Users are…
people in an organization that can be grouped
Can groups contain other groups?
No
How can you structure users?
Users dont need to belong to a group but they can belong to multiple groups
How is a JSON policy document of a user or group structured?
It contains
- a version
- a list of statements
- Effect
- Action
- Resource
What basic principle do you need to follow for giving permissions?
You apply the least privilege principle: only as many permissions as users need
How can permissions be obtained?
They can be:
- given by an inline policy directly to the user
- inherited from every group policy a user is member of
A user’s password has been guessed correctly. How can you prevent this from happening in the future? How can damage be controlled?
- Enable MultiFactorAuthentication (MFA)
- Enable password rules:
- Set minimum password length
- require special characters, numbers, letters, non alpha characters
- require password change after some time
- prevent password reuse
- never share IAM users & Access Keys
- never use the root user (only for user setup)
AWS devices for MFA?
- Virtual MFA device
- Universal 2nd Factor (U2F) Security Key
- Hardware Key Fob MFA
How can you access AWS?
- AWS Management Console (password+MFA)
- AWS CLI
- AWS SDK
How can AWS services get permissions?
-Through IAM roles that can be given permissions
How can you check the current user/policy configuration?
- IAM Credentials Report (a report that lists all users and their credentials)
- IAM Access advisor (shows the permissions granted to a user and time of last access)
