IAM Flashcards
What security control provides visibility for inventory and history of config changes?
Config
What control allows you to see who is doing what, when, how, from where and what resources are affected?
CloudTrail - Auditability
What security control provides controllability?
KMS, CloudHSM: you get to control your keys and where they are used
What provides agility, letting you quickly update security rules and patches in a repeatable and auditable manner?
CloudFormation
What provides automation in helping deploy security updates?
OpsWorks, CodeDeploy
How are IAM roles typically used?
Assigned to services to access other services, but they can also be assumed by IAM users
What is the only thing power users don’t have access to?
IAM. They cannot make IAM changes
What is notable about customer managed policies?
They exist only within one account and cannot be shared
What are the size limits for IAM policies (users, groups, roles)?
2 KB for users, 5 KB for groups, 10 KB for roles. So don’t write overly long policies
What is IAM Credentials Report?
A CSV with details of all users: password last used, password last changed, MFA, access keys last used, rotated, which service used them, etc.
What IAM permissions do you need for Credential Report?
iam:GenerateCredentialReport and iam:GetCredentialReport
What is the size limit of bucket policies?
20 KB
How are bucket policies useful?
To deny access to individual buckets without messing with IAM policies
What happens if an IAM policy for a user is set to only READ an S3 bucket, but an S3 bucket policy on a specific bucket gives that user DELETE permissions?
That user WILL be allowed to delete objects. The S3 bucket policy ADDS to the IAM policy here
What happens if an S3 bucket policy is set to “Deny all actions” for “All principals”?
Nobody will be able to write to or read from that bucket irrespective of IAM policies, not even the root user. The S3 bucket Deny All overrides everything here
What happens if an S3 bucket policy is set to “Deny all actions” for “All principals”, followed by an “Allow all actions” for a specific user?
That user will NOT be able to do anything on S3. Explicit Deny ALWAYS trumps everything else, whether it is defined in an IAM policy or an S3 bucket policy!
What happens if an IAM policy has a “Deny read” for a bucket, but one object inside that bucket is given Read access using an S3 ACL?
Anyone WILL be able to access that object using the S3 URL of the object (since the URL does not know anything about IAM users), but an IAM user will NOT be able to access it by clicking “Open” in the console!
What is the conflict resolution method for S3? (3 steps)
- Is there an explicit deny anywhere? If so, it’s denied
- If there is no explicit deny, is there an ALLOW anywhere? If yes, it’s allowed (only in the same account)
- If there is no explicit deny but no explicit allow either, it’s implicitly denied
How can you enforce HTTPS-only on S3?
Add a bucket policy that Allows all first, followed by a Deny with the Condition: Bool: “aws:SecureTransport”: false
Is Cross Region Replication (CRR) done over SSL by default?
Yes, you do not need to set any bucket policies etc. for it
What does Cross Region Replication require?
Both source and destination buckets must have versioning enabled, and S3 must have permission to read and write objects on your behalf (using a policy in a role it creates)
What happens if the OBJECT owner is not the same as the BUCKET owner?
For CRR, the object owner needs to give the bucket owner permission to read the object using the object ACL
What does CRR require?
An IAM role with permission to replicate objects into the destination account
What is possible in CRR configuration?
To change ownership of the replica object to the replica account owner → useful for putting CloudTrail logs into a secure account with locked-down permissions ← Best Practice
Does CRR replicate objects that are unencrypted, encrypted using SSE-S3, encrypted using SSE-KMS (but ONLY if you turn it on), object metadata, ACL updates, object tags, and delete markers on the current version?
Yes
What does CRR NOT replicate?
Older objects, objects encrypted with SSE-C, objects in the source bucket where the bucket owner does not have permission, and specific versions of source objects (for security)
What to keep in mind when restricting S3 to CloudFront only using OAI?
To “grant read permission to S3” in CF
What’s the only region where CloudFront custom SSL certificates can be created?
us-east-1 only
How to generate a presigned S3 URL?
From CLI only:
aws s3 presign s3://<bucket>/filename --expires-in 300
Default expiry is 3600 sec
STS gives limited access to AWS using 3 methods:
- AD federation: users don’t need to be IAM users, it is based on their AD credentials
- Mobile app federation (FB/Google)
- Other AWS accounts
What is federation?
Federation is joining users from one domain (IAM) to another domain (AD)
What allows this joining (STS)?
An Identity Broker allows this joining (via STS), using identities stored in Identity Stores (Google/FB/AD)
What does the federation process look like?
Federation Process: The user logs in to the Identity Broker, who first authenticates them against an LDAP directory (AD), then contacts STS using GetFederationToken (IAM needs to be set up in advance with permissions to be allowed in STS in response to GetFederationToken). STS returns a token with 4 values: access key, secret access key, token and duration, which is returned to the user. The user logs in to S3 using the token, S3 validates this token against IAM permissions and grants access
What is Cognito used for?
Web identity federation: it acts as an Identity Broker between the app and Web ID providers
How does Cognito work?
Web ID providers like Meta (formerly FB) give a web token to logged-in users; the user gives that to Cognito, which in exchange gives temp credentials mapped to an IAM role to access AWS services
What are User Pools in Cognito?
A directory of user logins, either directly created username/passwords or via Web ID providers like Google/FB. Successful auth generates JSON Web Tokens (JWT)
What are Identity pools in Cognito?
Creates a unique identity for a user and generates temp credentials with which users can access other AWS services like S3/DynamoDB etc. Identity pools exchange JWT tokens for a temp token tied to an IAM role
What is difference between user pools and identity pools?
User pools are for authentication (identity verification). Identity pools are for authorization (access control).
How to set up a Cognito user pool?
- 1) Create an “app client”
- 2) Configure it with a callback URL (where users go after they are signed in), “authorization code grant” (code to be used by the backend to verify auth), “implicit grant” (JWT token), and all OAuth options (this gives access to make API calls and also verification by phone/email)
- 3) Give it a domain name
- 4) Customize the UI with your logo/branding; Done
What does Cognito also allow?
Creating Groups with specific IAM roles and adding users to those groups
What is the difference between a Glacier Archive and a Vault?
Archive = single or multiple files in zip/tar format; Vault = container storing 1 or more archives
Are vault lock policies applied to individual archives or all archives within a vault?
All archives within a vault
How long do you have to change a vault lock policy?
You get 24 hours to validate the vault lock policy and abort if needed; after 24 hours you CANNOT change the policy, ever!
Where do SCPs (Service Control Policies) apply?
Organizational Units (OU) or individual account level
Can an OU be one account, or also multiple?
It can also be just one
What do SCP rules apply to?
All accounts under an OU, including the root user of child accounts. Be careful not to lock them out