IAM - Identity and Access Management

Question 1

What are the 4 security components of IAM?

Answer 1

Users, Groups, Roles and Policies

Question 2

What 2 things you should not do with your Root account? Mention an exception.

Answer 2

Use it or share it.

except for initial setup

Question 3

IAM Users must be created with [2]

Answer 3

proper permissions

Question 4

IAM policies are written in []

Answer 4

JSON

Question 5

An IAM user is usually [3]

Answer 5

a physical person

Question 6

IAM groups are frequently used to group based on [2]

Answer 6

Functions (admins, devops) and Teams (engineering, design)

Question 7

IAM groups contain []

Answer 7

IAM users

Question 8

An IAM rol is for using it []

Answer 8

internally, within AWS resources (machines)

Question 9

An IAM policy defines what [7] do

Answer 9

Users, Groups and Roles can and cannot

Question 10

What is IAM’s visibility?

Answer 10

global

Question 11

IAM Permissions are governed by []

Answer 11

policies

Question 12

You can setup [] on IAM to increase security

Answer 12

MFA

Question 13

IAM has predefined [2]

Answer 13

managed policies

Question 14

What is the recommended amount of permission to give users?

Answer 14

the minimal they need to perform their job (least privilege principles)

Question 15

What is used for IAM Identity Federation?

Answer 15

for big enterprises, to usually integrate their own repository of users with IAM, this way, one can login into AWS using company credentials

Question 16

IAM Identity Federation uses [] standard

Answer 16

Security Assertion Markup Language (SAML) standard

Active Directory is one of the big users of this standard

Question 17

1 IAM User per [2]

Answer 17

physical person

Question 18

1 IAM Role per []

Answer 18

application

Question 19

Never use IAM credentials in []

Answer 19

code

Question 20

How you need to create IAM users when using Identity Federation?

Answer 20

you don’t need to create IAM users when using Identity Federation

Question 21

What types of Identity Federations are the most relevants to AWS?

Answer 21

• SAML 2.0
• Custom Identity Broker
• Web Identity Federation with Amazon Cognito
• Web Identity Federation without Amazon Cognito
• SSO
• Non-SAML with AWS Microsoft AD

Question 22

What you need to use if your identity provider is not compatible with SAML 2.0?

Answer 22

You must write your own Custom Identity Broker

Question 23

What you should delete on your ROOT account?

Answer 23

access keys

Question 24

What is the difference between key pair and access keys?

Answer 24

Key Pairs DO provide ACCESS – to EC2 instances.

Access Keys are for programmatic access to AWS services and APIs.

Question 25

I updated an IAM policy but I still don’t see it reflected. What is the cause?

Answer 25

Sometimes it takes a little bit of time to see a policy update working, you just need to keep trying

Question 26

What is an inline policy?

Answer 26

These are policies that cannot be reused. Not recommended
o Strict one-to-one relationship between policy and principal
o Policy is deleted if you delete the IAM principal

Question 27

How does work IAM Authorization Model Evaluation of Policies?

Answer 27

Is there an explicit DENY?
   YES: DENY
   NO: Is there an ALLOW?
   	  YES: ALLOW
	  NO: DENY
DENY will be default behavior

Question 28

How does work IAM + Bucket policies?

Answer 28

• IAM Policies are attached to users, roles, groups
• S3 Bucket Policies are attached to buckets
• When evaluating if an IAM Principal can perform an operation X on a bucket, the union of its assigned IAM Policies and S3 Bucket Policies will be evaluated.

Question 29

How do you assign in a scalable way each user a /home/ folder in an S3 bucket?

Answer 29

o Create one dynamic policy with IAM

o Leverage the special policy variable ${aws:username}

Question 30

What are the three types of IAM policies?

Answer 30

• AWS Managed Policy
• Customer Managed Policy
• Inline Policy

Question 31

What is IAM PassRole?

Answer 31

The PassRole permission helps you make sure that a user doesn’t pass a role to a service where the role has more permissions than you want the user to have

Question 32

Can an IAM role be passed to any service?

Answer 32

• No: Roles can only be passed to what their trust allows

* A trust policy for the role that allows the service to assume the role