IAM Flashcards
This deck aims to help you retain concepts related to the AWS IAM service.
Which policies are attached to IAM identities (Users, User groups, or Roles) and grant permissions to an identity?
Identity-based policies
What types of identity-based policies are there?
- Managed policies (customer-managed, aws-managed)
- Inline policies
What type of identity-based managed policy is created and administered by you?
Customer-managed policy
What type of identity-based managed policy is created and managed by AWS?
Hint: it has an ARN that includes the policy name.
AWS-managed policy
What type of identity-based policy is created for a single IAM identity (a user, group, or role)?
Hint: it maintains a one-to-one relationship with the identity and is deleted when the identity is deleted.
Inline policy
Which policies are attached to resources (such as an S3 bucket or an IAM role trust policy) and grant permissions to the principal specified in the policy (principals can be in the same account as the resource or in other accounts)?
Resource-based policies
Which policy type uses a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity, but does not grant permissions itself?
Permissions boundary
Which policy type is used to limit the permissions that a role's or user's identity-based policies grant when the AWS CLI or AWS API is used to assume a role or create a federated user session, but does not grant permissions itself?
Session policy
Which type of cross-account permissions policy, which does not use the JSON policy document structure, is used to control which principals in other accounts can access the resource?
Access control lists (ACLs)
Which type of policy defines the maximum permissions for member accounts of an organization or organizational unit (OU), limiting the permissions that identity-based or resource-based policies grant to entities (users or roles) within those accounts, but does not grant permissions itself?
Service control policies (SCPs)
In which order are the “Effect” rules (Allow, Deny) applied when AWS processes policy statements?
- Explicit Deny (overrides all Allow effects)
- Explicit Allow (provides access to the listed resources)
- Implicit Deny (denies access by default)
What identity types are in AWS IAM?
Users, User groups, and Roles
Which identity type is used for long-term AWS access, representing an application, a person, or a service account?
User
What is the limit on the number of IAM groups IAM users can be members of?
Each IAM user can be a member of a maximum of 10 groups
What is the limit on the number of IAM users that can be created per account?
There is a limit of 5000 IAM users per account
Which IAM identities specify a collection of IAM users, primarily to simplify policy management for a large set of users?
User groups
Which IAM identities cannot be used to sign in and do not support nesting?
User groups
Which IAM identities cannot be referenced as principals in a resource-based policy?
User groups
What is the default limit for IAM User groups per account, which can be increased with a support ticket?
300 User groups
Which IAM identity is used to provide short-term access permissions to internal or external principals and can be referenced as a principal in resource-based policies?
Role
Which type of IAM policy defines which principals can assume the role and under which conditions?
Trust policy
Which type of IAM policy defines the specific permissions and actions that the IAM identity is allowed or denied within AWS services and resources?
Permissions policy (IAM policy)
Which two types of policies do IAM roles have attached?
Permissions policy and trust policy
Which type of IAM role is associated directly with an AWS service and includes all the permissions required to call other AWS services on your behalf?
Service-linked role