AWS Identity Basics

Question 1

What’s an example of how IAM allows you to maintain records of identity?

Answer 1

The user list.

Question 2

What five elements is IAM commonly used to manage

Answer 2

• Users
• Groups
• Roles
• IAM Policies
• Authentication attributes (uids, pwds, keys, mfa, pwd policies)

Question 3

What two methods can IAM use to authenticate your identity

Answer 3

• Userid/Password presentation at the console

- Access key usage at the API level

Question 4

What two components form an IAM access key?

Answer 4

• Access key ID

- Secret access key

Question 5

Are userid/passwords and access keys considered long term or short term access credentials? What makes them so?

Answer 5

Long term access credentials. No expiration / no changes unless initiated by the user.

Question 6

What kinds of keys can an IAM user maintain for AWS CodeCommit?

Answer 6

• SSH Keys

- HTTPS Git credentials

Question 7

Users and roles are both known as what kind of identity? Why?

Answer 7

Real identities.

• Have an Amazon reference name
• Can be referenced in other areas of AWS (policies)

Question 8

IAM can enforce specific password character types. Which types can it enforce?

Answer 8

• Uppercase
• Lowercase
• Number
• Non-alphanumeric

Question 9

Can IAM enforce a minimum password length?

Answer 9

Ayep.

Question 10

What three provisions can IAM enforce around password changes?

Answer 10

• Enforced password expiration periods
• Enforced password reuse rejection
• Enforce admin requirement to reset after expiry

Question 11

Which permission policies are attached to a new IAM user?

Answer 11

None.

Question 12

Without explicit allowances, is an IAM user ALLOWed or DENYed access to services?

Answer 12

Denied. All policies have an implicit deny.

Question 13

When multiple policies conflict explicitly, does an ALLOW or a DENY override the conflict?

Answer 13

DENY. Explicit denies always ‘win’.

Question 14

IAM can allow external identities to access AWS resources. What’s the mechanism it uses to do this, and what’s this usage known as?

Answer 14

STS (security token service) - the usage is known as Federated Identities.

Question 15

What’s the limit of IAM users per account?

Answer 15

5000

Question 16

Is there any way to get around the limitation of max IAM users per account?

Answer 16

Yes - use STS and Identity Federation. Delegate the provision of identities to an external provider, and once that entity is verified you can allow it access to AWS resources.

Question 17

What three elements are ALWAYS present in an IAM policy?

Answer 17

Effect, Action, and Resource

Question 18

What does the Effect element of an IAM policy do?

Answer 18

Determines what effect the rest of the statement has - generally of the Allow or Deny flavors.

Question 19

What does the Action element of an IAM policy do?

Answer 19

Action refers to one or more API calls that the policy is meant to refer to.

Question 20

When using the Action element, what value types are appropriate?

Answer 20

• Single element
• List of specific elements
• A ‘*’ which represents all actions
• A mix of the above two (“s3:* would give blanket access to all S3 api calls).

Question 21

What does the Resource element of an IAM policy do?

Answer 21

Limits the resources for which the policy applies (by ARN).

Question 22

When using the Resource key, what value types are appropriate for use, and in what formats?

Answer 22

ARNs, in either:

• single ARNs,
• lists of multiple ARNs
• • for all possible ARNs, or
• Mixes of the above.

Question 23

What’s the typical use case for in-line IAM policies?

Answer 23

To provide one-off exceptions for users who are otherwise assigned standardized or managed policies but need something in addition to the standardized policy.

Using inline policies for all users is considered an antipattern.

Question 24

What does the Condition element of an IAM policy do?

Answer 24

Allows a policy item to be applied if a variable meets the condition’s requirements.

Question 25

What three attributes are necessary for a Condition element in an IAM policy?

Answer 25

• Condition-Operator (“StringEquals”)
• Condition-Key (“aws:username”)
• Condition-Value (“joe”)

Question 26

What does the format of a Condition in an IAM policy look like?

Answer 26

“Condition”: {“StringEquals”: {“aws:username”: “joe”}}

Question 27

There is a way for IAM to substitute the values of system variables in a Condition element. What’s the mechanism called, and what does its format look like?

Answer 27

Yes - it’s a Variable, of course. In use it looks like ${aws:username}, for example.

Question 28

What does the Principal element of an IAM policy do?

Answer 28

Limits the application of the policy only to users who match the name of the Principal involved. All users can be allowed via a * notation.

Question 29

Is the Principal element required in an Identity policy or a Resource policy?

Answer 29

A Resource policy. Principal is assumed to be the identity itself in an Identity policy.

Question 30

When is a resource policy best used?

Answer 30

When you want to control the access of many identities to a single resource.

Question 31

What four use cases are best suited for the use of an IAM Role?

Answer 31

• Letting an AWS service do something on your behalf
• When many identities need to perform a similar function
• When an application needs to interact with one or more AWS resources
• When a remote account wants to grant one or more members of multiple AWS accounts access to its resources.

Question 32

What two main components does an IAM Role consist of?

Answer 32

• Trust policy. This is checked to see if an IAM user has the ability to assume the role
• Permissions policy. As we’ve discussed prior.

Question 33

How often are trust policies evaluated for assumed roles?

Answer 33

Only when roles are assumed.

Question 34

How often are permissions policies evaluated for assumed roles?

Answer 34

Every time a service is accessed.

Question 35

What’s the IP address where EC2 instance info is always available?

Answer 35

http://169.254.169.254/

Question 36

What kind of credentials are provided when assuming a role? What mechanism issues those credentials? Are there any special limitations to those credentials?

Answer 36

Temporary credentials (including access and secret keys) are issued, using STS. These credentials have an expiration date.

Question 37

What mechanism does IAM use to revoke role assumption sessions?

Answer 37

It creates an IAM policy which issues an explicit deny effect for all resources when the aws:TokenIssueTime is less than the current time.

Question 38

AWS products and services use IAM service roles for what reason?

Answer 38

To interact with other AWS services, both within a single account and across accounts using sts-assume-role

Question 39

What functional call do you make to assume a role at the command line? What arguments are required, and what values do they represent?

Answer 39

sts-assume-role

• role-arm - the AWS ARN of the role to be assumed
• role-session-name - the name of the session

Question 40

What two cases still exist where you need to use ACLs to control access to S3 buckets?

Answer 40

• Control access to objects at the object level

- Configuring S3 access logs.

Question 41

What’s the key limitation to using ACLs to control access to S3 buckets?

Answer 41

Bucket owner has no access to objects uploaded by others (object is owned by uploader)

Question 42

What are two limitations to using bucket policies to control putObject access to S3 buckets?

Answer 42

• Uploader cannot verify upload (no permissions to view objects, only pub)
• Bucket owner has no access to objects uploaded by others (object is owned by uploader)

Question 43

Under what circumstances does it become problematic when a bucket owner does not have permissions to an object in a bucket?

Answer 43

• Cross-region replication

Question 44

What is the method used to force externally authorized bucket users via a bucket policy to only allow uploads when bucket owners also own the uploads?

Answer 44

Add an explicit deny to the action and principal with the condition that the x-amz-acl attribute does NOT equal bucket-full-owner-control

Question 45

What is the easiest way, from an admin load perspective, to ensure that objects uploaded to a bucket by a third party are owned by the bucket owner?

Answer 45

Have the third party assume a role on the destination account using sts:AssumeRole.