AWS Identity and Access Management Flashcards

1
Q

What is IAM?

A

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources.

2
Q

What can you control with IAM?

A

You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

3
Q

What does IAM make it easy to do?

A

IAM makes it easy to provide multiple users secure access to AWS resources.

4
Q

What is the IAM set-up process?

A

When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account.

This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.

5
Q

What can IAM be used to manage?

A

IAM can be used to manage:

Users.
Groups.
Access policies.
Roles.
User credentials.
User password policies.
Multi-factor authentication (MFA).
API keys for programmatic access (CLI).

6
Q

What features does IAM provide?

A

IAM provides the following features:

Shared access to your AWS account.
Granular permissions.
Secure access to AWS resources for applications that run on Amazon EC2.
Multi-factor authentication.
Identity federation.
Identity information for assurance.
PCI DSS compliance.
Integrated with many AWS services.
Eventually consistent.
Free to use.

7
Q

What are the ways that you can interact with IAM?

A

You can work with AWS Identity and Access Management in any of the following ways:

AWS Management Console.
AWS Command Line Tools.
AWS SDKs.
IAM HTTPS API.

8
Q

What access do new users have by default?

A

By default, new users are created with NO access to any AWS services – they can only log in to the AWS console.

Permission must be explicitly granted to allow a user to access an AWS service.

9
Q

What is an IAM user?

A

IAM users are individuals who have been granted access to an AWS account.

They are an entity that represents a person or service.

10
Q

What can you assign to an IAM user?

A

An IAM user can be assigned:

An access key ID and secret access key for programmatic access to the AWS API, CLI, SDK, and other development tools.
A password for access to the management console.

11
Q

What are the three components of IAM users?

A

Each IAM user has three main components:

A username.
A password.
Permissions to access various resources.

You can apply granular permissions with IAM.

12
Q

What individual security credentials can you assign to users?

A

You can assign users individual security credentials such as access keys, passwords, and multi-factor authentication devices.

13
Q

What is IAM not used for?

A

IAM is not used for application-level authentication.

14
Q

What can Identity Federation be configured to do?

A

Identity Federation (including AD, Facebook etc.) can be configured allowing secure access to resources in an AWS account without creating an IAM user account.

15
Q

Who can MFA be enabled for?

A

Multi-factor authentication (MFA) can be enabled/enforced for the AWS account and for individual users under the account.

16
Q

What does MFA use?

A

MFA uses an authentication device that continually generates random, six-digit, single-use authentication codes.

17
Q

How can you authenticate using an MFA device?

A

You can authenticate using an MFA device in the following two ways:

Through the AWS Management Console – the user is prompted for a user name, password, and authentication code.
Using the AWS API – restrictions are added to IAM policies and developers can request temporary security credentials and pass MFA parameters in their AWS STS API requests.
Using the AWS CLI by obtaining temporary security credentials from STS (aws sts get-session-token).

18
Q

What is the best practice for MFA on the root account?

A

It is a best practice to always set up multi-factor authentication on the root account.

19
Q

Is IAM universal?

A

IAM is universal (global) and does not apply to regions.

20
Q

Does IAM replicate data across the world?

A

IAM replicates data across multiple data centers around the world.

21
Q

What is the root account?

A

The “root account” is the account created when you set up the AWS account.

It has complete Admin access and is the only account that has this access by default.

It cannot be restricted.

22
Q

What is the best practice for the root account?

A

It is a best practice to avoid using the root account for anything other than billing.
Don’t use the root user credentials.
Don’t share the root user credentials.
Create an IAM user and assign administrative permissions as required.
Enable MFA.

23
Q

What access does a power user have?

A

Power user access allows all permissions except the management of groups and users in IAM.

24
Q

What do temporary security credentials consist of?

A

Temporary security credentials consist of the AWS access key ID, secret access key, and security token.

25
Q

What can IAM do with temporary security credentials?

A

IAM can assign temporary security credentials to provide users with temporary access to services/resources.

26
Q

What must you provide to sign in to AWS?

A

To sign in you must provide your account ID or account alias in addition to a user name and password.

27
Q

What is a console password?

A

Console password:

A password that the user can enter to sign in to interactive sessions such as the AWS Management Console.
You can allow users to change their own passwords.
You can allow selected IAM users to change their passwords by disabling the option for all users and using an IAM policy to grant permissions for the selected users.

28
Q

What is an access key?

A

A combination of an access key ID and a secret access key.

29
Q

How many active access keys can you assign to a user at a time?

A

You can assign two active access keys to a user at a time.

30
Q

What can access keys be used to do?

A

These can be used to make programmatic calls to AWS when using the API in program code or at a command prompt when using the AWS CLI or the AWS PowerShell tools.

31
Q

What can you do to access keys?

A

You can create, modify, view, or rotate access keys.

32
Q

What does IAM return when created?

A

When created IAM returns the access key ID and secret access key.

The secret access key is returned only at creation time; if it is lost, a new key must be created.

33
Q

Can users change their own keys?

A

Users can be given access to change their own keys through IAM policy (not from the console).

34
Q

Can user access keys be disabled?

A

You can disable a user’s access key which prevents it from being used for API calls.

35
Q

What are server certificates?

A

SSL/TLS certificates that you can use to authenticate with some AWS services.
AWS recommends that you use the AWS Certificate Manager (ACM) to provision, manage and deploy your server certificates.
Use IAM only when you must support HTTPS connections in a region that is not supported by ACM.

36
Q

What is the account root user credential?

A

The account root user credentials are the email address used to create the account and a password.

37
Q

Can IAM users represent applications?

A

IAM users can be created to represent applications, and these are known as “service accounts”.

38
Q

How many IAM users can an AWS account have?

A

You can have up to 5000 users per AWS account.

39
Q

How is a user account identified?

A

Each user account has a friendly name and an ARN which uniquely identifies the user across AWS.
A unique ID is also created which is returned only when you create the user using the API, Tools for Windows PowerShell, or the AWS CLI.

40
Q

Can an access key ID and secret access key be used to log in to the AWS console?

A

The Access Key ID and Secret Access Key are not the same as a password and cannot be used to log in to the AWS console.

The Access Key ID and Secret Access Key can only be used once and must be regenerated if lost.

41
Q

What password policy does IAM have?

A

A password policy can be defined for enforcing password length, complexity etc. (applies to all users).

You can allow or disallow the ability to change passwords using an IAM policy.

Access keys and passwords should be changed regularly.

42
Q

What is a group in IAM?

A

Groups are collections of users and have policies attached to them.

43
Q

What is an IAM group not?

A

A group is not an identity and cannot be identified as a principal in an IAM policy.

44
Q

What can you use groups for?

A

Use groups to assign permissions to users.

45
Q

What is the best practice when assigning permissions for groups?

A

Use the principle of least privilege when assigning permissions.

46
Q

What is the constraint of groups?

A

You cannot nest groups (groups within groups).

47
Q

What is a role in IAM?

A

Roles are created and then “assumed” by trusted entities and define a set of permissions for making AWS service requests.

48
Q

What can you do with IAM roles?

A

With IAM Roles you can delegate permissions to resources for users and services without using permanent credentials (e.g. user name and password).

49
Q

How do IAM users or services obtain permissions to make AWS calls?

A

IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls.

50
Q

Are there credentials associated with a role?

A

There are no credentials associated with a role (password or access keys).

51
Q

Who can a role be assigned to?

A

A role can be assigned to a federated user who signs in using an external identity provider.

52
Q

What do IAM roles most commonly use?

A

Temporary credentials are primarily used with IAM roles and automatically expire.

53
Q

How can you assume a role?

A

Roles can be assumed temporarily through the console or programmatically with the AWS CLI, Tools for Windows PowerShell, or the API.

54
Q

How do IAM roles work with EC2 instances?

A

IAM roles can be used to grant applications running on EC2 instances permissions to make AWS API requests, using instance profiles.

55
Q

How many roles can be assigned to an EC2 instance at any time?

A

Only one role can be assigned to an EC2 instance at a time.

56
Q

When can an IAM role be assigned to an EC2 instance?

A

A role can be assigned at the EC2 instance creation time or at any time afterwards.

57
Q

When must instance profiles be created manually?

A

When using the AWS CLI or API, instance profiles must be created manually (it’s automatic and transparent through the console).

58
Q

How does an application get its security credentials?

A

Applications retrieve temporary security credentials from the instance metadata.

59
Q

What are the rules for Role Delegation?

A

Role Delegation:

Create an IAM role with two policies:
Permissions policy – grants the user of the role the required permissions on a resource.
Trust policy – specifies the trusted accounts that are allowed to assume the role.
Wildcards (*) cannot be specified as a principal.
A permissions policy must also be attached to the user in the trusted account.

60
Q

What are IAM Policies?

A

Policies are documents that define permissions and can be applied to users, groups, and roles.

61
Q

What language are IAM policies written in?

A

Policy documents are written in JSON (key-value pairs, each consisting of an attribute and a value).

62
Q

What is the default permission for IAM policies?

A

All permissions are implicitly denied by default.

The most restrictive policy is applied.

63
Q

What is the use of IAM policy simulator?

A

The IAM policy simulator is a tool to help you understand, test, and validate the effects of access control policies.

64
Q

What is the AWS Security Token Service (STS)?

A

The AWS STS is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users).

65
Q

What is the difference between temporary security credentials and long-term access key credentials?

A

Temporary security credentials are short-term.

They can be configured to last anywhere from a few minutes to several hours.

After the credentials expire, AWS no longer recognizes them or allows any kind of access to API requests made with them.

Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested.

When (or even before) the temporary security credentials expire, the user can request new credentials, if the user requesting them still has permission to do so.

66
Q

What are the advantages of AWS STS?

A

You do not have to distribute or embed long-term AWS security credentials with an application.

You can provide access to your AWS resources to users without having to define an AWS identity for them (temporary security credentials are the basis for IAM Roles and ID Federation).

The temporary security credentials have a limited lifetime, so you do not have to rotate them or explicitly revoke them when they’re no longer needed.

After temporary security credentials expire, they cannot be reused (you can specify how long the credentials are valid for, up to a maximum limit).

67
Q

Where do users come from?

A

Federation (typically AD):
Uses SAML 2.0.
Grants temporary access based on the user's AD credentials.
Does not need to be a user in IAM.
Single sign-on allows users to log in to the AWS console without assigning IAM credentials.

Federation with Mobile Apps:
Use Facebook/Amazon/Google or other OpenID providers to log in.

Cross Account Access:
Allows users from one AWS account to access resources in another.
To make a request in a different account the resource in that account must have an attached resource-based policy with the permissions you need.
Or you must assume a role (identity-based policy) within that account with the permissions you need.

68
Q

IAM Best Practices Summary

A

Lock away the AWS root user access keys.

Create individual IAM users.

Use AWS defined policies to assign permissions whenever possible.

Use groups to assign permissions to IAM users.

Grant least privilege.

Use access levels to review IAM permissions.

Configure a strong password policy for users.

Enable MFA.

Use roles for applications that run on AWS EC2 instances.

Delegate by using roles instead of sharing credentials.

Rotate credentials regularly.

Remove unnecessary credentials.

Use policy conditions for extra security.

Monitor activity in your AWS account.