4. [M] IAM, Accounts and AWS Organisations


Questions and Answers

Which AWS service component grants or denies permissions to AWS resources?

  • IAM Groups
  • IAM Roles
  • IAM Users
  • IAM Policies (correct)

What is the initial step an identity must take when attempting to access AWS resources?

  • Authentication (correct)
  • Enumeration
  • Authorization
  • Compliance

What does the 'Effect' element of an IAM policy statement control?

  • The specific actions that the identity can perform.
  • Whether the policy allows or denies the specified actions. (correct)
  • The conditions under which the policy is in effect.
  • The AWS resource(s) that the policy applies to.

An IAM policy includes the following two statements:

  1. An explicit allow for s3:* on arn:aws:s3:::examplebucket
  2. An explicit deny for s3:GetObject on arn:aws:s3:::examplebucket/confidential/*

What is the outcome? Assume the user attempts to access a document within the 'confidential' folder.

The user will be denied access to the document. (B)

What is the main difference between an inline policy and a managed policy?

Managed policies are reusable and can be attached to multiple IAM entities; inline policies are directly embedded in a single IAM entity. (A)

In which situation would using an inline policy be most appropriate?

Defining unique, exceptional access rights for a specific IAM user. (C)

What are the two primary types of managed policies available in AWS?

AWS-managed and Customer-managed (D)

Which of the following can access AWS resources?

IAM users (B)

What type of identity is best suited for a scenario that requires use by multiple principals?

IAM role (B)

When should an IAM role be used instead of an IAM user?

When access is needed by an AWS service on your behalf. (D)

What are the two types of policy related to IAM roles?

Trust policy and permissions policy. (D)

What service is used to generate temporary security credentials when assuming an IAM role?

STS (Secure Token Service) (D)

Your company needs AWS Lambda to be able to access S3 buckets in order to perform backups. What is the recommended way to secure backups?

Assign the AWS Lambda function an IAM role. (D)

Under which scenario would you use IAM Roles?

For granting permissions to AWS services (B)

Which of the following best describes a "break glass" scenario in the context of IAM roles?

Granting temporary escalated permissions to a user to address an emergency. (B)

What is the purpose of AWS Organizations?

To consolidate billing and centrally manage multiple AWS accounts. (D)

Which of the following statements is true regarding the management account in AWS Organizations?

It cannot be restricted by service control policies (SCPs). (B)

Which AWS Organizations construct allows you to group accounts for organizational purposes, such as by department or environment?

Organizational Units (OUs) (C)

What is a primary benefit of consolidated billing in AWS Organizations?

Provides one monthly bill and allows for volume discounts. (D)

Which statement is most accurate about how AWS Organizations handles existing AWS accounts?

Existing AWS accounts need to approve invitations to join an Organization. (C)

Which of the following can be defined in service-linked roles?

Permissions (D)

When using service-linked roles, what is the key difference between them and normal roles?

You can't delete a service-linked role until it is no longer required. (C)

Alice wants to build a policy that allows her to pass a service role from TeamA into TeamB. What components must Alice define?

ListRole and PassRole permissions on that specific role (B)

Which of the following is a key distinction of service-linked roles?

They cannot be deleted unless their linked service no longer requires them. (B)

Your company must log all API calls made within the AWS account for security and compliance reasons. Which service provides this functionality?

CloudTrail (B)

By default, how long does CloudTrail store events in the Event history?

90 days (B)

What is the difference between management events and data events in CloudTrail?

All of the above. (D)

What is the feature associated with AWS Control Tower that provides single-page oversight of the entire organization?

The Dashboard (D)

A company is using AWS Organizations with several member accounts. They need to ensure that no IAM user in any of the member accounts can launch EC2 instances in the eu-west-1 region. What is the MOST effective way to achieve this?

Create a service control policy (SCP) that denies ec2:RunInstances for eu-west-1 and attach it to the organization root. (D)

What does a service control policy control?

Whether an AWS account can or cannot perform certain actions (A)

Which of the following accurately describes a key characteristic of service control policies (SCPs) in AWS Organizations?

They define the maximum permissions available to member accounts. (D)

What are the two modes in which AWS service control policies can be used?

Allow list and Deny list (C)

You're designing a multi-account AWS environment and want to implement guardrails to ensure that all accounts comply with specific security standards. Which AWS service provides the ability to centrally manage and enforce these guardrails across all accounts?

AWS Organizations with Service Control Policies (SCPs) (D)

What is CloudWatch Logs?

A service (C)

At a very basic level, what are the components of a CloudWatch Logs log event?

A piece of information (data) and a timestamp (C)

You have a Linux instance you'd like to monitor over SSH. Which technology do you implement to act on the logged information?

Metric filters (B)

What is the function of Log Streams in AWS CloudWatch Logs?

Provide an analysis from a specific source. (A)

Which of the following best describes a CloudTrail trail configured to log global service events?

It will log events generated by global services like IAM, STS, and CloudFront. (B)

Which of the following accurately states one of the limitations of using CloudTrail for logging?

A & C (C)

What are data events and management events described as in CloudTrail Essentials?

Control Plane (A)

What is a key benefit of setting up an organizational trail in CloudTrail?

It provides a single place to store logs for all the accounts in your organization. (A)

What type of resource performs orchestration in a multi-account environment on AWS?

AWS Control Tower (A)

You have to set up and provision a multi-account environment to be used by your company. Which service is best for setting up this multi-account environment?

AWS Control Tower (C)

In an IAM policy, what is the purpose of the 'Sid' element within a statement?

It uniquely identifies the statement within the policy document. (A)

What is the effect of including s3:* within the 'Action' element of an IAM policy statement?

It allows all S3 related actions; a wildcard can match any S3 operations. (C)

How does AWS evaluate multiple IAM policies attached to an identity when determining access to a resource?

It collects all statements from all applicable policies and evaluates them together. (D)

In the context of IAM policies, what is the effect of an explicit 'deny' statement?

It prevents access, regardless of any 'allow' statements. (D)

If a user has an IAM policy that allows access to all S3 buckets, but is also a member of a group with a policy that denies access to a specific S3 bucket, what will the user's effective permissions be regarding that specified bucket?

The user will have access to all S3 buckets except for the specified one, due to the explicit deny. (C)

By default, what level of access do new IAM users have to AWS resources?

No access to any AWS resources. (C)

You need to grant a developer temporary access to create and manage EC2 instances. Which of the following approaches is the MOST secure?

Create an IAM role with the necessary permissions and have the developer assume the role. (B)

What is the primary purpose of an Amazon Resource Name (ARN)?

To uniquely identify AWS resources. (B)

In an ARN structure, what does the 'service' component represent?

The AWS product the resource belongs to (e.g., S3, EC2, IAM). (D)

What does arn:aws:s3:::examplebucket refer to?

The bucket named 'examplebucket' itself. (A)

What is the difference between arn:aws:s3:::examplebucket and arn:aws:s3:::examplebucket/*?

The first ARN refers to the bucket itself, while the second refers to all objects within the bucket. (A)

When should you generally use an IAM inline policy?

For permissions that are unique to a specific IAM user, group, or role, and not commonly reused. (C)

When should you choose a managed IAM policy over an inline policy?

When you require reusability and centralized management of permissions across multiple IAM identities. (B)

Which of the following is TRUE regarding an IAM group?

An IAM group is a container for IAM users that makes it easier to manage permissions for multiple users. (A)

You have a scenario where a user needs to perform tasks that require permissions from multiple roles. What is the AWS recommended way to handle this requirement?

Have the user assume a role that has permissions to assume all the desired subsequent roles. (A)

Your company uses IAM roles to grant EC2 instances access to S3 buckets. You need to ensure that even if an instance is compromised, the attacker cannot use the instance's credentials indefinitely. How can you ensure this?

IAM Roles provide temporary security credentials, unlike IAM Users. The temporary credentials time out and will have to be requested again. (B)

You have created an IAM Role for an application running on an EC2 instance. After a while, you notice that the application is experiencing 'access denied' errors. What is the MOST likely reason for this?

The IAM role has a session duration limit and must be renewed. (C)

When using IAM roles within AWS Organizations, what does the trust policy of the IAM role define?

Identities which can gain access to that role. (C)

An organization uses AWS Organizations with multiple accounts. They want to grant an external vendor access to a specific S3 bucket in one of their member accounts. What's the recommended approach?

Create an IAM role in the member account with the S3 bucket permissions and configure its trust policy to allow the vendor's AWS account to assume it. (C)

Which of the following best describes the function of AWS Organizations organizational units (OUs)?

To group AWS accounts for management purposes, such as applying policies or consolidated billing. (D)

In AWS Organizations, the management account has some special restrictions. Which of the following restrictions is true?

Service Control Policies (SCPs) are not inherited in the Management account. (C)

What is the relationship between Organizational Units (OUs) and Service Control Policies (SCPs) in AWS Organizations?

SCPs can be attached to OUs to define which AWS services and actions are allowed within the accounts belonging to that OU. (D)

Which AWS service would you use to ensure that developers do not create EC2 instances above a certain size (e.g., m5.xlarge) within your organization's AWS accounts?

Service Control Policies (SCPs) (B)

How can an organization take advantage of volume discounts and consolidated billing through AWS Organizations?

AWS Organizations aggregates the usage across all member accounts, allowing the organization to qualify for higher discount tiers. (A)

What happens to the billing of existing AWS accounts when they are added to an AWS Organization?

The linked accounts have their payment methods removed for the Member Accounts within the organization, consolidating billing through the management account's payment method. (B)

In CloudWatch Logs, what is the relationship between Log Events, Log Streams, and Log Groups?

Log Streams contain Log Events, which are organized into Log Groups. (C)

You have a Linux server on-premises and want to send its system logs to CloudWatch Logs. Which component do you need to install and configure on the server?

CloudWatch Agent (D)

You need to monitor the occurrence of specific error messages within your application logs in CloudWatch Logs and trigger an alarm when the error rate exceeds a threshold. How can you achieve this?

Configure a metric filter on the log group to count the error messages and create a CloudWatch Alarm based on the metric. (D)

For how long are CloudTrail events stored in the Event history by default?

90 days (C)

What is the main difference between CloudTrail 'management events' and 'data events'?

Management events record resource configuration changes (control plane operations), while data events record resource operations (data plane operations). (A)

You need to investigate who accessed a specific S3 object in your AWS account. Which type of CloudTrail event should you analyze?

Data events (C)

What does it mean to configure a CloudTrail trail to log 'global service events'?

The trail will log events generated by AWS services that are truly global in scope (e.g., IAM, STS, CloudFront). (C)

You need to store CloudTrail logs for compliance reasons for more than 90 days. Which is the recommended method?

Configure a Trail and direct CloudTrail events to an S3 bucket. (A)

Within AWS Organizations, what is an 'organizational trail' in CloudTrail?

A trail created in the management account that automatically logs events for all accounts in the organization. (B)

An administrator asks if they can use CloudTrail to get real-time alerts for security events. What would you say?

CloudTrail provides access to historical event data. (D)

When setting up AWS Control Tower, which of the following components provides oversight of the entire environment?

Dashboard (C)

What is the purpose of 'Landing Zone' in the context of AWS Control Tower?

Account baseline multi-account environment for provisioning. (A)

What are Guardrails and how do they function in an AWS Control Tower setup?

Guardrails are rules created through multi-account governance to enforce those rules. (C)

Which AWS service is used to identify non-compliant data?

Guard Rails (C)

What does 'Account Factory' refer to in an AWS Control Tower setup?

Automates and standardizes new account creation through code pipeline integration (A)

When you implement Control Tower, what is true about the foundational vs custom organizational units?

When Control Tower is first set up, it generally creates two organizational units: the foundational organizational unit, which by default is Security, and a custom organizational unit that can also be created. (A)

When an IAM user attempts to perform an action on an AWS resource, what determines whether the action is allowed?

The evaluation of all applicable IAM policies and resource policies, where any explicit 'deny' overrides all 'allow' statements. (B)

Your company has multiple AWS accounts managed under AWS Organizations. You need to ensure that no IAM user in any of the accounts can create new IAM roles. What is the MOST effective way to achieve this?

Create a Service Control Policy (SCP) that denies the iam:CreateRole action and attach it to the root of the AWS Organization. (B)

You need to set up centralized logging for all API calls made in your AWS Organization. Your organization consists of one management account and 20 member accounts. Which method is MOST efficient for achieving this?

Configure an organizational CloudTrail from the management account to log events from all accounts in the organization. (B)

Which factor is MOST important when determining whether to use an IAM user versus an IAM role?

Whether the access is long-term or temporary. (D)

What is the MOST important security benefit of using IAM roles instead of hardcoding AWS credentials into an application?

IAM roles provide automatic credential rotation, which reduces the risk of compromised long-term credentials. (D)

In the context of CloudWatch Logs, what is the hierarchical relationship between Log Events, Log Streams, and Log Groups?

Log Groups contain Log Streams, which contain Log Events. (A)

When setting up an IAM role, which of the following policy types defines which principals are allowed to assume the role?

Trust policy (A)

What is the MOST significant difference between an IAM inline policy and an IAM managed policy?

Inline policies are attached directly to a single IAM identity and cannot be reused, while managed policies can be attached to multiple identities. (C)

Your company wants to enforce a policy that all EC2 instances launched in any AWS account within your AWS Organization are of a specific instance type (e.g., t3.micro) to manage costs. What AWS service should you use to achieve this?

AWS Organizations with Service Control Policies (SCPs) (C)

Which of the following statements BEST describes the purpose of an Amazon Resource Name (ARN)?

It uniquely identifies an AWS resource. (C)

When using CloudTrail, what type of event is recorded when a user accesses data stored in an S3 bucket?

Data event (D)

Your organization has an existing Active Directory and wants to provide its users with the ability to access AWS resources using their existing Active Directory credentials. Which approach is BEST suited for this scenario?

Implement Identity Federation using IAM Roles. (C)

What is the purpose of the AWS Control Tower Landing Zone?

It provides a multi-account AWS environment based on best practices. (B)

Your company stores application logs in CloudWatch Logs. You want to be notified immediately when a specific error message appears in those logs. What CloudWatch feature should you use?

CloudWatch Alarms based on Metrics (C)

Flashcards

IAM Identity Policy

A policy attached to AWS identities (users, groups, roles), granting or denying access to AWS resources.

IAM Policy

A set of security statements granting or denying access to AWS resources.

Statement ID (SID)

An optional field within an IAM policy statement that identifies the statement.

Action

Specifies the AWS service and action to be allowed or denied in a policy.


Resource

Specifies the AWS resource an action applies to, often using ARN format.


Effect

Determines whether a policy statement allows or denies access.


Authentication

An AWS process verifying identity, usually by username/password or access keys.


Amazon Resource Name (ARN)

A unique identifier for AWS resources. Includes partition, service, region and account ID.


Policy Evaluation Logic

Grant access with allows, unless there is explicit deny.


IAM User

Designed for a single principal (human, application, service) requiring long-term AWS access.


IAM Role

Best suited where the identity is to be used by an unknown or multiple principals on a temporary basis.


IAM Group

Containers for IAM users, simplifying permissions management for many users.


AWS Service Roles

Used by services to operate on your behalf so they can perform certain actions.


ARNs

Uniquely identify resources within any AWS accounts.


Inline and Managed Policies

There are two main types of policies.


5000 User limit.

The IAM User limit per account that you need to adhere to.


Trust policy

Controls which identities can assume an IAM role.


AWS Organizations

You can use this to connect other AWS accounts.


Service-linked roles

An IAM role linked to a specific AWS service.


Roles

Used within AWS organizations to allow us to log into one account in that organization and access different accounts without having to log in again.


AWS Organizations

AWS product which allows larger businesses to manage multiple AWS accounts in a cost effective way with little to no management overhead.


Service Control Policies

This will affect all accounts inside and outside the organization.


Single principal

Designed for situations where a single principal uses that IAM user.


Multiple principal

Designed for situations where multiple principals use an IAM role.


Role separation

Where you might give one group of people the ability to create roles and another group of people the ability to use them.


Predefined

A set of permissions which is predefined by a service.


SCPs

A feature of AWS organizations which can be used to restrict AWS accounts.


CloudTrail

Logs API calls or account activities.


CloudWatch Logs

The endpoint which applications connect to is hosted in the AWS public zone.


Control Tower

AWS services to provide this functionality.


Study Notes

IAM Identity Policies

  • IAM policies attach to identities inside AWS
  • Identities can be IAM users, groups, and roles
  • Understanding IAM policies is crucial for AWS exams and solution implementation
  • There are three stages to understanding policies:
    • Understanding their architecture and how they work
    • Gaining the ability to read and understand the policy
    • Learning to write them

IAM Policies as Security Statements

  • IAM policies are sets of security statements in AWS.
  • They grant or deny access to AWS features.
  • Policies are created using JSON.
  • Policy documents contain one or more statements.
  • Statements grant or deny permissions to AWS services.

Statements, Authentication, and Authorization

  • To access AWS resources, an identity needs to prove its identity through authentication.
  • Once it has authenticated, the identity is referred to as an authenticated identity.
  • AWS has a collection of all statements applicable to an identity.
  • AWS knows which resources the identity is interacting with and the intended actions.
  • AWS processes the statements to determine access.

Statement Components: SID and Actions

  • A statement includes a statement ID (SID), an optional field for identifying a statement.
  • Best practice is to use SIDs regardless of the policy document size.
  • Interactions with AWS involve resources and the actions performed on them.
  • A statement applies if the interaction matches the action and the resource.
  • The action part of a statement matches one or more actions and can be specific.
  • The format is service:operation, like s3:GetObject.

Actions (cont) and Resources

  • Wildcards can match any operations (e.g., s3:*).
  • Actions can be a list of individual actions.
  • Resources are matched similarly, using individual ARNs, lists, or wildcards.
  • Using wildcards refers to every resource.

Effects: Allow and Deny

  • The effect determines what AWS does if the action and resource parts of a statement match.
  • Effect can be either allow or deny.
  • If both the action and the resource parts of a statement match the request, AWS applies that statement's effect to the request.
  • For example, if an S3 statement's action and resource match and its effect is allow, the S3 action is allowed.

Overlapping policies

  • It is possible to be both allowed and denied at the same time.
  • Explicit denies take precedence over explicit allows.
  • If neither applies, the default implicit deny takes effect.
  • AWS identities start with no access, except for the account root user.

Multiple Policies and Evaluation

  • AWS collects all statements from applicable policies when an identity accesses a resource.
  • This includes direct policies, group policies, and resource policies.
  • The same deny, allow, deny rule applies.
  • Explicit deny always wins. If there is no explicit deny, an explicit allow grants access. If neither applies, the default implicit deny takes effect.
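The deny, allow, deny rule from these notes, worked as an added example (constructed here, not code from the course): a small evaluator that gathers every matching statement from a user policy and a group policy and applies explicit deny first, then explicit allow, then the implicit deny. The sample policies mirror the quiz scenario (s3:* allowed on examplebucket, s3:GetObject denied under confidential/); the EC2 ARN and account id are placeholders, and Condition, NotAction, resource policies and SCPs are deliberately not modelled.

```python
"""Simplified model of IAM identity-policy evaluation (constructed example,
not AWS's implementation). All statements from every applicable policy are
collected; an explicit Deny wins, otherwise an explicit Allow grants access,
otherwise the implicit default deny applies. Only Effect, Action and Resource
are modelled: Condition, NotAction, resource policies and SCPs are omitted."""
from fnmatch import fnmatchcase


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    # IAM wildcards: '*' matches any sequence, '?' matches one character.
    # fnmatchcase implements that and never folds case on its own.
    for pattern in _as_list(patterns):
        if case_sensitive:
            if fnmatchcase(value, pattern):
                return True
        elif fnmatchcase(value.lower(), pattern.lower()):
            return True
    return False


def statement_applies(stmt, action, resource):
    """A statement applies when both its Action and Resource match the request.
    Action names are case-insensitive in IAM; ARNs are compared as written."""
    return (_matches(stmt["Action"], action, case_sensitive=False)
            and _matches(stmt["Resource"], resource, case_sensitive=True))


def evaluate(policies, action, resource):
    """Return (decision, matching_sids) where decision is 'Deny', 'Allow'
    or 'ImplicitDeny' (nothing matched, so the default deny applies)."""
    matched = [stmt
               for policy in policies
               for stmt in _as_list(policy["Statement"])
               if statement_applies(stmt, action, resource)]
    sids = [stmt.get("Sid", "<no Sid>") for stmt in matched]
    effects = {stmt["Effect"] for stmt in matched}
    if "Deny" in effects:          # explicit deny always wins
        return "Deny", sids
    if "Allow" in effects:         # otherwise an explicit allow grants access
        return "Allow", sids
    return "ImplicitDeny", sids    # nothing matched: default deny


# Constructed sample policies mirroring the quiz scenario: a policy on the
# user allows s3:* on examplebucket and its objects, and a policy attached to
# one of the user's groups explicitly denies s3:GetObject under confidential/.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAllS3OnExampleBucket",
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::examplebucket",
                     "arn:aws:s3:::examplebucket/*"],
    }],
}

GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyReadConfidential",
        "Effect": "Deny",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::examplebucket/confidential/*",
    }],
}

POLICIES = [USER_POLICY, GROUP_POLICY]

# Constructed requests: (action, resource ARN). The EC2 ARN uses a placeholder
# account id; no statement mentions EC2, so the implicit deny applies to it.
REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::examplebucket/confidential/q3-results.pdf"),
    ("s3:GetObject", "arn:aws:s3:::examplebucket/public/readme.txt"),
    ("s3:PutObject", "arn:aws:s3:::examplebucket/confidential/new.txt"),
    ("s3:ListBucket", "arn:aws:s3:::examplebucket"),
    ("ec2:RunInstances", "arn:aws:ec2:eu-west-1:111122223333:instance/*"),
]


def evaluate_all(policies=POLICIES, requests=REQUESTS):
    """Evaluate every request and return {(action, resource): decision}."""
    return {req: evaluate(policies, *req)[0] for req in requests}


if __name__ == "__main__":
    for (action, resource), decision in evaluate_all().items():
        print(f"{decision:<12} {action:<18} {resource}")
```

Note that the deny is action-specific: s3:PutObject under confidential/ is still allowed, so a deny written to protect a prefix must list every action it is meant to block.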

Inline vs Managed Policies

  • JSON policy documents are the same for both inline and managed policies.
  • The difference is how they are managed.
  • Inline policies embed the permissions directly in a single identity, so a change to access rights has to be made on each identity that carries the policy.
  • An inline policy suits permissions that are specific to one identity or project.
  • A managed policy can be reused across a large number of users, groups, or roles, and is the default choice.
  • Managed policies therefore carry low management overhead.

AWS-Managed vs. Customer-Managed Policies

  • AWS-managed policies are created and managed by AWS
  • AWS-managed policies may not fit your exact business needs.
  • Customer-managed policies are created and managed by the business.
  • Customer-managed policies can be defined to match the exact business requirements.

Policy Usage

  • Inline policies are suitable for special or exceptional circumstances.
  • In special circumstances, you will likely want to use an inline policy.
  • If the circumstances are not special, you will likely use AWS-managed policies.

IAM Users

  • IAM Users are identities
  • Used for long-term AWS access
  • Examples include humans, applications, or service accounts
  • If you need long-term access, you should select this
  • 99% of the time, you would use an IAM user

IAM and Principal

  • IAM starts with a principal, which is an entity trying to access an AWS account
  • Principals can be individual people, computers, services or a group of any of those things
  • To gain access, the principal must first authenticate and then be authorized
  • Principals make requests with specific resources in mind
  • An IAM user is an identity which can be used this way and authentication is the first step

Processes for Authentication

  • Authentication is the principal proving to IAM that it is the IAM identity it claims to be.
  • For example, Sally proves that she is indeed Sally using her username and password.
  • Authentication uses either a username and password, or access keys.

Authentication and Authorisation

  • Usernames and passwords are used if accessing via the console UI.
  • If it is a human attempting AWS command line tools, access keys are used
  • Once the access keys are verified, the IAM user becomes an authenticated identity and can interact with AWS
  • AWS then checks the applicable statements to decide whether to allow access

Authorization

  • Authorization is the process of checking statements and allowing access to the requested resource
  • It is a very distinct process from authentication
  • Regardless of whether a username and password or access keys were used, AWS then checks what the authenticated identity is allowed to do

ARNs

  • ARNs are the next thing to cover.
  • ARNs uniquely identify resources within AWS accounts.
  • ARNs can refer to a group of resources (using wildcards) if needed
  • ARNs are needed because resources in different accounts can have similar or identical names
  • ARNs follow a fixed format
  • They are used generally in IAM policies

Use Cases

  • Consider two similar but very different ARNs
  • Both refer to the cats gif bucket in S3
  • One identifies the bucket itself; the other identifies the objects within it
  • Because S3 bucket names are globally unique, neither needs to specify a region or an account

Similarities

  • Naming of S3 is globally unique
  • A double colon (::) in an ARN marks a field that has been left empty because it does not need to be specified
  • Keep in mind that wildcards can also refer to collections of resources
  • The first field is the partition the resource is in: aws-cn for China regions, and aws for everything that is not aws-cn.

Partition, Service and Region

  • The next part is the service namespace, which specifies the AWS product, for example iam, rds or s3.
  • The region is the region where the specific resource resides.
  • This may be omitted, as certain ARNs (such as S3 bucket ARNs) don't require a region.

Account ID and Resource

  • The account ID is the next field.
  • It identifies the AWS account that owns the resource.
  • S3 ARNs don't specify this, because bucket names are already globally unique.
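
As an added example (not part of the original notes), this Python parser splits an ARN into the five fields described above and then matches a policy Resource pattern against a concrete ARN field by field, so you can see why the two cat gifs bucket ARNs behave differently. The bucket name catgifs, the account ID 123456789012 and the user name sally are constructed sample values.

```python
import fnmatch
from dataclasses import dataclass

@dataclass(frozen=True)
class Arn:
    partition: str  # "aws", or "aws-cn" for the China regions
    service: str    # service namespace, e.g. "s3", "iam", "rds"
    region: str     # empty for resources that are not regional (e.g. S3)
    account: str    # 12-digit owner account ID; empty for S3 ARNs
    resource: str   # resource part; may itself contain ":" or "/"

def parse_arn(arn: str) -> Arn:
    """Split an ARN into its five fields after the literal "arn" prefix.

    The split stops after the fifth colon, so "arn:aws:s3:::catgifs/*"
    keeps "catgifs/*" and "arn:aws:iam::123456789012:user/sally" keeps
    "user/sally" intact. Empty region/account (the "::") are kept as "".
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not a valid ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    if not partition or not service or not resource:
        raise ValueError(f"ARN is missing a required field: {arn!r}")
    return Arn(partition, service, region, account, resource)

def arn_matches(pattern: str, arn: str) -> bool:
    """True if a policy Resource pattern (with * and ? wildcards) covers arn.

    Fields are compared one by one, so a "*" in the account field cannot
    spill into the resource field. "*" matches across "/" just as it does
    in IAM, which is why "catgifs/*" covers every object in the bucket
    but not the bucket ARN "arn:aws:s3:::catgifs" itself.
    """
    p, a = parse_arn(pattern), parse_arn(arn)
    pairs = zip(
        (p.partition, p.service, p.region, p.account, p.resource),
        (a.partition, a.service, a.region, a.account, a.resource),
    )
    return all(fnmatch.fnmatchcase(value, pat) for pat, value in pairs)

if __name__ == "__main__":
    # Constructed sample ARNs: the bucket itself and the objects inside it.
    bucket, objects = "arn:aws:s3:::catgifs", "arn:aws:s3:::catgifs/*"
    print(parse_arn(bucket))  # region and account come back as ""
    print(arn_matches(objects, "arn:aws:s3:::catgifs/cat1.gif"))  # True
    print(arn_matches(objects, bucket))  # False: objects pattern, bucket ARN
```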

IAM Facts

  • 5,000 IAM users per account
  • This is a per-account limit
  • An IAM user can be a member of up to 10 groups

More Facts

  • You can't go over the 5,000 limit by giving each identity its own IAM user
  • If you are going to have more than 5,000 identities, IAM users are not the right choice.

What this would mean

  • The 5,000 user limit comes up in questions about an application that is used on the internet
  • The application has millions of users
  • IAM users would not be the right identity to use

IAM Groups

  • IAM Groups are containers for IAM users
  • They make the management of IAM users easier.
  • You can't log in to an IAM group
  • A group has no credentials

Multiple Group Types

  • A user can be both a developer and a QA engineer in AWS
  • That would mean they are part of both the Developers and the QA group
  • A user can be a member of more than one group

Groups Benefits

  • Groups assist with effective management of users.
  • All members of a group get the policies attached to the group

Group Policy Attachments

  • The benefit of groups is that policies can be attached to them, and those policies then apply to the members.
  • This applies to both inline and managed policies.
  • The Developers group, for example, would have a policy attached.

Developers/QA

  • A user can also have their own inline or managed policies
  • An IAM user such as Sally gets the policies that are attached directly to her
  • She also gets the policies attached to the QA and Developers groups
  • AWS merges all of these into one set of effective permissions

Account limits

There is an effective limit on the number of users in a group: all 5,000 IAM users in an account can be members of a single group, and that limit can't be raised

  • There is no built-in "all users" group; you would have to create a group and add all members to it yourself.

Groups limitations

  • Groups can't be nested (no groups within groups)
  • A group is only a container for members and a place to attach permissions; it is not a true identity

A resource policy that grants access to a resource Sally wants can reference Sally, but it can't reference a group

  • There are 300 groups allowed per account
  • This can be raised by opening a support ticket

ARNs & Resource Policies

  • Identities are referenced by their ARN when creating resource policies.
  • A bucket policy can reference Sally's ARN to give her permissions on the bucket
  • That is how the resource controls which identity can access it

ARNs & Resource Policies Continued

  • You cannot reference a group in a resource policy; groups are not true identities
  • Groups are just containers through which IAM users inherit policies
  • They help get the right permissions to the right identity in the right place.

IAM Roles

  • Identity-related topics are among the most difficult things to understand in AWS.
  • The next thing to understand is the role
  • These are IAM roles
  • They are the other IAM identity type, alongside IAM users

IAM Roles & Processes

  • Using a role is a process
  • Something (a principal) wants to authenticate and assume the role
  • AWS verifies the identity of that principal before it can use the role

Single Principal Use

  • IAM users are used where a single known principal, such as a person or an instance, uses the identity
  • IAM roles are best suited to being used by an unknown number of principals, or by principals you don't know in advance

Roles & Identities

  • Roles are the candidate when you can't put a number on how many principals will use an identity
  • Roles are something which is used on a temporary basis
  • The giveaway is that a role is something that represents a level of access inside an AWS account, not a person

IAM Uses

  • Used short term, for example by another account, to allow a level of access
  • The principal assumes the role
  • A role is not a person with intent; it is a representation of access
  • The identity using the role can be from outside the account

IAM Role Distinctions

  • Example: a mobile application assumes the role and gains all of the permissions that the role can perform
  • The identity that comes out of the role is what shows up in logging, so you need to have the right identity
  • and the right permissions attached to it.
  • This is where the distinction between IAM users and roles comes in

Identity policies

  • IAM identities have permissions policies attached; these are JSON documents, either inline or managed
  • They control permissions inside AWS
  • A policy states what is allowed and what is denied
  • Policies are attached to the identity
  • Policies determine what the identity is allowed to do

Role policies

  • A role has two policies
  • The trust policy controls which identity is allowed to assume the role
  • The permissions policy controls what is allowed once identity A has assumed the role

Temporary Credentials

  • When the identity assumes the role, temporary security credentials are generated and made available to it
  • These credentials are temporary
  • They are valid for a limited time

IAM facts

  • Roles are used across AWS.
  • Assuming a role is a process, not a login
  • If it's something you can't log in as, it's not an IAM user
  • This includes external identities such as Facebook or other social media accounts

IAM Roles

  • Roles are also used by AWS services acting on your behalf
  • Unlike IAM users with access keys, roles don't rely on static credentials.
  • If you had to change or rotate static credentials, it would be very important to know everywhere they are used

Roles are also ideal when you don't know the number of principals

  • A role is the identity type that is ideal in that case
  • The principal assumes the role and gets temporary credentials

A role can be assumed by principals inside the AWS account or from outside it

  • To assume a role, the principal must be allowed to by the role's trust policy

4.6 Service-Linked Roles and PassRole

  • Service-linked roles
    • An IAM role linked to a specific AWS service
    • Predefined by a service, providing the permissions that the service needs to interact with other AWS services on your behalf
  • The service might create or delete the role,
    • or allow you to do so during setup or within IAM
    • You can't delete the role until it's no longer required

Role permissions

  • They provide a set of permissions which is predefined by a service.
  • So they provide the permissions that a single AWS service needs to interact with other AWS services on your behalf
  • Service-linked roles are created as part of the service setup, or within IAM.

Cloud Organization Basics

