Core Fundamentals and AWS Accounts Flashcards

1
Q

What is IAM?

A

A standard-issue service, FREE (with limits), provided with each AWS account, where users, groups, and roles are created and given permissions. Own DB for IAM. 1 Globally resilient service. Any data is always secure across all regions. Own dedicated instance of IAM. IAM service has full trust and can do as much as ROOT USER. Enables user Identity federation (IDF) and MFA.

Manage Identities - ID Provider (create and manage)
Authenticates (proves who you are)
Authorizes (allow or deny services within the account)

2
Q

What can the ROOT USER do in an AWS account?

A

Full control of the AWS account. Full control. Unrestricted. AWS Account and ROOT USER are kind of the same thing. Auto created. CANNOT be restricted.

3
Q

What permissions are automatically granted to new identities added to the account?

A

Least privilege principle. No permissions are given automatically. They must be explicitly given.

4
Q

What is an AWS account made up of?

A

A unique email address, payment method, users, groups, roles, and services being provided. It prevents things from getting out of the account and things getting into the account as well.

5
Q

Why would you want to avoid using the same AWS account for the entire business?

A

This creates a single point of failure. If that one account is compromised, all the business is compromised. You can split Dev, Prod, or Test into different accounts or even separate customer segments into separate accounts.

6
Q

When creating a new AWS account what options do you have for alternate contacts?

A

Billing, Operations, and Security

7
Q

What are the factors of identification?

A

Knowledge - Something you know
Possession - Something you have (device or app)
Inherent - Something you are (fingerprint, iris scan)
Location - Building, Corporate Network, VPN

8
Q

How is MFA implemented for AWS?

A

AWS creates a secret key and pairs that with your user account info like user name. Then, that information is stored in a QR Code. When that QR code is scanned with an app, the app will reach out to AWS to ensure that the key is correct and will pair itself to your account to give regenerated MFA codes that AWS can cross reference to ensure you are who you say you are.

9
Q

When setting up a budget, what template options do you have?

A

Free tier - Any spend at all
Monthly Spend - Define how much you can spend in one month
Daily Savings - Notifies when you fall below the defined target that you agree to use. Must spend!
Daily Reservation Utilization - Notifies when you fall below the defined target that you agree to use. Must use!

10
Q

What kind of objects can you create with IAM?

A

User - Identities (humans or apps) that need access to the account. Individual.
Group - a collection of related users
Role - used by AWS services or external users to grant access to an uncertain number of entities. Uncertain many.

11
Q

What is an IAM Policy?

A

Allows or denies access to AWS services. Policies do nothing on their own; they only define permissions. Must be attached to a user, group, or role to take effect.

12
Q

If using best practices, what should the ROOT USER be used for?

A

Only for the initial creation and setup of the AWS account.

13
Q

How can you access an AWS account through the command line or APIs?

A

IAM Access Keys.

14
Q

What are long-term access keys?

A

These are authentication types which don’t change or rotate automatically.

15
Q

When creating an IAM user why would you want to omit a password?

A

If you intend to authenticate with this user through only access keys (API or command line)

16
Q

What are the parts of credentials?

A

Public piece and private piece. Username is public, password is private, MFA token is private.

17
Q

What is an access key?
Where are access keys created?
How many access keys can a user have?

A

An account can use an access key to access an AWS account via command line or API. They can be created, deleted, or made active/inactive.

Access keys are created in the security credentials for a logged in user.

A user can have 0-2 access keys.

18
Q

What are the parts of an access key?

A

The key ID which you can fetch from AWS at any point.
The secret key which you can NEVER access again after the point of creation. It must be stored securely at time of creation.

19
Q

What should you do if an access key is compromised?

A

Delete the access key, recreate an access key, and update all instances of connection via that access key.

20
Q

What is the process for rotating access keys?

A

Create a new access key, update all instances where the key is used, and make the old access key inactive/delete it.

21
Q

What are the best practices of working with access keys?

A

NEVER STORE IN PLAIN TEXT
DISABLE/DELETE WHEN NOT IN USE
Use the least privilege principle
Rotate keys regularly

22
Q

How do you configure multiple accounts on a single computer?

A

Use named credentials when configuring in the terminal:
aws configure --profile general