01 Accounts & Permissions Flashcards
Describe AWS Organisations.
AWS Organisations is a service that allows users to manage multiple AWS accounts in a hierarchical structure.
Define the management account in AWS Organisations.
The management account is the account that created the organisation and can invite other existing accounts to join.
How can existing accounts join an AWS Organisation?
Existing accounts can be invited to join an AWS Organisation, but they must agree to the invitation.
What are member accounts in AWS Organisations?
Member accounts are accounts that are part of an organisation, which can be either invited existing accounts or newly created accounts.
Describe the hierarchical structure of AWS Organisations.
The hierarchical structure includes an organisation root at the top level, with Organisation Units (OUs) as sub-groupings of accounts and other nested OUs.
Explain consolidated billing in AWS Organisations.
Consolidated billing allows charges from all member accounts to be billed to the management account, pooling reservations and volume discounts across the organisation.
What is the payer account in the context of AWS Organisations?
The payer account is another term for the management account, which handles the consolidated billing for all member accounts.
How does consolidated billing affect billing methods in AWS Organisations?
Consolidated billing overrides any billing methods that were added to accounts before they joined the organisation.
What is the best practice architectural pattern for accessing AWS accounts?
The best practice is to have a single AWS account for users to log into, using roles to perform actions in other accounts or to assume roles in those accounts.
Define Service Control Policies (SCPs) in AWS Organisations.
Service Control Policies (SCPs) are a feature that restricts what actions an account can perform within AWS Organisations.
How are Service Control Policies applied in AWS Organisations?
SCPs can be applied to the entire organisation, specific Organisation Units (OUs), or individual accounts, and they are enforced down the hierarchy.
Describe how Service Control Policies (SCPs) affect AWS accounts and organizational units (OUs).
Applying an SCP to an OU affects all accounts and nested OUs within that OU.
Do management accounts have restrictions imposed by SCPs?
Management accounts are not restricted by SCPs, but SCPs can still be applied to them.
Define the role of SCPs in relation to the root account of an AWS account.
SCPs are the only way to constrain the root account of an AWS account.
How can permissions be modeled in SCPs?
Permissions can be modeled as either a deny-list or an allow-list.
Explain the function of the managed FullAWSAccess SCP.
The FullAWSAccess SCP allows all actions; while it is attached, permissions are modelled as a deny list, because actions can then only be removed by explicitly denying them in other SCPs.
What happens when the FullAWSAccess SCP is removed?
Removing the FullAWSAccess SCP causes permissions to be modelled as an allow-list, meaning actions will only be possible if they are explicitly allowed.
Clarify the purpose of SCPs in AWS permissions management.
SCPs do not grant permissions to identities; they only constrain them.
How can you block actions outside a specific AWS region using a policy?
You can use a policy that denies actions based on the requested region, specifying conditions to restrict access.
Describe the function of the Security Token Service (STS) in AWS.
STS generates temporary credentials when the sts:AssumeRole call is made.
What components make up STS credentials?
STS credentials consist of AccessKeyID, Expiration, SecretAccessKey, and SessionToken.
How long do STS credentials typically last?
The duration of STS credentials defaults to 1 hour but can range from 15 minutes to 12 hours.
What is the role of the trust policy in an IAM role?
The trust policy of an IAM role controls who can assume it via an STS session.
Explain the significance of the SessionToken in STS credentials.
The SessionToken is a unique token that must be included in every request made with STS credentials.
What does the identity’s ownership of credentials imply in AWS?
The identity does not own its credentials; they are temporary and managed by AWS.
Describe the ownership of access keys in IAM roles.
In IAM roles, the access key and secret key are owned by the role itself.
Define an inline policy in the context of STS.
An inline policy is used to restrict permissions to be a subset of the role’s permissions.
How do temporary credentials relate to IAM roles by default?
By default, temporary credentials have the same permissions as the IAM role.
Explain how sessions can be requested in AWS.
Sessions can be requested either by an AWS identity, such as an AWS role, or by an external identity, such as one federated via SAML.
What happens if temporary credentials leak?
If temporary credentials leak, an inline policy can be added to the role with an explicit deny, conditioned on token issue time, for all sessions created before the current time.
Describe the condition statement used to revoke leaked credentials.
The condition statement to revoke leaked credentials is: "DateLessThan": {"aws:TokenIssueTime": "2014-05-07T23:47:00Z"}.
How can you implement a condition statement in IAM?
A condition statement can be implemented via a button in the IAM Console.
Define permission boundaries in AWS IAM.
Permission boundaries are used to constrain the permissions an identity can use, preventing users from creating users with higher privileges.
Explain the relationship between resource policies and permission boundaries.
Resource policies are not affected by permission boundaries.
What is the purpose of Resource Access Manager (RAM) in AWS?
Resource Access Manager (RAM) allows supported resources in one account to be shared with another account.
Describe how resources are shared using RAM.
Resources are shared with a principal, which can be an organization, organizational unit (OU), or specific account.
How are shared resources displayed in AWS?
Shared resources are visible in the AWS Console.
What is notable about availability zone names in AWS accounts?
Availability zone names are rotated between accounts.
Describe the importance of consistent naming when sharing resources.
Consistent naming, such as using availability zone IDs (e.g. use1-az2), helps in organizing and identifying resources effectively when sharing.
Define the role of the owner account in resource sharing.
The owner account creates the resource share and retains full ownership of it, ensuring control over the shared resources.
How must resource shares be accepted in a cross-account sharing scenario?
Resource shares must be accepted by the receiver unless the organization is configured to automatically share resources.
Explain the requirements for cross-account access.
Cross-account access requires an ‘Allow’ permission from Account A (e.g. an identity policy) and an ‘Allow’ permission from Account B (e.g. a resource policy).