IAM & S3 Flashcards
What 4 features does IAM consist of?
1) USERS
2) GROUPS
3) ROLES
4) POLICIES
What format are policies written in?
JSON (JavaScript Object Notation)
What does IAM stand for?
Identity and Access Management
What is the root user of an AWS account and what privileges does it have?
The identity created with the email address used to sign up for the AWS account
Full, unrestricted access to every service and resource in the account; it cannot be restricted by IAM policies, so protect it with MFA and do not use it for day-to-day work
What permissions do new users have when they are added to the AWS console?
None
What credentials can be created for a new IAM user?
An access key ID and a secret access key (for programmatic access); a console password is optional and separate
Can you use your access keys to sign in to the console?
No, an access key is not a username and password. The access key ID and secret access key are used to sign API requests from the CLI and SDKs; the console uses a password (and ideally MFA)
What 2 security methods can you use to improve the security of your AWS user accounts?
1) Set up MFA
2) Use a strict password policy
Are S3 buckets private by default?
Yes
What 2 methods can be used to secure an s3 bucket?
1) Bucket policies (resource-based JSON policies that apply to the whole bucket)
2) Access control lists (apply per bucket or per object; AWS now recommends bucket policies over ACLs and disabling ACLs where possible)
What are the 5 key components of an S3 object?
1) Key (the object name)
2) Value (the data)
3) Version ID
4) Metadata
5) Subresources
a) Access control list
b) Torrent
How is encryption in transit achieved in S3?
SSL/TLS –> HTTPS
Protects against man-in-the-middle attacks; it can be enforced with a bucket policy that denies any request where aws:SecureTransport is false
Name 3 examples of encryption at rest in S3? (server side)
1) S3 managed keys –> SSE-S3
2) AWS key management service SSE-KMS
3) Server-side encryption with customer-provided keys –> SSE-C
What is cross regional replication?
The process of replicating objects from an S3 bucket to a bucket in a different AWS Region (replicating within the same Region is a separate option, Same-Region Replication)
What must be enabled to allow cross regional replication?
Versioning, on both the source and the destination bucket
you create a bucket add a file and then turn on CRR… does the file get pushed to the destination bucket?
No. Existing objects are not replicated automatically (S3 Batch Replication can copy them on request), but objects added after replication is enabled are
Are delete markers replicated?
Not by default. Delete marker replication is an optional setting in newer replication configurations; deleting a specific object version is never replicated
What is a lifecycle policy?
A set of rules that automatically transition objects between storage classes (e.g. Standard to Glacier) and expire them after a set time
Can a lifecycle policy be used with versioning?
Yes, a policy can be applied to current and previous versions
What is transfer acceleration?
A way to speed up transfers to and from a bucket by routing them through the nearest CloudFront edge location and then over AWS's dedicated backbone network
What is Cloudfront?
AWS's content delivery network. Comprised of Origin (S3 bucket, EC2, ELB) –> Edge locations (with cache) –> viewer
What is distribution?
A CloudFront configuration: the origin plus the collection of edge locations that serve its content
What is a snowball?
A ruggedized physical storage appliance that AWS ships to you for moving large amounts of data in and out of the cloud without using the network
What is storage gateway?
A hybrid cloud storage service that gives on-premises applications access to cloud storage
What are the 3 types of storage gateways?
1) File Gateway (NFS/SMB file shares backed by S3)
2) Volume Gateway (iSCSI block volumes)
a) Stored volumes
b) Cached volumes
3) Tape Gateway (virtual tape library)
What is the PowerUserAccess managed policy?
A policy that grants access to all AWS services except management of IAM users and groups (IAM, Organizations and account settings), so a power user cannot grant themselves more permissions
How many buckets can you have per AWS account by default?
100 when this card was written; it is a service quota that can be increased on request
Which 2 CloudFront features can restrict access to content served from an S3 bucket?
1) Signed URLs
2) Signed cookies
(S3 itself offers presigned URLs: time-limited links signed with the creator's own credentials)
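The presigned-URL mechanism mentioned above, as an added example that is not part of the original deck or AWS's own code: the URL carries a SigV4 signature in its query string, so whoever holds it can fetch the object until X-Amz-Expires runs out, and the server side (here a toy verifier, not S3) recomputes the signature and enforces the expiry. The access key ID and secret are AWS's documented placeholder values; the bucket, key and region are made up.

```python
"""S3 presigned GET URL (SigV4 query-string auth) built from the standard library.
Added example, not AWS's code; the bucket, key and credentials are made up."""
import datetime as dt
import hashlib
import hmac
import urllib.parse

ALGO = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 7 * 24 * 3600          # S3 caps presigned URLs at 7 days

def _enc(s):
    # SigV4 uses RFC 3986 encoding: everything but unreserved chars becomes %XX ('/' included)
    return urllib.parse.quote(s, safe="-_.~")

def _query(params):
    return "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))

def _signing_key(secret, date, region, service="s3"):
    k = hmac.new(("AWS4" + secret).encode(), date.encode(), hashlib.sha256).digest()
    for part in (region, service, "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return k

def _signature(secret, method, host, path, params, region, amz_date, scope):
    canonical_request = "\n".join([
        method, path, _query(params),
        f"host:{host}\n",        # canonical headers block, newline-terminated
        "host",                  # signed headers
        "UNSIGNED-PAYLOAD",      # presigned S3 URLs do not sign the body
    ])
    string_to_sign = "\n".join([ALGO, amz_date, scope,
                               hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, amz_date[:8], region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(access_key_id, secret, bucket, key, region, expires, now=None):
    """Return a time-limited GET URL; the holder needs no AWS credentials of their own."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + "/".join(_enc(seg) for seg in key.split("/"))
    params = {
        "X-Amz-Algorithm": ALGO,
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(secret, "GET", host, path, params, region, amz_date, scope)
    return f"https://{host}{path}?{_query(params)}"

def verify(url, secret_lookup, now=None):
    """Toy server-side check: recompute the signature and enforce the expiry window."""
    now = now or dt.datetime.now(dt.timezone.utc)
    u = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(u.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    try:
        access_key_id, date, region, service, term = params["X-Amz-Credential"].split("/")
        signed_at = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ") \
                      .replace(tzinfo=dt.timezone.utc)
        expires = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False
    if params.get("X-Amz-Algorithm") != ALGO or service != "s3" or term != "aws4_request":
        return False
    if not 1 <= expires <= MAX_EXPIRES or now > signed_at + dt.timedelta(seconds=expires):
        return False
    secret = secret_lookup(access_key_id)
    if secret is None:
        return False
    scope = f"{date}/{region}/s3/aws4_request"
    # u.path is still percent-encoded, which is exactly what the canonical URI needs
    expected = _signature(secret, "GET", u.hostname, u.path, params, region, params["X-Amz-Date"], scope)
    return hmac.compare_digest(expected, presented)

# Constructed inputs: AWS's documented placeholder key pair, made-up bucket and key.
AKID = "AKIAIOSFODNN7EXAMPLE"
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

if __name__ == "__main__":
    t0 = dt.datetime(2024, 5, 1, 12, 0, tzinfo=dt.timezone.utc)
    url = presign_get(AKID, SECRET, "example-bucket", "reports/q1 2024.csv", "us-east-1", 3600, now=t0)
    print(url)
    print(verify(url, lambda k: SECRET if k == AKID else None, now=t0))
```

Two points worth noting from the verifier: the path and every query parameter are part of the signed canonical request, so changing the object key or extending X-Amz-Expires invalidates the signature, and the expiry is enforced by the server, not by the client that holds the link.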
What is the Puts limit for an S3 bucket?
3,500 PUT/COPY/POST/DELETE requests per second per prefix (and 5,500 GET/HEAD requests per second per prefix)
What is SAML and what does it do?
Security Assertion Markup Language
This is used to give your federated users single sign on (SSO) access to the AWS management console
What 2 problems does IAM solve?
1) Managing users and their access: create users, assign access keys, passwords and MFA, etc., or request temporary security credentials that give users access to AWS services and resources
2) Managing access for federated users: request credentials with configurable expirations for users you manage in a corporate directory, so you can grant AWS access without creating an IAM user for them
Can a user be a system or an application that requires access to AWS?
Yes. A user can also be a federated user, i.e. an identity managed outside AWS in your corporate directory
What can a user do?
Make requests to AWS service APIs, for example to S3 or EC2
Who is responsible for a user’s access to web service APIs?
The AWS account owner, who grants access through IAM policies
By default, which service APIs can a user call?
None
What are the 4 ways IAM users are managed?
1) Create and manage IAM users
2) Create and manage IAM groups
3) Manage users security credentials
4) Create and manage policies to grant access to AWS services and resources
What is a group?
A collection of IAM users. Membership is managed as a simple list: add users to or remove them from the group
Can users belong to multiple groups?
Yes
Can groups belong to other groups?
No
Can policies be applied to groups?
Yes. Applying policies to groups of users makes it easier to manage permissions than managing them for each individual user
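How the policies above combine is easier to see in code than in prose. The following is an added example, not part of the original deck and not AWS's code: a minimal evaluator for the documented order (start from an implicit deny, an explicit Deny in any applicable policy wins, otherwise any Allow permits). It also covers the bucket-policy cards earlier in the deck, enforcing HTTPS (aws:SecureTransport) and server-side encryption on uploads. The groups, users, bucket and policy documents are constructed for the example; only the Bool, Null and StringEquals condition operators are implemented.

```python
"""Minimal IAM policy evaluator for a same-account S3 request.
Added example, not AWS's code. Policies, users and groups are constructed."""
import fnmatch
import json

# Bucket (resource) policy: deny plaintext HTTP, deny uploads without SSE.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]}""")

# Identity policies attached to groups; users inherit every group's statements.
GROUP_POLICIES = {
    "developers": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"}]},
    "contractors": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*"}]},
}
USER_GROUPS = {"alice": ["developers", "contractors"], "bob": ["developers"], "carol": []}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # IAM '*' wildcards in Action/Resource behave like shell globs (case-sensitive here)
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(cond, ctx):
    """Every operator/key pair in a Condition block must hold (logical AND)."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            present = key in ctx
            if op == "Bool":
                if not present or str(ctx[key]).lower() != str(expected).lower():
                    return False
            elif op == "Null":
                # Null:"true" = key must be absent; Null:"false" = key must be present
                if present == (str(expected).lower() == "true"):
                    return False
            elif op == "StringEquals":
                if not present or ctx[key] not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {op}")
    return True

def _effects(policy, action, resource, ctx):
    """Yield the Effect of each statement that applies to this request."""
    for st in policy["Statement"]:
        if (_matches(st.get("Action", []), action)
                and _matches(st.get("Resource", []), resource)
                and _condition_holds(st.get("Condition", {}), ctx)):
            yield st["Effect"]

def evaluate(user, action, resource, ctx):
    """Return 'Allow' or 'Deny' for a request by `user` with request context `ctx`."""
    policies = [GROUP_POLICIES[g] for g in USER_GROUPS.get(user, [])]
    policies.append(BUCKET_POLICY)   # Principal is ignored: same-account request
    effects = [e for p in policies for e in _effects(p, action, resource, ctx)]
    if "Deny" in effects:
        return "Deny"                # explicit deny always wins
    if "Allow" in effects:
        return "Allow"
    return "Deny"                    # implicit (default) deny: no policy grants it

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    https_sse = {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"}
    print(evaluate("bob", "s3:PutObject", obj, https_sse))                         # Allow
    print(evaluate("alice", "s3:PutObject", obj, https_sse))                       # Deny, contractors
    print(evaluate("bob", "s3:GetObject", obj, {"aws:SecureTransport": "false"}))  # Deny, no TLS
    print(evaluate("carol", "s3:GetObject", obj, https_sse))                       # Deny, default
```

The four calls at the bottom show the cards' rules in order: a user with no matching policy is denied by default, an Allow from one group is cancelled by a Deny from another group the same user belongs to, and the bucket policy's Deny applies regardless of what the identity policies allow.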
Can you disable user access?
Yes. You can deactivate and reactivate a user's access keys, and remove their console password, via the IAM API, CLI or IAM console
Who is able to manage users for an AWS account?
By default only the AWS account owner. However, you can grant an administrator user permission to manage users, which is the recommended practice
How are MFA devices configured for IAM users?
A virtual MFA device (authenticator app), a hardware TOTP token or a FIDO security key is registered for each user and assigned to them via the IAM API, CLI or IAM console
Can IAM users have individual SSH keys?
Not for EC2 access: instance logins use EC2 key pairs, which IAM does not manage. (IAM does let a user upload SSH public keys, but only for AWS CodeCommit)
Do IAM user names have to be an email address?
No, it can be any string
Can I define a password policy for my user’s passwords?
Yes, e.g. a minimum length or at least one number. You can also enforce automatic password expiration
What problem does an IAM role solve?
It lets you delegate access with defined permissions using short-lived credentials issued by STS, instead of sharing long-term access keys
How many IAM roles can you assume?
There is no limit on how many you may assume, but each request to an AWS service is made as exactly one role
How many IAM roles can I create?
Up to 1,000 per account by default; this is a service quota that can be increased
What is IAM roles for EC2 instances?
Enables your applications running on EC2 to make requests of AWS services such as S3, SQS and SNS without having to copy AWS access keys to every instance
What are the features of IAM roles for EC2 instances?
1) Temporary security credentials, obtained from the instance metadata service, for requests made from the instance to AWS services
2) Automatic rotation of those temporary credentials before they expire
3) Granular permissions for the applications on the instance, defined in the role's policy
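The three features above, shown as an added example (not part of the deck and not the AWS SDK's own code): an application on the instance obtains the role's temporary credentials from the instance metadata service using the IMDSv2 token handshake, caches them, and refreshes them shortly before their Expiration. The HTTP layer is injected so the example runs offline against a constructed fake IMDS; the 5-minute refresh margin and the role name "app-role" are assumptions for the example.

```python
"""Consuming an EC2 instance role: fetch temporary credentials from IMDSv2 and
refresh them before expiry. Added example, not the AWS SDK's code."""
import datetime as dt
import json

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
REFRESH_MARGIN = dt.timedelta(minutes=5)   # assumption: refresh 5 min before expiry

def _utcnow():
    return dt.datetime.now(dt.timezone.utc)

class InstanceRoleCredentials:
    def __init__(self, http, now=_utcnow):
        # http(method, url, headers) -> (status, body); injected so tests run offline
        self._http = http
        self._now = now
        self._creds = None
        self.fetches = 0            # how many times we went to IMDS (for demonstration)

    def _imds_get(self, path):
        # IMDSv2: obtain a session token with a PUT, then send it on every GET.
        # A plain GET without the token is what classic SSRF-to-metadata attacks rely on;
        # IMDSv2-only instances reject it.
        status, token = self._http("PUT", f"{IMDS}/latest/api/token",
                                   {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
        if status != 200:
            raise RuntimeError("IMDSv2 token request failed")
        status, body = self._http("GET", f"{IMDS}{path}", {"X-aws-ec2-metadata-token": token})
        if status != 200:
            raise RuntimeError(f"IMDS GET {path} failed with status {status}")
        return body

    def get(self):
        """Return the cached credentials, refreshing them if they are about to expire."""
        if self._creds is None or self._now() >= self._creds["Expiration"] - REFRESH_MARGIN:
            role = self._imds_get(CREDS_PATH).strip()
            doc = json.loads(self._imds_get(CREDS_PATH + role))
            if doc.get("Code") != "Success":
                raise RuntimeError("role credentials unavailable (role detached or deleted?)")
            self._creds = {
                "AccessKeyId": doc["AccessKeyId"],
                "SecretAccessKey": doc["SecretAccessKey"],
                "Token": doc["Token"],             # session token; must be sent with every request
                "Expiration": dt.datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
                                         .replace(tzinfo=dt.timezone.utc),
            }
            self.fetches += 1
        return self._creds

def make_fake_imds(now):
    """Constructed stand-in for the metadata service: issues credentials valid for 6 hours."""
    token = "fake-session-token"
    def http(method, url, headers):
        path = url[len(IMDS):]
        if method == "PUT" and path == "/latest/api/token":
            return 200, token
        if headers.get("X-aws-ec2-metadata-token") != token:
            return 401, ""                        # IMDSv2-only: no token, no metadata
        if path == CREDS_PATH:
            return 200, "app-role\n"
        if path == CREDS_PATH + "app-role":
            exp = (now() + dt.timedelta(hours=6)).strftime("%Y-%m-%dT%H:%M:%SZ")
            return 200, json.dumps({"Code": "Success", "AccessKeyId": "ASIAEXAMPLE",
                                    "SecretAccessKey": "made-up-secret", "Token": "made-up-sts-token",
                                    "Expiration": exp})
        return 404, ""
    return http

if __name__ == "__main__":
    clock = [dt.datetime(2024, 5, 1, 12, 0, tzinfo=dt.timezone.utc)]
    provider = InstanceRoleCredentials(make_fake_imds(lambda: clock[0]), now=lambda: clock[0])
    print(provider.get()["Expiration"], provider.fetches)   # first fetch
    clock[0] += dt.timedelta(hours=5, minutes=56)           # inside the refresh margin
    print(provider.get()["Expiration"], provider.fetches)   # refreshed
```

Nothing about the role is copied onto the instance: the application only ever holds short-lived credentials, and the cache logic is what makes the rotation invisible to the caller. Deleting the role makes the credentials document disappear, which the get() method surfaces as an error rather than silently reusing stale keys.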
Can you apply the same role to multiple EC2 instances?
Yes
What happens if you delete an IAM role that is associated with a running EC2 instance?
Any application running on the instance that is using the role will be denied access immediately