IAM and AWS CLI Flashcards
(13 cards)
Can groups contain other groups?
No
What are policies?
JSON documents that define permissions of users
What is an account alias?
Allows a custom sign-in URL for users
What are tags?
Optional key-value pairs that you can add to AWS resources to help identify/organise/search for resources (e.g. Key = Department, Value = Engineering)
What is an inline policy?
Policy that is only attached to a user
AWS password policies
Can set up a policy for minimum password length, specific character types, allowing IAM users to change their own passwords, password expiration, preventing password reuse, MFA
AWS MFA options
Virtual MFA device (e.g. Google Authenticator), U2F security key (e.g. YubiKey), Hardware Key Fob, or Hardware Key Fob MFA for AWS GovCloud (USA)
3 ways to access AWS
- AWS Management Console (protected by password)
- AWS CLI (protected by access keys)
- AWS SDK (protected by access keys)
What does aws configure do?
Allows you to configure your AWS CLI (e.g. add access keys, region)
What are IAM roles?
Used to assign permissions to AWS services (e.g. create an IAM role for an EC2 instance); gives AWS services permission to perform actions on AWS
What is AWS CloudShell?
Terminal in the cloud, available online in AWS; you can download files from it (only available in some regions)
IAM security tools
- IAM Credentials Report (account-level) - lists all your account’s users and the status of their various credentials
- IAM Access Advisor/LastAccess (user-level) - Shows service permissions granted to a user and when those services were last accessed
IAM best practices
- Don't use the root account except for AWS account setup
- One physical user = one AWS user
- Assign users to groups and assign permissions to groups
- Strong password policy
- Use and enforce MFA
- Create and use roles for giving permissions to AWS services
- Use access keys for CLI / SDK
- Audit permissions using IAM Credentials Report and AccessAdvisor/LastAccess