AWS IAM Flashcards
What is AWS Identity and Access Management (IAM)?
IAM is the AWS service used to manage identities (users, groups, and roles) and to control which identities may perform which actions on which AWS resources, through authentication and policy-based authorization.
What are the key components of IAM?
Users, groups, roles, and policies are the key components used to manage access in IAM.
What is the purpose of IAM groups?
Groups are used to apply permissions efficiently by defining access policies for a collection of users with similar responsibilities.
What is an IAM policy?
An IAM policy is a JSON document that defines permissions independently of any particular user or group. Each statement specifies an Effect (Allow or Deny), the Actions it covers, and the Resources it applies to, optionally narrowed by Conditions.
What is the principle of least privilege in IAM?
The principle of least privilege means granting only the minimum permissions necessary for users, groups, and roles to perform their tasks, enhancing security by limiting access.
What is the difference between identity-based policies and resource-based policies in IAM?
Identity-based policies are attached to users, groups, or roles and specify what those identities may do. Resource-based policies are attached to resources such as S3 buckets; they must name the Principal they apply to and control who can access the resource and which actions they can perform.
What is an IAM role?
An IAM role is an identity in AWS with specific permissions that can be assumed by the principals (users, applications, or AWS services) allowed by the role's trust policy. It has no long-term credentials such as a password or access keys; assuming the role returns temporary security credentials.
What is multi-factor authentication (MFA) in IAM?
MFA adds an additional layer of security by requiring users to provide an additional piece of information (such as an MFA code from a device) along with their username and password for access.
How does IAM handle authorization?
IAM users, groups, and roles have no permissions by default (implicit deny). Permissions must be explicitly granted through policies, and the principle of least privilege means granting only what each identity needs.
How does IAM determine permission when a user requests access?
Every request starts as an implicit deny. IAM evaluates all applicable policies (identity-based, resource-based, and any organization SCPs, permissions boundaries, or session policies): if any statement explicitly denies the action, the request is denied; otherwise the request is allowed only if some applicable policy explicitly allows it; if there is neither, the implicit deny stands.
What is programmatic access in AWS IAM?
Programmatic access allows users to call AWS services through the CLI, SDKs, or APIs by signing requests with an access key ID and secret access key (or with temporary credentials, which also include a session token).
What is AWS Management Console access in IAM?
AWS Management Console access allows users to interact with AWS services through the web-based management console, requiring the account ID or alias, a username, and a password (plus an MFA code if MFA is enabled).
What is multi-factor authentication (MFA), and why is it recommended?
MFA adds an extra layer of security by requiring users to provide a second form of verification, such as a code from a mobile app or a hardware token. It’s recommended to enhance security and protect against unauthorized access.
How does IAM handle permissions in case of conflicting policies?
In IAM, if an explicit allow statement and an explicit deny statement both apply to the same request, the deny takes precedence. This holds across policy types: for example, a deny in an S3 bucket policy overrides an allow in the requesting user's identity-based policy.
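The evaluation rules on the policy, evaluation-logic, role, and conflicting-policies cards above can be seen working together in the following added example, which is not part of the original flashcards and is not AWS code. It is a deliberately simplified model of the IAM evaluator: identity-based and resource-based policies (including a role trust policy) are checked together, an explicit Deny wins over any Allow, and a request with no matching Allow ends in an implicit deny. Only the Bool condition operator is implemented, NotAction/NotResource are not supported, and all ARNs, policies, and context keys are constructed for the example.

```python
import fnmatch


def _as_list(value):
    """IAM allows most elements to be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(statement, principal_arn):
    """Identity-based policies carry no Principal: the caller passes only the
    policies attached to the requesting identity, so they always apply.
    Resource-based policies (bucket policies, role trust policies) must name
    the principal explicitly or use '*'."""
    if "Principal" not in statement:
        return True
    principal = statement["Principal"]
    if principal == "*":
        return True
    aws_entries = principal.get("AWS", []) if isinstance(principal, dict) else []
    return any(entry in ("*", principal_arn) for entry in _as_list(aws_entries))


def _conditions_hold(statement, context):
    """Simplified Condition support: only the Bool operator (e.g.
    aws:MultiFactorAuthPresent). A missing context key makes the condition false."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, principal_arn, action, resource, context=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.
    'policies' is every policy that applies: the identity's own policies plus
    the resource-based policy of the target resource, if any."""
    context = context or {}
    allowed = False
    for policy in policies:
        for statement in _as_list(policy.get("Statement")):
            if not _principal_matches(statement, principal_arn):
                continue
            if not _matches(statement.get("Action"), action):
                continue
            # Trust policies have no Resource element; treat that as '*'.
            if not _matches(statement.get("Resource", "*"), resource):
                continue
            if not _conditions_hold(statement, context):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit deny always wins
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample identities and policies (hypothetical account 123456789012).
DEV_USER = "arn:aws:iam::123456789012:user/dev"
OTHER_USER = "arn:aws:iam::123456789012:user/contractor"
BUCKET = "arn:aws:s3:::team-reports"
ROLE_ARN = "arn:aws:iam::123456789012:role/report-writer"

identity_policy = {  # least-privilege: read access, delete only with MFA
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET, BUCKET + "/*"]},
        {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": BUCKET + "/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

bucket_policy = {  # resource-based: deny every principal over plaintext HTTP
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET, BUCKET + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

role_trust_policy = {  # resource-based policy on the role: who may assume it
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": DEV_USER}, "Action": "sts:AssumeRole"}
    ],
}


def evaluate_samples():
    """Run constructed requests through the evaluator; returns {case: decision}."""
    policies = [identity_policy, bucket_policy]
    obj = BUCKET + "/q1.csv"
    tls = {"aws:SecureTransport": "true"}
    return {
        "get_over_tls": evaluate(policies, DEV_USER, "s3:GetObject", obj, tls),
        "delete_no_mfa": evaluate(policies, DEV_USER, "s3:DeleteObject", obj, tls),
        "delete_with_mfa": evaluate(policies, DEV_USER, "s3:DeleteObject", obj,
                                    {**tls, "aws:MultiFactorAuthPresent": "true"}),
        "get_plaintext": evaluate(policies, DEV_USER, "s3:GetObject", obj,
                                  {"aws:SecureTransport": "false"}),
        "put_object": evaluate(policies, DEV_USER, "s3:PutObject", obj, tls),
        "assume_role_dev": evaluate([role_trust_policy], DEV_USER, "sts:AssumeRole", ROLE_ARN),
        "assume_role_other": evaluate([role_trust_policy], OTHER_USER, "sts:AssumeRole", ROLE_ARN),
    }


if __name__ == "__main__":
    for case, decision in evaluate_samples().items():
        print(f"{case:20} {decision}")
```

The "get_plaintext" case is the conflicting-policies card in action: the user's identity policy allows s3:GetObject, but the bucket policy's Deny matches the same request, so the result is ExplicitDeny. "delete_no_mfa" and "put_object" show the implicit deny: nothing forbids them, but nothing allows them either. The real IAM evaluator also consults SCPs, permissions boundaries, and session policies, and supports many more condition operators than this model.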
Can IAM groups contain other groups?
No, IAM groups cannot contain other groups. Each group can only contain users, and users can belong to multiple groups.