Have you read the Blue/Green deployments whitepaper? (Link on back of card)
Should you use AWS Secret Access Keys?
NO! Always use IAM Roles. ROLES MAN!
What is an RCA when referring to reported issues in an application?
Root Cause Analysis - troubleshooting how the issue was caused, and what to do to resolve it
What is IAM?
Identitiy Access Management
What are the 9 features that IAM provides?
- Centralized control over your AWS account
- Shared access to your AWS account
- Granular Permissions
- Identity Federation (including Active Directory, Facebook, Linkedin…)
- MFA
- Temporary access for user/devices/services
- Allows you to establish a password rotation policy
- Integrated with many AWS services
- PCI DSS Compliant
What is the difference between Roles and Groups?
Roles are something that can be assigned to resources through which the calls can be made to other AWS resources, whereas groups need users who are the individual human users. roles avoids the need to create a user individually or assigned to a group. If user/group combination is used, the access key ID and secret access key are stored in a credentials file when you access AWS resource programatically. We can avoid this by instead creating a role which is a safer way.
A group is a container for user entities, and as such is not an entity itself. Since groups are not entities, you can not assign roles to them. You have to define policies explicitly on groups. Consider a situation where you want to use federated identity with your existing identity provider to authenticate users. In this case, you will not be using IAM users since your users are defined in your existing IdP (identity provider, i.e. Active Directory, Okta, etc). Since you are not using IAM users to allow access to the platform, you need a way to define what users who authenticate through your IdP can do on the AWS platform. You can’t use groups. This is where roles come in. With federated identity, you can authenticate against your existing IdP and have an IAM role assigned to that identity to give it access to the required AWS services.
What is the acronym for EC2 instance types?
FIGHTDRMCPX
F - FPGA (field programmable gate array), big data, genomics, realtime video processing, financial analysis
I - IOPS, noSQL, DBs, Data Warehouseing
G - Graphics, Video Encoding, 3D App Streaming
H - High Disk Thoroughput, MapReduce, HDFS
T - cheap general purpose (think T2 micro), Webservers, Small DBs
D - Density, Fileservers/Data Warehouse/Hadoop
R - RAM, Memory intensive apps/DBs
M - main choice for general purpose apps, app servers
C - Compute, CPU intensive Apps, DB/s
P - Graphics (pics), General Purpose GPU - Machine Learning, BitCoin Mining
X - Extreme Memory, SAP HANA, Apache Spark
What is an EC2 Spot instance type?
Allows you to bid whatever price you want for instance capacity, provising best savings if your apps have flexible start/end times.
What is an EC2 dedicated host?
Physical EC2 server for use if/when policy or legislation dictates that you cannot have multiple VM’s on a box (multi-tenant virtualization), AND you can use existing licenses with these if you have them.
How are you charged for partial usage of Spot Instances?
If Amazon terminates it (the price goes up past your bid amount) then you dont pay for the partial hour. BUUUT if you manually terminate the instance, then you are charged for the full house in which the instance ran.
What are the EC2 EBS volume types?
SSD
- GP2 - General purpose SSD, balance of price/performance, use if you need less than 10,000 IOPS
- IO1 - Provisioned IOPS SSD, used for I/O intense apps like large relational or noSQL DBs - can provision up to 20,000 IOPS per volume
MAGNETIC
- ST1 - Magnetic, Thoroughput Optomized HDD, big data, data warehouses, log processing, cannot be a boot volume
- SC1 - Magnetic, Cold HDD, lowest cost storage for infrequently accessed workloads, cannot be a boot volume Magnetic (Standard) - (LEGACY, not even shown by amazon in most of their comparison tables) - lowest cost per gig of all EBS types that is bootable, ideal for workloads where data access is infrequent, and apps that need low storage cost
Explain WIF and the process for mobile app authentication (3 steps), and how does this relate to Cognito?
Web Identity Federation - allows you to hook your apps up to AWS access (like Amazon, Facebook, and Google)
TLDR;
- A user authenticates with facebook first. They are then given an ID token by facebook.
- An API call called AssumeRoleWithWebIdentity is then used in conjunction with the ID token. A user is then granted temporary security credentials.
- the user can now access AWS resources
NOTE: With Cognito, it allows guest access and once the user authenticates, it can pass that data along to provide a seamless experience. It also allows syncing data across multiple devices. It is the recommended approach for Web ID Federation particularly for mobile apps.
—————————————-
The old WIF process is as follows:
- Authenticate with Identity Provider (Facebook):
This verifies the user’s identity, and generates an access token (ID token) with a userID and expiration - Obtain Temporary Security Credentials:
Make an AssumeRoleWithWebIdentity request with the ID token, a trust policy (JSON AWS policy), a providerID (graph.facebook.com), RoleArn (ARN role to assume), and the RoleSessionName (the role’s name). This will return a secret access key, access key id, and a session token. - Access AWS Resource:
Using the access key, id, and token, various AWS permissions (defined by the policy) can be performed - S3 bucket listing, S3 resource CRUD, etc.
Explain how Cognito works (user pool, and WIP)
Cognito uses User Pools to manage user sign-up and sign-in direcly or via Web Identity Providers.
Cognito acts as an Identity Broker, handling all interaction with Web Identity Providers.
Cognito uses Push Synchronization to send a silent push notification of user data updates to multiple device types associated with a user ID.
How can you verify a JWT with public key?
A JWT is:
HASH.SIGNATURE
HASH = BASE64({header, body})
SIGNATURE = ENCRYPT(HASH,private_key)
So to verify (since RSA public/private keys are complementary), we can simply decrypt the signature, which results in the original object HASH - which is the first part of the JWT; so we just compare the two which ensures the data hasn’t been tampered with!
Hooray!
What is an AWS Managed Policy?
A IAM policy managed by AWS for general use cases and cannot be changed by the user or administrator.
What is a Customer Managed Policy?
A standalone policy that you (admin) creates. You can copy an AWS Managed Policy and modify it, or create one from scratch.
What is an IAM Inline Policy?
An IAM policy that is embedded within a user, group, or role entity. If the entity is deleted, so is the associated policy. AWS usually recommends against using these in favor of managed policies, unless it’s required that the policy is absolutely required to only need to be applied to a single entity (usually a user).
Explain STS - What are the three steps and the response?
STS = Security Token Service
This is the old WIF (Web Identity Federation)!
- A user authenticates with facebook first. They are then given an ID token by facebook.
- An API call called AssumeRoleWithWebIdentity is then used in conjunction with the ID token. A user is then granted temporary security credentials.
* AssumedRoleUser (ARN) & AssumedRoleID - both are used to programmatically access the temporary credentials - the user can now access AWS resources
The old WIF process is as follows:
- Authenticate with Identity Provider (Facebook):
This verifies the user’s identity, and generates an access token (ID token) with a userID and expiration - Obtain Temporary Security Credentials:
Make an AssumeRoleWithWebIdentity request with the ID token, a trust policy (JSON AWS policy), a providerID (graph.facebook.com), RoleArn (ARN role to assume), and the RoleSessionName (the role’s name). This will return a secret access key, access key id, and a session token. - Access AWS Resource:
Using the access key, id, and token, various AWS permissions (defined by the policy) can be performed - S3 bucket listing, S3 resource CRUD, etc.
What is cross account access?
Many customers use separate AWS accounts for dev/prod environments, and to separate resources for security.
Cross account lets you switch between accounts seamlessly.
What are the steps to enable Cross-Account Access in IAM?
- Identify both dev and prod account numbers
- Create group and user in Dev account
- Log into prod
- Create read-write-app-bucket policy which allows access to a particular S3 bucket
- Create ProdS3BucketAccessRole cross account role (note: you actually specify the role as a Cross Account type role, and the Dev accountID!)
- Apply the policy to the role we just created
- Login to Dev
- Create an inline policy for the Dev group above referencing the “ProdS3BucketAccessRole”
- Login as John and Switch Role to ProdS3BucketAccessRole - will need to specify the prod account ID and role name, but it works!
TLDR: Create a CrossAccount type role on the prod account that the Dev account will attach to itself via an inline policy. This allows a user to login as their account, and switch roles which will grant them any attached policies.
What is the difference between a UserPool and and IdentityPool in Cognito?
https://serverless-stack.com/chapters/cognito-user-pool-vs-identity-pool.html
TLDR: the Cognito User Pool stores all your users which then plugs into your Cognito Identity Pool which can give your users access to your AWS services. The UserPool can be swapped out with any other popular Identity Provider like Facebook/Twitter/Google .
