IAM
Identity and Access Management. It lets you create and manage users, groups, roles, and permissions to control who can do what in your AWS environment.
Root account
Default AWS account created with AWS setup; should not be used or shared.
Why shouldn't the root account be used?
It's a best practice to avoid using the root account because it has full, unrestricted access and cannot be limited—using it increases the risk of accidental or malicious changes.
User (IAM)
An individual identity in AWS with specific credentials (username, password, access keys) used to access and interact with AWS services.
Group (IAM)
A collection of users; cannot contain other groups.
Can users belong to multiple groups?
Yes, users can belong to multiple groups or none at all.
Why create users and groups in AWS?
To securely manage individual access and simplify permission management for a collection of users.
Policy (IAM)
JSON documents that define permissions for users or groups.
What principle should policies follow in AWS?
Least privilege—users get only the permissions they need.
What is IAM policy inheritance?
Users inherit policies attached to their group.
What are inline policies in IAM?
Policies directly attached to individual users.
What are the main components of an IAM policy?
Version, Id (optional), Statement(s).
What does an IAM policy Statement include?
Sid (optional), Effect (Allow/Deny), Principal, Action, Resource, Condition (optional).
What is the recommended version for IAM policies?
"2012-10-17"
Why enforce a strong password policy in AWS?
To increase account security.
What can AWS password policies enforce?
Minimum length, character types, password changes, expiration, reuse prevention.
What is MFA in AWS?
Multi-Factor Authentication combines password + physical device for security.
Why use MFA?
If password is compromised, attacker still needs physical device to access account.
Name some virtual MFA devices.
Google Authenticator, Authy.
What is a U2F security key?
A hardware device supporting multiple users, e.g. YubiKey.
Give an example of hardware MFA key fobs.
Gemalto, SurePassId.
How can users access AWS?
AWS Management Console (password + MFA), AWS CLI (access keys), AWS SDK (access keys).
What are access keys in AWS?
Secret credentials for CLI/SDK access: the Access Key ID is like a username and the Secret Access Key is like a password.
How should access keys be treated?
As secrets; never share them.
What is the AWS CLI?
A command-line tool to interact with AWS services via public APIs.
Why use AWS CLI?
To script and manage AWS resources as an alternative to the Console.
What is the AWS SDK?
Language-specific libraries to programmatically access AWS services.
Which languages are supported by AWS SDK?
JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++, and mobile/IoT SDKs.
What is AWS CloudShell?
A browser-based shell inside AWS Console for managing AWS resources.
Name key features of AWS CloudShell.
Pre-authenticated with IAM credentials, pre-installed tools, 1 GB persistent storage, secure isolated environment.
Why do some AWS services need IAM roles?
To perform actions on your behalf securely with assigned permissions.
What is an IAM role?
A set of permissions assigned to AWS services to act on your account.
Name common AWS service roles.
EC2 instance roles, Lambda function roles, CloudFormation roles.
What is the IAM Credentials Report?
A report listing all users and the status of their credentials at the account level.
What does IAM Access Advisor (last-access) show?
Permissions granted to a user and when those services were last accessed.
Why use IAM Access Advisor?
To review and refine user permissions.
What is a key best practice for the root account?
Only use it for AWS account setup; avoid regular use.
What is the recommended user-to-AWS-user ratio?
One physical user should have one AWS user account.
How should permissions be assigned?
Assign users to groups, and assign permissions to groups.
Why create a strong password policy?
To enhance account security.
What security feature should be enforced on IAM users?
Multi-Factor Authentication (MFA).
When should you use IAM Roles?
To give permissions to AWS services securely.
What is the use of Access Keys?
For programmatic access via CLI and SDK.
How do you audit AWS permissions?
Use IAM Credentials Report and IAM Access Advisor.
What is a critical sharing rule for IAM?
Never share IAM users or access keys.
What security responsibilities does AWS have?
Infrastructure security, service configuration/vulnerability analysis, compliance validation.
What security responsibilities do you have?
Manage users/groups/roles/policies, enable MFA, rotate keys, apply least privilege, review permissions.
What is recommended for key management?
Rotate all your keys often.
What should you use to apply appropriate permissions?
AWS IAM tools.
Why analyze access patterns?
To review and adjust permissions for security.