Which of the following are NOT IAM best practices? Choose all that apply.
1. Delete your root access key
2. Apply an IAM password policy
3. Follow the "Principle of Least Privilege"
4. Use Users to assign permissions
5. Don't create individual IAM users
6. Activate MFA on your Root Account
7. Create and use an IAM user with Admin privileges instead of the Root Account.
Use Users to assign permissions
Don't create individual IAM users
True or False
By default, any new IAM user you create in an AWS account is created with NO access to any AWS services.
True
What is the term used to describe this: "By default, any new IAM user you create in an AWS account is created with NO access to any AWS services."
Implicit Deny Rule
What is IAM?
IAM is where you manage your AWS users, groups, and roles and their access to AWS accounts and services.
IAM provides access and access permissions to ....
AWS resources
IAM is a ...... service across all AWS regions; creating a user account applies to all the .....
global, regions
True or False
For all users (except the root user), permissions must be explicitly granted before they can access AWS services.
True
How do you grant access to AWS services?
Through attaching/associating IAM policies to the users or groups
How do you log into the console?
Username and password associated with a user or root user
How do you log into the CLI and SDK?
Access keys or API keys
Is it possible to change/customize the user sign-in link?
Yes - at the top of the IAM page, you can click Customize to change the sign-in URL.
Can IAM users share their credentials with each other?
No - credentials should never be shared with each other. Each user should have their unique credentials.
What is a policy?
A policy is a document that formally states one or more permissions. It's a JSON document.
What is the default setting for policies?
By default, all permissions are implicitly denied.
An ____ ___ always overrides an _____ ___
explicit deny, explicit allow
IAM provides pre-built policy templates to assign to users and groups. What are some policy templates?
1. Administrator access: full access to ALL AWS resources
2. Power user access: Admin access except it does not allow user/group management
3. Read only access: Only view AWS resources
What is a visual editor?
Using the visual editor, you can create custom IAM permission policies.
Can more than one policy be attached to a user, group, or role at the same time?
Yes, more than one policy can be attached to a user or group at the same time.
True or False:
Policies can be directly attached to AWS resources.
False, policies cannot be directly attached to AWS resources.
What is a condition used in IAM policies?
The Condition element (or Condition block) lets you specify conditions for when a policy is in effect. For example, you can specify that only users from certain IP addresses can access the resource.
What is the default setting for IAM User permission?
When first created, an IAM User has an implicit deny for all AWS services by default, and does not have access to use them until a policy granting access has been applied to the user or to a group the user belongs to.
True or False
IAM users receive unique access credentials, so they should not be shared with others.
True
What should you never do with user credentials?
User credentials should NEVER be stored on or passed to an EC2 instance.
Can MFA be configured on a per-user basis for login and for resource access/actions?
Yes, MFA can be configured on a per-user basis for login and for resource access/actions.
What is the programmatic access used for? What do you need to provide the users for programmatic access?
Programmatic access is used to log into the Command Line Interface or Software Development Kit. You need to provide the users with Access Keys.
What do users need to access the AWS Management Console?
Users need to have a link, username and password to access the console.
* You can autogenerate the password, or create one yourself and provide it to the user.
How many times can you view the secret access key?
ONLY once, so after the secret access key is generated, download the keys before moving on to the next screen.
What is an ARN?
An Amazon Resource Name (ARN) uniquely identifies AWS resources.
Each user receives a unique ARN.
True
What is an INLINE policy?
An inline policy is used to create a unique policy for a specific user.
What is the maximum number of access keys an IAM user can have?
A maximum of 2 access keys, which allows you to manually rotate and activate an access key.
What allows you to assign IAM permission policies to more than one user at a time?
IAM Groups - this ability allows for easier access management to AWS resources.
What is an IAM Role?
A role is something that another entity (AWS Services, IAM Users, or Groups in same or different AWS account, Federated Users) can "assume", and acquire temporary permissions defined by the role.
Why must roles be used?
Roles must be used because policies cannot be directly attached to AWS services.
What is a Trust Policy?
Trust policy defines the entities that have permission to assume the role.
If you are using an EC2 instance and it needs to access an S3 bucket, then what do you do?
1. Instance should assume a role from IAM with the proper required permissions (S3 read-only)
2. Instance can then perform actions based on the role it assumes.
3. You can associate a role with an instance before or after launch. The user must have the PassRole permission.
4. An EC2 instance can only have ONE role attached at a time.
What are API access keys?
API Access Keys are used to sign programmatic requests to AWS.
When are access keys used?
Access keys are required to make calls to AWS from the CLI, PowerShell, SDKs and direct HTTP calls.
When you create a new user or reissue a new set of keys, how many times are the keys available to view?
API keys are only available ONE time.
True or False:
AWS will regenerate the same set of access keys.
False - AWS will not generate the same set of access keys.
Do roles have API credentials?
No - roles do not have API credentials, and their access keys do not have to be manually rotated.
If you need new API credentials, then what should you do?
Deactivate the current set of keys, and generate a new one.
What is STS?
STS (Security Token Service) allows you to create temporary security credentials that grant trusted users access to your AWS resources.
These temporary credentials are for short term use, with a configurable session duration between 15 minutes and 12 or 36 hours.
Once expired, they can no longer be used to access your AWS resources.
When you request through an STS API call, what credentials do you receive in return?
* Session Token
* An Access Key ID
* A Secret Access Key
* Expiration Timestamp
What are the benefits of using STS service?
* Avoid distributing or embedding long-term AWS security credentials in an application.
* Grant access to AWS resources without having to create an IAM user.
* Since the credentials are temporary, you don't have to manually rotate or revoke them.
When should you use STS?
* Identity Federation
* Roles for Cross-Account Access
* Roles for Amazon EC2
What are the STS API calls?
* Assume Role
* Assume Role With Web Identity
* Assume Role with SAML
* Get Federation Token
* Get Session Token
What is the difference between Assume Role and Get Token?
Assume Role - obtain the permission policy associated with a role
Get Token - obtain credentials for a specific IAM user and use the permissions of that IAM user
What is Identity Federation?
It is a way of authenticating users or applications outside of the AWS IAM users and groups process.
What is AWS Organizations?
Manage Multiple Accounts
Allows you to create a root/master account and invite other accounts to join your organization under it; you can then apply service control policies to control what those accounts can do.
How does the AWS Organizations allow you to manage multiple accounts?
Through IAM Policy Management and Consolidated Billing.