IAM & AWS CLI Flashcards
What does IAM stand for?
Identity & Access Management
Is IAM a regional or global service?
Global
What is the root account?
It is created by default when you create an account and shouldn’t be used or shared (except to initially set up the account)
What are users in IAM?
One user represents one person within your organization, and can be grouped
What are groups in IAM?
A group of users
Do users have to belong to a group in IAM?
No (although it is best practice to assign users to groups)
Can a user belong to multiple groups in IAM?
Yes
Can a group in IAM contain other groups?
No, only users
How are permissions handled in IAM?
What is the least privilege principle?
Don’t give more permissions than a user needs
How does policy inheritance work?
What are the elements of an IAM policy?
What can you define in an IAM password policy?
What are two defense mechanisms to protect IAM users?
Password policies and multi-factor authentication (MFA)
What should you add MFA (multi-factor authentication) to?
Root account and IAM users
What is the main benefit of MFA (multi-factor authentication)?
Even if a password is stolen or hacked, the account is not compromised
What MFA (multi-factor authentication) device options are available in AWS?
Virtual MFA device (e.g. Google Authenticator or Authy), which supports multiple tokens on the same device
Universal Second Factor (U2F) Security Key (e.g. physical device, like YubiKey), which supports multiple root and IAM users using a single security key
Other hardware security devices, like a hardware key fob MFA device (e.g. Gemalto) and a hardware key fob MFA device for AWS GovCloud (US) (e.g. SurePassID)
How can users access AWS?
What are AWS access keys and how do you create them?
They are used to protect the AWS CLI and SDK, and users manage their own keys
Access Key Id ~= username
Secret Access Key ~= password
What is the AWS CLI?
What is the AWS SDK?
What is AWS CloudShell?
A terminal within the AWS cloud that is free to use
What happens to files stored in AWS CloudShell if you restart your shell?
The files remain
What is an IAM service role?