IAM - Identity and Access Management Flashcards
What are the 4 security components of IAM?
Users, Groups, Roles and Policies
What 2 things should you not do with your root account? Mention an exception.
Use it or share it,
except for the initial setup
IAM Users must be created with [2]
proper permissions
IAM policies are written in []
JSON
An IAM user is usually [3]
a physical person
IAM groups are frequently used to group based on [2]
Functions (admins, devops) and Teams (engineering, design)
IAM groups contain []
IAM users
An IAM role is for use []
internally, within AWS resources (machines)
An IAM policy defines what [7] do
Users, Groups and Roles can and cannot
What is IAM’s visibility?
global
IAM Permissions are governed by []
policies
You can set up [] on IAM to increase security
MFA
IAM has predefined [2]
managed policies
What is the recommended amount of permission to give users?
The minimum they need to perform their job (principle of least privilege)
What is IAM Identity Federation used for?
For big enterprises, usually to integrate their own repository of users with IAM; this way, one can log in to AWS using company credentials
IAM Identity Federation uses the [] standard
Security Assertion Markup Language (SAML) standard
Active Directory is one of the big users of this standard
1 IAM User per [2]
physical person
1 IAM Role per []
application
Never use IAM credentials in []
code
Do you need to create IAM users when using Identity Federation?
No, you don’t need to create IAM users when using Identity Federation
Which types of Identity Federation are the most relevant to AWS?
- SAML 2.0
- Custom Identity Broker
- Web Identity Federation with Amazon Cognito
- Web Identity Federation without Amazon Cognito
- SSO
- Non-SAML with AWS Microsoft AD
What do you need to use if your identity provider is not compatible with SAML 2.0?
You must write your own Custom Identity Broker
What should you delete on your root account?
access keys
What is the difference between key pair and access keys?
Key Pairs DO provide ACCESS – to EC2 instances.
Access Keys are for programmatic access to AWS services and APIs.
I updated an IAM policy but I still don’t see it reflected. What is the cause?
Sometimes it takes a little time for a policy update to take effect; you just need to keep trying
What is an inline policy?
These are policies that cannot be reused. Not recommended.
- Strict one-to-one relationship between policy and principal
- Policy is deleted if you delete the IAM principal
How does the IAM authorization model evaluate policies?
- Is there an explicit DENY? YES: DENY. NO: continue.
- Is there an ALLOW? YES: ALLOW. NO: DENY.
- DENY is the default behavior
How do IAM policies and S3 bucket policies work together?
- IAM Policies are attached to users, roles, groups
- S3 Bucket Policies are attached to buckets
- When evaluating whether an IAM principal can perform an operation X on a bucket, the union of its assigned IAM policies and the S3 bucket policies is evaluated.
How do you assign each user a /home/ folder in an S3 bucket in a scalable way?
- Create one dynamic policy with IAM
- Leverage the special policy variable ${aws:username}
What are the three types of IAM policies?
- AWS Managed Policy
- Customer Managed Policy
- Inline Policy
What is IAM PassRole?
The PassRole permission helps you make sure that a user doesn’t pass a role to a service where the role has more permissions than you want the user to have
Can an IAM role be passed to any service?
- No: roles can only be passed to what their trust policy allows
  - The role’s trust policy must allow the service to assume the role