IAM Flashcards Preview

Flashcards in IAM Deck (128)
1
Q

What is IAM

A

AWS Identity and Access Management (IAM) is a web service that helps you securely control who is authenticated and what they are authorized to do with AWS resources.

2
Q

Authentication vs Authorization

A

Authentication - proving who you are (signing in with valid credentials).

Authorization - what an authenticated principal is allowed to do, on which resources.

3
Q

Consistency type of IAM

A

Eventually consistent. A change such as attaching a policy or creating a key is replicated across AWS servers and may not be visible or enforced everywhere immediately, so do not treat a successful IAM API call as proof that the change is in effect.

4
Q

You access IAM via:

A
  1. AWS Management Console
  2. AWS Command Line Tools
  3. AWS SDKs
  4. IAM HTTPS API
5
Q

When you use the ________, you must include code to digitally sign requests using your credentials

A

HTTPS API. Requests are signed with AWS Signature Version 4 (SigV4) using the access key ID and secret access key; the SDKs and CLI do this signing for you.
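
The signing step the card refers to, as an added example (not AWS SDK code, standard library only). It builds the SigV4 canonical request, string to sign, signing key and Authorization header for the IAM ListUsers call; the access key, secret key and timestamp are the placeholder values from AWS's public SigV4 documentation, not real credentials.

```python
"""Signing an IAM HTTPS API request with AWS Signature Version 4.

Added example, not AWS SDK code; standard library only. The request is the
IAM ListUsers GET call, and the access key, secret key and timestamp are the
placeholder values AWS uses in its SigV4 documentation (assumed, not real).
"""
import hashlib
import hmac
from urllib.parse import quote


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(params: dict) -> str:
    # Each name and value is URI-encoded; pairs are sorted by name.
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def canonical_request(method: str, path: str, params: dict, headers: dict, payload: bytes):
    """Return (canonical request text, SignedHeaders value)."""
    # Header names are lowercased and sorted; runs of spaces in values collapse to one.
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed = ";".join(sorted(lower))
    canon_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    text = "\n".join([method, path or "/", canonical_query(params),
                      canon_headers, signed, sha256_hex(payload)])
    return text, signed


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def sign_request(access_key, secret_key, method, host, path, params,
                 amz_date, region, service, payload=b"", extra_headers=None):
    """Return the SigV4 artefacts, including the Authorization header value."""
    headers = {"host": host, "x-amz-date": amz_date}
    headers.update(extra_headers or {})
    creq, signed = canonical_request(method, path, params, headers, payload)
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "canonical_request": creq,
        "string_to_sign": string_to_sign,
        "signature": signature,
        "authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed}, Signature={signature}"),
    }


# Placeholder credentials from the AWS documentation examples (not real keys).
EXAMPLE = dict(
    access_key="AKIDEXAMPLE",
    secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    method="GET", host="iam.amazonaws.com", path="/",
    params={"Action": "ListUsers", "Version": "2010-05-08"},
    amz_date="20150830T123600Z", region="us-east-1", service="iam",
    extra_headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
)

if __name__ == "__main__":
    result = sign_request(**EXAMPLE)
    print(result["canonical_request"])
    print(result["authorization"])
```

The canonical request and string to sign printed by the block can be compared line by line with the worked ListUsers example in AWS's SigV4 documentation. Note that the secret key never leaves the client: only the HMAC-derived signature travels in the Authorization header, and the signing key is scoped to one date, region and service, so a leaked signing key is far less valuable than a leaked secret key.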

6
Q

What are IAM Resources

A
  1. User
  2. Group
  3. Role
  4. Policy
  5. Identity provider objects
7
Q

Can you add/delete/modify IAM resources?

A

Yes, provided the calling identity has the IAM permissions to do so (for example iam:CreateUser or iam:DeleteRole).

8
Q

What are Identity Provider Objects?

A

If you already manage user identities outside of AWS, you can use IAM identity providers instead of creating IAM users in your AWS account.

9
Q

What are IAM Identities?

A

The IAM resource objects that are used to identify and group: users, groups, and roles.

10
Q

You attach policies to _______

A

IAM identities.

11
Q

What are IAM Entities?

A

The IAM resource objects that AWS uses for authentication: users and roles.

12
Q

What is a principal

A

A principal is a person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.

13
Q

Principals include users such as _______ and _________

A

Federated users and assumed roles.

14
Q

IAM users and roles that are used to authenticate are called _________

A

IAM entities

15
Q

Out of users, groups and roles, you don’t use this for authentication.

A

Groups. A group is not a principal: it cannot sign in, and it cannot be named in a policy's Principal element.

16
Q

_________ are used for AWS authentication?

A

IAM Entities.

17
Q

What information does a request from principal to AWS resource include?

A
  1. Actions or operations.
  2. Resources
  3. Principal
  4. Environment Data
  5. Resource Data
18
Q

AWS gathers the information from request into a ________ which is used to authorize the request

A

Request context

19
Q

To authenticate a principal from the API or AWS CLI, you must provide your ________ and __________

A

access key ID and secret access key (plus a session token when the credentials are temporary).

20
Q

Most policies are stored in AWS as ___________

A

JSON documents

21
Q

__________ specify the permissions for principal entities

A

Policies

22
Q

To provide your users with permissions to access the AWS resources in their own account, you need only _________.

A

identity-based policies

23
Q

Resource-based policies are popular for ___________

A

granting cross-account access

24
Q

When does AWS Denies a request?

A
  1. Explicit Deny
  2. Denied by default

25
Q

What is Explicit Deny?

A

If any applicable policy contains a Deny statement that matches the request, AWS denies the entire request and stops evaluating.

26
Q

What is Denied by default

A

The default behaviour of AWS: every request is denied unless some policy explicitly allows it (an implicit deny).

27
Q

When does AWS Accepts a request?

A

If the action is allowed in the permissions policy, with no other policy denying it

28
Q

An _________ in any policy overrides any allows.

A

explicit deny

29
Q

If one or more of ________ policy types exists, they must all allow the request. Otherwise, it is ___________

A
  1. Organizations’ SCP (Service Control Policies)
  2. IAM Permissions boundary
  3. Session Policy

Implicitly denied

30
Q

What is Organizations’ SCP

A

AWS Organizations service control policy (SCP) defines the maximum permissions for account members of an organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.

31
Q

What is IAM Permission boundary

A

An advanced feature that uses a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity (user or role). It limits permissions but does not grant any.

32
Q

An entity’s permissions boundary allows it to perform only the actions that are allowed by _______________

A

both its identity-based policies and its permissions boundary.

33
Q

What is a Session Policy

A

An inline permissions policy that the caller passes as a parameter when assuming a role or creating a federated user session. It limits the permissions of that session and does not grant any.
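
The decision flow of cards 24 to 33, as an added example (not AWS's evaluation engine). It applies the order the cards give: an explicit Deny anywhere wins; SCPs must allow when present; a same-account resource-based policy can grant on its own; otherwise an identity-based Allow is needed and the permissions boundary and session policy, if present, must not exclude it; anything else is an implicit deny. Simplifications assumed here: the caller is an IAM user in the resource's account, the Principal, Condition and NotAction elements are not modelled (resource-based policies passed in are taken to already name the caller), and the sample policies are constructed.

```python
"""How AWS decides Allow vs Deny, as a small evaluator for one account.

Added example, not AWS's evaluation engine. Assumed simplifications: the caller
is an IAM user in the resource's account; Principal, Condition and NotAction are
not modelled; the sample policies are constructed.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_effects(policy, action, resource):
    """Return the set of Effect values of statements matching action and resource."""
    found = set()
    for st in _as_list(policy.get("Statement", [])):
        # Action names are case-insensitive; Resource ARNs are case-sensitive; both take '*' and '?'.
        action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st.get("Action", [])))
        resource_ok = any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*")))
        if action_ok and resource_ok:
            found.add(st["Effect"])
    return found


def evaluate(action, resource, identity=(), resource_based=(), scps=(), boundary=None, session=None):
    groups = {
        "scp": [statement_effects(p, action, resource) for p in scps],
        "resource": [statement_effects(p, action, resource) for p in resource_based],
        "identity": [statement_effects(p, action, resource) for p in identity],
        "boundary": [statement_effects(boundary, action, resource)] if boundary else [],
        "session": [statement_effects(session, action, resource)] if session else [],
    }

    def allows(name):
        return any("Allow" in effects for effects in groups[name])

    # 1. An explicit Deny in any applicable policy ends evaluation.
    if any("Deny" in effects for group in groups.values() for effects in group):
        return "Deny (explicit)"
    # 2. SCPs cap what every principal in the account may do; they grant nothing.
    if groups["scp"] and not allows("scp"):
        return "Deny (implicit: no SCP allows)"
    # 3. A same-account resource-based policy can grant on its own, and a
    #    permissions boundary does not limit it (card 122).
    if allows("resource"):
        return "Allow"
    # 4. Otherwise an identity-based policy must grant the action ...
    if not allows("identity"):
        return "Deny (implicit: no identity-based policy allows)"
    # 5./6. ... and the boundary and session policy, when present, must also allow it.
    if groups["boundary"] and not allows("boundary"):
        return "Deny (implicit: permissions boundary does not allow)"
    if groups["session"] and not allows("session"):
        return "Deny (implicit: session policy does not allow)"
    return "Allow"


# Constructed sample policies.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
     "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"]}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::app-bucket"}]}

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::app-bucket/report.csv"),
                     ("s3:PutObject", "arn:aws:s3:::app-bucket/report.csv"),
                     ("s3:DeleteBucket", "arn:aws:s3:::app-bucket"),
                     ("s3:ListBucket", "arn:aws:s3:::app-bucket")]:
        print(act, "->", evaluate(act, res, identity=[IDENTITY_POLICY], resource_based=[BUCKET_POLICY],
                                  scps=[SCP], boundary=BOUNDARY))
```

Running it shows the four outcomes side by side: GetObject is allowed by every layer; PutObject is granted by the identity policy but cut off by the boundary; DeleteBucket is allowed by the identity policy and killed by the SCP's explicit Deny; ListBucket is granted by the bucket policy alone even though the boundary never mentions it.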

34
Q

What is Federating existing users

A

If the users in your organization already have a way to be authenticated, such as by signing in to your corporate network, you don’t have to create separate IAM users for them. Instead, you can federate those user identities into AWS.

35
Q

How to Federate users when you have identities in your corporate directory that is compatible with Security Assertion Markup Language 2.0 (SAML2.0)

A

If your corporate directory is compatible with SAML 2.0, you can configure it as a SAML identity provider in IAM and provide single sign-on (SSO) access to the AWS Management Console for your users.

36
Q

How to Federate users when you have identities in your corporate directory that is NOT compatible with Security Assertion Markup Language 2.0 (SAML2.0)

A

If your corporate directory is not compatible with SAML 2.0, you can create an identity broker application that authenticates users against the directory and then calls AWS STS for temporary credentials, providing single sign-on (SSO) access to the AWS Management Console.

37
Q

How to Federate users when you have identities if your corporate directory is Microsoft Active Directory?

A

If your corporate directory is Microsoft Active Directory, you can use AWS Directory Service to establish trust between your corporate directory and your AWS account.

38
Q

What are principal entities?

A

A principal entity is a person or application that is authenticated using an IAM entity (user or role)

39
Q

_________ is often referred to as authorization.

A

Access management

40
Q

You manage access in AWS by _________

A

creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources.

41
Q

What is a policy?

A

A policy is an AWS object that, when associated with a

42
Q

_______ in the policies determine whether the request is allowed or denied.

A

Permissions

43
Q

IAM users are ________ in the service.

A

identities

44
Q

You give permissions to a user by creating an ________, which is a policy that is attached to the user or a group to which the user belongs

A

identity-based policy

45
Q

You can organize IAM users into _______

A

IAM groups

46
Q

________ don’t have permanent identities in your AWS account the way that IAM users do.

A

Federated users

47
Q

To assign permissions to federated users, you can create an entity referred to as a ______ and define permissions for that

A

role

48
Q

What are Identity-based policies

A

Identity-based policies are permissions policies (managed or inline) that you attach to an IAM identity, such as an IAM user, group, or role. They grant permissions to an identity.

49
Q

What are Resource-based policies

A

Resource-based policies are permissions policies (inline) that you attach to a resource such as an Amazon S3 bucket (bucket policies) or an IAM role trust policy. Resource-based policies grant permissions to the principal that is specified in the policy.

50
Q

What actions does Identity-based policies control

A

Identity-based policies control what actions the identity can perform, on which resources, and under what conditions

51
Q

What actions does Resource-based policies control

A

Resource-based policies control what actions a specified principal can perform on that resource and under what conditions.

52
Q

Identity-based policies can be further categorized:

A
  1. Managed Policies
  2. Inline Policies

53
Q

What are Managed Policies?

A

Standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account.

54
Q

Types of Managed Policies:

A
  1. AWS Managed Policies
  2. Customer Managed Policies

55
Q

What are AWS Managed Policies

A

Managed policies that are created and managed by AWS

56
Q

What are Customer managed policies

A

Managed policies that you create and manage in your AWS account

57
Q

What are Inline Policies?

A

Policies that you create and manage and that are embedded directly into a single user, group, or role. There is a strict 1:1 relationship between the entity and the policy.

58
Q

Resource-based policies are _______ policies, and there are no______ policies.

A

inline policies; managed resource-based

59
Q

To enable cross-account access, you can specify an entire account or IAM entities in another account as the ______in a resource-based policy.

A

principal

60
Q

The IAM service supports only one type of resource-based policy, called a _____, which is attached to an IAM ____

A

role trust policy; role

61
Q

IAM role is both _________ and ___________

A

an identity and a resource

62
Q

______ define which principal entities (accounts, users, roles, and federated users) can assume the role.

A

Trust policies

63
Q

ABAC Full form

A

Attribute-based access control (ABAC)

64
Q

What is ABAC for AWS?

A

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes.

65
Q

In AWS ABAC, these attributes are called _______

A

tags

66
Q

How do ABAC policies allow operations?

A

The ABAC policies can be designed to allow operations when the principal’s tag matches the resource tag.

67
Q

RBAC Stands for

A

role-based access control

68
Q

The traditional authorization model used in IAM is called _________

A

role-based access control (RBAC).

69
Q

______ defines permissions based on a person’s job function, known outside of AWS as a _____.

A

RBAC ; role

70
Q

What is disadvantage to using the traditional RBAC model

A

The disadvantage to using the traditional RBAC model is that when employees add new resources, you must update policies to allow access to those resources.

71
Q

Advantages of ABAC model over RBAC model

A
  1. ABAC permissions scale with innovation.
  2. ABAC requires fewer policies.
  3. Using ABAC, teams can change and grow quickly.
  4. Granular permissions are possible with ABAC.
  5. Use employee attributes (passed as tags) from your corporate directory with ABAC.
72
Q

How ABAC permissions scale with innovation

A

It’s no longer necessary for an administrator to update existing policies to allow access to new resources - rather new resources are updated with tags.
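
The tag-matching rule of cards 64 to 72, as an added example (not AWS code). It evaluates one Allow statement whose StringEquals condition compares aws:ResourceTag/<key> with the policy variable ${aws:PrincipalTag/<key>}, so a new resource becomes accessible by tagging it rather than by editing the policy. Only StringEquals with string values is modelled (an assumption); the policy, tag names and actions are constructed.

```python
"""ABAC: grant when the principal's tags match the resource's tags.

Added example, not AWS code. Only StringEquals with string values is modelled;
the policy, tags and actions are constructed.
"""
import re
from fnmatch import fnmatchcase

ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SameProjectAndTeamOnly",
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:ResourceTag/project": "${aws:PrincipalTag/project}",
            "aws:ResourceTag/team": "${aws:PrincipalTag/team}",
        }},
    }],
}

_POLICY_VAR = re.compile(r"\$\{([^}]+)\}")


def request_context(principal_tags, resource_tags):
    """Condition keys as AWS exposes them: aws:PrincipalTag/<k> and aws:ResourceTag/<k>."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return ctx


def resolve(value, ctx):
    """Substitute ${key} policy variables; return None if any key is absent from the context."""
    missing = []

    def replace(match):
        found = ctx.get(match.group(1))
        if found is None:
            missing.append(match.group(1))
            return ""
        return found

    resolved = _POLICY_VAR.sub(replace, value)
    return None if missing else resolved


def condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            wanted = resolve(expected, ctx)
            # A missing condition key, or a variable with no value, never satisfies StringEquals:
            # an untagged resource or an untagged principal falls through to the implicit deny.
            if actual is None or wanted is None or actual != wanted:
                return False
    return True


def abac_allows(policy, action, principal_tags, resource_tags):
    ctx = request_context(principal_tags, resource_tags)
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if st["Effect"] == "Allow" and condition_holds(st.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    dev = {"project": "pegasus", "team": "payments"}
    print(abac_allows(ABAC_POLICY, "ec2:StopInstances", dev, {"project": "pegasus", "team": "payments"}))
    print(abac_allows(ABAC_POLICY, "ec2:StopInstances", dev, {"project": "unicorn", "team": "payments"}))
```

The practical consequence: whoever can set the project or team tag on a resource, or on a principal, effectively edits this policy, so in a real deployment the tagging permissions (ec2:CreateTags, iam:TagRole and friends) need the same care as the policy itself, typically by conditioning them on aws:RequestTag and aws:TagKeys.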

73
Q

AWS enables temporary access through _______ with your corporate directory.

A

identity federation

74
Q

Each IAM user is associated with ______ AWS accounts

A

only one

75
Q

To change a user’s name or path, you must use the __________ . There is no option in the ______to rename a user

A

AWS CLI, Tools for Windows PowerShell, or AWS API; Console

76
Q

IAM __________ reviews your AWS________ and generates a policy template that contains the permissions that have been used by the entity in your specified date range.

A

Access Analyzer; CloudTrail logs

77
Q

________ are long-term credentials for an IAM user or the AWS account root user.

A

Access keys

78
Q

You can have a maximum of ____ access keys.

A

two (per IAM user). The second slot exists for rotation: create the new key, move the application to it, confirm the old key is unused, then deactivate and finally delete the old key.

79
Q

The account password policy does not apply to the _______ credentials.

A

root user

80
Q

What is a credential report

A

You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices.

81
Q

A role does not have ________ credentials

A

standard long-term

82
Q

When you assume a role, it provides you with __________ for your role session.

A

temporary security credentials

83
Q

An IAM role has some similarities to an ______

A

IAM user

84
Q

Instead of being uniquely associated with one person, a role is intended to be ___________

A

assumable by anyone who needs it, meaning any principal that the role's trust policy allows.

85
Q

What is AWS service role

A

A role that a service assumes to perform actions on your behalf

86
Q

You must define a _____ for the service to assume.

A

role

87
Q

Service roles provide access only within your account and cannot be used to grant _______

A

access to services in other accounts.

88
Q

________ is a special type of service role that an application running on an Amazon EC2 instance can assume to perform actions in your account

A

AWS service role for an EC2 instance

89
Q

AWS service role for an EC2 instance is assigned when ___________

A

the EC2 instance is launched (through an instance profile that contains the role). An instance profile can also be attached to, or replaced on, an already running instance.

90
Q

With AWS Service role for an EC2 instance, an application can __________

A

retrieve temporary security credentials to perform actions that the role allows.

91
Q

What is AWS service-linked role

A

A unique type of service role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.

92
Q

service role vs service-linked role

A

Service role - you create the role yourself and define its permissions policy and its trust policy naming the service that may assume it.
Service-linked role - predefined by the service, which owns its permissions and trust policy; you cannot change its permissions, and it can be deleted only after the service no longer uses it.

93
Q

Role chaining

A

Role chaining occurs when you use a role to assume a second role through AWS CLI or API

94
Q

Role chaining example

A
  1. User1 is permitted to assume RoleA and RoleB; RoleA is permitted to assume RoleB.
  2. User1 assumes RoleA using User1’s long-term credentials and receives RoleA’s short-term (temporary) credentials.
  3. Role chaining: User1 uses RoleA’s short-term credentials to assume RoleB.

95
Q

How can session tags be carried through a role chain?

A

When a user assumes a role, the user can pass the session tag and set the tag to ‘Transitive’. These transitive session tags are passed to all subsequent sessions in a role chain.

96
Q

Role chaining limits your AWS CLI or API role session to _______

A

Maximum of one hour.

97
Q

What happens if you assume a role using role chaining and provide DurationSeconds Parameter value to greater than one hour?

A

The operation fails.

98
Q

What is delegation?

A

The granting of permissions to someone to allow access to resources that you control.

99
Q

Delegation involves setting up __________

A

Trust between two accounts.

100
Q

In delegation, the trusted and trusting accounts can be any of the following:

A
  1. Both belong to the same account
  2. Both belong to same organization
  3. Two accounts owned by two different organizations.
101
Q

To delegate permissions to access a resource, you need to set up an IAM role in the trusting account with _________ and __________ policies attached.

A

Permission policy and trust policy

102
Q

What is permission policy?

A

The permissions policy grants whoever assumes the role the permissions needed to carry out the intended tasks on the resource.

103
Q

What is trust policy?

A

The trust policy defines which principals in the trusted account are allowed to assume the role.

104
Q

When you create a trust policy, you cannot specify * as a ____________

A

principal.

105
Q

Both the trust policy and the permissions policy are attached to the role in the ________ account; the ________ account attaches an identity-based policy allowing its users to call sts:AssumeRole on that role.

A

trusting; trusted

106
Q

How does delegation happen once the role is ready to be assumed.

A

The user assuming a role, temporarily gives up their permissions and instead takes on the permissions from their role. When the user exits and stops using the role, the original permissions are restored.

107
Q

In delegation, __________ parameter helps with the secure use of roles between accounts that are not controlled by the same organizations

A

ExternalId (checked with the sts:ExternalId condition key in the trust policy). It guards against the confused-deputy problem: a third party that assumes roles in many customers’ accounts must present the ExternalId you agreed on, so it cannot be tricked into using your role on someone else’s behalf.
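
The checks cards 93 to 107 describe, collected into one added example (not AWS STS): a trust policy that names the trusted account and requires an ExternalId, a caller that must match the trust policy's Principal, the one-hour cap on sessions created by role chaining, and transitive session tags that flow into the next session and cannot be overridden. Account IDs, role names, the external ID and the tag names are placeholders; the role's MaxSessionDuration and the caller's own identity-based policies are assumed to permit the calls.

```python
"""What AssumeRole checks: trust policy, ExternalId, and the role-chaining limit.

Added example, not AWS STS. Account IDs, role names and the external ID are
placeholders; MaxSessionDuration and the caller's own policies are not modelled.
"""
from datetime import datetime, timedelta, timezone

MAX_CHAINED_SECONDS = 3600
FIXED_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # reproducible clock


class AssumeRoleError(Exception):
    pass


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _account_of(arn):
    return arn.split(":")[4]


def _principal_trusted(principal, caller_arn):
    for trusted in _as_list(principal.get("AWS", [])):
        if trusted == caller_arn:
            return True
        # Trusting an account root (arn:aws:iam::ACCOUNT:root) delegates to every IAM user
        # and role in that account, each still limited by its own identity-based policy.
        if trusted.endswith(":root") and _account_of(trusted) == _account_of(caller_arn):
            return True
        # Trusting a role ARN matches any session of that role.
        if ":role/" in trusted and caller_arn.startswith(
                f"arn:aws:sts::{_account_of(trusted)}:assumed-role/{trusted.split('/')[-1]}/"):
            return True
    return False


def assume_role(trust_policy, role_arn, caller, session_name, external_id=None,
                duration_seconds=3600, session_tags=None, transitive_tag_keys=(), now=FIXED_NOW):
    """caller: {"arn": ..., "credentials": "long-term" | "temporary", "transitive_tags": {...}}"""
    session_tags = dict(session_tags or {})
    for st in _as_list(trust_policy["Statement"]):
        if (st["Effect"] == "Allow"
                and "sts:AssumeRole" in _as_list(st["Action"])
                and _principal_trusted(st.get("Principal", {}), caller["arn"])):
            break
    else:
        raise AssumeRoleError("caller is not a trusted principal for this role")
    required = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
    if required is not None and external_id != required:
        raise AssumeRoleError("sts:ExternalId condition not satisfied")
    # Credentials that are themselves temporary mean this is role chaining.
    if caller["credentials"] == "temporary" and duration_seconds > MAX_CHAINED_SECONDS:
        raise AssumeRoleError("role chaining limits DurationSeconds to 3600")
    inherited = dict(caller.get("transitive_tags", {}))
    if set(inherited) & set(session_tags):
        raise AssumeRoleError("transitive tags from the previous session cannot be overridden")
    transitive = {**inherited, **{k: v for k, v in session_tags.items() if k in transitive_tag_keys}}
    return {
        "arn": f"arn:aws:sts::{_account_of(role_arn)}:assumed-role/{role_arn.split('/')[-1]}/{session_name}",
        "credentials": "temporary",
        "expiration": now + timedelta(seconds=duration_seconds),
        "tags": {**inherited, **session_tags},
        "transitive_tags": transitive,
    }


def try_assume_role(*args, **kwargs):
    """Return (session, None) on success or (None, error message) on refusal."""
    try:
        return assume_role(*args, **kwargs), None
    except AssumeRoleError as exc:
        return None, str(exc)


# Trusting account 999988887777 delegates to a vendor in account 111122223333 (placeholders).
VENDOR_ROLE_ARN = "arn:aws:iam::999988887777:role/VendorAuditRole"
VENDOR_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "cust-7f3a9c"}},
}]}
# A second role in the same account, reachable only by chaining from the first.
REPORT_ROLE_ARN = "arn:aws:iam::999988887777:role/ReportReader"
REPORT_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": VENDOR_ROLE_ARN}, "Action": "sts:AssumeRole"}]}
VENDOR_USER = {"arn": "arn:aws:iam::111122223333:user/auditor", "credentials": "long-term"}

if __name__ == "__main__":
    first, err = try_assume_role(VENDOR_TRUST_POLICY, VENDOR_ROLE_ARN, VENDOR_USER, "audit-1",
                                 external_id="cust-7f3a9c", session_tags={"customer": "acme"},
                                 transitive_tag_keys=("customer",))
    print(first["arn"], first["transitive_tags"])
    print(try_assume_role(REPORT_TRUST_POLICY, REPORT_ROLE_ARN, first, "chain", duration_seconds=7200)[1])
```

The two refusals worth noticing are the ones that do not depend on permissions at all: a caller in an untrusted account never reaches the ExternalId check, and a chained session that asks for more than an hour is rejected before any policy is consulted.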

108
Q

Users can sign in to a web identity provider, such as Login with Amazon, Facebook, Google, or any IdP that is compatible with ____________

A

OpenID Connect (OIDC)

109
Q

A role trust policy is a required _____________ that is attached to a role in IAM

A

resource-based policy

110
Q

________ are the primary way to grant cross-account access.

However, some AWS services allow you to attach a ______ directly to a resource and are called ____________, and you can use them to grant principals in another AWS account access to the resource.

A

Roles
Policy
resource-based policies

111
Q

With a resource that is accessed through a ___________, the principal still works in the trusted account and does not have to give up his or her permissions to receive the role permissions.

A

resource-based policy

112
Q

You can use the_________ to create and provide trusted users with temporary security credentials that can control access to your AWS resources.

A

AWS Security Token Service (AWS STS)

113
Q

What are the advantages of using Temporary security credentials?

A
  1. You don’t have to distribute or embed long-term security credentials within an application.
  2. You can provide access to your AWS resources to users without having to define an AWS identity for them.
  3. You don’t have to rotate or explicitly revoke the credentials; they expire automatically after their configured lifetime.

114
Q

Temporary credentials are the basis for _______ and ________ identities

A

roles and identity federation.

115
Q

By default, AWS STS is a ____ service with a ______ at https://sts.amazonaws.com.

A

global; single endpoint

116
Q

Temporary credentials are useful in scenarios that involve ___________

A

identity federation, delegation, cross-account access, and IAM roles.

117
Q

AWS recommends using _______ AWS STS endpoints instead of the global endpoint to ____________

A

Regional; reduce latency, build in redundancy, and increase session token validity.

118
Q

IAM and AWS STS are integrated with AWS _____, a service that provides a record of actions taken by an IAM user or role.

A

CloudTrail

119
Q

If you create a trail, you can enable continuous delivery of CloudTrail events to an ________

A

Amazon S3 bucket.

120
Q

If you don’t configure a trail, you can still view the most recent events in the CloudTrail console in _________

A

Event history.
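
Cards 76 and 118 to 120 together describe the loop a practitioner closes by hand or with IAM Access Analyzer: CloudTrail records what a principal actually did, and that record becomes a least-privilege policy. Here is that loop as an added example (not Access Analyzer's implementation). The CloudTrail records are constructed; the mapping from eventSource and eventName to an IAM action is a first approximation (assumption: service prefix is the first label of eventSource and the action name equals eventName, which holds for most but not all APIs), failed calls are skipped, and Resource is left as "*" for the operator to narrow.

```python
"""From CloudTrail events to a least-privilege policy template.

Added example, not IAM Access Analyzer. Events are constructed; the
eventSource/eventName -> action mapping is an approximation (see lead-in).
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

APP_ROLE = "arn:aws:iam::123456789012:role/app-role"
DEFAULT_WINDOW = (datetime(2024, 5, 1, tzinfo=timezone.utc), datetime(2024, 5, 31, tzinfo=timezone.utc))


def _event(time, source, name, issuer=APP_ROLE, error=None):
    """Build a CloudTrail record for an assumed-role session (constructed data)."""
    rec = {
        "eventTime": time, "eventSource": source, "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::123456789012:assumed-role/{issuer.split('/')[-1]}/i-0abc123",
            "sessionContext": {"sessionIssuer": {"arn": issuer}},
        },
    }
    if error:
        rec["errorCode"] = error
    return rec


EVENTS = [
    _event("2024-05-02T10:00:00Z", "s3.amazonaws.com", "GetObject"),
    _event("2024-05-02T10:00:05Z", "s3.amazonaws.com", "PutObject"),
    _event("2024-05-03T08:12:00Z", "dynamodb.amazonaws.com", "GetItem"),
    _event("2024-05-03T08:12:01Z", "dynamodb.amazonaws.com", "PutItem"),
    _event("2024-05-03T08:12:01Z", "dynamodb.amazonaws.com", "GetItem"),              # repeat call
    _event("2024-05-04T09:00:00Z", "iam.amazonaws.com", "ListUsers", error="AccessDenied"),  # failed
    _event("2024-04-01T09:00:00Z", "sqs.amazonaws.com", "SendMessage"),               # outside window
    _event("2024-05-05T09:00:00Z", "s3.amazonaws.com", "DeleteObject",
           issuer="arn:aws:iam::123456789012:role/other-role"),                     # other principal
]


def _principal(rec):
    """For assumed-role sessions the stable identity is the issuing role, not the session ARN."""
    ident = rec["userIdentity"]
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", ident.get("arn"))


def used_actions(events, principal_arn, start, end):
    """Distinct actions the principal successfully called within [start, end]."""
    actions = set()
    for rec in events:
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if _principal(rec) != principal_arn or not (start <= when <= end) or "errorCode" in rec:
            continue
        service = rec["eventSource"].split(".")[0]
        actions.add(f"{service}:{rec['eventName']}")
    return actions


def policy_template(actions):
    """One statement per service, actions sorted; Resource is left for the operator to scope."""
    by_service = defaultdict(list)
    for action in sorted(actions):
        by_service[action.split(":")[0]].append(action)
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": f"{svc.capitalize()}Access", "Effect": "Allow", "Action": acts, "Resource": "*"}
        for svc, acts in sorted(by_service.items())]}


if __name__ == "__main__":
    print(json.dumps(policy_template(used_actions(EVENTS, APP_ROLE, *DEFAULT_WINDOW)), indent=2))
```

Two caveats carry over to the real tool: a short observation window misses periodic work (the monthly job that never ran during it), and a policy generated from successful calls cannot tell you which of those calls should never have succeeded.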

121
Q

Types of policies:

A

6 types of policies

  1. Identity Based Policies
  2. Resource based policies
  3. Permissions boundaries
  4. Organizations’ SCP - Service Control Policy
  5. ACLs
  6. Session Policies
122
Q

Permissions boundaries do not define the maximum permissions that a _________ can grant to an entity.

A

resource-based policy

123
Q

What are ACLs?

A

ACLs control which principals in other accounts can access the resource to which the ACL is attached.

124
Q

ACLs are similar to _________ policies

A

resource-based

125
Q

____________ are the only policy type that does not use the JSON policy document structure.

A

ACLs

126
Q

When are ACLs used?

A

ACLs are cross-account permissions policies that grant permissions to the specified principal. ACLs cannot grant permissions to entities within the same account. In Amazon S3, the main service that uses them, ACLs are a legacy mechanism: the bucket owner enforced setting of S3 Object Ownership disables them, and new buckets get that setting by default.

127
Q

What are session policies?

A

You pass session policies as a parameter when you use the AWS CLI or AWS API to assume a role or create a federated user session. Session policies limit the permissions of the created session but do not grant permissions.

128
Q

Session policies limit the permissions that the___________ grant to the session.

A

role or user’s identity-based policies