- What does IAM stand for?
- Is it a global service?
- Identity and Access Management.
- Yes, IAM is a global service.
- What is the IAM Root Account?
- Should you use or share the root account?
- The root account is the account created by default. A root account is a user account for administrative purposes, and typically has the highest access rights on the system.
- A root account should not be used or shared, rather, you should create a user with certain access permissions to use, even for yourself. Sharing the root account would give someone complete and total access to change everything.
What are IAM Users?
Users are people within your organization, and can be grouped.
- What are IAM Groups?
- How can you use them to grant access permissions?
- Which principle should you always adhere to when creating groups?
- Groups only contain users, not other groups
- Users don’t have to belong to a group, and user can belong to multiple groups
- Usually, you create an access permission for a group, then add users who fit that access permission.
- Always use the principle of least privilege (only access what is necessary)!
Describe the below image from an IAM standpoint:
Users don’t have to belong to a group, and user can belong to multiple groups.
Describe IAM Permissions, like, which type of document is assigned and which principle to follow.
- Users or Groups can be assigned JSON documents called policies
- These policies define the permissions of the users
- In AWS you apply the least privilege principle: don’t give more permissions than a user needs
Graphically describe IAM Policies Inheritance by way of different groups or users who are not in any group.
- If a user is only part of one group, then they inherit only the permissions of that group.
- If a user is part of multiple groups, then they inherit the permissions of each (for example, one group could exclude a permission, while the other allows it, so if the user was a part of both groups, they’d be allowed said permission).
- Individual users not assigned to a group have inline permissions, specifically granted in the IAM users terminal.
Describe this code from an IAM perspective.
General
- Version: policy language version, always include “2012-10-17”
- Id: an identifier for the policy (optional)
- Statement: one or more individual statements (required)
Statement
- Sid: an identifier for the statement (optional)
- Effect: whether the statement allows or denies access (Allow, Deny)
- Principal: account/user/role to which this policy applied to
- Action: list of actions this policy allows or denies
- Resource: list of resources to which the actions applied to
- Condition: conditions for when this policy is in effect (optional, not shown)
List all the ways in which you can set an IAM Password Policy.
Strong passwords = higher security for your account
In AWS, you can setup a password policy:
- Set a minimum password length
- Require specific character types:
- including uppercase letters
- lowercase letters
- numbers
- non-alphanumeric characters
- Allow all IAM users to change their own passwords
- Require users to change their password after some time (password expiration)
- Prevent password re-use
Why use MFA (Multi Factor Authentication)?
IAM
- Users have access to your account and can possible change configurations or delete resources in your AWS account
- You want to protect your Root Accounts and IAM users
- MFA = password you know + security device you own
- Main benefit: if a password is stolen or hacked, the account is not compromised.
List the virtual MFA devices:
IAM
- Google Authenticator (phone only)
- Authy (multi-device)
Both of these options support multiple tokens on a single device. You’ve used MFA on other devices before, this is no different. You get a one-time passcode to enter as a secondary authentication.
List the physical MFA devices:
IAM
- Universal 2nd factor (U2F) security key (ex: YubiKey by Yubico (3rd Party))
- Hardware key fob MFA device (ex: Gemalto (3rd Party))
- Harware key fob MFA device for AWS GovCloud (US) (ex: SurePassID (3rd Party))
All of these options have support for multiple root and IAM users using a single security key.
How can users access AWS? List the three options.
IAM
- AWS Management Console (protected by password + MFA)
- AWS Command Line Interface (CLI): protected by access keys
- AWS Software Developer Kit (SDK) - for code: protected by access keys
What are access keys? Provide an example of the two types of access keys.
IAM
- Access Keys are generated through the AWS Console
- Users manage their own access keys
- Access Keys are secret, just like a password. Don’t share them
- Access Key ID ~= username
- Secret Access Key ~= password
Example Keys
- Access key ID: AKIASK4E37PV4983d6C
- Secret Access Key: AZPN3zojWozWCndIjhB0Unh8239a1bzbzO5fqqkZq
What is AWS CLI?
IAM
- A tool that enables you to interact with AWS services using commands in your command-line shell
- Direct access to the public APIs of AWS services
- You can develop scripts to manage your resources
- It’s open-source https://github.com/aws/aws-cli
- Alternative to using AWS Management Console
What is AWS SDK?
IAM
- AWS Software Development Kit (AWS SDK)
- Language-specific APIs (set of libraries)
- Enables you to access and manage AWS services programmatically
- Embedded within your application
- Supports
- SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
- Mobile SDKs (Android, iOS, …)
- IoT Device SDKs (Embedded C, Arduino, …)
- Example: AWS CLI is built on AWS SDK for Python
What are IAM Roles for Services?
- Some AWS service will need to perform actions on your behalf
- To do so, we will assign permissions to AWS services with IAM Roles
Common roles:
- EC2 Instance Roles
- Lambda Function Roles
- Roles for CloudFormation
List the two IAM security tools for auditing permissions:
IAM Credentials Report (account-level)
- A report that lists all your account’s users and the status of their various credentials
IAM Access Advisor (user-level)
- Access advisor shows the service permissions granted to a user and when those services were last accessed.
- You can use this information to revise your policies.
Describe the IAM Guidelines and Best Practices:
- Don’t use the root account except for AWS account setup
- One physical user = One AWS user
- Assign users to groups and assign permissions to groups
- Create a strong password policy
- Use and enforce the use of Multi Factor Authentication (MFA)
- Create and use Roles for giving permissions to AWS services
- Use Access Keys for Programmatic Access (CLI / SDK)
- Audit permissions of your account with the IAM Credentials Report
- Never share IAM users & Access Keys
Review the IAM section summary, if you find something unfamiliar, rate this card as poor knowledge so you can review.
- Users: mapped to a physical user, has a password for AWS Console
- Groups: contains users only
- Policies: JSON document that outlines permissions for users or groups
- Roles: for EC2 instances or AWS services
- Security: MFA + Password Policy
- Access Keys: access AWS using the CLI or SDK
- Audit: IAM credential reports and IAM access advisor
