IAM Flashcards
What does IAM stand for?
Identity and Access Management
Is IAM a global service?
Yes
How is the root account created? Should it be used or shared?
The root account is created automatically with the AWS account and has unrestricted access to everything in it. It should be used only for the initial account setup (protected with MFA), and its credentials must never be shared.
What are users?
People within an organization who need access to the AWS account; each person gets their own IAM user with their own credentials
What are groups?
Groups are a collection of IAM users; a policy attached to the group applies to every member
Can groups contain other groups?
No
Do users have to belong to a group?
No
True/False: Users can only belong in one group
False, users can belong to multiple groups
What are IAM policies?
IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API.
Who can be assigned JSON documents aka ‘policies’?
Users, groups and roles (identity-based policies). Resource-based policies, such as an S3 bucket policy, are attached to the resource instead.
What is the least privilege principle?
Grant only the permissions an identity needs to do its job, and nothing more; start narrow and widen on demand rather than starting broad and trimming later
What does the IAM policy structure consist of?
Version (the policy language version, normally 2012-10-17), Id (an optional identifier for the policy), and Statement (one or more permission statements)
What does the IAM policy statement consist of?
Sid, Effect, Principal, Action, Resource, Condition
In AWS IAM policy statement, what does Sid stand for and what is it?
Sid = Statement ID. It is an optional identifier for the statement, so it is not always present.
In AWS IAM policy statement, what does the Effect show?
the Effect states whether the statement allows or denies access (Allow or Deny). If a Deny and an Allow both match the same request, the explicit Deny wins.
In AWS IAM policy statement, what does the principal show?
the account, user, role or AWS service the statement applies to. Principal appears only in resource-based policies (such as an S3 bucket policy) and in role trust policies; in an identity-based policy attached to a user, group or role the principal is implicit and the element is omitted
In AWS IAM policy statement, what does the resource show?
the Resource lists the resources (by ARN) to which the actions apply
In AWS IAM policy statement, what does the Condition show?
the Condition specifies when the statement takes effect, for example only if the caller authenticated with MFA (optional; not always present in the statement)
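The cards above describe the pieces of a policy statement; the following added example (not code from the original flashcards or from AWS) puts them together and evaluates requests against a policy the way IAM does for a single policy: a matching explicit Deny wins, a matching Allow grants access, and anything else is the implicit deny. The sample policy, bucket names and request context are constructed. It also shows the MFA Condition caveat that matters in practice: a `Bool` test on `aws:MultiFactorAuthPresent` is not satisfied when the key is absent, which is exactly the case for requests made with long-term access keys, so a Deny written with `Bool` lets CLI users through; `BoolIfExists` closes that gap.

```python
"""Evaluate a request against an AWS IAM identity-based policy.

Added example, not AWS code. It models the documented decision order for
one policy: a matching explicit Deny wins, otherwise a matching Allow
grants access, otherwise the result is the default implicit deny. Action
and Resource use IAM's '*' / '?' wildcards; only the Bool and BoolIfExists
condition operators are modelled, and NotAction/NotResource are not.
"""
import copy
import fnmatch
import json

# Constructed sample policy: read-only S3 everywhere, but the "finance"
# bucket is denied whenever the caller did not authenticate with MFA.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3Read",
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:ListBucket"],
      "Resource": "*"
    },
    {
      "Sid": "DenyFinanceWithoutMfa",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::finance", "arn:aws:s3:::finance/*"],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
""")

# Same policy with BoolIfExists: the deny then also covers callers whose
# request carries no aws:MultiFactorAuthPresent key at all (long-term
# access keys used from the CLI/SDK never set that key).
HARDENED_POLICY = copy.deepcopy(SAMPLE_POLICY)
HARDENED_POLICY["Statement"][1]["Condition"] = {
    "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, casefold=False):
    """IAM wildcard match ('*' any run, '?' one char); actions are case-insensitive."""
    if casefold:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_met(condition, context):
    """All operators and keys must hold (AND); the values listed for one key are OR'd."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                if operator == "Bool":
                    return False      # an absent key never satisfies Bool ...
                continue              # ... but always satisfies BoolIfExists
            if str(actual).lower() not in [str(v).lower() for v in _as_list(expected)]:
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    return (_matches(_as_list(stmt["Action"]), action, casefold=True)
            and _matches(_as_list(stmt.get("Resource", "*")), resource)
            and _condition_met(stmt.get("Condition", {}), context))


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    context holds the request's condition keys, e.g.
    {"aws:MultiFactorAuthPresent": "true"}.
    """
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _statement_matches(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"     # an explicit deny overrides any Allow
        decision = "Allow"
    return decision


def wildcard_allows(policy):
    """Sids of Allow statements granting every action or every resource (least-privilege review)."""
    return [s.get("Sid", "<no Sid>") for s in _as_list(policy["Statement"])
            if s["Effect"] == "Allow"
            and ("*" in _as_list(s.get("Action", [])) or "*" in _as_list(s.get("Resource", [])))]
```

`evaluate(SAMPLE_POLICY, "s3:GetObject", "arn:aws:s3:::finance/q1.csv")` with no MFA key in the context returns `Allow`, while the same call against `HARDENED_POLICY` returns `ExplicitDeny`; `wildcard_allows` flags `AllowS3Read` because its `Resource` is `*`, which is the kind of statement a least-privilege review should narrow to specific bucket ARNs.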
What are some requirements that you can add when setting up a password policy to create stronger passwords?
Set a minimum password length; require specific character types (e.g. upper and lower case letters, numbers, non-alphanumeric characters); allow all IAM users to change their own passwords; set a password expiration and require users to rotate on expiry; prevent password reuse
What does MFA stand for?
Multi-Factor Authentication
Why should MFA be implemented?
To protect the root account and IAM users. Anyone who obtains a user's credentials can change configuration and delete resources, so a second factor limits the damage a stolen password can do
How does MFA work?
MFA = something you know (your password) + something you have (a security device you own)
What is the main benefit of an MFA?
A stolen or guessed password alone is not enough to sign in; the attacker would also need the physical device, so the account is not compromised
What are the types of MFA devices?
Virtual MFA device, Universal 2nd Factor (U2F) security key, hardware key fob MFA device, hardware key fob MFA device for AWS GovCloud (US)
What are 2 types of virtual MFA devices?
Google Authenticator (phone only) and Authy (multi-device)
True/False Virtual MFA devices can support multiple tokens on a single device
True
What is an example of a Universal 2nd Factor (U2F) Security Key?
YubiKey by Yubico (a third party vendor)
True/False U2F’s such as YubiKey by Yubico can support multiple root and IAM users using a single security key
True
What is an example of a hardware key fob mfa device?
Gemalto
What is an example of a hardware key fob MFA device for AWS GovCloud (US)?
SurePassID
How many options do you have to access AWS?
3
How can you access AWS?
AWS Management Console (protected by password + MFA), AWS CLI (protected by access keys), AWS Software Development Kit/SDK (for code; protected by access keys)
Where are access keys generated?
through the AWS Management Console (or the IAM API/CLI). The secret access key is shown only once, at creation time, so it must be stored securely then
Who manages users’ access keys?
Users manage their own access keys and are responsible for keeping them secret and rotating them
True/False Access keys should be shared
False
True/False Access Key ID is similar to a username
True
True/False The secret access key is similar to a password
True
What is the AWS CLI?
a tool that enables you to interact with AWS services using commands in your command-line shell
What does AWS Command Line Interface provide?
Direct access to the public APIs of AWS services and an alternative to the AWS Management console
What is the AWS SDK?
AWS Software Development Kit. Enables you to access and manage AWS services programmatically.
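The cards above compare the access key ID to a username and the secret access key to a password. The added example below (not code from the original flashcards or from AWS) shows what the CLI and SDKs actually do with that pair when they call the public APIs: Signature Version 4 request signing, implemented with the Python standard library. The access key ID travels in the `Authorization` header to identify the caller; the secret never leaves the client and only seeds an HMAC chain that signs a canonical form of the request, which the service recomputes with its own copy of the secret. The key ID, secret, request and timestamp are constructed placeholders, not real credentials.

```python
"""AWS Signature Version 4 (SigV4) with the standard library only.

Added example, not AWS code. It shows what the CLI and SDKs do with an
access key pair: the access key ID is sent in the Authorization header to
identify the caller, while the secret access key never leaves the client;
it only seeds an HMAC chain that signs a canonical form of the request.
The credentials, request and timestamp below are constructed; none are real.
"""
import datetime
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY_ID = "AKIAEXAMPLECONSTRUCTED"        # constructed, not a real key ID
SECRET_KEY = "constructed-secret-never-sent"    # constructed, not a real secret
NOW = datetime.datetime(2024, 1, 15, 12, 0, 0)  # constructed request time (UTC)
REQUEST = dict(method="GET", host="iam.amazonaws.com", path="/",
               query={"Action": "ListUsers", "Version": "2010-05-08"},
               payload=b"", region="us-east-1", service="iam")


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the day/region/service-scoped key; the raw secret is used only here."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload):
    """Canonical form: method, URI, sorted query, sorted lower-cased headers, payload hash."""
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    lowered = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    payload_hash = hashlib.sha256(payload).hexdigest()
    return ("\n".join([method, quote(path, safe="/~"), canon_query,
                       canon_headers, signed_headers, payload_hash]), signed_headers)


def sign_request(access_key_id, secret, method, host, path, query, payload,
                 region, service, now):
    """Client side: return the headers to send, including the Authorization header."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def verify_request(headers, secret_lookup, method, host, path, query, payload,
                   region, service):
    """Service side: look up the secret by key ID, recompute, compare in constant time.

    A real verifier also rejects requests whose x-amz-date is more than
    15 minutes from the server clock; that check is omitted here.
    """
    auth = headers["Authorization"]
    fields = dict(part.strip().split("=", 1)
                  for part in auth[len("AWS4-HMAC-SHA256 "):].split(","))
    key_id = fields["Credential"].split("/")[0]
    secret = secret_lookup.get(key_id)
    if secret is None:
        return False                          # unknown access key ID
    when = datetime.datetime.strptime(headers["x-amz-date"], "%Y%m%dT%H%M%SZ")
    expected = sign_request(key_id, secret, method, host, path, query, payload,
                            region, service, when)
    return hmac.compare_digest(expected["Authorization"], auth)
```

`sign_request(ACCESS_KEY_ID, SECRET_KEY, now=NOW, **REQUEST)` yields `host`, `x-amz-date` and `Authorization` headers in which the secret never appears; `verify_request` accepts them when given the matching secret and rejects them if the secret is wrong, the key ID is unknown, or any signed part of the request (here the `Action` query parameter) was changed in transit. This is why leaking the secret access key is equivalent to leaking a password, and why the CLI and SDK can authenticate without ever transmitting it.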
What does an IAM role do?
An IAM role is an identity with its own permissions that is assumed rather than owned: AWS services (and, when configured, users or applications) assume the role to perform actions on your behalf and receive short-lived temporary credentials instead of long-lived access keys
Give examples of common IAM roles?
EC2 Instance Roles, Lambda Function Roles, Roles for CloudFormation
What are two IAM security tools?
IAM Credentials Report (account level), IAM Access Advisor (user level)
What does a credential report show?
a CSV report that lists all of your account's users and the status of their credentials (console password, access keys, MFA device and when each was last used or rotated)
What does the IAM access advisor show?
the service permissions granted to a user and when those services were last accessed
How can IAM access advisor be used?
to find services a user is allowed to call but never or rarely uses, and remove those permissions to move the policy toward least privilege
What are the AWS IAM best practices?
1.) don’t use the root user except for AWS account setup
2.) one physical user = one AWS user
3.) create a strong password policy
4.) use & enforce the use of MFA
5.) create & use roles for giving permissions to AWS services
6.) use access keys for programmatic access (CLI/SDK)
7.) audit permissions of your account with the IAM credentials report
8.) never share IAM users and Access Keys
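Several of the best practices above (root usage, MFA enforcement, and auditing with the credentials report) can be checked mechanically from the report described earlier. The added example below (not code from the original flashcards or from AWS) parses a credentials report in the column layout IAM emits and flags a root account without MFA or with active access keys, console users without MFA, and access keys that have not been rotated within 90 days. The report rows, account ID and reference date are constructed so the audit runs offline and reproducibly.

```python
"""Audit an IAM credentials report for account-level hygiene issues:
root without MFA, root with access keys, console users without MFA, and
access keys not rotated within 90 days.

Added example, not AWS code. The columns are the ones IAM emits in the
credentials report (`aws iam get-credential-report` returns it as
base64-encoded CSV); the rows below and the reference time are constructed.
"""
import base64
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed "today"
MAX_KEY_AGE = timedelta(days=90)

# Constructed report: one root row and three IAM users (account 123456789012
# is the placeholder account ID used in AWS documentation).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2022-01-10T09:00:00+00:00,not_supported,2024-01-02T08:00:00+00:00,not_supported,not_supported,false,true,2022-01-10T09:05:00+00:00,2023-12-20T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T10:00:00+00:00,true,2024-01-10T12:00:00+00:00,2023-11-01T09:00:00+00:00,2024-02-01T09:00:00+00:00,true,true,2023-12-01T09:00:00+00:00,2024-01-10T12:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-03-01T10:00:00+00:00,true,2024-01-09T12:00:00+00:00,2023-06-01T09:00:00+00:00,2023-09-01T09:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2021-05-05T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-05-05T10:01:00+00:00,2024-01-12T03:00:00+00:00,eu-west-1,ecr,true,2023-12-15T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""


def decode_report(content_b64: str) -> str:
    """The API returns the CSV base64-encoded in the "Content" field; undo that."""
    return base64.b64decode(content_b64).decode("utf-8")


def _ts(value):
    """Report timestamps are ISO 8601; N/A, not_supported and no_information become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) pairs; an empty list means the report is clean."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root account without MFA"))
        # password_enabled is "not_supported" for root, "true"/"false" for IAM users
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root account has active access key {n}"))
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                findings.append((user, f"access key {n} older than {max_key_age.days} days"))
    return findings
```

Against the constructed report, `audit(SAMPLE_REPORT)` returns five findings: the root account lacks MFA and still carries an old active access key, `bob` can sign in to the console without MFA, and `ci-deploy` has an access key last rotated in 2021; `alice` is clean. To run it against a real account, generate the report with `aws iam generate-credential-report`, fetch it with `aws iam get-credential-report --query Content --output text`, and pass the output through `decode_report` before calling `audit`.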
What is a policy?
a JSON document that defines permissions; it is attached to users, groups or roles