Identity & Access Management (IAM) Flashcards
Access Key
Manage programmatic access in IAM. Use for CLI access.
IAM is NOT used for application level authentication.
Access key = access key ID + secret access key. Can only be used once. Access keys are long-term credentials that can be used to sign programmatic requests to AWS.
IAM Group
Collection of users. Used to control who can access an instance.
Groups cannot be nested.
IAM Permission/Access Policy
Gives permission to specific AWS services. Can be applied to an IAM group, user, or role and controls what actions a user can perform after accessing an instance (conditions can be added).
IAM policy simulator allows for testing of policies.
IAM Role
Gives permission for one AWS service to access another service. Roles can be used by a service or a user.
A role does not need or use separate credentials; they are assigned.
Roles can also be temporary. EC2 instances can only use 1 role at a time.
MFA
Multi-factor authentication rules can be established in IAM for designated services. Can be enabled for the whole account or for individual users.
Root User
Root user credentials = email address used to create the account + password. Has full permissions. Cannot be restricted.
Security Token
Security tokens are temporary credentials that can also be used to interact with AWS resources programmatically.
Trust Policy
Specifies which accounts may assume a role. The user in the trusted account must also be assigned the required Permissions policy.
User
Individuals who have been granted access to an AWS account. A user has a user name, password, and permissions.
By default a user has no permissions; they must be explicitly granted. The exception is the root account, which has all permissions.
If a user is created for an application, it is called a service account.
Can have 5000 users per account.
What is IAM?
Identity and Access Management: the service where AWS user accounts and their access to various AWS services are managed.
Access Policy Management Types
AWS Managed: Standalone policy that is created and administered by AWS. Aligns with common IT job functions and is updated as new operations become available.
Customer Managed Policies: Standalone policy that is created and administered in your own AWS account.
Inline Policies: An inline policy is a policy that’s embedded in a principal entity (a user, group, or role)—that is, the policy is an inherent part of the principal entity. You can create a policy and embed it in a principal entity, either when you create the principal entity or later.