IAM & CLI Flashcards
What does IAM stand for?
Identity and Access Management
Is IAM a global or regional service?
global
what is the root account?
created by default, shouldn’t be used or shared
what are users in IAM?
are people within your organization, and can be grouped
what do groups in IAM contain?
only contain users, not other groups
T/F: Users must belong to groups
False
T/F: Users can belong to multiple groups
True
For IAM Permissions, what are the policies?
JSON documents that define permissions for users or groups
Who can be assigned the policies?
users or groups
what are inline policies?
policies assigned to a single user
what is the least privilege principle?
don’t give more permissions than a user/group needs
What does the IAM policy structure consist of?
Version, Id, Statement
What is the Version in IAM policy structure?
policy language version, always include “2012-10-17”
What is the Id in IAM policy structure?
an identifier for the policy (optional)
What is the Statement in IAM policy structure?
one or more individual statements (required)
What do IAM policy structure Statements consist of?
Sid, Effect, Principal, Action, Resource, Condition
what is the Sid for statements?
an identifier for the statement (optional)
What is the Effect in the statement?
whether the statement allows or denies access
Allow, Deny
What is the Principal in the statement?
account/user/role to which this policy applies
What is the Action in the statement?
list of actions this policy allows or denies
What is the Resource in the statement?
list of resources to which the actions apply
What is the Condition in the statement?
conditions for when this policy is in effect
optional
strong passwords result in
higher security
what can you set up in password policy?
• Set a minimum password length
• Require specific character types, including uppercase letters, lowercase letters, numbers, non-alphanumeric characters
• Allow all IAM users to change their own passwords
• Require users to change their password after some time (password expiration)
• Prevent password re-use
What is MFA in aws iam?
password you know and device you know
what do you want to protect with MFA?
root account and iam users
what is the main benefit of mfa?
if a password is stolen or hacked, the account is not compromised
what are the 3 ways to access AWS
AWS Management console
AWS CLI
AWS SDK
what do you need to log in to aws with cli and sdk?
access keys
access key id is like the
username
secret access key is like the
password
what is the aws cli?
open-source tool that enables you to interact with AWS services using commands in your own CLI shell
aws cli provides direct access to what?
public APIs of AWS services
what can you develop with aws cli to manage your resources?
scripts
what does aws sdk stand for?
AWS Software Development Kit
what is aws sdk?
language-specific APIs that enable you to access and manage AWS services programmatically and that can be embedded within your app
what languages does the AWS SDK support?
JS, py, PHP, .net, ruby, java, go, nodeJS, c++, mobile SDKs, IoT device
what are IAM Roles?
aws services you need to perform actions on your behalf to other aws services using permissions
what are common IAM roles?
EC2 instance roles, lambda function roles, and role for cloudformation
What is IAM credentials report?
report that lists all your account’s users and the status of their various credentials
What is IAM Access Advisor ?
Access advisor shows the service permissions granted to a user and when those services were last accessed
What level is IAM credentials report?
acct level
what level is iam access advisor?
user-level
what can you use IAM access advisor information for?
revise your policies
T/F: Don't use the root acct except for AWS acct set up
T
One physical user =
1 aws user
What is the best practice for assigning users ?
assign users to groups
What is the best practice for assigning permissions?
assign permissions to groups
T/F: create strong password policy
T
T/F: Use and enforce use of MFA
T
What do you create and use roles for?
giving permissions to AWS services
what do you use Access Keys for?
Programmatic Access (CLI/SDK)
how do you audit permissions of acct?
IAM Credentials Report
What should never be shared?
IAM Users & Access Keys
what is the Shared Responsibility Model for IAM?
what AWS handles and what the AWS acct owner handles for respons
In the Shared Responsibility Model for IAM, what does AWS handle?
Infrastructure (global network security), Configuration and vulnerability analysis, and compliance validation
In the Shared Responsibility Model for IAM, what does the account owner handle?
Users, Groups, Roles, Policies management and monitoring; enable mfa for all accts; rotate keys often; use IAM tools to apply appropriate permissions; analyze access patterns and review permissions
Users are mapped to
a physical user and has a password for AWS console
Groups contain only
users
Policies are JSON docs that outline
permissions for users or groups
Roles
for ec2 instances or aws services
security
mfa + strong password policy
access keys
access aws using cli or sdk
audit
iam cred report or iam access advisor