IAM Flashcards
Limit for IAM users?
Default permissions?
Up to 5000
none
What is the root user's username?
What permissions does the root user have?
Can the permissions be changed?
The email address the AWS account was created with
All permissions - full unrestricted access to AWS resources
Some permissions can't be changed
What username can an IAM user provide when logging in?
How does the IAM user get permissions?
The friendly name/alias or their AWS account ID
Permissions are obtained for an IAM user either by assigning policies to the user or to a group the user is in
What are permissions boundaries?
What type of security attack do they prevent?
A permissions boundary sets the maximum permissions that a user or role can have
Privilege Escalation
List the logic of policy evaluation performed by AWS?
Decision starts at deny
Evaluate all policies for explicit deny
Now we look for an Allow in policies that include the principal:
Evaluate SCPs if the account is a member of an organization; if no Allow, then deny
Evaluate resource policies; if Allow, this policy determines access
Evaluate identity policies; if none exists or there is no Allow, then deny
Evaluate the permissions boundary; if none exists or there is no Allow, then deny
Is the principal a session principal? If no, Allow
If yes, evaluate the session policy:
if it doesn't exist and this is a role session, Allow
if it doesn't exist and this is not a role session, Deny
if it does exist and there is an Allow, Allow
Otherwise deny
What is included in the request context for a request to an AWS resource?
Action
Resource
Principal
Environment data - IP, user agent, SSL status and date/time
Resource data
List IAM policy types?
Identity based policies
Resource based policies
IAM permissions boundaries
AWS Organization service control policies
Session policies
SCP
AWS Organizations service control policies - specify the maximum permissions for an account that is a member of an organization or OU
Session policies
used to evaluate requests for resources when the AssumeRole* API actions are called
List the determination rules for policy evaluation
By default all requests are implicitly denied (except for the root user)
An explicit allow in an identity or resource policy overrides the default
If a permissions boundary, SCP or session policy is present, it might override an allow with an implicit deny
An explicit deny in any policy overrides any allows
Indicate whether the intersection or union of policies that include an Allow results in an Allow for a permission
Union of permissions allowed in resource and identity policies will result in an allow of all permissions
Intersection of allowed permissions in an identity and permission boundary will result in an allow
Intersection of allowed permissions in an identity and SCP will result in an allow
What is the structure of the JSON for an IAM policy?
What is not required in an IAM policy?
Version (usually the date the policy was written)
Statement - list of statements
Statement includes
Effect - Allow or Deny
Action - list of resource actions
Resource - list of specific resources (e.g. S3 bucket or RDS table, etc.)
Principal element is not required in the policy
What are IAM best practices for temporary credentials?
Require human users to use federation with an identity provider to access AWS using temporary credentials
Require workloads to use temporary credentials with IAM roles to access AWS
What are IAM best practices for IAM Access Analyzer?
Use IAM Access Analyzer to generate least-privilege policies based on access activity
Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions
Verify public and cross-account access to resources with IAM Access Analyzer
What are IAM best practices for least privilege?
Apply least-privilege permissions
Get started with AWS managed policies and move toward least-privilege permissions
Use IAM Access Analyzer to generate least-privilege policies based on access activity
Use conditions in IAM policies to further restrict access
What are IAM best practices for user and credential management?
Apply least-privilege permissions
Require human users to use federation with an identity provider to access AWS using temporary credentials - don't use IAM users; instead use an identity provider or AWS IAM Identity Center
Require multi-factor authentication (MFA)
Update (Rotate) access keys when needed for use cases that require long-term credentials
Follow best practices to protect your root user credentials
Regularly review and remove unused users, roles, permissions, policies, and credentials
What are IAM best practices for account management?
Establish permissions guardrails across multiple accounts
Use permissions boundaries to delegate permissions management within an account
Verify public and cross-account access to resources with IAM Access Analyzer
What are IAM best practices for policy management?
Get started with AWS managed policies and move toward least-privilege permissions
Use IAM Access Analyzer to generate least-privilege policies based on access activity
Regularly review and remove unused users, roles, permissions, policies, and credentials
Use conditions in IAM policies to further restrict access
Can a group be the principal of an identity-based policy? If so, how? If not, why not, and how do you apply a policy to a group?
A group is not an identity and therefore can't be identified as a principal in an identity policy
Use a resource-based policy instead of other policies that require a principal
Can you nest or create a group within a group?
No
IAM Role
used to delegate permissions to resources for users and services
roles are created and then assumed by trusted entities
STS
Security Token Service provides temporary credentials
IAM/identity-based Policy
documents that define permissions and can be applied to users, groups and roles
written in JSON
MFA Protected API Access
Used to enforce another authentication factor (MFA code) when accessing AWS resources
Enforced using the aws:MultiFactorAuthAge condition key
"Condition": { "Null": { "aws:MultiFactorAuthAge": true } }
AWS account root user
When you first create an Amazon Web Services (AWS) account, the email address and password you provide are the credentials for your root user, which has access to all AWS services and resources in the account.
A root user:
Has full access to all AWS services
Cannot be restricted in a single account model
Should not be used for day to day interactions with AWS
Best practice for root user
Manage the account with the administrator user instead of the root user.
Secure your root user credentials
Use a strong root user password to help protect access
Secure your root user sign-in with multi-factor authentication (MFA)
Don’t create access keys for the root user
Use multi-person approval for root user sign-in wherever possible
Use a group email address for root user credentials
Restrict access to account recovery mechanisms
Secure your Organizations account root user credentials
Monitor access and usage
AWS Identity and Access Management (IAM)
Use IAM to:
* Create and manage users, groups, and roles.
* Manage access to AWS services and resources.
* Analyze access controls.
Principals
A principal is an entity that can request an action or operation on an AWS resource. IAM users and IAM roles are the most common principals that you work with.
A principal can also be an AWS service, such as Amazon Elastic Compute Cloud (Amazon EC2), a Security Assertion Markup Language 2.0 (SAML 2.0) provider, or an identity provider (IdP).
Resource-based policies
Attach inline policies to resources. The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies.
IAM permissions boundaries
AWS supports permissions boundaries for IAM entities (users or roles). Use IAM permissions boundaries to set the maximum permissions that an IAM entity can receive.
AWS Organizations provides these key features?
- Centralized management of all your AWS accounts
- Consolidated billing for all member accounts
- Hierarchical grouping of your accounts to meet your budgetary, security, or compliance needs
- Policies to centralize control over the AWS services and API actions that each account can access
- Policies to standardize tags across the resources in your organization's accounts
- Policies to control how AWS artificial intelligence (AI) and machine learning (ML) services can collect and store data
- Policies that configure automatic backups for the resources in your organization's accounts
- Integration and support for IAM
- Integration with other AWS services
- Global access
- Data replication that is eventually consistent
- No cost to use