Advanced IAM Flashcards
What does ARN stand for?
Amazon Resource Name
What is the component syntax of an ARN?
- All ARNs begin with
**arn:partition:service:region:account\_id:
**- If not applicable, section is empty (so you can see
::
)
- If not applicable, section is empty (so you can see
- And end with a resource
- resource
- resource_type/resource
- resource_type/resource/qualifier
- resource_type/resource:qualifier
- resource_type:resource
- resource_type:resource:qualifier
What are the major differences between the two types of IAM Policies?
-
Identity Policies
- attached to an IAM user, group, or role
- specify what an identity can do
-
Resource policies
- attached to a resource
- specify who can do what to the resource
Do IAM policies take effect upon creation?
No. An IAM Policy has no effect until it is attached to a resource or role.
What is the basic format of an IAM policy document?
- Version # (YYYY-MM-DD)
- List of statements, each individual statement enclosed in {}
- Each statement matches an AWS API Request
- Each statement has an Effect, either allow or deny
- Each statement has A list of Actions with the effect, of the form
*servicename:ActionName
* - Each statement has a Resource the Action is against (in ARN form)
- Idea: (Allow/Deny) Resource to do Actions
What is an AWS API Request?
Any action you can perform against AWS
If an IAM policy does not explicitly allow an API action, might it still be implicitly allowed?
No
If an action is not explicitly allowed, it is implicitly denied
In general, how does AWS reconcile multiple attached policies to the same user or resource?
AWS joins all applicable policies
Suppose your IAM user has 2 policies, one of which explicitly denies access to all S3 buckets, the other of which explicitly allows access to a specific S3 bucket. Will this user be allowed to access to the specific S3 bucket?
No
An explicit deny overrides anything else in any other policy
What is the purpose of AWS Permission Boundaries?
- The idea is to prevent priviledge escalation or unnecessarily overbroad permissions
- Controls maximum permissions an IAM policy can grant
What are some use cases for AWS Permission Boundaries?
- Developers creating roles for Lambda functions
- Application owners creating roles for EC2 instances
- Administrators creating ad hoc users
In the context of IAM, what does RAM stand for?
Resource Access Manager
What is the general use case of AWS Resource Access Management?
- Resource Sharing between accounts
- can be between individual accounts or within accounts in AWS Organizations
Which AWS Resources can I share using AWS Resource Access Management?
- App Mesh
- Aurora
- CodeBuild
- EC2
- EC2 Image Builder
- License Manager
- Resource Groups
- Route53
What does SSO stand for?
Single Sign-On
What does SAML stand for?
Security Assertion Markup Language