IAM Flashcards
Elements of IAM
Users;
Access key;
Secret key;
Password policy;
Multi-factor Authentication;
Group – collection of users that allows for management of permissions/policies on a group level;
Role – access management for AWS services; created from policies then attached to services;
Policy – JSON document that enables permissions throughout AWS to be given or restricted to users, groups or roles.
STS
Simple Token Service;
Active Directory Federation
Use an on-premises Active Directory (ADFS) server to gain temporary access to AWS.
- User accesses a webpage on the ADFS server and logs in;
- ADFS authenticates the user and returns a SAML assertion;
- Client browser uses the SAML assertion to redirect to an AWS SAML endpoint and calls the AssumeRoleWithSAML API to get temporary credentials;
- Client browser receives the credentials and redirects to a sign-in URL for AWS.
Web Identity Federation
Ability to use 3rd-party providers such as Google, Facebook… to grant permissions to resources without creating explicit users.
- Authenticate with the third-party provider; if successful, a token is returned.
- Using the token provided by the 3rd-party provider, call AssumeRoleWithWebIdentity to gain temporary credentials from AWS.
- Using the temporary credentials, you can now use the CLI or SDKs to access the AWS account with the permissions of the role that was assumed.
SAML
Security Assertion Markup Language (SAML) endpoint: https://signin.aws.amazon.com/saml
IAM Groups
Cannot belong to other groups; cannot be nested.
IAM users can have any combination of credentials that AWS supports, such as an AWS access key, X.509 certificate, SSH key, password for web app logins, or an MFA device.
Users vs Roles
An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.
CANNOT add an IAM role to an IAM group
Policy
You can add as many inline policies as you want to an IAM role, and up to 10 managed policies.
Service-linked role
A type of role that is linked to an AWS service.
Temporary security credential limits
default – 12 hours;
min – 15 minutes;
max – 36 hours;
You cannot restrict temporary security credentials to a particular region or subset of regions.
Federated users CAN access the AWS Management Console
You can specify a session limit between 15 minutes and 36 hours (for GetFederationToken and GetSessionToken) and between 15 minutes and 12 hours (for the AssumeRole* APIs), during which time the federated user can access the console.