IAM Flashcards
Identity and Access Management
Identity - who can access resources
Access - what resources they can access
authentication (Who) vs authorization (What)
Authentication verifies that someone or something is who they say they are
Authorization is the security process that determines a user's or service's level of access
Root User
- Created when AWS account is created
Only root user can:
- Close your account
- Modify your Support plan
- Change your account settings. This includes the account name, email address, root user password, and root user access keys. Other account settings, such as contact information, payment currency preference, and Regions, do not require root user credentials.
- Restore IAM user permissions. If the only IAM administrator accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions.
- Activate IAM access to the Billing and Cost Management console.
- View certain tax invoices.
- Register as a seller in the Reserved Instance Marketplace.
- Configure MFA delete for your S3 bucket.
- Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID.
- Sign up for GovCloud.
Users
- Perform administrative tasks
- Launch EC2 instances
- Access application code
- Configure databases
Application - applications can be users
Create a user in IAM so you can generate access keys for an application running on-premises that needs access to your cloud resources.
CLI
Access keys are needed when using the CLI and can be generated using IAM
Groups
Difference between EC2 Groups and IAM Groups
Do not confuse security groups for EC2 with IAM groups. EC2 security groups act as firewalls, while IAM groups are collections of users.
Roles
Roles define access permissions and are temporarily assumed by an IAM user or service.
Can be assumed by any user or service that needs the permissions.
Policies
You manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it.
IAM Best Practices
- Enable MFA for privileged users.
- Implement strong password policies.
- Create individual users instead of using root.
- Use roles for Amazon EC2 instances.
Full list: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
IAM Resources
The user, group, role, policy, and identity provider objects that are stored in IAM. As with other AWS services, you can add, edit, and remove resources from IAM.
IAM Identities
The IAM resource objects that are used to identify and group. You can attach a policy to an IAM identity. These include users, groups, and roles.
IAM Entities
The IAM resource objects that AWS uses for authentication. These include IAM users and roles.
Principals
A person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS. Principals include federated users and assumed roles.