IAM - Identity and Access Management

Question 1

Least-privileged access

Answer 1

AWS recommended security principle where users are granted only the minimum level of access needed to perform their job duties

Question 2

IAM default permissions

Answer 2

IAM identities start with no permissions on an AWS Account, but can be granted permissions (almost) up to those held by the Account Root User.

Question 3

Types of IAM identity objects

Answer 3

1 - Users: represent humans or applications that need access to the AWS account
2 - Groups: collection of related users. e.g. dev team, finance or HR
3 - Roles: can be used by AWS Services, or for granting external access to an AWS account

Question 4

IAM Policy

Answer 4

Allow or deny access to AWS services, when and only when they are attached to IAM Users, Groups or Roles

Question 5

IAM 3 main jobs

Answer 5

1 - Identity Provider (IDP): create, modify and delete identities
2 - Identity Authenticator: authenticates the principal
3 - Identity Authoriser: allow or deny access to resources based on the Policy attached to the identity

Question 6

IAM basics

Answer 6

• No costs for creating Users, Groups or Roles
• Global service / Global resilience (can cope with AWS infrastructure failures)
• Allow or deny its identities on its AWS account
• No direct control over external accounts or users
• Identity Federation and MFA