Module 2 - Account Security Flashcards
(45 cards)
What is AWS IAM?
AWS Identity & Access Management, a web service that helps you securely control access to AWS resources.
What is an IAM user? How many can you have per AWS account?
An entity that allows people to sign in to the Management Console (or CLI) to make requests. These exist within one AWS account but each has its own credentials.
5000 users per account max.
What do you need to access the Management Console or CLI?
A user with a username and password, and up to 2 access keys.
How do you grant permissions to an IAM user? E.g. I need to give a dev access to a resource. How would I go about doing that?
- Make it a member of a user group that has appropriate permission policies attached. (This is the recommended method.)
- Attach policies to the user
- Clone the permissions of an existing IAM user, which automatically makes the new user a member of the same user groups and attaches all the same policies
What is a security principal?
An entity that can request an action or operation on an AWS resource, e.g. IAM user. It can also be a service or an identity outside of AWS (such as Google login).
What is a root user?
The user with complete access to services and resources. NOT for day-to-day operations. This account cannot be restricted.
What is the principle of least privilege?
Grant users only the level of access they require and nothing more.
How do you manage access in AWS, broadly?
You create policies and attach them to users, groups of users, roles, or to specific services.
Note: a group is not an identity itself and cannot be a principal in a policy.
How are most policies stored in AWS? I.e. what format?
As JSON.
What is a federated user?
An external identity that does not have an AWS account. You assign it a role to grant temporary access.
When do you need an access key ID and secret access key?
When you need programmatic access, such as API calls or using the CLI. If you are just using the Management Console then you only need a username and password.
Why might you use the AWS CLI?
You can control multiple AWS services from the command line and automate them through scripts.
What is an IAM role?
A way to deliver temporary credentials. Users can assume a role without sharing credentials, and permissions are only valid when operating under that role. Like limited sudo access to AWS.
Commonly used to allow EC2 instances or Lambda to call services on your behalf.
How do you assume an IAM role? How is access granted when you assume a role?
Use the console or CLI and use the AssumeRole API. This calls AWS Security Token Service (AWS STS) which provides a temporary access key ID, a secret access key, and a security token. Then you use those credentials to access resources.
What are the different policy types? There are 4.
- Identity-based policies – attached to users, groups, and roles.
- Resource-based policies – e.g. Amazon S3 bucket policies and IAM role trust policies.
- AWS Organizations Service Control Policies (SCPs) – define the maximum permissions for account members of an organization or organizational unit (OU).
- IAM permissions boundaries – set the maximum permissions that an IAM entity can receive.
What is an identity-based policy?
A document that controls what actions a user can perform, on what resources, under what conditions.
What kinds of identity-based policies are there?
Managed: standalone policies that you attach to multiple users/groups/roles, managed by AWS or the customer.
Inline: Policies that you add directly to a single user, group, or role. These maintain a strict one-to-one relationship between a policy and an identity.
How does a resource-based policy work?
They grant the principal permission to do specific actions under specific circumstances. These are inline policies, never managed.
What is AWS KMS?
AWS Key Management Service. The main purpose is to store and manage encryption keys that encrypt your data outside of AWS KMS.
What is the difference between AWS KMS and Secrets Manager?
AWS Secrets Manager is an AWS service that encrypts and stores your secrets, and transparently decrypts and returns them to you in plaintext.
It’s designed especially to store application secrets, such as login credentials, that change periodically and should not be hard-coded or stored in plaintext in the application. In place of hard-coded credentials or table lookups, your application calls Secrets Manager.
Secrets Manager integrates with AWS Key Management Service (AWS KMS) to encrypt every version of every secret value with a unique data key that is protected by an AWS KMS key. This integration protects your secrets under encryption keys that never leave AWS KMS unencrypted.
Secrets Manager uses the plaintext data key and the Advanced Encryption Standard (AES) algorithm to encrypt the secret value outside of AWS KMS. It removes the plaintext key from memory as soon as possible after using it.
Which is better, inline or customer-managed policy?
An inline policy is one that you create and embed directly in an IAM group, user, or role.
Inline policies can’t be reused on other identities or managed outside of the identity where they exist.
As a best practice, use customer-managed policies instead of inline policies.
What is included in a policy? When you look at a policy JSON, what are the individual parts?
CARPE(S)
- Sid (statement ID, optional)
- Effect – Allow or Deny access.
- Principal (required in only some circumstances) – If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you want to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.
- Action – a list of allowed actions
- Resource (required only in some circumstances) – If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, this element is optional. If you do not include this element, the resource to which the action applies is the resource to which the policy is attached.
- Condition – Specify the circumstances.
What does this policy do?
{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Deny",
    "Action": [
      "dynamodb:*",
      "s3:*"
    ],
    "NotResource": [
      "arn:aws:dynamodb:region:account-number-without-hyphens:table/EXAMPLE-TABLE",
      "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
      "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
    ]
  } ]
}
Denies access to any resource in Amazon Simple Storage Service (Amazon S3) or Amazon DynamoDB, except for the three listed resources.
What does this policy do?
{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Action": [
      "ec2:StartInstances",
      "ec2:StopInstances"
    ],
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "StringEquals": {
        "ec2:ResourceTag/Owner": "${aws:username}"
      }
    }
  } ]
}
Grants the user permission to start and stop instances, only if the EC2 owner tag matches the username of the entity making the call.