Identity and Access Management (IAM) Flashcards

1
Q

What options can be defined in a password policy on AWS?

A
2
Q

What does IAM mean?

A

Identity Access Management Service

3
Q

How does IAM work?

A
4
Q

What are Principals?

A

A person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS. Principals include federated users and assumed roles.

  • Users
  • Roles
  • Federated Users
  • Applications
5
Q

What is the function of a REQUEST?

A

When a principal tries to use the AWS Management Console, the AWS API, or the AWS CLI, that principal sends a request to AWS.

6
Q

What is AUTHENTICATION?

A

A principal must be authenticated (signed in to AWS) using their credentials to send a request to AWS. Some services, such as Amazon S3 and AWS STS, allow a few requests from anonymous users. However, they are the exception to the rule.

7
Q

What are the AWS authentication types?

A
  • Console

To authenticate from the console as a root user, you must sign in with your email address and password.

As an IAM user, provide your account ID or alias, and then your user name and password.

  • API / AWS CLI / SDK

To authenticate from the API or AWS CLI, you must provide your access key and secret key.

8
Q

What information must a REQUEST contain?

A
  • Actions or operations

The actions or operations that the principal wants to perform. This can be an action in the AWS Management Console, or an operation in the AWS CLI or AWS API.

  • Resources

The AWS resource object upon which the actions or operations are performed.

  • Principal

The person or application that used an entity (user or role) to send the request. Information about the principal includes the policies that are associated with the entity that the principal used to sign in.

  • Environment data

Information about the IP address, user agent, SSL enabled status, or the time of day.

  • Resource data

Data related to the resource that is being requested. This can include information such as a DynamoDB table name or a tag on an Amazon EC2 instance.

9
Q

What are POLICIES for?

A

A policy is an object in AWS that, when associated with an identity or resource, defines their permissions.

When you create a permissions policy to restrict access to a resource, you can choose an identity-based policy or a resource-based policy.

10
Q

What types of POLICIES exist?

A
  • Identity-based
  • Resource-based
  • Permissions boundaries
  • Organizations SCPs
  • Access Control List (ACL)
  • Session policies
11
Q

What is an IDENTITY-BASED policy?

A

Identity-based policies grant permissions to an identity.

12
Q

What is a RESOURCE-BASED policy?

A

Resource-based policies grant permissions to the principal that is specified in the policy.

13
Q

What permissions does a USER have after being created?

A

None.

14
Q

What is the maximum number of USERS a GROUP can have?

What is the maximum number of GROUPS a USER can belong to?

A

5,000 USERS

10 GROUPS

15
Q

What permissions does a ROOT USER have?

A

Full Permissions.

16
Q

How do I authenticate a user via the AWS CLI / API?

A

You must use an access key and a secret key.

17
Q

What are the advantages of using MFA?

A

Multi-Factor Authentication (MFA) adds extra security because it requires users to provide unique authentication from an AWS supported MFA mechanism in addition to their regular sign-in credentials when they access AWS websites or services.

18
Q

What types of MFA can be used on AWS?

A
  • Virtual MFA devices.

A software app that runs on a phone or other device and emulates a physical device. The device generates a six-digit numeric code based upon a time-synchronized one-time password algorithm.

  • FIDO Security Key

A device that you plug into a USB port on your computer.

  • Hardware MFA device

A hardware device that generates a six-digit numeric code based upon a time-synchronized one-time password algorithm.

19
Q

What is AWS STS?

A

AWS Security Token Service (AWS STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users you authenticate (federated users).

20
Q

In what cases can temporary credentials be used?

A

Temporary credentials are used with identity federation, delegation, cross-account access and IAM roles.

21
Q

What does a temporary credential contain?

A
  • AccessKeyId
  • Expiration
  • SecretAccessKey
  • SessionToken
22
Q

What is an IAM Role?

A

An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.

23
Q

What is the difference between a Trust Policy and a Permission Policy in a Role?

A
  • Trust Policy

A JSON policy document in which you define the principals that you trust to assume the role.

  • Permission Policy

A permissions document in JSON format in which you define what actions and resources the role can use.

24
Q

What is the default Password Policy on AWS?

A
  • Minimum password length is 8 characters
  • Include a minimum of three of the following mix of character types: uppercase, lowercase, numbers, and ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
  • Must not be identical to your AWS account name or email address
25
Q

What is the difference between EXPLICIT and IMPLICIT DENIES?

A

A request results in an explicit deny if an applicable policy includes a Deny statement. If policies that apply to a request include an Allow statement and a Deny statement, the Deny statement trumps the Allow statement. The request is explicitly denied.

An implicit denial occurs when there is no applicable Deny statement but also no applicable Allow statement. Because an IAM principal is denied access by default, they must be explicitly allowed to perform an action. Otherwise, they are implicitly denied access.

26
Q

What is an INLINE POLICY?

A

An inline policy is a policy that’s embedded in an IAM identity (a user, group, or role). That is, the policy is an inherent part of the identity. You can create a policy and embed it in an identity, either when you create the identity or later.

27
Q

What is an AWS Managed Policy?

A

An AWS managed policy is a standalone policy that is created and administered by AWS.

AWS managed policies are designed to provide permissions for many common use cases.

You cannot change the permissions defined in AWS managed policies.

AWS occasionally updates the permissions defined in an AWS managed policy.

28
Q

What is a Customer Managed Policy?

A

You can create standalone policies that you administer in your own AWS account.

You can then attach the policies to multiple principal entities in your AWS account.

When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.

29
Q

What is a PERMISSION BOUNDARY?

A

A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity’s permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

30
Q

What is the main function of a PERMISSION BOUNDARY?

A

A permissions boundary prevents privilege escalation.

31
Q

How is it determined whether a request is ALLOW or DENY?

A
32
Q

How does Policy evaluation work?

A
33
Q

What is the syntax of a Policy (JSON)?

A
  • Effect: The effect can be Allow or Deny. By default, IAM users don’t have permission to use resources and API actions, so all requests are denied. An explicit allow overrides the default. An explicit deny overrides any allows.
  • Action: The action is the specific API action for which you are granting or denying permission.
  • Resource: The resource that’s affected by the action. Some Amazon EC2 API actions allow you to include specific resources in your policy that can be created or modified by the action. You specify a resource using an Amazon Resource Name (ARN) or using the wildcard (*) to indicate that the statement applies to all resources.
  • Condition: Conditions are optional. They can be used to control when your policy is in effect.
34
Q

What is the name of the tool used to test Policies?

A

IAM Policy Simulator