IAM

Question 1

IAM

Answer 1

• a root account by default and do not used or shared
• Create user with your organization, and can be group together
• Group only have user, and user can belong to multiple group

Question 2

Users

Answer 2

• Mapped to physical user, has password for AWS console

Question 3

Groups

Answer 3

Contains user only

Question 4

Policies

Answer 4

• JSON documents that outlines permissions for users or group
• IAM policy Inheritance:will be inherited by a group, were people are
• inline policy is attached to a user

Question 5

Roles

Answer 5

For EC2 instance or AWS service

• What is a proper definition of IAM Roles?

( An IAM entity that defines a set of permissions for making AWS service requests, that will be used by AWS service )

Question 6

Security

Answer 6

MFA + Password policy

Question 7

IAM password Policy:

Answer 7

• Protect user and group from getting compromised
• Strong password - high security
• Set password policy
• Allow IAM user to change password
• Prevent password reuse
• User change password after 90 day or more

Question 8

Multiple factor authentication - MFA

Answer 8

• Second defend
• to increase your root account security
• protect from wicked intention
• MFA= have password you know + security device you own like token, or app on your phone
• protect root account and IAM user

Question 9

How Can Users Access AWS?

Answer 9

• AWS management console
• AWS command line interface (CLI)
• AWS software AWS Developer kit (SDK) for code:

Question 10

AWS CLI

Answer 10

manage your AWS service using the command-line

Question 11

AWS SDK

Answer 11

manage your AWS services using a programming language

Question 12

Access Keys

Answer 12

• Access AWS using the CLI or SDK
• User have their own access keys
• ## DONT SHARE access key

Question 13

Audit

Answer 13

IAM credential reports & IAM access Advisor

Question 14

Login into IAM

Answer 14

• for security create a admin user account, so you can log out of the root account
• Admin would have a police called administratorAccess - to be an admin

Question 15

AWS CloudShell

Answer 15

• Region Availability

- alternative for the cli terminal

Question 16

IAM role for services

Answer 16

• create role add permission for service like EC2
• Just like giving permission to our user but giving them to AWS service so they would use it.
• Common roles: EC2 instance role, Lambda function role, role for cloudformation

Question 17

IAM security tools:

Answer 17

IAM credential report (account-level):

• can view report of list of all your account user, and their status of various credentials

Question 18

IAM Access advisor (user-level)

Answer 18

• show service permission granted to users and when those service where last accessed

→ information can be used to revise your policies

Question 19

Generate a credential report

Answer 19

• users are not changing their password, see what user need to focus on from a security standpoint.
• See when the user was created, if the password was enabled, last used, last change, next password rotation, is MFA activated, access key active or not , access key last rotated, last used,
• for auditing

Question 20

Access advisor

Answer 20

• show when service where last used, and recent activities that happen within 4 hours, remove permission users are not using
• for auditing

Question 21

IAM Guidelines & best practices:

Answer 21

• Do Not use root account only, only when you set up their AWS account
• One physical user = do give some your account, but create a user for them
• Create strong password policy
• Assign users to group and permission to group
• Use MFA
• Use role when give role to AWS services
• If using AWS CLI/SDK need to have access key for programmatic access
• For audit your account used IAM credential report and AWS access advisor
  Never share IAM users and ACcess keys.