AIM Basics Flashcards

Question

**How to Enable MFA with a hardware TOTTP Token?**

Answer 1

1. IAM Dashboard Conolse > Users > [user] > Security Credentials > Assign MFA device 2. Specify MFA device name 3. MFA device type > `Hardware TOTP token` 4. Enter the Key Fob serial number 5. Enter MFA Code 1 6. Wait 30 seconds 7. Enter MFA Code 2

Answer 2

* 6-digit numeric code based on `time-based one-time password (TOTP)` algorithm * Key Fob provided by `Thales / Gemalto` (3rd Party) * `AWS GovCloud (US)` Key Fob MFA Device is provided by `SurePassID`(3rd Party)

Answer 3

`YES`. AWS allows you to use the same U2F security key with several root and IAM users across multiple accounts.

Answer 4

`NO`. The MFA device or mobile phone number associated to virtual, hardware, and SMS MFA is bound to an individual AWS identity (IAM user or root account).

Answer 5

Each user can have a `maximum of 8 MFA devices assigned`.

Answer 6

MFA-enabled IAM users must call `aws sts get-session-token` API with their MFA code to create a temporary session: ``` aws sts get-session-token \ --serial-number arn-of-the-mfa-device \ --token-code code-from-token \ --duration-seconds 3600 ``` Output: { "Credentials": { "SecretAccessKey": "secret-access-key", "SessionToken": "temporary-session-token", "Expiration": "expiration-date-time", "AccessKeyId": "access-key-id" } }

Answer 7

* Use the CLI command: `aws iam create-virtual-mfa-device` aws iam create-virtual-mfa-device \ --virtual-mfa-device-name BobsMFADevice \ --outfile C:/QRCode.png \ --bootstrap-method QRCodePNG Output: { "VirtualMFADevice": { "SerialNumber": "arn:aws:iam::210987654321:mfa/BobsMFADevice" } }

Answer 8

* Use `CreateVirtualMFADevice` to make an API call ``` https://iam.amazonaws.com/? Action=CreateVirtualMFADevice &VirtualMFADeviceName=ExampleName &Version=2010-05-08 &AUTHPARAMS ``` * Response information: - XML format - Base32 string seed - Device serial number - QR Code PNG image - Metadata with RequestId

Answer 9

* Use the CLI command: `aws iam enable-mfa-device` aws iam enable-mfa-device \ --user-name Bob \ --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice --authentication-code1 123455 \ --authentication-code2 789012 \ * Output: None

Answer 10

* Use `EnableMFADevice` to make an API call ``` https://iam.amazonaws.com/? Action=EnableMFADevice &UserName=Bob &SerialNumber=R1234 &AuthenticationCode1=234567 &AuthenticationCode2=987654 &Version=2010-05-08 &AUTHPARAMS ``` * Response information: - XML format - Metadata with RequestId

Answer 11

* Use the CLI command: `aws iam deactivate-mfa-device` aws iam deactivate-mfa-device \ --user-name Bob \ --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice * Output: None

Answer 12

* Use `DeactivateMFADevice` to make an API call ``` https://iam.amazonaws.com/? Action=DeactivateMFADevice &UserName=Bob &SerialNumber=R1234 &Version=2010-05-08 &AUTHPARAMS ``` * Response information: - XML format - Metadata with RequestId

Answer 13

* Use the CLI command: `aws iam list-virtual-mfa-devices` aws iam list-virtual-mfa-devices Output: { "VirtualMFADevices": [ { "SerialNumber": "arn:aws:iam::123456789012:mfa/ExampleMFADevice" }, { "SerialNumber": "arn:aws:iam::123456789012:mfa/Fred" } ] }

Answer 14

* Use `ListVirtualMFADevices` to make an API call ``` https://iam.amazonaws.com/? Action=ListVirtualMFADevices &AssignmentStatus=Any &Version=2010-05-08 &AUTHPARAMS ``` * Response information: - XML format - VirtualMFADevices - Enable Date - Serial Number - User Information - Metadata with RequestId

Answer 15

* Use the CLI command: `aws iam resync-mfa-device` aws iam resync-mfa-device \ --user-name Bob \ --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice \ --authentication-code1 123456 \ --authentication-code2 987654 * Output: None

Answer 16

* Use `ResyncMFADevice` to make an API call ``` https://iam.amazonaws.com/? Action=ResyncMFADevice &UserName=Bob &SerialNumber=R1234 &AuthenticationCode1=234567 &AuthenticationCode2=987654 &Version=2010-05-08 &AUTHPARAMS ``` * Response information: - XML format - Metadata with RequestId

Answer 17

* Use the CLI command: `aws iam delete-virtual-mfa-device` aws iam delete-virtual-mfa-device \ --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice \ * Output: None

Answer 18

* Use `DeleteVirtualMFADevice` to make an API call ``` https://iam.amazonaws.com/? Action=DeleteVirtualMFADevice &SerialNumber=arn:aws:iam::123456789012:mfa/ExampleName &Version=2010-05-08 &AUTHPARAMS ``` * Response information: - XML format - Metadata with RequestId

Answer 19

MFA Serial number reference `based on the device type`: * `MFA hardware device`: `GAHT12345678` * `IAM Virtual MFA`: `arn:aws:iam::123456789012:mfa/ExampleName`

Answer 20

* `AWS Management Console`: protected by password + MFA * AWS Command Line Interface (`CLI`): protected by access keys * AWS Software Development Kit (`SDK`): for code - protected by access keys * AWS IAM Query API (`API`): issue HTTPS requests directly to the AWS service

Answer 21

* AWS Console > choose your `username` (upper right nav bar), and then choose `Security credentials` > `Update Console password` * AWS CLI: `aws iam change-password` - Generate change-password.json file ``` aws iam change-password \ --generate-cli-skeleton > change-password.json ``` * Update change-password.json file with new password ``` { "OldPassword": "3s0K_;xh4~8XXI", "NewPassword": "]35d/{pB9Fo9wJ" } ``` * Upload the updated change-password.json file ``` aws iam change-password \ --cli-input-json file://change-password.json ``` * AWS API: ChangePassword ``` https://iam.amazonaws.com/?Action=ChangePassword &OldPassword=U79}kgds4? &NewPassword=Lb0*1(9xpN &Version=2010-05-08 &AUTHPARAMS ```

Answer 22

* IAM users must have sufficient permissions to create, view, and deactivate MFA devices assigned to them * You can permit IAM users to access `My security credentials` to manage their own MFA by creating `custom policy provided by provided AWS IAM` * Assign the policy to the User Groups * Users will be force to setup MFA for their account before they can access resources

Answer 23

* `Users` are people within your organization, and can be grouped * `Groups` only contain users, not other groups * `Users don’t have to belong to a group, and user can belong to multiple groups`

Answer 24

* Manage `Access Keys` * Set `Permission Polices` * Assign user to `Groups` * Create `Tags` * Manage `Security Credentials` * View `Access Advisor`

Answer 25

* `Unique IDs`: `128 characters`, includes: User ID, Group ID, Role ID, Managed Policy ID, Server Certificate ID * `Group Name`, `Policy Name`: `128 characters` * `User Name`, `Role Name`, `Role Session Name`: `64 characters` * `Switch Role`: `Path + RoleName can't exceed 64 characters`

Answer 26

* Access Keys are generated through the AWS Console * Users manage their own access keys * Use access keys for `long term access` * Use access keys to send `programmatic calls to AWS` from the AWS CLI, AWS Tools for PowerShell, AWS SDKs, or direct AWS API calls. * IAM will prompt to acknowlege the recommendation of using AWS CloudShell and AWS CLI V2 for IAM Identity Center * You can have a `maximum of two access keys` (active or inactive) at a time. * Access Keys are secret, just like password. - `Access Key Id` = username - `Secret Access Key` = password * `Never share you Access Keys`

Answer 27

* Workloads that `cannot use IAM Roles` such as `WordPress plugins` * Third-party clients `not hosted on AWS` * AWS `CodeCommit` access * Amazon `Keyspaces` (for Apache `Cassandra`) access

Answer 28

* `Identity-based policies` - JSON policy, control actions of an identity (users, groups, roles) * `Resource-based policies` - JSON policy, attach to a resource * `Permissions boundaries` - JSON policy, set the maximum permissions that an identity-based policy can grant to an IAM entity * `Organizations SCPs` - JSON policie, grouping and centrally managing the AWS accounts * `Access control lists (ACLs)` - Not JSON format, control which principals in another account can access a resource * `Session policies` - use pass as a parameter when you programmatically create a temporary session for a role or federated user

Answer 29

* Identity-based policies are `JSON permission policies to control actions of an identity (users, groups, roles)` * Further categorized: * `Inline Policies` - directly assign to a single user, group, or role * `Managed Policies`: - `AWS managed policies` - policies created and managed by AWS - `Customer managed policies` - policies created and managed by the customer

Answer 30

* Resource-based policies are `JSON policy` documents that you attach to a resource such as an Amazon S3 bucket. * Resource-based policies are `inline policies` * There are `no managed` resource-based policies

Answer 31

* Enable AWS Roles (`Resource-based policies`) * Specify the principle: - if principle and resource are in the same account - no identity-based policy is required - if principle and resource are in different accounts - an additional identity-based policy is required

Answer 32

* Sets of Identity-based policies to control the `maximum permissions` for Users or Roles * It `limits the user's permissions` but does not provide permissions on its own * `Delegate permissions` management tasks, such as user creation, to IAM users in your account * `Enforce the delegatee to assign the same Permission Boundary for new users they created` Use Cases: * Enable developer to create roles with escalating their access * Require developers to create roles with a boundary Pro tip: Require roles and managed polices start with a namespace

Answer 33

- Permissions boundaries use a `managed IAM policy` to restrict access - Policy cannot exceed `6,144 characters long` - Can have `up to 10 managed policies and 1 permissions boundary attached to an IAM role` - Apply permissions boundaries to the IAM roles created by developers, rather than to the developers themselves

Answer 34

* A service for `grouping and centrally managing the AWS accounts` that the business owns * Once enabled it will enabled for all accounts * SCPs are `JSON policies` that specify the `maximum permissions` for an `organizational unit (OU)` as well as Account Root user * An explicit `Deny` in any of these policies `overrides` the `Allow` Use Cases: * Restrict access to specific AWS Regions * Prevent your IAM Principals from deleting common resources * Restrict service actions to all IAM entities except a specific role Pro tip: Push restrictions common amount accounts up to SCPs.

Answer 35

* Allow you to control which principals in another account can access a resource * Cannot be used to control access for a principal within the same account * Similar to Resource-based policies * `Does not use the JSON policy document format` * Example: Amazon S3, AWS WAF, and Amazon VPC

Answer 36

* Policies that you pass as a parameter when you `programmatically` create a temporary session for a role or federated user * Permissions use `both` Identity-based and resource-based policy for access * An explicit deny in any of these policies overrides the allow

Answer 37

* Can provide access keys of the IAM user to programmatically call the **GetFederationToken** API operation * Must also pass session policies * Permission results: `intersection (Identity-based + Session policy)`

Answer 38

* Must specify the ARN of the user or role as a principal * Permission results: `All Resource-based policy + Intersection(Identity-based + Session policy) )`

Answer 39

* Set the maximum permissions for a user or role that is used to create a session * Permission results: `Intersection (Resource-based policy + Identity-based + Session policy)`

Answer 40

* IAM user - 15 minutes to 36 hours, 12 hours is the default * AWS account owners - maximum and default is 1 hour

Answer 41

* Content's can't exceed 2,048 characters * Can pass a maximum of 10 managed policy when session is created * Can only pass one JSON document for a role or federated user

Answer 42

* Authorization strategy that defines permissions based on attributes called `Tags` * Use `PrincipalTag` to indicate what principle tags are allowed to access the resource

Answer 43

* `IAM Principle Tags`- Tag entities with access control attributes * `IAM Session Tags` - Tag sessions with access control attributes * `Tags on AWS Resource` - Tag resources with access control attributes * `Tags on AWS IAM Polices` - Control access based on tags * `Tags on AWS Organization` - Standardized tag names, value, and capitalization. Control allowable values, investigate difference.

Answer 44

* Session tags must meet the tag key limit of 128 characters and the tag value limit of 256 characters * You can pass up to 50 session tags in a single session

Answer 45

* `All access requests start with DENY` * If using Service Control Polices (CSPs) - `CSP must Allow` * if using Permission Boundaries - `Permission Boundary must Allow` * if same account access - Identity or Resource policy must Allow * if direct cross account access - `Both Identity AND Resource Policy must Allow` * if using session policy - `Session AND Identity Policy must Allow`

Answer 46

* 100,000 characters * Applies to assume-role-with-saml CLI or AssumeRoleWithSAML API operation

Answer 47

* Affected by some policy types but not others * Cannot attach identity-based policies * Cannot set the permissions boundary * Affected by Service Control Policies (SCPs) * Can specify the root user as the principal in a resource-based policy or an Access Control List (ACL)

Answer 48

* `Inline`: add directly to a single user, group, or role and maintain a strict one-to-one relationship * `Policies Inheritance`: Users inherit the policies within the group

Answer 49

* Permissions are defined by policies attached to the user directly or through groups. * Users or Groups can be assigned `JSON` documents called policies * These policies define the permissions of the users * Apply the `least privilege principle`: don’t give more permissions than a user needs * Most policies are stored in AWS as JSON documents.

Answer 50

* `Version`: policy language version, in the format: `“2012 -10 - 17”` * `Id`: an identifier for the policy (optional) * `Statement`: one or more individual statements (required) * `Sid`: an identifier for the statement (optional) * `Effect`: whether the statement allows or denies access (`Allow`, `Deny`) * `Principal`: Account, User or Role to which this policy applied to * `Action`: list of actions this policy allows or denies * `Resource`: list of resources to which the actions applied to * `Condition`: conditions for when this policy is in effect (optional)

Answer 51

* A logical `OR` will be applied across the statements * If multiple policies appy to a single request, AWS applies a logical `OR` accross all those policies when evaluating them

Answer 52

`Access Level Groupings`: * `Full`: access to all actions within the specified access level classification * `Limited`: access to one or more but not all actions within the specified access level classification * `None`: no access * `(empty)`: IAM does not recognize this service `Access Level Classification`: * `List`: can list objects but cannot view the object's content * `Read*`: can read the object's content * `Tagging`: can change the objects's tag * However, CreateRole action allows tagging a role, but also Write access * `Write`: can create, delete or modify object's content * `Permissions Management`: can modify the resource permission in the service * Example: `S3 actions PutBucketPolicy and DeleteBucketPolicy have Permissions Management access level` * It's important to restrict or regularly monitor this type of policies

Answer 53

Inline Policies: * User policy - can't exceed `2,048` characters. * Group policy - can't exceed `5,120` characters. * Role policy - can't exceed `10,240` characters. Managed Policies: * All policies - can't exceed `6,144` characters. **IAM doesn't count white space when calculating the size of a policy against this limit.**

Answer 54

* Amazon Resource Names (ARNs) `uniquely identify AWS resources in AWS JSON policies` * Format: * `arn:partition:service:region:account-id:resource-id` * `arn:partition:service:region:account-id:resource-type:resource-id` * `partition`: * `aws` - AWS Regions * `aws-cn` - China Regions * `aws-us-gov` - AWS GovCloud (US) Regions * `service` - service namespace that identifies the AWS product * `region` - Region code. For example, us-east-2 for US East (Ohio) * `account-id` - ID of the AWS account * `resource-type` - The resource type - For example, vpc for a virtual private cloud (VPC) * `resource-id` - ID of the resource * `ARN paths` - forward slash (`/`), equals (`=`), comma (`,`), period (`.`), at (`@`), and hyphen (`-`). * `Using wildcards in paths` - "Resource":"arn:aws:iam::123456789012:user/`*`"

Answer 55

- IAM > Policies > Create Policy - Select `Visual` or `JSON` - Select `Actions` to `generate CloudFormation template`, `optimize for readability or size ` - `Select a service`: - Auto Sccaling - CloudFront - EC2 - IAM - Lambda - RDS - S3 - SNS (`Simple Notification Service`) - `Add Access Level Actions`: - List - Read - Write (create/update/delete) - Permission Management (permission access actions such as `CreatePolicy`) - Tagging (tagging actions) - `Select Effect (Add/Deny)` - `Select Resource ARN`: - Access-Report - Group - Instance-Profile - MFA - OIDC-Provider - Policy - Role - SAML-Provider - Server-Certificate - SMS-MFA - User

Answer 56

* Generate policies based on access activity * Require date/time period, trail logs and service Role

Answer 57

* A user group is a collection of IAM users * Use groups to specify permissions for a collection of users * A user can be a `member of up to 10 groups at a time`

Answer 58

* Tags are key-value pairs that you can add to AWS resources to help identify, organize, or search for resources. * A `Tag Key` (for example, CostCenter, Environment, Project, or Purpose) * An `optional` field known as a `Tag Value` *(Omitting the tag value is the same as using an empty string)* * Tag Keys and values requirements: - `case sensitive` - `any combination of letters, numbers, spaces and _ . : / = + - @ symbols`

Answer 59

* Tag Key: 128 characters * Tag Value: 256 characters * Empty tag value has a length of 0 characters

Answer 60

* `Manage console access` * `Reset user password` * Manage `Access Keys` * Use `SSH public keys to authenticate access to AWS CodeCommit*` repositories * Generate HTTPS `Git credentials for AWS CodeCommit` * `Generate credentials for Amazon Keyspaces` (for Apache Cassandra) * `X.509 Signing certifications`

Answer 61

* CodeCommit is a `secure, highly scalable`, managed source control service that hosts `private Git repositories` * Designed to `integrate with other AWS services` * Access authentication with: * `SSH public keys` - *maximum of five SSH public keys (active or inactive) at a time* * `Generate HTTS username & password credentials` - *maximum 2 sets (active or inactive) at a time*

Answer 62

* Amazon Keyspaces (for Apache Cassandra) is a scalable, highly available, and managed Apache Cassandra-compatible database service * Ways to generate access credentials: * Users > Security Credentials * AWS CLI > `aws iam create-service-specific-credential` * AWS API > `CreateServiceSpecificCredential`

Answer 63

* AWS server certicate is a `X.509 v3 data structure` that binds the public key in the certificate to the subject of the certificate. * An SSL/TLS certificate is signed by `Certificate Authority (CA)` and contains the name of the server, validaity period, public key and signature, etc... * Use Cases: * Amazon API Gateway for custom domain name * AWS CloudFormation - ACM certificates * Amazon CloudFront to distribute website content delivery * Code Signing for AWS IoT * Elastic Beanstalk * Elastic Load Balancing * Ways to create X.509 certificates: * `IAM User > Security Credentials` - Maximum of 2 X.509 certificates (active or inactive) at a time * `AWS Certificate Manager (ACM)`

Answer 64

* IAM Roles are permission policies for services * An IAM Role is both an `identity` and a `resource` that supports resource-based policies - `Must attach both a trust policy and an identity-based policy` * It is `associated with a service` instead of an identity user * Users have permanent long-term credentials, but roles provide `temporary credentials` * Common roles: * `EC2 Instance Roles` * `Lambda Function Roles` * `Roles for CloudFormation`

Answer 65

When the following situation occurs: * `Federated user access` * `Temporary IAM user/role permissions` * `Cross-account access` - trusted principle from another AWS account * `Cross-service access` * `Principal permissions` - permission given to IAM user/role to access cross service resource * `Service role` - delegate permission to assumes a service on your behalf `(such as permission boundary)` * `Service-linked role` - type of service role that linked to another AWS service * `Applications running on Amazon EC2` - making AWS CLI or AWS API requests

Answer 66

* `Trust Policy` - defined which principle can assume the role * `Identity-based policies (inline and managed)` - define permissions the user of the role to perform actions on the resource

Answer 67

- IAM > Roles > Create Role - Select the Trusted Entity type - AWS Service (EC2, Lambda) - AWS Accounts - Web Identity (federated user) - SAML 2.0 Federation (corporate active directory) - Custom Trust Policy - Provide Use Case for services to call on it's behalf - Attach a permission policy - Set a permission boundary (optional) - Provide Role name and description - Add Tags (optional)

Answer 68

* Authenticate your non AWS workloads and securely provide access to AWS services * Can configure existing Roles policies to Roles Anywhere * `Create a Certificate Authority (CA)` and `Trust Anchor` to establish trust between AWS and Certificate Authority (CA)

Answer 69

* Administrator will provide you a link to access the Switch Role page which have Account ID and Role Name already filled * Sign in to AWS Console and access the username on the navbar and choose `Switch Role` > manually enter the Account ID and Role Name

Answer 70

* You can switch to a role only after you sign in as an IAM user or a federated user. * If you launch an Amazon EC2 instance to run an application, the application can assume a role through its instance profile * `You cannot switch to a role when you sign in as the AWS account root user` * `Only one set of permissions can be in effect at a time` - cannot make use of his power-user privileges for your account if you're switching roles to another account. * Switching roles using the AWS Management Console only works with accounts that do not require an `ExternalId`

Answer 71

* Click on the role display name on the navbar and then choose "`Back to YourName@YourAccountID`".

Answer 72

1. `IAM Credentials Report (account-level)` - a report that lists all your account’s users and the status their various credentials 2. `IAM Access Advisor (user-level)` - Shows the service permission granted to a user and when those services were last accessed - You can use this information to revise your policy

Answer 73

* Command line interface (CLI) is a tool allows you to interact with AWS services using commands * Direct `access to the public APIs of AWS services` * You can develop scripts to manage your resources * It’s open-source https://github.com/aws/aws-cli * Alternative to using AWS Management Console * Developed upon `Python SDK (boto3)`

Answer 74

- Search for AWS CLI v2 on Windows - Download MSI install and install it - Open cmd line prompt - Run `aws --version` - The output will show if AWS CLI is installed: `aws-cli/2.10.0 Python/3.11.2 Windows/10 exe/AMD64 prompt/off`

Answer 75

- Search for AWS CLI v2 on Mac OS - Download and install the PKG file - Select *install for all users on this computer* - Open a terminal on Mac - Run `aws --version` - The output will show if AWS CLI is installed: `aws-cli/2.10.0 Python/3.11.2 Windows/10 exe/AMD64 prompt/off`

Answer 76

- Run the 3 commands sequentially: ``` $ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip sudo ./aws/install ```

Answer 77

Ensure you're using the most recent version of AWS CLI

Answer 78

* 512 characters

Answer 79

* A browser-based CLI to manage AWS resources from a terminal in your browser * Use the `same AWS Management Console login` * `1 GB of persistent storage` * `Import/export files`

Answer 80

* AWS Software Development Kit (AWS SDK) * Language-specific APIs (set of libraries) * Enables you to access and manage AWS services programmatically * Embedded within your application * Supports: * SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++) * Mobile SDKs (Android, iOS, …) * IoT Device SDKs (Embedded C, Arduino, …) * Example: AWS CLI is built on AWS SDK for Python (`boto3`) Examples: * We have to use the AWS SDK when coding against AWS Services such as DynamoDB

Answer 81

* Break up policies by resource type due to limited JOSN document size * Avoid define multiple permissions in a single statement * `Grant least privilege` * Understand `access level groupings` * Use IAM Access Analyzer & CloudTrail to generate and validate user access information

Answer 82

`AWS:` * Infrastructure (global network security) * Configuration and vulnerability analysis * Compliance validation `You:` * Users, Groups, Roles, Policies management and monitoring * Enable MFA on all accounts * Rotate all your keys often * Use IAM tools to apply appropriate permissions * Analyze access patterns & review permissions

Answer 83

1. Root account must provide IAM user with `AdministratorAccess` to access Billing Information 2. Log on to our IAM User account 2. Go to `My Account` > `My Billing Dashboards` 3. Click on `Budget` > Create a Budget 4. Choose premade templates or customized your own template: - `Zero spending budget` - `Monthly cost budget` - `Daily savings Plans coverage budget` 5. Add `email recipients` to be notified 6. Click `Create Budget`

Answer 84

1. Log onto `Root account` 2. Click `My Account` 3. Click Edit under `IAM User and Role access to Billing Information` 4. Check `Activate IAM Access` 5. Click `Update`

Answer 85

* `Users`: mapped to a physical user, has a password for AWS Console * `Groups`: contains users only * `Policies`: JSON document that outlines permissions for users or groups * `Roles`: for EC2 instances or AWS services * `Security`: MFA + Password Policy * `AWS CLI`: manage your AWS services using the command-line * `AWS SDK`: manage your AWS services using a programming language * `Access Keys`: access AWS using the CLI or SDK * `Audit`: IAM Credential Reports & IAM Access Advisor