# AWS Certified Solutions Architect - Associate (IAM)
###### tags: `AWS`
## Advanced IAM
### Active Directory
- On-premises directory service
- Hierarchical db of users, groups, computers - **trees** and **forests**
- Group policies
- LDAP and DNS
- Kerberos, LDAP, and NTLM authentication
- Highly available
### AWS Directory Service
- Family of managed services
- Connect AWS resources with on-premises AD
- Standalone directory in the cloud
- Use existing corporate credentials
- SSO to any domain-joined EC2 instance
### AWS Managed Microsoft AD
- AD domain controllers (DCs) running Windows Server
- Reachable by applications in your VPC
- Add DCs for HA and performance
- Exclusive access to DCs
- Extend existing AD to on-premises using **AD Trust**
### Management Scope (AWS vs. Customer)
| AWS | Customer |
| -------- | -------- |
| Multi-AZ deployment | Users, groups, GPOs |
| Patch, monitor, recover | Standard AD tools |
| Instance rotation | Scale out DCs |
| Snapshot and restore | Trusts (resource forest) |
| - | Certificate authorities (LDAPS) |
| - | Federation |
### Simple AD
- Standalone managed directory
- Basic AD features
- Small: <= 500 users; Large: <= 5,000 users
- Easier to manage EC2
- Linux workloads that need LDAP
- Does not support **trusts** (can't be joined to an on-premises AD); for that, use **AD Connector** instead
### AD Connector
- Directory gateway (proxy) for on-premises AD
- Avoid caching info in the cloud
- Allow on-premises users to log in to AWS using AD
- Join EC2 instances to your existing AD domain
- Scale across multiple AD Connectors
### Cloud Directory
- Directory-based store for developers
- Multiple hierarchies with hundreds of millions of objects
- Use cases: org charts, course catalogs, device registries
- Fully managed service
### Amazon Cognito User pools
- Managed user directory for SaaS applications
- Sign-up and sign-in for web or mobile
- Works with social media identities

### IAM policies
- ARNs all begin with `arn:partition:service:region:account_id`, e.g. `arn:aws-cn:s3:us-east-1:123456789012`
- And end with `resource_type/resource/qualifier`

> Notes:
> `::` -> field omitted, `*` -> wildcard
#### Features
- JSON document that defines permissions
- Identity policy
- Resource policy
- No effect until attached
- List of statements (each statement matches an AWS API request)

> Notes:
> Effect is either Allow or Deny
> Statements are matched based on their Action
> and the **Resource** the Action is against
Tips:
- Not explicitly allowed == implicitly denied
- Explicit deny > everything else
- Only attached policies have effect
- AWS joins all applicable policies
- AWS-managed vs. customer-managed
#### Permission Boundaries
- Used to delegate administration to other users
- Prevent privilege escalation or unnecessarily broad permissions
- Control maximum permissions an IAM policy can grant
- Use cases:
  - Developers creating roles for Lambda functions
  - Application owners creating roles for EC2 instances
  - Admins creating ad hoc users
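To see the evaluation rules above and the effect of a permission boundary in one place, here is an added Python model (example code, not from the page or from AWS): it joins the statements of every attached policy, applies "explicit deny beats everything" and "not explicitly allowed means implicitly denied", and then caps the outcome with the boundary. The policy documents, ARNs and account id are constructed sample values; NotAction, NotResource and Condition are left out.

```python
import fnmatch

# Constructed sample documents (not from the page). Two identity policies are
# attached to the same user; a permission boundary caps what they can grant.
IDENTITY_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ]},
]
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "lambda:*"], "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action, resource):
    # '*' is a wildcard in both Action and Resource; action names are case-insensitive.
    # Simplification: NotAction, NotResource and Condition are not modelled.
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(statement["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, r)
                      for r in _as_list(statement["Resource"]))
    return action_ok and resource_ok

def evaluate(policies, action, resource):
    """Join all statements of every policy: an explicit Deny is final,
    otherwise any matching Allow allows, otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

def is_allowed(action, resource, identity_policies=IDENTITY_POLICIES, boundary=BOUNDARY):
    """The identity policies AND the boundary must both allow; a deny anywhere is final."""
    if evaluate(identity_policies, action, resource) != "Allow":
        return False
    return boundary is None or evaluate([boundary], action, resource) == "Allow"
```

Calling `is_allowed("iam:PassRole", "arn:aws:iam::123456789012:role/app-role")` returns False even though an identity policy allows it, because the boundary never grants `iam:*`; with `boundary=None` the same call returns True.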
### AWS Resource Access Manager (RAM)
RAM allows **resource sharing** between accounts.

### AWS SSO
The SSO service helps centrally manage access to AWS accounts and business applications.

> Notes: SAML -> SSO