IAM 101 Flashcards
What is IAM?
- AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources.
- MANAGES
- who is authenticated (signed in)
- who is authorized (has permissions) to use resources.
What are the main features of IAM?
List the key features of IAM
- CENTRALIZED CONTROL of your account
- CUSTOM PASSWORD ROTATION POLICY
- EVENTUALLY CONSISTENT
- GRANULAR PERMISSIONS
- IDENTITY FEDERATION (Active Directory, Facebook, LinkedIn)
- IDENTITY INFO for assurance
- INTEGRATED with AWS services
- MFA (multi-factor authentication)
- PCI DSS COMPLIANCE
- SECURE ACCESS to AWS resources for apps on EC2
- SHARED ACCESS to your account
- TEMP ACCESS for users/devices and services where necessary
How do you access IAM?
- AWS Management Console
- AWS Command Line Tools
- AWS SDKs
What are IAM users?
IAM users are end users such as people, employees of an organization, etc.
What are IAM groups?
- IAM groups are collections of users
- Each user in a group inherits the permissions of the group
What are IAM permission policies?
Permission policies:
- consist of Policy Documents,
- are formatted as JSON,
- give permissions as to what a User/Group/Role is able to do.
What are IAM roles?
An IAM role is an IAM identity that defines a set of permissions for making AWS service requests.
IAM roles are not associated with a specific user or group; instead, trusted identities (such as IAM users, applications, or services such as EC2) assume roles.
A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when a trusted identity assumes a role, it provides you with temporary security credentials for your role session.
How are IAM roles and users similar?
An IAM role is similar to an IAM user, in that BOTH ARE
- an AWS identity with permission policies that determine what the identity can and cannot do in AWS.
How are IAM roles and users different?
- A user is uniquely associated with one person.
- A role is intended to be assumable by anyone who needs it.
What entities can use roles?
Roles can be used by the following:
- An IAM user in the same AWS account as the role
- An IAM user in a different AWS account than the role
- A web service offered by AWS such as Amazon Elastic Compute Cloud (Amazon EC2)
- An external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 or OpenID Connect, or a custom-built identity broker.
What is an AWS service role?
A role that a service assumes to perform actions in your account on your behalf.
What is an AWS service role for an EC2 instance?
A special type of service role that an application running on an Amazon EC2 instance can assume to perform actions in your account.
What is an AWS service-linked role?
- A unique type of service role that is linked directly to an AWS service.
- Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
What is role chaining?
Role chaining occurs when you use a role to assume a second role through the AWS CLI or API.
What is role delegation?
The granting of permissions to someone to allow access to resources that you control.