AWS Security Identity and compliance Flashcards

1
Q

What does IAM stand for?

A

Identity and Access Management

2
Q

What is IAM purpose?

A

To manage:

  • users
  • groups
  • access policies
  • roles
  • user credentials
  • user password policies
  • multi-factor authentication (MFA)
  • access keys (access key ID + secret access key) for programmatic access (CLI, SDKs, API)
3
Q

What kind of access do users have by default to AWS services at first?

A

By default, a new IAM user has NO permissions on any AWS service: every request is implicitly denied until a policy grants access.

4
Q

Who are IAM users?

A

An IAM user is an identity in your AWS account that represents a person or an application and carries long-term credentials (a console password and/or access keys).

5
Q

What are the components of an IAM user?

A

The components of an IAM user are:

  • a username (friendly name) and the user's ARN
  • credentials: a console password and/or up to two access keys (access key ID + secret access key) for programmatic access
  • permissions to access different resources, granted by the policies attached to the user or to its groups
6
Q

What is identity federation used for

A

Identity federation lets users who already have an identity elsewhere (a corporate directory, a SAML or OIDC identity provider, a web identity such as a social login) access resources in your AWS account with temporary credentials, without creating an IAM user for each of them.

7
Q

What is MFA?

A

MFA (Multi-Factor Authentication) adds a second factor to the password or access key: a virtual or hardware MFA device generates time-based, six-digit, single-use codes (a fresh code every 30 seconds), and the sign-in only succeeds if the current code is presented as well. FIDO security keys are also supported as an MFA device.

8
Q

Is IAM specific to a given region?

A

IAM is global: users, groups, roles and policies are not tied to a region and apply across all regions (the region field of an IAM ARN is blank).

9
Q

What should the root account be used for?

A

It is a best practice not to use the root account for day-to-day work, only for the few tasks that require it (such as changing account settings or some billing tasks). Protect it with MFA, do not create access keys for it, and use IAM users or roles for everything else.

10
Q

What is a root account?

A

The “root account” is the identity created when you set up the AWS account (the e-mail address and password you registered with). It has complete administrative access and is the only identity that has this access by default; its permissions cannot be restricted by IAM policies.

11
Q

What is a principal?

A

A principal is an entity that can take an action on an AWS resource.

IAM users, roles, federated users, and applications are all AWS principals.

12
Q

What do requests contain?

A

Requests contain:

  • actions (or operations) that the principal wants to perform
  • resources upon which the actions are performed
  • principal information, including the environment the request was made from (source IP address, user agent, whether SSL/TLS was used, whether MFA was present, etc.), which policy conditions can test
13
Q

What condition should a principal satisfy to send a request?

A

In order to send a request a principal must first be authenticated (signed in), except in the few cases where a resource-based policy explicitly allows anonymous access, such as a public S3 bucket.

14
Q

How can a principal get authenticated?

A
  • Via the console with a username and password (plus an MFA code if MFA is enabled on the user).
  • Via the API or CLI with an access key ID and secret access key, which are used to sign each request.
  • Roles and federated users authenticate with temporary credentials obtained from STS: an access key ID, a secret access key and a session token.
15
Q

How is authorization implemented in AWS IAM?

A

By means of IAM policies, which are stored in IAM as JSON documents and specify which actions on which resources are allowed or denied, optionally under what conditions.

16
Q

How are requests evaluated?

A

IAM gathers every policy that applies to the request (identity-based and resource-based policies, and where present permissions boundaries, service control policies and session policies) and evaluates them together:

  • By default every request is denied (implicit deny).
  • If any applicable policy contains a matching Deny statement, the request is denied and evaluation stops (explicit deny always wins over any Allow).
  • Otherwise, if at least one applicable policy contains a matching Allow statement, the request is allowed.
  • If nothing matches, the implicit deny stands.

17
Q

What are actions?

A

Actions are the operations that can be performed on resources, such as creating, viewing, editing or deleting them (e.g. s3:GetObject, ec2:RunInstances).

18
Q

What happens to an action on a resource if it is not explicitly allowed?

A

An action on a resource that is not explicitly allowed gets denied.

19
Q

How does a principal get allowed to perform an action?

A

In order for a principal to perform an action on a resource you must include the necessary actions in a policy that applies to the principal (an identity-based policy) or to the affected resource (a resource-based policy).

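Added example (not the page's or AWS's own code) of the evaluation logic in cards 16, 18 and 19, written as a small Python evaluator over constructed policy documents: every applicable policy is checked, an explicit Deny wins over any Allow, and with no matching Allow the implicit deny stands. It models only the `Bool` condition operator and treats identity-based and resource-based policies as one pool, which is correct for same-account requests; the bucket name, account ID, user ARN and policy contents are constructed for the example.

```python
import json
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Constructed account and bucket (not from the page).
ACCOUNT = "123456789012"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/alice"

# Policies that apply to alice: one attached to her user, one inherited from
# a group that denies a sensitive prefix, and one gated on MFA.
POLICIES: List[dict] = [
    json.loads("""{
      "Version": "2012-10-17",
      "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
      ]}"""),
    json.loads("""{
      "Version": "2012-10-17",
      "Statement": [
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/secrets/*"}
      ]}"""),
    json.loads("""{
      "Version": "2012-10-17",
      "Statement": [
        {"Effect": "Allow", "Action": "iam:ChangePassword",
         "Resource": "arn:aws:iam::123456789012:user/alice",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
      ]}"""),
]


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: Optional[dict], context: Dict[str, str]) -> bool:
    """Only the Bool operator is modelled; IAM has many more (StringEquals,
    IpAddress, ArnLike, ...). A key missing from the request context counts
    as false, which is how aws:MultiFactorAuthPresent behaves."""
    for operator, clauses in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in clauses.items():
            if str(context.get(key, "false")).lower() != str(expected).lower():
                return False
    return True


def _statement_matches(stmt: dict, action: str, resource: str, context: Dict[str, str]) -> bool:
    # Action names are case-insensitive and may contain * and ? wildcards;
    # resource ARNs are matched with the same wildcards.
    action_ok = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action")))
    resource_ok = any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource")))
    return action_ok and resource_ok and _condition_holds(stmt.get("Condition"), context)


def evaluate(policies: List[dict], action: str, resource: str,
             context: Optional[Dict[str, str]] = None) -> str:
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request.

    1. Start from the default: implicit deny.
    2. Walk every statement of every applicable policy; a matching Deny ends
       evaluation immediately (explicit deny always wins).
    3. Otherwise a matching Allow turns the result into allow.
    """
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not _statement_matches(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"


if __name__ == "__main__":
    for action, resource, ctx in [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/reports/q1.csv", {}),
        ("s3:GetObject", "arn:aws:s3:::example-bucket/secrets/key.pem", {}),
        ("s3:PutObject", "arn:aws:s3:::example-bucket/reports/q1.csv", {}),
        ("iam:ChangePassword", USER_ARN, {"aws:MultiFactorAuthPresent": "true"}),
    ]:
        print(f"{action:20} {resource:48} -> {evaluate(POLICIES, action, resource, ctx)}")
```

Note what the Deny on `example-bucket/secrets/*` buys you: the group-level Allow on `example-bucket/*` can be as broad as it likes, but no later Allow, in any policy, can override that Deny. That is why least-privilege guard rails are written as explicit denies rather than as carefully narrowed allows.
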
20
Q

What is a resource?

A

A resource is an entity that exists within a service.

E.g.: EC2 instances, S3 buckets, IAM users, and DynamoDB tables.

21
Q

What are groups?

A

Groups are collections of users and have policies attached to them.

Use groups to assign permissions to users. Apply the principle of least privilege when assigning permissions.

You cannot nest groups (groups within groups).

22
Q

What is a role?

A

A role is a set of permissions that grant access to actions and resources in AWS. These permissions are attached to the role, not to an IAM user or group.

23
Q

What are roles used for?

A

IAM roles are used to delegate access to users, applications, or services that do not normally have access to your AWS resources. For example:

  • users in your AWS account can temporarily get access to resources they normally cannot reach.
  • users in one AWS account can access resources in another account.
  • a mobile or web app needs to use some AWS resources, but you do not want to embed AWS keys in the app.
  • users who have identities defined outside of AWS, such as in your corporate directory.
  • third parties, so that they can perform an audit on your resources.
24
Q

What are policies?

A

Policies are entities that define permissions and can be applied to principals (users, groups and roles) or to resources (S3 Bucket, etc.) in order to determine if a request should be allowed or denied.

Policies are stored in AWS as JSON documents.

25
Q

What is STS (Security Token Service)?

A

The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users). Temporary credentials consist of an access key ID, a secret access key and a session token, and expire after a configurable duration.

26
Q

What is an ARN and what is it made of?

A

ARN (Amazon Resource Name) is the format used to identify resources unambiguously, and it is required by the permission policy language. It has one of three shapes:

arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id

  • partition: the partition the resource is in. For standard AWS regions the partition is aws; other partitions are named aws-partitionname, e.g. aws-cn for the China regions and aws-us-gov for AWS GovCloud (US).
  • service: the AWS product namespace, e.g. s3, ec2, iam.
  • region: the region the resource is in. It is blank for global services such as IAM.
  • account-id: the 12-digit AWS account ID without hyphens. Some resources omit it (an S3 bucket ARN has a blank account field).
  • resource: the resource identifier, optionally prefixed with a resource type separated by / or :, e.g. user/alice or instance/i-1234567890abcdef0.
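Added example (not from the page) that parses the ARN format above into its components, covering the three documented resource shapes (resource-id, resource-type/resource-id, resource-type:resource-id), the blank region of global services such as IAM, and the blank account field of S3 ARNs. The sample ARNs use constructed account IDs; the S3 special case reflects that an S3 ARN's resource part is bucket-name or bucket-name/key with no type prefix.

```python
from dataclasses import dataclass
from typing import Optional

KNOWN_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str                    # "" for global services such as IAM
    account: str                   # 12-digit ID; "" where the service omits it (S3)
    resource: str                  # everything after the fifth colon, unchanged
    resource_type: Optional[str]   # "user", "instance", "log-group", ... or None
    resource_id: str

    @property
    def is_global(self) -> bool:
        return self.region == ""

    def __str__(self) -> str:
        return f"arn:{self.partition}:{self.service}:{self.region}:{self.account}:{self.resource}"


def parse_arn(text: str) -> Arn:
    """Split an ARN into its six colon-separated fields, validate the fixed
    fields, then split the resource field into type and id."""
    parts = text.split(":", 5)       # the resource part may itself contain colons
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    _, partition, service, region, account, resource = parts
    if partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r} in {text!r}")
    if not service or not resource:
        raise ValueError(f"service and resource are required: {text!r}")
    if account and not (account.isdigit() and len(account) == 12):
        raise ValueError(f"account must be a 12-digit ID without hyphens: {account!r}")

    resource_type: Optional[str] = None
    resource_id = resource
    if service == "s3":
        pass                          # S3: bucket-name or bucket-name/key, no type prefix
    elif ":" in resource:             # resource-type:resource-id (e.g. logs, lambda)
        resource_type, resource_id = resource.split(":", 1)
    elif "/" in resource:             # resource-type/resource-id (e.g. iam, ec2)
        resource_type, resource_id = resource.split("/", 1)
    return Arn(partition, service, region, account, resource, resource_type, resource_id)


if __name__ == "__main__":
    for sample in ("arn:aws:iam::123456789012:user/alice",
                   "arn:aws-cn:ec2:cn-north-1:123456789012:instance/i-0abc123",
                   "arn:aws:s3:::example-bucket/reports/q1.csv",
                   "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/fn"):
        print(parse_arn(sample))
```

Parsing ARNs this way is what you need when auditing policies: a `Resource` of `arn:aws:iam::123456789012:user/*` and one of `arn:aws:iam::123456789012:*` look similar but the second also covers roles, groups and policies, which only becomes obvious once the type prefix is separated out.
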
27
Q

Is it possible to rename a user?

A

Yes, via CLI or API but not via console.

28
Q

What are identity based policies?

A

They are policies attached to an identity, such as an IAM user, group or role. The identity they are attached to is the implicit principal, so they contain no Principal element.

29
Q

What is the difference between managed policies and inline policies regarding identity based policies?

A

Managed policies are standalone, identity-based policies that you can attach to multiple users, groups and roles in an AWS account.

The managed policies created and maintained by AWS are called AWS managed policies.

The policies created and maintained by AWS customers are the customer managed policies. Customer managed policies give you more control over your permissions than AWS managed policies.

Inline policies are policies that you create and manage and that are embedded in a single user, group or role; they are deleted together with that identity.

30
Q

What are resource based policies?

A

Resource-based policies are policies that are attached to a resource such as an S3 bucket.

These policies specify what actions a specified principal can perform on that resource and under what conditions.

These are inline policies and there are no managed resource-based policies.

31
Q

What is the template of an IAM policy?

A
  • Version: the policy language version (not a date of issue); always use "2012-10-17", the latest version, which is required for features such as policy variables.
  • Statement: one or more statements, each containing the elements below.
  • Effect: Allow or Deny.
  • Action: the list of actions that are allowed or denied.
  • Resource: the list of resources (ARNs) on which the actions can occur.
  • Principal: who is granted the permission. Present only in resource-based policies and role trust policies; in an identity-based policy the principal is the identity the policy is attached to.
  • Condition (optional): extra requirements the request must meet, such as a source IP range or MFA being present.
32
Q

Why to use a role?

A
  • It allows you to delegate (hand over) access with defined permissions to trusted entities without having to share long-term access keys.
  • If an application on EC2 reached S3 with an IAM user's access keys, those long-term keys would have to be stored on the instance (in a config file, environment variable or user data), where anyone who compromises the instance can steal them. This should be avoided.
  • When the instance assumes a role instead (through an instance profile), STS issues short-lived credentials that the application fetches from the instance metadata service and that AWS rotates automatically. No long-term secret is stored on the instance, which makes this the recommended way to access the resource.
33
Q

When to use IAM roles?

A
  • Provide access for AWS services (e.g. EC2, Lambda) to your AWS resources.
  • Provide access for an IAM user in one AWS account that you own to another AWS account that you own.
  • Provide access for externally authenticated users (identity federation)
  • Provide access to IAM users in AWS accounts owned by third parties.
34
Q

What is an AWS service role?

A

A role that a service assumes to perform actions in your account on your behalf.

35
Q

What is an AWS service role for an EC2 instance?

A

A special type of service role that an application running on an Amazon EC2 instance can assume to perform actions in your account. The role is attached to the instance through an instance profile when the instance is launched.

36
Q

What is an AWS service-linked role?

A

A role predefined by a service and includes all the permissions that the service requires to call other AWS services on your behalf.

37
Q

What is role chaining?

A

Role chaining occurs when you use the temporary credentials of one assumed role to assume a second role through the AWS CLI or API.

E.g. User1 -> Role A, User1 -> Role B, and additionally Role A -> Role B: assuming Role B through Role A (User1 -> Role A -> Role B) is role chaining.

-> means “has permission to assume”

Chained sessions are limited to a maximum of one hour, even if the second role's maximum session duration is longer.

38
Q

What is delegation?

A

Delegation means granting permissions to someone in order to allow access to resources that you control.

39
Q

What is federation?

A

Federation is the creation of a trust relationship between an external identity provider and AWS.

40
Q

What is a trust policy?

A

A trust policy is a document in JSON format attached to a role in which you define who (which principals) is allowed to assume the role.

41
Q

What is a permissions policy?

A

A permissions document in JSON format in which you define what actions and resources the role can use.

43
Q

What is a role for cross-account access?

A

It means granting access to resources in one account (the trusting account) to a trusted principal in a different account (the trusted account): the role lives in the trusting account with a trust policy that names the other account or principal, and an identity in the trusted account that is permitted to call sts:AssumeRole on that role assumes it to obtain temporary credentials.

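Added example (constructed, not the page's own code) that ties together cards 31, 37, 40, 41 and 43. Each role is modelled as a trust policy plus a permissions policy; `can_assume` checks both sides of a delegation (the role's trust policy must name the caller, and for cross-account access the caller's own identity-based policy must also allow `sts:AssumeRole`, whereas a same-account trust policy that names the user or role directly is sufficient on its own), and `assume_chain` walks User1 -> Role A -> Role B and caps chained sessions at one hour as STS does. Account IDs, role names and the external ID value are hypothetical, and Deny statements in trust policies are not modelled.

```python
from fnmatch import fnmatchcase
from typing import List, Optional

# Constructed scenario: account 111111111111 owns the roles, 222222222222 is
# a third-party auditor's account. All IDs, names and the ExternalId are made up.
ACCT, AUDITOR_ACCT = "111111111111", "222222222222"
USER1 = f"arn:aws:iam::{ACCT}:user/User1"
ROLE_A = f"arn:aws:iam::{ACCT}:role/RoleA"
ROLE_B = f"arn:aws:iam::{ACCT}:role/RoleB"
AUDIT_ROLE = f"arn:aws:iam::{ACCT}:role/AuditorRole"
AUDITOR = f"arn:aws:iam::{AUDITOR_ACCT}:user/Auditor"
EXTERNAL_ID = "example-external-id"   # hypothetical value agreed with the auditor
CHAINED_SESSION_CAP = 3600            # STS caps chained role sessions at one hour


def policy(*statements: dict) -> dict:
    return {"Version": "2012-10-17", "Statement": list(statements)}

def trust_statement(principals, condition: Optional[dict] = None) -> dict:
    """Trust policy statement: WHO may call sts:AssumeRole on this role."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principals}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = {"StringEquals": condition}
    return stmt

def allow(action, resource) -> dict:
    """Permissions policy statement: WHAT the identity may do."""
    return {"Effect": "Allow", "Action": action, "Resource": resource}


ROLES = {
    ROLE_A: {"trust": policy(trust_statement(USER1)),
             "permissions": policy(allow("sts:AssumeRole", ROLE_B)), "max_session": 3600},
    ROLE_B: {"trust": policy(trust_statement([USER1, ROLE_A])),
             "permissions": policy(allow("s3:ListAllMyBuckets", "*")),
             "max_session": 43200},            # MaxSessionDuration raised to 12 h
    AUDIT_ROLE: {"trust": policy(trust_statement(f"arn:aws:iam::{AUDITOR_ACCT}:root",
                                                 {"sts:ExternalId": EXTERNAL_ID})),
                 "permissions": policy(allow(["iam:Get*", "iam:List*"], "*")), "max_session": 3600},
}
USER1_PERMS = policy()                           # same-account direct trust: no sts:AssumeRole needed
AUDITOR_PERMS = policy(allow("sts:AssumeRole", AUDIT_ROLE))


def _as_list(v):
    return v if isinstance(v, list) else [v]

def _account_of(arn: str) -> str:
    return arn.split(":")[4]

def _trust_allows(trust: dict, caller_arn: str, external_id: Optional[str]) -> Optional[str]:
    """'direct' if a statement names the caller itself, 'account' if it names the
    caller's account root (delegating the decision to that account's own IAM
    policies), None if nothing allows the caller."""
    caller_root = f"arn:aws:iam::{_account_of(caller_arn)}:root"
    result = None
    for stmt in _as_list(trust["Statement"]):
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" in required and required["sts:ExternalId"] != external_id:
            continue                      # third party did not present the agreed ExternalId
        principals = _as_list(stmt["Principal"].get("AWS", []))
        if caller_arn in principals:
            return "direct"
        if caller_root in principals:
            result = "account"
    return result

def _identity_allows(permissions: dict, role_arn: str) -> bool:
    for stmt in _as_list(permissions["Statement"]):
        if (stmt["Effect"] == "Allow"
                and any(fnmatchcase("sts:assumerole", a.lower()) for a in _as_list(stmt["Action"]))
                and any(fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"]))):
            return True
    return False

def can_assume(caller_arn: str, caller_perms: dict, role_arn: str,
               external_id: Optional[str] = None) -> bool:
    """Both sides must agree: the role must trust the caller, and unless the trust
    policy names a same-account principal directly, the caller's own identity
    policy must also allow sts:AssumeRole on the role."""
    how = _trust_allows(ROLES[role_arn]["trust"], caller_arn, external_id)
    if how is None:
        return False
    if how == "direct" and _account_of(caller_arn) == _account_of(role_arn):
        return True
    return _identity_allows(caller_perms, role_arn)

def assume_chain(user_arn: str, user_perms: dict, hops: List[str]) -> List[int]:
    """Role chaining: each hop is authorised with the credentials of the previous
    one. Returns the maximum session length (seconds) of every hop; every hop
    after the first is capped at one hour regardless of MaxSessionDuration."""
    caller, perms, durations = user_arn, user_perms, []
    for i, role_arn in enumerate(hops):
        if not can_assume(caller, perms, role_arn):
            raise PermissionError(f"{caller} may not assume {role_arn}")
        max_session = ROLES[role_arn]["max_session"]
        durations.append(max_session if i == 0 else min(max_session, CHAINED_SESSION_CAP))
        caller, perms = role_arn, ROLES[role_arn]["permissions"]
    return durations


if __name__ == "__main__":
    print(assume_chain(USER1, USER1_PERMS, [ROLE_A, ROLE_B]))   # [3600, 3600]
    print(assume_chain(USER1, USER1_PERMS, [ROLE_B]))           # [43200]
    print(can_assume(AUDITOR, AUDITOR_PERMS, AUDIT_ROLE, external_id=EXTERNAL_ID))  # True
```

Two things worth noticing when you run it. First, the auditor role trusts the whole third-party account (`:root`), so it is the auditor's own IAM policy that decides which of their identities may use it; the `sts:ExternalId` condition is what stops a different customer of that auditor from tricking it into assuming your role (the confused-deputy problem). Second, Role B allows 12-hour sessions, yet reached through Role A it yields only a one-hour session: chaining cannot be used to stretch a short-lived session into a long one.
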