IAM: Identity and Access Management Flashcards
(29 cards)
What AWS service is used to create and manage permissions for users, groups, and roles?
Identity and Access Management (IAM)
What are Identity Policies?
Identity Policies are rules that can be attached to an identity and grant or deny access to AWS resources.
When Identity Policy statements overlap, which statement takes precedence?
Explicit denies have the highest priority, then explicit allows, then implicit denies.
Why should you use a managed policy instead of an inline policy?
Managed policies are reusable, whereas inline policies have to be applied as lines of JSON to each individual identity. If you need to change part of that JSON, you would have to do it for each identity instead of just once in the managed policy.
When should you use inline policies?
For special or exceptional allow or deny cases on a small set of users.
What does an IAM user represent?
A human or application that needs to access resources within an AWS account.
What does an IAM group represent?
A collection of users that need the same permissions.
What does an IAM role represent?
A temporary grant of permissions to specified resources within an AWS account.
What scope and level of resilience does IAM have?
IAM is a global service with global resilience.
What type of credentials are used when accessing AWS resources via the command line interface (CLI)?
IAM Access Keys
How many access keys can a single IAM user have?
Two.
When can you download a secret access key for an IAM user?
Only when it is created.
Are IAM access keys mutable or immutable?
Immutable. A key cannot be changed; you must create a new key to replace it.
What are the two types of credentials that can be used to authenticate an IAM user?
Username/password and access keys.
What is the maximum number of IAM users an AWS account can have?
5,000.
What is the maximum number of groups an IAM user can be a member of?
10.
Can you log in as an IAM Group?
No.
Are IAM Policies attached to IAM Users, IAM Groups, or both?
Both.
Is there a default “All Users” group in IAM?
No.
How many levels deep can IAM Groups be nested?
Zero. IAM Groups cannot be nested.
What is the default limit for IAM Groups per AWS account?
300, but this can be increased by contacting AWS.
What types of IAM structures can Resource Policies reference: IAM Users, IAM Groups, or IAM Roles?
IAM Users and IAM Roles. A Resource Policy cannot reference an IAM Group. IAM Groups are not identities; they are just a collection of identities.
What is the difference between an IAM User and an IAM Role?
An IAM User represents a single principal (a person or an application) that has certain access rights to resources. An IAM Role is an identity that can be assumed to temporarily grant access rights for a short period of time.
What are the two types of policies that can be attached to an IAM Role?
A Trust Policy and a Permissions Policy.
The Trust Policy specifies what identities can assume the Role.
The Permissions Policy specifies what access to resources the Role has.