Identity and Access Management Flashcards
What is the web service that helps you securely control access to AWS resources?
AWS Identity and Access Management (IAM)
You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources
IAM Principals must be authenticated to send requests
A PRINCIPAL is a person or application that can make a request for an action or operation on an AWS resource
When creating IAM resources you never need to select a region, because IAM is global: it applies to all regions in the account
What is the best way to organize users and apply policies?
(Options: Policies, Roles, Users, Groups)
Groups
- used for ORGANIZING users and applying policies
- the main reason to use groups is to apply permissions to users through policies
- users have NO permissions by default
- a user gains the permissions applied to the group through the group's policy
- you CANNOT nest a group within a group (unlike the LDAP groups we use at State Farm)
What is the best way to define permissions?
(Options: Policies, Roles, Users, Groups)
Policies
- used for DEFINING permissions
- policies are documents that define permissions and are written in JSON (JavaScript Object Notation)
- Identity-based policies can be applied to users, groups, and roles
- Resource-based policies apply to resources such as S3 buckets or DynamoDB tables
- Policies define the permissions for the identities or resources they are associated with
What is the best way to delegate permissions?
(Options: Policies, Roles, Users, Groups)
Roles
- Used for DELEGATING permissions and are assumed by users, applications, and services
- When a user assumes the role they are no longer acting as the user; they act as the role and have the permissions assigned to the role
- When assuming a role you DON'T need to store credentials, so this is the better option
Which option represents individual accounts used to log in with a user name and password?
(Options: Policies, Roles, Users, Groups)
Users
- Log in to the AWS Management Console with a user name and password
- Users are INDIVIDUAL accounts you log in with
- ROOT USER is the user that created the account
  - Root users have full permissions and cannot be restricted
  - It is a best practice to avoid using the root user account and to enable MFA
  - The main credential for an AWS root account is the email address used to create the account
What is the name of the user that created the account and what is their main credential to access AWS?
Root User
- The main credential for an AWS root account is the email address used to create the account
- Root users have full permissions and cannot be restricted
- It is a best practice to avoid using the root user account and enable MFA
How does a user connect to the CLI (Command Line Interface) and APIs?
Access Keys
What two things does an Access Key consist of?
Access keys consist of an access key ID and secret access key
Authentication that uses a second factor in addition to a password is known as...
Multi-factor authentication (MFA)
- Something you know - IAM user account and password
- Something you have - a virtual MFA device (like Google Authenticator) or a physical one (like a YubiKey), which comes from a third party
- Something you are - fingerprint (this is not used in AWS)
What/who controls the maximum available permissions in an AWS account?
(Options: Identity and Access Management (IAM), Root User, Service Control Policies, APIs)
Service Control Policies (SCPs) control the maximum available permissions in an AWS account
- SCPs are a feature of AWS Organizations
- Users in the management account are not restricted
- Tag policies enforce tag standardization
- SCPs do not grant permissions
  - They control the available permissions (they take permissions 'away')
  - Ex: add a control that restricts a child account so it cannot create EC2 instances