IAM
Identity and Access Management. It lets you create and manage users, groups, roles, and permissions to control who can do what in your AWS environment.
Root account
Default AWS account created with AWS setup; should not be used or shared.
Why shouldn't the root account be used?
It's a best practice to avoid using the root account because it has full, unrestricted access and cannot be limited—using it increases the risk of accidental or malicious changes.
User (IAM)
An individual identity in AWS with specific credentials (username, password, access keys) used to access and interact with AWS services.
Group (IAM)
A collection of users; cannot contain other groups.
Can users belong to multiple groups?
Yes, users can belong to multiple groups or none at all.
Why create users and groups in AWS?
To control access per person and assign permissions efficiently to a collection of people.
Policy (IAM)
JSON documents that define permissions for users or groups.
What principle should policies follow in AWS?
Least privilege—users get only the permissions they need.
What is IAM policy inheritance?
Users inherit policies attached to their group.
What are inline policies in IAM?
Policies attached directly to a single user, group, or role; they do not apply to others. They're used for one-to-one permission assignments.
What are the main components of an IAM policy?
Version, Id (optional), Statement(s).
What does an IAM policy Statement include?
Sid (optional), Effect (Allow/Deny), Principal, Action, Resource, Condition (optional).
What is the recommended version for IAM policies?
"2012-10-17"
What can AWS password policies enforce?
Minimum length, character types, password changes, expiration, reuse prevention.
What is MFA in AWS?
An extra layer of security that requires users to provide a second form of verification (like a code from a phone or hardware device) in addition to their password when signing in.
Why use MFA?
To enhance account security by requiring a second verification step, reducing the risk of unauthorized access.
What is a U2F security key?
A physical USB device used for two-factor authentication.
How can users access AWS?
AWS Management Console (password + MFA), AWS CLI (access keys), AWS SDK (access keys).
What are access keys in AWS?
A pair of credentials (Access Key ID and Secret Access Key) used by IAM users to programmatically access AWS services via the CLI, SDKs, or APIs.
How should access keys be treated?
As secrets; never share them.
What is the AWS CLI?
A command-line tool to interact with AWS services via public APIs. It is used to script and manage AWS resources as an alternative to the Console.
What is the AWS SDK?
A set of tools and libraries that enables developers to interact with AWS services using programming languages, making it easier to integrate AWS into applications.
What is AWS CloudShell?
A browser-based, pre-configured command-line environment provided by AWS, allowing users to manage AWS resources securely without needing to install or configure the AWS CLI locally.
Why do some AWS services need IAM roles?
Some AWS services need IAM roles to securely access other AWS resources on your behalf. Roles grant temporary permissions without exposing long-term credentials, ensuring secure, controlled access based on defined policies.
What is an IAM role?
An AWS identity with specific permissions that can be assumed by users, applications, or services to securely access AWS resources without using permanent credentials.
What is the IAM Credentials Report?
A downloadable report in AWS that provides detailed information about all IAM users and the status of their credentials, such as passwords, access keys, and MFA settings, helping with security auditing.
What does IAM Access Advisor (last-access) show?
The last time an IAM user or role accessed specific AWS services, helping identify unused permissions to improve security by refining access policies.
What is the recommended user-to-AWS-user ratio?
One physical user should have one AWS user account.
How should permissions be assigned?
Assign users to groups, and assign permissions to groups.
What security feature should be enforced on IAM users?
Multi-Factor Authentication (MFA).
When should you use IAM Roles?
To give permissions to AWS services securely.
What is the use of Access Keys?
For programmatic access via CLI and SDK.
How do you audit AWS permissions?
Use IAM Credentials Report and IAM Access Advisor.
What security responsibilities does AWS have and what responsibilities does the user have?
AWS:
- Infrastructure (global network security)
- Configuration and vulnerability analysis of their services
- Compliance validation
You:
- Users, Groups, Roles, Policies management and monitoring
- Enable MFA on all accounts
- Rotate all your keys often
- Use IAM tools to apply appropriate permissions
- Analyze access patterns & review permissions
What is recommended for key management?
Rotate all your keys often.