Identity and Access Management Flashcards

1
Q

What is IAM?

A
  • Identity and Access Management
  • A web service that helps you securely control access to AWS resources
  • IAM is used to control who is authenticated and authorized to use resources
2
Q

What main credential is used for an AWS root account?

A

The email address used to create the account and the password

3
Q

What is an ARN?

A

Amazon Resource Name - associated with users and groups

4
Q

What IAM entity can be used to delegate permissions?

A

Role - can provide permissions to resources for users and services without using permanent credentials

5
Q

What can IAM be used to manage?

A
  • Users
  • Groups
  • Roles
  • User credentials
  • User password policies
  • Multi-factor authentication (MFA)
  • API keys for programmatic access (CLI)
6
Q

What features does IAM provide?

A
  • Shared access to your AWS account
  • Granular permissions
  • Secure access to AWS resources for applications that run on Amazon EC2
  • Multi-factor authentication
  • Identity federation
  • Identity information for assurance
  • PCI DSS compliance
  • Integrated with many AWS services
  • Free to use
  • Consistent
7
Q

What ways can you work with IAM?

A
  • AWS Management Console
  • AWS Command Line Tools
  • AWS SDKs
  • IAM HTTPS API
8
Q

What components does an IAM user have?

A
  • Username
  • Password
  • Permissions to access various resources
9
Q

What is a user?

A
  • Individual accounts you log in with that represent a person or service
  • Users have NO permissions by default
  • Can be assigned an access key ID and secret access key for programmatic access to the AWS API, CLI, SDK and other tools
  • Can be assigned a password for access to the management console
  • You can have up to 5,000 users per AWS account
  • Each user account has a friendly name and an ARN which uniquely identifies the user across AWS
10
Q

What is a group?

A
  • Groups are collections of users and have policies attached to them
  • A group is not an identity and cannot be identified as a principal in an IAM policy
  • Groups are used to assign permissions to users
  • Groups cannot be nested within other groups
11
Q

What are roles?

A
  • Roles are used for delegating permissions and are assumed by services
  • Roles allow you to delegate permissions to resources for users and services without using permanent credentials
  • IAM users or services can assume a role to obtain temporary security credentials to make AWS API calls (temporary credentials will automatically expire)
  • There are no credentials associated with roles
12
Q

How can an IAM role work with EC2 instances?

A
  • IAM roles can be used for granting applications running on EC2 permissions to make AWS API requests, using instance profiles
  • Only one role can be assigned to an EC2 instance at a time
  • A role can be assigned when an EC2 instance is created or anytime after
  • Applications retrieve temporary security credentials from the instance metadata
13
Q

How does role delegation work?

A
  • A role can be created with two policies:
    • Permissions policy - grants the user the required permissions on a resource
    • Trust policy - specifies the trusted accounts that are allowed to assume the role
  • Wildcards (*) cannot be specified as a principal
  • A permissions policy must also be attached to the user in the trusted account
14
Q

What is a policy?

A
  • Policies define permissions and can be applied to users, groups and roles
  • Policies are written in JSON format
  • The Condition element can be used to apply further conditional logic to the policy
15
Q

What is an SCP?

A
  • Service Control Policies are features of AWS Organizations
  • SCPs control the maximum available permissions in an AWS account (The permissions you’re allowed to grant)
  • SCPs do not grant permissions
16
Q

What are some IAM Best Practices?

A
  • Lock away your AWS account root user access keys
  • Create individual IAM users
  • Use groups to assign permissions to IAM users
  • Grant least privilege
  • Get started using permissions with AWS managed policies
  • Use customer managed policies instead of inline policies
  • Use access levels to review IAM permissions
  • Configure a strong password policy for your users
  • Enable MFA
  • Use roles for applications that run on Amazon EC2 instances
  • Use roles to delegate permissions
  • Do not share access keys
  • Rotate credentials regularly
  • Remove unnecessary credentials
  • Use policy conditions for extra security
  • Monitor activity in your AWS account
17
Q

What is AWS STS?

A
  • AWS Security Token Service
  • Enables you to request temporary limited-privilege credentials for IAM users or for users that you authenticate (federated users)
18
Q

What are the differences between temporary security credentials and long-term access key credentials?

A
  • Temporary credentials are short-term (can be anywhere from a few minutes to several hours)
  • After temporary credentials expire, AWS no longer recognizes them or allows any kind of access to API requests made by them
  • Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested
  • When the temporary security credentials expire, the user can request new credentials, if the user requesting them still has permission to do so
19
Q

What are the advantages of STS?

A
  • Do not have to distribute or embed long-term AWS security credentials with an application
  • You can provide access to your AWS resources to users without having to define an AWS identity for them
  • The temporary security credentials have a limited lifetime, so you do not have to rotate them or explicitly revoke them when they’re no longer needed
  • After expiration, they cannot be reused
20
Q

What 3 sources can users come from?

A
  • Federation (typically AD)
    - Uses SAML 2.0
    - Grants temporary access based on the user's AD credentials
    - Does not need to be a user in IAM
    - Single sign-on allows users to log in to the AWS console without assigning IAM credentials
  • Federation with Mobile Apps
    - Facebook/Amazon/Google or other OpenID providers are used to log in
  • Cross Account Access
    - Allows users from one AWS account to access resources in another
    - To make a request in a different account the resource in that account must have an attached resource-based policy with the permissions you need
    - Or you must assume a role (identity-based policy) within that account with the permissions you need
21
Q

An access key ID and secret access key are associated with which IAM entity?

A

User

22
Q

What is the main credential for an AWS root account?

A

The email address used to create the account

23
Q

Which IAM entity can be used to delegate permissions?

A

Role