IAM, Accounts, and AWS Orgs Flashcards
What are the 3 types of identity policies in AWS?
- IAM
- USER
- ROLE
What is a Policy Document created with?
JSON
What is a policy document?
One or more statements which contain permit or deny actions to products/features/services for an identity which uses/consumes that policy.
What are the 4 categories in a Policy Document?
- Statement ID - what it does
- Effect - permit/deny
- Action - operation you’re trying to perform
- Resource - service or product being used/communicated with
REVIEW:
You can have overlapping statements in a policy document, but an Explicit Deny statement trumps everything else.
By default, there is an Implicit Deny at the bottom of the statement, denying access to everything, i.e. the statement starts off with no access to AWS.
Deny, Allow, Deny
What are the 2 main types of policies? (Hint: it’s how they are applied)
- Inline - assigned individually to IAM account; good for exceptional rights/access to a specific user/group/role.
- Managed - policy is created as an object which the user/group/role points to in order to gain access to whatever they need to have access to.
What are the 2 types of Managed Policies?
- AWS Managed
- Customer Managed
What is a Principal?
A physical person, application, device or process within IAM which wants to authenticate with AWS.
IAM will Authenticate (makes sure the Principal is what it says it is) and then Authorize (attach appropriate policy/statement).
What is an Amazon Resource Name (ARN)?
Method of uniquely identifying resources in AWS. This is required when provisioning resources.
Ex. arn:aws:s3:::sportsgifs (where double colon skips the field)
How many IAM Users per AWS account?
How many groups can an IAM User be part of?
5000 users per account.
10 groups per user.
What is an IAM Group?
A container for IAM Users and/or a way to organize IAM users.
REVIEW
IAM users can be part of multiple IAM groups. Policies can be attached INLINE or MANAGED, where Users within a group can also have separate policies assigned via INLINE or MANAGED.
If a user is in multiple groups, they will get the policy associated with that group AND they will also have the policies assigned to them directly.
AWS merges all of these policies into a set of permissions for a specific user.
True/False: Can you “nest” within a Group?
No - you can’t have a group within another group.
How many groups can a single AWS account contain?
300 max.
If more are required, you can open a support ticket to get approval for more Groups.
True/False: Can a Group be a Principal?
No - Groups are not a true “identity”
You can grant access to users within a group, but you can’t grant permissions to a group where all the users in that group suddenly have access.
Ex - you can’t create a resource policy for an S3 bucket and then apply it to the Developers Group, where the Dev Group is the acting “Identity” or Principal.
When is an IAM Role used?
When there is an unknown number of entities and/or multiple principals.
Permissions are borrowed for a finite amount of time, i.e. the policy/credentials are temporary and do not stay with the user/app/service, as opposed to an IAM User.
What are the 2 types of policies that can attach to an IAM Role which give the user consuming that Role access?
Trust Policy - permit/deny which identities can assume the Role.
Permission Policy - dictates what the identity assigned to the Role is allowed to access/do.
What are the temporary credentials called when assigning permissions to a Role?
Secure Token Service (STS)
Once the task is completed the credentials are discarded.
REVIEW
The most common use case for IAM Roles is for AWS Services. Services are set up in your account and then need access rights or permissions to perform actions or run certain functions.
Ex. - You enabled LAMBDA in your environment, and upload your code to it. Lambda is then required to run its functions as instructed via the code upload - like starting or stopping a set of EC2 instances - which requires permissions to do.
Lambda will assume an IAM Role which enables it to work with EC2 to create/tear down instances.
A trust-policy is assigned which “trusts” Lambda, and a permission-policy is assigned to grant Lambda access to the services or resources that it needs to access.
Roles are always the preferred method for invoking services in AWS to do something on your behalf. This way, you don’t have to provide any static credentials; the service will get temp credentials via the Role that it gets assigned.
What IAM policy would you use when prompting users to create an account to access a new service?
IAM Role - this way you don’t have to set up individual IAM Users (5K user maximum per account), but rather, they can use their AD credentials to sign into the Role associated with that service.
This is called “ID Federation”
What is the hierarchy for AWS Organizations? i.e. Which account is at the top and what falls beneath it?
The Root Account is the top of the tree.
You can then have a Master account.
Then within that Member accounts and Organizational Units.
What is a Service Control Policy (SCP)?
A feature within AWS Orgs that restricts what Member accounts within an AWS Org can do - they basically outline permission boundaries.
SCPs are inherited top-down - if they’re placed at Root level, all accounts in the Org are affected.
Which account is never affected by an SCP?
Master Account, i.e. this account can’t be restricted.
REVIEW
SCPs by themselves don’t grant permissions - they just lay the boundaries on what is/isn’t allowed in Accounts. You can either Whitelist (Allow List) or Blacklist (Deny List) services. Deny List is the default and much easier to manage in AWS, i.e. grant access to all but Deny specific things.
The full set of permissions that an Identity in an AWS account gets is the overlap of:
- any direct identity policies (Inline or Managed)
- SCPs on that account
That’s how we can deny access to certain services, even to a Root User. An Identity policy might allow something within an Account but a portion of it might be beyond what the SCP attached allows.
** think of the picture of 2 circles overlapping **