IAM Flashcards
This deck aims to help retain concepts related to the AWS IAM service.
Which policies are attached to IAM identities (Users, User groups, or Roles) and grant permissions to an identity?
Identity-based policies
What types of identity-based policies are there?
- Managed policies (customer-managed, AWS-managed)
- Inline policies
What type of identity-based managed policy is created and administered by you?
Customer-managed policy
What type of identity-based managed policy is created and managed by AWS?
Hint: it has an ARN that includes the policy name.
AWS-managed policy
What type of identity-based policy is created for a single IAM identity (a user, group, or role)?
Hint: it maintains a one-to-one relationship with the identity and is deleted when the identity is deleted.
Inline policy
Which policies are attached to resources (such as an S3 bucket or an IAM role trust policy) and grant permissions to the principal specified in the policy (principals can be in the same account as the resource or in other accounts)?
Resource-based policies
Which policy type uses a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity, but does not grant permissions itself?
Permissions boundary
Which policy type is used to limit the permissions that the role or user’s identity-based policies grant when using AWS CLI or AWS API to assume a role or a federated user, but does not grant permissions itself?
Session policy
Which type of cross-account permissions policies, not utilizing the JSON policy document structure, are used to control which principals in other accounts can access the resource?
Access control lists (ACLs)
Which type of policy is used to define the maximum permissions for account members of an organization or organizational unit (OU), limiting permissions that identity-based or resource-based policies grant to entities (users or roles) within the account, but does not grant permissions itself?
Service control policies (SCPs)
In which order are the “Effect” rules (Allow, Deny) applied when AWS processes policy statements?
- Explicit Deny (overrides all Allow effects)
- Explicit Allow (provides access to the listed resources)
- Implicit Deny (denies access by default)
What identity types are in AWS IAM?
Users, User groups, and Roles
Which identity type is used for long-term AWS access, representing an application, a person, or a service account?
User
What is the limit on the number of IAM groups IAM users can be members of?
Each IAM user can be a member of a maximum of 10 groups
What is the limit on the number of IAM users that can be created per account?
There is a limit of 5000 IAM users per account
Which IAM identities specify a collection of IAM users, primarily to simplify policy management for a large set of users?
User groups
Which IAM identities cannot be used to sign in and do not support nesting?
User groups
Which IAM identities cannot be referenced as principals in a resource-based policy?
User groups
What is the default limit for IAM User groups per account, which can be increased with a support ticket?
300 User groups
Which IAM identity is used to provide short-term access permissions to internal or external principals and can be referenced as a principal in resource-based policies?
Role
Which type of IAM policy defines which principals can assume the role and under which conditions?
Trust policy
Which type of IAM policy defines the specific permissions and actions that the IAM identity is allowed or denied within AWS services and resources?
Permissions policy (IAM policy)
Which two types of policies do IAM roles have attached?
Permissions policy and trust policy
Which type of IAM role is associated directly with an AWS service and includes all the permissions required to call other AWS services on your behalf?
Service-linked role
In what order of precedence do AWS tools (CLI and SDKs) resolve configuration settings and credentials?
- Command line options (--profile, --region)
- Environment variables
- Assume role
- Assume a role with a web identity
- Credentials file (~/.aws/credentials)
- Custom process
- Configuration file (~/.aws/config)
- Container credentials (ECS)
- EC2 instance profile credentials
What are the most common use cases for IAM roles?
- Service execution roles (e.g., Lambda, ECS)
- Identity federation
- Cross-account access
Which string uniquely identifies an AWS resource?
Amazon Resource Name (ARN)
What is the structure of Amazon Resource Name (ARN)?
The structure can vary based on the resource, but generally looks as follows:
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id
S3 example:
- arn:aws:s3:::bucket-name
- arn:aws:s3:::bucket-name/*
EC2 example:
- arn:aws:ec2:us-east-1:4575734578134:instance/i-054dsfg34gdsfg38
How does IAM policy evaluation work, and what are its key components?
- Explicit Deny: Allow = NEXT | Deny = STOP NEGATIVE
- Service Control Policies (SCPs) of the account that contains the identity: Not+Exists or Exists+Allow = NEXT | Exists+Deny = STOP NEGATIVE
- Resource Policies: Allow = STOP POSITIVE | Deny = NEXT
- Permissions Boundaries: Not+Exists or Exists+Allow = NEXT | Exists+Deny = STOP NEGATIVE
- Session Policies: Not+Exists or Exists+Allow = NEXT | Exists+Deny = STOP NEGATIVE
- Identity Policies: Explicit+Allow = STOP POSITIVE | Implicit+Deny = STOP NEGATIVE
How are IAM policies evaluated in multi-account environments?
- Account A: Must allow access to Account B through an identity-based policy (e.g., permissions policy).
- Account B: Must allow access from Account A using a resource-based policy (e.g., bucket policy) or a role trust policy.
What actions must be performed to grant AWS IAM users access to the Billing and Cost Management section?
Activate IAM user access to the Billing and Cost Management console (only needs to be done once) and attach an IAM policy to the IAM users
Which AWS IAM service helps identify resources in an organization and accounts, like Amazon S3 buckets or IAM roles, that are shared with external entities?
AWS IAM Access Analyzer
What feature serves as a placeholder in AWS IAM policies when the exact value of a resource or condition key is not known in advance?
Policy Variables
What type of resource-based policy can be applied to an AWS IAM Role?
Trust Policy
What does the following AWS IAM policy statement enforce?
{
  "Sid": "DenyUnEncryptedObjectUploads",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::<bucket_name>/*",
  "Condition": {
    "StringNotEquals": {
      "s3:x-amz-server-side-encryption": "aws:kms"
    }
  }
}
It enforces that objects uploaded to the specified AWS S3 bucket must be encrypted at rest using SSE-KMS encryption
What does the following AWS IAM policy statement enforce?
{
  "Sid": "DenyIncorrectEncryptionHeader",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::<bucket_name>/*",
  "Condition": {
    "StringNotEquals": {
      "s3:x-amz-server-side-encryption": "AES256"
    }
  }
}
It enforces that objects uploaded to the specified AWS S3 bucket must be encrypted at rest using SSE-S3 encryption
What does the following AWS IAM policy statement enforce?
{
  "Action": [
    "s3:GetObject",
    "s3:PutObject"
  ],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::<bucket_name>/${aws:PrincipalTag/<tag_key>}/*"]
}
It allows Get and Put object actions for a tag-specific prefix (directory) within the specified AWS S3 bucket, with the tag representing a team, department, or similar classification
Can AWS IAM roles and resource-based policies delegate access across different AWS partitions, such as aws and aws-cn?
No, access delegation is only possible within a single AWS partition