IAM - Identity and Access Management Flashcards
(20 cards)
People within your organization who can be grouped
Users
True or False: Groups can only contain users, not other groups
True
True or False: Users must belong to a group
False
Permissions assigned as a JSON document are called _________.
Policies
What is the least privilege principle?
Only give a user the permissions that they need.
What three main components make up a policy?
Version, ID, and Statement
What does a statement consist of?
- Sid: an identifier for the statement (optional)
- Effect: whether the statement allows or denies access (allow, deny)
- Principal: account/user/role to which this policy applies
- Action: list of actions this policy allows or denies
- Resource: list of resources to which the actions apply
- Condition: conditions for when this policy is in effect (optional)
What forms of MFA are options in AWS?
Virtual and Physical MFA Devices
What physical MFA devices can be used with AWS?
- Universal 2nd Factor (U2F) Security Key (physical device)
  - YubiKey by Yubico (3rd party)
  - Supports multiple root and IAM users using a single security key
- Hardware Key Fob MFA Device
  - Gemalto MFA device
What physical MFA device is offered for AWS GovCloud?
SurePassID
What options do you have when accessing AWS?
AWS Management Console, AWS CLI, and AWS SDK
What are access keys?
Access keys are made of a key ID and a secret that can be used like a username and password.
What is the AWS CLI?
A tool that enables you to interact with AWS services using commands in your command-line shell.
What is the AWS SDK?
The AWS SDK is a software development kit that allows you to programmatically access and manage AWS services.
What purpose do roles have when it comes to IAM?
Roles allow AWS services to perform actions on your behalf.
What two security tools does AWS offer?
IAM Credentials Report, IAM Access Advisor
What is the IAM Credentials Report?
A report that lists all of your account’s users and the status of their various credentials.
What does the IAM Access Advisor do?
Access Advisor shows the service permissions granted to a user and when those services were last accessed.
What are some best practices of IAM?
- Don’t use the root account
- One physical user = One AWS user
- Assign users to groups and assign permissions to groups
- Create a strong password policy
- Use and enforce the use of MFA
- Create and use Roles for giving permissions to AWS services
- Use access keys for programmatic access (CLI/SDK)
- Audit permissions of your account with the IAM credentials report
- Never share IAM users & Access keys
What is the shared responsibility model for IAM?
- AWS
  - Infrastructure (global network security)
  - Configuration and vulnerability analysis
  - Compliance validation
- User (You)
  - Users, groups, roles, policies management and monitoring
  - Enable MFA on all accounts
  - Rotate all keys often
  - Use IAM tools to apply appropriate permissions
  - Analyze access patterns and review permissions