AWS Identity Basics Flashcards Preview


Flashcards in AWS Identity Basics Deck (45)

What's an example of how IAM allows you to maintain records of identity?

The user list.


What five elements is IAM commonly used to manage

- Users
- Groups
- Roles
- IAM Policies
- Authentication attributes (uids, pwds, keys, mfa, pwd policies)


What two methods can IAM use to authenticate your identity

- User ID/password presentation at the console
- Access key usage at the API level


What two components form an IAM access key?

- Access key ID
- Secret access key


Are user ID/passwords and access keys considered long-term or short-term access credentials? What makes them so?

Long-term access credentials. They have no expiration and do not change unless the user initiates a change.


What kinds of keys can an IAM user maintain for AWS CodeCommit?

- SSH Keys
- HTTPS Git credentials


Users and roles are both known as what kind of identity? Why?

Real identities.
- Have an Amazon reference name
- Can be referenced in other areas of AWS (policies)


IAM can enforce specific password character types. Which types can it enforce?

- Uppercase
- Lowercase
- Number
- Non-alphanumeric


Can IAM enforce a minimum password length?



What three provisions can IAM enforce around password changes?

- Enforced password expiration periods
- Enforced password reuse rejection
- Enforce admin requirement to reset after expiry


Which permission policies are attached to a new IAM user?



Without explicit allowances, is an IAM user ALLOWed or DENYed access to services?

Denied. All policies have an implicit deny.


When multiple policies conflict explicitly, does an ALLOW or a DENY override the conflict?

DENY. Explicit denies always 'win'.


IAM can allow external identities to access AWS resources. What's the mechanism it uses to do this, and what's this usage known as?

STS (security token service) - the usage is known as Federated Identities.


What's the limit of IAM users per account?



Is there any way to get around the limitation of max IAM users per account?

Yes - use STS and Identity Federation. Delegate the provision of identities to an external provider, and once that entity is verified you can allow it access to AWS resources.


What three elements are ALWAYS present in an IAM policy?

Effect, Action, and Resource


What does the Effect element of an IAM policy do?

Determines what effect the rest of the statement has - generally of the Allow or Deny flavors.


What does the Action element of an IAM policy do?

Action names the one or more API calls that the statement applies to.


When using the Action element, what value types are appropriate?

- A single element
- A list of specific elements
- A '*', which represents all actions
- A mix of the above ("s3:*" would give blanket access to all S3 API calls)


What does the Resource element of an IAM policy do?

Limits the resources for which the policy applies (by ARN).


When using the Resource key, what value types are appropriate for use, and in what formats?

ARNs, in any of these forms:
- a single ARN
- a list of multiple ARNs
- * for all possible ARNs
- a mix of the above


What's the typical use case for in-line IAM policies?

To provide one-off exceptions for users who are otherwise assigned standardized or managed policies but need something in addition to the standardized policy.

Using inline policies for all users is considered an antipattern.


What does the Condition element of an IAM policy do?

Allows a policy statement to apply only if a variable meets the condition's requirements.


What three attributes are necessary for a Condition element in an IAM policy?

- Condition-Operator ("StringEquals")
- Condition-Key ("aws:username")
- Condition-Value ("joe")


What does the format of a Condition in an IAM policy look like?

"Condition": {"StringEquals": {"aws:username": "joe"}}


There is a way for IAM to substitute the values of system variables in a Condition element. What's the mechanism called, and what does its format look like?

Yes - it's a Variable, of course. In use it looks like ${aws:username}, for example.


What does the Principal element of an IAM policy do?

Limits the application of the policy to the principals named in the element. All principals can be allowed via the * notation.


Is the Principal element required in an Identity policy or a Resource policy?

A Resource policy. Principal is assumed to be the identity itself in an Identity policy.


When is a resource policy best used?

When you want to control the access of many identities to a single resource.


What four use cases are best suited for the use of an IAM Role?

- Letting an AWS service do something on your behalf
- When many identities need to perform a similar function
- When an application needs to interact with one or more AWS resources
- When a remote account wants to grant one or more members of multiple AWS accounts access to its resources.


What two main components does an IAM Role consist of?

- Trust policy. This is checked to see whether an IAM user has the ability to assume the role.
- Permissions policy. As discussed previously.


How often are trust policies evaluated for assumed roles?

Only when roles are assumed.


How often are permissions policies evaluated for assumed roles?

Every time a service is accessed.


What's the IP address where EC2 instance info is always available?


What kind of credentials are provided when assuming a role? What mechanism issues those credentials? Are there any special limitations to those credentials?

Temporary credentials (including access and secret keys) are issued, using STS. These credentials have an expiration date.


What mechanism does IAM use to revoke role assumption sessions?

It attaches an IAM policy that issues an explicit deny for all resources when aws:TokenIssueTime is less than the current time.


AWS products and services use IAM service roles for what reason?

To interact with other AWS services, both within a single account and across accounts using sts-assume-role


What function call do you make to assume a role at the command line? What arguments are required, and what values do they represent?

- role-arn - the AWS ARN of the role to be assumed
- role-session-name - the name of the session


What two cases still exist where you need to use ACLs to control access to S3 buckets?

- Control access to objects at the object level
- Configuring S3 access logs.


What's the key limitation to using ACLs to control access to S3 buckets?

Bucket owner has no access to objects uploaded by others (object is owned by uploader)


What are two limitations to using bucket policies to control putObject access to S3 buckets?

- Uploader cannot verify the upload (no permissions to view objects, only put)
- Bucket owner has no access to objects uploaded by others (object is owned by uploader)


Under what circumstances does it become problematic when a bucket owner does not have permissions to an object in a bucket?

- Cross-region replication


What method, via a bucket policy, forces externally authorized bucket users to upload only objects that the bucket owner will also own?

Add an explicit deny for the action and principal with the condition that the x-amz-acl attribute does NOT equal bucket-owner-full-control.


What is the easiest way, from an admin load perspective, to ensure that objects uploaded to a bucket by a third party are owned by the bucket owner?

Have the third party assume a role on the destination account using sts:AssumeRole.