QUESTIONS AND ANSWERS
Document that formally states one or more permissions. By default everything is
denied (implicit deny). An explicit Deny overrides any Allow.
IAM Policy
IAM Policy Statements
3 Parts:
1) Effect - Allow or Deny
2) Action - What action is allowed or denied
3) Resource - What resource the allow or deny is applied to
IAM Users
Implicit deny (no permissions) when a new user is created
Can configure MFA on a per-user basis
IAM Roles
Something another entity can "assume"; the assuming entity acquires the specific
permissions defined by the role
Security Token Service (STS)
Grants users limited and temporary access to AWS resources.
Security Token Service (STS) get-session-token API call returns
3 components:
1) Security Token
2) Access Key ID
3) Secret Access Key
STS API Calls
AssumeRole
-Cross-account delegation and federation through custom identity broker
AssumeRoleWithWebIdentity
-Federation through web-based IdP
AssumeRoleWithSAML
-Federation through enterprise IdP compatible with SAML 2.0
GetFederationToken
-Federation through a custom IdP
GetSessionToken
-Temporary credentials for users in untrusted environments
STS Benefits
-No distributing or embedding long-term AWS credentials in app
-Grant access without having to create an IAM identity
-Since credentials are temporary, there is no need to rotate or revoke them
When to use STS
Identity Federation
-Enterprise identity federation and web-based federation (Google, Facebook, etc.)
Roles for cross-account access
Roles for services
IAM API Keys
-Required to make API calls
-Only available ONCE - when new user is created or when keys are reissued
-AWS will not regenerate the same set of keys
-API keys are associated with a user
-Roles do not have API keys
-Only able to see the Access Key ID, never the secret
-NEVER create or store API keys on an EC2 instance
Key Management Service (KMS)
Managed service to create and control the encryption keys used to encrypt your data
KMS Customer Master Keys (CMKs)
-Used to encrypt/decrypt up to 4 KB of data; CMKs are the primary resource in KMS
-CMKs generate, encrypt, decrypt data keys that you use outside of AWS KMS
-2 kinds: Customer-managed and AWS-managed
Customer-managed CMK
CMKs that you create, enable/disable, and rotate, and whose policies (which allow
access to use the CMK) you manage
AWS-managed CMK
-CMKs that are created, managed, and used by AWS services integrated with KMS
-Naming convention = aws/service-name, e.g. aws/s3
KMS Data Keys
-Keys for encrypting large amounts of data or other data encryption keys
-CMKs can generate, encrypt, and decrypt data keys
-AWS does not manage or store your data keys
-KMS cannot use data keys to encrypt data for you
KMS Envelope Encryption
-Plaintext data is encrypted with a data key
-Data keys are encrypted with a key encryption key (KEK)
-A KEK may itself be encrypted by another KEK, but eventually there is a master key
(the KMS CMK in this case) that decrypts one or more of those keys
KMS API Actions
-Encrypt = Encrypt plaintext using CMK
-GenerateDataKey = Uses a CMK to return a plaintext and ciphertext version of a data
encryption key
-Decrypt = Decrypts ciphertext that was encrypted with the Encrypt, GenerateDataKey,
or GenerateDataKeyWithoutPlaintext API actions
Amazon Cognito
-Single user identity and data synchronization service
-Helps manage and sync app data for users across their mobile devices
-Create unique identities for users through public login providers (Facebook, Google,
Amazon) and support unauthenticated guests
-Save any kind of data in the AWS cloud without writing any backend code or managing
infrastructure.
EC2 Instance Types
General Purpose
Compute Optimized
Memory Optimized
Accelerated Computing
Storage Optimized