IAM, ACCOUNTS AND AWS ORGANISATIONS Flashcards
IAM Identity Policies
policy statements that tell AWS which resources can or can't be accessed using that identity
What takes priority when evaluating an IAM policy?
An explicit Deny statement always takes precedence over an explicit Allow
What if there is no explicit Deny or Allow in an IAM policy?
Access to the AWS resource is denied by default (implicit deny)
Inline policies
policies attached directly to individual identities
used for special or exceptional Allows or Denies alongside managed policies
Managed Policies
reusable, with low management overhead
IAM Users
identity used for anything requiring long-term AWS access, e.g. humans, applications or service accounts
What are Access Keys used for?
Humans using the CLI, and applications
IAM user account limit
5,000 IAM users per account
Account Group limits
an IAM user can be a member of up to 10 groups
IAM Groups
containers for IAM users
Can IAM groups have policies attached to them?
yes, groups can have both inline and managed policies attached
cons of IAM Groups
- no nesting
- no built in All users group
- 200 groups per account (soft limit, can be increased)
- not an identity
What can't you do with an IAM group that you can do with an IAM user?
You cannot log in to a group, so it is not a true identity and can't be referenced as a principal in a policy
Principal
Physical person, application, device, or process which wants to authenticate with AWS
IAM user vs IAM role
single principal
long-term usage
can have policies attached, both inline and managed
IAM Role vs IAM User
multiple principals, internal or external
more than 5,000 users
generally used on a temporary basis
has a trust policy and a permissions policy
Trust Policy
controls which identities can assume that role
Permissions Policy
roles can be referenced in resource policies
What operation is done to allow an IAM role to function if the role is created in the CLI?
Temporary security credentials are generated by the AWS Security Token Service via the call
sts:AssumeRole
If done in the UI, the credentials are always added when creating the IAM role
If done in the UI, the credentials have to be added to the IAM role before it can be used with AWS resources
Wayne works at the Galaxe help desk. Wayne is in the Help desk group and as such only has read access, but there are cases where he would need write access. What solution can you provide?
We can create an IAM role (e.g. an "emergency role") that Wayne can assume when the situation requires it, gaining write access.
Company A has over 5,000 users in their existing Microsoft Active Directory. Those users need access to an S3 bucket containing essential company resources. How could they access the resources? What would be your solution?
External accounts can't be used directly, but we can have those identities assume an IAM role when they need to access S3.
AWS Organization
allows the management of multiple AWS accounts from one AWS account, called the management account
AWS Organization Consolidated Billing
individual billing is removed from the member accounts of an organization and the management account is billed instead
How are you able to access member accounts in AWS Organizations?
When you invite an existing AWS account into the organization you have to create the IAM role manually; when you create an AWS account within the organization, AWS creates the role for you.
What is the name of the role that AWS uses when switching into another AWS account under the management account?
Service Control Policies
account permission boundaries
that limit what an account can do
they don't grant any permissions
Can an SCP (service control policy) restrict what a root user can do?
No, root users themselves can never be restricted directly. An SCP limits what an account can do and so indirectly impacts what its root user can do.
FullAWSAccess
default policy that is applied when you enable service control policies (SCPs)
Allows access to all AWS services
Deny List Architecture (SCP)
By default all AWS services are allowed, which scales with AWS as new services are added
To deny a service you have to add it to a deny list
Allow List Architecture (SCP)
where the default FullAWSAccess policy is removed
all services are then denied
you have to create an allow list to grant access to services
CloudWatch Logs
A public service that lets you store, monitor and access logging data, with AWS integrations
CloudTrail
Logs API actions that affect an AWS account
enabled by default with 90 days of history
Management Events
control-plane operations such as creating an EC2 instance or a VPC
Data Events
resource operations performed on or in a resource like objects being added to S3
What's so special about IAM, STS and CloudFront?
They are global services; their events are always logged in us-east-1
Can CloudTrail log global service events?
yes, but it needs to be enabled
Trails
the unit used to configure delivery of events to S3 and CloudWatch Logs
AWS Security Token Service (AWS STS)
is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources.
Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use.