IAM - Identity and Access Management Flashcards
What is IAM?
Identity and Access Management, a global AWS service
Is the root account part of IAM?
No
Who can be a user?
People within the organization.
Can a group contain another group?
No, it can only contain users.
Is it a must for a user to be part of any group?
No, inline policies can be applied.
Can a user be part of multiple groups?
Yes, it can.
What are IAM Permissions?
Policies defined for users or groups.
What are IAM policies?
A JSON document that lists the access permissions for different services.
What is the permission best practice?
The least privilege principle: do not give more permission than a user needs.
How can you add permissions to a user without groups?
With inline policies.
What is the structure of an IAM Policy?
- version: policy language version
- id: policy id, optional
- statement: one or more individual statements, required
What does a Policy Statement consist of?
- Sid: statement id, optional
- Effect: whether the statement allows or denies access (Allow, Deny)
- Principal: account/user/role to which this policy applies
- Action: list of actions this policy allows or denies
- Resource: list of resources to which the actions apply
- Condition: conditions for when this policy is in effect, optional
What password policies can be set in IAM?
- Set minimum password length
- Require specific character types:
1. uppercase letters
2. lowercase letters
3. numbers
4. non-alphanumeric characters
- Allow all IAM users to change their own passwords
- Require users to change their password after some time (password expiration)
- Prevent password reuse
What is MFA?
MFA = password you know + security device you have
If the password is stolen or hacked, the account is not compromised.
What are the MFA options in IAM?
- Virtual MFA devices: Google Authenticator, Authy … => multiple tokens on a single device
- Universal 2nd Factor Security Key (U2F) => multiple root and IAM users using a single security key
- Hardware TOTP token
How can users access AWS?
- AWS Management Console (protected by password + MFA)
- AWS Command Line Interface (CLI): protected by access keys
- AWS Software Development Kit (SDK) - for code: protected by access keys
Who can create an access key?
Access keys are generated through the AWS Management Console.
What is AWS CLI?
A tool that enables you to interact with AWS services using commands in
your command-line shell.
What is AWS SDK?
- AWS Software Development Kit (AWS SDK)
- Language-specific APIs (set of libraries)
- Enables you to access and manage AWS services programmatically
What are IAM Roles?
Permissions assigned to AWS services so they can act on your behalf.
What are the common IAM roles?
- EC2 Instance Roles
- Lambda function roles
What are the IAM Security Tools?
- IAM Credentials Report (account-level); a report that lists all your account’s users and the status of their various credentials
- IAM Access Advisor (user-level); shows the service permissions granted to a user and when those services were last accessed.
How do you set up the AWS CLI?
- Download and install it
- Generate an access key
- Run ‘aws configure’ in your command-line shell
- Paste your access key
What are the parts of the Credential Report?
It is a list of all users, with the following data:
* user
* arn
* user_creation_time
* password_last_used
* password_last_changed
…
List some best practices for IAM
- Don’t use the Root account except for AWS account setup
- one physical user = one AWS user
- assign users to groups, then permissions to groups
- create a strong password policy
- use and enforce MFA
- create and use Roles
- use access keys for programmatic access (CLI/SDK)
- audit the permissions of your accounts
- never share IAM users & access keys
What are the responsibilities of AWS according to Shared Responsibility Model?
- Infrastructure (global network security)
- Configuration and vulnerability analysis
- Compliance validation