Lec 5: IAM Flashcards
How does virtualization contribute to the benefits of cloud computing?
A. Virtualization eliminates the need for internet connectivity.
B. Virtualization increases hardware resource costs.
C. Virtualization enables efficient utilization of physical hardware by creating multiple virtual instances on a single server.
D. Virtualization limits the scalability of cloud services.
C. Virtualization enables efficient utilization of physical hardware by creating multiple virtual instances on a single server.
What is Amazon EC2 used for in AWS?
A. Managing DNS records for domains.
B. Storing and managing relational databases.
C. Scaling compute capacity and launching virtual servers in the cloud.
D. Sending and receiving emails.
C. Scaling compute capacity and launching virtual servers in the cloud.
Which of the following is NOT correct about cloud computing?
A. On-demand self service
B. Broad network access
C. Resource pooling
D. Slow elasticity
D. Slow elasticity
Which of the following best describes ARN?
A. a unique ID for AWS S3 buckets
B. a unique ID for AWS EC2 instances
C. a unique ID for AWS IAM users
D. a unique ID for any AWS resources
D. a unique ID for any AWS resources
Which of the following is the main feature of EBS?
A. A cloud-based email service for sending and receiving messages.
B. A service for launching and managing virtual servers in the cloud.
C. A block storage service that provides persistent storage.
D. A service that manages domain names and translates them to IP addresses.
C. A block storage service that provides persistent storage.
Which of the following statements are correct in cloud computing? (Select all that apply)
A. Cloud providers allow users to pay as they go.
B. Data centers are usually distributed globally.
C. Cloud computing is built upon data centers.
D. Cooling may not be needed for data centers.
A. Cloud providers allow users to pay as they go.
B. Data centers are usually distributed globally.
C. Cloud computing is built upon data centers.
Which of the following are the main types of application architecture? (Select all that apply)
A. Monolithic architecture.
B. Client/Server architecture.
C. Three-tier architecture.
D. Cloud-based serverless architecture.
A. Monolithic architecture.
B. Client/Server architecture.
C. Three-tier architecture.
D. Cloud-based serverless architecture.
Which of the following statements are correct? (Select all that apply)
A. Page tables translate virtual memory into physical memory in modern OS.
B. When translating a 32-bit virtual address, two levels of page tables are needed.
C. Ring 0 is the least privileged and Ring 3 is the most privileged.
D. The number of processes is much smaller than the number of physical CPUs.
A. Page tables translate virtual memory into physical memory in modern OS.
B. When translating a 32-bit virtual address, two levels of page tables are needed.
1 import boto3
2 s3_resource = boto3.resource(‘s3’)
3 s3_resource.Object(‘bucket-mst’, ‘A2.txt’).copy_from(CopySource =’bucket-mst/A1.txt’)
4 s3_resource.Object(‘bucket-mst’, ‘A1.txt’).delete()
Read the python code snippet above. Explain Line 3 and Line4 and conclude what essential file operation has been performed.
Line 3 copies the object named ‘A1.txt’ from the ‘bucket-mst’ bucket to a new object named ‘A2.txt’ within the same bucket.
Line 4 deletes ‘A1.txt’ from the ‘bucket-mst’ bucket.
The operation is to rename the object from A1.txt to A2.txt.
Read query and show its table output
aws dynamodb query \
–table-name MusicAlbum \
–key-condition-expression “Artist = :A1 or Artist = :A2” \
–expression-attribute-values ‘{“:A1”:{“S”:”Tom”}, “:A2”:{“S”:”Jerry”}}’
Outputs a table with Artist and Song, with Artist=Tom or Artist=Jerry
Name 3 of the keys in a Policy. Explain their role. An example of a key is “Version” that specifies the version of the policy syntax and is normally “Version”: “2012-10-17”
Statement: represents a permission rule.
Effect: what the effect will be when a user requests the specific action—this can be eitherAlloworDeny.
Action: defines a set of resource operations a user/application is allowed (or denied) to perform.
Resource: specifies AWS resources for which a user is allowed or denied to take actions.
Amazon DynamoDB: Maximum table throughput
By default, maximum table throughput does not apply and on-demand throughput is only limited by the default DynamoDB table quotas
What is cybersecurity?
It is about the protection of digital information from unauthorised access, harm or misuse.
This is done by preserving the CIA triad of the information, i.e., Confidentiality, Integrity and Availability.
What is confidentiality?
Confidentiality: keeps sensitive information private and ensures that only authorized individuals or entities have access to it.
What is integrity?
Integrity: maintains the accuracy, consistency, and reliability of information.
What is availability?
Availability: ensures that information such as services and data are accessible and operational for authorized users.
CIA can be extended to include…
Authentication
Authorization
Non-Repudiation
What is authentication?
Authentication: verifies the identity of a user, system, or entity trying to access a resource or system.
What is authorization?
Authorization: determines what actions or resources an authenticated user or system is allowed to perform or access.
What is non-repudiation?
Non-Repudiation: prevents individuals or entities from denying their involvement in a particular digital transaction.
What is cryptography?
It is the practice and study of techniques for secure communication in the presence of adversaries or potential threats.
It is mainly about the use of mathematical algorithms to transform plain, readable data (i.e., plaintext) into an unintelligible data (i.e., ciphertext) and vise versa
Attacker exploits the insecure channel between Alice and Bob
What is Caesar cipher?
Caesar cipher: an old-fashion substitution cipher where each letter in the plaintext is shifted a certain number of positions down the alphabet.
ROT3 (letter is shifted 3 times to the right/forward)
plaintext : HELLO
ciphertext : KHOOR
H > I > J > K
L > M > N > O
What are examples of modern cryptography methods?
Symmetric key cryptography
Asymmetric key cryptography (public key cryptography)
Hash functions
What is symmetric key cryptography?
Symmetric key cryptography: the same key is used for data transformation.
The transformation involves encryption and decryption:
Encryption: takes plaintext and converts it into ciphertext
Decryption: reverses the encryption process
What are examples of symmetric key cryptography?
DES (insecure), 3DES (insecure), AES (AES-128, AES-192, AES-256)
What are applications of symmetric key cryptography?
data (file, network packets) encryption (AES-256 used by S3)
What is asymmetric key cryptography?
Asymmetric key cryptography: a pair of distinct keys is used for encryption and decryption.
Distinct keys: public key for encryption and private key for decryption
What are examples of asymmetric key cryptography?
ECC, RSA
What are applications of asymmetric key cryptography?
remote authentication (SSH communication)
What is the method of hash functions?
Hash functions: take an input (e.g., a large block of text) and transform it into a fixed-size value (i.e., hash digest/checksum). The hash value serves as a ‘fingerprint’ of the input.
What are examples of hash functions?
MD5 (insecure), SHA-1 (insecure), SHA-2 (e.g., SHA-256)
Hash function: SHA256
What are the components of SHA256?
SHA256SUMS: contains a checksum/hash digest fortheiso image to verify the image’s integrity.
SHA256SUMS.gpg: contains a signature for the SHA256SUMS file to verify the image’s authenticity.
What are the properties of hash functions?
The same message results in the same hash digest
Small changes to a message result in large changes to its hash digest
What is hash collision?
While two different messages are very unlikely to generate the same hash, such a possibility still exists, so-called hash collision (e.g., MD5 and SHA-1)
Why is hash collision possible?
Pigeonhole principle: if𝑛 items are put into 𝑚containers, with 𝑛 > 𝑚, then at least one container must contain more than one item.
Which aspect of the CIA triad do the cryptography techniques below protect?
Symmetric key cryptography
Asymmetric key cryptography
Hash functions
Confidentiality
Integrity
What is IAM?
Identity Access Management
It is a web service that helps us securely control access to AWS resources.
It is used to control who is authenticated (signed in) and authorized (has permissions) to use AWS resources.
What is an IAM root user?
complete access to all AWS services and resources in the account
What are the different types of IAM identity?
IAM user
IAM user group
IAM role
What is an IAM user?
IAM user: an identity within a root user account that has specific permissions for a single person or application:
-Each user has an ARN:
—e.g., arn:aws:iam::489389878001:user/12345678@student.uwa.edu.au
What is an IAM user group?
IAM user group: an identity that specifies a set of IAM users:
-Users within the same group are given the same set of permissions.
-Users can belong to different groups.
-Each group has an ARN, e.g., arn:aws:iam::489389878001:group/admins
What is an IAM role?
IAM role: an identity that has specific permissions, similar to IAM user but not relevant to a specific person/application.
-Any users/applications can assume a role to complete a specific task.
—User case: an IAM role grants permissions to applications running on EC2 instances
-Each role has an ARN, e.g., arn:aws:iam:: 489389878001 :role/apps4ec2
How does IAM work?
Step 1: Authenticate a principal.
Step 2: Authorize a principal.
Step 3: Take actions/operations on AWS resources.
What is a principal?
Principal: a person or application that uses an IAM user, a root user, or an IAM role to sign in and make requests to AWS.Wh
What are the main features of IAM?
Shared access to AWS root user account
-Grant other people permission to use resources in our root user account without having to share our password or access key.
Granular permissions
-Grant varying permissions to different individuals for specific resources.
–e.g., some users have complete access to specified EC2 instances while some have read-only access to specific S3 buckets.
Describe IAM policies and permissions
Access permissions (authorization) are managed by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources.
Note: IAM policies only define permissions for an action regardless of the method that we use to perform the action
–e.g., if a policy allows theGetUseraction, then a user with that policy can get user information with all three methods.
What are the most frequently used policy types?
Identity-based policy
Resource-based policy
Permissions boundary
What is an identity-based policy?
It controls what actions an identity can perform.
Managed policy: standalone identity-based policy that we can attach to multiple users, groups, and roles.
-AWS managed policy: created and managed by AWS
—full-access, power-user, partial-user
-Customer managed policy: created and managed by AWS users.
Inline policy: it maintains a strict one-to-one relationship between a policy and an identity. If the identity is deleted, the policy is deleted as well.
What are the two types of identity-based policy?
Managed policy
Inline policy
What are the two types of identity-based managed policy?
AWS managed policy
Customer managed policy
What is a managed policy?
Managed policy: standalone identity-based policy that we can attach to multiple users, groups, and roles.
What is an AWS managed policy?
AWS managed policy: managed policy created and managed by AWS
What is an customer managed policy?
Customer managed policy: managed policy created and managed by AWS users.
What is an inline policy?
Inline policy: it maintains a strict one-to-one relationship between a policy and an identity. If the identity is deleted, the policy is deleted as well.
What are the types of AWS managed policy?
full-access managed policy
power-user managed policy
partial-usermanaged policy
What is a full-access managed policy?
full-access managed policy: defines permissions for administrators by granting full access to services.
What is a power-user managed policy?
power-user managed policy: provides full access to services and resources, but disallows managing users and groups, i.e., a subset of full-access managed policy.
What is a partial-user managed policy?
partial-usermanaged policy: provides varying access to specific services, i.e., a subset of power-user managed policy.
Structure of AWS managed policy: Policy AdministratorAccess
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: “”,
“Resource”: “”
}
]
}
Version: indicates the language version of the policy language.
Statement: represents a permission rule.
Effect: what the effect will be when a user requests the specific action—this can be either’Allow’or’Deny’.
Action: defines a set of resource operations a user/application is allowed (or denied) to perform.
Resource: specifies AWS resources for which a user is allowed or denied to take actions. ARN is often used.
Structure of AWS managed policy: Policy PowerUserAccess
Organizations: are a service that allows us to consolidate multiple AWS accounts into an organizational structure.
This policy allows all actions on all resources except those related to IAM, Organizations, and Account management. However, it explicitly allows three actions of ListRoles, DescribeOrganization and GetAccountInformation, providing limited access to any resource.
{
“Version”: “2012-10-17”,
“Statement”: [
{ “Effect”: “Allow”,
“NotAction”: [
“iam:”,
“organizations:”,
“account:”
],
“Resource”: “”
},
{ “Effect”: “Allow”,
“Action”: [
“iam:ListRoles”,
“organizations:DescribeOrganization”,
“account:GetAccountInformation”
],
“Resource”: “*”
}
]
}
Structure of AWS managed policy: AWSCloudTrail_ReadOnlyAccess
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: [
“cloudtrail:Get”,
“cloudtrail:Describe”,
“cloudtrail:List”,
],
“Resource”: “”
}
]
}
What is CloudTrail?
CloudTrail is a service that provides visibility into user activity and resource usage.
The DynamoDB-books-app policy is used by both roles. Is it shared?
No, each role has its own copy of the policy so it is not shared.
What is a resource-based policy?
It specifies which principal has access to the resource and what actions they can perform on it, e.g., bucket policy.
Note: it is an inline policy.
What is a permissions boundary?
It sets the maximum permissions that an identity-based policy can grant.
e.g., The permissions boundary is attached to an IAM user named Alice.
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: [
“s3:”,
“ec2:”
],
“Resource”: “*”
}
]
}
Both policies are attached to Alice:
identity-based policy:
{
“Version”: “2012-10-17”,
“Statement”: {
“Effect”: “Allow”,
“Action”: “iam:CreateUser”,
“Resource”: “*”
}
}
permissions boundary:
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: [
“s3:”,
“ec2:”
],
“Resource”: “*”
}
]
}
Can Alice create a user?
Can Alice create S3 buckets and EC2 instances?
Both answers are NO.
Effective permissions are in the intersection of Identity-based policies and permissions boundaries.
An organisation has 5 departments and has separated out each of the IAM users into separate groups using paths following the pattern companybucket/department1/, companybucket /department2/, companybucket /department3/* etc.
Their IAM account names follow the pattern user@department1.company.com, user@department2.company.com etc.
You are tasked with securing a bucket that contains a folder for each of 5 departments in an organisation. Only people within a department can write to their own folder. Everyone can read from all folders.
Discuss the principles that you would use to create a policy that would achieve this objective.
Write the policy as a JSON file that you would use.
Note: you can have individual statements for each department.
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: “s3:GetObject”,
“Resource”: “arn:aws:s3:::companybucket/”
},
{
“Effect”: “Allow”,
“Action”: “s3:PutObject”,
“Resource”: “arn:aws:s3:::companybucket/department1/”,
“Condition”: {
“StringLike”: {
“aws:userid”: “@department1.company.com”
}
}
},
{
“Effect”: “Allow”,
“Action”: “s3:PutObject”,
“Resource”: “arn:aws:s3:::companybucket/department2/”,
“Condition”: {
“StringLike”: {
“aws:userid”: “@department2.company.com”
}
}
},
{
“Effect”: “Allow”,
“Action”: “s3:PutObject”,
“Resource”: “arn:aws:s3:::companybucket/department3/”,
“Condition”: {
“StringLike”: {
“aws:userid”: “@department3.company.com”
}
}
},
{
“Effect”: “Allow”,
“Action”: “s3:PutObject”,
“Resource”: “arn:aws:s3:::companybucket/department4/”,
“Condition”: {
“StringLike”: {
“aws:userid”: “@department4.company.com”
}
}
},
{
“Effect”: “Allow”,
“Action”: “s3:PutObject”,
“Resource”: “arn:aws:s3:::companybucket/department5/”,
“Condition”: {
“StringLike”: {
“aws:userid”: “*@department5.company.com”
}
}
}
]
}
