IAM Flashcards
Limit for IAM users?
Default permissions?
Up to 5000
none
What is the root users username?
What permissions does the root user have?
Can the permissions be changed?
The email address the AWS account was created with
All permissions - full unrestricted access to AWS resources
Some permission can’t be changed
What username can an IAM user provide when logging in?
How does the IAM user get permissions?
The friendly name/alias or their AWS account id
Permissions are obtained for IAM user either by assigning policies to the user or a group the user is in
What are permissions boundaries?
What do they type of security attack to they prevent?
Permissions boundary sets the maximum permissions that a user or role can have
Privilege Escalation
List the logic of policy evaluation performed by AWS?
Decision starts at deny
Evaluate all policies for explicit deny
Now we look for Allow in policies that include the principal:
Evaluate SCP if account is a member of an organization, if no Allow then deny
Evaluate Resource policies, if Allow this policy determines access
Evaluate Identity policies, if doesn’t exist deny or no Allow, then deny
Evaluate Permission Boundary, if doesn’t exist deny or no Allow, then deny
Is Principal a session principal, if no, Allow
If yes, Evaulate Session policy,
if doesn’t exist and this is a role session, Allow,
if doesn’t exist and not a role session, Deny
if does exist and there is an Allow, Allow
Otherwise deny
What is included in the request context for request to an AWS resource?
Action
Resource
Principal
Environment data - IP, user agent, SSL status and date/time
Resource data
List IAM policy types?
Identity based policies
Resource based policies
IAM permissions boundaries
AWS Organization service control policies
Session policies
SCP
AWS Organization service control policies- specifies the maximum permissions for an organization or OU
Session policies
used to evaluate request for resources when the AssumeRole* API actions are taken
List the determination rules for policy evaluation
By default all request are implicitly denied (except root user)
An explicit allow in an identity or resource policy overrides the default
If a permissions boundary, SCP or session policy is present it might override an allow with a implicit deny
An explicity deny in any policy overrides any allows
Indicate intersection or union of policies that include an Allow will result in an Allow for a permission?
Union of permissions allowed in resource and identity policies will result in an allow of all permissions
Intersection of allowed permissions in an identity and permission boundary will result in an allow
Intersection of allowed permissions in an identity and SCP will result in an allow
What is the structure of the JSON for an IAM policy?
Version (usually the date the policy was written)
Statement - list of statements
Statement includes
Effect - Allow or Deny
Action - list of resource actions
Resource - list of specific resource (e.g S3 bucket or RDS table, etc.)
What are IAM best practices for temporary credentials?
Require human users to use federation with an identity provider to access AWS using temporary credentials
Require workloads to use temporary credentials with IAM roles to access AWS
What are IAM best practices for IAM Access Analyzer?
Use IAM Access Analyzer to generate least-privilege policies based on access activity
Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions
Verify public and cross-account access to resources with IAM Access Analyzer
What are IAM best practices for least privilege?
Apply least-privilege permissions
Get started with AWS managed policies and move toward least-privilege permissions
Use IAM Access Analyzer to generate least-privilege policies based on access activity
Use conditions in IAM policies to further restrict access
