IAM Flashcards
How are users, groups, policies and permissions related? And what about JSON?
- Users or Groups can be assigned JSON documents called policies
- These policies define the permissions of the users
- In AWS you apply the least privilege principle: don’t give more permissions than a user needs
Can multiple policies be associated with one IAM user?
Yes
What's the format of a policy JSON?
What are the components of the policy, and what are the components of a "Statement"?
- A policy consists of
  - Version: policy language version, always include "2012-10-17"
  - Id: an identifier for the policy (optional)
  - Statement: one or more individual statements (required)
- Each statement consists of
  - Sid: an identifier for the statement (optional)
  - Effect: whether the statement allows or denies access (Allow, Deny)
  - Principal: account/user/role to which this policy applies
  - Action: list of actions this policy allows or denies
  - Resource: list of resources to which the actions apply
  - Condition: conditions for when this policy is in effect (optional)
Account and user inter-relation
What can an IAM policy be applied to?
- Identities
  - Users
  - Groups
  - Roles
- Resources
  - S3 buckets
  - EC2 instances
  - DynamoDB tables
- Services
  - Amazon SNS
  - Amazon SQS
  - Amazon RDS
What things are considered identities?
- AWS Account
- IAM Users
- IAM Roles
- IAM Groups
- Federated Users
- AWS Services
What's an ARN?
Amazon Resource Name
What is a principal in AWS IAM?
In AWS, a principal is an entity that can make a request to AWS. Principals can be:
- IAM User
- IAM Role
- AWS Service
- AWS Account and root user
- Anonymous User
- Federated User Sessions
What is an IAM user?
An IAM user is an identity created within an AWS account that represents an individual or application. IAM users have unique credentials and can authenticate themselves to access AWS services.
What is an IAM role?
An IAM role is similar to an IAM user but doesn’t have permanent credentials. IAM roles are used to delegate access to AWS resources and are assumed by trusted entities, such as IAM users or AWS services, to obtain temporary security credentials.
What is an AWS service as a principal?
Some AWS services act as principals to interact with other services and resources. For example, AWS Lambda functions, Amazon EC2 instances, and AWS Step Functions can assume IAM roles and perform actions on behalf of those roles.
What is an AWS account as a principal?
An AWS account itself can be considered a principal. Policies can be attached to the AWS account to define permissions that apply globally across all resources in the account.
What is an anonymous user?
In some cases, AWS resources can be publicly accessible to anonymous users without any authentication. Policies can be defined for anonymous users to control their access to specific resources.
Who can assume a role?
IAM users, AWS services, or even identity federation systems.
How can users access AWS?
- AWS Management Console (protected by password + MFA)
- AWS Command Line Interface (CLI): protected by access keys
- AWS Software Developer Kit (SDK) - for code: protected by access keys
For each of these access methods, what is the principal?
to be done
Name two IAM security tools and what they are used for.
- IAM Credentials Report (account-level)
  - A report that lists all your account's users and the status of their various credentials
- IAM Access Advisor (user-level)
  - Access Advisor shows the service permissions granted to a user and when those services were last accessed.
  - You can use this information to revise your policies.
Can I have more than one principal in an IAM policy JSON?
No, in AWS IAM (Identity and Access Management), you cannot have more than one principal in a single IAM policy JSON. An IAM policy is associated with a single principal, which can be a user, a group, or a role. The principal represents the AWS entity (such as a user or a group) to which the policy applies.
What is an IAM identity?
An IAM identity represents a human user or programmatic workload, and can be authenticated and then authorised to perform actions in AWS.
- Users
- User Groups
- Roles
Who can use an IAM role?
tbd
What's the difference between an identity and a principal?
tbd