IAM Flashcards
What security control provides visibility for inventory and history of config changes?
Config
What control allows you to see who is doing what, when, how, from where and what resources are affected?
CloudTrail - Auditability
What security control provides controllability?
KMS, CloudHSM; you get to control your keys and where to use them
What provides Agility and quickly update security rules and patches in a repeatable and auditable manner?
CloudFormation
What provides automation in helping deploy security updates?
OpsWorks, CodeDeploy
How are IAM roles typically used?
Assigned to services to access other services but can also be assumed by IAM users
What is the only thing power users don’t have access to?
IAM. They cannot make IAM changes
What is the key point about customer managed policies?
They exist only within 1 account and cannot be shared
What are the size limits for IAM policies? Users, groups, roles
2 KB for users, 5 KB for groups, 10 KB for roles. So don’t write overly long policies
What is IAM Credentials Report?
A CSV with details of all users: password last used, password last changed, MFA status, access keys last used, access keys last rotated, which service used them, etc.
What IAM permissions do you need for Credential Report?
iam:GenerateCredentialReport and iam:GetCredentialReport
What is size limit of bucket policies?
20 KB
How are bucket policies useful?
To deny access to individual buckets without messing with IAM policies
What happens if an IAM policy for a user is set to only READ an S3 bucket, but an S3 bucket policy is added to a specific bucket to give that user DELETE permissions?
That user WILL be allowed to delete objects. The S3 bucket policy ADDS to the IAM policy here
What happens if an S3 bucket policy is set to “Deny all actions” for “All principals”?
Nobody will be able to read from or write to that bucket irrespective of IAM policies, not even the root user. The S3 bucket Deny All overrides everything here
What happens if an S3 bucket policy is set to “Deny all actions” for “All principals” followed by an “Allow all actions” for a specific user?
That user will NOT be able to do anything on S3. An explicit Deny ALWAYS trumps everything else, whether it is defined in an IAM policy or an S3 bucket policy!
What happens if an IAM policy has a “Deny read” for a bucket but one object inside that bucket is given Read access using an S3 ACL?
Anyone WILL be able to access that object using the S3 URL of the object (since the URL does not know anything about IAM users), but an IAM user will NOT be able to access it by clicking “Open” in the console!
What is the conflict resolution method for S3? 3 steps
- Is there an explicit deny anywhere? If so, it’s denied
- If there is no explicit deny, is there any ALLOW anywhere? If yes, it’s allowed (only in the same account)
- If there is no explicit deny but no explicit allow either, it’s implicitly denied