IAM Flashcards
(31 cards)
What are Access Keys?
A pair of keys consisting of the Access Key ID and the Secret Access Key.
While the ID is open (like a username) and shared, the Secret can only be downloaded once.
Do the Access Keys expire?
No - but it is best practice to rotate keys.
How many Access Keys can a user have?
Two (regardless of whether they are active or inactive) - but you can always delete keys.
What is best practice to remove a key?
First set the key to inactive and check for any problems.
Then delete the key and create a new one.
What are the two “types” of policies and what are they attached/used for?
Identity policy: Given to a user or a group
Resource policy: Attached to a resource such as EC2
Describe the Attributes of a policy statement
Sid: Statement ID - What is the purpose?
Effect: What does the policy do? Allow / Deny
Action: Scope for the effect in terms of rights
Resource: What part of AWS is affected? (Service, S3 Bucket, DynamoDB table etc.)
Condition: Under what conditions does the policy take effect?
What would dynamodb:Delete* do?
Allow or deny everything under Delete*:
DeleteBackup, DeleteItem, DeleteTable
What would dynamodb:*Table do?
Allow or deny every action ending with Table, e.g. dynamodb:CreateGlobalTable
What is the difference between a Permission and a Trust Policy?
Permission: Like a normal policy for a user, gives permissions to the role
Trust: Defines who can assume the role (e.g. EC2)
Is it possible to give a role to resources in another account?
Yes, by specifying the account in the trust policy
Can you restrict permissions to the Master Account in an AWS Organization?
No.
Only for Member Accounts or Organizational Units
What are the ways to add an account into an AWS Organization?
Invite an existing account
Create a new account
Which service control policy allows access to all AWS services within an attached member account?
FullAWSAccess
Is the master account affected by a SCP set on the root?
No, the master account is not affected by a Service Control Policy.
AWS Organizations use Inverse Tree Architecture, which starts at the root and flows onto any member or organization unit below.
How can you restrict a root user of an Organization Unit(!!) account?
By creating and attaching a service control policy
How do you distinguish a policy item at bucket level from one at object level?
With the *
bucket: s3::bucketname
object: s3::bucketname/*
What does ec2:describe as an action do?
Gives read-only access to the EC2 instances
What are the four types of roles?
- Service Roles (allowing a service, e.g. EC2, to access other services)
- AWS Service-Linked Roles (very specific rules, for example for the Amazon Lex bot)
- Cross Access Roles (access for the trusted account to access the trusting account)
- Identity Provider (access for Web/SAML Identity Providers to access the services)
What are the two types of policies?
- Managed Policies (AWS managed & Customer managed)
- Inline Policies (directly attached to a group or user)
Can you change the role of a running EC2 instance?
No; an AMI should be created, and the new role should be assigned when launching from it
Organisations:
What are the four main functions of AWS Organisations?
- Centrally manage policies across multiple accounts
- Control access to the services
- Automate account creation
- Consolidate Billing across accounts
What are SCPs?
Service Control Policies
Created and managed in AWS Organisations, limit access across accounts.
Have precedence over IAM policies
What is an Identity-based policy?
Identity-based policies are JSON permissions policy documents that control what actions an identity (users, groups of users, and roles) can perform, on which resources, and under what conditions.
There are AWS managed and Customer managed policies
It’s also possible to attach the policy directly as an inline policy
What is a Resource-based policy?
Attached directly to the service (e.g. S3 bucket, DynamoDB table)
With resource-based policies, you can specify who has access to the resource and what actions they can perform on it.