AWS IAM Roles

Questions and Answers

PDF Questions PDF Answers

What is the primary purpose of creating an IAM group?

To rotate access keys regularly

To create a new IAM user

To assign access keys to users

To simplify user management and permission assignment (correct)

What is a benefit of using IAM groups?

More complex permission management

IAM groups can be used to rotate access keys

IAM groups can be used to create new IAM users

Easier management of large numbers of users (correct)

What are the two parts of an access key?

Root access key and IAM user access key

Access key ID and secret access key (correct)

Username and password

Access key ID and password

What is a recommended best practice for access keys?

Rotate access keys regularly

What can an IAM user be assigned?

Access keys, passwords, and MFA devices

Who can assume an IAM role?

IAM users, AWS services, and external identities

What is a benefit of using IAM roles?

Temporary security credentials are issued

What is the purpose of an IAM policy?

To grant or deny access to AWS resources

What type of policy is attached to an IAM user or group?

Identity-based policy

What is the effect of an IAM policy statement with an 'Allow' effect?

Grants access to the specified resource

What is NOT a benefit of using IAM roles?

Roles are attached to resources

Study Notes

AWS IAM

Roles

• An IAM role is an IAM identity that can be assumed by anyone who needs to access AWS resources
• Roles are used to delegate access to users or services that need to access AWS resources
• Roles can be assumed by:
  • IAM users
  • AWS services (e.g. EC2, Lambda)
  • External identities (e.g. Facebook, Google)
• Benefits:
  • Temporary security credentials are issued when a role is assumed
  • No need to share long-term credentials
  • Easy to manage access to AWS resources

Policies

• An IAM policy is a document that defines a set of permissions
• Policies are used to grant or deny access to AWS resources
• Types of policies:
  • Identity-based policies (attached to users, groups, or roles)
  • Resource-based policies (attached to resources, e.g. S3 buckets)
  • Organization-based policies (attached to an organization or organizational unit)
• Policy structure:
  • Version
  • Statement (one or more)
  • Effect (Allow or Deny)
  • Action (e.g. s3:GetObject)
  • Resource (e.g. arn:aws:s3:::my-bucket)

Users

• An IAM user is an entity that represents a person or service that interacts with AWS resources
• Users can be created and managed in IAM
• Users can be assigned:
  • Access keys (long-term credentials)
  • Passwords (for console access)
  • MFA devices (for added security)
• Users can be members of groups

Groups

• An IAM group is a collection of IAM users
• Groups can be used to simplify user management
• Groups can be assigned policies
• Benefits:
  • Easier to manage large numbers of users
  • Simplifies permission management

Access Keys

• Access keys are long-term credentials used to access AWS resources
• Access keys consist of:
  • Access key ID (public)
  • Secret access key (private)
• Types of access keys:
  • Root access keys (created for the root user)
  • IAM user access keys (created for IAM users)
• Best practices:
  • Rotate access keys regularly
  • Use IAM roles instead of access keys when possible
  • Never share access keys

AWS IAM

Roles

• IAM roles are identities that can be assumed by users or services to access AWS resources
• Roles delegate access to users or services that need to access AWS resources
• Roles can be assumed by IAM users, AWS services, and external identities
• Roles provide temporary security credentials, eliminating the need to share long-term credentials

Policies

• IAM policies define a set of permissions for accessing AWS resources
• Policies grant or deny access to AWS resources
• There are three types of policies: identity-based, resource-based, and organization-based policies
• Policy structure consists of version, statement, effect, action, and resource
• Policies can be attached to users, groups, roles, resources, or organizations

Users

• IAM users are entities that represent people or services interacting with AWS resources
• Users can be created and managed in IAM
• Users can be assigned access keys, passwords, and MFA devices
• Users can be members of groups

Groups

• IAM groups are collections of IAM users
• Groups simplify user management and permission management
• Groups can be assigned policies
• Benefits of using groups include easier management of large numbers of users and simplified permission management

Access Keys

• Access keys are long-term credentials used to access AWS resources
• Access keys consist of an access key ID and a secret access key
• There are two types of access keys: root access keys and IAM user access keys
• Best practices for access keys include rotating them regularly, using IAM roles instead of access keys when possible, and never sharing access keys

Description

Learn about IAM roles, their benefits, and how they delegate access to AWS resources. Understand how roles can be assumed by IAM users, AWS services, and external identities.