AWS Identity and Access Management (IAM) | Permissions Flashcards
How do I delete a service-linked role?
Permissions
AWS Identity and Access Management (IAM) | Security, Identity & Compliance
You can delete a service-linked role from the IAM console. Choose Roles in the navigation pane, choose the service-linked role that you want to delete, and choose Delete role. (Note: For Amazon Lex, you must use the Amazon Lex console to delete the service-linked role.)
How do permissions work?
Access control policies are attached to users, groups, and roles to assign permissions to AWS resources. By default, IAM users, groups, and roles have no permissions; users with sufficient permissions must use a policy to grant the desired permissions.
How do I assign permissions using a policy?
To set permissions, you can create and attach policies using the AWS Management Console, the IAM API, or the AWS CLI. Users who have been granted the necessary permissions can create policies and assign them to IAM users, groups, and roles.
What are managed policies?
Managed policies are IAM resources that express permissions using the IAM policy language. You can create, edit, and manage them separately from the IAM users, groups, and roles to which they are attached. After you attach a managed policy to multiple IAM users, groups, or roles, you can update that policy in one place and the change automatically applies to all attached entities. Managed policies are managed either by you (customer managed policies) or by AWS (AWS managed policies). For more information about managed policies, see Managed Policies and Inline Policies.
How do I create a customer managed policy?
You can use the visual editor or the JSON editor in the IAM console. The visual editor is a point-and-click editor that guides you through the process of granting permissions in a policy without requiring you to write the policy in JSON. You can create policies in JSON by using the CLI and SDK.
How do I assign commonly used permissions?
AWS provides a set of commonly used permissions that you can attach to IAM users, groups, and roles in your account. These are called AWS managed policies. One example is read-only access for Amazon S3. When AWS updates these policies, the permissions are applied automatically to the users, groups, and roles to which the policy is attached. AWS managed policies automatically appear in the Policies section of the IAM console. When you assign permissions, you can use an AWS managed policy or you can create your own customer managed policy. Create a new policy based on an existing AWS managed policy, or define your own.
How do group-based permissions work?
Use IAM groups to assign the same set of permissions to multiple IAM users. A user can also have individual permissions assigned to them. The two ways to attach permissions to users work together to set overall permissions.
What is the difference between assigning permissions using IAM groups and assigning permissions using managed policies?
Use IAM groups to collect IAM users and define common permissions for those users. Use managed policies to share permissions across IAM users, groups, and roles. For example, if you want a group of users to be able to launch an Amazon EC2 instance, and you also want the role on that instance to have the same permissions as the users in the group, you can create a managed policy and assign it to the group of users and the role on the Amazon EC2 instance.
How are IAM policies evaluated in conjunction with Amazon S3, Amazon SQS, Amazon SNS, and AWS KMS resource-based policies?
IAM policies are evaluated together with the service's resource-based policies. When any policy of either type grants access and no policy explicitly denies it, the action is allowed. For more information about the policy evaluation logic, see IAM Policy Evaluation Logic.
Can I use a managed policy as a resource-based policy?
Managed policies can only be attached to IAM users, groups, or roles. You cannot use them as resource-based policies.
How do I set granular permissions using policies?
Using policies, you can specify several layers of permission granularity. First, you can define specific AWS service actions you wish to allow or explicitly deny access to. Second, depending on the action, you can define specific AWS resources the actions can be performed on. Third, you can define conditions to specify when the policy is in effect (for example, if MFA is enabled or not).
How can I easily remove unnecessary permissions?
To help you determine which permissions are needed, the IAM console displays service last accessed data, which shows the hour when an IAM entity (a user, group, or role) last accessed an AWS service. Knowing whether and when an IAM entity last exercised a permission helps you remove unnecessary permissions and tighten your IAM policies with less effort.
Can I grant permissions to access or change account-level information (for example, payment instrument, contact email address, and billing history)?
Yes, you can delegate the ability for an IAM user or a federated user to view AWS billing data and modify AWS account information. For more information about controlling access to your billing information, see Controlling Access.
Who can create and manage access keys in an AWS account?
Only the AWS account owner can manage the access keys for the root account. The account owner and IAM users or roles that have been granted the necessary permissions can manage access keys for IAM users.
Can I grant permissions to access AWS resources owned by another AWS account?
Yes. Using IAM roles, IAM users and federated users can access resources in another AWS account via the AWS Management Console, the AWS CLI, or the APIs. See Manage IAM Roles for more information.