IAM - Identity and Access Management Flashcards

1
Q

What are the 4 security components of IAM?

A

Users, Groups, Roles and Policies

2
Q

What 2 things should you not do with your Root account? Mention an exception.

A

Use it or share it (the exception is the initial account setup).

3
Q

IAM Users must be created with [2]

A

proper permissions

4
Q

IAM policies are written in []

A

JSON

5
Q

An IAM user is usually [3]

A

a physical person

6
Q

IAM groups are frequently used to group based on [2]

A

Functions (admins, devops) and Teams (engineering, design)

7
Q

IAM groups contain []

A

IAM users

8
Q

An IAM role is for use []

A

internally, within AWS resources (machines)

9
Q

An IAM policy defines what [7] do

A

Users, Groups and Roles can and cannot

10
Q

What is IAM’s visibility?

A

global

11
Q

IAM Permissions are governed by []

A

policies

12
Q

You can set up [] on IAM to increase security

A

MFA

13
Q

IAM has predefined [2]

A

managed policies

14
Q

What is the recommended amount of permission to give users?

A

the minimum they need to perform their job (principle of least privilege)

15
Q

What is IAM Identity Federation used for?

A

For big enterprises, usually to integrate their own repository of users with IAM, so that one can log in to AWS using company credentials.

16
Q

IAM Identity Federation uses [] standard

A

Security Assertion Markup Language (SAML) standard

Active Directory is one of the big users of this standard

17
Q

1 IAM User per [2]

A

physical person

18
Q

1 IAM Role per []

A

application

19
Q

Never use IAM credentials in []

20
Q

Do you need to create IAM users when using Identity Federation?

A

No, you don't need to create IAM users when using Identity Federation.

21
Q

Which types of Identity Federation are the most relevant to AWS?

A
  • SAML 2.0
  • Custom Identity Broker
  • Web Identity Federation with Amazon Cognito
  • Web Identity Federation without Amazon Cognito
  • SSO
  • Non-SAML with AWS Microsoft AD
22
Q

What do you need to use if your identity provider is not compatible with SAML 2.0?

A

You must write your own Custom Identity Broker

23
Q

What should you delete on your ROOT account?

A

access keys

24
Q

What is the difference between key pair and access keys?

A

Key pairs (SSH public/private keys) provide login ACCESS to EC2 instances.

Access keys (an access key ID plus a secret access key) are for programmatic access to AWS services and APIs.

25
Q

I updated an IAM policy but I still don't see it reflected. What is the cause?

A

IAM is eventually consistent: a policy change can take some seconds (occasionally longer) to propagate to every endpoint, so wait and retry before concluding the policy is wrong.
26
Q

What is an inline policy?

A

A policy embedded directly in a single principal, so it cannot be reused. Generally not recommended.
  • Strict one-to-one relationship between policy and principal
  • The policy is deleted if you delete the IAM principal
27
Q

How does the IAM authorization model evaluate policies?

A

```
Is there an explicit DENY?
  YES -> DENY
  NO  -> Is there an ALLOW?
           YES -> ALLOW
           NO  -> DENY (the default behavior)
```

This is the single-account simplification: in a full evaluation an SCP, permissions boundary or session policy must also allow the action, and a Deny in any of them wins.
28
Q

How do IAM policies and S3 bucket policies work together?

A
  • IAM policies are attached to users, roles and groups
  • S3 bucket policies are attached to buckets
  • When evaluating whether an IAM principal in the same account can perform an operation X on a bucket, the union of its IAM policies and the bucket policy is evaluated (an explicit Deny in either wins)
  • For a principal in another account, both the principal's IAM policy and the bucket policy must allow the operation
29
Q

How do you assign each user a /home/ folder in an S3 bucket in a scalable way?

A
  • Create one dynamic policy with IAM
  • Leverage the special policy variable ${aws:username} in the Resource and Condition elements
30
Q

What are the three types of IAM policies?

A
  • AWS Managed Policy
  • Customer Managed Policy
  • Inline Policy
31
Q

What is IAM PassRole?

A

The iam:PassRole permission controls which roles a user may hand to a service (for example EC2 or Lambda); it helps you make sure that a user doesn't pass a role to a service where the role has more permissions than you want the user to have.
32
Q

Can an IAM role be passed to any service?

A
  • No: a role can only be passed to the services its trust policy allows
  • The role needs a trust policy that allows the service to assume it (and the user needs iam:PassRole on that role)
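The evaluation rules in cards 27, 28, 29 and 32, as an added toy evaluator written for this page (it is not AWS code and not the card author's). It applies the explicit-Deny / Allow / implicit-Deny order over the union of an identity policy and a bucket policy, expands the ${aws:username} variable, checks iam:PassRole against the iam:PassedToService condition, and checks a role's trust policy. The policy documents, bucket name, role name and account ID are constructed sample data; SCPs, permissions boundaries, session policies, NotAction/NotResource and condition operators other than StringEquals/StringLike are deliberately left out.

```python
"""Toy evaluator for the IAM authorization model on this page (added example, not AWS code)."""
import fnmatch
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(text, ctx):
    # Card 29: expand policy variables such as ${aws:username} from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), m.group(0))), text)


def _match(pattern, value):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_ok(condition, ctx):
    """Every operator/key pair must hold; a key missing from the request fails the condition."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            expected = [_substitute(str(e), ctx) for e in _as_list(expected)]
            if operator == "StringEquals" and str(actual) not in expected:
                return False
            if operator == "StringLike" and not any(_match(e, str(actual)) for e in expected):
                return False
    return True


def _applies(stmt, action, resource, ctx):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # actions are case-insensitive
    resources = [_substitute(r, ctx) for r in _as_list(stmt.get("Resource", "*"))]
    return (any(_match(a, action.lower()) for a in actions)
            and any(_match(r, resource) for r in resources)
            and _condition_ok(stmt.get("Condition", {}), ctx))


def evaluate(policies, action, resource, ctx):
    """Cards 27/28: explicit Deny anywhere wins, then any Allow, otherwise implicit Deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "DENY (explicit)"
                allowed = True
    return "ALLOW" if allowed else "DENY (implicit)"


def can_assume(trust_policy, principal):
    """Card 32: a service may assume a role only if the role's trust policy names it."""
    for stmt in _as_list(trust_policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt["Effect"] != "Allow" or "sts:assumerole" not in actions:
            continue
        for who in stmt.get("Principal", {}).values():  # e.g. {"Service": "ec2.amazonaws.com"}
            if principal in _as_list(who):
                return True
    return False


# Constructed sample documents (bucket, role and account ID are placeholders, not real resources).
HOME_FOLDER_POLICY = {  # card 29: one dynamic identity policy shared by every user
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::corp-home",
         "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::corp-home/home/${aws:username}/*"},
    ],
}
BUCKET_POLICY = {  # card 28: resource policy on the bucket; its explicit Deny beats the Allow above
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::corp-home/home/*/secrets/*"}],
}
PASSROLE_POLICY = {  # cards 31/32: PassRole scoped to one role and one target service
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:PassRole",
                   "Resource": "arn:aws:iam::123456789012:role/app-ec2-role",
                   "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}],
}
TRUST_POLICY = {  # trust policy attached to app-ec2-role
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def demo():
    """Run the sample requests and return a name -> decision map."""
    alice = {"aws:username": "alice"}
    policies = [HOME_FOLDER_POLICY, BUCKET_POLICY]
    role = "arn:aws:iam::123456789012:role/app-ec2-role"
    return {
        "own_folder": evaluate(policies, "s3:GetObject", "arn:aws:s3:::corp-home/home/alice/notes.txt", alice),
        "list_own_prefix": evaluate(policies, "s3:ListBucket", "arn:aws:s3:::corp-home",
                                    {**alice, "s3:prefix": "home/alice/"}),
        "other_folder": evaluate(policies, "s3:GetObject", "arn:aws:s3:::corp-home/home/bob/notes.txt", alice),
        "own_secrets": evaluate(policies, "s3:GetObject",
                                "arn:aws:s3:::corp-home/home/alice/secrets/key.pem", alice),
        "pass_to_ec2": evaluate([PASSROLE_POLICY], "iam:PassRole", role,
                                {"iam:PassedToService": "ec2.amazonaws.com"}),
        "pass_to_lambda": evaluate([PASSROLE_POLICY], "iam:PassRole", role,
                                   {"iam:PassedToService": "lambda.amazonaws.com"}),
        "ec2_trusted": can_assume(TRUST_POLICY, "ec2.amazonaws.com"),
        "lambda_trusted": can_assume(TRUST_POLICY, "lambda.amazonaws.com"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Running it shows alice allowed in home/alice/ but implicitly denied in home/bob/, explicitly denied under her own secrets/ prefix because the bucket policy's Deny outranks the identity policy's Allow, and able to pass app-ec2-role to EC2 but not to Lambda, which the role's trust policy also refuses. The order of statements never matters: a Deny is returned as soon as it matches, and an Allow is only honored after every statement has been checked.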