IAM 2 Flashcards

1
Q

Roles

When you assume a role, what happens to abilities of the account you assumed from?

A

Still there and active, but have to use the other creds

2
Q

Roles

What abilities do you inherit from your old creds when you assume a role?

A

None: your new creds from sts:AssumeRole get nothing from creds used to assume.

3
Q

Roles

User john wants to assume role DbAdmin, what has to be in place?

A

John needs sts:AssumeRole, DbAdmin needs John in its Trust Policy.

4
Q

Roles

Assume role, then permissions on the role change. What happens?

A

Previously-generated temp creds from STS carry the just-made Role permission changes!

5
Q

Confused Deputy

Simple description of Confused Deputy?

A

Say I'm DevOps Inc.: Catagram and Doggogram both trust DevOps to assume a role in their accounts. Trick DevOps into assuming the wrong role!

6
Q

Confused Deputy

Why is this a problem? Aren't Role ARNs secrets that nobody else knows?

A

Role ARNs are not considered sensitive, OK to have them available.

7
Q

Confused Deputy

What’s the fix for Confused Deputy?

A

External ID in Policy – the External ID is secret, Role ARNs aren’t.

8
Q

Confused Deputy

Why is aws:SourceArn so important to security?

A

Helps prevent Confused Deputy

9
Q

Confused Deputy

How do you spot places of potential Confused Deputy?

A

Cross-account Roles that trust other accounts to modify things in my account.

10
Q

Switchrole

What is “Switch role”?

A

Menu option on the AWS console

11
Q

Switchrole

Why don’t I see a list of roles I can switch to on the AWS Console?

A

You have to manually add them (account + role, give it a display name)

12
Q

Switchrole

How do you Switchrole to a role in another AWS account (on the console)?

A

Same as your own account, just enter AWS account number and role on console

13
Q

PassRole

What’s “PassRole”?

A

A Role you can give to other services to assume, but you can’t assume it.

14
Q

PassRole

Why is PassRole good?

A

CloudFormation: you don’t have permission to create things, but can give the Role to CFN to do it.

15
Q

PassRole

How do you see which IAM users have MFA enabled and when they used access keys?

A

Credential Report from the IAM Console

16
Q

PassRole

Change permissions on a Role. What happens to already-assumed creds?

A

They are immediately affected.

17
Q

Revoke Temp Creds

How do you revoke temporary credentials?

A

Can’t! Once created, you can’t cancel them.

18
Q

Revoke Temp Creds

So what do you (human) do the second temp creds get out into the wild?

A

AWS console, Role, click “Revoke Sessions”

19
Q

Revoke Temp Creds

What does revoking sessions do?

A

Adds policy AWSRevokeOlderSessions to the Role with “now” as the conditional date

20
Q

Revoke Temp Creds

How does revoking one session impact other sessions?

A

Also immediately invalidates them! The change was on the ROLE. They need to get new creds.

21
Q

Revoke Temp Creds

What’s the key thing to remember for the exam about revoking creds?

A

You can’t. You can add a conditional deny-all on the assumption date.

22
Q

Revoke Temp Creds

Why can’t you just change the trust policy on a Role to lock out someone with creds?

A

Trust policy only used when assuming the role. Once you have temp creds, you’re good.

23
Q

Service Roles and Service-Linked Roles

What is a Service Role?

A

Role you create and assign to EC2, S3, SQS, Lambda so those services can act.

24
Q

Service Roles and Service-Linked Roles

How can you tell if a Role is a Service Role?

A

Check trust policy for Service Principals

25
Q

Service Roles and Service-Linked Roles

What is a Service-Linked Role?

A

Created by AWS, read-only, used by the service in the background to work with your other resources.

26
Q

Service Roles and Service-Linked Roles

Service-linked Role name pattern?

A

“AWSServiceRoleFor______” (blank = the service it applies to)

27
Q

Service Roles and Service-Linked Roles

Example of a Service-Linked Role for EC2 alarms?

A

AWSServiceRoleForCloudWatchEvents: so CWE can mess with your EC2 instances when alarming

28
Q

Service Roles and Service-Linked Roles

Example of a Service-Linked Role for managing EC2 instances?

A

AWSServiceRoleForAmazonSSM: can mess with EC2, run its own Lambda functions

29
Q

Service Roles and Service-Linked Roles

Help! The SSM Service-Linked Role isn’t listed on my account!

A

It (like many other SLRs) is created when you configure SSM.

30
Q

Service Roles and Service-Linked Roles

Can you edit a Managed Policy?

A

Yes if you created it, no if it’s AWS-provided.