IAM Section Flashcards

1
Q
  • What does IAM stand for?
  • Is it a global service?
A
  • Identity and Access Management.
  • Yes, IAM is a global service.
2
Q
  • What is the IAM Root Account?
  • Should you use or share the root account?
A
  • The root account is the account created by default. A root account is a user account for administrative purposes, and typically has the highest access rights on the system.
  • A root account should not be used or shared; instead, create a user with specific access permissions to use, even for yourself. Sharing the root account would give someone complete and total access to change everything.
3
Q

What are IAM Users?

A

Users are people within your organization, and can be grouped.

4
Q
  • What are IAM Groups?
  • How can you use them to grant access permissions?
  • Which principle should you always adhere to when creating groups?
A
  • Groups only contain users, not other groups.
  • Users don’t have to belong to a group, and a user can belong to multiple groups.
  • Usually, you create an access permission for a group, then add the users who fit that access permission.
  • Always use the principle of least privilege (grant only the access that is necessary)!
5
Q

Describe the below image from an IAM standpoint:

Hint: this is related to groups and users.
A

Users don’t have to belong to a group, and a user can belong to multiple groups.

6
Q

Describe IAM Permissions: which type of document is assigned, and which principle should be followed?

A
  • Users or Groups can be assigned JSON documents called policies.
  • These policies define the permissions of the users.
  • In AWS you apply the least privilege principle: don’t give more permissions than a user needs.
7
Q

Graphically describe IAM Policies Inheritance by way of different groups or users who are not in any group.

A
  • If a user is only part of one group, then they inherit only the permissions of that group.
  • If a user is part of multiple groups, then they inherit the permissions of each (for example, one group could exclude a permission while the other allows it, so if the user were part of both groups, they’d be allowed said permission).
  • Individual users not assigned to a group have inline permissions, specifically granted in the IAM users terminal.
8
Q

Describe this code from an IAM perspective.

This is an example of a JSON doc.
A

General
- Version: policy language version, always include “2012-10-17”
- Id: an identifier for the policy (optional)
- Statement: one or more individual statements (required)

Statement
- Sid: an identifier for the statement (optional)
- Effect: whether the statement allows or denies access (Allow, Deny)
- Principal: the account/user/role to which this policy applies
- Action: list of actions this policy allows or denies
- Resource: list of resources to which the actions apply
- Condition: conditions for when this policy is in effect (optional, not shown)

9
Q

List all the ways in which you can set an IAM Password Policy.

A

Strong passwords = higher security for your account
In AWS, you can set up a password policy:
- Set a minimum password length
- Require specific character types, including:
  - uppercase letters
  - lowercase letters
  - numbers
  - non-alphanumeric characters
- Allow all IAM users to change their own passwords
- Require users to change their password after some time (password expiration)
- Prevent password re-use

10
Q

Why use MFA (Multi Factor Authentication)?

IAM

A
  • Users have access to your account and can possibly change configurations or delete resources in your AWS account.
  • You want to protect your Root Account and IAM users.
  • MFA = password you know + security device you own.
  • Main benefit: if a password is stolen or hacked, the account is not compromised.
11
Q

List the virtual MFA devices:

IAM

A
  • Google Authenticator (phone only)
  • Authy (multi-device)

Both of these options support multiple tokens on a single device. You’ve used MFA on other devices before; this is no different. You get a one-time passcode to enter as a secondary authentication factor.

12
Q

List the physical MFA devices:

IAM

A
  • Universal 2nd Factor (U2F) security key (ex: YubiKey by Yubico (3rd party))
  • Hardware key fob MFA device (ex: Gemalto (3rd party))
  • Hardware key fob MFA device for AWS GovCloud (US) (ex: SurePassID (3rd party))

All of these options have support for multiple root and IAM users using a single security key.

13
Q

How can users access AWS? List the three options.

IAM

A
  • AWS Management Console (protected by password + MFA)
  • AWS Command Line Interface (CLI): protected by access keys
  • AWS Software Developer Kit (SDK) - for code: protected by access keys
14
Q

What are access keys? Provide an example of the two types of access keys.

IAM

A
  • Access Keys are generated through the AWS Console.
  • Users manage their own access keys.
  • Access Keys are secret, just like a password. Don’t share them.
  • Access Key ID ~= username
  • Secret Access Key ~= password

Example Keys
- Access key ID: AKIASK4E37PV4983d6C
- Secret Access Key: AZPN3zojWozWCndIjhB0Unh8239a1bzbzO5fqqkZq

15
Q

What is AWS CLI?

IAM

A
  • A tool that enables you to interact with AWS services using commands in your command-line shell
  • Direct access to the public APIs of AWS services
  • You can develop scripts to manage your resources
  • It’s open-source: https://github.com/aws/aws-cli
  • Alternative to using AWS Management Console
16
Q

What is AWS SDK?

IAM

A
  • AWS Software Development Kit (AWS SDK)
  • Language-specific APIs (set of libraries)
  • Enables you to access and manage AWS services programmatically
  • Embedded within your application
  • Supports:
    • SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
    • Mobile SDKs (Android, iOS, …)
    • IoT Device SDKs (Embedded C, Arduino, …)
  • Example: the AWS CLI is built on the AWS SDK for Python
17
Q

What are IAM Roles for Services?

A
  • Some AWS services will need to perform actions on your behalf.
  • To do so, we assign permissions to AWS services with IAM Roles.

Common roles:
- EC2 Instance Roles
- Lambda Function Roles
- Roles for CloudFormation

18
Q

List the two IAM security tools for auditing permissions:

A

IAM Credentials Report (account-level)
- A report that lists all your account’s users and the status of their various credentials

IAM Access Advisor (user-level)
- Access advisor shows the service permissions granted to a user and when those services were last accessed.
- You can use this information to revise your policies.

19
Q

Describe the IAM Guidelines and Best Practices:

A
  • Don’t use the root account except for AWS account setup
  • One physical user = One AWS user
  • Assign users to groups and assign permissions to groups
  • Create a strong password policy
  • Use and enforce the use of Multi Factor Authentication (MFA)
  • Create and use Roles for giving permissions to AWS services
  • Use Access Keys for Programmatic Access (CLI / SDK)
  • Audit permissions of your account with the IAM Credentials Report
  • Never share IAM users & Access Keys
20
Q

Review the IAM section summary, if you find something unfamiliar, rate this card as poor knowledge so you can review.

A
  • Users: mapped to a physical user, has a password for AWS Console
  • Groups: contains users only
  • Policies: JSON document that outlines permissions for users or groups
  • Roles: for EC2 instances or AWS services
  • Security: MFA + Password Policy
  • Access Keys: access AWS using the CLI or SDK
  • Audit: IAM credential reports and IAM access advisor