Introduction to IAM Flashcards

1
Q

Principle of the Shared Responsibility Model

A
  • AWS secures the hardware, software, facilities, and networks that run all of its products and services
  • Customers are responsible for securely configuring the services they sign up for and anything they put on those services
2
Q

The items managed in IAM

A
  • Users
  • Groups
  • Policies
  • Roles
3
Q

3 pieces of advice for creating policies

A
  • Follow the standard security advice of granting least privilege
  • Determine what users need to do, then craft policies for them
  • Create policies for individual resources that identify precisely who is allowed to access the resource, and allow only the minimal permissions for those users
4
Q

What is the default access of an IAM user?

A

Nothing

5
Q

IAM permission types

A
  • Identity-based permissions are attached to the IAM user and indicate what the user is permitted to do.
  • Resource-based permissions are attached to a resource and indicate what a specified user (or group of users) is permitted to do with it.
6
Q

IAM policy types

A
  • Managed policies are standalone policies that you can attach to multiple users, groups, and roles
    • AWS Managed
    • Customer managed
  • Inline Policies are embedded in a principal entity such as a user, group, or role.
7
Q

The different parts of an ARN (and what is an ARN)

A

Amazon Resource Name
- starts with arn:aws
- Identifier for product or service
- AWS region that the resources reside in
- Account number (without hyphens)
- Resource identifier

arn:aws:service:region:account:resourceId

Only one wildcard allowed
For S3, region and account can be empty (because S3 bucket names are globally unique)

8
Q

Rules for evaluating IAM policies

A
  • By default, all requests are denied.
  • An explicit allow overrides this default.
  • An explicit deny overrides any allows.
  • When one policy allows an action and another policy denies an action, the policy that denies the action is applied.
  • Any actions that you didn’t explicitly allow are denied
  • Any actions that you explicitly deny are always denied
9
Q

How do you authenticate API requests?

A

Credentials are used to authenticate API requests.
They contain:
- access key ID
- secret access key

10
Q

What are SSL sessions used for?

A

Secure Sockets Layer (SSL) sessions are used to authenticate API requests in the same way as access keys do. However, SSL sessions are intended for temporary use and must be paired with a session token.

11
Q

What are IAM user credentials used for? What do they contain?

A

IAM user credentials are used to provide sign-in access to the AWS Management Console.
They contain username and password.

12
Q

How do you set up the AWS credentials?

A
  1. Create a credentials profile in these locations based on the operating system:
    • For Linux, macOS, or Unix: ~/.aws/credentials
    • For Windows: C:\Users\USERNAME\.aws\credentials
  2. Add the aws_access_key_id and aws_secret_access_key that you received when you set up your account and downloaded your AWS credentials
13
Q

What is the security requirement for requests to AWS services?

A

Requests to AWS services must be signed. Requests are signed by using the access key ID and secret access key of an AWS account or of an IAM user.
