IAM Flashcards

1
Q

IAM Security Reporting and Access Information tools

A
  • IAM credentials report (account-level)
    • all account users and their permissions
  • IAM access advisor (user-level)
    • what services were accessed by which user
    • use this information to revise policies
2
Q

IAM Groups

A
  • Groups (only contain users)
    • i.e. developers, operations
    • users can belong to multiple groups
3
Q

IAM Roles

A
  • similar to a user, except they don’t have any credentials (not associated with a single person)
  • permission policies associated with it
  • use this inside applications and EC2 instances (instead of embedding user credentials inside an app)
4
Q

Policies

A

Users & Groups can be assigned JSON documents called policies describing what the group can do

5
Q

Inline Policy

A

A policy that’s embedded in an IAM identity (a user, group, or role). That is, the policy is an inherent part of the identity. Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the identity to which it is applied.

6
Q

Managed policy

A

Reusability
Central change management
Versioning and rolling back
Delegating permissions management

7
Q

policy structure

A
  • version
  • id (optional)
  • statements
    • Sid - statement id (optional)
    • effect (allow/deny)
    • principal - account/user/role/service to which the policy is applied (optional)
    • action - list of actions this policy allows or denies
    • resource - list of resources the actions are applied to
    • condition - conditions for when this policy is in effect (optional)
8
Q

Key pairs

A

EC2 and CloudFront only
Create a digital SIGNATURE

9
Q

Access Keys

A

Access key ID
Secret access key

Sign programmatic requests to AWS (not accessing EC2 directly)
