IAM, Accounts and AWS Organizations Flashcards
What is the maximum number of IAM users in an AWS account
5000
Which of the following are features of IAM groups
- Admin groupings of IAM Users
- Can hold Identity Permissions
- Can be used to log in (Access Keys)
- Can be used to log in (Username and password)
- Can be nested
- Admin groupings of IAM Users
- Can hold Identity Permissions
Within AWS policies, what is always a priority?
Explicit Deny
What two policies are assigned to an IAM Role
- Permissions Policy
- Assumption Policy
- Resource Policy
- Trust Policy
- Permissions Policy
- Trust Policy
Which of the following are true for IAM Roles
- Roles have associated Long Term Credentials (Access Keys)
- Roles can be assumed
- When assumed - temporary credentials are generated
- Roles can be logged into
- When an identity logs into a role - temporary credentials are generated
- Roles can be assumed
- When assumed - temporary credentials are generated
What three features are provided by AWS Organizations (pick all that apply)?
- Consolidated billing
- Managed assistance for company and AWS account mergers
- AWS Account restrictions using SCP
- Account organisation via OU’s
- Protection against credential leaks
- Company ID reports
- Consolidated billing
- AWS Account restrictions using SCP
- Account organisation via OU’s
What functionality is provided by CloudTrail
- Log Ingestion
- Metrics management
- Account Restrictions
- Account wide Auditing and API Logging
- Account wide Auditing and API Logging
Is it possible to restrict what the Account Root User can do?
- Always
- Never
- If AWS Organisations are used
- If AWS Organizations are used... but not the management account
- If AWS Organizations are used... but not the management account
What is Role Switching?
- Changing the permissions on an IAM Role
- Changing the TRUST on a Role
- Changing who can assume a Role
- Logging into a Role
- Assuming a role in another AWS account to access that account via the console UI
- Assuming a role in another AWS account to access that account via the console UI
What are valid IAM Policy types (choose all that apply)
- AWS Managed Policy
- Customer Managed Policy
- Self-Managed Policy
- Inline Policies
- External Policies
- AWS Managed Policy
- Customer Managed Policy
- Inline Policies
What are trust policies
The trust policy defines which principals can assume the role, and under which conditions.
What are the 3 types of IAM identities
Users
Groups
Roles
When is it usually a good idea to create IAM users
When you can picture one, named thing
What are permissions policies
The permissions policy grants the user of the role the needed permissions to carry out the intended tasks on the resource.
What are the permissions policies priorities
First: Explicit deny
Second: Explicit allow
Third: Default deny
When should you use inline policies
For exceptions
Can you log into IAM groups
No
Do IAM groups have credentials
No
Can groups be referenced as a principal in a policy?
No
Can groups be granted access by a resource policy
No
Is there a builtin all-users group in IAM
No
Can you do IAM group nesting
No
Can you use external accounts/identities to access AWS resources?
No
What kind of identity management should you use for a mobile app
Identity Federation
Is a management account affected by SCPs
No
What is a CloudTrail trail
A unit of config within the CloudTrail product
Where does a CloudTrail trail log
It logs events for its region, or all regions if set (us-east-1)
What is the default CloudTrail log price, and storage time?
Free, but only stores 90 days of data
How can you use CloudWatch and S3 with CloudTrail?
Using trails
Is CloudTrail logging real time?
No
Can groups be referenced directly in a resource policy?
NO
* Groups can ONLY be used in IAM policies, not resource policies
* Use roles as a proxy when you need to grant group-based access in resource policies
* Remember the relationship: Groups → Roles → Resource Policies
* Bad example of a group on a resource (the wildcards lost in the original extraction are restored here):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:group/Developers" // THIS WON'T WORK! A group is not a valid principal
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```
* Good example of group-based access on a resource (via a role the group members can assume):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/DevelopersRole" // CORRECT! A role is a valid principal
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```
Permission boundaries set what?
Sets the maximum permissions an IAM entity (user or role) can have, regardless of the permissions granted by their standard policies.
Think of it like a container - no matter what permissions you grant inside the container, they cannot exceed its boundaries.
Key Concepts:
* Sets maximum allowed permissions (NOT granted permissions)
* Can be applied to IAM users and roles (not groups)
* Useful for delegation while maintaining control
* Evaluated alongside identity-based policies
Exam tips:
1. Boundaries don’t grant permissions by themselves
2. Both the permission policy AND boundary must allow an action
3. Can’t exceed boundaries even with resource-based policies
4. Useful for AWS Organizations to delegate admin tasks safely
Permission boundary policy (the wildcards lost in the original extraction are restored here):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "cloudwatch:*",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
```
User's actual permission policy (the effective permissions are the intersection with the boundary above):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "rds:*", // This won't work - outside boundary
        "cloudwatch:*",
        "ec2:Describe*",
        "ec2:StartInstances" // This won't work - outside boundary
      ],
      "Resource": "*"
    }
  ]
}
```
Can external accounts be used to access AWS resources directly? What do they use?
- No
- External identities such as AD, Google, Facebook, etc. must use Identity Federation and then assume a role to access and use resources.
- Remember any business with >5000 accounts must assume a role
What are some examples of when to use a role?
- Web ID Federation
- Cross Account Access
- Emergency situations
- Corporate mergers
- Anything needing more than 5000 accounts
- AWS services that need to perform a task on your behalf
Describe a Service-Linked Role
- PassRole is NOT an API action - it's a permission to pass a role to a service
- PassRole is crucial for security (prevents privilege escalation)
- Service-Linked Roles:
1. Are predefined by AWS
2. Can only be assumed by the specified service
3. Have permissions defined by AWS (you can’t modify them)
4. Are automatically deleted when the service no longer needs them
Common example with Auto Scaling:
Auto Scaling needs to create/terminate EC2 instances
It uses a Service-Linked Role named “AWSServiceRoleForAutoScaling”
When you create an Auto Scaling group, you need PassRole permission to pass this role to Auto Scaling
Exam tips:
You can’t modify permissions in Service-Linked Roles
PassRole is crucial for security (prevents privilege escalation)
Services can only create Service-Linked Roles if they have permission
Some services create Service-Linked Roles automatically when you take certain actions
Can you modify permissions in Service-Linked Roles?
- No
- Are predefined by AWS
When is the root user on an account restricted?
- When an SCP is attached to the account
- Except the AWS Organizations management account
How are SCPs inherited?
- Inheritance is downward
* Root -> Management -> OU -> Nested OU -> Individual Account
* Attached individually
Do SCPs grant permissions? Or grant permissions to users?
- NO
- SCPs are boundaries; they define the limits of what is/isn't allowed in the account
- Identities must be granted permissions in the account to access resources
What is the default SCP permission?
Deny
What are the two ways to use SCPs?
Allow List vs. Deny List
Explain SCP Allow vs. Deny?
- Use Block by Default, then add certain services = which is called an "Allow List"
- Use Allow by Default, then deny certain services = which is called a "Deny List"
For SCPs, using Block by Default and then adding certain services is called what?
“Allow List”
For SCPs, using Allow by Default and then denying certain services is called what?
“Deny List”
What is the default AWS Organizations SCP when a new account is created and SCPs are enabled or attached?
- Default “Deny List”
- Use Allow by Default, then deny certain services
- FullAWSAccess
An SCP Deny List uses which AWS policy by default?
- FullAWSAccess
- You must attach a deny for any services you want to block
- If FullAWSAccess wasn't attached, there would be no way to perform actions in the account
- As AWS adds services, they are automatically allowed
What is the two-part process to use an SCP "Allow List"?
- Remove FullAWSAccess
- Then add the service or resource
- "Allow List" causes more overhead
In an AWS account with an SCP, what permissions are allowed?
- Only permissions within the SCP
- Only permissions within the Identity Policies of the account