IAM 101

Question 1

Users

Answer 1

End Users

Question 2

Groups

Answer 2

Collection of users under one set of permissions (or policies)

Question 3

Roles

Answer 3

You create roles and assign them to AWS resources

Question 4

Does IAM give you centralized control of your AWS account?

Answer 4

yes

Question 5

Does IAM provide shared access to your AWS account?

Answer 5

yes

Question 6

Does IAM provide granular permissions

Answer 6

yes

Question 7

Does IAM provide identity federation to connect to Active Directory, Facebook, LinkedIN, etc.?

Answer 7

yes

Question 8

Does IAM provide temporary access for users/devices if needed?

Answer 8

yes

Question 9

Does IAM let you create & customize your own password rotation policy?

Answer 9

yes

Question 10

Does IAM support PCI DSS compliance?

Answer 10

yes

Question 11

Policies (Policy Documents)

Answer 11

document that defines one or more permissions. Attach policies to users, groups or roles

Question 12

How do you apply a policy?

Answer 12

Attach policies to users, groups or roles

Question 13

Policy Documents

Answer 13

Apply to users, groups, roles
made up of JSON
key-value pair: attribute and value (version:date) (effect:allow) (action:*)

Question 14

Is IAM universal (global)

Answer 14

yes
it doesn’t apply to regions at this time
user, group or role is consistent across all regions

Question 15

root account

Answer 15

the account created when first setting up your AWS account

Only account that has complete admin access by default

Question 16

What permissions do new users have when first created?

Answer 16

none

Question 17

What two things are new users assigned when first created (for programmatic access)

Answer 17

Access Key ID

Secret Access Keys

Question 18

Can you use the Access Key ID and SecretAccess Key to log in to the console?

Answer 18

No.
You need a password to login to the console
You can only use these to access from the CLI or via API’s

Question 19

How many times can you view the Access Key ID & SecretAccess Key?

Answer 19

Once. Can download them to CSV

If you lose them, you have to regenerate them

Question 20

Setup MFA on root account

Answer 20

Otherwise get warnings

Question 21

When do you use the Access key ID and Secret Access Key?

Answer 21

When programmatically accessing AWS

cannot use username and password for this

Question 22

Examples of IAM Roles

Answer 22

IAM user in other account
Code running on EC2 instance that acts on AWS resources
AWS Service that acts on your resources
Users in directory linked with SAML for federation

Question 23

What’s special about role keys

Answer 23

they’re valid for short durations