IAM Advanced Flashcards
What is AWS Organizations?
A global service for managing multiple AWS accounts at the same time.
You have a main account called the "Management Account".
The other accounts are called "Member Accounts".
Member accounts can only be part of 1 organization.
How does account billing work when using AWS Organizations?
Billing is centralized for all accounts in the management account.
Volume discounts are also aggregated across all accounts.
Reserved Instance and Savings Plan usage is shared.
What are OUs in aws organizations?
They are like groups of AWS accounts, grouped by type.
The Root OU always holds the management account.
Example:
1 OU for Dev aws member accounts
1 OU for Prod aws member accounts
You can create OUs inside other OUs.
For example, an HR OU and a Finance OU inside the Prod OU.
What are the advantages of using aws organizations with OUs?
Having workloads in separate accounts gives you better security isolation between them.
What are Service Control Policies? (SCP)
IAM-style policies applied to OUs or member AWS accounts to restrict all users and roles within those accounts.
They don't apply to the management account.
SCPs have inheritance policies, so if you apply a deny to an OU, all accounts and children OUs in this OU will have the deny applied.
If you apply an allow on an x OU, OUs inside the x will also inherit the allow policy.
What is a great permission boundary use case?
To limit a specific user's permissions without changing any IAM policies.
What are IAM Permission boundaries?
It's like an allow policy you can attach to users and roles (NOT groups). It's a JSON document with specific permissions in a statement, but those permissions define the boundary for the user: it can't do more than what the boundary policy allows.
You still need IAM permissions on top of it to actually grant access to the user or role.
The IAM policy needs to match or be contained in the IAM permission boundary for the user to have any permissions.
If you have a user with a boundary that only includes an allow statement for EC2, and you attach an IAM policy giving it read access on S3, it won't work. The user won't have any permissions until you give it access to an API call on EC2.
What is AWS Identity Center?
A service providing SSO for all your AWS accounts within an organization.
Also SSO for Windows EC2 instances (like an AD domain).
Also for external SAML-enabled apps like Microsoft 365, Salesforce, etc.
It uses an identity provider, which can be the built-in one from Identity Center or an external one like Active Directory, Okta, etc.
You have “permission sets” for access control.
What is AWS Directory services?
Integration with Microsoft AD.
1) AWS Managed Microsoft AD
2) AD Connector
3) Simple AD
AWS Managed Microsoft AD can be connected to on-premises AD with a trust relationship.
AD Connector is a proxy that redirects to your on-premises AD.
Simple AD is an AD-compatible directory managed by AWS; it can't be connected to on-premises AD.
Both support MFA
What is AWS Control Tower?
An easy way to set up and govern a secure, compliant multi-account AWS environment based on best practices.
It uses AWS Organizations to create accounts.
Automates setup of your environment in a few clicks.
Automates policy management using "guardrails".
Detects policy violations and remediates them automatically.
What are control tower guardrails?
Preventive guardrails:
Apply AWS Organizations SCPs to all accounts to restrict service access.
Detective guardrails:
Detect non-compliance using AWS Config, e.g. identifying untagged resources.
When configuring permissions for EventBridge to use a Lambda function as a target you should use ………………….., but when you want to configure a Kinesis Data Stream as a target you should use …………………..
*Identity-based policy, Identity-based policy
*resource-based policy, Identity-based policy
*Identity-based policy, resource-based policy
*resource-based policy, resource-based policy
*resource-based policy, Identity-based policy