IAM Flashcards
What does IAM stand for?
Identity Access Management
What is IAM?
It is an AWS service used to manage users and their level of access to the AWS console.
What are IAM Users?
People using the AWS console.
What are IAM Groups?
A collection of users under one set of permissions.
What are IAM Roles?
Permissions that are created and assigned to:
- AWS Resources
- another AWS account
- Web identity
- or SAML
What are IAM Policies?
Documents that define one or more permissions. They can be attached to a:
- User
- Group
- or Role
What happens if you lose your Secret Access Key in IAM?
You have to generate a new Access Key and Secret Access Key.
What are the 3 IAM Policy Types?
1) Managed
2) Customer Managed
3) Inline
Describe a Managed IAM Policy
- Created and administered by AWS
- CANNOT be changed by the customer
Describe a Customer Managed IAM Policy
- Customer Created
- Used when managed policies don’t meet needs of your environment
Describe an Inline IAM Policy
- Embedded within the user or group to which it applies
- 1:1 relationship
- In most cases AWS recommends managed over inline policies
What does AWS recommend for security (IAM)?
To use roles, because they allow you to avoid using access key IDs and secret access keys.
Roles are also controlled by policies, which take immediate effect if changed.
What is identity federation?
It is an IAM feature that allows users to get temporary access to your AWS account.
What is STS?
AWS Security Token Service
- It creates and gives users temp security credentials to get access to AWS resources
- Global Service with a single endpoint (https://sts.amazonaws.com)
What are the Assume Role Options?
- AssumeRole
- AssumeRoleWithSAML
- AssumeRoleWithWebIdentity
When to use AssumeRole
Used for cross-account access.
Need temp credentials that include an access key ID, secret access key, and security token.
You can also include AWS MFA.
When to use AssumeRoleWithSAML
Want temporary credentials for users who have been authenticated with a SAML authentication response.
Want to link an enterprise identity store/directory to role-based AWS access without having to configure users.
Does not support MFA.
When to use AssumeRoleWithWebIdentity
Want to get temporary security credentials after a user has been verified with:
- Cognito
- Amazon
- OpenID Connect-compatible identity provider
What is a GetFederationToken?
It is an STS Get Token that returns temporary credentials for a federated user, which include:
- access key ID
- secret access key
- security token
Typically used for a proxy app that gets temporary credentials for a distributed app inside a corporate network.
Does NOT support MFA.
What is a GetSessionToken?
It is an STS Get Token that returns temporary credentials for an AWS account or IAM user, including:
- access key ID
- secret access key
- security token
Used if you want MFA to protect certain AWS API calls.
When using the AWS CLI how can you make AWS API calls?
Use your Access Keys (they must have the necessary permissions attached to them).
Think EC2 login from console.
What is AWS SSO?
It is a service that allows you to define federated access permissions for users or groups in a single centralized directory and allow them to access multiple AWS accounts. Works with IdPs as well as SAML-enabled cloud applications (Salesforce, Office 365, etc.).
Can also audit user’s access to cloud services using CloudTrail.
Are IAM roles secure to make API requests from instances?
Yes, they are encrypted and rotated automatically.
How to allow an on-premise data center to have access to various AWS services?
Create a new IAM user with programmatic access. Create a credential file on the app server (~/.aws/credentials) with the access keys.
For apps running outside of the AWS environment you must use an IAM user (even though best practice is to use a role).