IAM Flashcards
What does IAM stand for?
Identity and Access Management
True or false, IAM is a global service?
True
What should a root account be used for?
For AWS account setup only
Define User
People within your organisation that can be assigned to groups
True or false, a group can contain other groups?
False
True or false, users need to be assigned to groups?
False - however, it is bad practice not to assign users to groups
True or false, a user can belong to many groups?
True
What is an IAM policy?
JSON documents that define a set of permissions for making requests to AWS services, and can be used by IAM Users, User Groups, and IAM Roles.
What principle should you apply when assigning privileges?
Do not give more permissions than the user needs.
(Grant least privilege)
Define Group Policies
Policies applied to everyone in a group
Define Inline Policies
Policies applied to a specific user
What does an IAM policy structure consist of? (x3)
- Version: policy language version
- ID: (Optional) Identifier for the policy
- Statement: One or more statements
What does an IAM policy statement consist of? (x6)
- SID: (Optional) Identifier for the statement
- Effect: Indicates whether the statement allows or denies access, value can be either “Allow” or “Deny”
- Principal: account / user / role the policy applies to
- Action: List of actions this policy allows or denies
- Resources: List of resources the action applies to
- Conditions: (Optional) Conditions under which this policy is in effect
What can you do with an IAM Password Policy? (x5)
- Specify minimum password length
- Require Specific Character types
- Allow all IAM users to change their passwords
- Require users to change their passwords (make passwords expire)
- Prevent password reuse
List Multi-Factor Authentication Options (x4)
- Virtual MFA Device
– Google Authenticator
– Authy
- Universal 2nd Factor (U2F) Security Key
– YubiKey
- Hardware Key Fob MFA Device
– Gemalto
- Hardware Key Fob MFA Device for AWS GovCloud (US)
– SurePassID
What is an IAM role?
An IAM entity that defines a set of permissions for making requests to AWS services, and will be used by an AWS service
List Common IAM Roles (x3)
- EC2 Instance Roles
- Lambda Function Roles
- Roles for CloudFormation
List IAM Security Tools (x2)
- IAM Credentials Report
- IAM Access Advisor
What is the IAM Credential Report?
An account-level report that lists your account’s users and the status of their various credentials
What is IAM Access Advisor?
A user-level tool. Access Advisor shows the service permissions granted to a user and when those services were last accessed.
You can use this information to revise your policies.
List IAM Best Practices (x9)
- Don’t use root account except for AWS account setup
- One physical user per IAM user
- Assign users to groups and assign permissions to groups
- Create a strong password policy
- Use and enforce MFA
- Create and use roles for giving permission to AWS services
- Use Access Keys for Programmatic Access (CLI / SDK)
- Audit permissions of your account using IAM Credentials Report and IAM Access Advisor
- Never share IAM users and Access Keys
What is AWS’s responsibility for IAM? (x3)
- Infrastructure (global network security)
- Configuration and vulnerability analysis
- Compliance validation
What is your responsibility for IAM? (x5)
- Users, Groups, Roles and Policies management and monitoring
- Enabling MFA on all accounts
- Rotating all your keys often
- Using IAM tools to apply appropriate permissions
- Analysing access patterns and reviewing permissions