IAM Flashcards
(14 cards)
What is IAM?
Identity and Access Management: the AWS service that defines who (users, groups, roles) may perform which actions on which resources
Is it Global? Or region-specific?
It is a global service: users, groups, roles and policies are defined once for the whole account, not per region
What is main point of IAM?
Create users, organize them into groups, and attach permission policies to the groups (or directly to users and roles)
Group
A group is a collection of users. A user can belong to more than one group, but a group cannot contain another group
IAM Permission
Users and groups are assigned JSON documents called policies that state which actions are allowed or denied on which resources
IAM Policies inheritance
A policy attached to a group applies to every user in that group; a user in several groups gets the union of their policies. A user who needs permissions not covered by any group can have an inline policy attached directly to the user. Whatever the source of the policies, an explicit Deny in any of them overrides every Allow
IAM Policies Structure
A JSON document consisting of:
Version: the policy language version (use "2012-10-17", the current one)
Id: an identifier for the policy (optional)
Statement: one or more statements (required)
Each statement consists of:
Sid: an identifier for the statement (optional)
Effect: Allow or Deny
Principal: the account, user, role or service the statement applies to; it appears only in resource-based policies and role trust policies, not in identity-based policies attached to users, groups or roles (there the principal is the identity itself)
Action: the list of API actions the statement allows or denies
Resource: the list of resource ARNs the actions apply to
Condition: the circumstances under which the statement is in effect (optional)
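The policy structure and the inheritance rule in working form, as an added example that is not from the original cards or from AWS: a small Python simulator that combines a group policy with a user's inline policy and evaluates requests the way IAM does (explicit Deny beats Allow, nothing matching means implicit deny). The two policies, the bucket name app-assets and the account ID 123456789012 are constructed placeholders; Condition, NotAction/NotResource, resource-based policies and permission boundaries are deliberately left out of the simulation.

```python
"""Simulate IAM identity-based policy evaluation (added example, not AWS code).

Simplified on purpose: Condition, NotAction/NotResource, resource-based
policies and permission boundaries are not modelled. What it does show is
the rule that matters most in practice: a user's effective permissions are
the union of every policy attached to the user or their groups, and a
single explicit Deny overrides any number of Allows.
"""
from fnmatch import fnmatchcase

# Constructed policies in the structure described on the card. The bucket
# name and the account ID 123456789012 are placeholders.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DevelopersReadS3",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"],
        },
        {
            "Sid": "DenyDeleteAnyBucket",
            "Effect": "Deny",
            "Action": "s3:DeleteBucket",
            "Resource": "*",
        },
    ],
}

INLINE_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AliceFullS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

# alice is in the Developers group and also has an inline policy.
ALICE_POLICIES = [GROUP_POLICY, INLINE_USER_POLICY]


def _as_list(value):
    """Action and Resource accept either one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value, case_sensitive):
    """IAM wildcard matching: '*' is any run of characters, '?' one character.
    Action names match case-insensitively; resource ARNs match exactly."""
    for pattern in _as_list(patterns):
        if case_sensitive:
            hit = fnmatchcase(value, pattern)
        else:
            hit = fnmatchcase(value.lower(), pattern.lower())
        if hit:
            return True
    return False


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    Every statement in every policy is checked: a matching Deny ends the
    evaluation immediately, a matching Allow is remembered, and a request
    that no statement mentions is implicitly denied.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, case_sensitive=False):
                continue
            if not _matches(stmt["Resource"], resource, case_sensitive=True):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def alice_decisions():
    """Effective decisions for a few requests made by alice."""
    requests = {
        "read object": ("s3:GetObject", "arn:aws:s3:::app-assets/index.html"),
        "write object": ("s3:PutObject", "arn:aws:s3:::app-assets/index.html"),
        "delete bucket": ("s3:DeleteBucket", "arn:aws:s3:::app-assets"),
        "start instance": ("ec2:StartInstances",
                           "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"),
    }
    return {name: evaluate(ALICE_POLICIES, a, r) for name, (a, r) in requests.items()}


if __name__ == "__main__":
    for name, decision in alice_decisions().items():
        print(f"{name}: {decision}")
```

The "delete bucket" request is the instructive one: alice's inline policy grants s3:* on everything, yet the group's Deny statement still wins. Any real account should be checked with the IAM policy simulator rather than this toy, since it ignores conditions and resource-based policies.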
How can user access AWS?
AWS Management Console (password + MFA)
AWS CLI (access keys)
AWS SDK, from code (access keys)
What is the AWS CLI?
A tool that lets you interact with AWS services through commands in your shell; you can write scripts to manage resources
An alternative to the AWS Management Console
What is the AWS SDK?
A set of libraries that lets you access and manage AWS services programmatically (for example, import the library into your Python app to create an S3 bucket)
What is IAM Identity Center
The successor to AWS Single Sign-On (AWS SSO): one login, backed by your identity provider, for access across multiple AWS accounts and applications
IAM Role
Similar to an IAM user, but not used by a physical person: it is assumed by an AWS service or another trusted principal (for example, an EC2 instance needs a role to call other AWS services). A role has no long-lived credentials; whoever assumes it receives temporary credentials
IAM Security Tools
Two security tools are available:
IAM Credential Report (account-level): a downloadable CSV listing every user in the account and the status of their credentials (password, MFA, access keys)
IAM Access Advisor (user-level): shows the service permissions granted to a user and when the user last accessed each service, which makes unused permissions easy to spot and remove
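An added example, not from the original cards or from AWS, of putting the credential report to use: Python that decodes the JSON printed by `aws iam get-credential-report` (after `aws iam generate-credential-report`) and flags console passwords without MFA, root-account misuse, and active access keys that were never used or have gone stale. The embedded report rows, the account ID 123456789012 and the user names are constructed so the script runs offline; the header line is the real report's column list.

```python
"""Audit an IAM credential report (added example, not AWS code).

`aws iam generate-credential-report` builds the report; `aws iam
get-credential-report` returns JSON whose Content field is base64-encoded
CSV. The rows below are constructed for offline use; the header line is
the column list of the real report.
"""
import base64
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: fictitious users in fictitious account 123456789012.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2023-01-10T08:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-02-01T10:00:00+00:00,true,2024-05-20T07:30:00+00:00,2024-01-15T10:00:00+00:00,N/A,true,true,2024-01-15T10:05:00+00:00,2024-05-21T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-03-01T10:00:00+00:00,true,2024-05-19T11:00:00+00:00,2023-03-01T10:00:00+00:00,N/A,false,true,2023-03-01T10:01:00+00:00,2023-09-01T08:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2023-04-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-04-01T10:00:00+00:00,N/A,N/A,N/A,true,2024-04-01T10:00:00+00:00,2024-05-21T06:00:00+00:00,us-east-1,sts,false,N/A,false,N/A
"""

# Fixed "now" so the sample's findings are reproducible.
REPORT_TIME = datetime(2024, 6, 1, 12, tzinfo=timezone.utc)


def encoded_sample():
    """The sample in the shape `aws iam get-credential-report` prints it."""
    return json.dumps({
        "Content": base64.b64encode(SAMPLE_REPORT.encode()).decode(),
        "ReportFormat": "text/csv",
        "GeneratedTime": "2024-06-01T12:00:00+00:00",
    })


def load_report(cli_json):
    """Decode the CLI's JSON into the CSV text of the report."""
    return base64.b64decode(json.loads(cli_json)["Content"]).decode()


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean none."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(csv_text, now, max_unused_days=90):
    """Return (user, issue) pairs for the credential problems the cards warn about:
    console passwords without MFA, root without MFA or with access keys, and
    active access keys that were never used or not used within max_unused_days."""
    stale = timedelta(days=max_unused_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root-no-mfa"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "password-no-mfa"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, "root-access-key"))
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                findings.append((user, "key-never-used"))
            elif now - last_used > stale:
                findings.append((user, "key-stale"))
    return findings


if __name__ == "__main__":
    report = load_report(encoded_sample())
    for user, issue in audit(report, REPORT_TIME):
        print(f"{user}: {issue}")
```

Against a real account, replace `encoded_sample()` with the output of `aws iam get-credential-report` and `REPORT_TIME` with the current time. A "key-never-used" hit on an active key is a strong candidate for deletion; "key-stale" is a candidate for rotation or removal after checking with the owner.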
IAM Best Practices
Don't use the root account for day-to-day work; use it only to set up the AWS account
One physical person = one IAM user (no shared logins)
Put users in groups and attach permissions to the groups
Enforce a strong password policy
Enable MFA
Create and use roles for AWS services instead of giving them user credentials
Use access keys only for programmatic access (AWS CLI/SDK)
Never share IAM users or access keys