IAM, Accounts, and AWS Orgs Flashcards

1
Q

What are the 3 types of identity policies in AWS?

A
  1. IAM
  2. USER
  3. ROLE
2
Q

What is a Policy Document created with?

A

JSON

3
Q

What is a policy document?

A

One or more statements which contain permit or deny actions to products/features/services for an identity which uses/consumes that policy.

4
Q

What are the 4 categories in a Policy Document?

A
  1. Statement ID - what it does
  2. Effect - permit/deny
  3. Action - operation you’re trying to perform
  4. Resource - service or product being used/communicated with
5
Q

REVIEW:

You can have overlapping statements in a policy document, but an Explicit Deny statement trumps everything else.

A

By default, there is an Implicit Deny at the bottom of the statement, denying access to everything, i.e. the statement starts off with no access to AWS.

Deny, Allow, Deny

6
Q

What are the 2 main types of policies? (Hint: it’s how they are applied)

A
  1. Inline - assigned individually to an IAM identity; good for exceptional rights/access for a specific user/group/role.
  2. Managed - the policy is created as a standalone object which a user/group/role points to in order to gain whatever access they need.
7
Q

What are the 2 types of Managed Policies?

A
  1. AWS Managed
  2. Customer Managed

8
Q

What is a Principal?

A

A physical person, application, device or process within IAM which wants to authenticate with AWS.

IAM will Authenticate (makes sure the Principal is what it says it is) and then Authorize (attach appropriate policy/statement).

9
Q

What is an Amazon Resource Name (ARN)?

A

Method of uniquely identifying resources in AWS. This is required when provisioning resources.

Ex. arn:aws:s3:::sportsgifs (where double colon skips the field)

10
Q

How many IAM Users per AWS account?

How many groups can an IAM User be part of?

A

5000 users per account.

10 groups per user.

11
Q

What is an IAM Group?

A

A container for IAM Users and/or a way to organize IAM users.

12
Q

REVIEW

IAM users can be part of multiple IAM groups. Policies can be attached INLINE or MANAGED, where Users within a group can also have separate policies assigned via INLINE or MANAGED.

A

If a user is in multiple groups, they will get the policy associated with that group AND they will also have the policies assigned to them directly.

AWS merges all of these policies into a single set of permissions for that specific user.

13
Q

True/False: Can you “nest” within a Group?

A

No - you can’t have a group within another group.

14
Q

How many groups can a single AWS account contain?

A

300 max.

If more are required, you can open a support ticket to get approval for more Groups.

15
Q

True/False: Can a Group be a Principal?

A

No - Groups are not a true “identity”

You can grant access to users within a group, but you can’t grant permissions to a group where all the users in that group suddenly have access.

Ex - you can’t create a resource policy for an S3 bucket and then apply it to the Developers Group, where the Dev Group is the acting “Identity” or Principal.

16
Q

When is an IAM Role used?

A

When there is an unknown number of entities and/or multiple principals.

Permissions are borrowed for a finite amount of time, i.e. the policy/credentials are temporary and do not stay with the user/app/service, as opposed to an IAM User.

17
Q

What are the 2 types of policies that can attach to an IAM Role which give the user consuming that Role access?

A

Trust Policy - permit/deny which identities can assume the Role.

Permission Policy - dictates what the identity assigned to the Role is allowed to access/do.

18
Q

What are the temporary credentials called when assigning permissions to a Role?

A

Secure Token Service (STS)

Once the task is completed the credentials are discarded.

19
Q

REVIEW

The most common use case for IAM Roles is for AWS Services. Services are set up in your account and then need access rights or permissions to perform actions or run certain functions.

Ex. - You enabled LAMBDA in your environment, and upload your code to it. Lambda is then required to run its functions as instructed via the code upload - like starting or stopping a set of EC2 instances - which requires permissions to do.

Lambda will assume an IAM Role which enables it to work with EC2 to create/tear down instances.

A

A trust-policy is assigned which “trusts” Lambda, and a permission-policy is assigned to grant Lambda access to the services or resources that it needs to access.

Roles are always the preferred method for invoking services in AWS to do something on your behalf. This way, you don’t have to provide any static credentials; the service gets temporary credentials via the Role that it is assigned.

20
Q

What IAM policy would you use when prompting users to create an account to access a new service?

A

IAM Role - this way you don’t have to set up individual IAM Users (5K user maximum per account), but rather, they can use their AD credentials to sign into the Role associated with that service.

This is called “ID Federation”

21
Q

What is the hierarchy for AWS Organizations? i.e. which account is at the top and what falls beneath it?

A

The Root Account is the top of the tree.

You can then have a Master account.

Then within that Member accounts and Organizational Units.

22
Q

What is a Service Control Policy (SCP)?

A

A feature within AWS Orgs that restricts what Member accounts within an AWS Org can do - they basically outline permission boundaries.

SCPs are inherited top-down - if they’re placed at the Root level, all accounts in the Org are affected.

23
Q

Which account is never affected by an SCP?

A

Master Account, i.e. this account can’t be restricted.

24
Q

REVIEW

SCPs by themselves don’t grant permissions - they just lay the boundaries on what is/isn’t allowed in Accounts. You can either Whitelist (Allow List) or Blacklist (Deny List) services. Deny List is the default and much easier to manage in AWS, i.e. grant access to all but Deny specific things.

A

The full set of permissions that an Identity in an AWS account gets is the overlap of:

  1. any direct identity policies (Inline or Managed)
  2. SCPs on that account

That’s how we can deny access to certain services, even to a Root User. An Identity policy might allow something within an Account but a portion of it might be beyond what the SCP attached allows.

** think of the picture of 2 circles overlapping **

25
Q

What is a CloudWatch Log?

A

A regional service that allows you to store/monitor/access log data from AWS Services (Logging Sources) which gather the data (Log Events) into the repository.

26
Q

What is a Log Group?

A

Multiple Log Streams coming from the same Source type are grouped together, i.e. 20 different streams from 20 x EC2 instances could be organized into a Log Group.

27
Q

What is CloudTrail?

A

Service that logs API calls/actions, which are called Events, that affect any AWS accounts.

Any action taken by a User, Role, or Service from a management (control plane) or data (data plane) perspective.

28
Q

REVIEW

CloudTrail (just like CloudWatch Logs) is a REGIONAL Service, i.e. it will only log trails within the isolated region that it’s created in. Because services in AWS are split into Regional and Global services, any Global service will automatically log data trails into US-EAST-1 N. Virginia.

A

The types of Trails are:

One Region Trail - always isolated to 1 region; you’d have to manually create a trail in every region

All Regions Trail - encompasses all the regions in AWS and auto-updated when AWS creates new regions (new DCs)

29
Q

How long are Trails (CloudTrail) stored for by default? How do you get around this if needed?

A

90 days.

Integrate Trails with CW Logs or store them into a centralized S3 bucket where the files get compressed and can be stored indefinitely.

30
Q

What two policies are assigned to an IAM Role?

A

Trust Policy

Permission Policy

31
Q

What functionality is provided by CloudTrail?

A

account-wide Auditing and API-logging

32
Q

What is Role Switching?

A

Assuming a Role in another AWS account to access that account via the console UI, without having to leave from the Account (like the Master Account) that you’re currently in.

33
Q

Policy Summary:

A

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations SCPs, ACLs, and session policies.