Identity & Access Management (IAM) Flashcards
IAM Users
assigned to individual
an entity that represents a person or service
can be assigned:
an access key ID and secret access key for programmatic access to the AWS application programming interface (API), command line interface (CLI), software development kit (SDK), or other development tools
a password for access to the management console
By default users cannot access anything in your account; they are created with no permissions
the account root user signs in with the email address used to create the account and a password (root account)
IAM users can be created to represent applications and these are known as “service accounts”
You can have up to 5000 users per AWS account
Each user account has a friendly name and an Amazon Resource Name (ARN) which uniquely identifies the user across AWS
You should create an individual IAM user for each person (best practice: do not share accounts)
A password policy can be defined to enforce password length, complexity, expiry, etc. (applies to all IAM users in the account, but not to the root user)
Root Account
has full administrative permissions, which cannot be restricted with IAM policies; the email address used to create the account is the root user's sign-in name
Best Practices are:
- Don’t use root user credentials
- Don’t share the root user credentials
- create an IAM user and assign administrative permissions as required
- enable multi-factor authentication (MFA)
IAM Groups
Collection of users that you attach a policy to (that defines the permissions for that group)
Separate users into collections that perform similar job roles (developers, operations, etc.)
Use groups to assign permissions to users
Use the principle of least privilege when assigning permissions
You cannot nest groups (groups within groups)
IAM Roles
IAM entity used to delegate permissions
roles are created and then “assumed” by trusted entities and define a set of permissions for making AWS service requests
You won’t have to configure a username / password
Delegate permissions to resources for users and services w/o using permanent credentials (username / password)
IAM users or AWS services can assume a role to obtain temporary security credentials, which are then used to make AWS API calls (for example from software that launches and configures services)
You can delegate using roles
There are no credentials associated with a role (password or access keys)
IAM Policies
Document that defines permissions and can be applied to users, groups, and roles
Written in JSON (JavaScript Object Notation): key-value pairs, each consisting of an attribute name and a value
All permissions are implicitly denied by default
An explicit Deny overrides any Allow: a request is allowed only if at least one statement allows it and no statement denies it
IAM policy simulator is a tool to help you understand, test, and validate the effects of access control policies
the Condition element can be used to apply further conditional logic
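The evaluation order above (implicit deny by default, explicit Deny beats Allow, Condition elements filtering which statements apply) is easy to state and easy to get wrong. The following is an added example, not code from the original flashcards or from AWS: a small evaluator for the subset of the policy grammar a practitioner meets most often (string and list forms of Action/Resource, `*`/`?` wildcards, and the IpAddress, NotIpAddress, Bool, StringEquals and StringLike condition operators). The policy document, bucket name, IP range and request contexts are constructed for the example; NotAction/NotResource, the Null operator and resource-based policies are not modelled.

```python
import fnmatch
import ipaddress
import json

# Constructed example policy (not from any real account). The bucket name is a
# placeholder and 203.0.113.0/24 is a reserved documentation range.
EXAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowReadsOnOneBucket",
     "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "AllowAllS3FromCorpNetwork",
     "Effect": "Allow",
     "Action": "s3:*",
     "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "DenyDeletesWithoutMFA",
     "Effect": "Deny",
     "Action": "s3:Delete*",
     "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}
""")


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match: * matches any run of characters, ? one character."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Condition block: every operator and every key must match (AND); several
    values listed for one key are ORed. A key missing from the request context
    makes the condition fail (the Null operator is not modelled here)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(e) for e in expected)
            elif operator == "NotIpAddress":
                ok = not any(ipaddress.ip_address(actual) in ipaddress.ip_network(e) for e in expected)
            elif operator == "Bool":
                ok = str(actual).lower() in [str(e).lower() for e in expected]
            elif operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringLike":
                ok = _matches(expected, actual)
            else:
                raise ValueError(f"condition operator {operator} not modelled")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return "Allow", "ExplicitDeny" or "ImplicitDeny" for one request.

    Mirrors IAM's identity-based evaluation: start from implicit deny, an
    applicable Deny statement ends evaluation at once, and an Allow only
    stands if no Deny applies. NotAction/NotResource are not modelled.
    """
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    office = {"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthPresent": "false"}
    home = {"aws:SourceIp": "198.51.100.7", "aws:MultiFactorAuthPresent": "false"}
    print(evaluate(EXAMPLE_POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", home))
    print(evaluate(EXAMPLE_POLICY, "s3:PutObject", "arn:aws:s3:::other-bucket/x", home))
    print(evaluate(EXAMPLE_POLICY, "s3:DeleteObject", "arn:aws:s3:::example-bucket/x", office))
```

The three calls at the bottom show the three outcomes: a read of the named bucket is allowed from anywhere, a write to another bucket from outside the corporate range matches no Allow and is implicitly denied, and a delete from inside the corporate range is allowed by the second statement but still ends in an explicit deny because MFA was not present. For real policies use the IAM policy simulator mentioned above; this evaluator is only to make the ordering visible.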
IAM Authentication Method:
Access Key
composed of an access key ID and a secret access key
used to make programmatic calls to AWS from program code using an SDK, or from a command prompt using the AWS CLI or the AWS Tools for PowerShell
Can create, modify, view, or rotate access keys
When created IAM returns the access key ID and secret access key
the secret access key is shown only at creation time; if it is lost, a new key must be created
Ensure access keys and secret access keys are stored securely
Users can be given permission to manage their own access keys through an IAM policy (unlike passwords, there is no account-wide setting for this)
You can disable a user’s access key which prevents it from being used for API calls
IAM Authentication Method:
IAM Console Password / IAM User
a password that the user can enter to sign in to interactive sessions such as AWS management console
you can allow users to change their own passwords
you can allow selected IAM users to change their passwords by disabling the option for all users and using an IAM policy to grant permissions for the selected users
User account: sign in to the AWS Management Console with a web browser; MFA can add an extra layer of protection
IAM Authentication Method:
Signing Certificate
might not be on the exam, but just know it's the 3rd authentication method
IAM can also store server certificates (SSL/TLS certificates) that some AWS services use to terminate HTTPS connections
AWS recommends you use AWS Certificate Manager (ACM) to provision, manage, and deploy your server certificates
Use IAM only when you must support HTTPS connections in a region that is not supported by ACM
Multi-Factor Authentication (MFA)
Something that you know (password - it’s a secret and only you know it)
Something you have (something in your physical possession; a text or code sent to your mobile phone)
Something you are (thumbprint; biometrics, facial scan)
MFA for AWS
Something you know: the password, which can be compromised on its own
Something you have:
- virtual MFA device - an authenticator app such as Google Authenticator on your smartphone (free)
- physical MFA device - a hardware token or security key, which has to be purchased
AWS Security Token Service (STS)
web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users)
STS has a global endpoint (sts.amazonaws.com) that requests go to by default; regional endpoints also exist, and AWS recommends using them for lower latency and resilience
all regions are enabled for STS by default but can be disabled
region in which temporary credentials are requested must be enabled
the temporary credentials returned are not tied to the endpoint that issued them and work in any region
IAM Best Practices
will be on exam!
1 - lock away the AWS root user access keys
2 - Create individual IAM users
3 - Use AWS managed policies to assign permissions whenever possible (AWS maintains pre-configured policies for common job functions)
4 - Use groups to assign permissions to IAM users
5 - Grant least privilege
6 - Use access levels to review IAM permissions
7 - Configure a strong password policy for users
8 - Enable MFA for privileged users
(AWS updated this advice. It is now recommended to enable MFA for all users and to use FIDO/U2F security keys or hardware MFA devices for privileged users)
9 - Use roles for applications that run on Amazon EC2 instances
10 - Delegate by using roles instead of sharing credentials
11 - rotate credentials regularly
12 - Remove unnecessary credentials
13 - Use policy conditions for extra security
(e.g. require the request's source IP address, aws:SourceIp, to be in your corporate range, or require MFA with aws:MultiFactorAuthPresent)
14 - Monitor activity in your AWS account
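Practices 11 and 12 (rotate credentials regularly, remove unnecessary credentials) are the ones most often left to a quarterly spreadsheet. The following is an added example, not code from the original flashcards or from AWS: an access-key audit that flags active keys older than a rotation threshold and active keys that have not been used (or were never used) within an idle threshold, plus the two-key rotation sequence written against a boto3 IAM client. The user names, key IDs, dates and last-used records are constructed to match the shape of the `list_access_keys` and `get_access_key_last_used` responses; only the audit functions run offline, and the rotation helpers assume a real `boto3.client("iam")` with permission to manage the user's keys.

```python
from datetime import datetime, timezone

# Constructed sample data in the shape boto3 returns (fake users, fake key IDs):
# iam.list_access_keys(UserName=...)["AccessKeyMetadata"] and
# iam.get_access_key_last_used(AccessKeyId=...)["AccessKeyLastUsed"].
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000001", "Status": "Active",
     "CreateDate": datetime(2024, 1, 10, tzinfo=timezone.utc)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE0000000002", "Status": "Active",
     "CreateDate": datetime(2024, 5, 1, tzinfo=timezone.utc)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE0000000003", "Status": "Inactive",
     "CreateDate": datetime(2023, 12, 1, tzinfo=timezone.utc)},
    {"UserName": "dave", "AccessKeyId": "AKIAEXAMPLE0000000004", "Status": "Active",
     "CreateDate": datetime(2024, 4, 1, tzinfo=timezone.utc)},
]
SAMPLE_LAST_USED = {
    "AKIAEXAMPLE0000000001": {"LastUsedDate": datetime(2024, 5, 30, tzinfo=timezone.utc),
                              "ServiceName": "s3", "Region": "us-east-1"},
    "AKIAEXAMPLE0000000002": {"LastUsedDate": datetime(2024, 5, 28, tzinfo=timezone.utc),
                              "ServiceName": "ec2", "Region": "eu-west-1"},
    # AWS omits LastUsedDate entirely for a key that has never been used.
    "AKIAEXAMPLE0000000004": {"ServiceName": "N/A", "Region": "N/A"},
}
# Fixed "today" for the sample so the audit result is reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def keys_due_for_rotation(keys, now, max_age_days=90):
    """Active keys older than max_age_days, as (user, key id, age in days)."""
    due = []
    for k in keys:
        age = (now - k["CreateDate"]).days
        if k["Status"] == "Active" and age > max_age_days:
            due.append((k["UserName"], k["AccessKeyId"], age))
    return due


def idle_keys(keys, last_used, now, idle_days=45):
    """Active keys not used for idle_days, or never used and at least that old:
    candidates for deactivation and deletion rather than rotation."""
    idle = []
    for k in keys:
        if k["Status"] != "Active":
            continue
        used = last_used.get(k["AccessKeyId"], {}).get("LastUsedDate")
        reference = used if used is not None else k["CreateDate"]
        if (now - reference).days >= idle_days:
            idle.append((k["UserName"], k["AccessKeyId"]))
    return idle


def rotate_access_key(iam, user_name, old_key_id, deploy_new_key):
    """First half of a two-key rotation (boto3 IAM client assumed). A user can
    hold at most two keys, so create the new key, hand it to the caller's
    deploy step, then deactivate the old key (reversible if something breaks).
    Not exercised offline."""
    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    deploy_new_key(new["AccessKeyId"], new["SecretAccessKey"])  # secret is only shown now
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    return new["AccessKeyId"], new["CreateDate"]


def retire_old_key(iam, user_name, old_key_id, new_key_created):
    """Second half, run later: delete the old key only if nothing used it after
    the new one was issued; otherwise keep it inactive and investigate."""
    last = iam.get_access_key_last_used(AccessKeyId=old_key_id)["AccessKeyLastUsed"]
    used_after_cutover = last.get("LastUsedDate") is not None and last["LastUsedDate"] > new_key_created
    if used_after_cutover:
        return False
    iam.delete_access_key(UserName=user_name, AccessKeyId=old_key_id)
    return True


if __name__ == "__main__":
    print("due for rotation:", keys_due_for_rotation(SAMPLE_KEYS, SAMPLE_NOW))
    print("idle:", idle_keys(SAMPLE_KEYS, SAMPLE_NOW and SAMPLE_LAST_USED, SAMPLE_NOW))
```

On the sample, alice's key is 143 days old and due for rotation even though it is in daily use, while dave's 61-day-old key has never been used and should simply be removed. Deactivating before deleting matters: an inactive key can be re-enabled in seconds if a forgotten job breaks, a deleted one cannot.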