IAM (Identity Access Management)

Question 1

Is IAM a global service on AWS? If the answer to this question is “yes”, what are the implications for users and permissions?

Answer 1

Because IAM is a global service on AWS, users and permissions apply across all available AWS regions.

Question 2

What is IAM?

Answer 2

IAM (Identity Access Management) is a service on AWS that allows you to manager users and their level of access to the AWS console.

Question 3

Name 9 key features that IAM provides.

Answer 3

1. Centralised control of your AWS account
2. Shared access to your AWS account
3. Granular permissions
4. Identity Federation (AD, Facebook, LinkedIn)
5. Provides temp access to users, devices and services
6. Setup your own Password rotation policy
7. Integrates with other AWS services
8. Supports PCI DDS compliance
9. MFA (Multi-factor Authentication)

Question 4

Are instances global or regional?

Answer 4

Instances are regional

Question 5

Where do the permissions for instances apply?

Answer 5

Despite instances being regional, the permissions apply regardless of where the instance is

Question 6

Can you provide regional based access to instances?

Answer 6

Yes. You could for example, allow EC2 admins to only start and stop instances in a given region

Question 7

What is an ARN and what is its purpose?

Answer 7

Amazon Resource Name. It uniquely identifies an AWS resource

Question 8

What are the two policies in IAM? Name them and elaborate on what each policy is for.

Answer 8

Inline Policy is a policy assigned to one user or one group –used to apply permissions in one off instances.

Managed Policy is a prebuilt policy either by AWS or an admin user inside the AWS account.

Question 9

What are the implications of having an explicit “deny” in a policy?

Answer 9

An explicit deny will always override any “allow”.

Question 10

All permissions are implicitly denied until you grant those permissions explicitly.

True or False.

Answer 10

True.

Question 11

When assigning permissions, what important principle should you follow and keep in mind?

Answer 11

The principle of least privilege security which advises that you should only provide the bear minimum permissions required for a user to do their job and no more.

Question 12

What is the best way to go about assigning permissions?

Answer 12

You should assign permissions to groups and assign users to those groups. The permissions assigned to the groups will apply to the users in the groups.

Question 13

Which tool enables you to test the effects of IAM policies before committing them to production?

Answer 13

The IAM Policy Simulator. This helps validate that policies work as expected.

Question 14

In which formate are policy documents written?

Answer 14

In JSON format, as a series of key-value pairs

Question 15

What are the four key things that IAM consists of and briefly describe each of them.

Answer 15

1. Users: end users interacting with console or CLI
2. Groups: a collection of users under one set of permissions
3. Roles: created and assigned to AWS resources
4. Policy: a document that defines one or more permissions

Question 16

Which IAM entity can you use to delegate access to your AWS resources to users, groups or services?

Answer 16

IAM role

Question 17

AWS recommends that EC2 instances have credentials stored on them so that the instances can access other resources (such as S3 buckets).

True or False?

Answer 17

False

Question 18

Which is the best way to enable your EC2 instance to read files in an S3 bucket?

Answer 18

Create an IAM role with read-access to S3 and assign the role to the EC2 instance

Question 19

What are IAM roles and what are its functions?

Answer 19

IAM roles allow applications to securely make API requests from instances, without requiring you to manage the security credentials the applications use.

Question 20

What is an IAM Policy?

Answer 20

A JSON doc that defines one or more permissions

Question 21

In AWS, what is IAM used for?

Answer 21

Creating and managing users and groups, managing access to AWS resources and assigning permissions to allow and deny access to AWS resources