IAM 101

Question 1

What does IAM stand for?

Answer 1

Identity Access Management

Question 2

What are the key features of IAM?

Answer 2

• Centralized control of your AWS account
• Shared Access to your AWS account
• Granular Permissions
• Identity Federation (i.e. Active Directory, Facebook, LinkedIn, etc.)
• Multifactor authentication (you should ALWAYS do this)
• Temporary access for users/devices and services when necessary
• Custom Password rotation policy
• Integration w/ many AWS services
• Supports PCI DSS compliance

Question 3

What are Users and Groups? What is the key relationship between them?

Answer 3

• Users are end users (people, employees of an organization, etc.)
• Groups are collections of Users.
• Each user in a group inherits the permissions of the group.

Question 4

What are IAM Policies?

Answer 4

Policies are comprised of policy documents, which are JSON docs that give permissions to a user, group, or role.

Question 5

What is an IAM Role, and what is its purpose in AWS?

Answer 5

A Role is an identity with specific permissions that does not have long-term credentials (like a password or access key). It is assumed by a user, service, or resource.

Question 6

How broad is the IAM namespace?

Answer 6

IAM has a global namespace

Question 7

What permissions does an IAM user have when first created?

Answer 7

A new user has NO permissions when first created (think least privileges)

Question 8

At a very high level, what does AWS IAM do?

Answer 8

IAM allows you to manage users and their level of access to the AWS console

Question 9

Which account is the root account in IAM?

Answer 9

• The root account is the account created when you first setup your AWS account.

Question 10

What access does the root account have?

Answer 10

The root account has complete admin access (god mode)

Question 11

What are Access Key ID and Secret Access Key used for?

Answer 11

• Access Key ID and Secret Access Key are used for programmatic access (AWS APIs and CLI)…think of it like the username/password for programmatic access
• Access Key ID and Secret Access Key can NOT be used to log in to the console.

Question 12

Can your Access Key ID and Secret Access Key be used to log in to the AWS CLIs/API?

Answer 12

Yes

Question 13

Can your Access Key ID and Secret Access Key be used to log in to the AWS console?

Answer 13

No

Question 14

How are you assigned an Access Key ID and Secret Access Key?

Answer 14

• Access Key ID and Secret Access Key are assigned to new users upon creation
• You can only view them ONCE.

Question 15

If you lose your AWS Access Key ID and Secret Access Key, how can you recover them?

Answer 15

You can’t!

_{(You’ll need to generate a new pair)}

Question 16

Can IAM User Groups contain other User Groups?

Answer 16

NO

Question 17

What does IAM Credentials Report do?

Answer 17

IAM Credentials report lists all your AWS Account’s IAM Users and the status of their various credentials.

Question 18

What are the components of an IAM Policy?

Answer 18

• Version
• Id (optional)
• Statement(s) which consists of
  *Sid (Statement Id) (optional)
  * Effect (ALLOW or DENY)
  * Principal(s) (account/user/role)
  * Action(s) (thing(s) you can/can’t do)
  * Resource(s) (what you are/not allowed to do those things to)
  * Condition(s) (the circumstances under which this rule applies)

So, “<Sid> says that <Principal> (<Can/Can't by effect>) do <Action> to <Resource> when <Condition>)</Condition></Resource></Action></Principal></Sid>