IAM Flashcards
What is IAM
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources.
Authentication vs Authorization
Authentication - proving who you are (being able to sign in).
Authorization - what the signed-in principal is allowed to do, on which resources.
Consistency type of IAM
Eventually consistent. A change (for example attaching a policy or rotating a key) can take a short time to propagate, so do not assume it is effective the instant the API call returns.
You access IAM via:
- AWS Management Console
- AWS Command Line Tools
- AWS SDKs
- IAM HTTPS API
When you use the ________, you must include code to digitally sign requests using your credentials
IAM HTTPS API (requests are signed with AWS Signature Version 4; the Console, CLI and SDKs sign for you).
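Added example, not from these cards or from AWS: a minimal Signature Version 4 signer for an IAM query-API call, using only the standard library. The access key pair is the placeholder pair used in AWS documentation, the timestamp is fixed, and no network request is made; in practice you would let an SDK or the CLI sign for you.

```python
"""Minimal AWS Signature Version 4 signer for an IAM query-API request.
Added example for these flashcards, not AWS code: use an SDK or the CLI in
practice. Credentials below are the placeholder pair from AWS documentation
and the timestamp is fixed, so the output is reproducible offline."""
import hashlib
import hmac
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    The secret access key itself never leaves the client; only this derived key signs."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, headers, body, access_key, secret_key,
                 region, service, amz_date):
    """Return the request headers with Authorization added. amz_date is YYYYMMDDTHHMMSSZ.
    path is used as-is: the IAM API uses '/'; other paths need per-segment URI encoding."""
    date = amz_date[:8]
    # Canonical headers: lowercase names, collapsed whitespace, sorted by name.
    # host and x-amz-date are always part of the signature.
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                               for k, v in sorted(query.items()))
    canonical_request = "\n".join([method, path, canonical_query, canonical_headers,
                                   signed_headers, _sha256_hex(body)])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return hdrs


def demo():
    """Sign a constructed iam:ListUsers call (query API, form-encoded POST body)."""
    body = b"Action=ListUsers&Version=2010-05-08"
    headers = {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}
    return sign_request("POST", "iam.amazonaws.com", "/", {}, headers, body,
                        "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
                        "us-east-1", "iam", "20150830T123600Z")


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the body hash and the x-amz-date header are inside the signed material, changing either invalidates the signature; AWS also rejects requests whose x-amz-date is too far from its own clock, which is why a stale signed request cannot simply be replayed later.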
What are IAM Resources
- User
- Group
- Role
- Policy
- Identity provider objects
Can you add/delete/modify IAM resources?
Yes, provided the principal making the change has permission for the corresponding iam: actions.
What are Identity Provider Objects?
If you already manage user identities outside of AWS, you can use IAM identity providers instead of creating IAM users in your AWS account.
What are IAM Identities?
The IAM resource objects that are used to identify and group: users, groups and roles. Policies are attached to identities.
You attach policies to _______
IAM identities.
What are IAM Entities?
The IAM resource objects that AWS uses for authentication: users and roles. (A group is an identity but not an entity.)
What is a principal
A principal is a person or application that uses the AWS account root user, an IAM user or an IAM role to sign in and make requests to AWS.
Principals include users such as _______ and _________
Federated users and assumed roles.
The IAM users and roles that are used for authentication are called _________
IAM entities
Out of users, groups and roles, you don’t use this for authentication.
Groups. A group is only a collection of users: it cannot sign in, and it cannot be named as a Principal in a resource-based policy.
_________ are used for AWS authentication?
IAM Entities.
What information does a request from principal to AWS resource include?
- Actions or operations.
- Resources
- Principal
- Environment Data
- Resource Data
AWS gathers the information from request into a ________ which is used to authorize the request
Request context
To authenticate a principal from the API or AWS CLI, you must provide your ________ and __________
access key ID and secret access key (plus a session token when the credentials are temporary, e.g. from an assumed role).
Most policies are stored in AWS as ___________
JSON documents
__________ specify the permissions for principal entities
Policies
To provide your users with permissions to access the AWS resources in their own account, you need only _________.
identity-based policies
Resource-based policies are popular for ___________
granting cross-account access
When does AWS deny a request?
- Explicit deny
- Denied by default (implicit deny)
What is Explicit Deny?
If any applicable permissions policy contains a Deny statement that matches the request, AWS denies the entire request and stops evaluating. This is called an explicit deny.
What is Denied by default
By default, all requests are denied; a request is allowed only if some policy explicitly allows it. This is called an implicit deny.
When does AWS allow a request?
If the action is allowed by an applicable permissions policy and no other policy denies it.
An _________ in any policy overrides any allows.
explicit deny
If one or more of the following ________ policy types apply, they must all allow the request. Otherwise, it is ___________
- Organizations’ SCP (Service Control Policies)
- IAM Permissions boundary
- Session Policy
Implicitly denied
What is Organizations’ SCP
An AWS Organizations service control policy (SCP) defines the maximum permissions for the accounts in an organization or organizational unit (OU). SCPs limit the permissions that identity-based or resource-based policies grant to entities (users or roles) in those accounts, but they never grant permissions themselves. SCPs do not affect the organization's management account or service-linked roles.
What is IAM Permission boundary
A permissions boundary is an advanced feature in which a managed policy sets the maximum permissions that an identity-based policy can grant to an IAM entity (user or role). It does not grant permissions on its own.
An entity’s permissions boundary allows it to perform only the actions that are allowed by _______________
both its identity-based policies and its permissions boundary (the intersection of the two).
What is a Session Policy
A session policy is an inline permissions policy that the caller passes as a parameter when assuming a role (or federating a user). The session's effective permissions are the intersection of the role's identity-based policies and the session policy; a session policy can only narrow the role's permissions, never widen them.
What is federating existing users?
If the users in your organization already have a way to be authenticated, such as by signing in to your corporate network, you don’t have to create separate IAM users for them. Instead, you can federate those user identities into AWS.
How to federate users when the identities in your corporate directory are compatible with Security Assertion Markup Language 2.0 (SAML 2.0)
If your corporate directory is compatible with SAML 2.0, you can configure it to provide single sign-on (SSO) access to the AWS Management Console for your users.
How to federate users when the identities in your corporate directory are NOT compatible with Security Assertion Markup Language 2.0 (SAML 2.0)
If your corporate directory is not compatible with SAML 2.0, you can create an identity broker application to provide single sign-on (SSO) access to the AWS Management Console for your users.
How to federate users when your corporate directory is Microsoft Active Directory?
If your corporate directory is Microsoft Active Directory, you can use AWS Directory Service to establish a trust between your corporate directory and your AWS account.
What are principal entities?
A principal entity is a person or application that is authenticated using an IAM entity (user or role)
_________ is often referred to as authorization.
Access management
You manage access in AWS by _________
creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources.
What is a policy?
A policy is an AWS object that, when associated with a
_______ in the policies determine whether the request is allowed or denied.
Permissions
IAM users are ________ in the service.
identities
You give permissions to a user by creating an ________, which is a policy that is attached to the user or a group to which the user belongs
identity-based policy
You can organize IAM users into _______
IAM groups
________ don’t have permanent identities in your AWS account the way that IAM users do.
Federated users
To assign permissions to federated users, you can create an entity referred to as a ______ and define permissions for that
role
What are Identity-based policies
Identity-based policies are permissions policies (managed or inline) that you attach to an IAM identity, such as an IAM user, group, or role. They grant permissions to an identity.
What are Resource-based policies
Resource-based policies are inline permissions policies that you attach to a resource, such as an Amazon S3 bucket (bucket policy) or an IAM role (its trust policy). A resource-based policy grants permissions to the principal specified in the policy, which may belong to another account.
What do identity-based policies control?
Identity-based policies control what actions the identity can perform, on which resources, and under what conditions
What do resource-based policies control?
Resource-based policies control what actions a specified principal can perform on that resource and under what conditions.
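As an added example (not AWS code and not part of the original cards), the following Python models the evaluation order described in the explicit-deny, implicit-deny, SCP, permissions-boundary and session-policy cards, and the identity-based versus resource-based distinction from the last cards, including the cross-account case where both kinds of policy must allow. Account IDs, ARNs and the policies themselves are constructed; condition keys, NotAction/NotResource and service-specific rules (KMS, role trust policies) are out of scope.

```python
"""Simplified model of IAM policy evaluation. Added example for these
flashcards, not AWS code. Account IDs, ARNs and policies are constructed.
Order modelled: explicit deny anywhere -> every applicable SCP / permissions
boundary / session policy must allow -> identity-based or resource-based
Allow -> otherwise implicit deny. Conditions and NotAction are omitted."""
import fnmatch


def _match(pattern, value):
    """IAM wildcards: '*' is any run of characters, '?' one character.
    fnmatch also treats '[...]' as a class, so '[' is escaped first."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _statement_applies(stmt, ctx):
    action_ok = any(_match(a, ctx["action"]) for a in _as_list(stmt.get("Action", [])))
    resource_ok = any(_match(r, ctx["resource"]) for r in _as_list(stmt.get("Resource", "*")))
    principal = stmt.get("Principal")
    if principal is None:  # identity policies, SCPs, boundaries, session policies: no Principal
        principal_ok = True
    else:                  # resource-based policies name the principal; "*" means anyone
        allowed = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        principal_ok = "*" in allowed or ctx["principal"] in allowed
    return action_ok and resource_ok and principal_ok


def _effect(policy, ctx):
    """'Deny' if any matching statement denies, 'Allow' if one allows and none
    denies, None if no statement matches. The whole policy is scanned so a
    later Deny still wins over an earlier Allow."""
    result = None
    for stmt in _as_list(policy["Statement"]):
        if _statement_applies(stmt, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def evaluate(ctx, identity_policies=(), resource_policy=None, scps=(), boundary=None, session_policy=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request context."""
    limits = list(scps) + [p for p in (boundary, session_policy) if p is not None]
    everything = list(identity_policies) + limits + ([resource_policy] if resource_policy else [])
    # 1. An explicit deny in any applicable policy overrides every allow.
    if any(_effect(p, ctx) == "Deny" for p in everything):
        return "ExplicitDeny"
    # 2. Each SCP, the permissions boundary and the session policy that exists must itself allow.
    if any(_effect(p, ctx) != "Allow" for p in limits):
        return "ImplicitDeny"
    # 3. Same account: an Allow in either an identity-based or the resource-based policy suffices.
    #    Cross-account: the resource-based policy must name the principal AND the principal's
    #    own identity-based policy must allow the action.
    identity_allows = any(_effect(p, ctx) == "Allow" for p in identity_policies)
    resource_allows = resource_policy is not None and _effect(resource_policy, ctx) == "Allow"
    if ctx["principal_account"] == ctx["resource_account"]:
        return "Allow" if (identity_allows or resource_allows) else "ImplicitDeny"
    return "Allow" if (identity_allows and resource_allows) else "ImplicitDeny"


# ---- constructed sample data (hypothetical account IDs, ARNs and policies) ----
DEV, DATA = "111111111111", "222222222222"
ALICE = f"arn:aws:iam::{DEV}:user/alice"
DEV_BUCKET, DATA_BUCKET = "arn:aws:s3:::dev-artifacts", "arn:aws:s3:::data-lake-exports"

ALICE_POLICY = {"Version": "2012-10-17", "Statement": [   # identity-based, attached to alice
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteBucket"],
     "Resource": [DEV_BUCKET, DEV_BUCKET + "/*", DATA_BUCKET, DATA_BUCKET + "/*"]},
    {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [       # caps alice at S3, whatever her policies say
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCP = {"Version": "2012-10-17", "Statement": [            # org-wide: everything except bucket deletion
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
DATA_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [  # resource-based, cross-account grant
    {"Effect": "Allow", "Principal": {"AWS": ALICE}, "Action": "s3:GetObject",
     "Resource": DATA_BUCKET + "/*"}]}
SESSION = {"Version": "2012-10-17", "Statement": [        # passed at AssumeRole time: public prefix only
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": DEV_BUCKET + "/public/*"}]}


def request(action, resource, resource_account):
    """The request context AWS assembles from a call: action, resource, principal, account data."""
    return {"action": action, "resource": resource, "principal": ALICE,
            "principal_account": DEV, "resource_account": resource_account}


def demo():
    common = dict(identity_policies=[ALICE_POLICY], scps=[SCP], boundary=BOUNDARY)
    return {
        "same_account_get": evaluate(request("s3:GetObject", DEV_BUCKET + "/a.zip", DEV), **common),
        "scp_explicit_deny": evaluate(request("s3:DeleteBucket", DEV_BUCKET, DEV), **common),
        "boundary_blocks_iam": evaluate(request("iam:CreateUser", f"arn:aws:iam::{DEV}:user/bob", DEV), **common),
        "cross_account_get": evaluate(request("s3:GetObject", DATA_BUCKET + "/r.csv", DATA),
                                      resource_policy=DATA_BUCKET_POLICY, **common),
        "cross_account_list": evaluate(request("s3:ListBucket", DATA_BUCKET, DATA),
                                       resource_policy=DATA_BUCKET_POLICY, **common),
        "session_out_of_scope": evaluate(request("s3:GetObject", DEV_BUCKET + "/secret/k", DEV),
                                         session_policy=SESSION, **common),
        "session_in_scope": evaluate(request("s3:GetObject", DEV_BUCKET + "/public/k", DEV),
                                     session_policy=SESSION, **common),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Two cases are worth noting when reading the output: alice's identity-based policy allows s3:DeleteBucket, yet the SCP's Deny wins because explicit denies are checked before anything else; and her identity policy allows s3:ListBucket on the other account's bucket, yet the request is implicitly denied because the cross-account bucket policy only names s3:GetObject.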