IAM & AWS CLI Flashcards
IAM stands for
Identity and Access Management
Is IAM a global service? (Globally Resilient)
Yes. IAM users, groups, roles and policies are account-wide, not tied to a region
Created automatically when creating a new AWS account
Root User
Has full control of the AWS Account
Root User
Bills to the AWS account payment method as they are consumed
Resources
Best practice that adds an extra layer of protection on top of your user name and password
AWS Multi-Factor Authentication (MFA)
Can the root User be restricted?
No. IAM policies cannot limit it; the only control that applies is an Organizations SCP on a member account (the management account's root user cannot be restricted at all)
Can be used by AWS services or for granting external access to your account
Roles
Objects or documents which can be used to allow or deny access to AWS services when they are ATTACHED to groups, users, or roles
Policies
Long term credentials in AWS
Access Keys
Policy created for a single IAM identity, with a strict one-to-one relationship to that identity. It is deleted automatically when the identity is deleted.
Inline Policy
Used for special or exceptional allows or denies
Inline Policy
Standalone policy object that can be attached to many identities and remains when any of them is deleted; it has no one-to-one relationship to an identity
Managed Policy (AWS managed or customer managed)
Takes precedence over everything else in policy evaluation: it overrides any Allow (with no matching Allow at all the result is an implicit deny)
Explicit Deny
Assumed temporarily by any number of principals (people, AWS services, federated identities); it represents a level of access in an AWS account rather than a single identity
IAM Role
Using an external identity provider (SAML 2.0, OIDC or a custom broker) and letting those external identities assume roles to perform actions
Identity (ID) Federation
Predefined IAM Role that is linked to a specific AWS Service
Service-linked roles
Max IAM users per account
5000
Manage your AWS services using the command-line
AWS CLI
Manage your AWS services using a programming language
AWS SDK
Used to audit the credentials and permissions in your account
IAM credential report (every user with password, MFA and access-key status) & IAM Access Advisor (service last-accessed data)
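The credential report is a CSV, so auditing it is a parsing job. The script below is an added example, not code from the flashcards or from AWS: it reads a constructed, trimmed excerpt of a report for the documentation example account 123456789012 (the column names are the real ones, the rows are invented) and flags the three things a reviewer looks for first: active access keys on the root user, console users without MFA, and active access keys older than the rotation limit. The fixed `AS_OF` date only exists so the sample is reproducible.

```python
"""Audit an IAM credential report (added example, not AWS code).

The report AWS returns is a CSV with one row per IAM user plus a
<root_account> row.  Column names below are the real ones; the rows are a
constructed, trimmed sample.  A real report is fetched with:
    aws iam generate-credential-report
    aws iam get-credential-report --query Content --output text | base64 -d
"""
import csv
import io
from collections import namedtuple
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2022-01-10T08:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,false,true,2022-01-10T08:05:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-03-02T12:00:00+00:00,true,2024-05-20T07:30:00+00:00,true,true,2024-04-01T12:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-06-15T09:00:00+00:00,true,2024-05-19T16:45:00+00:00,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-11-01T10:00:00+00:00,false,no_information,false,true,2022-11-01T10:01:00+00:00,true,2023-12-01T10:00:00+00:00
"""

# Fixed "now" so the sample above always produces the same findings (assumption).
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)

Finding = namedtuple("Finding", "user code detail")
ROOT = "<root_account>"


def _parse_time(value):
    # Timestamps are ISO 8601 with an explicit offset; non-dates appear as
    # "N/A", "not_supported" or "no_information".
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=None, max_key_age_days=90):
    """Return Findings for root access keys, console users without MFA and
    active access keys older than max_key_age_days."""
    now = now or datetime.now(timezone.utc)
    max_age = timedelta(days=max_key_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT
        # The root user always has a console password (the report says
        # "not_supported" for it); IAM users only need MFA here if they have one.
        has_password = is_root or row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings.append(Finding(user, "NO_MFA", "console sign-in possible without MFA"))
        for key in ("access_key_1", "access_key_2"):
            if row[f"{key}_active"] != "true":
                continue
            if is_root:
                findings.append(Finding(user, "ROOT_ACCESS_KEY", f"{key} is active on the root user"))
            rotated = _parse_time(row[f"{key}_last_rotated"])
            if rotated is not None and now - rotated > max_age:
                findings.append(Finding(user, "STALE_ACCESS_KEY",
                                        f"{key} last rotated {(now - rotated).days} days ago"))
    return findings


if __name__ == "__main__":
    for f in audit_credential_report(SAMPLE_REPORT, now=AS_OF):
        print(f"{f.user:15s} {f.code:17s} {f.detail}")
```

Run against the sample, `alice` produces no finding (password with MFA, key rotated within 90 days), `bob` is flagged for a console password without MFA, `ci-deploy` for two stale keys, and the root user for all three problems. Users without a console password are deliberately not flagged for missing MFA, because a service account such as `ci-deploy` cannot use it; its risk is the long-lived access keys.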
Practice of not giving a user more permissions than the task requires
Principle of Least Privilege
Short-lived access tokens that act as temporary security credentials to allow access to your AWS resources
AWS Security Token Service (AWS STS)
Policies you attach to IAM Users, Groups and Roles
Identity-based policies
Policies that you attach to AWS services that support this type of policy, such as Amazon S3 buckets
Resource-based policies
Element of a resource-based policy (or a role's trust policy) that specifies which principals the statement applies to; identity-based policies omit it because the attached identity is implied
Principal element
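The cards on inline versus managed policies, explicit denies, identity-based versus resource-based policies and the Principal element all describe one evaluation procedure. The evaluator below is an added example written for this deck, not AWS code: it applies the same-account rules (implicit deny by default, any matching Allow grants, any matching explicit Deny wins) to constructed policies in the real IAM JSON shape. Account `123456789012`, the users `alice`, `bob` and `carol` and the bucket names are invented; wildcard matching is plain globbing and Condition, NotAction, NotResource, NotPrincipal and cross-account rules are not modelled.

```python
"""Toy IAM policy evaluator (added example, not AWS code).

Same-account evaluation rules from the flashcards:
  1. every request starts as an implicit deny;
  2. an Allow in any applicable policy grants access, whether the policy is
     identity-based (inline or managed, attached to the principal) or
     resource-based (attached to the resource and naming the principal);
  3. an explicit Deny in any applicable policy overrides every Allow.
Simplifications: Action/Resource wildcards are plain '*'/'?' globbing;
Condition, NotAction, NotResource, NotPrincipal and cross-account rules
are ignored.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed example account ID


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    patterns = _as_list(patterns)
    if case_insensitive:  # IAM action names are case-insensitive, ARNs are not
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _principal_matches(principal, principal_arn):
    # "*" means anyone (including anonymous); {"AWS": ...} lists principal ARNs.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS")))
    return False


def evaluate(principal_arn, action, resource, identity_policies=(), resource_policy=None):
    """Return 'allow', 'explicit deny' or 'implicit deny' for one request."""
    applicable = []
    for policy in identity_policies:            # inline and managed both count
        applicable.extend(_as_list(policy.get("Statement")))
    if resource_policy is not None:             # only statements naming this principal
        for st in _as_list(resource_policy.get("Statement")):
            if _principal_matches(st.get("Principal"), principal_arn):
                applicable.append(st)

    allowed = False
    for st in applicable:
        if not _matches(st.get("Action"), action, case_insensitive=True):
            continue
        if not _matches(st.get("Resource", "*"), resource):
            continue
        if st.get("Effect") == "Deny":
            return "explicit deny"              # wins no matter how many Allows matched
        if st.get("Effect") == "Allow":
            allowed = True
    return "allow" if allowed else "implicit deny"


# Constructed policies in the real IAM JSON shape.
READ_ONLY_S3 = {  # customer managed (standalone) policy shared by many users
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}],
}
DENY_PAYROLL = {  # inline policy: one exceptional deny for one identity
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::payroll-bucket/*"}],
}
DENY_ALL_S3 = {  # inline policy used to show a Deny beating a resource-based Allow
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}],
}
SHARED_BUCKET_POLICY = {  # resource-based policy: must carry a Principal
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/bob"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-bucket/*"}],
}
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
CAROL = f"arn:aws:iam::{ACCOUNT}:user/carol"


def demo():
    alice_policies = [READ_ONLY_S3, DENY_PAYROLL]
    shared = "arn:aws:s3:::shared-bucket/file.txt"
    return {
        "alice reads data-bucket": evaluate(ALICE, "s3:GetObject", "arn:aws:s3:::data-bucket/report.csv", alice_policies),
        "alice reads payroll-bucket": evaluate(ALICE, "s3:GetObject", "arn:aws:s3:::payroll-bucket/salaries.csv", alice_policies),
        "alice writes data-bucket": evaluate(ALICE, "s3:PutObject", "arn:aws:s3:::data-bucket/new.csv", alice_policies),
        "bob reads shared-bucket": evaluate(BOB, "s3:GetObject", shared, [], SHARED_BUCKET_POLICY),
        "bob with inline deny reads shared-bucket": evaluate(BOB, "s3:GetObject", shared, [DENY_ALL_S3], SHARED_BUCKET_POLICY),
        "carol reads shared-bucket": evaluate(CAROL, "s3:GetObject", shared, [], SHARED_BUCKET_POLICY),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:42s} -> {decision}")
```

Three things the cards state fall out of the run: `alice` is allowed on `data-bucket` through the managed policy but explicitly denied on `payroll-bucket` by her inline exception, and anything neither policy mentions (`s3:PutObject`) is an implicit deny; `bob` reaches `shared-bucket` with no identity-based policy at all because the bucket policy's Principal names him, while `carol`, whom it does not name, gets an implicit deny; and an inline Deny on `bob` overrides the bucket policy's Allow.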
Term that refers to the process where principal proves their identity
Authenticate
Term to allow or deny access to resources
Authorize
Used when your existing identity store is not compatible with SAML 2.0
Custom identity broker application that authenticates the user and calls STS (AssumeRole or GetFederationToken) to obtain temporary security credentials