IAM 2 Flashcards
Roles
When you assume a role, what happens to abilities of the account you assumed from?
Still there and active, but you have to use the other creds.
Roles
What abilities do you inherit from your old creds when you assume a role?
None: your new creds from sts:AssumeRole inherit nothing from the creds used to assume the role.
Roles
User john wants to assume role DbAdmin, what has to be in place?
John needs sts:AssumeRole, DbAdmin needs John in its Trust Policy.
Roles
Assume role, then permissions on the role change. What happens?
Previously generated temporary creds from STS immediately carry the role permission changes!
Confused Deputy
Simple description of Confused Deputy?
Call the third party DevOps Inc. Catagram and Doggogram both trust DevOps to assume a role in their accounts. Trick DevOps into assuming the wrong role!
Confused Deputy
Why is this a problem? Aren't Role ARNs secrets that nobody else knows?
Role ARNs are not considered sensitive; it's OK for them to be available.
Confused Deputy
What’s the fix for Confused Deputy?
External ID in the policy: the External ID is secret, Role ARNs aren't.
Confused Deputy
Why is aws:SourceArn so important to security?
It helps prevent Confused Deputy.
Confused Deputy
How do you spot places of potential Confused Deputy?
Cross-account roles that trust other accounts to modify things in my account.
Switchrole
What is “Switch role”?
A menu option on the AWS Console.
Switchrole
Why don’t I see a list of roles I can switch to on the AWS Console?
You have to add them manually (account + role, and give it a display name).
Switchrole
How do you Switchrole to a role in another AWS account (on the console)?
Same as for your own account: just enter the AWS account number and the role on the console.
PassRole
What’s “PassRole”?
A role you can give to other services to assume, but that you can't assume yourself.
PassRole
Why is PassRole good?
CloudFormation: you don't have permission to create things yourself, but you can give the role to CFN to do it.
PassRole
How do you see which IAM users have MFA enabled and when they used access keys?
The Credential Report from the IAM Console.