Section 2: IAM Flashcards
SAA-C03
30% Domain 1: Design Secure Architectures
26% Domain 2: Design Resilient Architectures
24% Domain 3: Design High-Performing Architectures
20% Domain 4: Design Cost-Optimized Architectures
VPC Interface Endpoint vs VPC Gateway Endpoint
https://digitalcloud.training/vpc-interface-endpoint-vs-gateway-endpoint-in-aws/
Principal
A person or application that can make a request for an action or operation on an AWS resource
AWS Global Accelerator
a service that improves the availability and performance of applications with local or global users. It provides static IP addresses that act as a fixed entry point to application endpoints in a single or multiple AWS Regions, such as Application Load Balancers, Network Load Balancers or EC2 instances.
https://digitalcloud.training/amazon-route-53/
Policy
Define the PERMISSIONS for the IDENTITIES or RESOURCES they are associated with.
Role
Used for DELEGATION and are ASSUMED.
Do you need to select a region with IAM?
No. IAM is a global service; users, groups, roles and policies are not region-scoped.
Trust Policy
Controls who can assume the role.
AWS Security Token Service (STS)
Enables temporary, limited-privilege credentials to be used with identity federation / federated users, delegation, cross-account access, and IAM users / roles.
Alternative wording (Lesson 25 quiz): enables temporary, limited-privilege credentials for IAM users and federated users.
AWS Security Token Service (STS) credentials include:
- AccessKeyId
- SecretAccessKey
- Expiration
- SessionToken
* Can be placed in the AWS credentials file as a named profile (the SessionToken must be included alongside the key pair), but they stop working at the Expiration time.
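As an added example (not from the course or the flashcards), the snippet below takes a response shaped like the STS Credentials object, renders the four fields as a named profile for the AWS credentials file, and checks how much lifetime remains. The key, secret and token values are constructed placeholders, not real credentials, and the profile name and five-minute safety margin are assumptions.

```python
"""Added example: STS temporary credentials -> named profile, plus an expiry check.
All credential values below are constructed placeholders, not real keys."""
from datetime import datetime, timedelta, timezone

# Constructed, shaped like the "Credentials" object returned by
# aws sts assume-role / get-session-token.
STS_CREDENTIALS = {
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",            # placeholder, not a real key
    "SecretAccessKey": "examplesecret-not-a-real-key",  # placeholder
    "SessionToken": "exampletoken-not-a-real-token",    # placeholder
    "Expiration": "2025-01-01T13:00:00+00:00",
}


def parse_timestamp(value):
    """Expiration is an ISO-8601 UTC timestamp; accept either +00:00 or a trailing Z."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def profile_from_sts(creds, name):
    """Render a [profile] section for ~/.aws/credentials.
    Temporary keys are only accepted together with aws_session_token;
    without it the request is rejected as an invalid security token."""
    return "\n".join([
        f"[{name}]",
        f"aws_access_key_id = {creds['AccessKeyId']}",
        f"aws_secret_access_key = {creds['SecretAccessKey']}",
        f"aws_session_token = {creds['SessionToken']}",
        f"# expires {creds['Expiration']}",
        "",
    ])


def seconds_remaining(creds, now):
    """Seconds until Expiration, relative to `now` (datetime or ISO string)."""
    return (parse_timestamp(creds["Expiration"]) - parse_timestamp(now)).total_seconds()


def is_usable(creds, now, margin=timedelta(minutes=5)):
    """Treat credentials that expire within `margin` as unusable, so a long
    request does not fail part-way through (the margin is an assumption)."""
    return seconds_remaining(creds, now) > margin.total_seconds()


if __name__ == "__main__":
    print(profile_from_sts(STS_CREDENTIALS, "assumed-role"))
    print("usable now:", is_usable(STS_CREDENTIALS, datetime.now(timezone.utc)))
```

The rendered section can be appended to the credentials file and selected with `--profile assumed-role`; because the credentials are temporary, anything that caches them should re-check `is_usable` rather than assume they still work.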
Federated User
A user whose identity is managed outside IAM (for example in a corporate directory or a web identity provider) and who receives temporary AWS credentials through STS.
Temporary credentials are used with:
Identity Federation
Delegation
Cross-Account Access
IAM Roles
Identity-Based IAM Policies
JSON permissions policy documents that control what actions an identity can perform, on which resources, and under what conditions.
Inline Policy
Embedded directly in a single User, Group or Role (1:1 relationship); it is deleted with that entity.
Lesson 18
Managed Policy
Standalone policy, either AWS managed (cannot be modified) or customer managed; one managed policy can be attached to multiple entities (Users, Groups, Roles).
Lesson 18
Resource Policy
Attached to a resource; define permissions for a Principal accessing the resource.
JSON permissions policy documents that you attach to a resource such as an Amazon S3 bucket.
Example Principal: arn:aws:iam::[accountId]:user/Eric
Grants the specified Principal (Eric) permission to perform specific actions on the resource.
Lesson 18, 20(review)
IAM Role (construction hat)
Have a Trust Policy and a Permission Policy.
Lesson 18
Trust Policy
Is an example of a Resource Policy.
Lesson 18
Permissions Policy
Is an Identity Policy.
Lesson 18
IAM Permissions Boundary
Sets the maximum permissions an Identity Policy can grant an IAM entity (User or Role). A boundary does not grant permissions by itself; the entity still needs an allow in its identity policy.
Lesson 19, 20
Steps for Authorizing Request to AWS
- AWS IAM authenticates the Principal that makes the request.
- AWS gathers the request context (Actions, Resources, Principal, Environment data, Resource data).
- The applicable Identity and Resource Policies (plus any SCP, permissions boundary or session policy) are evaluated against that context.
- The Action is then allowed or denied.
Lesson 20
Identity Policy
Attached to Users, Groups or Roles.
Lesson 20
AWS Organizations Service Control Policies (SCP)
Specifies the maximum permissions for the accounts in an Organization or OU. An SCP never grants permissions by itself; it only limits what identity policies in the member accounts can grant.
Lesson 20
AWS Organizations
A way to centrally manage multiple AWS accounts and apply policies (SCPs) to those accounts, which determine the maximum available permissions.
Lesson 20
Session Policies
Passed programmatically with the AssumeRole* and GetFederationToken APIs to further limit the permissions of the resulting temporary session.
Lesson 20
Determination Rules
- By default, all requests are implicitly denied (though the root user has full access).
- An explicit allow in an identity-based or resource-based policy overrides this default.
- If a permissions boundary, Organization's SCP, or session policy is present, it might override the allow with an implicit deny.
- An explicit deny in any policy overrides any allows.
Lesson 20 (Evaluation Logic slide)
Evaluation Logic (flowchart order; the answer in parentheses is the branch that continues to the next step, any other answer ends evaluation)
- Explicit deny in any applicable policy? (No)
- Organizational SCP present? It must allow. (Yes)
- Resource Policy allows? (No; a same-account resource policy allow is a final Allow)
- IAM Permissions Boundary present? It must allow. (Yes)
- Session Policy present? It must allow. (Yes)
- Identity Policy allows? (Yes, final Allow; otherwise implicit deny)
Lesson 20 (slide)
IAM Policy Structure
JSON document: a Version plus one or more Statements, each with:
Sid - optional statement identifier
Effect - Allow/Deny
Action - AWS API operation(s), e.g. s3:GetObject; wildcards allowed
Resource - ARN(s) the statement applies to
Principal - who the statement applies to (resource-based policies only)
Condition - controls when the statement is in effect: {"ConditionOperator": {"conditionKey": "value"}}
Lesson 21
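To make the Determination Rules, the Evaluation Logic order and the policy structure above concrete, here is an added example that is not from the course or the flashcards: a toy evaluator that applies explicit deny first, then SCP, resource policy, permissions boundary, session policy and identity policy, and a few constructed policies run through it (including a bucket policy that names the user Eric as Principal, as in the Resource Policy card). The account ID 123456789012, the bucket name, the user names and all policy contents are constructed for the example; the evaluator assumes a single account, IAM-style `*`/`?` wildcards, and only the StringEquals and Bool condition operators.

```python
"""Added example: toy IAM evaluator following the SAA-C03 evaluation flow.
Assumptions: single account, Action/Resource/Principal/Condition only,
StringEquals and Bool operators only. All policies below are constructed."""
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match_any(patterns, value):
    # Actions and ARNs are compared case-insensitively; '*' and '?' are the wildcards.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _conditions_hold(cond, ctx):
    # Every operator/key pair must match; a key missing from the context fails.
    for op, pairs in (cond or {}).items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual, allowed = str(ctx[key]), [str(e) for e in _as_list(expected)]
            if op == "Bool":  # Bool compares true/false case-insensitively
                actual, allowed = actual.lower(), [a.lower() for a in allowed]
            elif op != "StringEquals":
                raise ValueError(f"unsupported condition operator {op}")
            if actual not in allowed:
                return False
    return True


def _applies(stmt, req):
    if not _match_any(stmt.get("Action", []), req["action"]):
        return False
    if not _match_any(stmt.get("Resource", "*"), req["resource"]):
        return False
    principal = stmt.get("Principal", "*")  # only resource-based policies carry one
    if principal != "*" and not _match_any(principal.get("AWS", []), req["principal"]):
        return False
    return _conditions_hold(stmt.get("Condition"), req.get("context", {}))


def _effects(policies, req):
    return {s["Effect"] for p in _as_list(policies)
            for s in p.get("Statement", []) if _applies(s, req)}


def evaluate(req, identity, resource=None, scp=None, boundary=None, session=None):
    """Return (decision, reason) following the flowchart order from the slides."""
    layers = {"identity": identity, "resource": resource, "scp": scp,
              "boundary": boundary, "session": session}
    # 1. An explicit deny in any applicable policy ends evaluation.
    for name, pol in layers.items():
        if pol is not None and "Deny" in _effects(pol, req):
            return "Deny", f"explicit deny in {name} policy"
    # 2. If an SCP applies, it must allow the action (it never grants on its own).
    if scp is not None and "Allow" not in _effects(scp, req):
        return "Deny", "implicit deny: no SCP allow"
    # 3. A same-account resource-policy allow is sufficient by itself.
    if resource is not None and "Allow" in _effects(resource, req):
        return "Allow", "resource policy allow"
    # 4-5. Boundary and session policy cap what the identity policy can grant.
    for name, pol in (("boundary", boundary), ("session", session)):
        if pol is not None and "Allow" not in _effects(pol, req):
            return "Deny", f"implicit deny: no {name} allow"
    # 6. Finally the identity-based policies must contain a matching allow.
    if "Allow" in _effects(identity, req):
        return "Allow", "identity policy allow"
    return "Deny", "implicit deny: no matching allow"


# ---- constructed sample policies (not real accounts or buckets) ----
ACCOUNT = "123456789012"
ERIC = f"arn:aws:iam::{ACCOUNT}:user/Eric"
OBJECTS = "arn:aws:s3:::example-bucket/*"

IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": OBJECTS},
    # Policy condition for extra security: deny any S3 call made over plain HTTP.
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
PERMISSIONS_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-west-2"}}}]}
BUCKET_POLICY = {"Statement": [  # resource policy naming Eric as the Principal
    {"Effect": "Allow", "Principal": {"AWS": ERIC}, "Action": "s3:GetObject",
     "Resource": OBJECTS}]}


def request(action, principal=ERIC, secure=True, region="us-east-1"):
    return {"action": action, "resource": "arn:aws:s3:::example-bucket/report.csv",
            "principal": principal,
            "context": {"aws:SecureTransport": secure, "aws:RequestedRegion": region}}


if __name__ == "__main__":
    for req in (request("s3:GetObject"), request("s3:PutObject"),
                request("s3:GetObject", secure=False),
                request("s3:GetObject", region="us-west-2")):
        print(req["action"], evaluate(req, IDENTITY_POLICY, scp=SCP, boundary=PERMISSIONS_BOUNDARY))
    print("bucket policy only:", evaluate(request("s3:GetObject"), [], resource=BUCKET_POLICY))
```

The four runs show each rule in turn: GetObject is allowed by the identity policy within the boundary; PutObject is allowed by the identity policy but implicitly denied because the boundary never allows it; the HTTP request hits the explicit deny condition in the identity policy; the us-west-2 request hits the explicit deny in the SCP even though the identity policy allows it. The last call shows that a bucket policy naming Eric as Principal allows him with no identity policy at all, while any other principal falls through to the implicit deny.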
IAM Best Practices
- Lock away your AWS account root user access keys.
- Create individual IAM users.
- Use Groups to assign permissions to IAM Users.
- Grant least privilege.
- Get started using permissions with AWS Managed Policies.
- Use customer managed policies instead of inline policies (assigning a policy directly to a user).
- Use access levels to review IAM permissions.
- Configure a strong password policy for your users.
- Enable MFA.
- Use Roles for applications that run on EC2 instances.
- Use Roles to delegate permissions.
- Do not share access keys.
- Rotate credentials regularly.
- Remove unnecessary credentials.
- Use policy conditions for extra security.
- Monitor activity in your AWS account.
Lesson 23
Group
- Collection of users; policies are attached to the group and apply to its members.
- a group is not an identity and cannot be identified as a Principal in an IAM policy.
- use Groups to assign permissions to Users.
- use the principle of least privilege when assigning permissions.
- Groups cannot be nested (Groups within Groups).
Lesson 24
IAM Cheat Sheet
Root account best practices
- remove access keys
- set a complex password
- enable MFA
- use IAM users for most operations.
Lesson Quiz