IAM 101

Question 1

What is IAM?

Answer 1

Identity and Access Management

Question 2

What is a root account? What should it be used for?

Answer 2

An IAM root account is created when you create an AWS account. It will always have full permissions for your organization, so it should only be used to create users.

Question 3

How are users organized within an organization?

Answer 3

By GROUPS, which are collections of users.

Question 4

How many groups can a user belong to?

Answer 4

They can belong to multiple groups, but a user doesn’t need to belong to any groups.

Question 5

Can a group contain other groups?

Answer 5

No, a group can only contain users.

Question 6

How are IAM permissions determined?

Answer 6

Users or groups can be assigned JSON documents called POLICIES, which define its permissions.

Question 7

You are concerned about passwords being cracked or stolen within your organization. What are two ways to mitigate the risk of this?

Answer 7

1) You can create a password policy that specifies password length, password re-use requirements, character types, or password expiration periods.
2) You can enforce MFA.

Question 8

What are the options for MFA?

Answer 8

1) A virtual MFA device like Google Authenticator or Authy.
2) A hardware U2F device like YubiKey.
3) A hardware key fob MFA device like Gemalto.
4) A hardware key fob MFA device for AWS GovCloud, like SurePassID.

Question 9

What is the difference between a MFA device and a U2F device?

Answer 9

MFA is support for multiple tokens on a single device, while U2F (a “universal” key) is a single key for multiple root and IAM users.

Question 10

If you don’t have access to a shell for AWS (or can’t install the CLI tool), what’s another option for using the CLI?

Answer 10

AWS has a browser CLI called CloudShell. It has the same credentials that you’d use for your user.

Question 11

How can you give permissions to an AWS service?

Answer 11

Create an IAM role.

Question 12

What is an IAM role?

Answer 12

You can think of an IAM role as similar to an IAM user, but intended to be used by an AWS service.

Question 13

You’d like to do an account-level audit of your users’ credentials. What security tool would you use?

Answer 13

IAM Credentials Report.

It lists all of your account’s users and the status of their various credentials.

Question 14

You’re worried that a user could have IAM access to a service that they don’t need. How can you examine this, and see if that permission has been used?

Answer 14

IAM Access Advisor.

It shows the permissions granted to a user and when those services were last accessed.

Question 15

What is an access key?

Answer 15

An access key is used for programmatic (CLI/SDK) access to AWS. It’s similar to a machine user in CircleCI. You can only have two access keys.

Question 16

What are best practices for access keys?

Answer 16

They’re meant for long-term use, so should only be used when they need to be. IAM roles (temporary access) are preferred over access keys.

Disable access keys on your root account - your keys should have limited permissions.

You can only have two keys, and this should be used to rotate your access keys regularly.

Question 17

How can you test whether a user can perform an action?

Answer 17

IAM policy simulator.