4 Steps to Secure Your AWS Root Account
- Enable multi-factor authentication on the root account.
- Create an admin group for your administrators, and assign the appropriate permissions to this group.
- Create user accounts for your administrators.
- Add your users to the admin group.
What is IAM Federation?
You can combine your existing user account with AWS. For example, when
you log on to your PC (usually using Microsoft Active Directory), you can use the same credentials to log in to AWS if you set up federation.
What is Identity Federation?
Uses the SAML standard, which is Active Directory.
How many access keys can exist per IAM identity?
You can have only have two access keys per identity(active or inactive). It is helpful if you want to rotate access keys.
What is the difference between managed policies and inline policies?
When you create an inline policy, it is immediately attached to the IAM identity (user, group, or role) for which it is defined upon creation. Inline policies are specific to the IAM identity with which they are associated, and they are applied right away.
When inline policies should be used instead of managed policies?
When you need to ensure that a specific set of rights (allow or deny) to an identity. For special or exceptional allow or deny.
How many IAM users can have per account?
5000
In how many groups maximum can be a member an IAM user?
10
How many groups can exists per account?
300(soft limit). Can be increased by request.
Can groups be referenced as a principal in a policy?
No. Groups are not a “true identity”.
What are the 2 types of policies that can be attached to an IAM role?
- Trust Policy (controls which identities can assume the role)
- Permissions Policy
When a role is assumed which AWS service creates the temporary credentials for the role?
STS (Secure Token Service) sts:AssumeRole
What is a service linked role?
A Service-Linked Role is a predefined IAM role managed by AWS for a specific service to perform actions on your behalf securely.
What is the relationship between an “instance profile” and an “IAM role”?
An “instance profile” and an “IAM role” are closely related in AWS. The “IAM role” defines permissions and policies, while the “instance profile” is a container used to associate the IAM role with EC2 instances. When launching an EC2 instance, you typically select or create an IAM role, and the instance profile is created automatically to link the role to the instance.
How does an EC2 instance use an instance profile to obtain temporary credentials in AWS?
- The EC2 instance contacts the instance metadata service at http://169.254.169.254/latest/meta-data/iam/security-credentials to retrieve the IAM role name associated with the instance profile.
- The EC2 instance constructs a specific URL to get the security credentials for the IAM role. The URL is: http://169.254.169.254/latest/meta-data/iam/security-credentials/<rolename></rolename>
- The EC2 instance makes a request to the constructed URL and retrieves the temporary credentials, which include an access key, a secret key, and a session token.
- An application running on the EC2 instance can then automatically access the credentials by making a request to the constructed URL and use these temporary credentials to make secure API calls to AWS resources.
