AWS IAM Flashcards
What is AWS Identity and Access Management (IAM)?
IAM is a service that allows you to define users and the types of access they will have to AWS services.
What are the key components of IAM?
Users, groups, roles, and policies are the key components used to manage access in IAM.
What is the purpose of IAM groups?
Groups are used to apply permissions efficiently by defining access policies for a collection of users with similar responsibilities.
What is an IAM policy?
An IAM policy is a document that defines access permissions independently of users and groups. It specifies what actions are allowed or denied on AWS services.
What is the principle of least privilege in IAM?
The principle of least privilege means granting only the minimum permissions necessary for users, groups, and roles to perform their tasks, enhancing security by limiting access.
What is the difference between identity-based policies and resource-based policies in IAM?
Identity-based policies are attached to users, groups, or roles and specify permissions for those identities. Resource-based policies are attached to resources like S3 buckets and control who can access the resource and what actions they can perform.
What is an IAM role?
An IAM role is an identity in AWS with specific permissions that can be assumed by anyone who needs it. It does not have long-term credentials like passwords or access keys associated with it.
What is multi-factor authentication (MFA) in IAM?
MFA adds an additional layer of security by requiring users to provide an additional piece of information (such as an MFA code from a device) along with their username and password for access.
How does IAM handle authorization?
IAM users, groups, and roles do not have permissions by default. Permissions must be explicitly granted through policies, following the principle of least privilege.
How does IAM determine permission when a user requests access?
IAM first checks for an explicit deny; if one applies, access is denied. Otherwise it checks for an explicit allow. If no explicit allow applies, access is denied by default (implicit deny).
What is programmatic access in AWS IAM?
Programmatic access allows users to interact with AWS services through APIs, requiring an access key ID and secret access key.
What is AWS Management Console access in IAM?
AWS Management Console access allows users to interact with AWS services through the web-based management console, requiring a username and password.
What is multi-factor authentication (MFA), and why is it recommended?
MFA adds an extra layer of security by requiring users to provide a second form of verification, such as a code from a mobile app or a hardware token. It’s recommended to enhance security and protect against unauthorized access.
How does IAM handle permissions in case of conflicting policies?
In IAM, if there is a conflict between an explicit allow statement and an explicit deny statement for the same action, the deny statement takes precedence, ensuring more restrictive access controls.
Can IAM groups contain other groups?
No, IAM groups cannot contain other groups. Each group can only contain users, and users can belong to multiple groups.
What is an IAM role, and how is it different from a user?
An IAM role is similar to a user in that it is an identity with specific permissions, but it does not have long-term credentials associated with it like passwords or access keys. Roles are intended to be assumable by anyone who needs the associated permissions.
What is the purpose of a trust policy in an IAM role?
A trust policy in an IAM role defines which entities (users, services, or accounts) can assume the role and access its permissions.
How does IAM enforce the principle of least privilege?
IAM follows the principle of least privilege by default, meaning that users, groups, and roles have no permissions until specific permissions are explicitly granted through policies.
What are the different types of access that can be assigned to IAM users?
IAM users can be assigned programmatic access, which requires access keys for API calls, and/or AWS Management Console access, which allows access through the web console.
How does IAM determine permission in resource-based policies?
In resource-based policies, IAM determines permission based on explicit allow or deny statements attached to the resource. If no explicit allow statement exists, IAM defaults to deny access.