AWS IAM Flashcards

1
Q

What are the main logical components of AWS IAM?

A

Users, Groups, Roles, Permission Policies

2
Q

Can a user assume a role in another account?

A

Yes, a user can assume a role in another account by calling assume-role using the CLI or by using the web console's switch role function. With the CLI, assume-role requires a --role-arn and a --role-session-name.

3
Q

How can I give a user from another account access to a resource in my account?

A

Create a cross-account role that the user in the other account will assume. That user will need a policy stating they can assume this role; for this you will need the role's ARN.

4
Q

With an AWS IAM role, can I have credentials for 30 days?

A

No, the access keys expire after 15 min to 12 hrs depending on your configuration.

5
Q

I have an application running on an EC2 instance, and the EC2 instance has been given a role that enables access to S3. Where can I get these access keys from?

A

You can get the keys from the metadata service at 169.254.169.254.

6
Q

I have a user in AWS account A and want to give this user access to AWS account B. How can I do this?

A

Create a cross-account role and have the user use switch role from their own account.

7
Q

I want to use a Web Identity Provider with my mobile application to access DynamoDB, how would this work?

A

  1. The mobile app signs in to the identity provider (IdP).
  2. The IdP gives the mobile app a token.
  3. The mobile app calls AssumeRoleWithWebIdentity on STS.
  4. STS validates the token with the IdP.
  5. STS checks the policy with AWS IAM.
  6. STS returns security creds (temp access key and secret key) to the mobile app.

8
Q

What are the creds returned by STS?

A

Access key and secret key

9
Q

From an IAM perspective, what should I do with the root user first thing after setting up a new account?

A
  • Remove the access key.
  • Set an extremely secure password on the root user.
  • Do not use the root password except in emergencies.
  • Enable MFA and lock away the security key.
10
Q

From an IAM perspective is it better to assign permissions to individuals or groups?

A

Groups, as they are easier to manage than individuals.

11
Q

When assigning access to users, should I assign all access to all services to make it easy to manage and save time?

A

No, you should implement least privilege and only assign the level of access required for the person to do their job.

12
Q

As IAM best practice what should I do for passwords?

A

Implement a password policy covering rotation, strength, reuse, etc.

13
Q

When an application on an EC2 instance wants access to services in AWS, what is best practice?

A

Create a role and assign it to the EC2 instance, allowing only the services and actions required by the application.

14
Q

If I have two accounts, do I share security creds between accounts?

A

No, you set up a role in the other account and enable the user to assume the role.

15
Q

For an AWS account, what are the 3 domains?

A
  • Authentication (IAM)
  • Billing
  • Authorisation (Permissions)
16
Q

How can we restrict the blast radius in AWS?

A

You can use an AWS account; the account is the boundary for billing, user authentication and authorisation.

17
Q

What are the two ways a user can authenticate themselves with AWS IAM?

A
  • User name & password
  • Access key & secret key

18
Q

How is a user given access to resources?

A

A user is given access through policies assigned either directly to the user or to the group the user is in.

19
Q

What are the main parts of a user policy?

A
  • Effect: this is Allow or Deny
  • Action: e.g. "s3:ListBucket"
  • Resource: e.g. "arn:aws:s3:::example_bucket"
  • Condition
20
Q

For a user based policy, what is its main purpose?

A

To allow or deny user access to a resource.

21
Q

For a resource-based policy, what is the main purpose?

A

To allow or deny one or more users access to the resource.

22
Q

What are the main elements of a resource-based policy?

A
  • Effect: this is Allow or Deny
  • Action: e.g. "s3:ListBucket"
  • Resource: e.g. "arn:aws:s3:::example_bucket"
  • Principal: e.g. {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]}
  • Condition
23
Q

What is an AWS group?

A

It is an admin construct to group users into a single pool.

24
Q

What is an inline policy?

A

It is a policy that is directly attached to a user or a group.

25
Q

Can you log in as a group?

A

No, a group is a logical construct.

26
Q

When you create a user in AWS, do they have any rights by default?

A

No

27
Q

There is a DENY in a user policy, but there is also an ALLOW in the resource policy. What is the outcome?

A

Deny

28
Q

What is the limit of the number of users per AWS account?

A

5K, but using federation you can get around this.

29
Q

Using a user policy, how would you enable access to an S3 resource?

A

"Effect": "Allow"
"Action": "s3:
"Resource": "

30
Q

How are policies evaluated when you access a resource?

A

All policies are gathered together and evaluated as a group; this includes user and resource policies. If there is a DENY in the policies, you will be denied access; if there is no ALLOW in the policies, you will also be denied access.

31
Q

Can a user have multiple policies attached?

A

Yes.

32
Q

Can you have multiple statements in an access policy?

A

Yes

33
Q

If I have a policy with two statements that allow S3 access for all APIs, will I be able to access EC2, and why?

A

No, as there is an implicit deny.

34
Q

What are managed policies?

A

They are the policies made available to you by AWS and managed by AWS.

35
Q

What is a customer managed policy?

A

They are policies you create.

36
Q

What is a condition on a policy statement?

A

It means the statement applies only provided the condition matches.

37
Q

What are policy variables?

A

They are AWS variables that are available when creating policy documents.

38
Q

I only want a bucket available between 1pm and 4pm daily, how can I achieve this?

A

You can set a condition in the policy.

39
Q

Can I log into a role?

A

No, a role is assumed by users.

40
Q

Can an EC2 instance assume a role?

A

Yes; this way the EC2 instance can use the assumed role to access something like S3.

41
Q

I want a Lambda function to access an S3 bucket. Do I need a user?

A

You need to assume a role that has a policy with permission to access the S3 bucket. The role will also need a trust policy to allow Lambda to assume it.

42
Q

A role has two main parts, what are they?

A
  • Trust relationship (a policy)
  • Permissions (a policy)

43
Q

What is the role trust policy (trust relationship)?

A

The trust relationship is a policy that you use to enable accounts or services to assume a role.

44
Q

What are the 4 trust relationships types for a role?

A
  • AWS service (the service assumes the role)
  • Account (a third party can assume the role)
  • Web identity
  • SAML
45
Q

When you assume a role, what are you doing?

A

You are getting back a key ID, access key and security token from the STS server.

46
Q

For an EC2 instance with a role, where does the EC2 instance get the access keys, etc. from?

A

When the EC2 instance assumes the assigned role, it gets an access key, etc. from the STS server, and this is stored in the metadata server. The reason EC2 can assume the role is that the role has a trust relationship policy set up to allow the EC2 service to assume the role.

47
Q

Where in the metadata server are the security credentials for an EC2 instance stored?

A

https://169.254.169.254/latest/meta-data/iam/security-credentials/name_of_vm

48
Q

What service is used to give temporary credentials?

A

STS.

49
Q

When creating cross-account access where you allow a user to assume a role, what do you need to set up?

A

In the account to be assumed, you set up a role with a trust policy allowing the other account to assume the role; you also set up permissions for the role. In the account you will assume the role from, you set up a policy and assign it to users to enable them to assume the role.

50
Q

Can you revoke temporary sessions (STS)?

A

No, they only become invalid when they expire, but using the revoke sessions tab you can add a policy that denies any session issued before a given date/time.

51
Q

I want to assume a role from another account when using the CLI. How is this possible?

A
  • Use the CLI to assume a role in the other account
  • You receive back an access key, secret key and session key
  • Store them in environment variables
52
Q

I have two buckets, one in account A and one in account B. How can I copy an object between the buckets?

A

You can set up a bucket policy to allow the remote account to access the bucket.

53
Q

If, using a bucket policy, I grant a remote account access to upload to a bucket, what is a potential issue with the objects?

A

The owner of the object is the remote account, and the local account's users will not have access to the objects.

54
Q

Can you have two or more master accounts?

A

No, you can only have a single master account.

55
Q

What does AssumeRoleWithWebIdentity do?

A

Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.

56
Q

What does AssumeRoleWithSAML do?

A

Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.

57
Q

When you use AssumeRoleWithWebIdentity, what are the steps involved?

A
  • You log in to your identity provider, like Google.
  • You receive a bearer token after the login.
  • You call AWS with the bearer token; STS generates an access key, secret key and session key and returns them to you.
  • You can then use these access keys, etc. to make calls to AWS.
58
Q

I need to use Google as an identity provider to allow my users to access the AWS console, how is this possible?

A

It is not possible; WebIdentity cannot be used to access the web console, you can only use it to access the API.

59
Q

I am using SAML for web identity, I have logged in to AWS using SAML, I want to access the API, what do I need to do?

A

Call AssumeRoleWithSAML; this will give you a new access key, etc. that you can use to access AWS resources.

60
Q

What are the types of policies used in AWS?

A
  • Organization policies - service control policies (SCPs)
  • Identity policies
  • Resource policies
  • Endpoint policies
  • Security token
  • Permission boundary
61
Q

If I enable services with service control policies, have I given permission to the services?

A

No, you have just enabled the use of these services; a user or role still has to have permission through a resource or identity policy.

62
Q

What will a service control policy with no allows in it do?

A

It will deny access to every resource in every account it is attached to.

63
Q

If I have an allow for S3 in the service control policy, I have allowed EC2 in the permission boundary, and I have allowed CodeCommit in the permission policy for user X, what can user X access?

A

Nothing as there is no overlap between the policies.

64
Q

I want to stop developers from turning off CloudTrail, creating IAM users or setting up AWS Directory Service across my accounts. How can I do this?

A

You can use a service control policy.

65
Q

I want to ensure users can only create resources in approved regions, how can I do this?

A

Use service control policies. For this policy we list the actions we want to allow and attach a condition using StringEquals on aws:RequestedRegion.

66
Q

What is a permission boundary?

A

Enables you to set the maximum permissions that an identity policy can grant.

67
Q

What is a permission boundary attached to?

A

A user or a role.

68
Q

I have two accounts (A + B), I want to give permissions to the user Keith so they can only manage users in an account, how can I do this?

A

Use a permissions boundary.

69
Q

What is Deny->Allow->Deny?

A

It is where, if there is no explicit deny, then the allow takes effect; if there is no allow, then the deny takes effect.

70
Q

What is the flow of how policies are evaluated?

A
  • Org boundary
  • User & role boundary
  • User & role policies
  • Role policies
  • Permission
71
Q

What is an instance profile?

A

An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.

72
Q

What happens when I call the AssumeRole?

A
You get back 3 elements:
  • Session key
  • Access key
  • Secret key
You can use these to then make further API calls to AWS under the account the role belongs to.
73
Q

What are session policies used for?

A

Session policies are used to restrict the permissions that you get when you assume a role using AssumeRole, AssumeRoleWithSAML and AssumeRoleWithWebIdentity.

74
Q

What is the STS service?

A

It is a service that, when called, returns a temporary security token.

75
Q

What is a trust relationship in the context of AWS IAM?

A

It is part of a role and is used to create a trust relationship between the role and another account; this account can then assume the role.

76
Q

What API call is used when assuming an OAuth/web-based identity?

A

AssumeRoleWithWebIdentity

77
Q

I have a federated account. Explain how I can make a call to get table information from DynamoDB.

A

You can assume a role using the AssumeRole API; as there is a trust relationship between the role and the calling account, STS will return temporary credentials, and these creds can be used when calling the DynamoDB table.

78
Q

What are the 3 types of the federation and the API used?

A
  • AssumeRole: used between AWS accounts
  • AssumeRoleWithWebIdentity: used with federated web-based identity like OAuth
  • AssumeRoleWithSAML: used between AWS and AD
79
Q

When I am using Google-based federated identity with AWS IAM, what type of access and API am I using?

A

You are using web-based federation and will be using the AssumeRoleWithWebIdentity API.

80
Q

I have 20K users with Google accounts and I want them to be able to call the DynamoDB API. What is my best option?

A

You can use web-based federation and AssumeRoleWithWebIdentity, and then use the returned creds to make calls to the DynamoDB table API.

81
Q

What is an IAM permission boundary?

A

It enables you to restrict what services a user can access. For example, you can allow access to S3, and even if the user has IAM permissions to EC2 they will not get access to EC2, as the IAM boundary will not allow it.

82
Q

What is the difference between an IAM boundary and a service control policy?

A

The service control policy is applied at the org and account level to allow or deny access to services. The IAM boundary is applied at the IAM user and role level.

83
Q

I want to restrict the use of all services in an account except for S3. Can I use an IAM boundary policy?

A

You cannot use an IAM boundary policy, as it only operates at the user and role level. Use a service control policy.

84
Q

How are all IAM related policies (Service control, boundary etc) applied?

A

All related policies are collected and evaluated in one go: if there is a deny then that service is denied; if there is an allow then, provided the user policy also allows it, access is granted.

85
Q

When evaluating IAM-based policies, if you do not have an explicit deny or allow, what is the access?

86
Q

What order are policies evaluated in?

A
  • > Org boundaries (service control policies)
  • > User/role boundaries
  • > Role policies
  • > Identity and resource policies
87
Q

What is the role policy?

A

The role policy is attached to a role and enables deny -> Allow -> Deny. You can use it to restrict what services a person or system can access when assuming a role.

88
Q

When assuming a role how can I restrict the role to a set of service?

A

You can use role policies, role boundaries or service control policies.

89
Q

Setting up SAML, what are the steps?

A

Set up:

  • an AWS identity provider
  • roles
  • the relying party
90
Q

Is IAM a regional or global product?

A

It is a global product.

91
Q

I have account 111111111 as part of an organization with many accounts, and account 22222222 that is outside the organization. I have a service control policy in 111111111 that blocks access to the S3 service. Can account 22222222 access S3 if the correct S3 resource policy is set up to allow account 22222222 access?

A

Yes, because service control policies do not apply outside the account.

92
Q

What are policies attached to?

A
  • Users
  • User groups
  • Roles
93
Q

When a policy is attached to a user, user group or a role, what is it known as?

A
  • Identity policy
94
Q

What are the types of policies you can have?

A
  • Identity-based policies
  • Resource-based policies
  • Permissions boundaries
  • Organizations SCPs
  • ACLs
  • Session policies
95
Q

What is an identity-based policy?

A

It is a policy attached to identities like a user, user group or role. It is evaluated to allow or deny access for that identity.

96
Q

What is a resource-based policy?

A

It is a policy evaluated when a resource is accessed, it will allow or deny access to the resource.

97
Q

What is a service control policy?

A

Use an AWS Organizations service control policy (SCP) to define the maximum permissions for account members of an organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.

98
Q

What is an ACL?

A

Use ACLs to control which principals in other accounts can access the resource to which the ACL is attached. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure. ACLs are cross-account permissions policies that grant permissions to the specified principal entity. ACLs cannot grant permissions to entities within the same account.

99
Q

What are permissions boundaries?

A

Use a managed policy as the permissions boundary for an IAM entity (user or role). That policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity.

100
Q

What are the elements in the JSON IAM policy?

A
{
  "Effect": "Allow",
  "Action": ["s3:*"],
  "Resource": "arn:aws:s3:::*",
  "Condition": {
    "StringEquals": {
      "ec2:ResourceTag/Owner": "keith"
    }
  }
}
101
Q

What is the effect in an IAM policy?

A

The effect is whether to 'Allow' or 'Deny' based on the policy.

102
Q

What is the action in an IAM policy?

A

This is the list of API calls allowed. For example, s3:* means all S3 calls and * means all APIs in AWS.

103
Q

What is OrganizationAccountAccessRole used for?

A

You can use the role as part of the switch role functionality to switch to the org account.

104
Q

Do service control policies apply to the root account?

105
Q

I am creating cross-account access, what are the steps to create this?

A
  • Create a cross-account role in the account you are switching to, with a trust relationship from the account you are coming from.
  • Add a policy allowing AssumeRole to the user in the account you are coming from; this will be a policy like
    {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::11111111111:role/RoleName"
    }
106
Q

What identity providers does AWS IAM support?

A
  • OpenID
  • SAML

107
Q

What are the elements of a SAML based role?

A

  • Permission policies
  • Trust relationship

108
Q

How would you organize multiple AWS accounts for an enterprise?

A

Using AWS Organizations.

109
Q

When using AWS Organizations, what is the first thing you must have?

A

Management account

110
Q

What is an AWS account OU?

A

It's an organizational unit that enables you to organize the account structure under the root.

111
Q

When you create an account under AWS Organizations from the management account, what role do you use to access the newly created account?

A

OrganizationAccountAccessRole

112
Q

Is it easy to add new accounts to AWS organizations?

A

Yes, you can create a new account from the portal or invite an existing account.

113
Q

What is AWS access analyzer?

114
Q

What makes up an AWS access control policy?

A

Effect
Action
Resource
Condition

115
Q

When using AWS policies, what is ${aws:username}?

A

It's a policy variable holding the name of the AWS user.

116
Q

Create an AWS IAM service policy variable for s3?

A

These take the form s3:<name>, for example s3:prefix.

117
Q

If I want my user to access an S3 bucket in account B from account A, what must I do?

A

Use an assumed role.

118
Q

What is a resource-based policy?

A

A resource-based policy in AWS is a JSON policy attached directly to a resource, such as an S3 bucket or Lambda function. It defines who (which principals) can access the resource and what actions they can perform.
Unlike identity-based policies, they are attached to the resource itself, not a user or role.

119
Q

What is an AWS IAM permissions boundary, and how does it affect an IAM user’s permissions?

A

An IAM permissions boundary is an advanced feature that acts as a guardrail, defining the maximum permissions an IAM user or role can have. It does not grant permissions by itself, but instead limits what policies can allow.

It’s an optional policy attached to a user or role.

It intersects with the user’s or role’s identity-based policies.

The effective permissions are the intersection of what the identity-based policies allow and what the permissions boundary allows.

Example use case:
You want to allow developers to define their own IAM roles, but restrict them from granting permissions beyond a specific scope (like preventing full admin access).

120
Q

Explain the IAM Policy Generator.

A

You can have the tool create a policy based on the past 90 days of logs.

121
Q

What types of findings are reported?

A

Anything outside the zone of trust.

122
Q

What is a Zone of Trust?

A

This is equal to an AWS account or organization.

123
Q

How do you configure AWS IAM Access Analyzer for multiple regions?

A

You have to enable it in each region separately.

124
Q

What types of analysis can be performed by IAM Access Analyzer?

A

External access analysis
The analyzer scans the resources within the zone of trust.

Unused access analysis
The analyzer scans IAM users and roles within selected organizations or accounts.

125
Q

How can I find out which resources are shared externally?

A

IAM Access Analyzer

126
Q

What service do you assume a role with?

A

STS (Security token Service)

127
Q

What are the steps to assume a role?

A
  • Create an IAM role
  • Define the principals that can assume the role
128
Q

What is the difference between an IAM user and an Identity Center user in AWS?

A

🧑‍💼 IAM User

Definition: An individual identity created directly in AWS Identity and Access Management (IAM).

Where it exists: Inside your AWS account.

Use case: Best for programmatic access (CLI, SDK) or when long-lived access is needed for legacy apps.

Authentication: Username/password or access keys.

Permissions: Managed via IAM policies attached directly to the user.

Management:

    You manage passwords, MFA, and key rotation.

    Exists only in the AWS account it was created in.

👥 AWS Identity Center User (via AWS SSO)

Definition: A user identity managed via AWS IAM Identity Center (connected to AWS Directory, AD, or an external IdP like Entra ID).

Where it exists: In AWS Identity Center or federated through an external identity provider.

Use case: Best for centralized access management across multiple AWS accounts or organizations.

Authentication: Through SSO using corporate credentials (SSO/MFA supported).

Permissions: Granted via Permission Sets mapped to roles in different AWS accounts.

Management:

    Central user directory.

    Users access the AWS Management Console and CLI using SSO.

    Ideal for organizations with lots of users.
129
Q

When you assume a role using STS, how long are the creds for?

A

15 min to 12 hr

130
Q

What is an AWS IAM User?

A

An AWS IAM User is an identity created within AWS Identity and Access Management to represent a person or application. It has long-term credentials like a username, password, and access keys.
IAM users are used to access AWS services and resources based on assigned permissions.

131
Q

What is an AWS IAM Group?

A

An AWS IAM Group is a collection of IAM users managed as a single unit.
It allows you to assign the same permissions to multiple users easily.
Groups simplify permission management but cannot be nested within other groups.

132
Q

What is an AWS IAM Role?

A

An AWS IAM Role is a set of permissions that define what actions are allowed on AWS resources.
Unlike users, roles are not associated with a specific person but can be assumed by users, applications, or services.
They enable secure, temporary access to resources without needing long-term credentials.

133
Q

What service is involved when you assume an AWS IAM Role?

A

The service involved when you assume an AWS IAM Role is AWS Security Token Service (STS).
STS provides temporary security credentials for the role being assumed.
This allows trusted entities to access AWS resources securely and temporarily.

134
Q

Explain how the AWS Identity Center fits into the AWS IAM picture.

A

AWS Identity Center (formerly AWS SSO) provides centralized access management for AWS accounts and applications using a single set of credentials. It integrates with AWS IAM by assigning permissions through permission sets mapped to IAM roles. This enables fine-grained, federated access without managing IAM users directly.

135
Q

What AWS services can be configured to provide single sign-on for EC2 instances?

A

AWS IAM Identity Center (formerly AWS SSO)

Purpose: Centralized access management and SSO across AWS accounts and apps.

You can configure it with EC2 Instance Connect or Session Manager to allow users to connect to EC2 without needing SSH keys.

136
Q

In AWS using IAM-related services, how can you configure single sign-on for Office 365 using AWS services?

A
  1. Use AWS IAM Identity Center (formerly AWS SSO) to configure an identity source like Active Directory or external IdP.
  2. Create a SAML 2.0 application in IAM Identity Center for Office 365.
  3. Configure Office 365/Azure AD as the service provider and upload the AWS SAML metadata to enable federation.
137
Q

In AWS IAM what is a Session tag used for and also give a use case?

A

In AWS IAM, a session tag is a key–value pair passed during role assumption, used to pass user attributes into temporary credentials.

They help control access, track user activity, or customize permissions dynamically.

Use case: Tag sessions with department=finance to allow access only to finance-related S3 buckets via resource-based policies.

138
Q

In AWS IAM, how are Session tags used?

A

In AWS IAM, session tags are key-value pairs passed when users assume roles.

They can be used to control access with policies, track sessions, or pass user attributes.

Session tags stay active only for the session’s duration and don’t persist.

Example: you have an S3 bucket with a bucket policy with the condition {"StringEquals": {"aws:PrincipalTag/Department": "HR"}}

139
Q

In AWS IAM, what API do you use to assume a role?

A

AssumeRole

140
Q

In AWS IAM, what API do you use to assume a role with SAML?

A

AssumeRoleWithSAML

141
Q

In AWS IAM, what API do you use to assume a role with web identity?

A

AssumeRoleWithWebIdentity

142
Q

In AWS IAM, what is GetFederationToken used for?

A

GetFederationToken allows you to create a temporary IAM identity for a user without having to create an IAM user in your AWS account.
🛠️ Use Case

You use it when you want to grant temporary, limited access to AWS resources to a user authenticated outside of AWS, such as:

An employee from your internal system

A user in your organization's custom identity system
143
Q

In AWS IAM, what is GetSessionToken used for?

A

In AWS IAM, the GetSessionToken API operation is used to obtain temporary security credentials for an IAM user or AWS account root user. These credentials are generated by AWS Security Token Service (STS).
🔐 Purpose of GetSessionToken:

It allows you to get temporary credentials (Access Key ID, Secret Access Key, and Session Token) that are valid for a limited duration (from 15 minutes up to 36 hours, depending on context).
✅ Common Use Cases:

MFA (Multi-Factor Authentication):
When MFA is enabled, GetSessionToken is often used to get session credentials that prove the user authenticated with MFA.

Securing CLI/SDK sessions:
You use the temporary credentials for short-lived tasks, reducing the risk of long-term credential exposure.

Delegation or session-limited actions:
Useful when you want to execute a task with temporary, scoped access rather than long-term credentials.

🧠 How It Works:

You call GetSessionToken, optionally providing an MFA device serial and MFA token.

AWS STS returns:

    AccessKeyId

    SecretAccessKey

    SessionToken

You use these credentials to sign AWS API requests or configure tools like the AWS CLI.

144
Q

What is the successor to AWS Single Sign-On?

A

The successor to AWS Single Sign-On is AWS IAM Identity Center.

145
Q

What is the main purpose of AWS Identity Center?

A

The purpose of IAM Identity Center is to provide single sign-on across all the accounts in your organization, and also to:
- Your business applications, such as Microsoft 365 (formerly Office 365) and Salesforce.
- EC2 Windows instances (log on with your Identity Center credentials).
- Any SAML 2.0-enabled application.

146
Q

In AWS, what’s the permission set?

A

In AWS, a Permission Set is a collection of IAM policies (AWS managed or custom) that define what actions a user can perform in AWS accounts when using AWS IAM Identity Center (formerly AWS SSO).
Key Concepts:

Permission Sets are created and managed in AWS IAM Identity Center.

They are not IAM roles or policies by themselves, but rather they define the policies that are used when Identity Center provisions roles into target AWS accounts.

Users or groups in IAM Identity Center are assigned to accounts with a specific permission set, which allows them to assume roles into those accounts with the permissions defined by the set.

Example Use Case:

You might have a “ReadOnlyAccess” permission set which includes the ReadOnlyAccess AWS managed policy. You can assign this set to your team members for all production accounts so they can view resources but not modify them.
Components of a Permission Set:

Name & Description: To identify the purpose.

Permissions: A combination of:

    AWS Managed Policies (like AdministratorAccess)

    Customer Managed Policies

    Inline Policies (JSON policies you write directly)

Session Duration: How long the session lasts when the user assumes the role.

Relay State: Optional URL users are redirected to after login.

Tagging: You can add tags to permission sets for organization.

How it Works:

Create a permission set.

Assign it to one or more AWS accounts.

Assign it to one or more users or groups.

Identity Center provisions the required roles in those accounts.

Users log in via Identity Center and assume the role created from the permission set.

147
Q

In AWS, can you explain a permission boundary?

A

In AWS, a permissions boundary is an advanced feature that sets the maximum permissions that an IAM principal (like a user or role) can have — even if their IAM policies allow more.

🔒 What It Does
- It limits the effective permissions.
- Think of it like a “fence”: no matter what permissions the user’s policies grant, they can’t exceed what the boundary allows.

🧠 How It Works
- It’s an IAM policy (JSON document) attached as a permissions boundary to a user or role.
- The final permissions are the intersection of:
  - the permissions granted by the IAM policies, AND
  - the permissions allowed by the permissions boundary.

✅ Example
Say you have:
- A user with a policy that allows s3:* on all S3 buckets.
- A permissions boundary that allows only s3:GetObject.

👉 Even though the user’s policy says “do everything with S3”, they can only do GetObject, because the boundary restricts them.

🔧 When to Use
- When delegating IAM management, e.g.:
  - allowing a team to create roles but limiting what those roles can do.
- For guardrails in larger organizations, using Organizations, Service Control Policies (SCPs), and permissions boundaries together.

🧩 Quick Comparison

| Feature | Scope | Purpose |
|---|---|---|
| IAM Policy | Attached to user/role | Grants permissions |
| Permissions Boundary | Attached to user/role | Limits maximum permissions |
| SCP (Service Control Policy) | Org units/accounts | Org-wide restrictions |