4. [H] IAM, Accounts and AWS Organisations


Questions and Answers

An engineer is designing an IAM policy. Which of the following elements is optional but recommended for each statement within the policy?

  • Action
  • Resource
  • Effect
  • Sid (correct)

An IAM policy contains two statements: one allowing full access to S3 and another denying all actions on a specific S3 bucket. What is the effective permission for actions on that specific bucket?

  • Explicitly allowed
  • Implicitly allowed
  • Implicitly denied
  • Explicitly denied (correct)

In an IAM policy, what component is used to define whether the policy will allow or deny access to specified resources and actions?

  • Resource
  • Action
  • Sid
  • Effect (correct)

You are tasked with granting temporary permissions to an application running on an EC2 instance to access an S3 bucket. The security team requires that the credentials used should automatically rotate and not be stored directly. Which IAM construct should you use?

IAM Role (C)

A company wants to give a third-party application access to specific AWS resources, but the number of principals accessing AWS is high and unidentified. Which IAM entity is best suited for this use case?

IAM Role (C)

Which AWS service provides a secure method to grant access to AWS resources leveraging security best practices, like temporary credentials, but still allowing for cross-account access?

STS (Secure Token Service) and IAM Roles (C)

You need to allow a workload running inside your AWS account to be assumed by an external identity. Which two types of policies would you need to have configured?

Trust and Permissions Policy (C)

A security engineer is setting up IAM permissions for a new project. They need to ensure that no matter what permissions are added in the future, developers can never terminate EC2 instances. What approach should they take?

Implement an AWS Organizations Service Control Policy (SCP) to deny the ec2:TerminateInstances action at the account level. (D)

An application running on EC2 needs to access S3. Which identity should be used to avoid hardcoding static credentials?

IAM Role (B)

A company is designing its IAM strategy. They want to ensure that they follow the principle of least privilege while minimizing administrative overhead. The company has a team dedicated to access management. Which AWS IAM capability allows for the separation of who creates roles from who can assume them?

PassRole Permissions (C)

A company uses AWS Organizations with multiple accounts. They need to prevent developers from using specific resource types in all accounts. What is the MOST effective way to achieve this?

Implement Service Control Policies (SCPs) in AWS Organizations to restrict the use of these resources. (C)

A large organization with thousands of employees wants to integrate their existing on-premises Active Directory with AWS to manage access to AWS resources. Which approach should they use to avoid exceeding IAM limits, like the limit on total number of users?

Set up Identity Federation using IAM roles to allow Active Directory users to assume roles and access AWS resources. (D)

Your company is implementing IAM roles within its AWS environment to follow security best practices and is unsure where to start. Which one of the following AWS-documented IAM reference architectures is the correct one to choose?

Multi-account AWS environments use IAM roles with administrators in a central 'identity' or primary authentication account. (A)

You want a mechanism that creates cloud infrastructure in your different AWS accounts, as many organizations commonly do. You decide to enforce a common account-creation solution for developers, designed to standardize the creation of new accounts with a pre-defined baseline. Which one of the following tools is most appropriate?

You should use the AWS Account Factory to standardize new accounts via Service Catalog. (B)

You are a security engineer setting up AWS Control Tower. You need to ensure that all S3 buckets are encrypted by default and that no user can disable this encryption. What type of guardrail should you implement?

Mandatory Guardrail using SCP (D)

An organization is setting up AWS Control Tower. They require a centralized location to perform security audits across all accounts in their Landing Zone. Which action best supports their requirement?

Direct the team to the log archive account. (B)

When creating a service-linked role, what is typically the format of the resource element at the end of the AWS ARN?

It is advisable but not completely compulsory to refer to AWS documentation due to its complexity. (D)

What is the primary distinction between a service-linked role and a regular IAM role?

Service-linked roles are automatically created and managed by AWS services, while regular IAM roles are managed by users. (C)

What is the effect of attaching a service control policy with an explicit deny statement to the root of an AWS Organization?

The SCP restricts permissions for all AWS accounts in the organization, except for the management account. (A)

A company wants to enforce a policy that all new S3 buckets created in any of their AWS accounts be in the us-east-1 region. The company wants to use a central configuration across all accounts. Given these requirements, which is the BEST way for the company to enforce this policy?

Implement Service Control Policies (SCPs) in AWS Organizations to restrict S3 bucket creation to the us-east-1 region. (A)

In AWS Organizations, how does consolidated billing affect the individual billing methods of member accounts?

The individual billing methods are removed for member accounts, and billing is managed through the management account. (C)

A security engineer is tasked with implementing centralized logging and auditing across all AWS accounts in an AWS Organization. Which AWS service is MOST suited for collecting a comprehensive record of all API calls made within each account?

AWS CloudTrail (C)

You have configured a CloudTrail trail to send logs to an S3 bucket. However, you're missing log data for global services like IAM. What do you need to do to ensure that a trail is picking up the global events?

Enable Global Service Events Logging to capture logs from all AWS services. (C)

You need to audit and secure your AWS infrastructure. What tool within the AWS ecosystem would give you insight if someone performed an ec2:RunInstances call?

CloudTrail (C)

CloudTrail has just been configured to deliver to CloudWatch Logs. You've noticed that every log group is being flagged as non-compliant. Which tool should be incorporated for security compliance checks?

AWS Config (B)

An organization has implemented CloudTrail for logging API activity. They want to set up real-time alerting. How can the alerts be accomplished?

Export the CloudTrail logs to CloudWatch Logs and create metric filters and alarms. (D)

What does a CloudTrail trail configured for all regions provide?

A collection of trails in every AWS region. This is managed as one logical trail and if AWS adds any additional regions, then the trails are automatically updated. (D)

IAM, STS, and CloudFront are global services; where is their logged data captured?

These cloud services log all data into the us-east-1 region. (D)

Your company has recently set up a new AWS multi-account environment using AWS Organizations. The company also has a requirement to restrict the existing and new AWS regions that may be used in the environment. Which one of the following AWS services is best used in such circumstances?

Using Control Tower Service Control Policies allows administrators to set up regions and disallow bucket policy changes. (A)

You are setting up Control Tower in your organization to better manage multi-account environments. When completing a Control Tower setup, which accounts are implemented inside the foundational units?

Audit and Log Archive Accounts only. (A)

Now that you have enabled AWS Organizations and want to set an implicit deny for an S3 bucket, which list would apply?

The implicit deny blocks access to everything. (D)

Given an environment where AWS Organizations and SCPs are in place, which action is NOT permissible?

AWS config provides configuration for both preventive and detective controls. (A)

The most effective technique for maintaining governance and account access management at scale is to set up a landing zone. What are two examples of things that are included?

Organizations and the IAM Identity Center (AWS SSO)'s successor and multi-account Id federation. (C)

You are a security engineer in an AWS environment using Control Tower. What is a key consideration when designing preventative and detective controls in AWS?

You should have preventative and detective controls, and it is useful to have an understanding of service behavior. (A)

You need to set up an organization configuration and need all accounts to use the same networking setup. What tool should you use?

Using a baseline network. (D)

What is the purpose of the AWS account root user?

To perform tasks requiring unrestricted access within the AWS account. (D)

What level of access management is offered to specific or special rights?

Special circumstances, inline roles, and/or exceptional access rights. (A)

Why would you want to use IAM user accounts instead of AWS roles within your applications?

To ensure that each process requires long lived security credentials and that you would want to avoid a situation or need to rotate. (C)

You have an emergency or out-of-the-ordinary scenario. In your security structure, what is another situation where roles might be useful?

During events where a team needs more help or access. (A)

You want to allow some of your identities in one AWS account to access a certain object in another AWS account. Which statement best facilitates a simple architecture for setting up credentials to interact with objects in another AWS account?

It is best to use a role in a particular AWS account with the proper credentials that can be used to upload objects. (B)

You want to reuse your on-premises identities to assume other AWS roles in such a manner as to not require further authentication prompts. What is this process known as?

Identity federation. (D)

Which are the best services to integrate into your applications that have millions of users for permissioning?

Web Identity Federation which uses IAM Roles. (D)

To store data into a CloudWatch Log group from a Linux operating system, which of the following configuration steps are required?

To store the logs to CloudWatch logs, there must be an agent installed (D)

In AWS IAM, what determines if a statement will grant or deny access to the specified resources and actions?

The Effect, which can be either 'Allow' or 'Deny'. (B)

When multiple IAM policies apply to a single AWS identity, and one policy allows an action while another explicitly denies it, which policy takes precedence?

An explicit deny always overrides an explicit allow. (A)

How does AWS evaluate IAM policies when a user attempts to access a resource, and multiple policies apply?

AWS consolidates all applicable policies and applies them together, with explicit denies overriding allows. (B)

You are managing IAM permissions for a new application and need to restrict access to a particular S3 bucket, where the objects themselves should also be secured. Which ARN will apply?

arn:aws:s3:::bucketname/* (D)

What is the significance of using a double colon (::) in an ARN within AWS IAM policies?

It replaces a value that does not need to be specified. (C)

Which of the following statements accurately describes the relationship between IAM users and IAM groups?

IAM users can be members of multiple IAM groups and inherit the combined permissions of all groups to which they belong. (A)

Which of the following statements correctly differentiates between IAM users and IAM roles within AWS?

IAM users are typically associated with a single person or application using long-term credentials, whereas IAM roles are designed for short-term access and can be assumed by multiple entities. (B)

In the context of AWS IAM, which of the following is a key benefit of using roles over IAM users?

Roles provide a way to grant permissions without needing to create or manage long-term credentials for users or applications. (C)

When should you use an inline policy?

Granting unique, non-reusable permissions to a single IAM identity. (B)

What is a primary difference between AWS-managed policies and customer-managed policies?

AWS-managed policies are created and maintained by AWS, while customer-managed policies are created and maintained by the user. (B)

What is the maximum number of IAM users allowed per AWS account?

5,000 (A)

An application is reporting failed login attempts for a million different users, and the architecture uses IAM to specify each individual user. What is the next appropriate action?

Use Federation with IAM Roles. (A)

What condition must be present for external on-premises services to interact with resources in an AWS account?

Create an IAM account and use Federation with IAM Roles. (C)

Can IAM groups be considered a true identity from a resource-based permissions perspective?

No, they are for the purpose of grouping users. (D)

What is the maximum number of IAM groups that an IAM user can be a member of?

10 (D)

You are tasked to design a scalable solution for managing permissions in AWS for a large organization. How should you apply the permissions model, if your goal is least privilege?

Use IAM roles associated with federated identities and apply the necessary permissions to the roles. (D)

What are the two aspects needed to effectively implement an IAM role?

The trust policy and the permissions policy. (A)

Consider a scenario where you need to log into one AWS account without logging into the others again. Which product within the AWS ecosystem will allow you to log into one account in that organization?

IAM Roles (A)

In a multi-account AWS environment, your organization decides to implement a role-based access strategy to allow developers in a central 'Developer' account to manage resources in various 'Application' accounts. Which configuration steps must be taken?

Establish cross-account trust relationships by defining a role in each 'Application' account that the 'Developer' account's IAM users can assume. (B)

Which AWS service is best capable of generating the short-term credentials required to assume an IAM role?

STS (B)

When designing a secure architecture for applications running on EC2, what is the most relevant step?

Design the applications for assuming a role. (A)

When working with multi-account permissions, what action needs to occur first before AWS services can act on your behalf?

Use a Role. (D)

You work with a business service desk team, and want to give them read-only access to your AWS account to maintain performance and stop/start instances. What IAM action can you use?

Use an emergency Role that can be assumed with the Role's permission policies. (B)

What are possible examples of when roles are useful to implement in your application?

Emergency or out of the usable situations. (D)

You are integrating AWS with an existing corporate environment in which the existing logins have access to a variety of systems. What AWS product will allow staff single sign-on?

AWS Identity Federation (D)

When designing a popular mobile application with millions of users, what tool can be leveraged to allow users to sign in using a web identity?

Web Identity Federation which uses IAM Roles. (B)

You have a partner organization wanting to offer an application to process scientific data, and you need to store data inside an S3 bucket. Instead of your partner creating IAM users, what can your developers do to upload objects?

Have users assume that role and get temporary security credentials. (C)

Which statements below are true regarding a service-linked role?

The service can call other AWS services on your behalf, they are predefined, and can't be deleted. (A)

Can one member configure service links on a role while another member can edit that role but not create a role?

Yes, this can be achieved with the AWS service IAM and pass Role. (B)

You are the lead for CloudFormation and do not want to manage certain IAM configurations. How can developers implement IAM configurations?

Give the ability to pass Role into CloudFormation for those with proper permissions. (B)

How can AWS Organizations be used?

Restrict AWS accounts. (A)

Which statement listed below is true about a standard AWS account?

It is an AWS account which is not within an organisation. (C)

What are the two requirements needed to create a new organizational account with a single email?

A valid, unique email address. (A)

When creating an AWS account and adding it to your organization, what action is required from the pre-existing account/invite process?

Approve the invite to join the organization. (B)

You are working on an organizational unit within an environment. Why would you prefer IAM roles over a single AWS account?

To not need to have IAM users inside every single AWS account. (D)

What AWS Organizations product lets you enforce requirements with set policies?

Service Control Permissions. (D)

You are designing a production environment with multi-account capabilities. Should you manage the AWS management account yourself and not use it for AWS resources?

True, because the management account can't be restricted using service control policies. (B)

What is the two-part process for setting a service control policy?

Deny by default and allow certain services or create an initial user. (A)

When CloudTrail is configured but the data is not being received from the tool, what should the user consider?

Whether it's a regional service vs. global. (A)

When utilizing CloudTrail, you want to look at everything in CloudTrail right as it occurs. How can this goal be achieved?

CloudTrail is not the product for this goal. (D)

Where is the default trail configured on AWS?

Management events only. (A)

For CloudWatch Logs, the log endpoint is housed in the AWS public zone but is considered outside of AWS. What tool is commonly used to solve this?

The Unified Agent. (B)

Which AWS service does AWS Control Tower utilize for multi-account structure?

AWS Organizations. (C)

When implementing AWS Control Tower, which product has limited control?

Management Accounts. (A)

Which statement appropriately describes a guardrail?

Essentially a rule for multi-account governance. (B)

Which scenario represents the MOST secure and operationally efficient method for granting AWS Lambda functions access to other AWS resources?

Configuring a Lambda execution role with a trust policy that trusts the Lambda service, and includes a permissions policy to grant access to necessary AWS resources. (A)

Given a scenario where an organization wants to enforce granular restrictions on which AWS services and actions can be used within their accounts, even by the root user, which AWS Organizations feature should they leverage?

Service Control Policies (SCPs) attached to the organization root. (D)

An organization with a diverse set of AWS accounts needs a unified solution for identifying and addressing misconfigurations related to security and compliance. Which strategy offers the MOST comprehensive visibility and remediation capabilities?

Implementing AWS Config rules across all accounts, aggregated in a central dashboard. (D)

A security engineer is tasked with setting up long-term storage and analysis of AWS account activity logs. Which approach provides the MOST comprehensive solution while optimizing for cost and security?

Forwarding all CloudTrail logs to a central S3 bucket with server-side encryption and lifecycle policies for data retention, combined with scheduled AWS Athena queries for analysis. (C)

An organization needs to provide its security team with the ability to investigate unusual API activity across all AWS accounts. Which logging and monitoring configuration would support the near real-time assessment of unusual patterns?

Configuring CloudTrail Insights with CloudWatch Alarms. (B)

Which AWS Organizations feature offers the MOST direct method to centrally manage and enforce the regions in which AWS resources can be provisioned across all accounts?

Service Control Policies (SCPs). (D)

In an environment managed by AWS Control Tower, how can you programmatically create new accounts that automatically conform to the organization's established security and networking baselines?

Using the Control Tower Account Factory through the Service Catalog. (A)

When using AWS Organizations, what is the impact of applying a Service Control Policy (SCP) that explicitly denies access to a specific service to the root of the organization?

It prevents the service from being accessed by any account in the organization, including the management account. (C)

An organization with a large number of existing on-premises identities wants to enable seamless AWS access without duplicating users in IAM or requiring them to re-authenticate. What architectural approach offers the MOST scalable and secure solution?

Configuring Identity Federation using AWS IAM Identity Center (successor to AWS SSO). (D)

A company is designing a mobile application that will be used by millions of users. What is the MOST appropriate method for authenticating these users with AWS resources?

Use web identity federation with IAM roles. (D)

A company needs to grant access to resources in their AWS account to a partner organization. The partner organization has its own AWS accounts and IAM users. How can this be achieved MOST securely?

Create an IAM role in the company's AWS account that the partner organization can assume. (D)

What is the KEY factor that determines whether an all-regions AWS CloudTrail trail captures global service events, such as those produced by IAM?

Global service event logging must be enabled on the CloudTrail trail. (D)

A company wants to implement a policy that automatically encrypts all S3 buckets created in their AWS environment and prevents users from disabling this encryption. Which AWS service and feature would BEST meet this requirement?

AWS Organizations using Service Control Policies (SCPs). (A)

An organization has several AWS accounts organized using AWS Organizations and requires a centralized, immutable record of all API calls made within each account for compliance purposes. Which of the following services would BEST support this requirement?

AWS CloudTrail (A)

An administrator is tasked with troubleshooting an application error and needs to determine which IAM role was used by an EC2 instance when making calls to DynamoDB. Which AWS service provides the MOST detailed information about the identity used for each API call?

AWS CloudTrail (B)

Flashcards

IAM Policies

A type of policy that attaches to identities inside AWS (IAM users, groups, roles).

IAM Identity Policy

A set of security statements that grant or deny access to AWS products and features.

Authentication

The process of proving an identity to AWS.

Amazon Resource Name (ARN)

A unique identifier for AWS resources.


Effect (in IAM Policy)

Controls what AWS does if an action and resource match.


Explicit Deny

First priority in AWS security; nothing can overrule it.


Default Implicit Deny

Takes effect only if there's no explicit allow or deny.


Managed Policies

JSON policy documents created as their own object.


Inline Policies

JSON policy documents applied individually to accounts.


AWS-Managed Policies

Created and managed by AWS.


Customer-Managed Policies

Created and managed by the user.


IAM User

An identity used for programs or people that need extended access to AWS services.


Principal

Represents an entity trying to access an AWS account.


Authentication

Process where a principal proves to IAM who they claim to be.


Username and Password

Used by humans when logging into the AWS console.


Access Keys

Used by programs when accessing AWS.


Authorization

Checking the statements applied to someone in IAM allowing an action to occur.


ARNs

Uniquely identify resources within AWS accounts.


IAM groups

Containers for IAM users. They exist to make managing large sets of IAM users easier.


Effective Administration Style

Allow effective administration style management of users.


IAM policies

In AWS, IAM groups can have policies attached to them.


AWS user group ability

An AWS IAM user can be a member of multiple groups.


All users aws group

Denotes that there isn't a built-in all-users group inside AWS.


AWS IAM nesting limitation

You can't nest IAM groups.


AWS IAM group limitation

AWS IAM roles has what kind of user limit for an account.


AWS resource policy

AWS IAM roles aren't designed with access.


AWS identity

An AWS identity which can assume a role and gain access.


IAM Roles

Two types of policies which can be attached, the trust and permission policy.


Temporary security credentials

These are what you get with a time limit.


AWS Roles to log in

Allow us to log into the AWS organization and access different accounts without logging in again.


AWS Lambda

AWS services often operate on your behalf.


Hard coding AWS function

This would have coding some permission in explicit, but hard. For Lambda function.


Emergency access situations

Emergency AWS or out of the usual situations.


S3 cannot use AD

External accounts that be used directly.


IAM generate

These get generated and we can use them for S3 when AD has an account.


ID Federation

Allows permission to get to access an account.


AWS Account Role

An IAM role inside your AWS account to be assumed.


use IAM Roles

That when, when you use the resource.


use IAM Roles also

Means existing customer logins


Access to IAM

It is that role's trust policy.


AWS organization

Allows you to quickly manage multiple AWS accounts.


Standard AWS account

AWS account which is apart from the company itself.


AWS management account

This becomes the AWS management account for the organization.

Signup and view all the flashcards

After join

Join the AWS organization together.

Signup and view all the flashcards

AWS Organization accounts

They can be AWS member or AWS management accounts.

Signup and view all the flashcards

Organization Root

Just a container for AWS accounts witch exists.

Signup and view all the flashcards

5000 IAM Root.

That accounts is limited to 5000 IAM user.

Signup and view all the flashcards

Account types

AWS services on both consolidated billing.

Signup and view all the flashcards

AWS can create,

restrict what accounts in the organization can do.

Signup and view all the flashcards

Not AWS manage system

Are the container itself

Signup and view all the flashcards

Is there something limited

Cloud watch access is what kind of service.

Signup and view all the flashcards

Study Notes

IAM Identity Policies

  • IAM policies attach to identities inside AWS like IAM users, groups, and roles.
  • Understanding IAM policy architecture, reading policies, and writing them are essential for AWS solution design and implementation.
  • An IAM identity policy is a set of security statements granting or denying access to AWS products and features for the identity using the policy.
  • Identity policies are created in JSON format.

IAM Policy Documents

  • At a high level, a policy document is composed of one or more statements.
  • The statements grant or deny permissions to AWS services.
  • Identities must prove themselves to AWS through authentication.
  • Post authentication, the identity becomes an authenticated identity.
  • AWS knows which policies an identity has, even multiple policies.
  • AWS compiles all statements from policies applying to the identity.
  • AWS knows which resources are being interacted with and the actions being performed.
  • AWS reviews each statement one-by-one to check if any apply to the request.

IAM Policy Statement Breakdown

  • The first part of a statement is the optional Statement ID (SID).
  • SID identifies the statement and its purpose.
  • Interactions with AWS require a resource and actions to be performed on that resource.
  • A statement applies if the interaction matches the action and the resource.
  • Action: Specifies what actions the statement matches by either listing specific actions, using wildcards (s3:*), or listing multiple individual actions.
  • Resources: The resources part of a statement must match AWS resources, specified individually, in a list, or using wildcards.
  • To refer to individual resources, use the ARN (Amazon Resource Name) format.
  • Effect: Specifies whether the statement allows or denies access; it controls what AWS does if the action and resource parts of a statement match the attempted operation.
  • A statement with an "allow" effect will allow access to that resource using those actions.
  • A statement with a "deny" effect will deny access to that resource using those actions.
  • It is possible to be both allowed and denied at the same time.

IAM Policy Conflicts

  • Explicit Deny: If a statement explicitly denies access to something, it always takes precedence, overruling any allows.
  • Explicit Allow: If there is an explicit allow and no explicit deny, access is granted.
  • Default Implicit Deny: AWS identities start with no access, and if there are no allows or explicit denies, the default implicit deny applies.
  • The rule is always evaluated in this order: explicit Deny, then explicit Allow, then the default implicit Deny.

Multiple Policies

  • AWS collects all statements in all policies that apply to the user directly, the groups the user is in, and resource policies on the resources that the user is attempting to access.
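The evaluation order described above (explicit deny, then allow, then implicit deny) applied to statements gathered from several policies, as an added example that is not part of the lesson. The two policies are constructed to mirror the quiz scenario: one allows all S3 actions on everything, the other denies everything on one bucket. The matching is a simplification of real IAM (no Condition, NotAction or NotResource elements, and no Principal handling for resource policies).

```python
"""Simplified IAM policy evaluation: explicit deny > explicit allow > implicit deny.
Added example, not lesson code. Wildcards use IAM's '*' and '?' semantics via fnmatch."""
from fnmatch import fnmatchcase

# Constructed sample policies: an allow on all S3 actions and a deny on one specific bucket.
IDENTITY_POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowAllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
        ],
    },
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOneBucket",
                "Effect": "Deny",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::example-secret-bucket",
                    "arn:aws:s3:::example-secret-bucket/*",
                ],
            }
        ],
    },
]


def _as_list(value):
    """IAM allows a single string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """True if any pattern matches the value; action names are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def statement_applies(statement, action, resource):
    """A statement applies only when both its Action and its Resource match the request."""
    return _matches(statement["Action"], action, fold_case=True) and _matches(
        statement["Resource"], resource
    )


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one action on one resource."""
    statements = [s for p in policies for s in _as_list(p["Statement"])]
    applicable = [s for s in statements if statement_applies(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "ExplicitDeny"          # an explicit deny overrules every allow
    if any(s["Effect"] == "Allow" for s in applicable):
        return "Allow"
    return "ImplicitDeny"              # identities start with no access


if __name__ == "__main__":
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::example-secret-bucket/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::example-public-bucket/report.csv"),
        ("ec2:DescribeInstances", "*"),
    ]:
        print(f"{act:24} {res:50} -> {evaluate(IDENTITY_POLICIES, act, res)}")
```

The same `evaluate` function can be fed the statements of inline, managed and group policies together, which is exactly what AWS does before applying the deny/allow/deny rule.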

Policy Types

  • Inline Policies: Assigned directly to a user.
  • Managed Policies: Created as their own object and attached to multiple identities.
  • AWS-managed policies are created and managed by AWS.
  • Customer-managed policies are created and managed by the user.
  • Inline Policies: Exceptional allows or Denies for a particular user.
  • AWS-managed Policies: Don't need to maintain, but might not fit exact needs.
  • Customer-managed Policies: Can create and manage to exact business requirements.

IAM Users

  • IAM users can be used to access your AWS account.
  • Examples: humans, applications, or service accounts.
  • 99% of the time the correct identity to select is an IAM user for a single, named thing.
  • The process begins with a principal attempting to access an AWS account, which requires authentication against an identity within IAM.

Authentication

  • Authentication is the process where the principal proves to IAM that it is who it claims to be.
  • Authentication for IAM users is done using either a username and password or access keys; both are examples of long-term credentials.
  • After authentication, the principal becomes an authenticated identity.
  • The authenticated identity must be able to prove to AWS that it is indeed the identity it claims to be.
  • Now AWS knows which policies apply to that identity.

AWS Authorization

  • Authorization is separate from authentication.
  • Authorization is verifying the authenticated identity is allowed to perform an action against a resource.

Amazon Resource Names (ARNs)

  • ARNs uniquely identify resources within AWS accounts.
  • ARNs are needed to refer to these resources in an unambiguous way when using the command line or APIs.
  • ARNs refer to a single resource, or to a group of resources when using a wildcard.
  • It has a specific format, with some slight differences between services.
  • Not specifying a region (leaving the field empty) and specifying a star (*) don't mean the same thing.
  • Generally use the double colon (an empty field) when something doesn't need to be specified.
  • Use a star when referring to a collection of things.
  • The partition value for standard AWS regions is aws.

ARN Structure

  • ARN Partition: The partition the resource is in; aws for standard regions, aws-cn for China.
  • ARN Service: The AWS product's namespace, e.g. "s3", "iam", "rds".
  • ARN Region: The resource's region.
  • ARN Account ID: The AWS account ID that owns the resource.
  • ARN Resource or Resource type: The last part is either the resource name or the resource type followed by the resource name.

IAM User Limits

  • An AWS account can only have 5000 IAM users.
  • An IAM user can be a member of 10 IAM groups at most.
  • Solutions to the former involve using federation or IAM roles.

IAM Groups

  • IAM groups are containers for IAM users to make organizing large sets of IAM users easier.
  • IAM groups have no credentials; you cannot log in to IAM groups.

IAM Group Benefits

  • IAM groups allow effective administration style management of users.
  • IAM groups can have policies attached to them, both inline and managed.
  • When an IAM user is added as a member of a group, that user gets the policies attached to that group.
  • AWS merges all policies: those attached directly to the user and those from each group membership.

IAM Group Limitations

  • There is no built-in "all users" group inside IAM.
  • There is no nesting of IAM groups; you can't have groups within groups.
  • There is a limit of 300 groups per account, which can be increased with a support ticket.
  • Resource policies cannot grant access to an IAM group.

IAM Roles

  • IAM roles are an identity in an AWS account.
  • An IAM user is generally designed for situations where a single principal uses that IAM user.
  • Roles are suited to being used by an unknown number of principals, or by multiple principals.
  • General guideline for using roles: if you can't identify the number of principals which use an identity, or if you have more than 5000 principals, it could be a candidate for an IAM role.
  • Roles should generally be used on a temporary basis.

Role vs User

  • While both offer access rights, roles can be assumed for short-term access.

Trust and Permissions Policies

  • IAM users have identity permissions policies attached to them that control what the identity gets inside AWS.
  • IAM roles have two types of policies: trust and permissions.
  • The trust policy controls which identities can assume that role.
  • The trust policy can reference identities in the same or other AWS accounts.
  • Upon assumption of a role, AWS generates temporary security credentials very much like access keys.
  • After expiration, the identity needs to reassume the role for new credentials.
  • The temporary credentials have whatever access is specified in the permissions policy (its actions and resources).
  • There are also multiple organizational tools in the AWS stack which use roles, including AWS SSO across accounts.
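The two policies on a role and the temporary credentials that an assumption produces, modelled as an added example that is not part of the lesson. The role ARN, account IDs and bucket names are constructed, and the trust check is a simplified model of sts:AssumeRole: it handles only the Principal element (an exact ARN, an account's `:root`, or `*`) and the aws:MultiFactorAuthPresent condition key, with expiry tracked as unix time.

```python
"""Trust policy (who may assume) vs permissions policy (what the role may do),
plus expiring temporary credentials. Added example, not lesson code."""
from dataclasses import dataclass

ROLE_ARN = "arn:aws:iam::111111111111:role/ExampleCrossAccountReader"   # constructed

# Trust policy: any identity in account 222222222222 may assume the role, but only with MFA.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Permissions policy: what the temporary credentials can do once the role is assumed.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-shared-data", "arn:aws:s3:::example-shared-data/*"],
    }],
}


def _account_of(arn):
    return arn.split(":")[4]


def _principal_trusted(principal, caller_arn):
    """'*' trusts everyone; an account's :root trusts every identity of that account."""
    if principal == "*":
        return True
    if principal.endswith(":root") and _account_of(principal) == _account_of(caller_arn):
        return True
    return principal == caller_arn


def can_assume(trust_policy, caller_arn, mfa_present):
    """True if an Allow statement for sts:AssumeRole admits the caller and its conditions hold."""
    for st in trust_policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principals = st["Principal"].get("AWS", [])
        principals = principals if isinstance(principals, list) else [principals]
        if not any(_principal_trusted(p, caller_arn) for p in principals):
            continue
        needs_mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        if needs_mfa and not mfa_present:
            continue
        return True
    return False


@dataclass
class TemporaryCredentials:
    role_arn: str
    expires_at: float          # unix time; after this the role must be re-assumed

    def valid_at(self, now):
        return now < self.expires_at


def assume_role(caller_arn, mfa_present, now, duration_seconds=3600):
    """Return temporary credentials for ROLE_ARN, or None when the trust policy refuses."""
    if not can_assume(TRUST_POLICY, caller_arn, mfa_present):
        return None
    return TemporaryCredentials(ROLE_ARN, now + duration_seconds)


def allowed_actions(credentials, now):
    """Actions the credentials grant right now: nothing once they have expired."""
    if credentials is None or not credentials.valid_at(now):
        return []
    return [a for st in PERMISSIONS_POLICY["Statement"] if st["Effect"] == "Allow" for a in st["Action"]]


if __name__ == "__main__":
    t0 = 1_700_000_000
    creds = assume_role("arn:aws:iam::222222222222:user/alice", True, t0)
    print("at assumption:", allowed_actions(creds, t0))
    print("two hours later:", allowed_actions(creds, t0 + 7200))
    print("no MFA:", assume_role("arn:aws:iam::222222222222:user/alice", False, t0))
```

The split matters for review: a role whose permissions policy is tight is still a problem if its trust policy says `"Principal": {"AWS": "*"}`, because that lets any AWS account attempt the assumption.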

Uses for IAM Roles

  • AWS services often use IAM roles to act on your behalf.
  • Roles are well suited when the number of principals is unknown or there are multiple principals.

When to Use IAM Roles

  • AWS Services: AWS services acting on your behalf need access rights to perform certain actions.
  • Emergency Scenarios: for example, Wayne assumes an emergency role and gains additional permissions.
  • Adding AWS into an Existing Corporate Environment
  • IAM roles can be used to reuse existing identities within AWS, because external accounts can't be used directly.
  • Web Identity Federation
  • This is a way for mobile identities or other external identities to assume a role.
  • Cross-Account Access: Roles can be used across accounts to give access to individual resources.

Service-Linked Roles

  • Service-linked roles are linked to a specific AWS service with predefined permissions; the service can interact with other AWS services on your behalf.
  • The services create service-linked roles; might allow user to create during setup or in IAM.
  • You can't delete a service-linked role until it is no longer required, unlike a normal role, which you can delete at any time.

Role Separation

  • Grant one group the ability to create and assign roles to another group of administrators.
  • If you want someone to use a pre-existing role with a service but not create or edit the role, grant the PassRole permission (iam:PassRole).

AWS Organization

  • AWS Organizations allows businesses to manage multiple AWS accounts cost effectively and with no management overhead.
  • It is a simple product to understand. Start with a single AWS account, referred to as a standard AWS account from now on: a standard AWS account is an AWS account which is not within an organization.

Creating an Organization

  • The organization isn't created inside a standard AWS account.
  • The standard AWS account becomes the management account. The terms master account and management account mean the same thing; management account is the current name.
  • You can invite other accounts into the organization. The other accounts need to approve the invites to join the organization.
  • The organization has exactly one management account.

AWS Organization Structures and Consolidation

  • Hierarchy: an AWS Organization forms an inverted tree.
  • Root: the container of all AWS accounts (member accounts and the management account) and organizational units (OUs).
  • Nested structure: the root contains organizational units, which can in turn contain accounts and further OUs.
  • Don't confuse the organization root with the root user, which is specific to an individual AWS account.
  • Billing: consolidated billing removes financial overhead and can reduce cost.
  • Consolidated Billing: the organization receives a single monthly bill instead of one per account.

AWS SCPs

  • Service control policies can restrict AWS accounts within the organization. These are important, and there is a dedicated lesson later.
  • New accounts can be created directly inside the organization; a valid email is needed for each new AWS account.
  • Have a single, general set of user logins with permissions managed via IAM.
  • On-premises connection: have a separate account that handles logins, and access the other accounts from that account by switching roles. This is the organizational pattern for all identity switching.

Service Control Policies

  • Purpose: Restrict AWS accounts.
  • Inheritance: SCPs inherit down the organizational tree. An SCP attached to an organizational unit impacts the accounts within that OU and within its nested OUs.
  • Management account exception: the management account is never impacted by service control policies.
  • Control type: SCPs are account permission boundaries. They limit what the account is authorized to do, but they don't grant permissions by themselves.

Service Control Policies : Allow vs Deny

  • Allow list vs deny list: an SCP can either list the services that are authorized (allow list) or keep the default full access and list what is denied (deny list). Anything the SCP doesn't allow falls under an implicit deny.
  • Allow list: remove the default FullAWSAccess policy, which leaves the implicit default deny, and then add the services to allow.
  • Deny list: keep FullAWSAccess and add explicit Deny statements. SCPs act at the control plane (API calls), e.g. to protect CloudTrail, so implement them as very specific policies.
  • SCPs are one half of a two-part architecture: the SCP sets what the account may do, and identity policies grant access within that limit; effective permissions are where both agree.
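The two SCP strategies and the way an SCP combines with identity policies, as an added example that is not part of the lesson. Both SCPs and the identity policy are constructed; the account IDs are placeholders. The evaluation here looks at actions only (no resources or conditions), which is enough to show that an action is effective only when both the SCP and the identity policy allow it, and that the management account is exempt.

```python
"""Deny-list vs allow-list service control policies and their intersection with identity policies.
Added example, not lesson code. Actions only; resources and conditions are ignored."""
from fnmatch import fnmatchcase

MANAGEMENT_ACCOUNT = "111111111111"   # constructed placeholder
MEMBER_ACCOUNT = "222222222222"       # constructed placeholder

# Deny-list style: the AWS-managed FullAWSAccess statement stays, explicit denies are added.
DENY_LIST_SCP = [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*"},
    {"Sid": "ProtectTrail", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
]

# Allow-list style: FullAWSAccess removed, so only the listed services escape the implicit deny.
ALLOW_LIST_SCP = [
    {"Sid": "OnlyS3AndEC2", "Effect": "Allow", "Action": ["s3:*", "ec2:*"]},
]

# Constructed identity policy of a broad user in the member account.
IDENTITY_POLICY = [
    {"Sid": "PowerUser", "Effect": "Allow", "Action": ["s3:*", "ec2:*", "cloudtrail:*", "iam:*"]},
]


def _action_matches(patterns, action):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def decision(statements, action):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else implicit 'Deny'."""
    hits = [s for s in statements if _action_matches(s["Action"], action)]
    if any(s["Effect"] == "Deny" for s in hits):
        return "Deny"
    return "Allow" if any(s["Effect"] == "Allow" for s in hits) else "Deny"


def effective(account_id, scp, identity_policy, action):
    """An action works only if the identity policy allows it AND the SCP allows it.
    The management account is never restricted by SCPs."""
    identity_ok = decision(identity_policy, action) == "Allow"
    if account_id == MANAGEMENT_ACCOUNT:
        return identity_ok
    return identity_ok and decision(scp, action) == "Allow"


if __name__ == "__main__":
    for name, scp in [("deny list", DENY_LIST_SCP), ("allow list", ALLOW_LIST_SCP)]:
        for action in ["s3:PutObject", "iam:CreateUser", "cloudtrail:StopLogging"]:
            print(f"{name:10} {action:24} member -> {effective(MEMBER_ACCOUNT, scp, IDENTITY_POLICY, action)}")
```

The allow-list form is the stricter default: a new service is unusable in member accounts until the SCP is updated, whereas the deny-list form leaves every service reachable except the ones explicitly named.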

CloudWatch Logs

  • Public service: can be used from AWS or from on-premises.
  • Allows you to store, monitor and access logging data.
  • Sources include EC2, VPC Flow Logs and CloudTrail.
  • Metric filters: generate metrics based on log data (also known as metric filters). For example, Linux instances can have their operating-system log files injected into CloudWatch Logs.

CloudWatch Logs Architecture

  • CloudWatch Logs is all about storing log streams and log events. It is a regional service.
  • It starts with logging sources: AWS services, servers, and even external APIs.
  • Those sources inject data into CloudWatch Logs as log events: a timestamp plus a message.
  • Log events are stored inside log streams, and a log stream holds the events from one exact source (e.g. the same log file on one EC2 instance). This is the high-level architecture.
  • Log groups contain one or more log streams, for example the /var/log/messages streams from instances with different names.
  • Every time an item is added to /var/log/messages on an instance, one log event is added to that instance's log stream.
  • The log group is also where configuration is stored: retention settings and permissions are set here and apply across all streams in the group (for storage and monitoring).

Metric filters

  • Metric filters constantly review incoming log events for patterns.
  • A matching pattern produces a metric, and metric alarms can be set on that metric.
