Identity Access Management & S3

Question 1

What is a principal in IAM ?

Answer 1

A principal can be a user, role, federated user, aws account or a service within or external to the organisation but not a group

Question 2

What is the relationship between principals and resources ?

Answer 2

Principals perform actions on resources

Question 3

Is IAM a global or a regional service ?

Answer 3

Global - designed to be a one stop shop for all IAM related activity so to stop a proliferation of differing regional IAM solutions

Question 4

What is an IAM User?

Answer 4

These are your day to day users

Question 5

What is a root user ?

Answer 5

Privileged User

Question 6

What are IAM groups ?

Answer 6

A collection of users with common permissions

Question 7

What are roles ?

Answer 7

The ability to give temp access credentials to either a service or a user

Question 8

What is a principal-based policy in IAM ?

Answer 8

Access is limited to a group of principals and attached to the principals

Question 9

What is a resource based policy ?

Answer 9

Attached to the resource and restricts access to the listed principals ?

Question 10

What is the difference between a resource based policy and an principal based policy ?

Answer 10

Question 11

What is the principal of least privilege ?

Answer 11

It is the minimum amount of access a principal (subject) needs to access a resource (object) to do their job

Question 12

Why do microservices offer a better security model over monolithic applications ?

Answer 12

Microservices are modular and can have specific credentials to access modular parts of the whole solution. If compromised the attacker would have a smaller attack plane than with a monolithic application

Question 13

In IAM policies what does PARC-E represent ?

Answer 13

P - principal the who or what is allowed access
A - action what the statement applies to
R - Resources that the statement is applicable for
C - Conditions
E - Effect whether the statement is to allow or deny

Question 14

What is a principal based policy in IAM ?

Answer 14

Principal based policies are applied to a user, group or role. The resource being accessed can be within the same account or a different account

Question 15

What in IAM is the default deny rule ?

Answer 15

By default the principal is denied access unless it is explicitly given

Question 16

What is a resource based policy ?

Answer 16

It is attached to a resource and list the principals that have access or not to the resource.

Question 17

I want to specify a group as a principal in a trust policy on a role is this possible ?

Answer 17

No a group is not an IAM principal

Question 18

A user who had previously access to you root credentials for your account has left what should you do to protect the root account. (Clue there are five items) ?

Answer 18

1. Logon as root.
2. Change Passwords.
3. Delete and re-install MFA.
4. Delete any programmatic access - Root should not have programmatic access.
5. Review any IAM accounts that user has access to.

Question 19

What are the three types of policies in IAM ?

Answer 19

1. Customer Managed
2. AWS Managed
3. Inline

Question 20

Can AWS Managed policies change ?

Answer 20

Yes but these changes are carefully controlled.

Question 21

Why might you use a customer managed policy ?

Answer 21

You may not want to risk AWS changing a AWS managed policy and having that affect your accounts

Question 22

What is the use case for an IAM inline policy ?

Answer 22

You may want a very specific policy attached to a particular user and you dont want to run the risk of having a policy that can be attached to many users.

Question 23

Why would you use a S3 Bucket policy ?

Answer 23

Ease of administration

Bucket Policies can be a bigger size (20kb) than IAM (10Kb)

Way of giving cross account access without using roles

Question 24

In a bucket policy in the reources section I paste my bucket arn but still get an error why ?

Answer 24

You need the arn followed by a path such as /*

Question 25

What are the main differences IAM policies, S3 bucket policies and S3 Acls

Answer 25

Scope - IAM affects the whole platform, bucket policies the bucket and acl the objects within the bucket

Question 26

What happens if a user has access to everything in S3 but there is a specific deny on a S3 bucket

Answer 26

Deny wins for that bucket

Question 27

What should you use if you want to apply permissions on individual items within an S3 bucket?

Answer 27

ACLS

Question 28

Besides fine grained access to infividual files what is another use case for ACLs ?

Answer 28

If the bucket policy is close to hitting its maximum of 20kb

Question 29

With ACLs can I let other accounts have access to individual S3 objects ?

Answer 29

Yes

Question 30

Can I assign acls to individual users via the console ?

Answer 30

No you need to use the canonical user id with aws-cli or sdk

Question 31

When a principal issues a command to s3 how are security policies evaluated ?

Answer 31

As a union of ACL, IAM and Bucket policies an explicit deny overrides an allow

Question 32

If you dont specify an allow on an s3 bucket was is the default access ?

Answer 32

Deny

Question 33

Under what circumstances will an allow to an S3 bucket be allowed ?

Answer 33

If there are no explicit denies and there is at least one explicit allow

Question 34

What is the principal of least privilege ?

Answer 34

It is achieved by following the rules

1. Give the right access
2. Only to the right individuals
3. To perform the right action
4. Only when the time is right

Question 35

Why do microservices lend themselves to the Principal of Least Privelege better than monoliths ?

Answer 35

A microservice does one thing well and we can give it access to do just that one thing rather than everything

Question 36

What is the default rule for IAM ?

Answer 36

Default Deny - So when a user is added account they will have no access to resources

Question 37

How does the zone of trust work with single account access in IAM ?

Answer 37

If a principal within the same account as the resource it wants access to then IAM policies on their own are enough to grant access

Question 38

How does the zone of trust work with cross account access ?

Answer 38

In a cross account access you need both an IAM policy in the asking account and a resource based policy in the account that has the resource

Question 39

What is the general format of IAM Conditions

Answer 39

“Condition” : { “{condition-operator}” : { “{condition-key}” : “{condition-value}” }}

Question 40

What are the six string operator conditions in IAM

Answer 40

1. Stringlike
2. StringNotLike
3. StringEquals
4. StringNotEquals
5. StringEqualsIgnoreCase
6. StringNotEqualsIgnoreCase

Question 41

What are condition keys ?

Answer 41

conditions fire on operators which test that a condition key has or does not have a certain value. Each service has thier own condition keys

https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-policy-keys

Question 42

What are the three sources of users that come to STS

Answer 42

Cross Account, Federation or Web Federation

Question 43

In Federated environments do users have to exist in AWS ?

Answer 43

No just Active Directory

Question 44

What does an Identity Broker authenticate against first STS or Identity Store

Answer 44

Identity Store

Question 45

What are the four items returned by STS ?

Answer 45

Secret Access Key, Access Key, Duration (1 - 36 hours) and Token

Question 46

Does cognito support the idea of guest users ?

Answer 46

Yes

Question 47

How does Cognito work ?

Answer 47

A user logs into the user pool either directly or with a web provider such as Facebook and recieves as JWT token that they can exchange for an identity from the identity pool which gives them access to AWS Resources.

Question 48

What is a Glacier vault ?

Answer 48

A collection of archives which are tar files containing one or more files

Question 49

What are the common use cases for a vault lock policy ?

Answer 49

A write once read many policy or creation of date retention rules to enforce compliance

Question 50

What is the process for using a vault lock policy ?

Answer 50

Write Policy

Attach Policy to Vault

Verify its working (24 hours to change)

Once validated policy is immutable and cant be changed

Question 51

Can SCPs be used to grant access ?

Answer 51

No

Question 52

Can SCPs be used to create permissions boundaries ?

Answer 52

Yes by overrriding local settings we can use them to enforce compliance

Question 53

What does the IAM Credential Report show ?

Answer 53

CSV Report that lists all the users in your account

Shows MFA enabled, Access Key Rotation and Password Used and rotation.

Question 54

What two permissions do you need to interact with an IAM Credential Report ?

Answer 54

GetCredentialReport, GenerateCredentialReport