IAM (Identity and Access Management) Flashcards

1
Q

What is IAM, and what are Users, Groups, Policies and Roles?

A

o IAM is the AWS service that handles authentication (who is making the request) and authorisation (what they may do) within an AWS account: a systems architecture is incomplete without the ability to control access in a granular way
o IAM controls access to AWS services via policies that can be attached to users, groups and roles
o Users: identities for a known person or application that needs long-term credentials (username/password for the console, access keys for CLI/SDK access); workloads that only need short-term credentials should use Roles instead
o Groups: collections of Users (Dev team, Finance team, …) used to give the same permissions to many Users at once
o Policies: JSON documents defining which actions a principal is allowed or denied to perform on which resources, and under which conditions
o Roles: a secure way to grant permissions to trusted entities. Policies can be attached to Roles, but Roles cannot be logged in to: they are assumed for a limited time and carry no long-term credentials
o IAM identities have no permissions by default (= implicit deny)

2
Q

What is ARN?

A

o ARN (Amazon Resource Name): the globally unique name AWS uses to identify any resource, including IAM Users and Roles
o Format: arn:partition:service:region:account-id:resource (e.g. arn:aws:iam::123456789012:user/alice). The region is empty for global services such as IAM, and both region and account-id are empty for S3 buckets; the resource part is service-specific and may itself contain ":" and "/"
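A small parser for the ARN format described above, added here as an example (not from the original flashcards). It splits on at most five colons so that colons inside the resource field survive, and treats empty region/account fields as legitimate; the ARNs in the demo use the 123456789012 placeholder account from the AWS documentation.

```python
"""Parser for Amazon Resource Names.

Format: arn:partition:service:region:account-id:resource
The resource field may itself contain ':' and '/', so the string is split into
at most six fields and never further. Added example, not from the original page;
the ARNs in the demo use the 123456789012 placeholder account from the AWS docs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str      # empty for global services such as IAM
    account_id: str  # empty for account-less resources such as S3 buckets
    resource: str    # service-specific, e.g. "user/alice" or "log-group:/aws/lambda/fn:*"

    @classmethod
    def parse(cls, text: str) -> "Arn":
        parts = text.split(":", 5)  # maxsplit=5 keeps ':' inside the resource intact
        if len(parts) != 6 or parts[0] != "arn":
            raise ValueError(f"not an ARN: {text!r}")
        _, partition, service, region, account_id, resource = parts
        if not partition or not service or not resource:
            raise ValueError(f"ARN with empty mandatory field: {text!r}")
        return cls(partition, service, region, account_id, resource)

    @property
    def is_global(self) -> bool:
        """True for services without a region component (IAM, S3, Route 53, ...)."""
        return self.region == ""

    def __str__(self) -> str:
        return f"arn:{self.partition}:{self.service}:{self.region}:{self.account_id}:{self.resource}"


def same_account(a: str, b: str) -> bool:
    """True when both ARNs carry the same, non-empty, account ID. Handy when linting
    trust policies: a principal ARN from another account deserves a second look."""
    x, y = Arn.parse(a), Arn.parse(b)
    return bool(x.account_id) and x.account_id == y.account_id


if __name__ == "__main__":
    for text in ("arn:aws:iam::123456789012:user/alice",
                 "arn:aws:s3:::app-bucket/reports/2024.csv",
                 "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/fn:*"):
        arn = Arn.parse(text)
        print(f"{arn.service:5} global={arn.is_global!s:5} account={arn.account_id or '-':12} resource={arn.resource}")
```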

3
Q

What is an IAM Policy, and how does the allow / deny mechanism work?

A

o An IAM Policy is a document that has no effect until it is attached to an Identity (Identity Policy) or to a Resource (Resource Policy)
o A Policy Document is a list of statements; each statement matches requests to AWS (by Action, Resource and optional Condition) and has an Effect of Allow or Deny
o If a request is not explicitly allowed by any statement, it is implicitly denied
o If a request is explicitly denied by any statement, that overrides everything else
o If a request is explicitly allowed, it is allowed unless an explicit Deny also matches: evaluation goes implicit DENY -> explicit ALLOW -> explicit DENY, and the later step wins
o There are AWS Managed Policies (low overhead, low flexibility), Customer Managed Policies (written by you, reusable across identities) and Inline Policies (embedded in a single user, group or role)
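The allow/deny rules above, implemented as a small evaluator for identity-based policies. This is an added example, not code from the original flashcards or from AWS: it covers Action/NotAction and Resource/NotResource with IAM-style "*" and "?" wildcards, but assumes no Condition blocks and no resource-based policies, so it is a subset of the real algorithm. The two sample policies are constructed for the demo.

```python
"""Minimal evaluator for identity-based IAM policies.

Rules implemented, in the order IAM applies them:
  1. every request starts out implicitly denied
  2. a matching statement with Effect "Allow" makes it allowed
  3. a matching statement with Effect "Deny" wins over any Allow
Action matching is case-insensitive, Resource matching is case-sensitive, and
only '*' and '?' are wildcards. Assumptions: no Condition blocks and no
resource-based policies (added example, not AWS's own implementation).
"""
import json
import re
from functools import lru_cache


@lru_cache(maxsize=None)
def _wildcard(pattern: str, ignore_case: bool):
    # Translate an IAM pattern into a regex: only '*' and '?' are special
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    """IAM accepts a single string/object or a list in most fields."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _field_matches(stmt, key, value, ignore_case):
    """Match `value` against stmt[key] or, if absent, the negated stmt["Not"+key]."""
    patterns = _as_list(stmt.get(key))
    if patterns:
        return any(_wildcard(p, ignore_case).match(value) for p in patterns)
    negated = _as_list(stmt.get("Not" + key))
    if negated:
        return not any(_wildcard(p, ignore_case).match(value) for p in negated)
    return False  # a statement with neither field matches nothing


def _statement_matches(stmt, action, resource):
    return (_field_matches(stmt, "Action", action, ignore_case=True)
            and _field_matches(stmt, "Resource", resource, ignore_case=False))


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request,
    evaluated against every policy attached to the calling identity."""
    allowed = False
    for policy in policies:
        doc = json.loads(policy) if isinstance(policy, str) else policy
        for stmt in _as_list(doc.get("Statement")):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicit_deny"  # explicit deny overrides everything
            if stmt.get("Effect") == "Allow":
                allowed = True          # keep going: a later Deny may still win
    return "allow" if allowed else "implicit_deny"


# Constructed sample policies for the demo (not from the original page)
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    ],
}
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::app-bucket/prod/*"},
    ],
}

if __name__ == "__main__":
    attached = [DEVELOPER_POLICY, GUARDRAIL_POLICY]
    for act, res in [("s3:GetObject", "arn:aws:s3:::app-bucket/prod/report.csv"),
                     ("s3:DeleteObject", "arn:aws:s3:::app-bucket/prod/report.csv"),
                     ("s3:DeleteObject", "arn:aws:s3:::app-bucket/dev/scratch.txt"),
                     ("ec2:TerminateInstances", "*")]:
        print(f"{act:22} {res:45} -> {evaluate(attached, act, res)}")
```

The guardrail policy shows why explicit Deny matters in practice: the developer policy grants `s3:*` on the whole bucket, yet deleting under `prod/` is refused no matter how many Allow statements match, while the same action under `dev/` still succeeds.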

4
Q

What are IAM Users, and what are the hard limits?

A

o IAM Users are a type of IAM Identity suitable for long-term access for a known entity (human, service, application)
o Principals authenticate to IAM Users either with a username and password (and optionally MFA – Multi-Factor Authentication) or via access keys
o Hard limit of 5,000 IAM Users per account (important from an architectural perspective: beyond that, use identity federation and Roles rather than more Users)
o A User can be a member of at most 10 Groups
o Default of 10 managed policies per User (can be raised to 20 with a quota increase)
o Inline policies cannot exceed 2,048 characters, all combined
o Up to 8 MFA devices per User (historically only 1)
o 2 access keys per User

5
Q

What are IAM Groups?

A

o IAM Groups are collections of IAM Users, allowing easier administration over sets of IAM Users. Inline and managed policies can be attached to Groups, and they flow on to all members of that Group
o Groups are not true identities: they cannot be referenced as a principal in resource policies, cannot be nested inside other Groups, and cannot be logged in to

6
Q

What are Access Keys?

A

o Access Keys are a pair of values (access key ID and secret access key) used by applications, SDKs or the AWS command line to authenticate to AWS by signing each request
o A maximum of 2 access keys can exist for each IAM User (two, so that a key can be rotated: create the second, switch over, then delete the first)
o The access key ID is the public part of the key and is sent with every request
o The secret access key is the private part of the key, shown only once, when the access key is initially generated; it never travels over the wire and is only used on the client to compute the request signature
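To make concrete what the two halves of an access key do, here is AWS Signature Version 4 written out by hand (an added example, not from the original flashcards or from any AWS SDK): the access key ID is placed in clear in the Authorization header, while the secret access key only feeds an HMAC chain that derives a key scoped to one day, region and service. The key pair in the demo is the placeholder pair from the AWS documentation, not a real credential.

```python
"""AWS Signature Version 4, step by step, to show how an access key pair
authenticates a request. Added example, not AWS SDK code. The key pair used
in demo_headers() is the placeholder pair from the AWS documentation.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    The scoped key is what actually signs; the raw secret is never used directly."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(access_key_id: str, secret_key: str, method: str, host: str, path: str,
                 query: dict, headers: dict, body: bytes, region: str, service: str,
                 now: dt.datetime) -> dict:
    """Return the request headers with a SigV4 Authorization header added."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]

    # 1. Canonical request: every signed part of the request in a fixed layout
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    canonical_request = "\n".join([
        method.upper(), quote(path, safe="/-_.~"), canonical_query,
        canonical_headers, signed_headers, sha256_hex(body)])

    # 2. String to sign: algorithm, timestamp, credential scope, hash of (1)
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(canonical_request.encode("utf-8"))])

    # 3. Signature with the scoped key; only the hex digest and the key ID go on the wire
    signature = hmac.new(derive_signing_key(secret_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return hdrs


def demo_headers(secret_key: str = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", body: bytes = b"") -> dict:
    """Sign the AWS documentation's example request (GET ListUsers against IAM)
    with the documentation's placeholder key pair; parameters let you tamper."""
    return sign_request(
        "AKIDEXAMPLE", secret_key, "GET", "iam.amazonaws.com", "/",
        {"Action": "ListUsers", "Version": "2010-05-08"},
        {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}, body,
        "us-east-1", "iam", dt.datetime(2015, 8, 30, 12, 36, tzinfo=dt.timezone.utc))


if __name__ == "__main__":
    print(demo_headers()["authorization"])
```

Two things worth noticing when you run it: the secret never appears in the output, and changing either the body or the secret changes the 64-hex-character signature, which is how AWS detects both a wrong secret and a tampered request.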

7
Q

What are IAM Roles?

A

o IAM Roles are a secure way to grant permissions to entities you trust, for a limited amount of time
o Roles are assumed (not logged in to!) by a principal allowed in the Role's trust policy (an IAM User, an AWS service, another AWS account, or a web identity)
o When a Role is assumed, the Security Token Service (STS) returns time-limited temporary credentials (access key ID, secret access key and session token) carrying the permissions defined in the Role's permissions policy

8
Q

What can / cannot IAM Roles be used for?

A

o What you can use Roles for:
   - granting extra rights temporarily to users who normally have a low level of rights (e.g. an admin Role that requires MFA to assume)
   - granting AWS services (EC2, Lambda, …) access to other resources without embedding long-term keys
   - two companies merging: rather than creating additional Users, identities from the other account assume Roles in yours
o What you cannot use Roles for:
   - Roles cannot be used when you need something to log in to with long-term credentials
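The cross-account and service cases from the last two cards hang on two documents: a trust policy (who may call sts:AssumeRole) and a permissions policy (what the temporary credentials may do). The code below builds both, adds a simplified check that mimics how STS reads the trust policy, and shows the STS call that turns them into temporary credentials. It is an added example, not from the original flashcards or from AWS: the account IDs, role name, bucket and external ID are placeholders, `is_trusted` is a constructed helper rather than STS itself, and `assume_role` needs boto3 plus real credentials, so it imports boto3 lazily and is not exercised offline.

```python
"""Trust policy + permissions policy for an IAM Role, and the STS call that
assumes it. Added example; account IDs, names and the external ID are
placeholders, and is_trusted() is a simplified stand-in for STS's evaluation.
"""
import json
from typing import Optional

PARTNER_ACCOUNT = "111111111111"                               # placeholder: account allowed to assume
ROLE_ARN = "arn:aws:iam::222222222222:role/PartnerReadOnly"   # placeholder: the role in our account
EXTERNAL_ID = "partner-contract-4711"                          # placeholder shared secret for the trust


def trust_policy(trusted_account: str, external_id: str, require_mfa: bool = True) -> dict:
    """WHO may assume the role: any principal in trusted_account that also has
    sts:AssumeRole on its side (the ':root' principal delegates that choice to
    the other account), presenting the agreed ExternalId (confused-deputy
    protection) and, optionally, an MFA-backed session."""
    condition = {"StringEquals": {"sts:ExternalId": external_id}}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": condition,
        }],
    }


def permissions_policy(bucket: str) -> dict:
    """WHAT the temporary credentials may do: read-only access to one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def is_trusted(policy: dict, caller_account: str, external_id: Optional[str], mfa: bool) -> bool:
    """Simplified check of a trust policy for an sts:AssumeRole call: principal
    account, ExternalId and MFA condition only (constructed helper, not STS)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        principals = stmt["Principal"].get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if f"arn:aws:iam::{caller_account}:root" not in principals:
            continue
        cond = stmt.get("Condition", {})
        wanted_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        if wanted_id is not None and wanted_id != external_id:
            continue
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa:
            continue
        return True
    return False


def assume_role(role_arn: str, session_name: str, external_id: str, duration: int = 900) -> dict:
    """Exchange the caller's identity for temporary credentials. Needs boto3 and
    valid caller credentials, hence the lazy import; nothing else here needs it."""
    import boto3
    resp = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name,
        ExternalId=external_id, DurationSeconds=duration)
    creds = resp["Credentials"]
    # Three values, not two: the session token must accompany the temporary key pair
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expires": creds["Expiration"].isoformat(),
    }


if __name__ == "__main__":
    print(json.dumps(trust_policy(PARTNER_ACCOUNT, EXTERNAL_ID), indent=2))
    print(json.dumps(permissions_policy("partner-data"), indent=2))
```

The check in `is_trusted` makes the failure modes visible: the right account with the wrong ExternalId, or without MFA, is refused, which is exactly the behaviour that protects a cross-account Role from being assumed by a third party that merely learned the Role ARN.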
