AWS - Module 2 - IAM Flashcards
What is IAM?
Helps you control access to AWS resources securely. You control who is authenticated (logged in) and authorized (has permissions) to use resources.
IAM Resources - Shared Access to your AWS account.
You can grant permission to others to administer and use resources in your AWS account without having to share your password or access key.
IAM Resources - Granular Permissions
You can grant different permissions to different people for different resources. For example, you can allow some users to have full access to Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), Amazon DynamoDB, Amazon Redshift, and other AWS services. For other users, you can allow read-only access to just a few S3 buckets, or permission to administer just a few EC2 instances, or to access your billing information but nothing else.
IAM Resources - Secure access to AWS resources for applications that run on Amazon EC2.
You can use IAM features to securely provide credentials to applications running on EC2 instances. These credentials grant your application permissions to access other AWS resources, such as S3 buckets and DynamoDB tables.
IAM Resources - Multi-factor authentication (MFA).
You can add multi-factor authentication to your account and individual users for extra security. With MFA, you or your users must provide not only a password or access key to work with your account, but also a code from a specially configured device.
IAM Resources - Federation of identities.
You can allow users who already have passwords elsewhere—for example, on your corporate network or at an Internet identity provider—to gain temporary access to your AWS account.
IAM Resources - Identity Information for Assurance
If you use AWS CloudTrail, you receive log records that include information about who made resource requests in your account. This information is based on IAM Identities.
IAM Resources - PCI DSS Compliance
IAM supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as compliant with the Payment Card Industry Data Security Standard (PCI DSS).
IAM - Terms - Resources
The user, group, role, policy, and identity provider objects that are stored in IAM. Just like with other AWS services, you can add, edit, and remove IAM resources.
IAM - Terms - Identities
The IAM resource objects that are used to identify and group. You can attach a policy to an IAM identity. Identities include users, groups, and roles.
IAM - Terms - Entities
The IAM resource objects that AWS uses for authentication. These include IAM users, federated users, and assumed IAM roles.
IAM - Terms - Principal
A principal is a person or application that can make a request for an action or operation on an AWS resource. The principal authenticates as the root user of the AWS account or as an IAM entity to make requests to AWS. As a best practice, do not use your root user credentials for your day-to-day work. Instead, create IAM entities (users and roles), and use programmatic access to allow an application to access your AWS account.
Request
When a principal tries to use the AWS Management Console, AWS API, or AWS CLI, it sends a request to AWS. The request includes the following information:
Actions (or operations) - The actions or operations that the principal wants to perform. This can be an action in the AWS Management Console, an operation in the AWS CLI, or an AWS API call.
Resources - The AWS resource object on which the actions or operations are performed.
Principal - The person or application that used an entity (user or role) to send the request. Information about the principal includes the policies associated with the entity used by the principal to log in.
Environment data - Information about the IP address, user agent, SSL Enabled status, or time of day.
Resource data - Data related to the resource being requested. This may include information such as a DynamoDB table name or an Amazon EC2 instance.
AWS gathers the request information into a request context, which is used to evaluate and authorize the request.
Authentication
The principal must be authenticated (signed in to AWS) using its credentials to send a request to AWS. Some services, such as Amazon S3 and AWS STS, allow a few requests from anonymous users. However, they are the exception to the rule.
Authorization
You must also have authorization (permission) to complete your request. During authorization, AWS uses values from the request context to check the policies that apply to the request. It then uses the policies to determine whether to allow or deny the request. Most policies are stored in AWS as JSON documents and specify permissions for principal entities. There are several types of policies that can affect whether a request is authorized. To give your users permissions to access AWS resources in your own account, you only need identity-based policies. Resource-based policies are popular for granting cross-account access. The other types of policies are advanced features and should be used with caution.
AWS checks each policy that applies to the context of your request. If a single permissions policy includes a denied action, AWS denies the entire request and stops evaluation. This is called an explicit deny. Because requests are denied by default, AWS authorizes your request only if every part of it is allowed by the applicable permissions policies. The evaluation logic for a request within a single account follows these general rules:
By default, all requests are denied. (In general, requests made using the AWS account’s root user credentials for resources in the account are always allowed.)
An explicit allow in any permissions policy (identity-based or resource-based) overrides this default.
The existence of an Organizations SCP, an IAM permissions boundary, or a session policy overrides the allow. If one or more of these policy types exist, all of them must allow the request. Otherwise, it is implicitly denied.
An explicit deny in any policy overrides any allow.