Udemy Lecture 2 Flashcards
What is IAM? Is it a global or regional service?
Stands for Identity & Access Management (it's a global service, not regional)
In _____ you create your users & assign them to groups
IAM
_________ is created by default (after that, don't use it or share it)
Root account
_______ are people within your organization & can be grouped (1 user represents 1 person); you can create groups out of those users (think of it like a teacher grouping you with your classmates for an assignment)
users
Groups only contain _____ not other groups
users
Some users don’t have to belong to a group & other users can belong to ________ groups
multiple
Users or groups can be assigned JSON documents called ________
IAM policies
The _______ define the permission of the user
policies
In AWS you apply the least ___________, which means you don't give a user more permissions than it needs
privilege principle
The user gains the permission of the _______ its in
group
You create users because your AWS account initially has only the ________, so you create users (e.g. an admin user) to allow you to use your account more safely
root user
You attach a policy at the __________ so that every user in the group gets the same policy
group level
If a user isn't in a group, then you create an __________
inline policy
What is the structure of IAM Policy?
- Version (policy language version, which is almost always "2012-10-17")
- ID (an identifier for the policy; optional)
- Statements (one or more individual statements; required)
What do statements consist of?
- SID (an identifier for the statement; optional)
- Effect (whether the statement allows or denies access: Allow if it allows, Deny if it denies)
- Principal (account/user/role to which the policy will be applied)
- Action (list of actions this policy allows or denies)
- Resources (list of resources to which the actions apply)
- Condition (conditions for when this policy is in effect; optional)
In the _______ form, a star (*) means anything (allowed to do anything, or everything: if it's in the Action it means any action, and if it's in the Resource it means any resource, which is another way of giving administrator access to anyone)
JSON
If there is a word in front of the star, it means you get access to ___________
whatever starts with that word (ex. Get* gives access to anything that starts with "Get")
Strong passwords = ______________ (you can set one up in AWS)
higher security for your account
Can allow IAM users to change their own passwords, or __________ after some time (password expiration) & can prevent password reuse so they can't use the same password twice
require user to change their passwords
Users have access to your account & can do things you may not want them to do, so you want to protect your root account & IAM users with ______
MFA
_______ is just a password you know + a security device you own
MFA
So even if an ______ is forgotten, you would still need the owner's physical device
MFA
What are the different types of MFA you can use?
- You can use a virtual MFA device (e.g. Google Authenticator)
- You can also use a Universal 2nd Factor (U2F) security key (ex. YubiKey), which supports multiple root and IAM users using a single security key
- You can also use a hardware key fob MFA device (ex. One by Gemalto)
- If you're involved with the government, you could have a hardware key fob MFA device for AWS GovCloud (One by Gemalto)
What are the 3 different ways to access AWS?
- AWS Management Console (protected by password + MFA)
- AWS Command Line Interface (CLI) (protected by access keys)
- AWS Software Development Kit (SDK) (for code; protected by access keys)
___________ are generated through the AWS console & users manage their own _____________
Access keys
Access keys are _______, just like a password (so don't share them). The Access Key ID is like your username & the Secret Access Key is like your password
secret
What is AWS Command Line Interface (CLI)?
A tool that enables you to interact with AWS services using commands in your command-line shell
- Direct access to the public APIs of AWS services
- You can develop scripts to manage your resources
What is AWS SDK?
A software development kit
- Language-specific APIs
- Enables you to access and manage AWS services programmatically
- Embedded within your application
CloudShell is a _________ resource
regional (so it's only available in some regions)
Some AWS services need to perform actions on your behalf, so you need to assign permissions to those AWS services with ________
IAM roles
__________ are just like users, but instead of being physical people they are AWS services (ex. an EC2 instance)
IAM roles
Common roles are: EC2 instance roles, Lambda function roles, roles for CloudFormation
What are IAM credentials reports (account-level)?
A report that lists all your account's users and the status of their various credentials
What is IAM access advisor (user level)?
Access Advisor shows the service permissions granted to a user and when those services were last accessed
- You can use this information to revise your policies
When it comes to the IAM model, what is AWS responsible for?
- Their infrastructure (global network security)
- Configurations and vulnerability analysis
- Compliance validation that they are responsible for
Regarding IAM, what are you responsible for?
- Users, groups, roles & policies, as well as managing & monitoring them
- Responsible for enabling MFA on all accounts
- Rotate all your keys often
- Use IAM tools to apply appropriate permissions
- Analyze access patterns & review permissions
- AWS is responsible for all of its infrastructure & you're responsible for how you use it