Advanced IAM

Question 1

What does ARN stand for?

Answer 1

Amazon Resource Name

Question 2

What are the major differences between the two types of IAM Policies?

Answer 2

• Identity Policies
  
  • attached to an IAM user, group, or role
  • specify what an identity can do
• Resource policies
  
  • attached to a resource
  • specify who can do what to the resource

Question 3

Do IAM policies take effect upon creation?

Answer 3

No. An IAM Policy has no effect until it is attached to a resource or role.

Question 4

What is the basic format of an IAM policy document?

Answer 4

• Version # (YYYY-MM-DD)
• List of statements, each individual statement enclosed in {}
  
  • Each statement matches an AWS API Request​​​
  • Each statement has an Effect, either allow or deny
  • Each statement has A list of Actions with the effect, of the form *servicename:ActionName*
  • Each statement has a Resource the Action is against (in ARN form)
  • Idea: (Allow/Deny) Resource to do Actions

Question 5

If an IAM policy does not explicitly allow an API action, might it still be implicitly allowed?

Answer 5

No

If an action is not explicitly allowed, it is implicitly denied

Question 6

In general, how does AWS reconcile multiple attached policies to the same user or resource?

Answer 6

AWS joins all applicable policies

Question 7

Suppose your IAM user has 2 policies, one of which explicitly denies access to all S3 buckets, the other of which explicitly allows access to a specific S3 bucket. Will this user be allowed to access to the specific S3 bucket?

Answer 7

No

An explicit deny overrides anything else in any other policy

Question 8

What is the purpose of AWS Permission Boundaries?

Answer 8

• The idea is to prevent priviledge escalation or unnecessarily overbroad permissions
• Controls maximum permissions an IAM policy can grant

Question 9

What are some use cases for AWS Permission Boundaries?

Answer 9

• Developers creating roles for Lambda functions
• Application owners creating roles for EC2 instances
• Administrators creating ad hoc users

Question 10

In the context of IAM, what does RAM stand for?

Answer 10

Resource Access Manager

Question 11

What does SSO stand for?

Answer 11

Single Sign-On

Question 12

What does SAML stand for?

Answer 12

Security Assertion Markup Language

Question 13

What are the general use cases for AWS SSO?

Answer 13

• Centrally manage access to AWS Resources
• Using existing identities to log in to AWS
• Governing account-level permissions
• SAML

Question 14

What does SaaS stand for?

Answer 14

Software As A Service

Question 15

What is the specific policy document that determines which AWS service or account can assume an IAM Role?

Answer 15

The Trust Policy (or Trust Relationship). This is the key difference from an Identity Policy.

Question 16

When creating a role for a Lambda function or EC2 instance, which service name must be listed in the role’s Trust Policy?

Answer 16

lambda.amazonaws.com (for Lambda) or ec2.amazonaws.com (for EC2).