AWS IAM Flashcards
What are the main logical components of AWS IAM?
Users, Groups, Roles, Permission Policies
Can a user assume a role in another account?
Yes, a user can assume a role in another account by calling assume-role using the CLI or by using the Web console switch role function. With the CLI, assume-role requires a --role-arn and a --role-session-name.
How can I enable a user from another account access to a resource in my account?
We will create a cross-account role that the other account's user will assume. The other account's user will need a policy stating they can assume this role; for this you will need the role's ARN.
With an AWS IAM role can I have credentials for 30 days?
No, the access keys expire after 15min to 12hrs depending on your configuration.
I have an application running on an EC2 instance. The EC2 instance has been given a role that enables access to S3; where can I get these access keys from?
You can get the keys from the metadata service 169.254.169.254.
I have a user in AWS account A and want to give this user access to AWS account B, how can I do this?
Create a cross-account role in account B and use switch role from the user's account.
I want to use a Web Identity Provider with my mobile application to access DynamoDB, how would this work?
- Mobile app signs into the IdP
- IdP gives the mobile app a token
- Mobile app calls AssumeRoleWithWebIdentity on STS
- STS validates the token with the IdP
- STS checks the policy with AWS IAM
- STS returns security creds (temp access key and secret key) to the mobile app
What are the creds returned by STS?
Access key and secret key
From an IAM perspective, what should I do with the root user first thing after setting up a new account?
- Remove the access key.
- Set an extremely secure password on the root user.
- Do not use the root password; use it only in emergencies.
- Enable MFA and lock away the security key.
From an IAM perspective is it better to assign permissions to individuals or groups?
Groups, they are easier to manage than individuals.
When assigning access to users, should I assign all access to all services to make it easy to manage and save time?
NO, you should implement least privilege and only assign the levels of access required for the person to do their job.
As IAM best practice what should I do for passwords?
Implement a password policy for rotation and strength, reuse, etc.
When an application on an EC2 instance wants access to services in AWS, what is best practice?
Implement a role and assign it to the EC2 instance, granting only the services and actions required by the application.
If I have two accounts, do I share security creds between accounts?
No, you set up a role in the other account and enable the user to assume the role.
For an AWS account, what are the 3 domains?
- Authentication (IAM)
- Billing
- Authorisation (Permissions)
How can we restrict the blast radius in AWS?
You can use an AWS account; the account is the boundary for billing, user authentication and authorisation.
What are the two ways a user can authenticate themselves with AWS IAM?
- User name & Password
- Access key & Secret key
How is a user given access to resources?
A user is given access through the assignment of policies, either directly to the user or to the group the user is in.
What are the main parts of a user policy?
- Effect: This is allow or deny
- Action: "s3:ListBucket", Resource: "arn:aws:s3:::example_bucket"
- Condition
For a user based policy, what is its main purpose?
To allow or deny user access to a resource.
For a resource-based policy, what is the main purpose?
To allow or deny one or more users access to the resource.
What are the main elements of a resource-based policy?
- Effect: This is allow or deny
- Action: "s3:ListBucket", Resource: "arn:aws:s3:::example_bucket"
- Principal: {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]}
- Condition
What is an AWS group?
It is an admin construct to group users into a single pool.
What is an inline policy?
It is a policy that is directly attached to a user or a group.
Can you log in as a group?
No, a group is a logical construct.
When you create a user in AWS, do they have any rights by default?
No
There is a DENY in a user policy, but there is also an ALLOW for the resource; what is the outcome?
Deny
What is the limit of the number of users per AWS account?
5K, but using federation you can get around this.
Using a user policy, how would you enable access to an S3 resource?
"Effect": "Allow"
"Action": "s3:*"
"Resource": "*"
How are policies evaluated when you access a resource?
All policies are gathered together and evaluated as a group; this includes user and resource policies. If there is a DENY in the policies, then you will be denied access; if there is no allow in the policies, you will be denied access.
Can a user have multiple policies attached?
Yes.
Can you have multiple statements in an access policy?
Yes
If I have a policy with two statements that allow S3 access for all APIs, will I be able to access EC2? And why?
No, as there is an implicit deny.
What are managed policies?
They are the policies provided by AWS and maintained by AWS.
What is a customer managed policy?
They are policies you create.
What is a condition on a policy statement?
It means the statement applies only when the condition matches.
What are policy variables?
They are AWS variables that are available when creating policy documents.
I only want a bucket available between 1pm and 4pm daily, how can I achieve this?
You can set a condition in the policy.
Can I log into a role?
No, a role can be assumed by the users.
Can an Ec2 instance assume a role?
Yes, this way the EC2 instance can use the assumed role to access something like S3.
I want a Lambda function to access an S3 bucket, do I need a user?
No. You need a role with a policy granting permission to access the S3 bucket. The role will also need a trust policy that allows Lambda to assume it.
A role has two main parts, what are they?
- Trust relationship, a policy.
- Permissions, a policy
What is the role trust policy (relationship)?
The trust relationship is a policy that you can use to enable accounts or services to assume a role.
What are the 4 trust relationship types for a role?
- AWS Service (the service assumes a role)
- Account (a 3rd party can assume a role)
- Web identity
- SAML
When you assume a role what are you doing?
You are getting back a key id, access key and security token from the STS server.
For an EC2 instance with a role, where does the EC2 instance get the access keys, etc from?
When the EC2 instance assumes the assigned role, it gets an access key, etc from the STS server and this is stored in the metadata server. The reason EC2 can assume the role is because the role has a trust relationship policy set up to allow the EC2 service to assume the role.
Where in the metadata server are the security credentials for an EC2 instance stored?
http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
What service is used to give temporary credentials?
STS.
When creating cross-account access where you allow a user to assume a role, what do you need to set up?
In the account to be assumed, you set up a role with a trust policy to allow the other account to assume the role; you also set up permissions for the role. In the account you will assume the role from, you set up a policy and assign it to users to enable the users to assume the role.
Can you revoke temporary sessions (STS)?
No, they will only invalidate when they expire, but you can use the revoke sessions tab to add a policy that denies any session created before a date/time.
I want to assume a role from another account when using the CLI, how is this possible?
- Use the CLI to assume a role in the other account
- You receive back an access key, secret key and session key
- Store them in environment variables
I have two buckets, one in account A and one in account B, how can I copy an object between the buckets?
You can set up a bucket policy to allow the remote account access to the bucket.
If, using a bucket policy, I grant a remote account access to upload to a bucket, what is a potential issue with the objects?
The owner of the objects is the remote account and the local account's users will not have access to the objects.
Can you have two or more master accounts?
No, you can only have a single account.
What does AssumeRoleWithWebIdentity do?
Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider
What does AssumeRoleWithSAML do?
Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.
When you use AssumeRoleWithWebIdentity, what are the steps involved?
- You log in to your identity provider, like Google.
- You receive a bearer token after the login
- You call AWS with the bearer token and STS generates an access key, secret key and session key and returns them to you.
- You can then use these access keys, etc to make calls to AWS.
I need to use Google as an identity provider to allow my users to access the AWS console, how is this possible?
It is not, WebIdentity cannot be used to access the web console, you can only use it to access the API.
I am using SAML for web identity, I have logged in to AWS using SAML, I want to access the API, what do I need to do?
Call AssumeRoleWithSAML, this will give you a new Access key, etc and you can use to access AWS resources.
What are the types of policies used in AWS?
- Organization policies - Service control policies (SCP)
- Identity policies
- Resource policies
- Endpoint policies
- Security token
- Permission boundary
If I enable services with service control policies, have i given permission to the services?
No, you have just enabled the use of these services; a user or role still has to have permission through a resource or identity policy.
What will a service control policy with no allows in it do?
It will deny access to every resource in every account it is attached to.
If I have an allow for S3 in the service control policy, an allow for EC2 in the permission boundary and an allow for CodeCommit in the permission policy for user X, what can user X access?
Nothing as there is no overlap between the policies.
I want to stop developers from turning off CloudTrail, creating IAM users or setting up AWS Directory Service across my accounts, how can I do this?
You can use a service control policy.
I want to ensure users can only create resources in approved regions, how can I do this?
Use service control policies. For this policy we list the actions we want to allow and attach a condition with StringEquals on aws:RequestedRegion.
What is a permission boundary?
Enables you to set the max permissions that an identity-policy can grant.
What is a permission boundary attached to?
A user or a role.
I have two accounts (A + B), I want to give permissions to the user Keith so they can only manage users in an account, how can I do this?
Use permissions boundary.
What is Deny->Allow->Deny?
If there is no explicit deny, then an allow takes effect; if there is no allow, then the default deny takes effect.
What is the flow of how policies are evaluated?
- Org boundary
- User & Role Boundary
- User & Role Policies
- Role policies
- Permission
What is an instance profile?
An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
What happens when I call the AssumeRole?
You get back 3 elements: a session key, an access key and a secret key. You can use these to then make further API calls to AWS under the account the role belongs to.
What are session policies used for?
Session policies are used to restrict the permissions that you get when you assume a role using AssumeRole, AssumeRoleWithSAML and AssumeRoleWithWebIdentity.
What is the STS service?
It is a service that, when called, returns a temporary security token.
What is a trust relationship in the context of AWS IAM?
It is part of a role and is used to create a trust relationship between the role and another account, this account can assume the role.
What API call is used when assuming an OAuth/web-based identity?
AssumeRoleWithWebIdentity
I have a federated account, explain how I can make a call to get table information from DynamoDB?
You can assume a role using the AssumeRole API; as there is a trust relationship between the role and the calling account, STS will return temp credentials, and these creds can be used when calling the DynamoDB table.
What are the 3 types of the federation and the API used?
- AssumeRole: Used between AWS accounts
- AssumeRoleWithWebIdentity: Used with federated web-based identity like OAuth
- AssumeRoleWithSAML: Used between AWS and AD.
When I am using Google-based federated identity with AWS IAM, what type of access and API am I using?
You are using web-based federation and will be using the AssumeRoleWithWebIdentity.
I have 20K users with Google accounts and I want them to be able to call the DynamoDB API, what is my best option?
You can use web-based federation and AssumeRoleWithWebIdentity, and then use the returned creds to make calls to the DynamoDB Table API.
What is an IAM Permission Boundary?
It enables you to restrict what services a user can access. For example, you can allow access to S3 and even if the user has IAM permissions to EC2 they will not get access to EC2 as the IAM boundary will not allow it.
What is the difference between an IAM boundary and a service control policy?
The service control policy is applied at the org and account level to allow or deny access to services. The IAM boundary is applied at the IAM user and role level.
I want to restrict the use of all services in an account except for S3, can I use an IAM boundary policy?
You cannot use an IAM boundary policy as it only operates at the user and role level. Use a service control policy.
How are all IAM related policies (Service control, boundary etc) applied?
All related policies are collected and evaluated in one go; if there is a deny then that service is denied, and if there is an allow then, provided the user policy also enables the allow, access is granted.
When evaluating IAM-based policies, if there is no explicit deny or allow, what is the access?
Deny
What order are policies evaluated in?
- Org Boundaries (Service control policies)
- User Role Boundaries
- Role Policies
- Identity and Resource Policies
What is the role policy?
The role policy is attached to a role and enables deny -> Allow -> Deny. You can use it to restrict what services a person or system can access when assuming a role.
When assuming a role how can I restrict the role to a set of services?
You can use role policies, role boundaries or service control policies.
To set up SAML, what are the steps?
Set up:
- AWS identity provider
- Roles
- Relying party
Is IAM a regional or global product?
It is a global product.
I have account 111111111 as part of many organization accounts and account 22222222 that is outside the organization. I have a service control policy in 111111111 that blocks access to the S3 service; can account 22222222 access S3 if the correct S3 resource policy is set up to allow account 22222222 access?
Yes because service control policies do not apply outside the account.
What are policies attached to?
- Users
- User groups
- Roles
When a policy is attached to a user, user group or a role, what is it known as?
- Identity policy
What are the types of policies you can have?
- Identity-based policies
- Resource-based policies,
- Permissions boundaries,
- Organizations SCPs,
- ACLs
- Session policies.
What is an identity-based policy?
It is a policy attached to identities like a user, user group or role. It is evaluated to allow or not allow access by identity.
What is a resource-based policy?
It is a policy evaluated when a resource is accessed, it will allow or deny access to the resource.
What is a service control policy?
Use an AWS Organizations service control policy (SCP) to define the maximum permissions for account members of an organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.
What is an ACL?
Use ACLs to control which principals in other accounts can access the resource to which the ACL is attached. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure. ACLs are cross-account permissions policies that grant permissions to the specified principal entity. ACLs cannot grant permissions to entities within the same account.
What are permissions boundaries?
Use a managed policy as the permissions boundary for an IAM entity (user or role). That policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity.
What are the elements in the JSON IAM policy?
{ "Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::*", "Condition": { "StringEquals": { "ec2:ResourceTag/Owner": "keith" } } }
What is the effect in an IAM policy?
The effect is whether to 'Allow' or 'Deny' based on the policy.
What is the action in an IAM policy?
This is the list of API calls allowed. For example, s3:* means all S3 calls and * means all APIs in AWS.
What is OrganizationAccountAccessRole used for?
You can use the role as part of the switch role functionality to switch to the org account.
Do service control policies apply to the root account?
No
I am creating cross-account access, what are the steps to create this?
- Create a cross-account role in the account you are switching to, with a trust relationship to the account you are coming from.
- Add a policy to the user in the account you are coming from that allows them to assume the role; this will be a policy like
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::11111111111:role/RoleName"
}
What identity providers does AWS IAM support?
- OpenID
- SAML
What are the elements of a SAML based role?
Permission policies
Trust relationship