Identity and Access Management Flashcards
What is IAM?
A web service that enables you to manage access to your AWS account and resources.
What is an IAM User?
A person or service that interacts with AWS services.
What is an IAM Group?
A collection of users.
What is an IAM Policy?
To manage access and provide permissions to AWS services, you create IAM policies and attach them to IAM users, groups, and roles.
What are the 4 major sections of an IAM Policy?
- Version
- Effect (allow or deny)
- Action (type of action)
- Resource (object or objects policy covers)
Benefits of multiple accounts (WLC)?
- Group workloads
- Centralize logging
- Constrain access
- Limit blast radius
- Manage cost
- Distribute API request rates
What is an IAM role?
An IAM role is an identity that you can create in your account, and it has specific permissions.
A role can be assumed by anyone who needs it.
What is a service role?
A role created and assumed by a service.
Delegation
Delegation is the granting of permissions to someone to allow access to resources that you control.
Delegation involves setting up a trust between two accounts. The first account is the account that owns the resource (the trusting account). The second account is the account that contains the users that need to access the resource (the trusted account).
Federation
Federation is the creation of a trust relationship between an external IdP and AWS. Users can sign in to a web identity provider, such as Login with Amazon, Facebook, Google, or any IdP that is compatible with OIDC. Users can also sign in to an enterprise identity system that’s compatible with SAML 2.0, such as Microsoft Active Directory Federation Services. When you use OIDC and SAML 2.0 to configure a trust relationship between these external IdPs and AWS, the user is assigned to an IAM role. The user also receives temporary credentials that allow the user to access your AWS resources.
Federated User
Instead of creating an IAM user, you can use existing identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These identities are known as federated users. AWS assigns a role to a federated user when access is requested through an identity provider.
Trust Policy
A trust policy is a JSON policy document where you define the principals that you trust to assume the role. A role trust policy is a required, resource-based policy that’s attached to a role in IAM. The principals that you can specify in the trust policy include users, roles, accounts, and services.
Permission Boundary
A permissions boundary is an advanced feature where you use policies to limit the maximum permissions that an identity-based policy can grant to a role. You can’t apply a permissions boundary to a service-linked role.
For example, a developer is in a developer group that grants privileges. We can attach a permissions boundary to individual users to further restrict the access that the developer group would otherwise grant.
Principal
A principal is an entity in AWS that can perform actions and access resources. A principal can be an AWS account root user, an IAM user, or a role.
What is AWS Organizations?
AWS Organizations is a management service provided by Amazon Web Services that allows you to centrally manage and govern multiple AWS accounts within your organization.