IAM, Accounts, and AWS Organizations Flashcards
IAM Policies
Grants or denies access to identities
Policy Document
Written in JSON to tell what is allowed or denied.
(T/F) An individual can have multiple IAM Policies
True
SEAR
Statement ID, Effect, Action, Resource
IAM Policy Document Statements
SEAR or SARE – Statement ID or SID (optional), e.g. FullAccess; Action names the service, then a colon, then the operation, which can be specific or a wildcard, e.g. Action: ["s3:*"]; Resource specifies the resources, which can be specific ARNs or a wildcard, e.g. Resource: ["*"]; Effect is either Allow or Deny.
DAD
Priority of IAM Policy Statements - Deny, Allow, Deny
Priority of IAM Policy Statements
First is explicit deny. If a resource is denied, it cannot be accessed.
Second is explicit allow. If a resource is allowed and there is no explicit deny, it is allowed.
Third is implicit deny. If there is no statement allowing a service, it is denied implicitly.
Two types of IAM Policies
Inline and Managed
Inline Policy
Policy JSON applied to each account individually. Not best practice, since changes have to be made to each individual JSON policy. Usually used for a special or exceptional allow or deny.
Managed Policy
Created as its own object and attached to any identity that needs those access rights. They are REUSABLE and have LOW MANAGEMENT OVERHEAD.
Two types of Managed Policies
AWS Managed Policies and Custom Policies
IAM Users
an identity used for anything requiring LONG-TERM AWS access e.g. HUMANS, APPLICATIONS or SERVICE ACCOUNTS
Authenticated Identity
Username & password (humans) and Access Keys (services); proves identity
Authorization
IAM checking the authentication and allowing or denying access
Exam Alert: (T/F) Internet scale apps and large organizations with more than 5,000 users should use IAM Users.
False. Limit of 5,000 IAM users PER ACCOUNT; an IAM user can be a member of 10 GROUPS. This has design impacts – remember these limits for the exam: a question that discusses large organizations or Internet-scale apps with more than 5,000 users means IAM users will not be the right choice.
IAM Groups
containers for USERS; solely for organizing users
(T/F) You can log into a group
False. You CANNOT log into a group – no credentials, etc.
(T/F) An IAM user can only be a member of one IAM Group.
False. An IAM user can be a member of multiple IAM Groups
IAM Group Policies
Groups can have both kinds of policies, Inline and Managed; a user gets the permissions from each group they belong to plus whatever permissions are attached to the user directly.
(T/F) There isn’t a built-in all-users group in IAM
True. There isn’t a built-in all-users group in IAM – you can create one, but it isn’t native.
(T/F) There is no nesting in groups
True. You cannot nest one group inside another group.
Total groups per account
300 groups per account, but this can be increased with a support ticket
Resource Policy
Controls access to a specific resource and allows or denies identities access to that resource; identities are referenced through their ARN
(T/F) Groups are a true identity of a user
False. Groups are NOT a TRUE IDENTITY. They can’t be referenced as a PRINCIPAL in a resource policy.
IAM Roles
Exists in an AWS account. Best suited for an unknown number of principals or multiple principals. Can be internal or external.
(T/F) IAM roles are ASSUMED. YOU BECOME that role.
True. IAM roles are ASSUMED. YOU BECOME that role. Generally short term. Think about a mobile app that gains access through a role and becomes an identity in an AWS account for a short period of time.
Two types of policies attached to IAM Roles
Trust policy and permissions policy
Trust Policies
Says which identities can assume the role – can reference identities in the same account or AWS services, identities in other AWS accounts, even anonymous identities, or SSO via Google, Facebook, etc.
Permissions Policy
Says what the role can access.
(T/F) Roles cannot be accessed with Resource Policies
False
STS
Security Token Service – sts:AssumeRole – if you see this, know that roles are involved. Works with Temporary Security Credentials.
When to use IAM Roles
All through the Permissions Policy:
- AWS Lambda functions, via a Lambda Execution Role, so you don’t need to hardcode permissions (access keys);
- out-of-the-usual situations (emergencies), think third-party help desk; adding AWS into an on-prem environment – EXISTING IDENTITIES through SSO, or going above the 5,000 user limit;
- an application with 1,000,000s of users that may need to access DynamoDB (ride sharing app) – Web Identity Federation; cross-AWS-account access
Web identity Federation
Uses IAM roles to access certain services and allows SSO through Google, Facebook, etc. – NO AWS CREDENTIALS on the APP, uses EXISTING customer LOGINS, scales to 1,000,000,000’s of accounts and beyond
ID Federation
small number of roles to manage and/or external
(T/F) External accounts can be used in AWS directly
False
Break Glass Situations
emergency situations
Function Invocation or Execution
running a Lambda function
Service Linked role
IAM role linked to a SPECIFIC AWS SERVICE; PREDEFINED by that SERVICE; provides the permissions the SERVICE needs to interact with OTHER AWS SERVICES on your behalf; the SERVICE might create/delete the role itself or allow YOU to do so during SETUP or within IAM
(T/F) You can’t delete the service linked role until it’s no longer required
True
Under Resource in the JSON
Don’t try to guess the service name of the resource: the FORMAT can differ between services and is CASE sensitive
PassRole
gives the ability to implement role separation.
AWS Organizations
Consolidated billing and identities of all accounts.
Hierarchy Structure of AWS Accounts
Take a standard AWS account and create an organization – this becomes the MANAGEMENT (master) account – then invite other accounts into the organization; those invited accounts are member accounts of the organization. Hierarchical. Consolidated Billing (single bill) to the payment account, aka the Management account. Consolidation of RESERVATIONS and VOLUME DISCOUNTS.
Organization Root
Top of the Organization hierarchy. A container within an AWS organization that contains AWS accounts. It also contains other containers, aka organizational units or OUs. The organization root sits at the top with OUs underneath it hierarchically.
Standard AWS Account
An account not within an organization
Service Control Policy (SCP)
Restricts what AWS accounts in the AWS organization can do.
(T/F) Creating a new account within AWS organizations requires no invite process.
True
(T/F) Organizations need IAM users in each account
False. Organizations don’t need IAM users in each account as IAM roles can be used to access other AWS accounts.
Role Switch
Federated on-prem identities switch into other accounts in the organization by assuming a role.
Exam question, the overlap between identity policies and SCP
If not allowed in IAM but allowed in the SCP, it is not allowed. If allowed in IAM but denied in the SCP, it is not allowed. If allowed in IAM and allowed in the SCP, it is allowed.
Service Control Policy (SCP)
ACCOUNT PERMISSIONS BOUNDARIES that LIMIT WHAT AN ACCOUNT CAN DO, including the ROOT USER, within ORGANIZATIONS. They DON’T GRANT PERMISSIONS – THEY LIMIT PERMISSIONS. ALLOW or DENY list. Follows DAD. You can’t restrict the root user directly, it will always have full control of its account, but an SCP can restrict the account, thereby restricting the root user.
CloudWatch Logs
PUBLIC SERVICE; STORE, MONITOR, and ACCESS logging data; AWS INTEGRATIONS – EC2, Lambda, CloudTrail, and more; if no integration, need CLOUDWATCH AGENT; METRIC FILTER (create metrics from the logs)
Log Stream
sequence of log events from the same source
Log Group
Container for log streams; defines retention and permissions, which apply to all streams in the container; metric filters reside here as well
CloudTrail
REGIONAL service. Logs API calls/activities as a CLOUDTRAIL EVENT. Stores 90 days by default in EVENT HISTORY; enabled BY DEFAULT at no cost.
Trail (CloudTrail)
To customize CloudTrail you need to create a TRAIL. A trail can be configured for one region or all regions, and its logs can be stored in an S3 bucket indefinitely; you only pay for the space used in the S3 bucket. CloudTrail can be integrated with CloudWatch Logs through trails.
(T/F) Events are logged in the region where they occurred, or to US East 1 for global services such as IAM, STS, and CloudFront.
True
Two types CloudTrail Events
MANAGEMENT (default) events and DATA (configured and $$) events.
Exam alert, is CloudTrail in real time?
CloudTrail is NOT REAL-TIME, there is a delay (within 15 minutes generally).
Service Catalog
DOCUMENT or DATABASE created by an IT team (service documentation); an organized COLLECTION of PRODUCTS; KEY PRODUCT INFORMATION: owner, cost, requirements, support info, dependencies; defines the approval of provisioning by both IT and the customer.
AWS Service Catalog
SELF-SERVICE portal for end users; launch PREDEFINED PRODUCTS (which ADMINS SET UP). Think of it like this: the sales team needs to launch an EC2 instance, but IT doesn’t want to give them infrastructure capabilities in an AWS account, so IT sets up AWS Service Catalog with CloudFormation and the sales team can launch the instance that way. PRODUCTS are built into PORTFOLIOS.
Admin role in Service Catalog
DEFINE PRODUCTS and PORTFOLIOS using CLOUDFORMATION TEMPLATES and SERVICE CATALOG CONFIGURATION, then deploy the PORTFOLIO to any service-enabled region. Service Catalog users review the PORTFOLIOS they have permissions on and LAUNCH PRODUCTS into service-enabled regions. Service Catalog launches the infrastructure using the DEFINED TEMPLATES, so Service Catalog users don’t need infrastructure permissions.
Exam alert: if any question talks about a need for users or customers to launch services while infrastructure stays tightly controlled, think
Service Catalog
Any exam question about exploring or evaluating cost; it can also give recommendations about reserved instance purchases
CostExplorer
Cost anomaly shows in
CostExplorer
SAML
Security Assertion Markup Language – Open Standard used by IdPs, e.g. MS ADFS. INDIRECTLY use on-premises identities w/ AWS. Used with an ENTERPRISE identity provider (not Google SSO, for example), an EXISTING identity management team, and a SINGLE SOURCE OF TRUTH for MORE THAN 5,000 users. Uses IAM ROLES and TEMP CREDENTIALS (12 hour window).
(T/F) SAML cannot use enterprise credentials directly, they have to be exchanged for AWS credentials.
True
SSO
Manages SSO access to AWS ACCOUNTS and EXTERNAL APPLICATIONS. Flexible IDENTITY SOURCE: a built-in identity store, AWS Managed AD, on-premises AD via TWO-WAY TRUST or AD CONNECTOR, or SAML 2.0.
(T/F) SSO is not preferred by AWS vs traditional workforce identity federation.
False
Two phases of SSO
1.) Single Sign on; 2.) Provides centralized permissions management across accounts.
Exam Alert: If it is web identities such as Facebook, Twitter, Google, it won’t use SSO.
If it is enterprise identities, it will be SSO.