Identity & Access Management Flashcards
What is Identity & access management (IAM)?
IAM allows you to manage users and their level of access to the AWS console and AWS services.
Functionality involves:
- Create users and grant permissions to those users.
- Create groups and roles.
- Control access to AWS resources.
What is the root account?
The root account is the email address you used to sign up for AWS. The root account has full administrative access to AWS. For this reason, it’s important to secure this account.
What are the 4 steps you should take to secure your AWS root account?
- The simplest and most important one is to enable multi-factor authentication on the root account.
- You don’t want to ever log in to your root account again, so create an admin group for your administrators and assign the appropriate permissions to this group.
- Create user accounts for your administrators.
- Add your users to the admin group.
How do you control permissions using IAM, and what could that look like?
You do this by assigning permissions in policy documents, which are stored as JSON.
Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
This example shows a policy with one statement. Inside that statement the Effect is Allow. The Action is *, which means allow any action. The Resource is * as well, so the statement essentially allows any action on any resource, which is full administrative access and should only be granted to administrators.
What can you assign IAM policy documents to and what is best practice to do?
You can assign IAM policy documents to:
* Groups
* Users
* Roles
Best practice is not to assign IAM policy documents directly to a user, since this becomes more and more difficult to manage as more users are created.
Instead you want to assign the IAM policy document to groups, since all users inside a group inherit that group’s permissions.
On what level can IAM exist?
IAM only exists at the global level. You can’t assign IAM to a user in a specific region.
What are the building blocks/elements of IAM?
- Users
A user is an account you create for a physical person, and it should only be used by that physical person.
- Groups
A group is a way to contain users. For instance, you create a finance group with a set of permissions and assign everyone in finance to that group.
- Roles
Used for internal usage by AWS services.
Why is it important that one user equals one physical person?
The primary reason for this: assume you gave a team of 5 one shared AWS user account, and that user intentionally or unintentionally causes some mess in AWS. Now you can’t track which of the 5 people created that mess.
What is the principle of least privilege?
This is a security concept: you assign a user only the minimum privileges they need to do their job.
For instance, HR or Finance probably don’t need to create virtual machines or do machine learning, so they shouldn’t have those privileges.
When creating a user why are tags a good idea?
You can give different tags to the users you create. For instance, you can tag a user with their department and employee ID.
Then, if that user creates a virtual machine, that virtual machine can be tagged with which department it belongs to and which user created it.
What happens if you create a user but don’t assign them to a group?
That user will be assigned the policy document IAMUserChangePassword. This is a policy that only allows the user to change their own password, and they will keep this restricted policy until they are assigned to a group or assigned a new policy document.
What is programmatic access, and how do you grant it?
Programmatic access means a user can access AWS through the command line; it enables the AWS CLI to access the AWS account.
To grant it, go to the user, press "Create access key" and select "Command Line Interface".
From there you create an access key, and the user receives an access key ID (functionally the same as a username) and a secret access key (functionally the same as a password).
But remember: you can’t use these instead of your regular username and password when you log in to the console.
What are identity providers, and what do they allow you to do?
Identity providers allow you to connect IAM to other services like Active Directory. This lets you reuse the identity and access management of your internal network when other services you use need to access your AWS account.
So if you log in to a Windows environment with SSO (single sign-on) and want to access your AWS console, you need to create a SAML identity provider to do that.
If you need Google or Salesforce to access the AWS console, you need to create an OpenID Connect identity provider.
In AWS you should always set up password rotation and customize it.
This makes AWS less vulnerable to attacks, since passwords will be changed regularly.
You can also create your own password policies to decide how strong a user’s password should be and how often it is rotated.
Which one overrides the other in policies?
Does Deny override Allow, or the other way around?
An explicit Deny will always override an Allow.