IAM Flashcards
Inline Policies vs Managed Policies
Inline policies - attached directly to individual users/groups and allow for fine-grained permissions.
Managed policies - are applied to users, groups, and services. Any change made to a managed policy affects all linked principals/services.
A managed policy has its own ARN.
AWS managed policies provide permissions for common use cases.
Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the identity to which it is applied. For example, if you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they’re intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong identity. In addition, when you use the AWS Management Console to delete that identity, the policies embedded in the identity are deleted as well because they are part of the principal entity.
Authentication
Who are you
Authorization
What are you allowed to do
IAM QUOTAS
5,000 users per account
A user can belong to a maximum of 10 groups
How do you authenticate more than 5,000 users at a time?
- IAM Roles
- Using Cognito
Service-Linked Role
An IAM administrator can create, modify, and delete a service role from within IAM. A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service.
Management Account, Payment Account
The account in an AWS Organization that is billed for all member accounts.
Access Key confidentiality
- The access key ID can be public (it is not sensitive), but the secret access key is meant to be confidential.
Maximum number of access keys allowed per user
- You can create a maximum of two access keys per user (active or inactive); the second key exists for the purpose of manual key rotation.
Access Keys Best practice
Deactivate a key to suspend access whenever necessary.
Create two keys so that they can be rotated.
Access Keys vs Key Pairs
Access keys and key pairs exist to distinguish two types of users. Access keys are for users who create and own instances. Key pairs are for those who use an EC2 instance. Users of the instance do not need to share the owner's access keys because they do not need to create resources, thus maintaining separation of concerns.
Default VPC CIDR
173.31.0.0/16
173.31.0.0/20
173.31.16.0/20
173.31.32.0/20
“sid” in an IAM Policy
Statement ID; it is like a description string that identifies the statement.
Define Identity Federation
The use of IAM to issue temporary access tokens to users of an external identity provider so they can access an AWS resource. They assume the role and carry out their instructions/function.