IAM Flashcards

1
Q

What is IAM

A

Amazon Identity Access Management is a web service that helps you securely control access to AWS resources.

2
Q

Authentication vs Authorization

A

Authentication - Able to sign in

Authorization - Access to resources.

3
Q

Consistency type of IAM

A

Eventually consistent.

4
Q

You access IAM via:

A
  1. AWS Management Console
  2. AWS Command Line Tools
  3. AWS SDKs
  4. IAM HTTPS API
5
Q

When you use the ________, you must include code to digitally sign requests using your credentials

A

HTTPS API

6
Q

What are IAM Resources

A
  1. User
  2. Group
  3. Role
  4. Identity Provider Objects
7
Q

Can you add/delete/modify IAM resources?

A

With given permissions, yes

8
Q

What are Identity Provider Objects?

A

If you already manage user identities outside of AWS, you can use IAM identity providers instead of creating IAM users in your AWS account.

9
Q

What are IAM Identities?

A

IAM resource objects that are used to identify and group, such as users, groups and roles.

10
Q

You attach policies to _______

A

IAM identities.

11
Q

What are IAM Entities?

A

IAM resource objects that AWS uses for authentication, such as users and roles.

12
Q

What is a principal

A

A principal is a person or application that uses the AWS root user, an IAM user or an IAM role to sign in and make requests to AWS.

13
Q

Principals include users such as _______ and _________

A

Federated users and assumed roles.

14
Q

AWS users and roles that are used to authenticate are called _________

A

IAM entities

15
Q

Out of users, groups and roles, you don’t use this for authentication.

A

Groups

16
Q

_________ are used for AWS authentication?

A

IAM Entities.

17
Q

What information does a request from principal to AWS resource include?

A
  1. Actions or operations.
  2. Resources
  3. Principal
  4. Environment Data
  5. Resource Data
18
Q

AWS gathers the information from the request into a ________ which is used to authorize the request

A

Request context

19
Q

To authenticate a principal from the API or AWS CLI, you must provide your ________ and __________

A

access key and secret key.

20
Q

Most policies are stored in AWS as ___________

A

JSON documents

21
Q

__________ specify the permissions for principal entities

A

Policies

22
Q

To provide your users with permissions to access the AWS resources in their own account, you need only _________.

A

identity-based policies

23
Q

Resource-based policies are popular for ___________

A

granting cross-account access

24
Q

When does AWS deny a request?

A
  1. Explicit Deny
  2. Denied by default

25
What is Explicit Deny?
If a single permissions policy includes a denied action, AWS denies the entire request and stops evaluating.
26
What is Denied by default
AWS property that by default, all requests are denied.
27
When does AWS accept a request?
If the action is allowed in the permissions policy, with no other policy denying it
28
An _________ in any policy overrides any allows.
explicit deny
29
If one or more of ________ policy types exists, they must all allow the request. Otherwise, it is ___________
  1. Organizations' SCP (Service Control Policies)
  2. IAM Permissions boundary
  3. Session Policy
Implicitly denied
30
What is Organizations' SCP
AWS Organizations service control policy (SCP) defines the maximum permissions for account members of an organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.
31
What is IAM Permission boundary
IAM Permission Boundary for AWS Entities is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. It does not grant permissions.
32
An entity's permissions boundary allows it to perform only the actions that are allowed by _______________
identity-based policies and its permissions boundaries.
33
What is a Session Policy
A session policy is an inline permissions policy which users pass in the session when they assume the role.
34
What is Federating existing users
If the users in your organization already have a way to be authenticated, such as by signing in to your corporate network, you don't have to create separate IAM users for them. Instead, you can federate those user identities into AWS.
35
How to Federate users when you have identities in your corporate directory that is compatible with Security Assertion Markup Language 2.0 (SAML2.0)
If your corporate directory is compatible with SAML 2.0, you can configure your corporate directory to provide single sign-on (SSO) access to the AWS Management Console for your users.
36
How to Federate users when you have identities in your corporate directory that is NOT compatible with Security Assertion Markup Language 2.0 (SAML2.0)
If your corporate directory is not compatible with SAML 2.0, you can create an identity broker application to provide single sign-on (SSO) access to the AWS Management Console for your users.
37
How to Federate users when you have identities if your corporate directory is Microsoft Active Directory?
If your corporate directory is Microsoft Active Directory, you can use AWS Directory Service to establish trust between your corporate directory and your AWS account.
38
What are principal entities?
A principal entity is a person or application that is authenticated using an IAM entity (user or role)
39
_________ is often referred to as authorization.
Access management
40
You manage access in AWS by _________
creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources.
41
What is a policy?
A policy is an AWS Object that, when associated to a
42
_______ in the policies determine whether the request is allowed or denied.
Permissions
43
IAM users are ________ in the service.
identities
44
You give permissions to a user by creating an ________, which is a policy that is attached to the user or a group to which the user belongs
identity-based policy
45
You can organize IAM users into _______
IAM groups
46
________ don't have permanent identities in your AWS account the way that IAM users do.
Federated users
47
To assign permissions to federated users, you can create an entity referred to as a ______ and define permissions for that
role
48
What are Identity-based policies
Identity-based policies are permissions policies (managed or inline) that you attach to an IAM identity, such as an IAM user, group, or role. They grant permissions to an identity.
49
What are Resource-based policies
Resource-based policies are permissions policies (inline) that you attach to a resource such as an Amazon S3 bucket (bucket policies) or an IAM role trust policy. Resource-based policies grant permissions to the principal that is specified in the policy.
50
What actions do identity-based policies control?
Identity-based policies control what actions the identity can perform, on which resources, and under what conditions
51
What actions do resource-based policies control?
Resource-based policies control what actions a specified principal can perform on that resource and under what conditions.
52
Identity-based policies can be further categorized:
  1. Managed Policies
  2. Inline Policies
53
What are Managed Policies?
Standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account.
54
Types of Managed Policies:
  1. AWS Managed Policies
  2. Customer Managed Policies
55
What are AWS Managed Policies
Managed policies that are created and managed by AWS
56
What are Customer managed policies
Managed policies that you create and manage in your AWS account
57
What are Inline Policies?
Policies that you create and manage and that are embedded directly into a single user, group, or role. There is a strict 1:1 relationship between the entity and the policy.
58
Resource-based policies are _______ policies, and there are no ______ policies.
inline policies; managed resource-based
59
To enable cross-account access, you can specify an entire account or IAM entities in another account as the ______ in a resource-based policy.
principal
60
The IAM service supports only one type of resource-based policy called a _____, which is attached to an IAM ____
role trust policy; role
61
IAM role is both _________ and ___________
an identity and a resource
62
______ define which principal entities (accounts, users, roles, and federated users) can assume the role.
Trust policies
63
ABAC Full form
Attribute-based access control (ABAC)
64
What is ABAC for AWS?
Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes.
65
In AWS ABAC, these attributes are called _______
tags
66
How do ABAC policies allow operations?
The ABAC policies can be designed to allow operations when the principal's tag matches the resource tag.
67
RBAC Stands for
role-based access control
68
The traditional authorization model used in IAM is called _________
role-based access control (RBAC).
69
______ defines permissions based on a person's job function, known outside of AWS as a _____.
RBAC ; role
70
What is disadvantage to using the traditional RBAC model
The disadvantage to using the traditional RBAC model is that when employees add new resources, you must update policies to allow access to those resources.
71
Advantages of ABAC model over RBAC model
  1. ABAC permissions scale with innovation.
  2. ABAC requires fewer permissions.
  3. Using ABAC, teams can change quickly.
  4. Granular permissions are possible with ABAC.
  5. Use employee attributes (metadata on tags) from your corporate directory with ABAC.
72
How do ABAC permissions scale with innovation?
It's no longer necessary for an administrator to update existing policies to allow access to new resources - rather new resources are updated with tags.
73
AWS enables temporary access through _______ with your corporate directory.
identity federation
74
Each IAM user is associated with ______ AWS accounts
only one
75
To change a user's name or path, you must use the __________ . There is no option in the ______to rename a user
AWS CLI, Tools for Windows PowerShell, or AWS API; Console
76
IAM __________ reviews your AWS________ and generates a policy template that contains the permissions that have been used by the entity in your specified date range.
Access Analyzer; CloudTrail logs
77
________ are long-term credentials for an IAM user or the AWS account root user.
Access keys
78
You can have a maximum of ____ access keys.
two
79
The account password policy does not apply to the _______ credentials.
root user
80
What is a credential report
You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices.
81
A role does not have ________ credentials
standard long-term
82
When you assume a role, it provides you with __________ for your role session.
temporary security credentials
83
An IAM role has some similarities to an ______
IAM user
84
Instead of being uniquely associated with one person, a role is intended to be ___________
assumable by anyone who needs it
85
What is AWS service role
A role that a service assumes to perform actions on your behalf
86
You must define a _____ for the service to assume.
role
87
Service roles provide access only within your account and cannot be used to grant _______
access to services in other accounts.
88
________ is a special type of service role that an application running on an Amazon EC2 instance can assume to perform actions in your account
AWS service role for an EC2 instance
89
AWS service role for an EC2 instance is assigned when ___________
EC2 instance is launched.
90
With AWS Service role for an EC2 instance, an application can __________
retrieve temporary security credentials to perform actions that the role allows.
91
What is AWS service-linked role
A unique type of service role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
92
service role vs service-linked role
Service role: you must define the role a service must assume (dev, admin, etc.).
Service-linked role: service-linked roles are pre-defined by the service.
93
Role chaining
Role chaining occurs when you use a role to assume a second role through AWS CLI or API
94
Role chaining example
  1. User1 assumes Role-A and Role-B.
  2. Role-A assumes Role-B.
  3. User1 assumes Role-A by using User1's long-term credentials, and Role-A returns Role-A short-term credentials.
  4. To engage in role chaining, User1 uses Role-A's short-term credentials to assume Role-B.
95
How does a user enable/engage role chaining when assuming a role?
When a user assumes a role, the user can pass the session tag and set the tag to 'Transitive'. These transitive session tags are passed to all subsequent sessions in a role chain.
96
Role chaining limits your AWS CLI or API role session to _______
Maximum of one hour.
97
What happens if you assume a role using role chaining and provide a DurationSeconds parameter value greater than one hour?
The operation fails.
98
What is delegation?
The granting of permissions to someone to allow access to resources that you control.
99
Delegation involves setting up __________
Trust between two accounts.
100
In delegation, the trusted and trusting accounts can be any one of the following:
  1. Both belong to the same account
  2. Both belong to the same organization
  3. Two accounts owned by two different organizations
101
To delegate permissions to access a resource, you need to set up an IAM role in the trusting account with _________ and __________ policies attached.
Permission policy and trust policy
102
What is permission policy?
Permission policy grants the user of the role the needed permissions to carry out the intended tasks on the resource.
103
What is trust policy?
Trust policy defines which trusted account members are allowed to assume the role
104
When you create a trust policy, you cannot specify * as a ____________
principal.
105
__________ policy is attached to the trusting account and _____ policy is attached to the trusted account
Trust policy, Permissions policy
106
How does delegation happen once the role is ready to be assumed?
The user assuming a role, temporarily gives up their permissions and instead takes on the permissions from their role. When the user exits and stops using the role, the original permissions are restored.
107
In delegation, the __________ parameter helps with the secure use of roles between accounts that are not controlled by the same organization
ExternalId
108
Users can sign in to a web identity provider, such as Login with Amazon, Facebook, Google, or any IdP that is compatible with ____________
OpenID Connect (OIDC)
109
A role trust policy is a required _____________ that is attached to a role in IAM
resource-based policy
110
________ are the primary way to grant cross-account access. However, some AWS services allow you to attach a ______ directly to a resource and are called ____________, and you can use them to grant principals in another AWS account access to the resource.
Roles; policy; resource-based policies
111
With a resource that is accessed through a ___________, the principal still works in the trusted account and does not have to give up his or her permissions to receive the role permissions.
resource-based policy
112
You can use the_________ to create and provide trusted users with temporary security credentials that can control access to your AWS resources.
AWS Security Token Service (AWS STS)
113
What are the advantages of using Temporary security credentials?
  1. You don't have to distribute or embed long-term security credentials within an application.
  2. You can provide access to your AWS resources to users without having to define an identity for them.
  3. You don't have to rotate or explicitly revoke the credentials, as they expire automatically after a specific period.
114
Temporary credentials are the basis for _______ and ________ identities
roles and identity federation.
115
By default, AWS STS is a ____ service with a ______ at https://sts.amazonaws.com.
global; single endpoint
116
Temporary credentials are useful in scenarios that involve ___________
identity federation, delegation, cross-account access, and IAM roles.
117
AWS recommends using _______ AWS STS endpoints instead of the global endpoint to ____________
Regional; reduce latency, build in redundancy, and increase session token validity.
118
IAM and AWS STS are integrated with AWS _____, a service that provides a record of actions taken by an IAM user or role.
CloudTrail
119
If you create a trail, you can enable continuous delivery of CloudTrail events to an ________
Amazon S3 bucket.
120
If you don't configure a trail, you can still view the most recent events in the CloudTrail console in _________
Event history.
121
Types of policies:
6 types of policies:
  1. Identity-based policies
  2. Resource-based policies
  3. Permissions boundaries
  4. Organizations' SCP (Service Control Policy)
  5. ACLs
  6. Session policies
122
Permissions boundaries do not define the maximum permissions that a _________ can grant to an entity.
resource-based policy
123
What are ACLs?
ACLs control which principals in other accounts can access the resource to which the ACL is attached.
124
ACLs are similar to _________ policies
resource-based
125
____________ are the only policy type that does not use the JSON policy document structure.
ACLs
126
When are ACLs used?
ACLs are cross-account permissions policies that grant permissions to the specified principal. ACLs cannot grant permissions to entities within the same account.
127
What are session policies?
Pass advanced session policies when you use the AWS CLI or AWS API to assume a role or a federated user. Session policies limit permissions for a created session, but do not grant permissions.
128
Session policies limit the permissions that the___________ grant to the session.
role or user's identity-based policies