IAM

Question 1

ARNs

Answer 1

Amazon Resource Names
- uniquely identify resources

Starts with:

arn: partition:service:region:account_id:
ex: arn:aws:rds:us-east1:123456789012:

Can ends with:

• resource
• resource_type/resource
• resource_type/resource/qualifier
• resource_type:resource
• resource_type:resource:qualifier

Question 2

What does :: mean in an ARN?

Answer 2

region omitted

- only works when the service doesn’t require a region, like IAM

Question 3

What does * mean within an ARN?

Answer 3

wildcard

- for example, to denote all instances within a region

Question 4

IAM policies

Answer 4

• ** If not explicitly allowed, it is implicitly denied
• JSON doc that defines permissions
• identity policies
• resource policies
• have no effect until applied to a group or user account
• a policy doc is a list of statements that match an AWS API request

Question 5

Permission Boundaries

Answer 5

• used to delegate administration to other users

- prevent privilege escalation or unnecessarily broad permissions

Question 6

Permission Boundaries Use Cases

Answer 6

• developers creating roles for lambda functions
• application owners creating roles for EC2 instances
• admins creating ad-hoc users