Questions and Answers
Which AWS service component grants or denies permissions to AWS resources?
- IAM Groups
- IAM Roles
- IAM Users
- IAM Policies (correct)
What is the initial step an identity must take when attempting to access AWS resources?
- Authentication (correct)
- Enumeration
- Authorization
- Compliance
What does the 'Effect' element of an IAM policy statement control?
- The specific actions that the identity can perform.
- Whether the policy allows or denies the specified actions. (correct)
- The conditions under which the policy is in effect.
- The AWS resource(s) that the policy applies to.
An IAM policy includes the following two statements:
- An explicit allow for s3:* on arn:aws:s3:::examplebucket
- An explicit deny for s3:GetObject on arn:aws:s3:::examplebucket/confidential/*
What is the outcome? Assume the user attempts to access a document within the 'confidential' folder.
What is the main difference between an inline policy and a managed policy?
In which situation would using an inline policy be most appropriate?
What are the two primary types of managed policies available in AWS?
Which of the following can access AWS resources?
What type of identity is best suited for a scenario in which multiple principals need to make use of it?
When should an IAM role be used instead of an IAM user?
What are the two types of policy related to IAM roles?
What service is used to generate temporary security credentials when assuming an IAM role?
Your company needs AWS Lambda to be able to access S3 buckets in order to perform backups. What is the recommended way to grant Lambda this access securely?
Under which scenario would you use IAM Roles?
Which of the following best describes a "break glass" scenario in the context of IAM roles?
What is the purpose of AWS Organizations?
Which of the following statements is true regarding the management account in AWS Organizations?
Which AWS Organizations construct allows you to group accounts for organizational purposes, such as by department or environment?
What is a primary benefit of consolidated billing in AWS Organizations?
Which statement is most accurate about how AWS Organizations handles existing AWS accounts?
Which of the following can be defined in service-linked roles?
When using service-linked roles, what is the key difference between them and normal roles?
Alice wants to build the policy which allows her to pass a service role from TeamA into TeamB. What components must Alice define?
Which of the following is a key distinction of service-linked roles?
Your company must log all API calls made within the AWS account for security and compliance reasons. Which service provides this functionality?
By default, how long does CloudTrail store events in the Event history?
What is the difference between management events and data events in CloudTrail?
Which AWS Control Tower feature provides single-page oversight of the entire organization?
A company is using AWS Organizations with several member accounts. They need to ensure that no IAM user in any of the member accounts can launch EC2 instances in the eu-west-1 region. What is the MOST effective way to achieve this?
What does a service control policy control?
Which of the following accurately describes a key characteristic of service control policies (SCPs) in AWS Organizations?
What are the two modes in which AWS service control policies can be used?
You're designing a multi-account AWS environment and want to implement guardrails to ensure that all accounts comply with specific security standards. Which AWS service provides the ability to centrally manage and enforce these guardrails across all accounts?
What are CloudWatch Logs?
At a basic level, what are the components of CloudWatch Logs data?
You have a Linux instance whose SSH activity you'd like to monitor. Which technology do you implement to capture and ship that logging information?
What is the function of Log Streams in AWS CloudWatch Logs?
Which of the following best describes a CloudTrail trail configured to log global service events?
Which of the following accurately states one of the limitations of using CloudTrail for logging?
How are data events and management events described in CloudTrail Essentials?
What is a key benefit of setting up an organizational trail in CloudTrail?
What type of resource performs orchestration in a multi-account environment in AWS?
You have to set up and provision a multi-account environment to be used by your company. Which service is best for setting up this multi-account environment?
In an IAM policy, what is the purpose of the 'Sid' element within a statement?
What is the effect of including s3:* within the 'Action' element of an IAM policy statement?
How does AWS evaluate multiple IAM policies attached to an identity when determining access to a resource?
In the context of IAM policies, what is the effect of an explicit 'deny' statement?
If a user has an IAM policy that allows access to all S3 buckets, but is also a member of a group with a policy that denies access to a specific S3 bucket, what will the user's effective permissions be regarding that specified bucket?
By default, what level of access do new IAM users have to AWS resources?
You need to grant a developer temporary access to create and manage EC2 instances. Which of the following approaches is the MOST secure?
What is the primary purpose of an Amazon Resource Name (ARN)?
In an ARN structure, what does the 'service' component represent?
What does arn:aws:s3:::examplebucket refer to?
What is the difference between arn:aws:s3:::examplebucket and arn:aws:s3:::examplebucket/*?
When should you generally use an IAM inline policy?
When should you choose a managed IAM policy over an inline policy?
Which of the following is TRUE regarding an IAM group?
You have a scenario where a user needs to perform tasks that require permissions from multiple roles. What is the AWS recommended way to handle this requirement?
Your company uses IAM roles to grant EC2 instances access to S3 buckets. You need to ensure that even if an instance is compromised, the attacker cannot use the instance's credentials indefinitely. How can you ensure this?
You have created an IAM Role for an application running on an EC2 instance. After a while, you notice that the application is experiencing 'access denied' errors. What is the MOST likely reason for this?
When using IAM roles within AWS Organizations, what does the trust policy of the IAM role define?
An organization uses AWS Organizations with multiple accounts. They want to grant an external vendor access to a specific S3 bucket in one of their member accounts. What's the recommended approach?
Which of the following best describes the function of AWS Organizations organizational units (OUs)?
In AWS Organizations, the management account has some special restrictions. Which of the following restrictions is true?
What is the relationship between Organizational Units (OUs) and Service Control Policies (SCPs) in AWS Organizations?
Which AWS service would you use to ensure that developers do not create EC2 instances above a certain size (e.g., m5.xlarge) within your organization's AWS accounts?
How can an organization take advantage of volume discounts and consolidated billing through AWS Organizations?
What happens to the billing of existing AWS accounts when they are added to an AWS Organization?
In CloudWatch Logs, what is the relationship between Log Events, Log Streams, and Log Groups?
You have a Linux server on-premises and want to send its system logs to CloudWatch Logs. Which component do you need to install and configure on the server?
You need to monitor the occurrence of specific error messages within your application logs in CloudWatch Logs and trigger an alarm when the error rate exceeds a threshold. How can you achieve this?
For how long are CloudTrail events stored in the Event history by default?
What is the main difference between CloudTrail 'management events' and 'data events'?
You need to investigate who accessed a specific S3 object in your AWS account. Which type of CloudTrail event should you analyze?
What does it mean to configure a CloudTrail trail to log 'global service events'?
You need to store CloudTrail logs for compliance reasons for more than 90 days. Which is the recommended method?
Within AWS Organizations, what is an 'organizational trail' in CloudTrail?
An administrator asks if they can use CloudTrail to get real-time alerts for security events. What would you say?
When setting up AWS Control Tower, which of the following components provides oversight of the entire environment?
What is the purpose of 'Landing Zone' in the context of AWS Control Tower?
What are Guardrails and how do they function in an AWS Control Tower setup?
Which AWS service is used to identify non-compliant data?
What does 'Account Factory' refer to in an AWS Control Tower setup?
When you implement Control Tower, what is true about the foundational vs custom organizational units?
When an IAM user attempts to perform an action on an AWS resource, what determines whether the action is allowed?
Your company has multiple AWS accounts managed under AWS Organizations. You need to ensure that no IAM user in any of the accounts can create new IAM roles. What is the MOST effective way to achieve this?
You need to set up centralized logging for all API calls made in your AWS Organization. Your organization consists of one management account and 20 member accounts. Which method is MOST efficient for achieving this?
Which factor is MOST important when determining whether to use an IAM user versus an IAM role?
What is the MOST important security benefit of using IAM roles instead of hardcoding AWS credentials into an application?
In the context of CloudWatch Logs, what is the hierarchical relationship between Log Events, Log Streams, and Log Groups?
When setting up an IAM role, which of the following policy types defines which principals are allowed to assume the role?
What is the MOST significant difference between an IAM inline policy and an IAM managed policy?
Your company wants to enforce a policy that all EC2 instances launched in any AWS account within your AWS Organization are of a specific instance type (e.g., t3.micro) to manage costs. What AWS service should you use to achieve this?
Which of the following statements BEST describes the purpose of an Amazon Resource Name (ARN)?
When using CloudTrail, what type of event is recorded when a user accesses data stored in an S3 bucket?
Your organization has an existing Active Directory and wants to provide its users with the ability to access AWS resources using their existing Active Directory credentials. Which approach is BEST suited for this scenario?
What is the purpose of the AWS Control Tower Landing Zone?
Your company stores application logs in CloudWatch Logs. You want to be notified immediately when a specific error message appears in those logs. What CloudWatch feature should you use?
Flashcards
IAM Identity Policy
A policy attached to AWS identities (users, groups, roles), granting or denying access to AWS resources.
IAM Policy
A set of security statements granting or denying access to AWS resources.
Statement ID (SID)
An optional field within an IAM policy statement that identifies the statement.
Action
Resource
Effect
Authentication
Amazon Resource Name (ARN)
Policy Evaluation Logic
IAM User
IAM Role
IAM Group
AWS Service Roles
ARNs
Inline and Managed Policies
5,000 user limit
Trust policy
AWS Organizations
Service-linked roles
Roles
Service Control Policies
Single principal
Multiple principal
Role separation
Predefined
SCPs
CloudTrail
CloudWatch Logs
Control Tower
Study Notes
IAM Identity Policies
- IAM policies attach to identities inside AWS
- Identities can be IAM users, groups, and roles
- Understanding IAM policies is crucial for AWS exams and solution implementation
- There are three stages to understanding policies:
- Understanding their architecture and how they work
- Gaining the ability to read and understand the policy
- Learning to write them
IAM Policies as Security Statements
- IAM policies are sets of security statements in AWS.
- They grant or deny access to AWS features.
- Policies are created using JSON.
- Policy documents contain one or more statements.
- Statements grant or deny permissions to AWS services.
Statements, Authentication, and Authorization
- To access AWS resources, an identity first has to prove who it is; this is authentication.
- Once that succeeds, it is referred to as an authenticated identity.
- AWS gathers every policy statement that applies to that identity.
- AWS knows which resource the identity is interacting with and which action it is attempting.
- AWS processes those statements to determine whether the access is allowed; this is authorization.
Statement Components: SID and Actions
- A statement includes a statement ID (SID), an optional field for identifying a statement.
- Best practice is to use SIDs regardless of the policy document size.
- Interactions with AWS involve resources and the actions performed on them.
- A statement applies if the interaction matches the action and the resource.
- The action part of a statement matches one or more actions and can be specific.
- The format is service:operation, like s3:GetObject.
Actions (cont) and Resources
- A wildcard matches any operation in a service (e.g., s3:*).
- Actions can also be a list of individual actions.
- Resources are matched the same way, using an individual ARN, a list of ARNs, or wildcards.
- A resource of * matches every resource.
Effects: Allow and Deny
- The effect determines what AWS does when both the action and the resource parts of a statement match the request.
- Effect can be either Allow or Deny.
- If a statement matches and its effect is Allow, access to the resource is granted; if it matches and its effect is Deny, access is refused.
- A statement whose action or resource does not match the request plays no part in the decision.
Overlapping policies
- It is possible to be both allowed and denied at the same time.
- Explicit denies take precedence over explicit allows.
- If neither apply, the default implicit deny takes effect.
- AWS identities start with no access, except for the account root user.
Multiple Policies and Evaluation
- AWS collects all statements from applicable policies when an identity accesses a resource.
- This includes direct policies, group policies, and resource policies.
- The same deny, allow, deny rule applies.
- An explicit deny always wins. If there is no explicit deny, an explicit allow grants access. If there is neither, the implicit default deny takes effect.
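The evaluation rule just described, applied to the quiz scenario (an allow for s3:* on examplebucket alongside a deny for s3:GetObject on examplebucket/confidential/*) and to the user-plus-group case, as an added Python example that is not part of these notes or of AWS's own evaluation engine. The policy documents, the Sids and the sample requests are constructed; the evaluator ignores Condition, NotAction/NotResource, resource policies and SCPs, and matches wildcards with a plain case-sensitive glob.

```python
"""Model of IAM identity-policy evaluation as described in the notes above.

Added illustration for this page; it is not AWS's evaluation engine. Rule
implemented: gather every statement applicable to the identity (its own
inline and managed policies plus those of its groups), then an explicit Deny
beats an explicit Allow, which beats the implicit default Deny.
"""
from fnmatch import fnmatchcase  # '*' and '?' globbing, no case folding

# Constructed: the quiz scenario, with the Allow covering both the bucket
# ARN and the objects inside it so that the GetObject deny is what decides.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAllS3OnExampleBucket",
         "Effect": "Allow",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::examplebucket",
                      "arn:aws:s3:::examplebucket/*"]},
        {"Sid": "DenyConfidentialReads",
         "Effect": "Deny",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::examplebucket/confidential/*"},
    ],
}

# Constructed: a managed policy attached to a group the same user belongs to.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Ec2ReadOnly",
         "Effect": "Allow",
         "Action": ["ec2:Describe*"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    """IAM wildcards: '*' matches any run of characters (including '/'),
    '?' matches one. fnmatchcase gives exactly that without case folding."""
    return any(fnmatchcase(value, pattern) for pattern in _as_list(patterns))


def statement_applies(stmt, action, resource):
    """A statement applies only if BOTH its Action and Resource match."""
    return (_matches_any(stmt["Action"], action)
            and _matches_any(stmt["Resource"], resource))


def evaluate(policies, action, resource):
    """Decide one request. Returns (decision, reason).

    `policies` is every policy document applicable to the identity; their
    statements are evaluated as one collection, so the order of the policies
    (user first, group second, or the reverse) does not change the result.
    """
    allow_sid = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource):
                continue
            sid = stmt.get("Sid", "<no Sid>")
            if stmt["Effect"] == "Deny":
                # An explicit deny wins no matter what else matched.
                return "Deny", f"explicit deny by {sid}"
            if allow_sid is None:
                allow_sid = sid
    if allow_sid is not None:
        return "Allow", f"explicit allow by {allow_sid}"
    return "Deny", "implicit deny: no statement matched"


def decide(policies, action, resource):
    """Just the Allow/Deny decision."""
    return evaluate(policies, action, resource)[0]


if __name__ == "__main__":
    policies = [USER_POLICY, GROUP_POLICY]
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::examplebucket/confidential/q3.pdf"),
        ("s3:GetObject", "arn:aws:s3:::examplebucket/public/readme.txt"),
        ("ec2:DescribeInstances", "*"),
        ("ec2:RunInstances", "*"),
    ]:
        print(action, resource, "->", evaluate(policies, action, resource))
```

Run it directly to print the decision and the deciding statement for each sample request. The constructed allow lists both the bucket ARN and examplebucket/*; with the bucket ARN alone, as the quiz states it, s3:GetObject on an object matches no Allow at all and falls through to the implicit deny, so the answer is Deny either way, but for a different reason.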
Inline vs Managed Policies
- The JSON policy document is the same for both inline and managed policies.
- The difference is how they are managed and attached.
- An inline policy is written directly into one identity (a user, group or role); to change the access rights of many identities you would have to edit each inline policy individually.
- A managed policy is a standalone object that can be attached to any number of users, groups and roles at once, so one change applies everywhere it is attached; managed policies should be the default.
- Managed policies therefore carry a low management overhead and are reusable.
AWS-Managed vs. Customer-Managed Policies
- AWS-managed policies are created and managed by AWS
- AWS-managed policies may not fit your exact business needs.
- Customer-managed policies are created and managed by the business.
- Customer-managed policies can be defined exactly as the business requires.
Policy Usage
- Inline policies are suitable for special or exceptional circumstances, such as a one-off exception for a single identity.
- In those special circumstances, an inline policy is the right choice.
- Outside special circumstances, managed policies (AWS-managed where one fits your needs) are the default choice.
IAM Users
- IAM Users are identities
- Used for long-term AWS access
- Examples include humans, applications, or service accounts
- If a single known principal needs long-term access, an IAM user is what you should select.
- For that single-principal, long-term case you would use an IAM user 99% of the time.
IAM and Principal
- IAM starts with a principal: an entity trying to access an AWS account.
- Principals can be individual people, computers, services, or a group of any of those.
- Before a principal can do anything it must authenticate, and then be authorized.
- Principals make requests with resources in mind: a particular action on a particular resource.
- An IAM user is an identity a principal can authenticate as, and authentication is always the first step.
Processes for Authentication
- Authentication is the principal proving to IAM that it is the identity it claims to be.
- For example, proving that it really is the IAM user sally by presenting sally's credentials.
- Those credentials are either a username and password or a set of access keys.
Authentication and Authorisation
- A username and password are used when accessing AWS via the console UI.
- Access keys are used when a human or an application uses the AWS command line tools or APIs.
- An access key set consists of an access key ID and a secret access key, and belongs to one IAM user.
- Once the credentials are verified, the request is coming from an authenticated identity and AWS moves on to checking the applicable policy statements.
Authorization
- Authorization is the process of checking the policy statements that apply to the authenticated identity and allowing or denying access to the requested resource.
- It is a distinct process from authentication, and it happens after it.
- AWS first works out which IAM user the access keys belong to, then which actions that user is permitted to perform.
ARNs
- ARNs (Amazon Resource Names) uniquely identify resources within AWS accounts.
- They can refer to a single resource or, using wildcards, to a group of resources.
- ARNs are needed because resources in different accounts or regions can share the same name; the extra fields in an ARN make the reference unambiguous.
- ARNs have a fixed format and are used throughout IAM, most often in the Resource element of policies.
Use Cases
- Consider two similar-looking but very different ARNs, both naming the same bucket (the quiz above uses examplebucket):
- arn:aws:s3:::examplebucket refers to the bucket itself.
- arn:aws:s3:::examplebucket/* refers to the objects inside the bucket, not to the bucket.
- Neither ARN needs a region or an account ID, because S3 bucket names are globally unique.
Format
- Fields that a service does not need are left empty, which is why you see double colons (::) in S3 ARNs.
- Wildcards (*) can be used in the resource field to match collections of resources.
- The first field after arn is the partition the resource is in: aws for the standard regions, aws-cn for the China regions (aws-us-gov exists for GovCloud as well).
Partition, Service and Region
- The next field is the service namespace that identifies the AWS product, such as iam, rds or s3.
- Then comes the region the resource resides in.
- This is omitted for services whose resources are not region-specific, such as S3 and IAM.
Account ID and Resource
- The account ID field identifies the AWS account that owns the resource.
- S3 ARNs leave it empty, again because bucket names are globally unique; IAM ARNs include it.
- The final field is the resource, whose format depends on the service: a plain resource ID, resource-type/resource-id, or resource-type:resource-id.
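A parser for the ARN format described above, as an added example written for this page (not from the course or any AWS SDK). It splits the five fields after arn, enforces the partition and the mandatory service and resource fields, and tells the bucket ARN apart from the objects ARN for S3. The IAM and Lambda ARNs and the account ID 111122223333 used below are placeholders.

```python
"""Parse ARNs into the fields described above and classify S3 ARNs.

Added illustration for this page, not course material or an AWS SDK
function. Format assumed: arn:partition:service:region:account-id:resource.
"""
from dataclasses import dataclass

KNOWN_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str    # empty for services that are not region-specific (s3, iam)
    account: str   # empty for S3, whose bucket names are globally unique
    resource: str  # service-specific: id, type/id or type:id


def parse_arn(text):
    """Split an ARN into its six fields, validating the parts IAM requires."""
    # maxsplit=5: the resource field may itself contain ':' (a Lambda
    # function version, for instance) and must be kept whole.
    parts = text.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {text!r}")
    arn = Arn(*parts[1:])
    if arn.partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition {arn.partition!r} in {text!r}")
    if not arn.service or not arn.resource:
        raise ValueError(f"service and resource are mandatory: {text!r}")
    return arn


def is_arn(text):
    """True if parse_arn accepts the string."""
    try:
        parse_arn(text)
        return True
    except ValueError:
        return False


def s3_target(arn):
    """Tell the bucket ARN apart from the objects-in-bucket ARN.

    Returns ("bucket", name, None) for arn:aws:s3:::name and
    ("objects", name, key_pattern) for arn:aws:s3:::name/key_pattern.
    """
    if arn.service != "s3":
        raise ValueError("not an S3 ARN")
    bucket, sep, key = arn.resource.partition("/")
    return ("bucket", bucket, None) if not sep else ("objects", bucket, key)


if __name__ == "__main__":
    # Placeholder ARNs: the quiz bucket, an IAM user and a Lambda version.
    for text in ["arn:aws:s3:::examplebucket",
                 "arn:aws:s3:::examplebucket/*",
                 "arn:aws:iam::111122223333:user/sally",
                 "arn:aws:lambda:eu-west-1:111122223333:function:backup:3"]:
        arn = parse_arn(text)
        print(arn, s3_target(arn) if arn.service == "s3" else "")
```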
IAM Facts
- The default limit is 5,000 IAM users per account.
- The limit is per account, not per region.
- An IAM user can be a member of up to 10 groups.
More Facts
- Because of the 5,000-user limit, IAM users are not the right choice for an application with more than 5,000 identities.
- If you are going to exceed 5,000 identities, use IAM roles and identity federation instead of IAM users.
What this would mean
- The 5,000-user limit comes up in exam questions about an internet-facing application.
- If the application has millions of users, IAM users cannot be the identity for each of them.
- Those users would instead be federated and would assume an IAM role.
IAM Groups
- IAM Groups are an easier form of containers for users
- They assist to make the management of IAM users easier.
- You can't log into IAM groups
- Has no credentials to use
Multiple Group Types
- Can be both developers/QA in AWS
- That would mean they are part of the developers and QA group/
- They can be a member of a group
Groups Benefits
- Assist with effective group management of users.
- They now have all users or group members with all policy components
Group Policy Attachments
- This benefits the group's ability to connect and control policies that attach them.
- This applies with inline and managed policies.
- The developers group must have a group attached.
Developers/QA
- The person can have those with their own inline or managed policies
- IAM used such as Sally, gets the policies that get attached to that role
- The people now also get the polices for QA/Dev
- An AWS manager merges all into Permissions
Account limits
There is a an effective and unchangeable limit on the number of users in a group
- There is not an actual user group. All members are put into that section.
Groups limitations
- No nesting of groups.
- A group only holds members and permissions.
A policy that grants a resource that Sally wants may make the policy
- There are 300 group members allowed per account.
- Raising this also requires a support ticket.
ARM & ARMS
- These identities can be referenced when creating a policy.
- A policy can reference Sally to give her permissions on a bucket.
- It controls which identity can access the bucket.
ARM & ARMS Continued
- You cannot group everything under each other's roles.
- Groups are how IAM users inherit permissions.
- They help apply the right permissions to the right identity in the right place.
IAM Roles
- Identity-related topics are among the most difficult things to understand in AWS.
- One of these is the role.
- IAM roles are one type of identity,
- the other being the IAM user.
IAM Roles & Processes
- Using a role is a process.
- Whoever wants to use it must first authenticate,
- so that AWS can verify its identity.
Single Principal Use
- An IAM user is used where a single principal, for instance, would use it.
- IAM roles are best suited to being used by an unknown number of principals.
Roles & Identities
- A role is the candidate when you can't verify the number of principals that will use it.
- A role is something that is used on a temporary basis.
- A role represents a level of access inside an AWS account.
IAM Uses
- A role can be used short term by another account to allow a level of access.
- That account assumes the role.
- A role is not a person with intent; it is a reflection of a level of access.
- The identity that uses it can be outside the account.
IAM Role Distinctions
- For example, a mobile application assumes the role and gains all of the permissions that the role has.
- Logging records which identity assumed the role, so you need to have the right identity
- with the right permissions attached to it.
- This is where IAM users come in.
IAM identities have permissions policies attached as JSON, including managed ones
- These control permissions inside AWS.
- A permissions policy grants what is allowed and denies what is not.
- Policies define what the identity is allowed to do.
The policies
- A role has two policies.
- Policy A controls which identities are allowed to use the role.
B Policy
- Policy B: once the identity has assumed the role, security credentials are made available.
- These credentials are temporary.
- They are valid for a limited time.
IAM facts
- Roles are used with AWS management.
- There is a process for assuming a role.
- If something can't log in, it is not an IAM user.
- This includes Facebook or other social media accounts.
IAM Roles
- Roles are for services acting on your behalf.
- Static credentials: if you change or rotate those access keys, it is very important to know about it.
- A role is ideal as well if you don't know the number of principals that will use it.
- A role is the most suitable choice where principals need to obtain temporary credentials.
- Temporary credentials are also how such principals log in.
You can always assume a role within the AWS account
- Assuming the role provides an access key that grants a certain level of access.
4.6 Service-Linked Roles and PassRole
- Service-linked roles
- IAM role linked to a specific AWS service
- Predefined by a service, providing the permissions that the service needs to interact with other AWS services on your behalf.
- The service might create/delete the role,
- or allow you to create it during setup or within IAM.
- You can't delete the role until it's no longer required
Role permissions
- They provide a set of permissions which is predefined by a service.
- So they provide the permissions that a single AWS service needs to interact with other AWS services on your behalf.
- Service-linked roles are created as part of the setup.
Cloud Organization Basics