AWS IAM Best Practices

January 1, 2023 ~ Last updated on : January 2, 2023 ~ jayendrapatil ~ 10 Comments

AWS IAM Best Practices

AWS recommends the following AWS Identity and Access Management service – IAM Best Practices to secure AWS resources

Root Account – Don’t use & Lock away access keys

Do not use the AWS Root account which has full access to all the AWS resources and services including the Billing information.
Permissions associated with the AWS Root account cannot be restricted.
Do not generate the access keys, if not required
If already generated and not needed, delete the access keys.
If access keys are needed, rotate (change) the access key regularly
Never share the Root account credentials or access keys, instead create IAM users or Roles to grant granular access
Enable AWS multifactor authentication (MFA) on the AWS account

User – Create individual IAM users

Don’t use the AWS root account credentials to access AWS, and don’t share the credentials with anyone else.
Start by creating an IAM User with an Administrator role that has access to all resources as the Root except the account’s security credentials.
Create individual users for anyone who needs access to your AWS account and gives each user unique credentials and grant different permissions.

Groups – Use groups to assign permissions to IAM users

Instead of defining permissions for individual IAM users, create groups and define the relevant permissions for each group as per the job function, and then associate IAM users to those groups.
Users in an IAM group inherit the permissions assigned to the group and a User can belong to multiple groups
It is much easier to add new users, remove users and modify the permissions of a group of users.

Permission – Grant least privilege

IAM user, by default, is created with no permissions
Users should be granted LEAST PRIVILEGE as required to perform a task.
Starting with minimal permissions and adding to the permissions as required to perform the job function is far better than granting all access and trying to then tighten it down.

Passwords – Enforce strong password policy for users

Enforce users to create strong passwords and enforce them to rotate their passwords periodically.
Enable a strong password policy to define password requirements forcing users to create passwords with requirements like at least one capital letter, one number, and how frequently it should be rotated.

MFA – Enable MFA for privileged users

For extra security, Enable MultiFactor Authentication (MFA) for privileged IAM users, who are allowed access to sensitive resources or APIs.

Role – Use temporary credentials with IAM roles

Use roles for workloads instead of creating IAM user and hardcoding the credentials which can compromise the access and are also hard to rotate.
Roles have specific permissions and do not have a permanent set of credentials.
Roles provide a way to access AWS by relying on dynamically generated & automatically rotated temporary security credentials.
Roles associated with it but dynamically provide temporary credentials that are automatically rotated

Sharing – Delegate using roles

Allow users from same AWS account, another AWS account, or externally authenticated users (either through any corporate authentication service or through Google, Facebook etc) to use IAM roles to specify the permissions which can then be assumed by them
A role can be defined that specifies what permissions the IAM users in the other account are allowed, and from which AWS accounts the IAM users are allowed to assume the role

Rotation – Rotate credentials regularly

Change your own passwords and access keys regularly and enforce it through a strong password policy. So even if a password or access key is compromised without your knowledge, you limit how long the credentials can be used to access your resources
Access keys allows creation of 2 active keys at the same time for an user. These can be used to rotate the keys.

Track & Review – Remove unnecessary credentials

Remove IAM user and credentials (that is, passwords and access keys) that are not needed.
Use the IAM Credential report that lists all IAM users in the account and the status of their various credentials, including passwords, access keys, and MFA devices and usage patterns to figure out what can be removed
Passwords and access keys that have not been used recently might be good candidates for removal.

Conditions – Use policy conditions for extra security

Define conditions under which IAM policies allow access to a resource.
Conditions would help provide finer access control to the AWS services and resources for e.g. access limited to a specific IP range or allowing only encrypted requests for uploads to S3 buckets etc.

Auditing – Monitor activity in the AWS account

Enable logging features provided through CloudTrail, S3, CloudFront in AWS to determine the actions users have taken in the account and the resources that were used.
Log files show the time and date of actions, the source IP for an action, which actions failed due to inadequate permissions, and more.

Use IAM Access Analyzer

IAM Access Analyzer analyzes the services and actions that the IAM roles use, and then generates a least-privilege policy that you can use.
Access Analyzer helps preview and analyze public and cross-account access for supported resource types by reviewing the generated findings.
IAM Access Analyzer helps to validate the policies created to ensure that they adhere to the IAM policy language (JSON) and IAM best practices.

Use Permissions Boundaries

Use IAM Permissions Boundaries to delegate permissions management within an account
IAM permissions boundaries help set the maximum permissions that you delegate and that an identity-based policy can grant to an IAM role.
A permissions boundary does not grant permissions on its own.

AWS Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
1. Create individual IAM users for everyone in your organization (May not be needed as can use Roles as well)
2. Configure MFA on the root account and for privileged IAM users
3. Assign IAM users and groups configured with policies granting least privilege access
4. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate (Must be assigned only if using console or through command line)
What are the recommended best practices for IAM? (Choose 3 answers)
1. Grant least privilege
2. User the AWS account(root) for regular user
3. Use Mutli-Factor Authentication (MFA)
4. Store access key/private key in git
5. Rotate credentials regularly
Which of the below mentioned options is not a best practice to securely manage the AWS access credentials?
1. Enable MFA for privileged users
2. Create individual IAM users
3. Keep rotating your secure access credentials at regular intervals
4. Create strong access key and secret access key and attach to the root account
Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?
1. Use short but complex password on the root account and any administrators.
2. Use AWS IAM Geo-Lock and disallow anyone from logging in except for in your city.
3. Use MFA on all users and accounts, especially on the root account. (For increased security, it is recommend to configure MFA to help protect AWS resources)
4. Don’t write down or remember the root account password after creating the AWS account.
Fill the blanks: ____ helps us track AWS API calls and transitions, ____ helps to understand what resources we have now, and ____ allows auditing credentials and logins.
1. AWS Config, CloudTrail, IAM Credential Reports
2. CloudTrail, IAM Credential Reports, AWS Config
3. CloudTrail, AWS Config, IAM Credential Reports
4. AWS Config, IAM Credential Reports, CloudTrail

References

AWS IAM Roles vs Resource Based Policies

December 31, 2022 ~ Last updated on : January 2, 2023 ~ jayendrapatil ~ 5 Comments

AWS IAM Roles vs Resource-Based Policies

AWS allows granting cross-account access to AWS resources, which can be done using IAM Roles or Resource-Based Policies.

IAM Roles

Roles can be created to act as a proxy to allow users or services to access resources.
Roles support
- trust policy which helps determine who can access the resources and
- permission policy which helps to determine what they can access.
Users who assume a role temporarily give up their own permissions and instead take on the permissions of the role. The original user permissions are restored when the user exits or stops using the role.
Roles can be used to provide access to almost all the AWS resources.
Permissions provided to the User through the Role can be further restricted per user by passing an optional policy to the STS request. This policy cannot be used to elevate privileges beyond what the assumed role is allowed to access

Resource-based Policies

Resource-based policy allows you to attach a policy directly to the resource you want to share, instead of using a role as a proxy.
Resource-based policy specifies the Principal, in the form of a list of AWS account ID numbers, can access that resource and what they can access.
Using cross-account access with a resource-based policy, the User still works in the trusted account and does not have to give up their permissions in place of the role permissions.
Users can work on the resources from both accounts at the same time and this can be useful for scenarios e.g. copying objects from one bucket to the other bucket in a different AWS account.
Resources that you want to share are limited to resources that support resource-based policies
- S3 allows you to define Bucket policy to grant access to the bucket and the objects
- Simple Notification Service (SNS)
- Simple Queue Service (SQS)
- Glacier Vaults
- OpsWorks stacks
- Lambda functions
Resource-based policies need the trusted account to create users with permissions to be able to access the resources from the trusted account.
Only permissions equivalent to, or less than, the permissions granted to your account by the resource owning account can be delegated.

AWS Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

What are the two permission types used by AWS?
1. Resource-based and Product-based
2. Product-based and Service-based
3. Service-based
4. User-based and Resource-based
What’s the policy used for cross-account access? (Choose 2)
1. Trust policy
2. Permissions Policy
3. Key policy

References

AWS IAM Role

December 31, 2022 ~ Last updated on : July 21, 2023 ~ jayendrapatil ~ 34 Comments

AWS IAM Role

IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS.
IAM role is not intended to be uniquely associated with a particular user, group, or service and is intended to be assumable by anyone who needs it.
Role does not have any static credentials (password or access keys) associated with it and whoever assumes the role is provided with dynamic temporary credentials.
Role helps in access delegation to grant permissions to someone that allows access to resources that you control.
Roles can help to prevent accidental access to or modification of sensitive resources.
Modification of a Role can be done anytime and the changes are reflected across all the entities associated with the Role immediately.
IAM Role plays a very important role in the following scenarios
- Services like EC2 instances running an application that needs to access other AWS services.
- Cross-Account access – Allowing users from different AWS accounts to have access to AWS resources in a different account, instead of having to create users.
- Identity Providers & Federation
  - Company uses a Corporate Authentication mechanism and doesn’t want the User to authenticate twice or create duplicate users in AWS
  - Applications allowing login through external authentication mechanisms e.g. Amazon, Facebook, Google, etc
Role can be assumed by
- IAM user within the same AWS account
- IAM user from a different AWS account
- AWS services such as EC2, EMR to interact with other services
- An external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 or OpenID Connect (OIDC), or a custom-built identity broker.
Role involves defining two policies
- Trust policy
  - Trust policy defines – who can assume the role
  - Trust policy involves setting up a trust between the account that owns the resource (trusting account) and the account that owns the user that needs access to the resources (trusted account).
- Permissions policy
  - Permissions policy defines – what they can access
  - Permissions policy determines authorization, which grants the user of the role with the needed permissions to carry out the desired tasks on the resource
Federation is creating a trust relationship between an external Identity Provider (IdP) and AWS.
- Users can also sign in to an enterprise identity system that is compatible with SAML
- Users can sign in to a web identity provider, such as Login with Amazon, Facebook, Google, or any IdP that is compatible with OpenID connect (OIDC).
- When using OIDC and SAML 2.0 to configure a trust relationship between these external identity providers and AWS, the user is assigned to an IAM role and receives temporary credentials that enable the user to access AWS resources.
IAM Best Practice – Use roles for applications running on EC2 instances
IAM Best Practice – Delegate using roles instead of sharing credentials

AWS STS & Temporary Credentials

AWS Security Token Service – STS helps create and provide trusted users with temporary security credentials that control access to AWS resources
STS is a global service with a single endpoint https://sts.amazonaws.com
AWS STS API calls can be made either to a global endpoint or to one of the regional endpoints. Regional endpoint can help reduce latency and improve the performance of the API calls
Temporary Credentials are similar to long-term credentials except for
- are short-term and are regularly rotated.
- can be configured to last from a few minutes to several hours.
- do not have to be embedded or distributed.
- are not stored or attached to the User, but are generated dynamically and provided to the user as and when requested

AWS Service Roles

Some AWS services need to interact with other AWS services for e.g. EC2 interacting with S3, SQS, etc
Best practice is to assign these services with IAM roles instead of embedding or passing IAM user credentials directly into an instance, because distributing and rotating long-term credentials to multiple instances is challenging to manage and a potential security risk.
AWS automatically provides temporary security credentials for these services e.g. EC2 instance to use on behalf of its applications
Deleting a role or instance profile that is associated with a running EC2 instance will break any applications running on the instance

Complete Process Flow

Create an IAM role with services who would use it for e.g. EC2 as a trusted entity and define permission policies with the access the service needs
Associated a Role (actually an Instance profile) with the EC2 service when the instance is launched
Temporary security credentials are available on the instance and are automatically rotated before they expire so that a valid set is always available
Application can retrieve the temporary credentials either using the Instance metadata directly or through AWS SDK
Applications running on the EC2 instance can now use the permissions defined in the Role to access other AWS resources
Application, if caching the credentials, needs to make sure it uses the correct credentials before they expire

Instance Profile

An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
If a Role is created for EC2 instance or any other service that uses EC2 through AWS Management Console, AWS creates an Instance profile automatically with the same name as the Role. However, if the Role is created through CLI the instance profile needs to be created as well.
An instance profile can contain only one IAM role. However, a role can be included in multiple instance profiles.

Service-linked Roles

A service-linked role is a unique type of IAM role that is linked directly to an AWS service.
Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.

Cross-Account access Roles

IAM users can be granted permission to switch roles within the same AWS account or to roles defined in other AWS accounts that you own.
Roles can also be used to delegate permissions to IAM users from AWS accounts owned by Third parties
- You must explicitly grant the users permission to assume the role.
- Users must actively switch to the role using the AWS Management Console.
- Multi-factor authentication (MFA) protection can be enabled for the role so that only users who sign in with an MFA device can assume the role
However, only One set of permissions are applicable at a time. User who assumes a role temporarily gives up his or her own permissions and instead takes on the permissions of the role. When the user exits, or stops using the role, the original user permissions are restored.

Complete Process Flow

IAM Role - Cross Account Access

Trusting account creates an IAM Role with a
- Trust policy which defines the account (trusted account) as a principal who can access the resources and a
- Permissions policy to define what resources can the user in the trusted account access
Trusting account provides the Account ID and the Role name (or the ARN) to the trusted account
If the Trusting account is owned by Third Party it can optionally provide an External ID (recommended for additional security), required to uniquely identify the trusted account, which can be added to the trust policy as a condition
Trusted account creates an IAM user who has permission (Permission to call the AWS Security Token Service (AWS STS) AssumeRole API for the role) to assume the role/switch to the role.
IAM User in the Trusted account switches to the Role/assumes the role and passes the ARN of the role
Trusted account belonging to the Third party would also pass the External ID mapped to the Trusting account
AWS STS verifies the request for the role ARN, External ID if any and if it is from the trusted resource matching the roles’s trust policy and
AWS STS upon successful verification returns temporary credentials
Temporary credentials allow the user to access the resources of the Trusting account
When the user exits the role, the user’s permissions revert to the original permissions held before switching to the role

External ID and Confused Deputy Problem

External ID allows the user assuming the role to assert the circumstances in which they are operating.
External ID provides a way for the account owner to permit the role to be assumed only under specific circumstances and prevents an unauthorized customer from gaining access to your resources
Primary function of the external ID is to address and prevent the “confused deputy” problem.

Confused Deputy Problem

Example Corp’s AWS Account provides the services (access, analyze and process data and provide back reports) to multiple different AWS accounts.
Preferred mechanism is to have each AWS account customer define a Role that Example Corp’s AWS Account users can assume and act upon.
You provide Example Corp’s AWS Account access to your AWS account through Role and providing Role ARN.
Example Corp when working on your account assumes the IAM role and provides the ARN with the request.
As Example Corp is already trusted by your account it will receive the temporary security credentials and gain access to your resources.
If another AWS account is able to know or guess your ARN (Role with Account ID), it can provide the same to Example Corp.
Example Corp’s would use the ARN (belonging to your AWS account) to process the data but would provide the same data to the other AWS account.
This form of privilege escalation is known as the confused deputy problem

Address Confused Deputy Problem using External ID

Using External ID, Example Corp’s generates a unique External ID for each of its Customers which is known only to them and is kept secret.
Example Corp provides you with an External ID which needs to be added as a condition while defining the trust policy.
You provide Example Corp’s AWS Account access to your AWS account through Role and providing Role ARN.
Example Corp when working on your account uses the IAM role and provides the ARN along with the External ID and as it is already trusted would be able to gain access.
Other AWS accounts registered with Example Corp would have a Unique External ID assigned to them.
If the Other AWS account is able to know or guess your ARN (Role with Account ID), it can provide the same to Example Corp
Example Corp’s would request access to your Account using the ARN (belonging to your AWS account) but with the External ID belonging to Other AWS account as the request was made on its behalf.
As the External ID provided by Example Corp does not match the condition defined in the Role trust policy, the authentication would fail and hence denied access.

Identity Providers and Federation

Refer to My Blog Post about IAM Role – Identity Providers and Federation

AWS Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

A company is building software on AWS that requires access to various AWS services. Which configuration should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised?
1. Enable Multi-Factor Authentication for your AWS root account.
2. Assign an IAM role to the Amazon EC2 instance.
3. Store the AWS Access Key ID/Secret Access Key combination in software comments.
4. Assign an IAM user to the Amazon EC2 Instance.
A company is preparing to give AWS Management Console access to developers. Company policy mandates identity federation and role-based access control. Roles are currently assigned using groups in the corporate Active Directory. What combination of the following will give developers access to the AWS console? (Select 2) Choose 2 answers
1. AWS Directory Service AD Connector
2. AWS Directory Service Simple AD
3. AWS Identity and Access Management groups
4. AWS identity and Access Management roles
5. AWS identity and Access Management users
A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions. Which of the following options, when used together will support the autonomy/control of divisions while enabling corporate IT to maintain governance and cost oversight? Choose 2 answers
1. Use AWS Consolidated Billing and disable AWS root account access for the child accounts.
2. Enable IAM cross-account access for all corporate IT administrators in each child account. (Provides IT governance)
3. Create separate VPCs for each division within the corporate IT AWS account.
4. Use AWS Consolidated Billing to link the divisions’ accounts to a parent corporate account. (Will provide cost oversight)
5. Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account’s Amazon S3 ‘Log’ bucket.
Which of the following items are required to allow an application deployed on an EC2 instance to write data to a DynamoDB table? Assume that no security keys are allowed to be stored on the EC2 instance. (Choose 2 answers)
1. Create an IAM Role that allows write access to the DynamoDB table
2. Add an IAM Role to a running EC2 instance. (With latest enhancement from AWS, IAM role can be assigned to a running EC2 instance)
3. Create an IAM User that allows write access to the DynamoDB table.
4. Add an IAM User to a running EC2 instance.
5. Launch an EC2 Instance with the IAM Role included in the launch configuration (This was the correct answer before, as AWS did not allow IAM role to be added to an existing instance)
You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each accounts bill to a Master AWS account using Consolidated Billing. To make sure you Keep within budget you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal. [PROFESSIONAL]
1. Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
2. Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
3. Create IAM users in the Master account Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access
4. Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts
You have an application running on an EC2 Instance which will allow users to download flies from a private S3 bucket using a pre-assigned URL. Before generating the URL the application should verify the existence of the file in S3. How should the application use AWS credentials to access the S3 bucket securely? [PROFESSIONAL]
1. Use the AWS account access Keys the application retrieves the credentials from the source code of the application.
2. Create a IAM user for the application with permissions that allow list access to the S3 bucket launch the instance as the IAM user and retrieve the IAM user’s credentials from the EC2 instance user data.
3. Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role’s credentials from the EC2 Instance metadata
4. Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.
An administrator is using Amazon CloudFormation to deploy a three tier web application that consists of a web tier and application tier that will utilize Amazon DynamoDB for storage when creating the CloudFormation template which of the following would allow the application instance access to the DynamoDB tables without exposing API credentials? [PROFESSIONAL]
1. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and associate the Role to the application instances by referencing an instance profile.
2. Use the Parameter section in the Cloud Formation template to nave the user input Access and Secret Keys from an already created IAM user that has me permissions required to read and write from the required DynamoDB table.
3. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and reference the Role in the instance profile property of the application instance.
4. Create an identity and Access Management user in the CloudFormation template that has permissions to read and write from the required DynamoDB table, use the GetAtt function to retrieve the Access and secret keys and pass them to the application instance through user-data.
An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise’s account. The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions? [PROFESSIONAL]
1. From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
2. Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application create a new access and secret key for the user and provide these credentials to the SaaS provider.
3. Create an IAM role for cross-account access allows the SaaS provider’s account to assume the role and assign it a policy that allows only the actions required by the SaaS application.
4. Create an IAM role for EC2 instances, assign it a policy mat allows only the actions required tor the SaaS application to work, provide the role ARM to the SaaS provider to use when launching their application instances.
A user has created an application which will be hosted on EC2. The application makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK to connect with from the EC2 instance. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?
1. The user should attach an IAM role with DynamoDB access to the EC2 instance
2. The user should create an IAM user with DynamoDB access and use its credentials within the application to connect with DynamoDB
3. The user should create an IAM role, which has EC2 access so that it will allow deploying the application
4. The user should create an IAM user with DynamoDB and EC2 access. Attach the user with the application so that it does not use the root account credentials
A customer is in the process of deploying multiple applications to AWS that are owned and operated by different development teams. Each development team maintains the authorization of its users independently from other teams. The customer’s information security team would like to be able to delegate user authorization to the individual development teams but independently apply restrictions to the users permissions based on factors such as the users device and location. For example, the information security team would like to grant read-only permissions to a user who is defined by the development team as read/write whenever the user is authenticating from outside the corporate network. What steps can the information security team take to implement this capability? [PROFESSIONAL]
1. Operate an authentication service that generates AWS STS tokens with IAM policies from application-defined IAM roles. (no user separation, will just help generate temporary tokens)
2. Add additional IAM policies to the application IAM roles that deny user privileges based on information security policy. (Different policy with deny rules based on location, device and more restrictive wins)
3. Configure IAM policies that restrict modification of the application IAM roles only to the information security team. (Authorization should still be in developers control)
4. Enable federation with the internal LDAP directory and grant the application teams permissions to modify users.
You are creating an Auto Scaling group whose Instances need to insert a custom metric into CloudWatch. Which method would be the best way to authenticate your CloudWatch PUT request?
1. Create an IAM role with the Put MetricData permission and modify the Auto Scaling launch configuration to launch instances in that role
2. Create an IAM user with the PutMetricData permission and modify the Auto Scaling launch configuration to inject the users credentials into the instance User Data
3. Modify the appropriate Cloud Watch metric policies to allow the Put MetricData permission to instances from the Auto Scaling group
4. Create an IAM user with the PutMetricData permission and put the credentials in a private repository and have applications on the server pull the credentials as needed

References

AWS_IAM_Role

AWS IAM – Identity Access Management

December 31, 2022 ~ Last updated on : January 2, 2023 ~ jayendrapatil ~ 36 Comments

AWS IAM – Identity Access Management

AWS IAM – Identity and Access Management is a web service that helps you securely control access to AWS resources for your users.
IAM is used to control
- Identity – who can use your AWS resources (authentication)
- Access – what resources they can use and in what ways (authorization)
IAM can also keep the account credentials private.
With IAM, multiple users can be created under the umbrella of the AWS account or temporary access can be enabled through identity federation with the corporate directory or third-party providers.
IAM also enables access to resources across AWS accounts.

IAM Features

Shared access to your AWS account
- Grant other people permission to administer and use resources in your AWS account without having to share your password or access key.
Granular permissions
- Each user can be granted a different set of granular permissions as required to perform their job
Secure access to AWS resources for applications that run on EC2
- can help provide applications running on EC2 instance temporary credentials that they need in order to access other AWS resources
Identity federation
- allows users to access AWS resources, without requiring the user to have accounts with AWS, by providing temporary credentials for e.g. through corporate network or Google or Amazon authentication
Identity information for assurance
- CloudTrail can be used to receive log records that include information about those who made requests for resources in the account.
PCI DSS Compliance
- supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being Payment Card Industry Data Security Standard (PCI DSS) compliant
Integrated with many AWS services
- integrates with almost all the AWS services
Eventually Consistent
- is eventually consistent and achieves high availability by replicating data across multiple servers within Amazon’s data centers around the world.
- Changes made to IAM would be eventually consistent and hence would take some time to reflect
Free to use
- is offered at no additional charge and charges are applied only for use of other AWS products by your IAM users.
AWS Security Token Service
- provides STS which is an included feature of the AWS account offered at no additional charge.
- AWS charges only for the use of other AWS services accessed by the AWS STS temporary security credentials.

Identities

IAM identities determine who can access and help to provide authentication for people and processes in your AWS account

IAM Identities

Account Root User

Root Account Credentials are the email address and password with which you sign in to the AWS account.
Root Credentials has full unrestricted access to AWS account including the account security credentials which include sensitive information
IAM Best Practice – Do not use or share the Root account once the AWS account is created, instead create a separate user with admin privilege
An Administrator account can be created for all the activities which also have full access to the AWS account except for the accounts security credentials, billing information, and ability to change the password.

IAM Users

IAM user represents the person or service who uses the access to interact with AWS.
IAM Best Practice – Create Individual Users, do not share credentials.
User credentials can consist of the following
- Password to access AWS services through AWS Management Console
- Access Key/Secret Access Key to access AWS services through API, CLI, or SDK
A user starts with no permissions and is not authorized to perform any AWS actions on any AWS resources and should be granted permissions as per the job function requirement
IAM Best Practice – Grant Least Privilege
Each user is associated with one and only one AWS account.
A user cannot be renamed from the AWS management console and has to be done from CLI or SDK tools.
IAM handles the renaming of user w.r.t unique id, groups, and policies where the user was mentioned as a principal. However, you need to handle the renaming in the policies where the user was mentioned as a resource

IAM Groups

IAM group is a collection of IAM users
Groups can be used to specify permissions for a collection of users sharing the same job function making it easier to manage
IAM Best Practice – Use groups to assign permissions to IAM Users
A group is not truly an identity because it cannot be identified as a Principal in an access policy. It is only a way to attach policies to multiple users at one time
A group can have multiple users, while a user can belong to multiple groups (10 max)
Groups cannot be nested and can only have users within it
AWS does not provide any default group to hold all users in it and if one is required it should be created with all users assigned to it.
IAM handles the renaming of a group name or path w.r.t to policies attached to the group, unique ids, and users within the group. However, IAM does not update the policies where the group is mentioned as a resource and must be handled manually
Deletion of the groups requires you to detach users and managed policies and delete any inline policies before deleting the group. With the AWS management console, the deletion and detachment are taken care of.

IAM Roles

IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS.
IAM role is not intended to be uniquely associated with a particular user, group, or service and is intended to be assumable by anyone who needs it.
Role does not have any static credentials (password or access keys) associated with it and whoever assumes the role is provided with dynamic temporary credentials.
Role helps in access delegation to grant permissions to someone that allows access to resources that you control.
Roles can help to prevent accidental access to or modification of sensitive resources.
Modification of a Role can be done anytime and the changes are reflected across all the entities associated with the Role immediately.
IAM Role plays a very important role in the following scenarios
- Services like EC2 instances running an application that needs to access other AWS services.
- Cross-Account access – Allowing users from different AWS accounts to have access to AWS resources in a different account, instead of having to create users.
- Identity Providers & Federation
  - Company uses a Corporate Authentication mechanism and doesn’t want the User to authenticate twice or create duplicate users in AWS
  - Applications allowing login through external authentication mechanisms e.g. Amazon, Facebook, Google, etc
Role can be assumed by
- IAM user within the same AWS account
- IAM user from a different AWS account
- AWS services such as EC2, EMR to interact with other services
- An external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 or OpenID Connect (OIDC), or a custom-built identity broker.
Role involves defining two policies
- Trust policy
  - Trust policy defines – who can assume the role
  - Trust policy involves setting up a trust between the account that owns the resource (trusting account) and the account that owns the user that needs access to the resources (trusted account).
- Permissions policy
  - Permissions policy defines – what they can access
  - Permissions policy determines authorization, which grants the user of the role with the needed permissions to carry out the desired tasks on the resource
Federation is creating a trust relationship between an external Identity Provider (IdP) and AWS.
- Users can also sign in to an enterprise identity system that is compatible with SAML
- Users can sign in to a web identity provider, such as Login with Amazon, Facebook, Google, or any IdP that is compatible with OpenID connect (OIDC).
- When using OIDC and SAML 2.0 to configure a trust relationship between these external identity providers and AWS, the user is assigned to an IAM role and receives temporary credentials that enable the user to access AWS resources.
IAM Best Practice – Use roles for applications running on EC2 instances
IAM Best Practice – Delegate using roles instead of sharing credentials

Multi-Factor Authentication – MFA

For increased security and to help protect the AWS resources, Multi-Factor authentication can be configured
IAM Best Practice – Enable MFA on Root accounts and privilege users
Multi-Factor Authentication can be configured using
- Security token-based
  - AWS Root user or IAM user can be assigned a hardware/virtual MFA device
  - Device generates a six-digit numeric code based upon a time-synchronized one-time password algorithm which needs to be provided during authentication
- SMS text message-based (Preview Mode)
  - IAM user can be configured with the phone number of the user’s SMS-compatible mobile device which would receive a 6 digit code from AWS
  - SMS-based MFA is available only for IAM users and does not work for AWS root account
MFA needs to be enabled on the Root user and IAM user separately as they are distinct entities.
Enabling MFA on Root does not enable it for all other users
MFA devices can be associated with only one AWS account or IAM user and vice versa.
If the MFA device stops working or is lost, you won’t be able to login into the AWS console and would need to reach out to AWS support to deactivate MFA.
MFA protection can be enabled for service API’s calls using "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}} and is available only if the service supports temporary security credentials.

IAM Access Management

Refer Blog Post @ IAM Policy and Permissions

IAM Credential Report

IAM allows you to generate and download a credential report that lists all users in the account and the status of their various credentials, including passwords, access keys, and MFA devices.
Credential report can be used to assist in auditing and compliance efforts
Credential report can be used to audit the effects of credential lifecycle requirements, such as password and access key rotation.
IAM Best Practice – Perform Audits and Remove all unused users and credentials
Credential report is generated as often as once every four hours. If the existing report was generated in less than four hours, the same is available for download. If more than four hours, IAM generates and downloads a new report.

IAM Access Analyzer

IAM Access Analyzer helps
- identify resources in the organization and accounts that are shared with an external entity.
- validate IAM policies against policy grammar and best practices.
- generate IAM policies based on access activity in your CloudTrail logs.

AWS Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

Which service enables AWS customers to manage users and permissions in AWS?
1. AWS Access Control Service (ACS)
2. AWS Identity and Access Management (IAM)
3. AWS Identity Manager (AIM)
IAM provides several policy templates you can use to automatically assign permissions to the groups you create. The _____ policy template gives the Admins group permission to access all account resources, except your AWS account information
1. Read Only Access
2. Power User Access
3. AWS Cloud Formation Read Only Access
4. Administrator Access
Every user you create in the IAM system starts with _________.
1. Partial permissions
2. Full permissions
3. No permissions
Groups can’t _____.
1. be nested more than 3 levels
2. be nested at all
3. be nested more than 4 levels
4. be nested more than 2 levels
The _____ service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon SimpleDB, and the AWS Management Console.
1. Amazon RDS
2. AWS Integrity Management
3. AWS Identity and Access Management
4. Amazon EMR
An AWS customer is deploying an application that is composed of an AutoScaling group of EC2 Instances. The customers security policy requires that every outbound connection from these instances to any other service within the customers Virtual Private Cloud must be authenticated using a unique x.509 certificate that contains the specific instanceid. In addition an x.509 certificates must be designed by the customer’s Key management service in order to be trusted for authentication. Which of the following configurations will support these requirements?
1. Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure the Auto Scaling group to launch instances with this role. Have the instances bootstrap get the certificate from Amazon S3 upon first boot.
2. Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group. Have the launched instances generate a certificate signature request with the instance’s assigned instance-id to the Key management service for signature.
3. Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the Key management service generate a signed certificate and send it directly to the newly launched instance.
4. Configure the launched instances to generate a new certificate upon first boot. Have the Key management service poll the AutoScaling group for associated instances and send new instances a certificate signature that contains the specific instance-id.
When assessing an organization AWS use of AWS API access credentials which of the following three credentials should be evaluated? Choose 3 answers
1. Key pairs
2. Console passwords
3. Access keys
4. Signing certificates
5. Security Group memberships (required for EC2 instance access)
An organization has created 50 IAM users. The organization wants that each user can change their password but cannot change their access keys. How can the organization achieve this?
1. The organization has to create a special password policy and attach it to each user
2. The root account owner has to use CLI which forces each IAM user to change their password on first login
3. By default each IAM user can modify their passwords
4. Root account owner can set the policy from the IAM console under the password policy screen
An organization has created 50 IAM users. The organization has introduced a new policy which will change the access of an IAM user. How can the organization implement this effectively so that there is no need to apply the policy at the individual user level?
1. Use the IAM groups and add users as per their role to different groups and apply policy to group
2. The user can create a policy and apply it to multiple users in a single go with the AWS CLI
3. Add each user to the IAM role as per their organization role to achieve effective policy setup
4. Use the IAM role and implement access at the role level
Your organization’s security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password. Which two of the following options would allow an organization to enforce this policy for AWS users? Choose 2 answers
1. Configure multi-factor authentication for privileged IAM users
2. Create IAM users for privileged accounts (can set password policy)
3. Implement identity federation between your organization’s Identity provider leveraging the IAM Security Token Service
4. Enable the IAM single-use password policy option for privileged users (no such option the password expiration can be set from 1 to 1095 days)
Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
1. Create individual IAM users for everyone in your organization
2. Configure MFA on the root account and for privileged IAM users
3. Assign IAM users and groups configured with policies granting least privilege access
4. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate
A company needs to deploy services to an AWS region which they have not previously used. The company currently has an AWS identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instance to have access to Amazon DynamoDB. The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this?
1. Create a new IAM role and associated policies within the new region
2. Assign the existing IAM role to the Amazon EC2 instances in the new region
3. Copy the IAM role and associated policies to the new region and attach it to the instances
4. Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature
After creating a new IAM user which of the following must be done before they can successfully make API calls?
1. Add a password to the user.
2. Enable Multi-Factor Authentication for the user.
3. Assign a Password Policy to the user.
4. Create a set of Access Keys for the user
An organization is planning to create a user with IAM. They are trying to understand the limitations of IAM so that they can plan accordingly. Which of the below mentioned statements is not true with respect to the limitations of IAM?
1. One IAM user can be a part of a maximum of 5 groups (Refer link)
2. Organization can create 100 groups per AWS account
3. One AWS account can have a maximum of 5000 IAM users
4. One AWS account can have 250 roles
Within the IAM service a GROUP is regarded as a:
1. A collection of AWS accounts
2. It’s the group of EC2 machines that gain the permissions specified in the GROUP.
3. There’s no GROUP in IAM, but only USERS and RESOURCES.
4. A collection of users.
Is there a limit to the number of groups you can have?
1. Yes for all users except root
2. No
3. Yes unless special permission granted
4. Yes for all users
What is the default maximum number of MFA devices in use per AWS account (at the root account level)?
1. 1
2. 5
3. 15
4. 10
When you use the AWS Management Console to delete an IAM user, IAM also deletes any signing certificates and any access keys belonging to the user.
1. FALSE
2. This is configurable
3. TRUE
You are setting up a blog on AWS. In which of the following scenarios will you need AWS credentials? (Choose 3)
1. Sign in to the AWS management console to launch an Amazon EC2 instance
2. Sign in to the running instance to instance some software (needs ssh keys)
3. Launch an Amazon RDS instance
4. Log into your blog’s content management system to write a blog post (need to authenticate using blog authentication)
5. Post pictures to your blog on Amazon S3
An organization has 500 employees. The organization wants to set up AWS access for each department. Which of the below mentioned options is a possible solution?
1. Create IAM roles based on the permission and assign users to each role
2. Create IAM users and provide individual permission to each
3. Create IAM groups based on the permission and assign IAM users to the groups
4. It is not possible to manage more than 100 IAM users with AWS
An organization has hosted an application on the EC2 instances. There will be multiple users connecting to the instance for setup and configuration of application. The organization is planning to implement certain security best practices. Which of the below mentioned pointers will not help the organization achieve better security arrangement?
1. Apply the latest patch of OS and always keep it updated.
2. Allow only IAM users to connect with the EC2 instances with their own secret access key. (Refer link)
3. Disable the password-based login for all the users. All the users should use their own keys to connect with the instance securely.
4. Create a procedure to revoke the access rights of the individual user when they are not required to connect to EC2 instance anymore for the purpose of application configuration.

AWS IAM Access Management

December 3, 2022 ~ Last updated on : July 21, 2023 ~ jayendrapatil ~ 16 Comments

IAM Access Management

IAM Access Management is all about Permissions and Policies.
Permission help define who has access & what actions can they perform.
IAM Policy helps to fine-tune the permissions granted to the policy owner
IAM Policy is a document that formally states one or more permissions.
Most restrictive Policy always wins
IAM Policy is defined in the JSON (JavaScript Object Notation) format

IAM policy basically states “Principal A is allowed or denied (Effect) to perform Action B on Resource C given Conditions D are satisfied”

{
    "Version": "2012-10-17",
    "Statement": {
        "Principal": {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]},
        "Action": "s3:ListBucket",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::example_bucket",
        "Condition": {"StringLike": {
            "s3:prefix": [ "home/${aws:username}/" ]
               }
           }
     }
}

{

"Version": "2012-10-17",

"Statement": {

"Principal": {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]},

"Action": "s3:ListBucket",

"Effect": "Allow",

"Resource": "arn:aws:s3:::example_bucket",

"Condition": {"StringLike": {

"s3:prefix": [ "home/${aws:username}/" ]

}

An Entity can be associated with Multiple Policies and a Policy can have multiple statements where each statement in a policy refers to a single permission.
If the policy includes multiple statements, a logical OR is applied across the statements at evaluation time. Similarly, if multiple policies are applicable to a request, a logical OR is applied across the policies at evaluation time.
Principal can either be specified within the Policy for Resource based policies while for Identity based policies the principal is the user, group, or role to which the policy is attached.

Identity-Based vs Resource-Based Permissions

Identity-based, or IAM permissions

Identity-based or IAM permissions are attached to an IAM user, group, or role and specify what the user, group, or role can do.
User, group, or the role itself acts as a Principal.
IAM permissions can be applied to almost all the AWS services.
IAM Policies can either be inline or managed (AWS or Customer).
IAM Policy’s current version is 2012-10-17.

Resource-based permissions

Resource-based permissions are attached to a resource for e.g. S3, SNS
Resource-based permissions specify both who has access to the resource (Principal) and what actions they can perform on it (Actions)
Resource-based policies are inline only, not managed.
Resource-based permissions are supported only by some AWS services
Resource-based policies can be defined with version 2012-10-17 or 2008-10-17

Managed Policies and Inline Policies

Managed policies
- Managed policies are Standalone policies that can be attached to multiple users, groups, and roles in an AWS account.
- Managed policies apply only to identities (users, groups, and roles) but not to resources.
- Managed policies allow reusability
- Managed policy changes are implemented as versions (limited to 5), an new change to the existing policy creates a new version which is useful to compare the changes and revert back, if needed
- Managed policies have their own ARN
- Two types of managed policies:
  - AWS managed policies
    - Managed policies that are created and managed by AWS.
    - AWS maintains and can upgrades these policies for e.g. if a new service is introduced, the changes automatically effects all the existing principals attached to the policy
    - AWS takes care of not breaking the policies for e.g. adding an restriction of removal of permission
    - Managed policies cannot be modified
  - Customer managed policies
    - Managed policies are standalone and custom policies created and administered by you.
    - Customer managed policies allows more precise control over the policies than when using AWS managed policies.
Inline policies
- Inline policies are created and managed by you, and are embedded directly into a single user, group, or role.
- Deletion of the Entity (User, Group or Role) or Resource deletes the In-Line policy as well

ABAC – Attribute-Based Access Control

ABAC – Attribute-based access control is an authorization strategy that defines permissions based on attributes called tags.
ABAC policies can be designed to allow operations when the principal’s tag matches the resource tag.
ABAC is helpful in environments that are growing rapidly and help with situations where policy management becomes cumbersome.
ABAC policies are easier to manage as different policies for different job functions need not be created.
Complements RBAC for granular permissions, with RBAC allowing access to only specific resources and ABAC can allow actions on all resources, but only if the resource tag matches the principal’s tag.
ABAC can help use employee attributes from the corporate directory with federation where attributes are applied to their resulting principal.

IAM Permissions Boundaries

Permissions boundary allows using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.
Permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
Permissions boundary supports both the AWS-managed policy and the customer-managed policy to set the boundary for an IAM entity.
Permissions boundary can be applied to an IAM entity (user or role ) but is not supported for IAM Group.
Permissions boundary does not grant permissions on its own.

IAM Policy Simulator

IAM Policy Simulator helps test and troubleshoot IAM and resource-based policies
IAM Policy Simulator can help test the following ways:-
- Test IAM based policies. If multiple policies are attached, you can test all the policies or select individual policies to test. You can test which actions are allowed or denied by the selected policies for specific resources.
- Test Resource based policies. However, Resource-based policies cannot be tested standalone and have to be attached to the Resource
- Test new IAM policies that are not yet attached to a user, group, or role by typing or copying them into the simulator. These are used only in the simulation and are not saved.
- Test the policies with selected services, actions, and resources
- Simulate real-world scenarios by providing context keys, such as an IP address or date, that are included in Condition elements in the policies being tested.
- Identify which specific statement in a policy results in allowing or denying access to a particular resource or action.
IAM Policy Simulator does not make an actual AWS service request and hence does not make unwanted changes to the AWS live environment
IAM Policy Simulator just reports the result Allowed or Denied
IAM Policy Simulator allows to you modify the policy and test. These changes are not propagated to the actual policies attached to the entities
Introductory Video for Policy Simulator

IAM Policy Evaluation

When determining if permission is allowed, the hierarchy is followed

Decision allows starts with Deny.
IAM combines and evaluates all the policies.
Explicit Deny
- First IAM checks for an explicit denial policy.
- Explicit Deny overrides everything and if something is explicitly denied it can never be allowed.
Explicit Allow
- If one does not exist, it then checks for an explicit allow policy.
- For granting the User any permission, the permission must be explicitly allowed
Implicit Deny
- If neither an explicit deny nor explicit allow policy exists, it reverts to the default: implicit deny.
- All permissions are implicity denied by default

IAM Policy Variables

Policy variables provide a feature to specify placeholders in a policy.
When the policy is evaluated, the policy variables are replaced with values that come from the request itself
Policy variables allow a single policy to be applied to a group of users to control access for e.g. all user having access to S3 bucket folder with their name only
Policy variable is marked using a $ prefix followed by a pair of curly braces ({ }). Inside the ${ } characters, with the name of the value from the request that you want to use in the policy
Policy variables work only with policies defined with Version 2012-10-17
Policy variables can only be used in the Resource element and in string comparisons in the Condition element
Policy variables are case sensitive and include variables like aws:username, aws:userid, aws:SourceIp, aws:CurrentTime etc.

AWS Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

IAM’s Policy Evaluation Logic always starts with a default ____________ for every request, except for those that use the AWS account’s root security credentials b
1. Permit
2. Deny
3. Cancel
An organization has created 10 IAM users. The organization wants each of the IAM users to have access to a separate DynamoDB table. All the users are added to the same group and the organization wants to setup a group level policy for this. How can the organization achieve this?
1. Define the group policy and add a condition which allows the access based on the IAM name
2. Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable
3. Create a separate DynamoDB database for each user and configure a policy in the group based on the DB variable
4. It is not possible to have a group level policy which allows different IAM users to different DynamoDB Tables
An organization has setup multiple IAM users. The organization wants that each IAM user accesses the IAM console only within the organization and not from outside. How can it achieve this?
1. Create an IAM policy with the security group and use that security group for AWS console login
2. Create an IAM policy with a condition which denies access when the IP address range is not from the organization
3. Configure the EC2 instance security group which allows traffic only from the organization’s IP range
4. Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console
Can I attach more than one policy to a particular entity?
1. Yes always
2. Only if within GovCloud
3. No
4. Only if within VPC
A __________ is a document that provides a formal statement of one or more permissions.
1. policy
2. permission
3. Role
4. resource
A __________ is the concept of allowing (or disallowing) an entity such as a user, group, or role some type of access to one or more resources.
1. user
2. AWS Account
3. resource
4. permission
True or False: When using IAM to control access to your RDS resources, the key names that can be used are case sensitive. For example, aws:CurrentTime is NOT equivalent to AWS:currenttime.
1. TRUE
2. FALSE (Refer link)
A user has set an IAM policy where it allows all requests if a request from IP 10.10.10.1/32. Another policy allows all the requests between 5 PM to 7 PM. What will happen when a user is requesting access from IP 10.10.10.1/32 at 6 PM?
1. IAM will throw an error for policy conflict
2. It is not possible to set a policy based on the time or IP
3. It will deny access
4. It will allow access
Which of the following are correct statements with policy evaluation logic in AWS Identity and Access Management? Choose 2 answers.
1. By default, all requests are denied
2. An explicit allow overrides an explicit deny
3. An explicit allow overrides default deny
4. An explicit deny does not override an explicit allow
5. By default, all request are allowed
A web design company currently runs several FTP servers that their 250 customers use to upload and download large graphic files. They wish to move this system to AWS to make it more scalable, but they wish to maintain customer privacy and keep costs to a minimum. What AWS architecture would you recommend? [PROFESSIONAL]
1. Ask their customers to use an S3 client instead of an FTP client. Create a single S3 bucket. Create an IAM user for each customer. Put the IAM Users in a Group that has an IAM policy that permits access to subdirectories within the bucket via use of the ‘username’ Policy variable.
2. Create a single S3 bucket with Reduced Redundancy Storage turned on and ask their customers to use an S3 client instead of an FTP client. Create a bucket for each customer with a Bucket Policy that permits access only to that one customer. (Creating bucket for each user is not a scalable model, also 100 buckets are a limit earlier without extending which has since changed link)
3. Create an auto-scaling group of FTP servers with a scaling policy to automatically scale-in when minimum network traffic on the auto-scaling group is below a given threshold. Load a central list of ftp users from S3 as part of the user Data startup script on each Instance (Expensive)
4. Create a single S3 bucket with Requester Pays turned on and ask their customers to use an S3 client instead of an FTP client. Create a bucket tor each customer with a Bucket Policy that permits access only to that one customer. (Creating bucket for each user is not a scalable model, also 100 buckets are a limit earlier without extending which has since changed link)

AWS Identity Services Cheat Sheet

October 6, 2022 ~ Last updated on : February 22, 2023 ~ jayendrapatil

AWS Identity Services Cheat Sheet

AWS Identity and Security Services

IAM – Identity & Access Management

securely control access to AWS services and resources
helps create and manage user identities and grant permissions for those users to access AWS resources
helps create groups for multiple users with similar permissions
not appropriate for application authentication
is Global and does not need to be migrated to a different region
helps define Policies,
- in JSON format
- all permissions are implicitly denied by default
- most restrictive policy wins
IAM Role
- helps grants and delegate access to users and services without the need of creating permanent credentials
- IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls
- needs Trust policy to define who and Permission policy to define what the user or service can access
- used with Security Token Service (STS), a lightweight web service that provides temporary, limited privilege credentials for IAM users or for authenticated federated users
- IAM role scenarios
  - Service access for e.g. EC2 to access S3 or DynamoDB
  - Cross Account access for users
    - with user within the same account
    - with user within an AWS account owned the same owner
    - with user from a Third Party AWS account with External ID for enhanced security
  - Identity Providers & Federation
    - AssumeRoleWithWebIdentity – Web Identity Federation, where the user can be authenticated using external authentication Identity providers like Amazon, Google or any OpenId IdP
    - AssumeRoleWithSAML – Identity Provider using SAML 2.0, where the user can be authenticated using on premises Active Directory, Open Ldap or any SAML 2.0 compliant IdP
    - AssumeRole (recommended) or GetFederationToken – For other Identity Providers, use Identity Broker to authenticate and provide temporary Credentials
IAM Best Practices
- Do not use Root account for anything other than billing
- Create Individual IAM users
- Use groups to assign permissions to IAM users
- Grant least privilege
- Use IAM roles for applications on EC2
- Delegate using roles instead of sharing credentials
- Rotate credentials regularly
- Use Policy conditions for increased granularity
- Use CloudTrail to keep a history of activity
- Enforce a strong IAM password policy for IAM users
- Remove all unused users and credentials

AWS Organizations

is an account management service that enables consolidating multiple AWS accounts into an organization that can be centrally managed.
include consolidated billing and account management capabilities that enable one to better meet the budgetary, security, and compliance needs of your business.
As an administrator of an organization, new accounts can be created in an organization and invite existing accounts to join the organization.
enables you to
- Automate AWS account creation and management, and provision resources with AWS CloudFormation Stacksets.
- Maintain a secure environment with policies and management of AWS security services
- Govern access to AWS services, resources, and regions
- Centrally manage policies across multiple AWS accounts
- Audit your environment for compliance
- View and manage costs with consolidated billing
- Configure AWS services across multiple accounts
supports Service Control Policies – SCPs
offer central control over the maximum available permissions for all of the accounts in your organization, ensuring member accounts stay within the organization’s access control guidelines.
are one type of policy that help manage the organization.
are available only in an organization that has all features enabled, and aren’t available if the organization has enabled only the consolidated billing features.
are NOT sufficient for granting access to the accounts in the organization.
defines a guardrail for what actions accounts within the organization root or OU can do, but IAM policies need to be attached to the users and roles in the organization’s accounts to grant permissions to them.
Effective permissions are the logical intersection between what is allowed by the SCP and what is allowed by the IAM and resource-based policies.
with an SCP attached to member accounts, identity-based and resource-based policies grant permissions to entities only if those policies and the SCP allow the action
don’t affect users or roles in the management account. They affect only the member accounts in your organization.

AWS Directory Services

gives applications in AWS access to Active Directory services
different from SAML + AD, where the access is granted to AWS services through Temporary Credentials
Simple AD
- least expensive but does not support Microsoft AD advanced features
- provides a Samba 4 Microsoft Active Directory compatible standalone directory service on AWS
- No single point of Authentication or Authorization, as a separate copy is maintained
- trust relationships cannot be setup between Simple AD and other Active Directory domains
- Don’t use it, if the requirement is to leverage access and control through centralized authentication service
AD Connector
- acts just as an hosted proxy service for instances in AWS to connect to on-premises Active Directory
- enables consistent enforcement of existing security policies, such as password expiration, password history, and account lockouts, whether users are accessing resources on-premises or in the AWS cloud
- needs VPN connectivity (or Direct Connect)
- integrates with existing RADIUS-based MFA solutions to enabled multi-factor authentication
- does not cache data which might lead to latency
Read-only Domain Controllers (RODCs)
- works out as a Read-only Active Directory
- holds a copy of the Active Directory Domain Service (AD DS) database and respond to authentication requests
- they cannot be written to and are typically deployed in locations where physical security cannot be guaranteed
- helps maintain a single point to authentication & authorization controls, however needs to be synced
Writable Domain Controllers
- are expensive to setup
- operate in a multi-master model; changes can be made on any writable server in the forest, and those changes are replicated to servers throughout the entire forest

AWS Single Sign-On SSO

is a cloud-based single sign-on (SSO) service that makes it easy to centrally manage SSO access to all of the AWS accounts and cloud applications.
helps manage access and permissions to commonly used third-party software as a service (SaaS) applications, AWS SSO-integrated applications as well as custom applications that support SAML 2.0.
includes a user portal where the end-users can find and access all their assigned AWS accounts, cloud applications, and custom applications in one place.

Amazon Cognito

Amazon Cognito provides authentication, authorization, and user management for the web and mobile apps.
Users can sign in directly with a username and password, or through a third party such as Facebook, Amazon, Google, or Apple.
Cognito has two main components.
- User pools are user directories that provide sign-up and sign-in options for the app users.
- Identity pools enable you to grant the users access to other AWS services.
Cognito Sync helps synchronize data across a user’s devices so that their app experience remains consistent when they switch between devices or upgrade to a new device.

IAM Role – Identity Providers and Federation

January 1, 2022 ~ Last updated on : January 2, 2023 ~ jayendrapatil ~ 29 Comments

IAM Role – Identity Providers and Federation

Identity Provider can be used to grant external user identity permissions to AWS resources without having to be created within your AWS account.
External user identities can be authenticated either through the organization’s authentication system or through a well-known identity provider such as Amazon, Google, etc.
Identity providers help keep the AWS account secure without having the need to distribute or embed long-term in the application
To use an IdP, an IAM identity provider entity can be created to establish a trust relationship between the AWS account and the IdP.
IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0)

Web Identity Federation without Cognito

IAM Web Identity Federation

Mobile or Web Application needs to be configured with the IdP which gives each application a unique ID or client ID (also called audience)
Create an Identity Provider entity for OIDC compatible IdP in IAM.
Create an IAM role and define the
1. Trust policy – specify the IdP (like Amazon) as the Principal (the trusted entity), and include a Condition that matches the IdP assigned app ID
2. Permission policy – specify the permissions the application can assume
Application calls the sign-in interface for the IdP to login
IdP authenticates the user and returns an authentication token (OAuth access token or OIDC ID token) with information about the user to the application
Application then makes an unsigned call to the STS service with the AssumeRoleWithWebIdentity action to request temporary security credentials.
Application passes the IdP’s authentication token along with the Amazon Resource Name (ARN) for the IAM role created for that IdP.
AWS verifies that the token is trusted and valid and if so, returns temporary security credentials (access key, secret access key, session token, expiry time) to the application that has the permissions for the role that you name in the request.
STS response also includes metadata about the user from the IdP, such as the unique user ID that the IdP associates with the user.
Application makes signed requests to AWS using the Temporary credentials
User ID information from the identity provider can distinguish users in the app for e.g., objects can be put into S3 folders that include the user ID as prefixes or suffixes. This lets you create access control policies that lock the folder so only the user with that ID can access it.
Application can cache the temporary security credentials and refresh them before their expiry accordingly. Temporary credentials, by default, are good for an hour.

Interactive Website provides a very good way to understand the flow

Mobile or Web Identity Federation with Cognito

Amazon Cognito as the identity broker is a recommended for almost all web identity federation scenarios
Cognito is easy to use and provides additional capabilities like anonymous (unauthenticated) access
Cognito supports anonymous users, MFA and also helps synchronizing user data across devices and providers

Web Identify Federation using Cognito

SAML 2.0-based Federation

AWS supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0), an open standard used by many identity providers (IdPs).
SAML 2.0 based federation feature enables federated single sign-on (SSO), so users can log into the AWS Management Console or call the AWS APIs without having to create an IAM user for everyone in the organization
SAML helps simplify the process of configuring federation with AWS by using the IdP’s service instead of writing custom identity proxy code.
This is useful in organizations that have integrated their identity systems (such as Windows Active Directory or OpenLDAP) with software that can produce SAML assertions to provide information about user identity and permissions (such as Active Directory Federation Services or Shibboleth)

SAML based Federation

Create a SAML provider entity in AWS using the SAML metadata document provided by the Organizations IdP to establish a “trust” between your AWS account and the IdP
SAML metadata document includes the issuer name, a creation date, an expiration date, and keys that AWS can use to validate authentication responses (assertions) from your organization.
Create IAM roles which define
1. Trust policy with the SAML provider as the principal, which establishes a trust relationship between the organization and AWS
2. Permission policy establishes what users from the organization are allowed to do in AWS
SAML trust is completed by configuring the Organization’s IdP with information about AWS and the role(s) that you want the federated users to use. This is referred to as configuring relying party trust between your IdP and AWS
Application calls the sign-in interface for the Organization IdP to login
IdP authenticates the user and generates a SAML authentication response which includes assertions that identify the user and include attributes about the user
Application then makes an unsigned call to the STS service with the AssumeRoleWithSAML action to request temporary security credentials.
Application passes the ARN of the SAML provider, the ARN of the role to assume, the SAML assertion about the current user returned by IdP, and the time for which the credentials should be valid. An optional IAM Policy parameter can be provided to further restrict the permissions to the user
AWS verifies that the SAML assertion is trusted and valid and if so, returns temporary security credentials (access key, secret access key, session token, expiry time) to the application that has the permissions for the role named in the request.
STS response also includes metadata about the user from the IdP, such as the unique user ID that the IdP associates with the user.
Using the Temporary credentials, the application makes signed requests to AWS to access the services
Application can cache the temporary security credentials and refresh them before their expiry accordingly. Temporary credentials, by default, are good for an hour.

AWS SSO with SAML

SAML 2.0 based federation can also be used to grant access to the federated users to the AWS Management console.
This requires the use of the AWS SSO endpoint instead of directly calling the AssumeRoleWithSAML API.
The endpoint calls the API for the user and returns a URL that automatically redirects the user’s browser to the AWS Management Console.

SAML based SSO to AWS Console

User browses the organization’s portal and selects the option to go to the AWS Management Console.
Portal performs the function of the identity provider (IdP) that handles the exchange of trust between the organization and AWS.
Portal verifies the user’s identity in the organization.
Portal generates a SAML authentication response that includes assertions that identify the user and include attributes about the user.
Portal sends this response to the client browser.
Client browser is redirected to the AWS SSO endpoint and posts the SAML assertion.
AWS SSO endpoint handles the call for the AssumeRoleWithSAML API action on the user’s behalf and requests temporary security credentials from STS and creates a console sign-in URL that uses those credentials.
AWS sends the sign-in URL back to the client as a redirect.
Client browser is redirected to the AWS Management Console. If the SAML authentication response includes attributes that map to multiple IAM roles, the user is first prompted to select the role to use for access to the console.

Custom Identity Broker Federation

Custom Identity broker Federation

If the Organization doesn’t support SAML-compatible IdP, a Custom Identity Broker can be used to provide the access.
Custom Identity Broker should perform the following steps
- Verify that the user is authenticated by the local identity system.
- Call the AWS STS AssumeRole (recommended) or GetFederationToken (by default, has an expiration period of 36 hours) APIs to obtain temporary security credentials for the user.
- Temporary credentials limit the permissions a user has to the AWS resource
- Call an AWS federation endpoint and supply the temporary security credentials to get a sign-in token.
- Construct a URL for the console that includes the token.
- URL that the federation endpoint provides is valid for 15 minutes after it is created.
- Give the URL to the user or invoke the URL on the user’s behalf.

AWS Certification Exam Practice Questions

Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).

AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.

AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated

Open to further feedback, discussion and correction.

A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations?
1. SAML-based Identity Federation
2. Cross-Account Access
3. AWS IAM users
4. Web Identity Federation
Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service?
1. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
2. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP
3. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials. (Refer Link)
4. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
5. Use the LDAP credentials to restrict a group of users from launching specific EC2 instance types.
You are designing a photo sharing mobile app the application will store all pictures in a single Amazon S3 bucket. Users will upload pictures from their mobile device directly to Amazon S3 and will be able to view and download their own pictures directly from Amazon S3. You want to configure security to handle potentially millions of users in the most secure manner possible. What should your server-side application do when a new user registers on the photo-sharing mobile application? [PROFESSIONAL]
1. Create a set of long-term credentials using AWS Security Token Service with appropriate permissions Store these credentials in the mobile app and use them to access Amazon S3.
2. Record the user’s Information in Amazon RDS and create a role in IAM with appropriate permissions. When the user uses their mobile app create temporary credentials using the AWS Security Token Service ‘AssumeRole’ function. Store these credentials in the mobile app’s memory and use them to access Amazon S3. Generate new credentials the next time the user runs the mobile app.
3. Record the user’s Information in Amazon DynamoDB. When the user uses their mobile app create temporary credentials using AWS Security Token Service with appropriate permissions. Store these credentials in the mobile app’s memory and use them to access Amazon S3 Generate new credentials the next time the user runs the mobile app.
4. Create IAM user. Assign appropriate permissions to the IAM user Generate an access key and secret key for the IAM user, store them in the mobile app and use these credentials to access Amazon S3.
5. Create an IAM user. Update the bucket policy with appropriate permissions for the IAM user Generate an access Key and secret Key for the IAM user, store them In the mobile app and use these credentials to access Amazon S3.
Your company has recently extended its datacenter into a VPC on AWS to add burst computing capacity as needed Members of your Network Operations Center need to be able to go to the AWS Management Console and administer Amazon EC2 instances as necessary. You don’t want to create new IAM users for each NOC member and make those users sign in again to the AWS Management Console. Which option below will meet the needs for your NOC members? [PROFESSIONAL]
1. Use OAuth 2.0 to retrieve temporary AWS security credentials to enable your NOC members to sign in to the AWS Management Console.
2. Use Web Identity Federation to retrieve AWS temporary security credentials to enable your NOC members to sign in to the AWS Management Console.
3. Use your on-premises SAML 2.O-compliant identity provider (IDP) to grant the NOC members federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint.
4. Use your on-premises SAML 2.0-compliant identity provider (IDP) to retrieve temporary security credentials to enable NOC members to sign in to the AWS Management Console
A corporate web application is deployed within an Amazon Virtual Private Cloud (VPC) and is connected to the corporate data center via an iPsec VPN. The application must authenticate against the on-premises LDAP server. After authentication, each logged-in user can only access an Amazon Simple Storage Space (S3) keyspace specific to that user. Which two approaches can satisfy these objectives? (Choose 2 answers) [PROFESSIONAL]
1. Develop an identity broker that authenticates against IAM security Token service to assume a IAM role in order to get temporary AWS security credentials. The application calls the identity broker to get AWS temporary security credentials with access to the appropriate S3 bucket. (Needs to authenticate against LDAP and not IAM)
2. The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM role. The application can use the temporary credentials to access the appropriate S3 bucket. (Authenticates with LDAP and calls the AssumeRole)
3. Develop an identity broker that authenticates against LDAP and then calls IAM Security Token Service to get IAM federated user credentials The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket. (Custom Identity broker implementation, with authentication with LDAP and using federated token)
4. The application authenticates against LDAP the application then calls the AWS identity and Access Management (IAM) Security Token service to log in to IAM using the LDAP credentials the application can use the IAM temporary credentials to access the appropriate S3 bucket. (Can’t login to IAM using LDAP credentials)
5. The application authenticates against IAM Security Token Service using the LDAP credentials the application uses those temporary AWS security credentials to access the appropriate S3 bucket. (Need to authenticate with LDAP)
Company B is launching a new game app for mobile devices. Users will log into the game using their existing social media account to streamline data capture. Company B would like to directly save player data and scoring information from the mobile app to a DynamoDB table named Score Data When a user saves their game the progress data will be stored to the Game state S3 bucket. what is the best approach for storing data to DynamoDB and S3? [PROFESSIONAL]
1. Use an EC2 Instance that is launched with an EC2 role providing access to the Score Data DynamoDB table and the GameState S3 bucket that communicates with the mobile app via web services.
2. Use temporary security credentials that assume a role providing access to the Score Data DynamoDB table and the Game State S3 bucket using web identity federation
3. Use Login with Amazon allowing users to sign in with an Amazon account providing the mobile app with access to the Score Data DynamoDB table and the Game State S3 bucket.
4. Use an IAM user with access credentials assigned a role providing access to the Score Data DynamoDB table and the Game State S3 bucket for distribution with the mobile app.
A user has created a mobile application which makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK and root account access/secret access key to connect to DynamoDB from mobile. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?
1. User should create a separate IAM user for each mobile application and provide DynamoDB access with it
2. User should create an IAM role with DynamoDB and EC2 access. Attach the role with EC2 and route all calls from the mobile through EC2
3. The application should use an IAM role with web identity federation which validates calls to DynamoDB with identity providers, such as Google, Amazon, and Facebook
4. Create an IAM Role with DynamoDB access and attach it with the mobile application
You are managing the AWS account of a big organization. The organization has more than 1000+ employees and they want to provide access to the various services to most of the employees. Which of the below mentioned options is the best possible solution in this case?
1. The user should create a separate IAM user for each employee and provide access to them as per the policy
2. The user should create an IAM role and attach STS with the role. The user should attach that role to the EC2 instance and setup AWS authentication on that server
3. The user should create IAM groups as per the organization’s departments and add each user to the group for better access control
4. Attach an IAM role with the organization’s authentication service to authorize each user for various AWS services
Your fortune 500 company has under taken a TCO analysis evaluating the use of Amazon S3 versus acquiring more hardware The outcome was that all employees would be granted access to use Amazon S3 for storage of their personal documents. Which of the following will you need to consider so you can set up a solution that incorporates single sign-on from your corporate AD or LDAP directory and restricts access for each user to a designated user folder in a bucket? (Choose 3 Answers) [PROFESSIONAL]
1. Setting up a federation proxy or identity provider
2. Using AWS Security Token Service to generate temporary tokens
3. Tagging each folder in the bucket
4. Configuring IAM role
5. Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in the bucket
An AWS customer is deploying a web application that is composed of a front-end running on Amazon EC2 and of confidential data that is stored on Amazon S3. The customer security policy that all access operations to this sensitive data must be authenticated and authorized by a centralized access management system that is operated by a separate security team. In addition, the web application team that owns and administers the EC2 web front-end instances is prohibited from having any ability to access the data that circumvents this centralized access management system. Which of the following configurations will support these requirements? [PROFESSIONAL]
1. Encrypt the data on Amazon S3 using a CloudHSM that is operated by the separate security team. Configure the web application to integrate with the CloudHSM for decrypting approved data access operations for trusted end-users. (S3 doesn’t integrate directly with CloudHSM, also there is no centralized access management system control)
2. Configure the web application to authenticate end-users against the centralized access management system. Have the web application provision trusted users STS tokens entitling the download of approved data directly from Amazon S3 (Controlled access and admins cannot access the data as it needs authentication)
3. Have the separate security team create and IAM role that is entitled to access the data on Amazon S3. Have the web application team provision their instances with this role while denying their IAM users access to the data on Amazon S3 (Web team would have access to the data)
4. Configure the web application to authenticate end-users against the centralized access management system using SAML. Have the end-users authenticate to IAM using their SAML token and download the approved data directly from S3. (not the way SAML auth works and not sure if the centralized access management system is SAML complaint)
What is web identity federation?
1. Use of an identity provider like Google or Facebook to become an AWS IAM User.
2. Use of an identity provider like Google or Facebook to exchange for temporary AWS security credentials.
3. Use of AWS IAM User tokens to log in as a Google or Facebook user.
4. Use of AWS STS Tokens to log in as a Google or Facebook user.
Games-R-Us is launching a new game app for mobile devices. Users will log into the game using their existing Facebook account and the game will record player data and scoring information directly to a DynamoDB table. What is the most secure approach for signing requests to the DynamoDB API?
1. Create an IAM user with access credentials that are distributed with the mobile app to sign the requests
2. Distribute the AWS root account access credentials with the mobile app to sign the requests
3. Request temporary security credentials using web identity federation to sign the requests
4. Establish cross account access between the mobile app and the DynamoDB table to sign the requests
You are building a mobile app for consumers to post cat pictures online. You will be storing the images in AWS S3. You want to run the system very cheaply and simply. Which one of these options allows you to build a photo sharing application without needing to worry about scaling expensive uploads processes, authentication/authorization and so forth?
1. Build the application out using AWS Cognito and web identity federation to allow users to log in using Facebook or Google Accounts. Once they are logged in, the secret token passed to that user is used to directly access resources on AWS, like AWS S3. (Amazon Cognito is a superset of the functionality provided by web identity federation. Refer link)
2. Use JWT or SAML compliant systems to build authorization policies. Users log in with a username and password, and are given a token they can use indefinitely to make calls against the photo infrastructure.
3. Use AWS API Gateway with a constantly rotating API Key to allow access from the client-side. Construct a custom build of the SDK and include S3 access in it.
4. Create an AWS oAuth Service Domain ad grant public signup and access to the domain. During setup, add at least one major social media site as a trusted Identity Provider for users.
The Marketing Director in your company asked you to create a mobile app that lets users post sightings of good deeds known as random acts of kindness in 80-character summaries. You decided to write the application in JavaScript so that it would run on the broadest range of phones, browsers, and tablets. Your application should provide access to Amazon DynamoDB to store the good deed summaries. Initial testing of a prototype shows that there aren’t large spikes in usage. Which option provides the most cost-effective and scalable architecture for this application? [PROFESSIONAL]
1. Provide the JavaScript client with temporary credentials from the Security Token Service using a Token Vending Machine (TVM) on an EC2 instance to provide signed credentials mapped to an Amazon Identity and Access Management (IAM) user allowing DynamoDB puts and S3 gets. You serve your mobile application out of an S3 bucket enabled as a web site. Your client updates DynamoDB. (Single EC2 instance not a scalable architecture)
2. Register the application with a Web Identity Provider like Amazon, Google, or Facebook, create an IAM role for that provider, and set up permissions for the IAM role to allow S3 gets and DynamoDB puts. You serve your mobile application out of an S3 bucket enabled as a web site. Your client updates DynamoDB. (Can work with JavaScript SDK, is scalable and cost effective)
3. Provide the JavaScript client with temporary credentials from the Security Token Service using a Token Vending Machine (TVM) to provide signed credentials mapped to an IAM user allowing DynamoDB puts. You serve your mobile application out of Apache EC2 instances that are load-balanced and autoscaled. Your EC2 instances are configured with an IAM role that allows DynamoDB puts. Your server updates DynamoDB. (Is Scalable but Not cost effective)
4. Register the JavaScript application with a Web Identity Provider like Amazon, Google, or Facebook, create an IAM role for that provider, and set up permissions for the IAM role to allow DynamoDB puts. You serve your mobile application out of Apache EC2 instances that are load-balanced and autoscaled. Your EC2 instances are configured with an IAM role that allows DynamoDB puts. Your server updates DynamoDB. (Is Scalable but Not cost effective)

References

AWS IAM User Guide – Id Role Providers

AWS Identity & Security Services Cheat Sheet

February 9, 2017 ~ Last updated on : October 6, 2022 ~ jayendrapatil ~ 9 Comments

AWS Identity & Security Services Cheat Sheet

AWS Identity and Security Services