IAM: Identity and Access Management Flashcards
What AWS service is used to create and manage permissions for users, groups, and roles?
Identity and Access Management (IAM)
What are Identity Policies?
Identity Policies are rules that can be attached to an identity and grant or deny access to AWS resources.
When Identity Policy statements overlap, which statement takes precedence?
An explicit Deny always wins. Otherwise a matching explicit Allow grants access, and a request that no statement allows falls through to the implicit (default) deny. Statement order never matters.
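The precedence rule above, as an added example that is not part of the original flashcards and not AWS's own evaluation engine: a small simulator that combines identity-policy statements with IAM's `*` and `?` wildcards and returns explicit deny, allow or implicit deny. It ignores Condition, NotAction/NotResource, SCPs, permission boundaries and resource policies; the policies and ARNs are constructed.

```python
"""Added example (not AWS's evaluation engine): how IAM combines
identity-policy statements. Explicit Deny > explicit Allow > implicit deny.
Ignores Condition, NotAction/NotResource, SCPs, permission boundaries and
resource policies. Policies and ARNs below are constructed."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    """Statement may be a single object or a list of objects."""
    stmts = policy["Statement"]
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _statement_matches(stmt, action, resource):
    """True when the statement's Action and Resource both match the request.
    Action names are case-insensitive; resource ARNs are not."""
    action_ok = any(fnmatchcase(action.lower(), pattern.lower())
                    for pattern in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatchcase(resource, pattern)
                      for pattern in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    Order is irrelevant: any matching Deny wins, one matching Allow is
    enough otherwise, and no match at all is the implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in _statements(policy):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


# Constructed managed policy: read-only S3 for every identity it is attached to.
READ_ONLY_S3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:Get*", "s3:List*"],
                   "Resource": "*"}],
}

# Constructed inline exception for one user: keep them out of one bucket.
NO_FINANCE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny",
                  "Action": "s3:*",
                  "Resource": ["arn:aws:s3:::finance-reports",
                               "arn:aws:s3:::finance-reports/*"]},
}

if __name__ == "__main__":
    logo = "arn:aws:s3:::public-assets/logo.png"
    report = "arn:aws:s3:::finance-reports/q1.pdf"
    print(evaluate([READ_ONLY_S3], "s3:GetObject", logo))                      # allow
    print(evaluate([READ_ONLY_S3, NO_FINANCE_BUCKET], "s3:GetObject", report))  # explicit_deny
    print(evaluate([READ_ONLY_S3], "s3:PutObject", logo))                       # implicit_deny
```

Swapping the order of the two policies gives the same results, which is the point of the rule: a Deny that matches anywhere cannot be out-voted by an Allow.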
Why should you use a managed policy instead of an inline policy?
A managed policy is a standalone object that can be attached to many identities, so a change is made once. An inline policy is JSON embedded in a single user, group or role; the same change has to be repeated in every identity that carries it, and the policy disappears when that identity is deleted.
When should you use inline policies?
For special or exceptional allow or deny cases on a small set of users.
What does an IAM user represent?
A human or application that needs to access resources within an AWS account.
What does an IAM group represent?
A collection of users that need the same permissions.
What does an IAM role represent?
An identity with its own permissions that trusted principals can assume, receiving temporary credentials for the session instead of long-term credentials.
What scope and level of resilience does IAM have?
IAM is a global service with global resilience.
What type of credentials are used when accessing AWS resources via the command line interface (CLI)?
IAM Access Keys
How many access keys can a single IAM user have?
Two.
When can you download a secret access key for an IAM user?
Only when it is created.
Are IAM access keys mutable or immutable?
Immutable. A key can be deactivated, reactivated or deleted, but not changed; to rotate, create a second key, switch to it, then delete the old one.
What are the two types of credentials that can be used to authenticate an IAM user?
Username/password and access keys.
What is the maximum number of IAM users an AWS account can have?
5,000.
What is the maximum number of groups an IAM user can be a member of?
10.
Can you log in as an IAM Group?
No.
Are IAM Policies attached to IAM Users, IAM Groups, or both?
Both, and also IAM Roles. A group has no credentials of its own; its policies apply to the users in it.
Is there a default “All Users” group in IAM?
No.
How many levels deep can IAM Groups be nested?
Zero. IAM Groups cannot be nested.
What is the default limit for IAM Groups per AWS account?
300, but this can be increased by contacting AWS.
What types of IAM structures can Resource Policies reference: IAM Users, IAM Groups, or IAM Roles?
IAM Users and IAM Roles. A Resource Policy cannot reference an IAM Group. IAM Groups are not identities, they are just collections of identities, so a group ARN is not a valid Principal.
What is the difference between an IAM User and an IAM Role?
An IAM User represents a single principal (a person or an application) with long-term credentials and its own access rights. An IAM Role is an identity that a trusted principal can assume to obtain temporary credentials carrying the Role's access rights for a short period.
What are the two types of policies that can be attached to an IAM Role?
A Trust Policy and a Permissions Policy.
The Trust Policy specifies what identities can assume the Role.
The Permissions Policy specifies what access to resources the Role has.
What types of identities can be specified in a Trust Policy?
Identities in the AWS account (IAM Users, IAM Roles, and AWS Services), identities in other AWS accounts, anonymous identities, and federated identities from other identity providers (Facebook, Google, etc.)
How would you provide user login for a mobile or web application that has millions of users?
By using federated or web identities and IAM Roles to grant access to the necessary AWS resources.
What is a service-linked role?
An IAM Role owned and predefined by a specific AWS service. The service usually creates it automatically, its trust policy lets only that service assume it, and it cannot be deleted until the service resources that depend on it are removed.
What does the PassRole permission allow?
iam:PassRole lets an identity hand a Role to an AWS service (for example, attaching an instance profile when launching an EC2 instance) so that the service runs with the Role's permissions. The identity does not need to be able to assume the Role itself, so an unscoped PassRole is a privilege-escalation path: restrict it to specific Role ARNs and, where possible, to the intended service.
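An added example, not part of the original flashcards and not AWS code, of the PassRole scoping just described: a small audit that flags Allow statements granting iam:PassRole on every role or without the `iam:PassedToService` condition key, run over a constructed over-broad policy and a constructed scoped one (account ID and role name are made up).

```python
"""Added example, not AWS code: flag iam:PassRole grants that are wider
than a workload needs. Account ID, role name and policies are constructed."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    """Statement may be a single object or a list of objects."""
    stmts = policy["Statement"]
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _grants_passrole(stmt):
    """True for an Allow whose Action covers iam:PassRole, including via
    wildcards such as 'iam:*' or '*' (Action names are case-insensitive)."""
    return stmt.get("Effect") == "Allow" and any(
        fnmatchcase("iam:passrole", pattern.lower())
        for pattern in _as_list(stmt.get("Action", [])))


def audit_passrole(policy):
    """Findings for PassRole statements that name any role, or that do not
    pin the receiving service with the iam:PassedToService condition key."""
    findings = []
    for stmt in _statements(policy):
        if not _grants_passrole(stmt):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any(r == "*" or r.endswith(":role/*") for r in resources):
            findings.append("PassRole on every role: the caller can hand a service "
                            "a role far more privileged than itself")
        condition = stmt.get("Condition", {})
        service = condition.get("StringEquals", {}).get("iam:PassedToService")
        if service is None:
            findings.append("no iam:PassedToService condition: the role can be "
                            "passed to any service")
    return findings


# Constructed: the common over-broad grant bundled with ec2:RunInstances.
LAX = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:RunInstances", "iam:PassRole"],
                   "Resource": "*"}],
}

# Constructed: PassRole limited to one role and to EC2 as the recipient.
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/WebServerRole",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("LAX", LAX), ("SCOPED", SCOPED)):
        print(name, audit_passrole(policy) or ["ok"])
```

The audit only reads StringEquals; a policy that pins the service with StringLike would be reported as unpinned, which is the safe direction for a linter to err in.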
If the “Principal” element appears in a policy statement, is the policy most likely an identity policy or a resource policy?
Resource policy. The “Principal” element names the identities the statement applies to. Identity policies omit it, because the identity the policy is attached to is implied.
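The trust-policy and Principal cards above (which identities a trust policy may name, that a group is not a valid principal, and that Principal marks a resource or trust policy), as one added example that is not part of the original flashcards and not AWS code: a classifier that tells identity from resource policies by the Principal element, plus an audit of a role's trust policy for anonymous principals, non-identity ARNs and cross-account principals that carry no Condition. The account IDs, ARNs and policies are constructed; AWS itself rejects a group ARN in a Principal, and the audit shows why.

```python
"""Added example, not AWS code: tell an identity policy from a resource or
trust policy by its Principal element, and audit the principals a role's
trust policy names. Account IDs, ARNs and policies below are constructed."""
import re

OWN_ACCOUNT = "111122223333"  # constructed ID for "this" account

# A principal given as an AWS ARN must be an account root, a user or a role.
# A group ARN (":group/...") never matches: groups are not identities.
IDENTITY_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+|role/.+)$")


def _statements(policy):
    """Statement may be a single object or a list of objects."""
    stmts = policy["Statement"]
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def policy_kind(policy):
    """Identity policies carry no Principal (the attached identity is implied);
    resource and trust policies must say whom each statement applies to."""
    if any("Principal" in s or "NotPrincipal" in s for s in _statements(policy)):
        return "resource"
    return "identity"


def principals(stmt):
    """Flatten Principal into (kind, value) pairs. 'Principal': '*' and
    {'AWS': '*'} both mean anonymous access."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return [("anonymous", "*")]
    pairs = []
    for kind, values in principal.items():
        for value in ([values] if isinstance(values, str) else values):
            anonymous = kind == "AWS" and value == "*"
            pairs.append(("anonymous", value) if anonymous else (kind, value))
    return pairs


def audit_trust_policy(policy):
    """Findings for a trust policy: anonymous principals, principals that are
    not real identities, and cross-account principals with no Condition."""
    findings = []
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        for kind, value in principals(stmt):
            if kind == "anonymous":
                findings.append(f"anonymous principal {value!r} may assume the role")
            elif kind == "AWS":
                # A bare 12-digit account ID is shorthand for that account's root.
                account = value if re.fullmatch(r"\d{12}", value) else None
                match = IDENTITY_ARN.match(value)
                if match:
                    account = match.group(1)
                if account is None:
                    findings.append(f"not a user, role or account ARN: {value}")
                elif account != OWN_ACCOUNT and "Condition" not in stmt:
                    findings.append(f"cross-account principal without a Condition: {value}")
    return findings


# Constructed permissions policy: no Principal, so it is an identity policy.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::app-assets/*"}],
}

# Constructed trust policy: an AWS service plus one role in another account,
# the latter pinned with an external ID.
TRUST_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999988887777:role/Deployer"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "constructed-id"}}},
    ],
}

# Constructed trust policy with the three mistakes the audit looks for.
TRUST_POLICY_BAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:group/Developers"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": ["999988887777",
                               "arn:aws:iam::111122223333:user/alice"]},
         "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    print(policy_kind(PERMISSIONS_POLICY), policy_kind(TRUST_POLICY_OK))
    print(audit_trust_policy(TRUST_POLICY_OK) or ["ok"])
    print(audit_trust_policy(TRUST_POLICY_BAD))
```

Same-account user and role principals pass without a Condition; cross-account ones are flagged unless pinned, since an external ID or similar check is what stops a confused-deputy assume from a third party.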