IAM Basics Flashcards
What is AWS IAM?
- AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources
- IAM is a Global service
- IAM controls who is authenticated (signed in) and authorized (has permissions) to use resources.
What are some IAM features?
- Shared access to your AWS account
- Granular permissions
- Secure access to AWS resources for applications that run on Amazon EC2
- Multi-factor authentication (MFA)
- Identity federation - 3rd party authentication providers
- Identity assurance - AWS CloudTrail activity logs
- PCI DSS Compliance
- Integrated with many AWS services
- Eventually Consistent - high availability by replicating data across multiple servers
- Free to use
What is a federated identity user?
Federated Identity users are users authenticated with a 3rd party provider such as Facebook, Google, Instagram, etc.
What are the sign-in options available for AWS?
Sign in with:
* AWS Management Console as a root user or IAM user
* AWS access portal as a user in IAM Identity Center
* Federated Identity user
* AWS Command Line Interface (CLI)
* Programmatic methods like SDK and API
* Sign in with AWS Builder ID - personal profile linked to AWS training
If you don’t use AWS tools, you must sign requests yourself, for example by signing API requests using AWS Signature Version 4
How are you authorized to access AWS resources?
- You must be authenticated (signed in) to AWS
- Authenticated users can access resources based on their permission policies
- Federated Identity users indirectly assume a role
How does IAM work?
- Principal makes an Authentication request
- On successful authentication, IAM performs Authorization
- IAM checks for:
  - Identity-based policies
  - Other policies
  - Resource-based policies
- Check Actions (Console) OR Operations (CLI/API)
  - EC2: RunInstance, StartInstance, StopInstance
  - IAM Service: CreateUser, DeleteUser, GetUser
  - S3: CreateBucket, DeleteBucket, ListBucket
- Perform Actions on Resources
What is a Principal in AWS IAM?
- A Principal is either a human identity (IAM User) or a collection of resources (IAM Role)
- Principals include federated users and assumed roles
What are the security best practices in IAM?
* Don’t use the root account except for AWS account setup
* One physical user = One AWS user
* Assign users to groups and assign permissions to groups
* Create a strong password policy
* Use and enforce the use of Multi Factor Authentication (MFA)
* Update access keys when needed for use cases that require long-term credentials
* Create and use Roles for giving permissions to AWS services
* Apply least-privilege permissions
* Use Access Keys for Programmatic Access (CLI / SDK)
* Audit permissions of your account using IAM Credentials Report & IAM Access Advisor
* Never share IAM users & Access Keys
What is attribute-based access control?
- Attribute-based access control (ABAC) is an authorization strategy that lets you create fine-grained permissions based on user attributes, such as department, job role, and team name
What is the difference between Actions and Operations?
- Actions and Operations are what the principal wants to perform on the resource
  - CreateUser
  - GetUser
  - UpdateUser
  - DeleteUser
- Actions in AWS Management Console
- Operations in AWS CLI or AWS API
What information is required to send a request to AWS?
- Environment data - Information about the IP address, user agent, SSL enabled status
- Principal - user or role
- Actions (AWS Console) or operations (AWS CLI/API) - Requested actions to perform such as IAM:CreateUser
- Resources - the AWS resource object the action is performed upon
- Resource data - Data to be updated
What is AWS Authorization?
- Authorization is permission to access AWS resources
- Must be Authorized (allowed) to complete your request
- By default: all requests are denied
- An explicit Allow in any permissions policy overrides the default deny
- If any of the following exist, then they must all allow the request:
  - Organizations SCP
  - IAM permissions boundary
  - session policy
- An explicit deny in any policy overrides any allows
What is AWS Root User account?
- The Root account is the master account used to manage all AWS Services.
- We strongly recommend that you don’t use the root user for your everyday tasks
- It should not be used or shared.
What are the steps to create a Root User account?
- Sign up for an AWS account by visiting the AWS website and clicking on the “Create an AWS Account” button.
- Provide the necessary information, such as email address, password, and billing information, to create your AWS account.
- Amazon requires credit card authorization of $1.00 to verify the billing information.
- Complete the identity verification process to activate your account.
- Select a Support Plan
- Log in to the AWS Management Console using your newly created credentials.
- Consider setting up multi-factor authentication (MFA) for added security on your account.
What are the tasks that require the root user account?
- Change your account settings
- Restore IAM user permissions
- Activate IAM access to the Billing and Cost Management console
- View certain tax invoices
- Close your AWS account
- Register as a seller in the Reserved Instance Marketplace
- Configure an Amazon S3 bucket to enable MFA (multi-factor authentication)
- Edit or delete an Amazon Simple Queue Service (Amazon SQS) resource policy that denies all principals
- Edit or delete an Amazon Simple Storage Service (Amazon S3) bucket policy that denies all principals
- Sign up for AWS GovCloud (US)
What can you do in the IAM Dashboard?
- Dashboard shows Security Recommendations for best practice
- Create Users, Groups, & Roles
- Create Permission Policies
- Manage Single Sign-on Identity Providers
- Configure Account Settings
  - Password Policy
  - Security Token Service (STS) Region Endpoints
- View Access Reports
  - Access Analyzer
  - Credential Report
  - Organization Activity
  - Service Control Policies (SCPs)
How do you create a new IAM User?
- Access Users from the IAM Dashboard
- Specify username
- Select User Access Type
  - "Specify a user in IAM Identity Center" - For developers who need access to Access Keys
  - "I want to create an IAM user" - Single Sign-on for organization users
- Configure a console password
  - Autogenerate password
  - Custom password (IAM default password policy)
  - Option to select "Users must create a new password at next sign-in"
- Configure user permissions
  - Add user to group (recommended)
  - Copy permissions from another user
  - Attach policies directly (Inline Policy)
- Review and create
How do IAM users sign into AWS?
- Root User signs in with their email and password
- We can simplify the Root account sign-in by creating an Alias to use instead of the email address
- IAM users sign in with their AWS Account ID, Username, and Password
- All accounts must be configured with MFA for security purposes
How to configure IAM Password Policy?
- Strong password = higher security for your account
- Good password policy helps protect against brute force on your account
- IAM Dashboard - Access management > Account Settings > Edit
- Configure IAM Password Policy:
  - Set minimum password length - default is 8 characters
  - Password strength (default is any 3 of the following 4):
    - An uppercase letter
    - A lowercase letter
    - One number
    - A non-alphanumeric character ! @ # $ % ^ & * ( ) _ + - (hyphen) = [ ] { } | ‘
  - Other requirements:
    - Turn on password expiration
    - Password expiration requires administrator reset
    - Allow users to change their own password
    - Prevent password reuse
What is Multi Factor Authentication (MFA)?
- You want to protect your Root Account and IAM users
- MFA = password you know + security device you own
- Main benefit of MFA: If a password is stolen or hacked, the account is not compromised
How to Enable MFA on your computer or phone?
- IAM Dashboard Console > Users > [user] > Security Credentials > Assign MFA device
- Specify MFA device name
- MFA device type > Authenticator app
- Install and open Authenticator app
- Scan QR code
- Enter MFA code 1
- Wait 30 seconds
- Enter MFA code 2
What is TOTP Authentication?
- Time-based one-time password (TOTP) algorithm that supports multiple tokens on a single device
- Available for MFA Authenticator app
- Available providers:
  - Google Authenticator (phone only)
  - Twilio Authy (multi-device)
  - Duo Mobile
  - Microsoft Authenticator
  - Symantec VIP
How to Enable MFA with a hardware security key?
- IAM Dashboard Console > Users > [user] > Security Credentials > Assign MFA device
- Specify MFA device name
- MFA device type > Security Key
- Connect your security key to your device via USB, Bluetooth, or NFC
- Tap the security key
What is a FIDO Security Key?
- FIDO is an authentication protocol which uses a Universal 2nd Factor (U2F) Security Key to perform MFA
- Universal 2nd Factor (U2F) Security Key is an open authentication standard that enables internet users to securely access any number of online services
- Hardware YubiKey is a USB Key Fob by Yubico (3rd Party)
- Supports multiple root accounts and IAM users using a single security key