Identity and Access Management Flashcards

1
Q

What is IAM?

A

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources.

You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

IAM users are identities created inside an AWS account to represent a person or an application that needs access; each has its own credentials and permissions.

2
Q

What is a root user?

A

When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the root user.

The account root user credentials are the email address used to create the account and a password. Because the root user cannot be restricted by IAM policies, protect it with MFA and use it only for the few tasks that require root; do everyday work as an IAM user or role.

3
Q

What are the three main components to IAM?

A
  • A user name (the identity)
  • Credentials such as a console password
  • Permissions to access resources, granted through policies
4
Q

What do you need to sign in?

A

To sign in as an IAM user you must provide your account ID or account alias in addition to a user name and password.

The sign-in URL includes the account ID or account alias, e.g.

https://My_AWS_Account_ID.signin.aws.amazon.com/console/

5
Q

What are some authentication methods?

A
  • Console password (optionally protected with MFA as a second factor)
  • Access keys (an access key ID and a secret access key used to sign programmatic calls to AWS from program code, the AWS CLI or the AWS Tools for PowerShell)
  • Server certificates (X.509 certificates stored in IAM for use with services such as Elastic Load Balancing and CloudFront)
6
Q

What are a few things to know about IAM users?

A
  • An IAM user is an entity that represents a person or service.
  • IAM users can be created to represent applications; these are known as “service accounts”.
  • Create an individual IAM user for each person (best practice: never share credentials).
  • The Access Key ID and Secret Access Key are not the same as a password and cannot be used to log in to the AWS console.
  • The Secret Access Key is shown only once, when the key pair is created. It can be used to sign any number of requests afterwards, but if it is lost it cannot be retrieved; you must create a new key pair and deactivate the old one.
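The access-key cards above say the key pair signs programmatic calls; the following added example (not code from the original page) shows what that signing looks like: an AWS Signature Version 4 signer in Python that derives a signing key from the secret access key and produces the Authorization header for a constructed iam:ListUsers call. The credentials are the well-known placeholder values from AWS documentation, the timestamp is fixed so the output is reproducible, and nothing is sent over the network. The same key pair signs every request, which is why a lost secret is replaced rather than "regenerated after one use".

```python
"""Sign an AWS API request with Signature Version 4 using an access key pair.

Added example; not code from the original page. All values below are
constructed fixtures (AWS documentation placeholder credentials), not real keys.
"""
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"                      # placeholder, not a real key
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # placeholder, not a real key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def canonical_query(params: dict) -> str:
    # SigV4 requires parameters sorted by name and RFC 3986 percent-encoding.
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def sign_request(method, host, path, params, headers, payload, region, service,
                 access_key_id, secret, amz_date):
    """Return the Authorization header value. amz_date is 'YYYYMMDDTHHMMSSZ'."""
    date_stamp = amz_date[:8]
    # Header names are lower-cased and sorted; host and x-amz-date must be signed.
    all_headers = {**{k.lower(): v.strip() for k, v in headers.items()},
                   "host": host, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(all_headers))
    canonical_headers = "".join(f"{k}:{all_headers[k]}\n" for k in sorted(all_headers))
    canonical_request = "\n".join([
        method, quote(path, safe="/~"), canonical_query(params),
        canonical_headers, signed_headers, sha256_hex(payload),
    ])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        sha256_hex(canonical_request.encode("utf-8")),
    ])
    signature = hmac.new(derive_signing_key(secret, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def example_authorization_header(secret: str = SECRET_ACCESS_KEY) -> str:
    """Sign a constructed iam:ListUsers GET with a fixed timestamp so output is reproducible."""
    return sign_request(
        method="GET", host="iam.amazonaws.com", path="/",
        params={"Action": "ListUsers", "Version": "2010-05-08"},
        headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
        payload=b"", region="us-east-1", service="iam",
        access_key_id=ACCESS_KEY_ID, secret=secret, amz_date="20150830T123600Z",
    )


if __name__ == "__main__":
    print(example_authorization_header())
```

The header carries the access key ID in clear (the credential scope) and proves possession of the secret through the signature, so the secret itself never crosses the wire; rotating a leaked key means creating a new pair and deactivating the old one, exactly as the card above describes.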
7
Q

What are a few things to know about Groups?

A
  • Groups are collections of users and have policies attached to them.
  • A group is not an identity and cannot be identified as a principal in an IAM policy.
  • Use groups to assign permissions to users.
  • Use the principle of least privilege when assigning permissions.
  • You cannot nest groups (groups within groups).
8
Q

What is a role?

A

Roles are created and then “assumed” by trusted entities and define a set of permissions for making AWS service requests. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls.

IAM roles can be used to grant applications running on EC2 instances permission to make AWS API requests; the role is delivered to the instance through an instance profile, and the application picks up short-lived credentials from the instance metadata service instead of embedding access keys. Only one role can be assigned to an EC2 instance at a time. A role can be assigned when the instance is launched or at any time afterwards.

9
Q

What are policies?

A

Policies are documents that define permissions. Identity-based policies are attached to users, groups and roles; resource-based policies are attached to a resource (for example an S3 bucket or a role's trust policy) and name the Principal they apply to.

Policy documents are written in JSON. A document has a Version and a list of Statement elements; each statement is a set of key/value pairs giving an Effect (Allow or Deny), the Action(s), the Resource(s) and optional Condition(s). Access is denied by default, and an explicit Deny always overrides an Allow.
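The role and policy cards above describe trust policies, permissions policies and the JSON they are written in. The following added example (not code from the original page) puts them side by side in Python: a trust policy that lets the EC2 service assume a role, a least-privilege permissions policy for a constructed bucket name, an over-broad policy for contrast, a small linter that flags Action or Resource wildcards on Allow statements, and a simplified evaluator implementing default deny with explicit Deny winning. The evaluator is a model of IAM's core logic only; it ignores Condition elements, resource-based policies, permissions boundaries and SCPs.

```python
"""Build, lint and evaluate IAM-style JSON policy documents.

Added example; not code from the original page. Bucket and Sid names are
constructed. The evaluator is simplified: no Condition, boundary or SCP logic.
"""
import fnmatch
import json

# Trust policy: who may assume the role. For an EC2 instance profile the
# principal is the EC2 service itself, not a user.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: what the role may do (constructed bucket name).
READ_ONE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadAppConfig",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-app-config",
                         "arn:aws:s3:::example-app-config/*"],
        },
        {
            "Sid": "NeverTouchSecrets",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-app-config/secrets/*",
        },
    ],
}

# Over-broad policy kept alongside the tight one to show what the linter flags.
ADMIN_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the document passed these checks."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17 (older versions lack policy variables)")
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        where = stmt.get("Sid", f"Statement[{i}]")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        if stmt.get("Effect") == "Allow":
            if "*" in _as_list(stmt.get("Action", [])):
                findings.append(f"{where}: Action '*' grants every API call")
            if "*" in _as_list(stmt.get("Resource", [])):
                findings.append(f"{where}: Resource '*' applies to every resource")
    return findings


def _matches(patterns, value: str, fold_case: bool) -> bool:
    # IAM wildcards are '*' and '?', which fnmatch also understands. Action
    # names compare case-insensitively; ARNs are compared as written.
    v = value.lower() if fold_case else value
    return any(fnmatch.fnmatchcase(v, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def is_allowed(policies, action: str, resource: str) -> bool:
    """Simplified identity-policy evaluation: default deny, any explicit Deny wins."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt.get("Action", []), action, True)
                    and _matches(stmt.get("Resource", []), resource, False)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(READ_ONE_BUCKET, indent=2))
    print("lint:", lint_policy(ADMIN_WILDCARD))
    print(is_allowed([READ_ONE_BUCKET], "s3:GetObject",
                     "arn:aws:s3:::example-app-config/app.yaml"))
```

Running the linter over every policy before it is attached catches the "Action: *, Resource: *" pattern that turns a role into an administrator; the evaluator shows why the Deny statement is worth keeping even though nothing grants access to the secrets prefix: it still blocks access if a broader Allow is attached later.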
