IAM

Question 1

What is IAM?

Answer 1

Identity and Access Management

Question 2

Is IAM a Global or local service?

Answer 2

Global

Question 3

Defined the privilege principle applied in aws

Answer 3

The least privilege principle: don’t give more permissions than a user needs.

Question 4

What is an inline policy?

Answer 4

A policy that is only attached to a user

Question 5

Basic concepts and info of IAM

Answer 5

• Root account is created by default, shouldn’t be used or shared
• Users are people within your organization and can be groupes
• Groups only contain users, not other groups
• Users don’t have to belong to a group
• Users can belong to multiple groups
• Users or Groups can be assigned JSON documents called policies.
• The policies defined the permissions of the users

Question 6

IAM policy structure

Answer 6

• versions: policy language version
• id: an identifier (optional)
• statement: one or more individual statements (required)
  - sid: statement id (optional)
  - effect: whether the statement allows or denies access (allow, deny)
  - principal: account/user/role to which this policy applied to
  - action: list of actions this policies allows/denies
  - resource: list of resources to which the actions applied to
  - condition: conditions for when this policy is in effect (optional)

Question 7

IAM password policy

Answer 7

Dictates the rules that the users’ passwords must follow
- set a minimum length
- require specific character types
- allow all IAM users to change their own passwords
- require users to change their password after sometime (password expiration)
- prevent password re-use

Question 8

What is MFA?

Answer 8

Multi Factor Authentication

Question 9

Benefit of MFA

Answer 9

If a password is stolen/hacked, the account is not compromised

Question 10

MFA device options

Answer 10

Virtual MFA device
Universal 2nd Factor Security Key
Hardware Key Fob MFA Device (for AWS GovCloud)

Question 11

Virtual MFA device

Answer 11

Support for multiple tokens on a single device

Question 12

Universal 2nd Factor Security Key

Answer 12

Physical device
Support for multiple root and IAM users using a single security key

Question 13

What are the ways to access AWS?

Answer 13

• AWS Management Console (protected by password + MFA)
• AWS Command Line Interface (CLI) protected by access keys
• AWS Software Developer KIT (SDK) protected by access keys

Question 14

Access Keys

Answer 14

Are generated through the AWS Console
Users manage their own access keys

Question 15

What are the Security Tools available?

Answer 15

At the account level, IAM Credentials Report
At the user leve, IAM Access Advisor

Question 16

What is the IAM Credentials Report?

Answer 16

A security tool, a report that list all your account’s users and the status of their various credentials.

Question 17

What is IAM Access Advisor?

Answer 17

A security tool. Access Advisor shows the service permissions granted to a user and when those services where last accessed. You can uses this information to revise your policies and stick with the least privilege principle.

Question 18

Shared responsibility model for IAM

Answer 18

AWS
- Infrastructure (global network security)
- Configuration and vulnerability analysis
- Compliance validation
You
- Users, groups, roles, policies management and monitoring
- Enable MFA on all accounts
- Rotate all your keys often
- Use IAM tools to apply appropriate permissions
- Analyze access patterns and review permissions