IAM 3

Question 1

ABAC

What is ABAC?

Answer 1

Access-based access control: make AuthZ decisions based on Tags

Question 2

ABAC

Why does ABAC scale so well?

Answer 2

Don’t modify tons of Role Policies when you add new things, just tag each resource.

Question 3

ABAC

Why is ABAC more flexible than RBAC?

Answer 3

A human with 5 roles just has 5 Tags on their IAM User – Policies grant from Tags.

Question 4

ABAC

How do I do ABAC when I federate from SAML, etc.?

Answer 4

Have the provider pass session tags with the identity – they are Tags in AWS.

Question 5

ABAC

How do you restrict what an IAM User can do if I tag the IAM User?

Answer 5

Use ${PrincipalTag/department} in Resources or Conditions

Question 6

AAA

What is “AAA” for security?

Answer 6

Authentication, Authorization, and Access control

Question 7

AAA

What is an example of Authentication?

Answer 7

Username + password, token from web federated login

Question 8

AAA

What is an example of Authorization?

Answer 8

IAM Policy

Question 9

AAA

What is Access control?

Answer 9

Higher-level concept including the other two parts of AAA

Question 10

AAA

Example of simplest Access Control?

Answer 10

Username, password, IAM Role

Question 11

AAA

Example of network Access Control?

Answer 11

NACLs in a VPC: no username, humans, or logins at all

Question 12

MFA

What are 4 types of MFA Factors?

Answer 12

Knowledge, posession, inherent, location

Question 13

MFA

Examples of MFA factor knowledge?

Answer 13

username, password, combination

Question 14

MFA

Examples of MFA factor posession?

Answer 14

Bank card, dongle, MFA phone app, yubikey

Question 15

MFA

Examples of MFA factor inherent?

Answer 15

Fingerprint, face, voice, iris

Question 16

MFA

Examples of MFA factor location?

Answer 16

physical GPS location, bluetooth pair, network (corp or wifi)

Question 17

MFA

Three types of MFA devices?

Answer 17

Physical, U2F key, virtual

Question 18

MFA

Example of a physical MFA device?

Answer 18

Gemalto token that generates numbers

Question 19

MFA

Example of a U2F key?

Answer 19

Yubikey that generates long string of alphanum

Question 20

MFA

Examples of virtual MFA device?

Answer 20

Google authenticator and Duo Mobile

Question 21

MFA

How does physical MFA tech work?

Answer 21

Key written on physical device, enter it on AWS conosle

Question 22

MFA

How does virtual MFA device work?

Answer 22

Scan QR code or enter Secret Key created by AWS on AWS Console

Question 23

MFA

MFA lost/stolen?

Answer 23

“Sign in using alternative factors”: verification email, AWS calls your registered phone number

Question 24

MFA

You login with a username and a password: 1fa/2fa/3fa?

Answer 24

1-factor: both user and pass are things you KNOW

Question 25

Permission Boundaries

What do Permission Boundaries apply to?

Answer 25

Only to Principals (Users or Roles), not Groups or Resource Policies.

Question 26

Permission Boundaries

Where do you create Boundry Policies?

Answer 26

Policies. Boundary Policies are just Policies.

Question 27

Permission Boundaries

What’s the use case for Permission Boundaries?

Answer 27

Delegating admin permissions: can alter other accts, can’t elevate yourself.

Question 28

Permission Boundaries

Permission Boundary grants you s3:GetObject, your User policies don’t deny it. Have it?

Answer 28

No: Permission Boundaries don’t grant anything, they define the edges of what you can have.