AWS IAM: Identity and Access Management

Questions and Answers

Which of the following is NOT a best practice for using IAM?

Use the principle of least privilege when assigning permissions

Use the root account for daily operations (correct)

Create individual IAM accounts for users

Change access keys and passwords regularly

Which of the following is TRUE about IAM Roles?

Roles cannot be used with federated users who sign in using an external identity provider.

IAM roles allow you to delegate permissions to resources for users and services without using permanent credentials. (correct)

Roles are used to assign permissions to resources, but cannot be used to delegate permissions to other users or services.

Roles are associated with permanent credentials like user names and passwords.

What is the maximum number of users that can be created in a single AWS account?

1000

10000

2000

5000 (correct)

What is the purpose of temporary security credentials in IAM?

To provide users with temporary access to specific AWS services and resources.

Which of the following is NOT a valid method of authentication in IAM?

Two-factor authentication

What is the purpose of IAM policies?

To define the permissions that are granted to specific IAM users, groups, and roles.

Which of the following statements about IAM Groups is TRUE?

Groups are used to assign permissions to users.

What is the difference between an IAM user and a service account?

IAM users are created for human users, while service accounts are created for applications.

What is the purpose of the AWS access key ID and secret access key?

To provide users with permanent access to AWS services and resources.

Which of the following is a valid method of assuming an IAM role?

All of the above

What is the default state of all requests in IAM policy evaluation logic?

Implicitly denied

What is the purpose of the Condition element in IAM policies?

To apply further conditional logic

What is an AWS managed policy?

A standalone policy created and administered by AWS

What is the purpose of an instance profile in IAM?

To pass role information to an EC2 instance

What is the advantage of using regional endpoints for AWS STS?

Reduced latency

What is the purpose of AWS STS?

To request temporary, limited-privilege credentials

What is Cross Account Access used for in AWS?

To allow users from one AWS account access resources in another

How do explicit denies in IAM policies work?

They override any allows

What is a customer managed policy in IAM?

A standalone policy created and administered by the customer

What is the default behavior of IAM policy evaluation logic?

All requests are implicitly denied

What is the primary purpose of IAM in AWS?

To securely control individual and group access to AWS resources

What happens by default when a new IAM user is created?

They can only access services with explicit permission

Which of the following components are part of an IAM user?

Access keys, passwords, and multi-factor authentication devices

What is a recommended best practice regarding multi-factor authentication (MFA)?

Enable MFA for all users, using hardware or U2F devices for privileged users

Which of the following statements best describes IAM's nature regarding AWS regions?

IAM is universal and does not apply to regions

What is required for a user to access an AWS service using IAM?

Permission must be explicitly granted

How does IAM handle user permissions?

By applying granular permissions at user and group levels

What is the purpose of multi-factor authentication (MFA) in AWS IAM?

To enhance security by requiring additional verification

What is the default state of all requests in IAM policy evaluation logic?

Implicitly denied

What is the purpose of the Condition element in IAM policies?

To apply further conditional logic

What is an AWS managed policy?

A standalone policy that is created and administered by AWS

What is the purpose of an instance profile in IAM?

To pass role information to an EC2 instance

What is the advantage of using regional endpoints for AWS STS?

Reduced latency

What is Cross Account Access used for in AWS?

To access resources in another AWS account

How do explicit denies in IAM policies work?

They override all allows

What is a customer managed policy in IAM?

A standalone policy that is created and administered by the customer

What is the primary purpose of IAM in AWS?

To provide identity and access management

What is the purpose of temporary security credentials in IAM?

To provide temporary, limited-privilege access to AWS resources

What is the primary purpose of an IAM role?

To delegate permissions to resources without using permanent credentials

What is the maximum number of IAM users that can be created in a single AWS account?

5000

What is the purpose of an IAM group?

To assign permissions to users

What is the purpose of the AWS access key ID and secret access key?

To make programmatic API calls to AWS services

What is a recommended best practice for IAM users?

Create individual IAM accounts for users

What is the difference between an IAM user and an IAM role?

An IAM user represents a person or service, while an IAM role defines a set of permissions

What is the purpose of temporary security credentials in IAM?

To delegate permissions to resources without using permanent credentials

What is the purpose of IAM policies?

To delegate permissions to resources

What is a characteristic of IAM roles?

They define a set of permissions for making AWS service requests

What is a recommended best practice for the root account?

Use the root account only for billing and create IAM users for other tasks

What is the main purpose of IAM in AWS?

To securely control individual and group access to AWS resources.

What must be done for a newly created IAM user to access AWS services?

Access must be explicitly granted through permissions.

Which of the following is NOT a component of an IAM user?

Root account permissions

What is a significant benefit of using multi-factor authentication (MFA) in AWS IAM?

It adds an extra layer of security for user authentication.

What does Identity Federation allow in AWS IAM?

Secure access to AWS resources without creating IAM user accounts.

Which best describes the consistency model of IAM?

Eventually consistent.

What is a best practice concerning the use of MFA?

To use MFA for all users and especially for privileged users.

Which statement regarding IAM's application in AWS regions is true?

IAM operates independently of the AWS regions.

What is the role of IAM users in AWS?

They have been granted access to an AWS account.

What should be done before enabling multi-factor authentication (MFA) on an AWS account?

Delete the root account access key.

What is the primary purpose of IAM in AWS?

To securely control individual and group access to AWS resources

What happens by default when a new IAM user is created?

The user is granted no access to any AWS services

What is a characteristic of IAM?

It is eventually consistent

What is the purpose of multi-factor authentication (MFA) in AWS IAM?

To provide an additional layer of security beyond passwords

What can be configured to allow secure access to resources in an AWS account without creating an IAM user account?

Identity Federation

What is a recommended best practice for the root account?

To use MFA for all users, and U2F or hardware MFA devices for all privileged users

What is required for a user to access an AWS service using IAM?

Explicit permission must be granted

What are the three main components of an IAM user?

Username, password, and access key

What is the purpose of IAM in managing access to AWS resources?

To provide a centralized control of access to AWS resources

What is the benefit of using IAM to manage access to AWS resources?

It allows for fine-grained access control

What best practice should be followed regarding the use of the root account?

Use it only for billing purposes.

What is the role of groups in IAM?

Groups are collections of users with attached policies.

Which of the following statements regarding IAM roles is correct?

Roles are created and then assumed by trusted entities.

What is a significant characteristic of temporary security credentials in IAM?

They consist of an access key ID, secret access key, and security token.

How can IAM enforce password policies?

By applying a policy that defines password length and complexity requirements.

What is a limitation of IAM groups?

Groups cannot be identified as principals in an IAM policy.

Which of the following is NOT a method of authentication available with IAM?

Session tokens

What is required for IAM users to access AWS services?

They must have security credentials.

What is a key advantage of using roles in IAM?

Roles help to delegate permissions without using permanent credentials.

What is true about the creation of IAM users?

Users must be created with a unique friendly name and ARN.

Which of the following statements is TRUE about IAM policies?

The Condition element can be used to apply further conditional logic.

What is the primary function of an IAM Instance Profile?

To associate an IAM role with an EC2 instance at launch.

Which of the following statements is TRUE about AWS managed policies?

They are designed for specific job functions.

Which of the following is NOT a primary source of users for AWS Cognito?

AWS Management Console

What is the purpose of the AWS Security Token Service (STS)?

To provide temporary security credentials for accessing AWS resources.

Which of the following best describes the relationship between a permissions boundary and an IAM role?

A permissions boundary is used to limit the maximum permissions an IAM role can assume.

How does IAM policy evaluation logic determine which permissions are granted to a user or role?

By evaluating policies in a specific order based on their type and precedence.

In the context of Cross Account Access, what is the primary purpose of using the AWS Management Console?

To switch roles and manage resources in different accounts.

Which of the following is a key advantage of using AWS STS to generate temporary security credentials?

They can be limited to specific actions and resources.

Which of the following best describes the concept of "least privilege" when applied to IAM policies?

Granting the minimum necessary permissions to perform a task.

What is the primary purpose of IAM in AWS?

To provide secure access to AWS resources

What happens by default when a new IAM user is created?

They can only login to the AWS console

What is a characteristic of IAM?

It is eventually consistent

What is the purpose of multi-factor authentication (MFA) in AWS IAM?

To add an extra layer of security to user authentication

What is a recommended best practice regarding multi-factor authentication (MFA)?

Use it for all users and use U2F or hardware MFA devices for all privileged users

What are the three main components of an IAM user?

Username, password, and access key

What is the purpose of Identity Federation in IAM?

To allow secure access to resources in an AWS account without creating an IAM user account

What is the 'root account' in AWS?

The account created when you setup the AWS account

What is a benefit of using IAM?

It provides granular permissions and makes it easy to provide multiple users secure access to AWS resources

What is the nature of IAM regarding AWS regions?

It is universal (global) and does not apply to regions

What is the primary purpose of an IAM policy?

To authorize access to AWS resources

What is the difference between an AWS managed policy and a customer managed policy?

AWS managed policies are created by AWS, while customer managed policies are created by customers

What is the purpose of the Condition element in IAM policies?

To apply further conditional logic to the policy

What is the advantage of using regional endpoints for AWS STS?

Reduced latency

What is Cross Account Access used for in AWS?

To access resources in another AWS account

What happens by default when a policy is applied to an IAM user or role?

All requests are implicitly denied

What is the purpose of an IAM instance profile?

To pass role information to an EC2 instance

How do explicit denies in IAM policies work?

They override any allows in the policy

What is the purpose of the AWS Security Token Service (STS)?

To provide temporary, limited-privilege credentials for IAM users

What is the default state of all requests in IAM policy evaluation logic?

Implicitly denied

What type of access does the root account have in an AWS account?

Full administrative permissions

Which statement correctly describes IAM users?

IAM users have no default access rights until assigned permissions.

Why should Access Key IDs and Secret Access Keys be regenerated if lost?

They are permanent credentials and cannot be recovered.

What is the primary purpose of using IAM roles?

To delegate temporary permissions without using permanent credentials.

Which of the following is true about IAM groups?

Groups are used to assign permissions collectively to users.

What happens to temporary security credentials when using IAM roles?

They automatically expire after a defined time.

What does the IAM policy evaluation logic default to for new requests?

Always deny

What is a recommended best practice regarding password policies in IAM?

Define a policy for minimum length and complexity.

Which of the following statements is correct regarding the use of AWS SDKs with IAM?

AWS SDKs are recommended for programmatic API calls to IAM.

Which assertion about authentication methods in IAM is correct?

IAM supports multiple authentication methods including console passwords and access keys.

Which of the following statements about IAM policies is FALSE?

All permissions are explicitly denied by default.

What is the primary purpose of AWS Security Token Service (STS)?

To provide temporary, limited-privilege credentials for IAM users or federated users.

Which of the following is a valid way to use AWS STS to enable cross-account access?

Using the assume-role API action to temporarily assume a role in the target account.

What is the purpose of an IAM instance profile?

To provide temporary security credentials to EC2 instances.

Which of the following statements accurately describes the relationship between IAM roles and instance profiles?

An IAM role can be included in multiple instance profiles.

What is the primary benefit of using temporary security credentials provided by AWS STS?

They expire after a specific duration, reducing the risk of unauthorized access.

Which of the following is a valid scenario for using cross-account access?

A developer in a development account needs to access and manage resources in a production account.

Which of the following statements about IAM policy evaluation logic is TRUE?

Explicit denies always take precedence over explicit allows.

What is the primary function of the Condition element in IAM policies?

To add conditional logic to grant or deny access based on specific criteria.

Which of the following is a key difference between AWS managed policies and customer managed policies?

AWS managed policies are not customizable, while customer managed policies can be modified.

What is the primary function of IAM in AWS?

Controlling individual and group access to AWS resources

Which statement accurately describes the default state of new IAM users?

They have no access to any AWS services.

How can IAM users authenticate securely?

By using multi-factor authentication devices

What allows secure access to AWS resources without creating an IAM user account?

Identity Federation

What does enabling multi-factor authentication (MFA) for users accomplish?

It enhances access security for users.

Which of the following is NOT a main component of an IAM user?

User groups

What is a recommended best practice regarding the root account in AWS?

Enable multi-factor authentication for the root account.

What type of permissions can be applied using IAM?

Granular permissions

Which statement is true about IAM's behavior regarding AWS regions?

IAM is global and does not apply to specific regions.

What type of access does the root account provide?

Full control over all AWS resources

Which authentication method is NOT typically associated with IAM user accounts?

Server certificates

What is the primary purpose of an IAM role?

To provide temporary access to AWS services without using permanent credentials.

Which statement accurately describes the relationship between IAM users and service accounts?

Service accounts are a type of IAM user that represent applications.

What is a key benefit of using IAM Roles instead of providing permanent credentials to users?

Roles eliminate the need for password management.

What is the primary purpose of an IAM policy?

To grant or deny access to AWS services and resources.

How does the principle of least privilege apply to IAM permissions?

Users should be granted only the permissions they need to perform their assigned tasks.

Which of the following is a recommended best practice for managing the AWS root account?

Use the root account only for billing and account management.

What is the purpose of temporary security credentials in IAM?

To grant temporary access to AWS services for specific tasks or resources.

What is the main difference between an IAM user and an IAM role?

IAM users are permanent entities while roles are temporary.

Which of the following is NOT a valid method of assuming an IAM role?

Using the IAM Query API.

What best describes the primary use of temporary security credentials in IAM?

They provide users with limited access to services/resources for a short period.

What is a unique identifier for an IAM user across AWS?

The ARN associated with the user.

Which statement accurately describes IAM roles?

They can be assumed temporarily by users or AWS services.

What is the primary purpose of using IAM groups?

To attach policies for managing permissions collectively for multiple users.

What is a best practice for handling the root account in AWS?

Limit its use to billing and account setup tasks.

How many IAM users can be created within a single AWS account?

5000

What best describes a service account in IAM?

An IAM user specifically created for applications.

What is true about IAM permissions when using the principle of least privilege?

Users are permitted only the access necessary for their specific tasks.

Which of the following is NOT a method of authentication supported by IAM?

Access tokens from external providers

What happens by default when a new IAM user is created?

The user has no permissions and cannot access anything.

What is the default access level for newly created IAM users in AWS?

No access to any AWS services

Which component is NOT associated with IAM users?

IAM roles

What does enabling Multi-factor authentication (MFA) ensure for AWS accounts?

Higher security through additional authentication steps

What is one key feature of IAM regarding its regional application?

IAM is universal and does not apply to regions

Which of the following is NOT a method of authentication provided by IAM?

Social media login integration

What is a primary function of Identity Federation in IAM?

To enable access without creating IAM user accounts

Which authentication method generates random, single-use authentication codes?

Multi-factor authentication devices

What is the significance of the root account in an AWS account?

It is the account created upon setting up the AWS account

What does the ability to apply granular permissions with IAM allow?

Detailing specific permissions for individual users

Which of the following is not a recommended practice related to Multi-factor authentication (MFA)?

Disable MFA for performance reasons

What is the function of the IAM policy simulator?

To help understand and validate access control policies.

What happens when an explicit deny is included in any policy?

It overrides any explicit allow permissions.

Which type of policy can be attached to multiple principal entities in an AWS account?

Customer Managed Policy

What best describes AWS Managed Policies?

Standalone policies created and administered by AWS.

Which statement is accurate regarding the default behavior of IAM policies?

All permissions are implicitly denied unless specified otherwise.

What is an instance profile in AWS IAM?

A container for an IAM role for EC2 instances.

What is a key benefit of using AWS Security Token Service (STS)?

It provides temporary security credentials.

For which scenario is Cross Account Access primarily intended?

Facilitating access between separate AWS accounts.

How does the policy evaluation logic handle permissions boundaries?

It can override allows with implicit denies.

What is the primary use of the Condition element in IAM policies?

To apply additional logical conditions to permission grants.

Which service is a managed message broker service for ActiveMQ?

Amazon MQ

Which of the following services is best suited for human-enabled workflows like an order fulfillment system?

Amazon SWF

Which of the following is NOT a feature of AWS Step Functions?

Provides a managed message broker service for ActiveMQ

What is the purpose of the decider in an Amazon SWF application?

To control the coordination of tasks, including their ordering, concurrency, and scheduling

Which of the following is NOT a component of an Amazon SWF application?

Queue

What is the main purpose of Amazon MQ?

To provide a managed message broker service for ActiveMQ

Which of the following services is recommended by AWS for new applications instead of Amazon SWF?

AWS Step Functions

Which of the following is a benefit of using Amazon MQ?

Provides cost-efficient and flexible messaging capacity

Which service provides a visual interface that describes flow and real-time status of a workflow?

AWS Step Functions

What is the purpose of the Amazon State Language declarative JSON in AWS Step Functions?

To define the workflow as a state machine

Which of the following statements accurately describes Amazon SNS Fanout?

SNS Fanout allows messages to be delivered to multiple endpoints, including SQS queues, Lambda functions, and HTTPS endpoints.

What is the primary advantage of using Amazon SQS over a traditional message queue?

Amazon SQS handles message delivery and queuing, allowing for loose coupling between components in an application.

Which type of Amazon SQS queue offers exactly-once processing and guarantees message ordering?

FIFO Queue

What is the purpose of the Message Group ID parameter in Amazon SQS FIFO queues?

To ensure that messages are delivered in the same order they were sent.

Which of the following is a feature of Amazon SQS standard queues?

Best-effort ordering

What is the significance of the visibility timeout in Amazon SQS?

It defines the period for which a message is hidden from other consumers after being retrieved.

Which of the following best describes the scalability aspect of Amazon SQS?

SQS allows for horizontal scaling by creating multiple queues to handle increased workloads.

What is the primary purpose of Amazon SNS?

To provide a secure, reliable, and scalable messaging service for sending notifications to various endpoints.

Which of the following scenarios would be best suited for using Amazon SQS?

Decoupling components in an application to improve scalability and reliability.

What is the purpose of using Message Deduplication ID in Amazon SQS FIFO queues?

To prevent duplicate messages from being added to the queue.

What is the primary function of a dead-letter queue in Amazon SQS?

To handle message failures and isolate problematic messages

What distinguishes long polling from short polling in SQS?

Long polling can wait up to 20 seconds for messages; short polling retrieves immediately

What happens to messages in a dead-letter queue?

They are set aside for analysis after exceeding maxReceiveCount

What is the maximum delay period you can set for messages in a delay queue in SQS?

15 minutes

Which of the following statements about Amazon SQS Extended Client Library for Java is true?

It allows storing messages up to 2 GB in size using Amazon S3

In SQS, how does CloudWatch track an active queue?

If it contains messages or has any API action accessing it within the last 6 hours

What is the purpose of using IAM policies with Amazon SQS?

To control access and permissions for reading/writing messages

What is the primary benefit of using AWS Application Integration Services in applications?

They facilitate decoupled communication between application components.

What is one characteristic of a standard SQS queue regarding delivery of messages?

It allows for at-least-once delivery of messages

Which of the following best describes Amazon SNS?

A messaging service that supports pub/sub functionality.

Which API action in Amazon SQS allows you to change the visibility timeout of a message?

ChangeMessageVisibility

Which of the following is NOT a feature of Amazon SNS?

Processing messages synchronously.

What role do topics play in Amazon SNS?

They facilitate the grouping of multiple recipients for message delivery.

Which statement about the pay-as-you-go model of Amazon SNS is true?

It charges based on actual usage with no upfront costs.

How does Amazon SNS contribute to application resilience?

By decoupling applications, allowing them to withstand individual component failures.

In what type of architecture are AWS Application Integration Services primarily utilized?

Decoupled architecture including microservices.

Which method does Amazon SNS NOT support for sending notifications?

Direct database queries.

What is a significant characteristic of messaging in Amazon SNS?

Messages can be processed asynchronously to enhance performance.

Study Notes

AWS Identity and Access Management (IAM) Overview

• IAM allows secure control of individual and group access to AWS resources.
• It provides centralized account control and shared access management.
• By default, new users have no access; permissions must be explicitly granted.

IAM Users

• IAM users are entities that represent individuals or services accessing AWS accounts.
• Each user has three main components: security credentials, permissions, and user names.
• It's best practice to create individual accounts for users rather than sharing credentials.
• Up to 5,000 users can be created per AWS account.

Permissions and Policies

• Granular permissions can be applied to IAM users.
• IAM users can be assigned access keys, passwords, and configured with multi-factor authentication (MFA).
• Permissions are defined using policies written in JSON, and all permissions are implicitly denied by default.

Multi-Factor Authentication (MFA)

• MFA can be enabled for the AWS account and individual users, enhancing security.
• MFA involves a device generating random, single-use authentication codes.

Roles and Groups

• Roles define a set of permissions and can be assumed by trusted entities.
• Groups are collections of users with attached policies, but cannot be used as principals in IAM policies.
• Roles can grant temporary security credentials without permanent credentials.

Policy Types

• Types of policies include managed policies (AWS-defined) and inline policies (user-defined for specific users/groups).
• AWS managed policies cannot be modified, while customer-managed policies can be attached to multiple roles or users.

IAM Policy Evaluation Logic

• All requests are implicitly denied unless explicitly allowed.
• An explicit deny in any policy overrides any allow.
• The most restrictive policy takes precedence if multiple policies apply.

AWS Security Token Service (STS)

• STS provides temporary, limited-privilege credentials for IAM users and federated users.
• Credentials can be requested globally, and help facilitate cross-account access.

Cross-Account Access

• Allows users from one AWS account to access resources in another account.
• Requires attached resource-based policies or assuming roles in the target account.

IAM Best Practices

• Do not use the root account for administrative tasks.
• Use MFA for all users, especially for privileged accounts.
• Implement the principle of least privilege when assigning permissions.
• Regularly change access keys and passwords.

AWS Identity and Access Management (IAM) Overview

• IAM allows secure control of individual and group access to AWS resources.
• It provides centralized account control and shared access management.
• By default, new users have no access; permissions must be explicitly granted.

IAM Users

• IAM users are entities that represent individuals or services accessing AWS accounts.
• Each user has three main components: security credentials, permissions, and user names.
• It's best practice to create individual accounts for users rather than sharing credentials.
• Up to 5,000 users can be created per AWS account.

Permissions and Policies

• Granular permissions can be applied to IAM users.
• IAM users can be assigned access keys, passwords, and configured with multi-factor authentication (MFA).
• Permissions are defined using policies written in JSON, and all permissions are implicitly denied by default.

Multi-Factor Authentication (MFA)

• MFA can be enabled for the AWS account and individual users, enhancing security.
• MFA involves a device generating random, single-use authentication codes.

Roles and Groups

• Roles define a set of permissions and can be assumed by trusted entities.
• Groups are collections of users with attached policies, but cannot be used as principals in IAM policies.
• Roles can grant temporary security credentials without permanent credentials.

Policy Types

• Types of policies include managed policies (AWS-defined) and inline policies (user-defined for specific users/groups).
• AWS managed policies cannot be modified, while customer-managed policies can be attached to multiple roles or users.

IAM Policy Evaluation Logic

• All requests are implicitly denied unless explicitly allowed.
• An explicit deny in any policy overrides any allow.
• The most restrictive policy takes precedence if multiple policies apply.

AWS Security Token Service (STS)

• STS provides temporary, limited-privilege credentials for IAM users and federated users.
• Credentials can be requested globally, and help facilitate cross-account access.

Cross-Account Access

• Allows users from one AWS account to access resources in another account.
• Requires attached resource-based policies or assuming roles in the target account.

IAM Best Practices

• Do not use the root account for administrative tasks.
• Use MFA for all users, especially for privileged accounts.
• Implement the principle of least privilege when assigning permissions.
• Regularly change access keys and passwords.

AWS Identity and Access Management (IAM) Overview

• IAM allows secure control of individual and group access to AWS resources.
• It provides centralized account control and shared access management.
• By default, new users have no access; permissions must be explicitly granted.

IAM Users

• IAM users are entities that represent individuals or services accessing AWS accounts.
• Each user has three main components: security credentials, permissions, and user names.
• It's best practice to create individual accounts for users rather than sharing credentials.
• Up to 5,000 users can be created per AWS account.

Permissions and Policies

• Granular permissions can be applied to IAM users.
• IAM users can be assigned access keys, passwords, and configured with multi-factor authentication (MFA).
• Permissions are defined using policies written in JSON, and all permissions are implicitly denied by default.

Multi-Factor Authentication (MFA)

• MFA can be enabled for the AWS account and individual users, enhancing security.
• MFA involves a device generating random, single-use authentication codes.

Roles and Groups

• Roles define a set of permissions and can be assumed by trusted entities.
• Groups are collections of users with attached policies, but cannot be used as principals in IAM policies.
• Roles can grant temporary security credentials without permanent credentials.

Policy Types

• Types of policies include managed policies (AWS-defined) and inline policies (user-defined for specific users/groups).
• AWS managed policies cannot be modified, while customer-managed policies can be attached to multiple roles or users.

IAM Policy Evaluation Logic

• All requests are implicitly denied unless explicitly allowed.
• An explicit deny in any policy overrides any allow.
• The most restrictive policy takes precedence if multiple policies apply.

AWS Security Token Service (STS)

• STS provides temporary, limited-privilege credentials for IAM users and federated users.
• Credentials can be requested globally, and help facilitate cross-account access.

Cross-Account Access

• Allows users from one AWS account to access resources in another account.
• Requires attached resource-based policies or assuming roles in the target account.

IAM Best Practices

• Do not use the root account for administrative tasks.
• Use MFA for all users, especially for privileged accounts.
• Implement the principle of least privilege when assigning permissions.
• Regularly change access keys and passwords.

AWS Identity and Access Management (IAM) Overview

• IAM allows secure control of individual and group access to AWS resources.
• It provides centralized account control and shared access management.
• By default, new users have no access; permissions must be explicitly granted.

IAM Users

• IAM users are entities that represent individuals or services accessing AWS accounts.
• Each user has three main components: security credentials, permissions, and user names.
• It's best practice to create individual accounts for users rather than sharing credentials.
• Up to 5,000 users can be created per AWS account.

Permissions and Policies

• Granular permissions can be applied to IAM users.
• IAM users can be assigned access keys, passwords, and configured with multi-factor authentication (MFA).
• Permissions are defined using policies written in JSON, and all permissions are implicitly denied by default.

Multi-Factor Authentication (MFA)

• MFA can be enabled for the AWS account and individual users, enhancing security.
• MFA involves a device generating random, single-use authentication codes.

Roles and Groups

• Roles define a set of permissions and can be assumed by trusted entities.
• Groups are collections of users with attached policies, but cannot be used as principals in IAM policies.
• Roles can grant temporary security credentials without permanent credentials.

Policy Types

• Types of policies include managed policies (AWS-defined) and inline policies (user-defined for specific users/groups).
• AWS managed policies cannot be modified, while customer-managed policies can be attached to multiple roles or users.

IAM Policy Evaluation Logic

• All requests are implicitly denied unless explicitly allowed.
• An explicit deny in any policy overrides any allow.
• The most restrictive policy takes precedence if multiple policies apply.

AWS Security Token Service (STS)

• STS provides temporary, limited-privilege credentials for IAM users and federated users.
• Credentials can be requested globally, and help facilitate cross-account access.

Cross-Account Access

• Allows users from one AWS account to access resources in another account.
• Requires attached resource-based policies or assuming roles in the target account.

IAM Best Practices

• Do not use the root account for administrative tasks.
• Use MFA for all users, especially for privileged accounts.
• Implement the principle of least privilege when assigning permissions.
• Regularly change access keys and passwords.

AWS Identity and Access Management (IAM) Overview

• IAM allows secure control of individual and group access to AWS resources.
• It provides centralized account control and shared access management.
• By default, new users have no access; permissions must be explicitly granted.

IAM Users

• IAM users are entities that represent individuals or services accessing AWS accounts.
• Each user has three main components: security credentials, permissions, and user names.
• It's best practice to create individual accounts for users rather than sharing credentials.
• Up to 5,000 users can be created per AWS account.

Permissions and Policies

• Granular permissions can be applied to IAM users.
• IAM users can be assigned access keys, passwords, and configured with multi-factor authentication (MFA).
• Permissions are defined using policies written in JSON, and all permissions are implicitly denied by default.

Multi-Factor Authentication (MFA)

• MFA can be enabled for the AWS account and individual users, enhancing security.
• MFA involves a device generating random, single-use authentication codes.

Roles and Groups

• Roles define a set of permissions and can be assumed by trusted entities.
• Groups are collections of users with attached policies, but cannot be used as principals in IAM policies.
• Roles can grant temporary security credentials without permanent credentials.

Policy Types

• Types of policies include managed policies (AWS-defined) and inline policies (user-defined for specific users/groups).
• AWS managed policies cannot be modified, while customer-managed policies can be attached to multiple roles or users.

IAM Policy Evaluation Logic

• All requests are implicitly denied unless explicitly allowed.
• An explicit deny in any policy overrides any allow.
• The most restrictive policy takes precedence if multiple policies apply.

AWS Security Token Service (STS)

• STS provides temporary, limited-privilege credentials for IAM users and federated users.
• Credentials can be requested globally, and help facilitate cross-account access.

Cross-Account Access

• Allows users from one AWS account to access resources in another account.
• Requires attached resource-based policies or assuming roles in the target account.

IAM Best Practices

• Do not use the root account for administrative tasks.
• Use MFA for all users, especially for privileged accounts.
• Implement the principle of least privilege when assigning permissions.
• Regularly change access keys and passwords.

AWS Identity and Access Management (IAM) Overview

• IAM allows secure control of individual and group access to AWS resources.
• It provides centralized account control and shared access management.
• By default, new users have no access; permissions must be explicitly granted.

IAM Users

• IAM users are entities that represent individuals or services accessing AWS accounts.
• Each user has three main components: security credentials, permissions, and user names.
• It's best practice to create individual accounts for users rather than sharing credentials.
• Up to 5,000 users can be created per AWS account.

Permissions and Policies

• Granular permissions can be applied to IAM users.
• IAM users can be assigned access keys, passwords, and configured with multi-factor authentication (MFA).
• Permissions are defined using policies written in JSON, and all permissions are implicitly denied by default.

Multi-Factor Authentication (MFA)

• MFA can be enabled for the AWS account and individual users, enhancing security.
• MFA involves a device generating random, single-use authentication codes.

Roles and Groups

• Roles define a set of permissions and can be assumed by trusted entities.
• Groups are collections of users with attached policies, but cannot be used as principals in IAM policies.
• Roles can grant temporary security credentials without permanent credentials.

Policy Types

• Types of policies include managed policies (AWS-defined) and inline policies (user-defined for specific users/groups).
• AWS managed policies cannot be modified, while customer-managed policies can be attached to multiple roles or users.

IAM Policy Evaluation Logic

• All requests are implicitly denied unless explicitly allowed.
• An explicit deny in any policy overrides any allow.
• The most restrictive policy takes precedence if multiple policies apply.

AWS Security Token Service (STS)

• STS provides temporary, limited-privilege credentials for IAM users and federated users.
• Credentials can be requested globally, and help facilitate cross-account access.

Cross-Account Access

• Allows users from one AWS account to access resources in another account.
• Requires attached resource-based policies or assuming roles in the target account.

IAM Best Practices

• Do not use the root account for administrative tasks.
• Use MFA for all users, especially for privileged accounts.
• Implement the principle of least privilege when assigning permissions.
• Regularly change access keys and passwords.

AWS Application Integration Services

• A suite of services designed for decoupled communication between application components.
• Supports microservices, distributed systems, and serverless architectures.
• Enables connectivity without custom code, ensuring resilience against failures in individual components.

Amazon Simple Notification Service (SNS)

• Managed messaging service for application-to-application (A2A) and application-to-person (A2P) communication.
• Utilizes a pub/sub model for high throughput, push-based messaging.
• Supports notifications to multiple platforms, including mobile devices, SMS, email, and any HTTP endpoint.
• Triggers AWS Lambda functions to process messages automatically.
• Messages can be stored redundantly across multiple availability zones, ensuring durability.
• Allows grouping of multiple recipients via Topics, enabling dynamic subscription to notifications.

Amazon Simple Queue Service (SQS)

• Provides a distributed queue system for reliable message queuing between application components.
• Acts as a buffer to help manage differences in processing speed between producers and consumers, promoting decoupling.
• Messages can be stored for 1 minute to 14 days, with a default retention of 4 days.
• Guarantees at least once delivery of messages, with two queue types: Standard and FIFO.

Standard Queues

• Default type, supports nearly unlimited transactions per second.
• Guarantees at least once delivery but may deliver duplicates out of order.
• Best-effort ordering generalizes message delivery in the order sent.

FIFO Queues

• Ensures strictly ordered, exactly-once processing of messages.
• Supports message groups for containing multiple ordered groups within a single queue.
• Limited to 300 transactions per second, preventing duplicate messages with Message Group ID and Message Deduplication ID requirements.

SQS Visibility Timeout

• Defines the period a message remains invisible after being read to avoid multiple processing.
• Default is 30 seconds, adjustable to a maximum of 12 hours.

SQS Polling

• Long polling retrieves messages only when available, improving efficiency compared to short polling, which returns immediately.
• Long polling can be activated at the queue or API level.

Dead-Letter Queues

• Isolates and manages messages that fail processing for further analysis.
• Messages move to this queue after exceeding a predefined maxReceiveCount.

Delay Queues

• Allows postponing message deliveries for up to 900 seconds (15 minutes).
• Changes affect only new messages, not those already in the queue.

Amazon Simple Workflow Service (SWF)

• Coordinates distributed application components through workflows with parallel or sequential steps.
• Ideal for longer tasks that require state tracking and retry capabilities.
• Integrates with a task-oriented API, providing a domain for application resources and managing tasks' state.

Amazon MQ

• Managed message broker service supporting ActiveMQ, facilitating migration without code rewrites.
• Automatically provisions infrastructure for high availability and redundancy across Availability Zones.
• Supports standard messaging APIs such as JMS, NMS, MQTT, and WebSockets.
• Ensures security through SSL connections, VPC isolation, and message encryption.

AWS Step Functions

• Orchestrates components of distributed applications via visual workflows and state machines.
• Allows the definition of tasks with sequential, parallel, and branching steps.
• Provides a visual interface for execution status and detailed logs for monitoring each step.

Description

Learn about AWS IAM, a service that securely controls access to AWS resources, providing centralized control and enabling shared access with customizable permission settings.