Advanced IAM Flashcards
IAM policies and S3 bucket policies
Union of both is evaluated
Types of policies
- AWS managed policy - maintained by AWS; defines common job functions such as power users and admins
- customer managed policy - can be applied to many principals; version controlled
- inline policy - strict one-to-one relationship between policy and principal
- an inline policy is deleted if its IAM principal is deleted
granting permissions to pass a role to a service
AWS Organizations Service Control Policy (SCP)
Use an AWS Organizations Service Control Policy (SCP) to define the maximum permissions for member accounts of an organization or organizational unit (OU). SCPs limit the permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions themselves.
Permissions boundary
Permissions boundary is a managed policy that is used for an IAM entity (user or role). The policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions.
ACLs
Use ACLs to control which principals in other accounts can access the resource to which the ACL is attached. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure. ACLs are cross-account permissions policies that grant permissions to the specified principal.
resource-based policy
e.g. bucket policy, IAM role trust policy
Specifies a principal and permissions. The principal can be cross-account.
trust policy
The trust policy defines which principals can assume the role, and under which conditions. A trust policy is a specific type of resource-based policy for IAM roles.
IAM Access Analyzer
AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk.
You can set the scope for the analyzer to an organization or an AWS account. This is your zone of trust. The analyzer scans all of the supported resources within your zone of trust. When Access Analyzer finds a policy that allows access to a resource from outside of your zone of trust, it generates an active finding.
Access Advisor feature on IAM console
Reports on usage of IAM entities only. To help identify unused roles, IAM reports the last-used timestamp, which represents when a role was last used to make an AWS request. Your security team can use this information to identify, analyze, and then confidently remove unused roles. This helps improve the security posture of your AWS environments. It does not provide information about non-IAM entities such as S3.
IAM cert manager
IAM is used as a certificate manager only when you must support HTTPS connections in a Region that is not supported by ACM.
Access to billing dashboard with non-root users
By default, IAM users do not have access to the AWS Billing and Cost Management console. You or your account administrator must grant users access. You can do this by activating IAM user access to the Billing and Cost Management console and attaching an IAM policy to your users. Then, you need to activate IAM user access for IAM policies to take effect. You only need to activate IAM user access once.
CloudFront key pairs can only be created by
the root user.
AWS recommends that you use trusted key groups with signed URLs and signed cookies instead of using CloudFront key pairs.
IAM user access keys
Access keys consist of two parts: an access key ID and a secret access key. You use access keys to sign programmatic requests that you make to AWS, whether through AWS CLI commands, the SDKs, or direct AWS API operations. IAM users can create their own access keys; root access is not needed.