Identity and Access Management Flashcards
1
Q
What is IAM?
A
- Identity and Access Management
- A web service that helps you securely control access to AWS resources
- IAM is used to control who is authenticated and authorized to use resources
2
Q
What main credential is used for an AWS root account?
A
The email address used to create the account and the password
3
Q
What is an ARN?
A
Amazon Resource Name - associated with users and groups
4
Q
What IAM entity can be used to delegate permissions?
A
Role - can provide permissions to resources for users and services without using permanent credentials
5
Q
What can IAM be used to manage?
A
- Users
- Groups
- Roles
- User credentials
- User password policies
- Multi-factor authentication (MFA)
- API keys for programmatic access (CLI)
6
Q
What features does IAM provide?
A
- Shared access to your AWS account
- Granular permissions
- Secure access to AWS resources for applications that run on Amazon EC2
- Multi-factor authentication
- Identity federation
- Identity information for assurance
- PCI DSS compliance
- Integrated with many AWS services
- Free to use
- Consistent
7
Q
What ways can you work with IAM?
A
- AWS Management Console
- AWS Command Line Tools
- AWS SDKs
- IAM HTTPS API
8
Q
What components does an IAM user have?
A
- Username
- Password
- Permissions to access various resources
9
Q
What is a user?
A
- Individual accounts you log in with that represent a person or service
- Users have NO permissions by default
- Can be assigned an access key ID and secret access key for programmatic access to the AWS API, CLI, SDK and other tools
- Can be assigned a password for access to the Management Console
- You can have up to 5,000 users per AWS account
- Each user account has a friendly name and an ARN which uniquely identifies the user across AWS
10
Q
What is a group?
A
- Groups are collections of users and have policies attached to them
- A group is not an identity and cannot be identified as a principal in an IAM policy
- Groups are used to assign permissions to users
- Groups cannot be nested within other groups
11
Q
What are roles?
A
- Roles are used for delegating permissions and are assumed by services
- Roles allow you to delegate permissions to resources for users and services without using permanent credentials
- IAM users or services can assume a role to obtain temporary security credentials to make AWS API calls (temporary credentials will automatically expire)
- There are no credentials associated with roles
12
Q
How can an IAM role work with EC2 instances?
A
- IAM roles can be used to grant applications running on EC2 permission to make AWS API requests, using instance profiles
- Only one role can be assigned to an EC2 instance at a time
- A role can be assigned when an EC2 instance is created or anytime after
- Applications retrieve temporary security credentials from the instance metadata
13
Q
How does role delegation work?
A
- A role can be created with two policies:
  - Permissions policy - grants the user the required permissions on a resource
  - Trust policy - specifies the trusted accounts that are allowed to assume the role
- Wildcards (*) cannot be specified as a principal
- A permissions policy must also be attached to the user in the trusted account
14
Q
What is a policy?
A
- Policies define permissions and can be applied to users, groups and roles
- Policies are written in JSON format
- The Condition element can be used to apply further conditional logic to the policy
15
Q
What is an SCP?
A
- Service Control Policies are features of AWS Organizations
- SCPs control the maximum available permissions in an AWS account (The permissions you’re allowed to grant)
- SCPs do not grant permissions