Domain 4
Identity federation: a system of trust between two parties for the purpose of authenticating users and conveying the information needed to authorize their access to resources.
Identity provider (IdP), such as an enterprise directory fronted by AD FS, is responsible for user authentication.
Service provider (SP), such as AWS, controls access to resources.
The SP (AWS) trusts the IdP (the enterprise) to authenticate users and relies on the information (assertions) the IdP provides about them; AWS never sees the user's corporate password.
Corporate user logs into the corporate ADFS portal sign-in page.
AD FS authenticates the user against Active Directory.
AD returns the user’s information, including AD group membership information.
AD FS dynamically builds the SAML Role attribute (pairs of IAM role ARN and SAML provider ARN) from AD group memberships for the IAM roles and from user attributes for the AWS account IDs.
The browser posts the signed SAML assertion to the AWS sign-in endpoint, which calls STS AssumeRoleWithSAML and receives temporary credentials for the selected role.
The user is authenticated and given access to the AWS Management Console with that role's permissions, for the session duration carried in the assertion.
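The mapping step in the flow above is the part people get wrong, so here is an added worked example (not code from the original page): it turns a user's AD group list into the SAML Role attribute values AWS expects, and shows the trust policy a role needs before AssumeRoleWithSAML will accept the assertion. The group naming convention AWS-<account-id>-<role-name> and the SAML provider name "ADFS" are assumptions for the example, not something the page specifies.

```python
import re

# Assumption for this example: AD groups are named AWS-<12-digit account>-<role name>
# and every account has registered the IdP as a SAML provider called "ADFS".
GROUP_RE = re.compile(r"^AWS-(?P<account>\d{12})-(?P<role>[\w+=.@-]+)$")
PROVIDER_NAME = "ADFS"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
SESSION_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"


def role_attribute_values(ad_groups):
    """Build the Role attribute values: '<role ARN>,<saml-provider ARN>' per matching group.

    Groups that do not follow the convention are ignored on purpose: membership in an
    unrelated group (e.g. 'Domain Users') must never translate into an AWS role."""
    values = []
    for group in ad_groups:
        m = GROUP_RE.match(group)
        if not m:
            continue
        account, role = m.group("account"), m.group("role")
        values.append(
            f"arn:aws:iam::{account}:role/{role},"
            f"arn:aws:iam::{account}:saml-provider/{PROVIDER_NAME}"
        )
    return values


def build_saml_attributes(sam_account_name, ad_groups, session_duration_seconds=3600):
    """Attributes AD FS would emit in the assertion for this user.

    RoleSessionName shows up in CloudTrail as the assumed-role session name, so
    use a stable per-user identifier rather than something the user can edit."""
    return {
        ROLE_ATTR: role_attribute_values(ad_groups),
        SESSION_NAME_ATTR: sam_account_name,
        SESSION_DURATION_ATTR: str(session_duration_seconds),
    }


def saml_role_trust_policy(account_id):
    """Trust policy for a role that may only be assumed via the ADFS SAML provider.

    The SAML:aud condition pins the assertion to the AWS sign-in endpoint so an
    assertion minted for another service provider cannot be replayed here."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:saml-provider/{PROVIDER_NAME}"}
                if False else {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{PROVIDER_NAME}"},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
            }
        ],
    }


if __name__ == "__main__":
    # Constructed sample input: one user in two AWS groups plus a non-AWS group.
    groups = ["Domain Users", "AWS-123456789012-Admin", "AWS-210987654321-ReadOnly"]
    for k, v in build_saml_attributes("jdoe", groups).items():
        print(k, "=", v)
```

A user in several matching groups gets several Role values and is shown the role picker on sign-in; a user in none gets an empty attribute and AWS rejects the assertion, which is the behaviour you want.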
When you need to grant access to your AWS resources to a third party, use IAM roles + External ID.
The external ID is an opaque string passed in the ExternalId parameter of the STS AssumeRole API call.
You then reference it with the sts:ExternalId key in the Condition element of the role's trust policy, so the role can be assumed only when the caller presents that exact value.
For example, you are getting help from Example Corp, which manages many customers' AWS accounts. To let them into your account, you give them the ARN of an IAM role they can assume for temporary security credentials, so you are trusting Example Corp as a "deputy" that acts on your behalf. Now another AWS customer gives Example Corp the ARN of your role instead of their own, and asks Example Corp to work on "its" resources; Example Corp, which cannot tell the two requests apart, assumes your role and operates on your account.
That is how the other customer gains unauthorized access to your resources: they tricked Example Corp into unwittingly acting on your account, so Example Corp has become a "confused deputy." The external ID fixes this because Example Corp issues a different value to each customer and sends it with every AssumeRole call, and your trust policy accepts only the value issued to you.
Before External ID:
After External ID:
Create an IAM role to allow principals from one AWS account to access resources in another AWS account; its trust policy defines who can assume it and its permissions policies define what it can do once assumed.
Make sure the principal that will switch to the role has an identity-based policy allowing sts:AssumeRole on the role's ARN.
Verify that the caller passes the correct External ID and RoleArn in the AssumeRole request; a wrong or missing External ID fails the trust-policy condition and the call is denied.
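As an added worked example for the confused-deputy section above (this is illustrative code, not from the original page), the block below builds the trust policy with and without the sts:ExternalId condition and evaluates the AssumeRole attempts from the story with a deliberately simplified model of STS trust-policy evaluation (single Allow statement, an AWS root-principal match, StringEquals conditions only). The account numbers and external IDs are constructed for the example.

```python
import secrets

YOUR_ACCOUNT = "111111111111"        # constructed: the account that owns the role
EXAMPLE_CORP = "999999999999"        # constructed: the third party (the deputy)
OTHER_CUSTOMER = "333333333333"      # constructed: another Example Corp customer


def make_external_id():
    """Example Corp generates one unguessable value per customer; the customer does not pick it."""
    return secrets.token_urlsafe(24)


def trust_policy(role_owner_account, third_party_account, external_id=None):
    """Trust policy letting the third party's account assume the role.

    With external_id=None this is the 'before' policy from the page; any caller in
    Example Corp's account can assume it regardless of which customer asked."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{third_party_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_allowed(policy, caller_account, external_id=None):
    """Simplified STS check: does any Allow statement match the caller and its conditions?"""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue  # missing or foreign external ID: this statement does not match
        return True
    return False  # no matching statement: implicit deny


def confused_deputy_demo():
    """Replay the scenario from the page. Example Corp always forwards the external ID
    that belongs to whichever customer made the request."""
    your_ext_id = "ext-" + make_external_id()
    other_ext_id = "ext-" + make_external_id()
    before = trust_policy(YOUR_ACCOUNT, EXAMPLE_CORP)
    after = trust_policy(YOUR_ACCOUNT, EXAMPLE_CORP, your_ext_id)
    return {
        # Before: the other customer points Example Corp at your role and it works.
        "before_you": assume_role_allowed(before, EXAMPLE_CORP, your_ext_id),
        "before_other_customer": assume_role_allowed(before, EXAMPLE_CORP, other_ext_id),
        # After: only the request carrying the ID issued to you passes the condition.
        "after_you": assume_role_allowed(after, EXAMPLE_CORP, your_ext_id),
        "after_other_customer": assume_role_allowed(after, EXAMPLE_CORP, other_ext_id),
        "after_no_external_id": assume_role_allowed(after, EXAMPLE_CORP, None),
        # The condition does not widen the trust: a fourth account is still refused.
        "after_unrelated_account": assume_role_allowed(after, OTHER_CUSTOMER, your_ext_id),
    }


if __name__ == "__main__":
    for case, allowed in confused_deputy_demo().items():
        print(f"{case:28s} {'ALLOW' if allowed else 'DENY'}")
```

Two practical checks to pair with this: the external ID is not a secret (it travels in plain API parameters and appears in CloudTrail), so it must not be reused as a password, and it only helps when the deputy enforces "one ID per customer" on its side; a deputy that lets customers type in an arbitrary external ID is still confused.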
Directory Service for Microsoft AD (AWS Managed Microsoft AD) (Standalone AD in AWS):
Need actual Active Directory features to support AWS applications or Windows workloads, including RDS for Microsoft SQL Server.
AD Connector (Forwards sign-in requests to your existing on-premises Active Directory):
When you want to use your existing on-premises directory with compatible AWS services.
Simple AD (powered by Samba 4, standalone directory in AWS):
Supports Windows workloads and compatible AWS applications that need only basic AD features; it does not support trusts, MFA, or schema extensions.
Use AWS Managed Microsoft AD instead when you need a full Active Directory service.
Conditional DNS forwarders can be configured on AWS Managed Microsoft AD to route queries for other domains to Route 53 Resolver or to on-premises DNS servers.
SCPs are a type of organization policy that you can use to manage permissions in your organization.
SCPs are available only in an organization that has all features enabled.
No permissions are granted by an SCP; an SCP only sets the maximum permissions available to an account, and a principal's effective permissions are the intersection of what the SCPs allow and what its IAM policies allow.
SCPs don't affect users or roles in the management account.
They affect only the member accounts in your organization.
Trust policy: the resource-based policy attached to an IAM role.
This policy defines which principals can assume the role, and under which conditions; it is separate from the permissions policies that say what the role can do.
Configure one-way and two-way external and forest trust relationships:
Between your AWS Managed Microsoft AD and on-premises directories.
Between multiple AWS Managed Microsoft AD directories in AWS.
AWS Managed Microsoft AD supports all three trust directions: incoming, outgoing, and two-way (bidirectional).
You can use AD trusts to connect AWS Managed Microsoft AD to your existing AD so on-premises users can access AWS resources without duplicating accounts.
Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps.
Users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple, or through a SAML or OIDC identity provider.
A user pool is a user directory in Cognito; users in it can sign in to your web or mobile app and receive JWTs.
Identity pools (federated identities) create unique identities for your users, federate them with identity providers (including user pools), and exchange those identities for temporary, limited-privilege AWS credentials to access other AWS services.
Create an S3 bucket in Account A.
Create an IAM role or user in Account B and give it an identity-based policy permitting download (s3:GetObject) and upload (s3:PutObject) of objects in that specific S3 bucket.
In Account A, configure the bucket policy to grant the IAM role or user in Account B the s3:GetObject and s3:PutObject permissions on objects in the bucket owned by Account A.
Both halves are required for cross-account access: the identity-based policy in Account B alone is not enough, and neither is the bucket policy in Account A alone.
AWS recommends using S3 bucket policies or IAM policies for access control, and disabling ACLs entirely with the bucket-owner-enforced Object Ownership setting unless you have a specific need for them.
S3 ACLs are a legacy access control mechanism that predates IAM.
When a request is received against a resource, S3 checks the corresponding ACL to verify that the requester has the necessary access permissions.
When you create a bucket or an object, S3 creates a default ACL that grants the resource owner full control over the resource.
You specify a canned ACL in your request using the x-amz-acl request header:
public-read: the bucket or object owner gets FULL_CONTROL; the AllUsers group gets READ access.
bucket-owner-full-control: both the object owner and the bucket owner get FULL_CONTROL over the object.
S3 Object Lock, governance mode: users can't overwrite or delete an object version or alter its lock settings unless they have the s3:BypassGovernanceRetention permission and explicitly request the bypass.
S3 Object Lock, compliance mode: a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account, and its retention period can't be shortened.
S3 Glacier Vault Lock: you must complete the vault locking process within 24 hours after the vault lock enters the InProgress state; otherwise the lock ID expires and you must abort and initiate again.
After a vault lock is in the Locked state, the vault lock policy is immutable and you cannot initiate a new vault lock for the vault.