IAM - Users and Groups/Policies/MFA Flashcards
What is the role of the root user in AWS IAM?
The root user is created by default when you create an AWS account. It should be used only for initial setup and not for daily operations.
What does each IAM user represent?
Each IAM user represents an individual person within your organisation, allowing you to manage their permissions.
Can an IAM group contain other groups?
No, an IAM group can only contain users, not other groups.
What is the principle of least privilege in AWS IAM?
The principle of least privilege means granting users only the permissions they absolutely need to perform their tasks, no more.
What is a best practice for managing IAM users?
A best practice is to not use the root account for everyday tasks and to organise users into groups with appropriate permissions.
Can an IAM user belong to multiple groups?
Yes, an IAM user can belong to multiple groups in AWS.
How do IAM group policies affect users?
Group policies apply to all users within that group. For example, if Alice, Bob, and Charles are in the Developers group, they will all inherit the same policy.
What are inline policies in IAM?
Inline policies are attached to individual users rather than to groups. They allow for specific permissions for a single user, regardless of group membership.
What are the key components of an IAM policy statement?
The key components are:
Sid (optional): Statement ID.
Effect: Allow or Deny.
Principal: The entity the policy applies to.
Action: The allowed or denied API calls.
Resource: The resources the actions apply to.
Condition (optional): Specific conditions under which the policy is applied.
What are the two possible values for the Effect in an IAM policy?
The two values are:
Allow: Grants the specified permissions.
Deny: Denies the specified permissions.
What is the first defense mechanism to protect users in AWS?
The first defense mechanism is setting up a password policy to enforce stronger passwords for accounts.
What options can you configure in a password policy in AWS?
Minimum password length.
Require specific character types (uppercase, lowercase, number, non-alphanumeric).
Allow users to change their own passwords.
Require users to change passwords periodically (e.g., every 90 days).
Prevent password reuse (users cannot revert to previous passwords).
What is the second defense mechanism to protect users in AWS?
The second defense mechanism is Multi-Factor Authentication (MFA), which adds an additional layer of security beyond just passwords.
Why is MFA recommended for AWS users, especially administrators?
MFA is important because it combines something you know (a password) and something you have (a security device), greatly increasing security. Even if the password is compromised, the account won’t be accessed without the second factor (e.g., a physical device like a phone).
What is the main benefit of using MFA in AWS?
The benefit of MFA is that it protects accounts from being compromised, even if the password is stolen, since the attacker would also need the physical device to authenticate.