Aws solution architect associate exam questions

These notes were written while working through the A Cloud Guru AWS Certified Solutions Architect - Associate online course. These notes are partly from the videos, and also from various other online sources. Primarily, they're notes for me, but you might find them useful too. Since the AWS platform is changing so quickly, it's possible that some of these notes may be out of date, so please take that into consideration if you are reading them. Please let me know in the comments below if you have any corrections or updates which you'd like me to add. This post was last updated in March, 2019.

IAM

  • Gives you centralised control of an AWS account.
  • Is global - there is no concept of regional IAM at this time; all users, groups, policies, etc. are available in all regions.
  • Supports Identity Federation, which can be used for Single Sign-On, i.e. logging in with credentials from another provider (typically Active Directory) instead of IAM credentials.
  • Always set up MFA (Multi-Factor Authentication) on your root account.
  • IAM can be used to create and customise password rotation policies.
  • IAM consists of Users, Groups, Roles, and Policy Documents.

Users

  • By default, new users don't have access to any AWS services.
  • Username and password:
    • Can be used to sign in via a custom sign-in link which you can create via the IAM console.
    • Cannot be used to interact with the API.
  • Access Key ID and Secret Access Key:
    • Can be used to interact via the AWS command line, SDKs, or APIs.
    • The secret is only shown once, when the key is created. Save them in a secure location. If you lose them, they need to be regenerated.

Groups

  • Are a collection of IAM users, simplifying the assigning of permissions. e.g. you can have groups for different departments such as Sales, Developers, HR, etc., which may all require different levels of AWS access.

Roles

  • You can create roles, then assign them to AWS resources. e.g. you might have an EC2 instance, and give it a role saying it can access S3. That way the EC2 instance can directly access S3 without having to manage usernames, passwords, etc.
  • Limited to 500 IAM roles under your AWS account (the default quota when these notes were written; it has since been raised and is adjustable on request).
  • Types of trusted entity a role can be created for include:
    • Another AWS Account (allows entities in other accounts to perform actions in the current account).
    • Web Identity (Amazon, Cognito, Facebook, Google).

Policy Documents

An IAM policy is a document which formally defines permissions, and can be attached to users, groups, and roles. For example, one of the AWS managed policies assigns full access to S3 by allowing s3:* on all resources. The "PowerUserAccess" policy provides full access to AWS services and resources, but does not allow management of users and groups: it is written as an Allow with a NotAction that excludes iam:* rather than as a list of permitted services.

STS (Security Token Service)

  • STS is used for requesting temporary, limited-privilege credentials for AWS IAM users or for federated users which you authenticate.
  • The temporary security credentials are valid for the duration that you specify when calling AssumeRole, which can be from 900 seconds (15 minutes) to a maximum of 3600 seconds (1 hour). The 1 hour ceiling is a role's default MaxSessionDuration; it can be raised to 12 hours on the role, but credentials obtained by role chaining (assuming a role with credentials from another role) are still capped at 1 hour.

STS API operations:

  • AssumeRole - you must use credentials for an IAM user or an IAM role to call AssumeRole. You cannot call AssumeRole using AWS root account credentials; access is denied.
  • AssumeRoleWithSAML - for when users have been authenticated via a SAML authentication response (e.g. from Active Directory). The caller does not need IAM credentials.
  • AssumeRoleWithWebIdentity - for when users have been authenticated in a mobile app or web app with a web identity provider such as Facebook, Google, or any OpenID Connect provider. The caller does not need to be a user in IAM, or have any IAM credentials.

Including an IAM access policy with AssumeRole

When assuming a role, you can further restrict access by passing an IAM access policy (a session policy) on each request. From the AssumeRole documentation: "If you pass a policy to this operation, the temporary security credentials that are returned by the operation have the permissions that are allowed by both the access policy of the role that is being assumed, and the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed."

Federation

  • Federation (typically with Active Directory) allows you to use credentials from another provider; the user does not need to be a user in IAM, or have any IAM credentials.
  • Web identity federation: using Facebook/Amazon/Google or another OpenID Connect provider to log in.
  • Cross-account access: allowing users from one AWS account to access resources in another.

To use STS federation with a corporate directory, you must implement the following steps in the following order:

  1. Develop an Identity Broker to communicate with LDAP (Lightweight Directory Access Protocol, one of the protocols that you can use to talk to Active Directory) and with STS.
  2. The Identity Broker always authenticates with LDAP first, THEN with AWS STS.
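The following is an added example (not from the original notes and not AWS code) covering both the Policy Documents section and the "Including an IAM access policy with AssumeRole" section above. The two policy documents, the bucket ARNs, the role name and the evaluator itself are constructed for the demo: the evaluator is a deliberately small model of IAM's identity-policy logic (explicit Deny wins, then any matching Allow, otherwise implicit deny) and ignores Conditions, NotAction/NotResource, resource-based policies and permission boundaries. The point it demonstrates is that the effective permission of AssumeRole credentials is the intersection of the role's policy and the passed session policy, so a session policy can narrow but never widen what the role grants.

```python
"""Session-policy intersection for AssumeRole (added example, not from the notes)."""
import fnmatch
import json

# Constructed role policy: Allow s3:* on one bucket (the shape of the AWS managed
# S3 full-access policy, scoped to a single bucket) plus an explicit Deny.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Constructed session policy passed in the AssumeRole request. It narrows S3 to
# read-only and also tries to grant EC2, which the role never had.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"]},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_insensitive=False):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one.
    # Action names compare case-insensitively; ARNs are case-sensitive.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def policy_allows(policy, action, resource):
    """True if a single identity policy allows `action` on `resource`."""
    allowed = False
    for stmt in policy["Statement"]:
        hits_action = any(_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
        hits_resource = any(_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (hits_action and hits_resource):
            continue
        if stmt["Effect"] == "Deny":
            return False        # an explicit Deny overrides every Allow
        allowed = True
    return allowed              # no matching Allow -> implicit deny


def session_allows(role_policy, session_policy, action, resource):
    """Effective permission of the returned credentials: role policy AND session policy."""
    return (policy_allows(role_policy, action, resource)
            and policy_allows(session_policy, action, resource))


def duration_is_valid(duration_seconds, max_session_duration=3600):
    """AssumeRole accepts 900 s up to the role's MaxSessionDuration (3600 s by default)."""
    return 900 <= duration_seconds <= max_session_duration


def assume_role_request(role_arn, session_name, session_policy, duration_seconds=900):
    """Build the keyword arguments for boto3's sts.assume_role(**kwargs)."""
    if not duration_is_valid(duration_seconds):
        raise ValueError(f"DurationSeconds {duration_seconds} outside the allowed range")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "Policy": json.dumps(session_policy),   # the session policy travels as a JSON string
        "DurationSeconds": duration_seconds,
    }


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/2019/q1.csv"
    checks = [("s3:GetObject", obj), ("s3:PutObject", obj),
              ("ec2:DescribeInstances", "*"),
              ("s3:DeleteBucket", "arn:aws:s3:::example-reports")]
    for action, res in checks:
        print(f"{action:<22} role={policy_allows(ROLE_POLICY, action, res)!s:<5} "
              f"session={policy_allows(SESSION_POLICY, action, res)!s:<5} "
              f"effective={session_allows(ROLE_POLICY, SESSION_POLICY, action, res)}")
    # Hypothetical role ARN; pass the result to boto3.client("sts").assume_role(**kwargs).
    kwargs = assume_role_request("arn:aws:iam::123456789012:role/ReportsReader",
                                 "audit-run", SESSION_POLICY)
    print(kwargs["RoleSessionName"], kwargs["DurationSeconds"])
```

Running it shows s3:GetObject allowed by both policies, s3:PutObject cut off by the session policy, ec2:DescribeInstances allowed by the session policy but refused because the role never had it, and s3:DeleteBucket refused by the role's explicit Deny regardless of what the session asks for.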
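The identity broker flow from the Federation steps above (LDAP first, THEN STS), as an added example that is not part of the original notes and not an AWS or A Cloud Guru implementation. Everything in it is constructed for the demo: the in-memory directory stands in for an LDAP simple bind plus group lookup, GROUP_TO_ROLE is a hypothetical mapping of directory groups to role ARNs, and the STS client is injected so the flow runs offline (with boto3 you would pass boto3.client("sts"), whose assume_role() takes the same keyword arguments used here). What it shows is the ordering the notes insist on: nothing reaches STS unless the directory has accepted the credentials and the user maps to a role.

```python
"""Identity broker: authenticate against the directory first, then call STS (added example)."""
import datetime
import hashlib
import hmac

_SALT = b"demo-salt-0001"          # constructed; a real directory does its own hashing


def _hash(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed stand-in for the LDAP directory: password hash plus group DNs per user.
DIRECTORY = {
    "alice": {"pw": _hash("correct horse"),
              "groups": ["cn=aws-reports-readers,ou=groups,dc=example,dc=com"]},
    "bob":   {"pw": _hash("hunter2"),
              "groups": ["cn=staff,ou=groups,dc=example,dc=com"]},
}

# Hypothetical mapping from directory group to the IAM role the broker may hand out.
GROUP_TO_ROLE = {
    "cn=aws-reports-readers,ou=groups,dc=example,dc=com":
        "arn:aws:iam::123456789012:role/ReportsReader",
}


class AuthError(Exception):
    pass


def ldap_bind(username, password):
    """Stand-in for an LDAP simple bind: returns the user's group DNs or raises AuthError."""
    entry = DIRECTORY.get(username)
    candidate = _hash(password)              # hash even for unknown users: no timing oracle on usernames
    if entry is None or not hmac.compare_digest(candidate, entry["pw"]):
        raise AuthError("LDAP bind failed")
    return list(entry["groups"])


class FakeSTS:
    """Records AssumeRole calls and returns a response shaped like the real STS one."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        expiry = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(
            seconds=kwargs["DurationSeconds"])
        return {
            "Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "examplesecret",
                            "SessionToken": "exampletoken", "Expiration": expiry},
            "AssumedRoleUser": {"Arn": f"{kwargs['RoleArn']}/{kwargs['RoleSessionName']}"},
        }


def broker_login(username, password, sts, duration_seconds=900):
    """Step 1: LDAP. Step 2: only after LDAP succeeds and a role mapping exists, STS."""
    try:
        groups = ldap_bind(username, password)
    except AuthError as exc:
        return {"ok": False, "reason": str(exc)}     # STS is never contacted on this path
    roles = [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]
    if not roles:
        return {"ok": False, "reason": "authenticated but no AWS role mapped"}
    resp = sts.assume_role(
        RoleArn=roles[0],
        RoleSessionName=f"broker-{username}",   # ties the temporary credentials back to the directory user
        DurationSeconds=duration_seconds,       # 900 s up to the role's MaxSessionDuration
    )
    return {"ok": True, "role": roles[0], "credentials": resp["Credentials"]}


if __name__ == "__main__":
    sts = FakeSTS()
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"), ("bob", "hunter2"), ("eve", "x")]:
        result = broker_login(user, pw, sts)
        print(user, result["ok"], result.get("reason", result.get("role")))
    print("STS calls made:", len(sts.calls))
```

The session name is derived from the directory identity so CloudTrail entries for the temporary credentials can be traced back to a person; the same pattern applies if the broker is swapped to AssumeRoleWithSAML, where the SAML assertion replaces the LDAP bind as step 1.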