Important Info Flashcards
IAM principals must be authenticated to send requests (with few exceptions).
True
How many individual user accounts can be created?
5000
What is the main reason to use groups?
Apply permissions to users using policies.
How does a user gain permissions in a user group?
By the permissions applied to the group via its policy.
What are access keys used for?
Programmatic access
What are usernames & passwords used for?
Console access
What are permissions boundaries attached to?
Users & Roles
What do permission boundaries set?
The maximum permissions that the entity can have
What are Determination Rules for Policies?
- Default: all requests are IMPLICITLY denied (though root user has full access)
- An explicit allow in identity-based or resource-based policy overrides default.
- If a permissions boundary, Organizations SCP, or session policy is present, it might override the allow with an implicit deny.
- Explicit deny in any policy overrides any allows.
What are the AWS IAM best practices?
- Require human users to use federation w/ an identity provider to access AWS using temp credentials.
- Require workloads to use temp credentials w/ IAM roles to access AWS.
- Require multi-factor authentication (MFA).
- Update access keys regularly for use cases that require long-term credentials.
- Safeguard root user credentials & don’t use them for everyday tasks.
- Apply least-privilege permissions.
- Start w/ AWS managed policies & move toward least-privilege permissions.
- Use IAM Access Analyzer to generate least-privilege policies based on access activity.
- Regularly review & remove unused users, roles, permissions, policies, & credentials.
- Use conditions in IAM policies to further restrict access.
- Verify public & cross account access to resources w/ IAM Access Analyzer.
- Use IAM Access Analyzer to validate IAM policies to ensure secure & functional permissions.
- Establish permissions guardrails across multiple accounts.
- Use permissions boundaries to delegate permissions management w/in an account.
Which element of an IAM policy document can be used to specify that a policy should take effect only if the caller is coming from a specific source IP address?
Condition