can install things like Exchange, Sharepoint, etc.

Question 71

What types of trusts does Directory Services - Microsoft AD support?

Answer 71

All of them, one way and two way.

Question 72

Is the Directory Services - Microsoft Ad HA?

Answer 72

Yes, minimum of two AZ with a DC in each.

Question 73

MFA Directory Service - Microsoft AD supports?

Answer 73

RADIUS-based MFA

Question 74

Best choice for > 5000 users, trust relationships between your on prem diretory?

Answer 74

Directory Services - Microsoft AD

Question 75

Can Directory Services -Managed AD support AWS services?

Answer 75

Yes, things like the Console, Workspaces, Connect, Chime, etc.

Question 76

Does Directory Services - Microsoft AD run in your VPC?

Answer 76

No, runs in an AWS VPC, but is injected into your VPC via ENIs for the AD DCs. Becuase of this, there are SGs you need to be awaare of and configure.

Question 77

Do you need to patch AD in Directory Services - Managed AD?

Answer 77

No, AWS handles.

Question 78

Can you use multiple Directory Service - AD Connectors for resiliency?

Answer 78

Yes

Question 79

What does Directory Services - AD connector need from a networking perspective?

Answer 79

2 subnets in a VPC

Networking connectivity via VPN/DX to on prem AD.

Injects ENI’s into your VPC

Question 80

What does Directory Services -AD connector give you for sizing options?

Answer 80

Small or larger

Question 81

Where can you attach SCPs

Answer 81

ORG root container, ous, individual accounts

Question 82

Do SCPs apply to the root management AWS account?

Answer 82

no

Question 83

Role trust policy enabling all users of an account

Answer 83

“Version”: “2012-10-17”, “Statement”: [{ “Effect”: “Allow”, “Principal”: { “AWS”: “arn:aws:iam::111122223333:root” }, “Action”: “sts:AssumeRole” }] }

Question 84

Product formerly known as AWS SSO

Answer 84

IAM Identity Center

Question 85

The region in which Control Tower Landing Zone is deployed into is called this

Answer 85

Home Region

Question 86

Key services Control Tower uses to build an LZ

Answer 86

Service Catalog

Cloudformation

AWS Config

IAM Identity Center (AWS SSO)

Question 87

Default Control Tower OUs

Answer 87

Security

Sandbox

Question 88

Function of Security OU Sandbox in Control Tower

Answer 88

Log Archive and Audit Accounts (CloudTrail and Config Logs)

Question 89

Control Tower Guardrail Types

Answer 89

Mandatory

Strongly Recommended

Elective

Question 90

Preventative Guard Rail in CT

Answer 90

Stop you from doing things (SCPs). Enforced or not enabled. Used to block regions, disallow bucket changes, etc

Question 91

Detective Guardrail in CT

Answer 91

Compliance checks via AWS Config

Question 92

Control Tower Account Factory Benefits

Answer 92

Guardrails automatically added

Admins or users can be self serve

User can be automatically given admin to account

Can apply standard network configuration

Accounts can be closed or repurposed