AWS Identity Basics Flashcards
(45 cards)
What’s an example of how IAM allows you to maintain records of identity?
The user list.
What five elements is IAM commonly used to manage?
- Users
- Groups
- Roles
- IAM Policies
- Authentication attributes (user IDs, passwords, access keys, MFA, password policies)
What two methods can IAM use to authenticate your identity?
- User ID/password presented at the console
- Access key usage at the API level
What two components form an IAM access key?
- Access key ID
- Secret access key
Are userid/passwords and access keys considered long term or short term access credentials? What makes them so?
Long-term access credentials. They have no expiration and do not change unless the user initiates a change.
What kinds of keys can an IAM user maintain for AWS CodeCommit?
- SSH Keys
- HTTPS Git credentials
Users and roles are both known as what kind of identity? Why?
Real identities.
- Have an Amazon Resource Name (ARN)
- Can be referenced in other areas of AWS (policies)
IAM can enforce specific password character types. Which types can it enforce?
- Uppercase
- Lowercase
- Number
- Non-alphanumeric
Can IAM enforce a minimum password length?
Ayep.
What three provisions can IAM enforce around password changes?
- Enforced password expiration periods
- Enforced password reuse rejection
- Enforced admin reset requirement after expiry
Which permission policies are attached to a new IAM user?
None.
Without explicit allowances, is an IAM user ALLOWed or DENYed access to services?
Denied. All policies have an implicit deny.
When multiple policies conflict explicitly, does an ALLOW or a DENY override the conflict?
DENY. Explicit denies always ‘win’.
IAM can allow external identities to access AWS resources. What’s the mechanism it uses to do this, and what’s this usage known as?
STS (Security Token Service) - the usage is known as Federated Identities.
What’s the limit of IAM users per account?
5000
Is there any way to get around the limitation of max IAM users per account?
Yes - use STS and Identity Federation. Delegate the provision of identities to an external provider, and once that entity is verified you can allow it access to AWS resources.
What three elements are ALWAYS present in an IAM policy?
Effect, Action, and Resource
What does the Effect element of an IAM policy do?
Determines what effect the rest of the statement has - generally of the Allow or Deny flavors.
What does the Action element of an IAM policy do?
Action names the one or more API calls that the statement applies to.
When using the Action element, what value types are appropriate?
- A single action
- A list of specific actions
- A ‘*’ which represents all actions
- A mix of the above (“s3:*” would give blanket access to all S3 API calls)
What does the Resource element of an IAM policy do?
Limits the resources for which the policy applies (by ARN).
When using the Resource key, what value types are appropriate for use, and in what formats?
ARNs, in any of these forms:
- a single ARN
- a list of multiple ARNs
- a ‘*’ for all possible ARNs
- a mix of the above
What’s the typical use case for in-line IAM policies?
To provide one-off exceptions for users who are otherwise assigned standardized or managed policies but need something in addition to the standardized policy.
Using inline policies for all users is considered an antipattern.
What does the Condition element of an IAM policy do?
Makes the statement apply only if a variable meets the condition’s requirements.