AWS Identity Basics Flashcards

1
Q

What’s an example of how IAM allows you to maintain records of identity?

A

The user list.

2
Q

What five elements is IAM commonly used to manage?

A
  • Users
  • Groups
  • Roles
  • IAM Policies
  • Authentication attributes (user IDs, passwords, access keys, MFA, password policies)
3
Q

What two methods can IAM use to authenticate your identity?

A
  • Userid/Password presentation at the console
  • Access key usage at the API level

4
Q

What two components form an IAM access key?

A
  • Access key ID
  • Secret access key

5
Q

Are userid/passwords and access keys considered long term or short term access credentials? What makes them so?

A

Long term access credentials. No expiration / no changes unless initiated by the user.

6
Q

What kinds of keys can an IAM user maintain for AWS CodeCommit?

A
  • SSH keys
  • HTTPS Git credentials

7
Q

Users and roles are both known as what kind of identity? Why?

A

Real identities.

  • Have an ARN (Amazon Resource Name)
  • Can be referenced in other areas of AWS (e.g. in policies)
8
Q

IAM can enforce specific password character types. Which types can it enforce?

A
  • Uppercase
  • Lowercase
  • Number
  • Non-alphanumeric
9
Q

Can IAM enforce a minimum password length?

A

Yes.

10
Q

What three provisions can IAM enforce around password changes?

A
  • Enforced password expiration periods
  • Enforced rejection of password reuse
  • Requiring an administrator to reset the password after expiry
11
Q

Which permission policies are attached to a new IAM user?

A

None.

12
Q

Without explicit allowances, is an IAM user ALLOWed or DENYed access to services?

A

Denied. All policies have an implicit deny.

13
Q

When multiple policies conflict explicitly, does an ALLOW or a DENY override the conflict?

A

DENY. Explicit denies always ‘win’.

14
Q

IAM can allow external identities to access AWS resources. What’s the mechanism it uses to do this, and what’s this usage known as?

A

STS (security token service) - the usage is known as Federated Identities.

15
Q

What’s the limit of IAM users per account?

A

5000

16
Q

Is there any way to get around the limitation of max IAM users per account?

A

Yes - use STS and Identity Federation. Delegate the provision of identities to an external provider, and once that entity is verified you can allow it access to AWS resources.

17
Q

What three elements are ALWAYS present in an IAM policy?

A

Effect, Action, and Resource

18
Q

What does the Effect element of an IAM policy do?

A

Determines what effect the rest of the statement has - generally of the Allow or Deny flavors.

19
Q

What does the Action element of an IAM policy do?

A

Action names the one or more API calls that the policy statement applies to.

20
Q

When using the Action element, what value types are appropriate?

A
  • A single element
  • A list of specific elements
  • A ‘*’ which represents all actions
  • A mix of the above (“s3:*” would give blanket access to all S3 API calls).
21
Q

What does the Resource element of an IAM policy do?

A

Limits the resources for which the policy applies (by ARN).

22
Q

When using the Resource key, what value types are appropriate for use, and in what formats?

A

ARNs, in any of these forms:

  • a single ARN,
  • a list of multiple ARNs,
  • a ‘*’ for all possible ARNs, or
  • a mix of the above.
23
Q

What’s the typical use case for in-line IAM policies?

A

To provide one-off exceptions for users who are otherwise assigned standardized or managed policies but need something in addition to the standardized policy.

Using inline policies for all users is considered an antipattern.

24
Q

What does the Condition element of an IAM policy do?

A

Allows a policy item to be applied if a variable meets the condition’s requirements.

25
Q

What three attributes are necessary for a Condition element in an IAM policy?

A
  • Condition-Operator ("StringEquals")
  • Condition-Key ("aws:username")
  • Condition-Value ("joe")
26
Q

What does the format of a Condition in an IAM policy look like?

A

"Condition": {"StringEquals": {"aws:username": "joe"}}

27
Q

There is a way for IAM to substitute the values of system variables in a Condition element. What’s the mechanism called, and what does its format look like?

A

Yes - it’s a Variable, of course. In use it looks like ${aws:username}, for example.

28
Q

What does the Principal element of an IAM policy do?

A

Limits the application of the policy only to users who match the name of the Principal involved. All users can be allowed via a * notation.

29
Q

Is the Principal element required in an Identity policy or a Resource policy?

A

A Resource policy. Principal is assumed to be the identity itself in an Identity policy.

30
Q

When is a resource policy best used?

A

When you want to control the access of many identities to a single resource.

31
Q

What four use cases are best suited for the use of an IAM Role?

A
  • Letting an AWS service do something on your behalf
  • When many identities need to perform a similar function
  • When an application needs to interact with one or more AWS resources
  • When a remote account wants to grant one or more members of multiple AWS accounts access to its resources.
32
Q

What two main components does an IAM Role consist of?

A
  • Trust policy. This is checked to see if an IAM user has the ability to assume the role
  • Permissions policy. As we’ve discussed prior.
33
Q

How often are trust policies evaluated for assumed roles?

A

Only when roles are assumed.

34
Q

How often are permissions policies evaluated for assumed roles?

A

Every time a service is accessed.

35
Q

What’s the IP address where EC2 instance info is always available?

A

http://169.254.169.254/

36
Q

What kind of credentials are provided when assuming a role? What mechanism issues those credentials? Are there any special limitations to those credentials?

A

Temporary credentials (including access and secret keys) are issued, using STS. These credentials have an expiration date.

37
Q

What mechanism does IAM use to revoke role assumption sessions?

A

It creates an IAM policy which issues an explicit deny effect for all resources when the aws:TokenIssueTime is less than the current time.

38
Q

AWS products and services use IAM service roles for what reason?

A

To interact with other AWS services, both within a single account and across accounts using sts-assume-role

39
Q

What functional call do you make to assume a role at the command line? What arguments are required, and what values do they represent?

A

sts-assume-role

  • role-arn - the AWS ARN of the role to be assumed
  • role-session-name - the name of the session
40
Q

What two cases still exist where you need to use ACLs to control access to S3 buckets?

A
  • Controlling access to objects at the object level
  • Configuring S3 access logs

41
Q

What’s the key limitation to using ACLs to control access to S3 buckets?

A

Bucket owner has no access to objects uploaded by others (object is owned by uploader)

42
Q

What are two limitations to using bucket policies to control putObject access to S3 buckets?

A
  • Uploader cannot verify the upload (no permission to view objects, only to put them)
  • Bucket owner has no access to objects uploaded by others (object is owned by uploader)
43
Q

Under what circumstances does it become problematic when a bucket owner does not have permissions to an object in a bucket?

A
  • Cross-region replication
44
Q

What is the method used to force externally authorized bucket users via a bucket policy to only allow uploads when bucket owners also own the uploads?

A

Add an explicit deny for the action and principal, with the condition that the x-amz-acl attribute does NOT equal bucket-owner-full-control.

45
Q

What is the easiest way, from an admin load perspective, to ensure that objects uploaded to a bucket by a third party are owned by the bucket owner?

A

Have the third party assume a role on the destination account using sts:AssumeRole.