Identity Access Management & S3 Flashcards
What is a principal in IAM?
An entity that can make a request: an IAM user, an IAM role, a federated user, an AWS account or an AWS service, inside or outside your organisation. An IAM group is not a principal; it is only a way of attaching policies to a set of users.
What is the relationship between principals and resources?
Principals perform actions on resources; policies decide whether a given principal may perform a given action on a given resource.
Is IAM a global or a regional service?
Global. Users, groups, roles and policies are defined once per account and apply in every region, so there is no proliferation of differing per-region IAM configurations to keep in sync.
What is an IAM user?
An identity with long-term credentials (a console password and/or access keys) for a person or workload that needs day-to-day access.
What is a root user?
The identity created with the account, with unrestricted access to everything in it. It cannot be restricted by IAM policies, so it should be protected with MFA and used only for the few tasks that require it.
What are IAM groups?
A collection of users to which common permissions (policies) are attached.
What are roles?
An identity with policies but no long-term credentials. A user, service or federated identity assumes the role and receives temporary credentials from STS.
What is a principal-based policy in IAM?
An identity-based policy: attached to the principal (user, group or role) and stating what that principal may do. It has no Principal element because the attachment already says who it applies to.
What is a resource-based policy?
Attached to the resource (for example an S3 bucket policy or a role trust policy) and listing the principals that may or may not act on it, so it must contain a Principal element.
What is the difference between a resource-based policy and a principal-based policy?
Where it is attached and whether it names the principal: an identity-based policy travels with the principal and grants it access to resources; a resource-based policy stays with the resource and grants named principals (possibly from other accounts) access to that resource.
What is the principle of least privilege?
Giving a principal (subject) only the minimum access to a resource (object) that it needs to do its job, and nothing more.
Why do microservices offer a better security model than monolithic applications?
Microservices are modular, so each one can run with its own credentials scoped to just the parts of the system it needs. If one is compromised the attacker gets a much smaller set of permissions (a smaller blast radius) than with a monolith that holds credentials for everything.
In IAM policies what does PARC-E represent?
P - Principal: who or what is allowed (or denied) access
A - Action: the API operations the statement applies to
R - Resource: the ARNs the statement applies to
C - Condition: extra tests on the request context that must hold for the statement to apply
E - Effect: whether the statement is an Allow or a Deny
What is a principal-based policy in IAM?
Principal-based (identity-based) policies are attached to a user, group or role. The resource being accessed can be in the same account or in a different account (in the latter case the resource's own policy must also allow the access).
What in IAM is the default deny rule?
By default a principal is denied everything; access exists only where a policy explicitly allows it.
What is a resource-based policy?
It is attached to a resource and lists the principals that are allowed, or denied, access to that resource.
I want to specify a group as a principal in a trust policy on a role, is this possible?
No. A group is not an IAM principal, so it cannot appear in a Principal element; list the users or roles (or the account) instead.
A user who previously had access to your root credentials has left. What should you do to protect the root account? (Clue: there are five items)
- Log on as root.
- Change the root password.
- Remove the existing MFA device and register a new one.
- Delete any root access keys; root should not have programmatic access.
- Review (and rotate or delete) any IAM users, keys and passwords that person had access to.
What are the three types of policies in IAM?
- Customer managed
- AWS managed
- Inline
Can AWS managed policies change?
Yes. AWS updates them (for example when a service adds API actions); each update creates a new policy version, and the change applies to every identity the policy is attached to.
Why might you use a customer managed policy?
You may not want to risk AWS changing an AWS managed policy and having that change affect your accounts; a customer managed policy only changes when you change it, and you control its versions.
What is the use case for an IAM inline policy?
You want a policy that is tightly bound to one user, group or role and cannot accidentally be attached to anything else; the policy is deleted together with the identity.
Why would you use an S3 bucket policy?
- Ease of administration: the rules live with the bucket rather than on every principal.
- Size: a bucket policy can be up to 20 KB, larger than an IAM policy (6,144 characters for a managed policy, 10,240 for an inline role policy).
- A way of giving cross-account access without the other account having to assume a role.
In a bucket policy in the Resource section I paste my bucket ARN but still get an error, why?
Object-level actions such as s3:GetObject and s3:PutObject apply to object ARNs, so the resource must be the bucket ARN followed by a key pattern such as /* (arn:aws:s3:::my-bucket/*). Bucket-level actions such as s3:ListBucket use the bare bucket ARN, so a policy that covers both kinds of action needs both ARNs.
What are the main differences between IAM policies, S3 bucket policies and S3 ACLs?
Scope: an IAM policy follows the identity across all AWS services, a bucket policy applies to one bucket (and, through object ARNs, the objects in it), and an ACL applies to a single bucket or a single object.
What happens if a user has access to everything in S3 but there is a specific deny on an S3 bucket?
The deny wins for that bucket; an explicit Deny always overrides an Allow.
What should you use if you want to apply permissions on individual items within an S3 bucket?
Object ACLs. (Today AWS recommends keeping ACLs disabled and expressing per-object rules as object-key patterns in the bucket policy; ACLs are a legacy mechanism.)
Besides fine-grained access to individual files, what is another use case for ACLs?
If the bucket policy is close to hitting its maximum size of 20 KB.
With ACLs can I let other accounts have access to individual S3 objects?
Yes, an object ACL can grant another AWS account (identified by its canonical user ID) access to that object.
Can I assign ACLs to individual IAM users via the console?
No. ACLs grant access to AWS accounts, not to IAM users, and the account is identified by its canonical user ID using the AWS CLI or an SDK.
When a principal issues a command to S3 how are security policies evaluated?
All applicable policies are considered together (IAM identity policies, the bucket policy and ACLs): an explicit Deny in any of them overrides any Allow.
If you don't specify an Allow on an S3 bucket what is the default access?
Deny.
Under what circumstances will access to an S3 bucket be allowed?
If there is no explicit Deny in any applicable policy and there is at least one explicit Allow (within the same account one Allow is enough; across accounts both the identity policy and the bucket policy must allow).
What is the principle of least privilege?
It is achieved by following these rules:
- Give the right access
- Only to the right individuals
- To perform the right action
- Only when the time is right
Why do microservices lend themselves to the principle of least privilege better than monoliths?
A microservice does one thing well, so it can be given access to do just that one thing rather than everything the application as a whole needs.
What is the default rule for IAM?
Default deny: when a user is added to an account they have no access to any resource until a policy grants it.
How does the zone of trust work with single-account access in IAM?
If the principal is in the same account as the resource it wants to access, an identity-based IAM policy on its own is enough to grant access (a resource-based policy on its own is also enough).
How does the zone of trust work with cross-account access?
For cross-account access you need both an identity-based policy in the requesting account that allows the action and a resource-based policy in the account that owns the resource that allows that principal.
What is the general format of IAM Conditions?
"Condition" : { "{condition-operator}" : { "{condition-key}" : "{condition-value}" } }
What are the six string operator conditions in IAM?
- StringEquals
- StringNotEquals
- StringEqualsIgnoreCase
- StringNotEqualsIgnoreCase
- StringLike (case-sensitive, with * and ? wildcards)
- StringNotLike
What are condition keys?
A condition tests, with an operator, whether a key in the request context has (or does not have) a certain value. There are global keys available to every service (such as aws:SourceIp, aws:PrincipalOrgID or aws:MultiFactorAuthPresent) and each service has its own keys (such as s3:prefix). A statement with a Condition only applies to a request when every key in it evaluates true.
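The evaluation rules from the cards above (default deny, explicit Deny overriding Allow, the same-account versus cross-account zone of trust, bucket ARN versus bucket/* and the six String condition operators), as an added example. This is a simplified simulator written for these flashcards, not AWS code and not a complete implementation of IAM evaluation logic (NotAction, non-string operators, SCPs, permissions boundaries and ACLs are left out). The account IDs, users, buckets, organisation ID and policies in it are constructed for the example. One rule it relies on that the cards do not spell out: when a condition key is absent from the request context, a positive operator such as StringEquals evaluates false, while a negated operator such as StringNotEquals evaluates true, which is why a Deny with StringNotEquals on aws:PrincipalOrgID also blocks requests that carry no organisation ID at all.

```python
"""Simplified simulator of IAM policy evaluation (added example, not AWS code).
Covers default deny, explicit Deny beating Allow, same-account vs cross-account
zone of trust, ARN/action wildcards and the six String condition operators."""
import re

NEGATED_OPERATORS = {"StringNotEquals", "StringNotEqualsIgnoreCase", "StringNotLike"}


def wildcard_match(pattern, value, ignore_case=False):
    """IAM-style matching: '*' matches any run of characters (including '/'),
    '?' matches exactly one; the pattern is anchored at both ends."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


STRING_OPERATORS = {
    "StringEquals": lambda actual, expected: actual == expected,
    "StringNotEquals": lambda actual, expected: actual != expected,
    "StringEqualsIgnoreCase": lambda actual, expected: actual.lower() == expected.lower(),
    "StringNotEqualsIgnoreCase": lambda actual, expected: actual.lower() != expected.lower(),
    "StringLike": lambda actual, expected: wildcard_match(expected, actual),
    "StringNotLike": lambda actual, expected: not wildcard_match(expected, actual),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Every operator block and every key inside it must pass (AND); the values
    listed for one key are alternatives (OR). A key missing from the request
    context fails positive operators and passes negated ones."""
    for operator, keys in condition.items():
        test = STRING_OPERATORS[operator]
        for key, expected in keys.items():
            if key not in context:
                if operator in NEGATED_OPERATORS:
                    continue
                return False
            if not any(test(context[key], e) for e in _as_list(expected)):
                return False
    return True


def statement_applies(stmt, principal_arn, action, resource_arn, context):
    """A statement applies when its Principal (resource-based policies only),
    Action, Resource and Condition all match the request."""
    if "Principal" in stmt:
        grantees = ["*"] if stmt["Principal"] == "*" else _as_list(stmt["Principal"].get("AWS", []))
        if not any(g in ("*", principal_arn) for g in grantees):
            return False
    if not any(wildcard_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
        return False
    if not any(wildcard_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
        return False
    return condition_matches(stmt.get("Condition", {}), context)


def _effects(policies, principal_arn, action, resource_arn, context):
    return {s["Effect"] for p in policies for s in p["Statement"]
            if statement_applies(s, principal_arn, action, resource_arn, context)}


def evaluate(identity_policies, resource_policies, principal_arn, resource_account,
             action, resource_arn, context=None):
    """Return 'Allow' or 'Deny' for one request. An explicit Deny on either side
    wins; same-account access needs one Allow from either side; cross-account
    access needs an Allow from both sides; anything else is the default Deny."""
    context = context or {}
    identity = _effects(identity_policies, principal_arn, action, resource_arn, context)
    resource = _effects(resource_policies, principal_arn, action, resource_arn, context)
    if "Deny" in identity or "Deny" in resource:
        return "Deny"
    if principal_arn.split(":")[4] == resource_account:   # account ID field of the ARN
        return "Allow" if "Allow" in identity or "Allow" in resource else "Deny"
    return "Allow" if "Allow" in identity and "Allow" in resource else "Deny"


# Constructed sample data: hypothetical account IDs, users, buckets and org ID.
ALICE = "arn:aws:iam::111111111111:user/alice"   # same account as the buckets
BOB = "arn:aws:iam::222222222222:user/bob"       # a different account
ALICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BOB_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
# Bucket 'reports' (account 111111111111): cross-account read for Bob, gated on a principal tag.
REPORTS_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": BOB}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::reports/*",
     "Condition": {"StringEqualsIgnoreCase": {"aws:PrincipalTag/team": "Analytics"}}}]}
# Bucket 'payroll' (same account): deny anyone not in the organisation.
PAYROLL_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::payroll", "arn:aws:s3:::payroll/*"],
     "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": "o-example"}}}]}

if __name__ == "__main__":
    acct = "111111111111"
    print(evaluate([ALICE_POLICY], [PAYROLL_BUCKET_POLICY], ALICE, acct, "s3:GetObject",
                   "arn:aws:s3:::payroll/2024.csv", {"aws:PrincipalOrgID": "o-example"}))  # Allow
    print(evaluate([BOB_POLICY], [PAYROLL_BUCKET_POLICY], BOB, acct, "s3:GetObject",
                   "arn:aws:s3:::payroll/2024.csv", {"aws:PrincipalOrgID": "o-example"}))  # Deny
```

Bob's second request is denied even though his own identity policy allows s3:GetObject on everything and the payroll Deny does not apply to him: the bucket is in another account, and nothing on the resource side allows him. Dropping aws:PrincipalOrgID from Alice's request context turns her Allow into a Deny, because the negated operator is satisfied by a missing key; that is the behaviour to keep in mind when writing organisation-wide Deny statements.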
What are the three sources of users that come to STS?
Cross-account access (AssumeRole), SAML federation (AssumeRoleWithSAML) and web identity federation (AssumeRoleWithWebIdentity).
In federated environments do users have to exist in AWS?
No. Users exist only in the external identity store (for example Active Directory); they are mapped to an IAM role and receive temporary credentials for it.
What does an identity broker authenticate against first, STS or the identity store?
The identity store. Only after the user is authenticated there does the broker call STS to obtain credentials for the mapped role.
What are the four items returned by STS?
Access key ID, secret access key, session token and expiration time. The session duration ranges from 15 minutes to 36 hours depending on the API: up to 12 hours for AssumeRole (bounded by the role's maximum session duration), up to 36 hours for GetSessionToken and GetFederationToken.
Does Cognito support the idea of guest users?
Yes. An identity pool can be configured to hand out credentials for unauthenticated (guest) identities, backed by a separate and more restricted IAM role.
How does Cognito work?
A user authenticates against a user pool, either directly or through an external provider such as Facebook, and receives JWTs (an ID token and an access token). The ID token is exchanged with an identity pool for temporary AWS credentials tied to an IAM role, which give the user access to AWS resources.
What is a Glacier vault?
A container for archives. An archive is any blob of data you upload (commonly a tar or zip bundling many files), identified by an archive ID rather than a file name.
What are the common use cases for a vault lock policy?
Enforcing write-once-read-many (WORM) storage, or data retention rules (for example no deletes for 365 days) for compliance.
What is the process for using a vault lock policy?
- Write the policy.
- Initiate the lock, which attaches the policy to the vault in an in-progress state and returns a lock ID.
- Verify it works: you have 24 hours to complete the lock with that lock ID, or abort and start again.
- Once completed the policy is immutable and can no longer be changed or removed.
Can SCPs be used to grant access?
No. An SCP never grants permissions; it only sets the maximum permissions available to identities in the accounts it applies to, and an identity still needs an IAM policy that allows the action.
Can SCPs be used to create permissions boundaries?
Yes, in the sense that an SCP caps what any identity in a member account can do, overriding local account settings and so enforcing organisation-wide compliance. (This is separate from the IAM permissions boundary feature, which is a policy attached to an individual user or role.)
What does the IAM credential report show?
A CSV report listing every user in the account, including the root account.
For each one it shows whether a console password is enabled and when it was last used and changed, whether MFA is active, and for each access key whether it is active, when it was last rotated and when, where and for which service it was last used.
What two permissions do you need to interact with an IAM credential report?
iam:GenerateCredentialReport (to create it) and iam:GetCredentialReport (to download it).
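What you would actually do with the report, as an added example rather than anything from the flashcards or from AWS: parse it and flag the things the cards above care about (root with an access key or without MFA, console users without MFA, access keys that are stale or never used). The CSV is constructed for the example using the real column header of the credential report; the account ID, user names and dates are hypothetical. The two AWS CLI commands in the docstring are the real way to fetch a report and need exactly the two permissions named in the last card.

```python
"""Audit an IAM credential report (added example, not AWS code). A real report
is fetched with `aws iam generate-credential-report` followed by
`aws iam get-credential-report --query Content --output text | base64 -d`,
which needs iam:GenerateCredentialReport and iam:GetCredentialReport."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample with the report's real column header; the account ID,
# user names and dates are hypothetical. N/A, not_supported and no_information
# are what the real report emits when a field does not apply.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2019-05-01T08:00:00+00:00,not_supported,2024-03-01T10:00:00+00:00,not_supported,not_supported,false,true,2019-05-01T08:00:00+00:00,2024-03-01T10:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2021-02-10T09:30:00+00:00,true,2024-05-28T11:12:00+00:00,2023-11-02T09:00:00+00:00,N/A,false,true,2022-06-01T12:00:00+00:00,2024-05-30T16:40:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2023-09-15T14:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-04-15T14:00:00+00:00,N/A,N/A,N/A,true,2023-12-01T14:00:00+00:00,2024-05-30T08:00:00+00:00,us-east-1,ec2,false,N/A,false,N/A
carol,arn:aws:iam::111111111111:user/carol,2022-07-20T10:00:00+00:00,true,2024-05-31T07:45:00+00:00,2024-03-10T10:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT = "<root_account>"   # the user name the report uses for the root account


def parse_report_time(value):
    """Timestamps are ISO 8601 with a UTC offset; N/A, no_information and
    not_supported all mean 'no date' and come back as None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, code, detail) findings: root hygiene, console users without
    MFA, and access keys older than max_key_age_days or never used."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == ROOT and row["mfa_active"] != "true":
            findings.append((user, "ROOT_NO_MFA", "root account has no MFA device"))
        if user != ROOT and row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "NO_MFA", "console password enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == ROOT:
                findings.append((user, "ROOT_ACCESS_KEY", f"root should have no programmatic access (key {n})"))
            rotated = parse_report_time(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and (now - rotated).days > max_key_age_days:
                findings.append((user, "STALE_KEY", f"key {n} last rotated {(now - rotated).days} days ago"))
            if parse_report_time(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, "UNUSED_KEY", f"key {n} is active but has never been used"))
    return findings


if __name__ == "__main__":
    for user, code, detail in audit_credential_report(SAMPLE_REPORT, datetime.now(timezone.utc)):
        print(f"{user:16} {code:16} {detail}")
```

Run against the sample with a clock of 1 June 2024 it reports the root account (no MFA, an active and long-unrotated access key), alice (console password without MFA, a key not rotated for about two years) and bob (one key never used, the other stale); carol, who has MFA and no keys, produces nothing. Feeding it a real report is a matter of replacing SAMPLE_REPORT with the decoded CLI output.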