01-AWS Basics Flashcards
At its core, what is an account?
A container for both identities (users, roles, groups) and AWS resources.
What is required for each new AWS account?
Unique email address & payment method.
What is an AWS account root user?
The identity created along with the account. It has full access to the account and every resource in it, and that access cannot be restricted with IAM permission policies.
How do you secure the root account?
Enable MFA on it, and do not use it for day-to-day work; create IAM identities for that instead.
What invoice model does AWS use?
Pay as you go: you only pay for the resources you actually consume.
What service can be used for creating additional identities?
Identity and Access Management (IAM)
What access do identities other than root start out with?
None. They have no access. You must explicitly grant permissions to each identity.
How can AWS accounts act as a security boundary?
By creating different accounts for development, testing, production environments as well as accounts for different teams.
What types of identities does IAM allow the creation of?
Users, Roles, and Groups
How is access handled in AWS accounts by default?
All access is denied unless explicitly granted.
What are authentication factors?
Pieces of evidence used to prove your identity.
What is single factor authentication?
One factor for authentication (e.g., your password)
What is multi-factor authentication?
Two or more factors (e.g., your password plus a code from an MFA device).
What are 4 common authentication factors?
Knowledge (something you know, like a password), Possession (something you have, like an MFA device), Inherence (something you are: a fingerprint or face scan), Location (physical or network location).
What types of MFA device does AWS support?
Virtual MFA devices (authenticator apps), FIDO security keys, and hardware TOTP tokens such as a key fob.
How many authentication factors does AWS require by default?
One (single-factor: password only) until you enable MFA for the identity.
Why is MFA a critical security feature for an AWS account?
It requires both something you know (password) and something you have (MFA device).
What practice should you follow when providing access to necessary resources?
The practice of least privilege access where you only grant the permissions required to perform the task.
What does IAM do?
Allows you to control who has access to your account and what they can do.
Do all of your AWS accounts share one instance of IAM, or does each have its own?
Each account has its own dedicated instance of IAM.
How resilient is IAM?
It is globally resilient: IAM data is replicated across all AWS regions, and the service keeps working if any single region fails.
Does IAM have any restrictions?
IAM can grant almost any permission in your account, but a few tasks are reserved for the root user, such as certain billing and account settings and closing the account.
What identity objects can you create in IAM?
IAM users, IAM Groups, and IAM Roles
What are IAM users?
These typically represent humans or applications that need access to your AWS account or AWS resources.
What are IAM Groups?
These are collections of related IAM users.
What are IAM roles?
Identities that are assumed temporarily rather than logged into. They are used by AWS services, by users federated from an external identity provider, and to grant principals in other accounts access to your account.
What are IAM Policies?
JSON documents that state which actions on which resources are allowed or denied. They are typically attached to IAM users, groups, or roles.
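The two cards above ("all access is denied unless explicitly granted" and "policies allow or deny") describe one evaluation rule: start from an implicit deny, let any matching Allow grant access, and let a matching explicit Deny override everything. The following is an added example written for this page, not AWS code; it parses a constructed policy document in the real JSON format and applies that rule, including IAM's `*`/`?` wildcards, case-insensitive action names, and the `NotAction`/`NotResource` forms. It deliberately models identity-based policies within one account only: `Condition` blocks, permission boundaries, service control policies, resource policies and session policies are left out. The bucket name and ARNs are constructed.

```python
import json
import re


def _as_list(value):
    """IAM accepts a single string (or one Statement object) where a list is allowed."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern: str, value: str, fold_case: bool) -> bool:
    """IAM wildcards: '*' matches any sequence, '?' matches one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if fold_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _element_matches(statement: dict, key: str, value: str, fold_case: bool) -> bool:
    """Resolve an Action/NotAction or Resource/NotResource pair against one value."""
    if key in statement:
        return any(_matches(p, value, fold_case) for p in _as_list(statement[key]))
    not_key = "Not" + key
    if not_key in statement:
        return not any(_matches(p, value, fold_case) for p in _as_list(statement[not_key]))
    return False  # identity policies must name a Resource or NotResource


def evaluate(policies, action: str, resource: str) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one action on one resource.
    Deny always wins; with no matching statement at all the answer stays ImplicitDeny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for st in _as_list(policy.get("Statement")):
            # action names are case-insensitive, ARNs are case-sensitive
            if not (_element_matches(st, "Action", action, True)
                    and _element_matches(st, "Resource", resource, False)):
                continue
            if st.get("Effect") == "Deny":
                return "ExplicitDeny"
            if st.get("Effect") == "Allow":
                decision = "Allow"
    return decision


# Constructed sample policy: read a log bucket, but never touch its secrets/ prefix.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadLogs",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::corp-logs", "arn:aws:s3:::corp-logs/*"]
    },
    {
      "Sid": "NeverTouchSecrets",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::corp-logs/secrets/*"
    }
  ]
}
"""
POLICIES = [json.loads(POLICY_JSON)]


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::corp-logs/2024/app.log"),
                     ("s3:GetObject", "arn:aws:s3:::corp-logs/secrets/db.pem"),
                     ("s3:PutObject", "arn:aws:s3:::corp-logs/2024/app.log")]:
        print(f"{act} on {res}: {evaluate(POLICIES, act, res)}")
```

The Deny statement is the pattern to notice: even though `ReadLogs` allows `s3:GetObject` on everything under `corp-logs/`, the narrower Deny still wins for the `secrets/` prefix, which is why explicit Deny is the right tool for guardrails and why an empty policy set yields no access at all.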
At a high level, what are the three main responsibilities of IAM?
Identity Provider (IdP): lets you create, modify, and delete identities. Authentication: challenges identities to prove they are who they claim to be, typically with a username and password (plus MFA) or access keys. Authorization: decides whether an authenticated identity is allowed or denied access to a resource, based on the policies attached to it.
How much does IAM cost?
It is free. There are no costs for creating users, groups, or roles; you pay only for the AWS resources those identities use.
Is IAM a global, region, or AZ based service?
It is a global service, meaning it is resilient across AWS regions.
What identities in your account does IAM support?
Only local identities (users, groups, roles). External identities, such as users from a corporate directory or a web identity provider, are never created in IAM; they federate in by assuming IAM roles.
Does IAM support Identity Federation and MFA?
Yes: external identities can federate in through IAM roles, and MFA can be enabled for IAM users and the root user.
What are IAM access keys?
Long-term credentials available within AWS and used by IAM users.
What are access keys typically used for?
Programmatic access: the AWS CLI, SDKs, and direct API calls, rather than the console.
Why are access keys called long-term credentials?
Because they do not regularly change or rotate automatically.
How many sets of access keys can one IAM user have?
Zero, one, or two (at most two at any time).
What is the structure of an access key?
Access Key ID - the public part; Secret Access Key - the private part.
How many times can you download your access keys?
Just once. You can view the Access Key ID at any time, but the Secret Access Key is shown or downloadable only once, immediately after creation.
How do access keys work?
The Access Key ID acts like a username and the Secret Access Key like a password: the ID identifies the caller, and the secret is used to sign each request.
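"Like a password" is worth making precise: the Secret Access Key is never transmitted to AWS. The client derives a per-day, per-region, per-service signing key from it and signs each request; only the Access Key ID, the scope and the signature travel in the Authorization header, so a captured request reveals which identity sent it but not the secret. The following is an added example written for this page, not the AWS SDK's code, implementing the published Signature Version 4 steps for a simple S3 GET with a payload-hash header; it omits extra headers, session tokens and query-string presigning. The access key pair is the placeholder pair AWS uses in its own documentation, not a real credential, and the host and path are constructed.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_access_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation chain. The secret enters only here, prefixed with 'AWS4';
    every later step uses a derived key, so the secret itself never signs anything directly."""
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(access_key_id: str, secret_access_key: str, method: str, host: str, path: str,
                 query: dict, body: bytes, region: str, service: str, amz_date: str) -> dict:
    """Return the request headers, including Authorization, for one signed request.
    amz_date is ISO 8601 basic format, e.g. '20130524T000000Z'."""
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(body).hexdigest()

    # 1. Canonical request: normalised method, URI, sorted query, sorted headers, payload hash.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in sorted(headers.items()))
    signed_headers = ";".join(sorted(headers))
    canonical_request = "\n".join([
        method, quote(path, safe="/-_.~"), canonical_query,
        canonical_headers, signed_headers, payload_hash,
    ])

    # 2. String to sign binds the request hash to a date/region/service scope.
    credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, credential_scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])

    # 3. Signature = HMAC(derived signing key, string to sign). Only the key ID is sent.
    signing_key = derive_signing_key(secret_access_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"{ALGORITHM} Credential={access_key_id}/{credential_scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def extract_signature(headers: dict) -> str:
    """Pull the hex signature back out of an Authorization header."""
    return headers["authorization"].rsplit("Signature=", 1)[1]


if __name__ == "__main__":
    # AWS documentation placeholder credentials, not a real key pair.
    signed = sign_request("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                          "GET", "examplebucket.s3.amazonaws.com", "/test.txt", {}, b"",
                          "us-east-1", "s3", "20130524T000000Z")
    for name, value in signed.items():
        print(f"{name}: {value}")
```

Two consequences follow from the structure: the signature covers the date, so a captured request cannot be replayed days later, and the signing key is scoped to one region and service, so even a leaked derived key is far less useful than the secret. Neither protects you if the secret itself leaks, which is why the cards that follow are about storing and rotating it.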
What happens if someone obtains your access keys?
They can act as your IAM user with all of its permissions. It is crucial to store access keys securely and never to commit them to source code.
What management features do IAM users have over their access keys?
Create, Delete, Make Access Keys active or inactive
What state are access keys in, by default?
They are active.
What should you do if you misplace the Secret Access Key or suspect that your access keys were leaked?
Delete it (a lost secret cannot be recovered) and create a new one from the console.
What should you do after replacing your access key(s)?
Update your CLI config and any services using those keys.
Why can IAM users have 2 sets of Access Keys?
So they can rotate them without downtime: create a new set, update it everywhere the old set is used, then delete the old set. This is called rotating access keys.
Who can use Access Keys?
IAM users and the root user. IAM roles cannot use them; roles receive short-term credentials instead.