IAM - Advanced Flashcards
What is the AWS Organisations service?
A global service that allows you to manage multiple AWS (“member”) accounts through a main account called the management account
Can member accounts be part of more than 1 AWS organisation?
No
What are 2 benefits of using an AWS organisation?
Consolidated billing and the ability to share Reserved Instance/Savings Plans discounts across accounts
Sending logs/CloudTrail to a central account
What mechanism can be used to group accounts together with Organisations?
Organisational units
What are service control policies?
IAM policies that are applied to organisational units or accounts to restrict users and roles
Is the management account beholden to service control policies?
No, it is above SCPs and IAM policies
Are service control policies explicit allow or explicit deny?
Explicit allow - everything is denied by default
What are IAM conditions?
Kind of like ‘if’ statements that can be used to increase the complexity of your IAM policies
What is the difference between a resource-based policy and an IAM role for accessing resources?
A resource-based policy is attached to the resource itself, whereas with a role the role has access to the resource and is inherited by the accessor.
When the accessor inherits the role, they lose their other permissions and only have the permissions associated with the role
Are resource-based policies available for all services?
No
EventBridge uses
a) resource-based policies
b) IAM roles
c) either - it depends on the service it links to
to get permissions on the target when it runs a rule
c) Either - it depends on the service it links to
For example, for Lambda, SNS and SQS it uses resource-based policies; for Kinesis Data Streams, EC2 Auto Scaling and ECS tasks it uses IAM roles
What are IAM permission boundaries?
Boundaries that define the maximum permissions an IAM entity can get
Which of users, roles and groups do IAM permission boundaries apply to?
Users and roles
What operates at a higher level (priority) - permissions or permission boundaries?
Permission boundaries
What is IAM Identity Centre?
The successor to AWS Single Sign-On: a single login for AWS accounts, business cloud applications, SAML 2.0 applications, etc.
What is a permission set in IAM Identity Centre?
A way to define which users can access what applications and to what level.
Permission sets are assigned to groups of users
What is the idea of attribute based access control?
The idea that you assign tags to users and then as they move around you change these tags and thus their associated permissions
What are the 3 main AWS Directory offerings?
AWS Managed Microsoft Active Directory
Active Directory Connector
Simple Active Directory
What is AWS Managed Microsoft AD?
An easy way to fully integrate with an existing on-premises Microsoft AD through a two-way trust relationship, where the local and cloud sides both trust each other and so each can handle requests in its own environment.
Which 2 AWS Directory offerings support MFA?
AWS Managed Microsoft AD and AD Connector
What service would be used to set up and govern a secure and compliant multi-account AWS environment based on best practices?
AWS Control Tower
What are the 2 types of guardrails for policy management?
Detective and preventative
AWS Control Tower enables the automation of ______ ______ ______ using guardrails
AWS Control Tower enables the automation of ongoing policy management using guardrails