IAM Flashcards

1
Q

Full Form Of IAM

A

Identity & Access Management

2
Q

Is IAM a regional or global service?

A

Global service

3
Q

What do IAM groups consist of?

A

Only users; groups can’t contain other groups.

In AWS, groups are collections of IAM users. They help organize users, making it easier to manage permissions by attaching policies to a group rather than to individual users. This simplifies access management across multiple users with similar roles or permissions.

  • IAM groups are containers for users; they can’t be logged in to like users.
  • Used to make management of users easier.
  • Groups support administrative-style management of users: attaching policies to a group makes it more convenient to manage permissions at both the group level and the user level.
  • Groups can’t contain other groups.
  • Limit of 300 groups per account.
4
Q

Is it necessary for users to belong to a group?

A

No, it’s not necessary for users to belong to a group in AWS. Users can have permissions assigned individually without being part of a group. Groups are just a helpful way to manage permissions more efficiently, especially when multiple users need the same access rights.

  • Used to make management of users easier.
  • Groups support administrative-style management of users: attaching policies to a group makes it more convenient to manage permissions at both the group level and the user level.
  • AWS doesn’t allow groups in groups. A user may belong to multiple groups at once.
5
Q

Can a user belong to multiple groups?

A

Yes

  • There is no default “all users” group.
  • AWS doesn’t allow groups in groups. A user may belong to multiple groups at once.
  • Limit of 300 groups per account.
6
Q

Why do we create users and groups?

A

So that people and workloads can use AWS services with only the limited permissions they need, instead of sharing the root account.

7
Q

What are IAM permissions?

A

Permissions are defined by policies, which are JSON documents attached to IAM identities.
A policy grants (or denies) the capability to perform specific actions on specific services and resources.

8
Q

Which principle is best practice when granting permissions to users?

A

The principle of least privilege: don’t grant more permissions than a user needs to do their job.

9
Q

True/False (best practice):
Only the root user can create groups and draft policies?

A

False.
The root user’s first action should be to create an admin IAM user.
As a best practice the root user shouldn’t be used for anything beyond creating that admin user and assigning it permissions; day-to-day work, including creating groups and drafting policies, is done by the admin user.

10
Q

IAM Policies inheritance: Group level permissions

A

A user can be in multiple groups and receives the permissions of every group it belongs to, in addition to any policies attached directly to the user.
A group can have multiple users, but it cannot contain sub-groups.
A user need not belong to any group at all.

11
Q

Important IAM policy structure

A

The structure of an IAM policy document is shown below:

Version (policy language version; use "2012-10-17")
# Id (optional policy identifier)
# Statement/s (a single object or an array)
## Sid (optional statement identifier)
## Effect (Allow or Deny)
## Principal (resource-based policies only; identity-based policies must not contain it)
## Action
## Resource
## Condition (optional)
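The two policy documents below are constructed examples added to this card (they are not from the original flashcards or any real account): an over-broad identity-based policy and a least-privilege one scoped to a single hypothetical bucket, together with a small checker that enforces the element structure listed above and flags the wildcard grant the least-privilege card warns against. The bucket name and Sids are made up.

```python
import json

# Constructed sample policies (not from any AWS account). The over-broad one
# grants every action on every resource; the scoped one grants only read access
# to a single hypothetical bucket, example-reports-bucket.
OVER_BROAD_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
"""

LEAST_PRIVILEGE_POLICY = """
{
  "Version": "2012-10-17",
  "Id": "example-readonly-reports",
  "Statement": [
    {
      "Sid": "ListReportsBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-reports-bucket"
    },
    {
      "Sid": "ReadReportObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::example-reports-bucket/*"
    }
  ]
}
"""

KNOWN_VERSIONS = {"2012-10-17", "2008-10-17"}


def _as_list(value):
    """AWS accepts a single string/object or an array for several elements."""
    return value if isinstance(value, list) else [value]


def statements(doc):
    """Return the Statement element as a list of statement objects."""
    return _as_list(doc.get("Statement", []))


def structure_findings(policy_json):
    """Check an identity-based policy against the element structure on this card."""
    doc = json.loads(policy_json)
    findings = []
    if doc.get("Version") not in KNOWN_VERSIONS:
        findings.append("Version missing or unknown; use 2012-10-17")
    for i, st in enumerate(statements(doc)):
        sid = st.get("Sid", f"statement[{i}]")
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        if not ("Action" in st or "NotAction" in st):
            findings.append(f"{sid}: missing Action/NotAction")
        if not ("Resource" in st or "NotResource" in st):
            findings.append(f"{sid}: missing Resource/NotResource")
        if "Principal" in st:
            findings.append(f"{sid}: Principal is only valid in resource-based policies")
    return findings


def least_privilege_findings(policy_json):
    """Flag Allow statements that pair a wildcard action with Resource "*"."""
    doc = json.loads(policy_json)
    findings = []
    for i, st in enumerate(statements(doc)):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{i}]")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action on all resources")
    return findings


if __name__ == "__main__":
    for name, pol in (("over-broad", OVER_BROAD_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, structure_findings(pol), least_privilege_findings(pol))
```

Both documents pass the structure check; only the first trips the least-privilege check, which is the point: a policy can be perfectly well-formed and still far too permissive.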

12
Q

IAM facts

A
  • 5,000 IAM users per account (not per region, since IAM is a global service).
  • An IAM user can be a member of at most 10 groups.
  • These limits mean IAM users are not meant to model the end users of internet-scale applications.
  • Large organisations and org mergers: keep these limits in mind when merging accounts.
13
Q

Resource policy

What is the difference between a resource policy and an IAM (identity-based) policy?

A

IAM (identity-based) policies:

  • Definition: IAM policies manage permissions for IAM identities (users, groups, roles) within an AWS account.
  • Format: Written in JSON (JavaScript Object Notation).
  • Scope: Attached to IAM users, groups, or roles.
  • Purpose: Dictate what actions IAM identities can perform on AWS resources.

Resource policies:

  • Definition: Resource policies control access to specific AWS resources (e.g., S3 buckets, SQS queues) directly.
  • Format: Also written in JSON.
  • Scope: Attached directly to AWS resources.
  • Purpose: Specify who (the Principal) has access to the resource and what actions they can perform, including granting access across AWS accounts.

Key difference:

IAM policies: control access at the identity level within the AWS account.
Resource policies: control access at the resource level, allowing cross-account access and defining permissions directly on the resource.

  • Groups are not a true identity. They can’t be referenced as a principal in a policy.
  • A resource policy therefore can’t grant access to an IAM group in the expectation that every user in the group inherits that access.
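As an added example for this card (constructed here, not part of the original flashcards), the S3 bucket policy below grants a role in a different account read access to objects in a hypothetical bucket, something an identity-based policy in the bucket owner’s account alone cannot do. A second, deliberately wrong document names an IAM group as the principal. The checker requires a Principal on every resource-based statement, rejects group ARNs, and reports which grants cross an account boundary. All account IDs, role, group and bucket names are made up.

```python
import json

# Constructed S3 bucket policy (resource-based). Account 111111111111 owns the
# bucket; the principal is a role in account 222222222222.
CROSS_ACCOUNT_BUCKET_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPartnerRoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::222222222222:role/partner-reader"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-shared-bucket/*"
    }
  ]
}
"""

# Same intent written wrongly: an IAM group is not a principal, so AWS rejects
# this document. Kept as the negative case for the check below.
GROUP_AS_PRINCIPAL_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111111111111:group/analysts"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-shared-bucket/*"
    }
  ]
}
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def aws_principals(statement):
    """Return the AWS principal strings of a statement ("*" or {"AWS": ...})."""
    principal = statement.get("Principal")
    if principal is None:
        return []
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def principal_account(principal):
    """Account ID of an IAM principal: ARN field 4, or the bare account ID form."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def resource_policy_findings(policy_json, owner_account):
    """Check a resource-based policy: Principal is required, IAM groups are not
    valid principals, and any principal outside owner_account is a cross-account grant."""
    doc = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        sid = st.get("Sid", f"statement[{i}]")
        if "Principal" not in st and "NotPrincipal" not in st:
            findings.append(f"{sid}: resource-based policy needs a Principal")
            continue
        for p in aws_principals(st):
            if ":group/" in p:
                findings.append(f"{sid}: {p} is an IAM group, not a valid principal")
            elif p == "*":
                findings.append(f"{sid}: anonymous principal (*)")
            elif principal_account(p) != owner_account:
                findings.append(f"{sid}: cross-account grant to {principal_account(p)}")
    return findings


if __name__ == "__main__":
    print(resource_policy_findings(CROSS_ACCOUNT_BUCKET_POLICY, "111111111111"))
    print(resource_policy_findings(GROUP_AS_PRINCIPAL_POLICY, "111111111111"))
```

The cross-account finding is informational rather than an error: that grant is exactly what a resource policy is for. Note that for a role in another account to actually use the bucket, the role’s own identity-based policy in account 222222222222 must also allow `s3:GetObject` on that resource; the bucket policy alone is not sufficient across accounts.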