4. [VH] IAM, Accounts and AWS Organisations

Questions and Answers

Consider a scenario where an IAM user requires permissions to interact programmatically with a specific S3 bucket for a limited time, leveraging temporary credentials. Which AWS service, orchestrated by Control Tower, is BEST suited for managing the temporary credentials lifecycle, ensuring compliance with centrally defined governance policies?

• AWS IAM Identity Center (successor to AWS SSO), brokering identity assertions from a corporate directory to assume a role with pre-defined, time-bound permissions.
• AWS CloudTrail, configured with multi-region trails and comprehensive data event logging, to audit IAM access key usage anomalies.
• AWS Organizations, employing Service Control Policies (SCPs) to enforce maximum session duration and restrict allowable actions for any assumed role.
• AWS STS (Secure Token Service), integrated with IAM roles and trust policies, dynamically generating temporary credentials conforming to the principle of least privilege. (correct)

In an AWS Organizations environment, a security engineer discovers a discrepancy between the IAM policies applied to an IAM role and the actual permissions the role is exercising, potentially circumventing established governance controls. Which mechanism should the engineer leverage to diagnose and rectify this misalignment, enforcing least privilege consistently?

• Configure AWS Config rules within the management account to continuously evaluate IAM role policies and automatically remediate any deviations from approved configurations.
• Implement AWS CloudTrail multi-region trails, forwarding logs to a centralized Security Information and Event Management (SIEM) system for real-time analysis of IAM role activity.
• Utilize AWS Trusted Advisor to generate recommendations for optimizing IAM configurations, focusing on unused access keys and overly permissive security group rules.
• Employ AWS IAM Access Analyzer to proactively identify overly permissive IAM roles and refine role policies based on observed resource access patterns. (correct)

An organization aims to enforce a strict separation of duties for managing AWS CloudTrail logs. Which strategy BEST aligns with governance best practices to ensure that only authorized personnel can modify or delete CloudTrail configurations and log data?

• Utilize AWS Organizations Service Control Policies (SCPs) to restrict access to CloudTrail API actions in all member accounts, allowing only IAM roles in the management account to modify CloudTrail configurations. (correct)
• Implement a centralized logging solution with an immutable S3 bucket as the destination for CloudTrail logs, enforcing multi-factor authentication and requiring privileged access to manage the bucket's lifecycle policies.
• Delegate CloudTrail configuration and log management responsibilities to a dedicated IAM group, granting the group full access to all CloudTrail resources and denying access to other AWS services.
• Employ AWS CloudTrail Lake to create immutable audit trails, retaining historical logs for compliance purposes, while restricting direct access to the underlying S3 buckets containing the log data.

In a scenario involving high-throughput data ingestion into CloudWatch Logs, how would you design a solution that optimizes for cost-effectiveness while ensuring that critical patterns within the ingested logs trigger alarms with minimal latency?

Leverage CloudWatch Metric Filters to extract quantifiable metrics from the ingested logs, triggering alarms based on metric thresholds, and archive logs to S3 Intelligent-Tiering for cost-effective storage. (A)

An organization implementing a multi-account strategy wants to ensure that all API calls made by IAM users are logged and audited for compliance purposes. Which configuration ensures comprehensive logging and enables seamless analysis of activity across all accounts?

Implement an AWS CloudTrail organizational trail, designating a central S3 bucket as the repository for logs. Configure CloudWatch Logs as a destination for real-time monitoring of events. (B)

Consider a scenario where you need to design a cost-effective system for long-term security log retention and analysis in a multi-account AWS environment. Retention policies vary significantly. Which solution is MOST suitable?

Configure an AWS CloudTrail Organization Trail and forward all logs to Amazon S3. Implement a serverless analytics pipeline with AWS Lambda and Athena with customized partitions for the logs based on retention requirements. (D)

An application running across multiple AWS accounts experiences intermittent access denials because an IAM role has conflicting 'Allow' and 'Deny' statements. How can you determine the precise combination of policy statements causing access denial?

Employ AWS IAM Access Analyzer to simulate the role's access to the affected resources, dissecting the policy evaluation process to reveal the effective permissions and conflicting statements. (C)

An organization has configured CloudTrail to log data events for all S3 buckets across multiple AWS accounts within an AWS Organization. However, the security team reports inconsistencies in data event logging, especially for newly created buckets. How can you ensure consistent and comprehensive data event logging for all S3 buckets?

Configure an AWS CloudTrail organizational trail with data events enabled for all S3 buckets. Utilize AWS Organizations Service Control Policies (SCPs) to prevent any modifications to CloudTrail configurations in member accounts. (C)

In designing a highly secure, multi-account AWS environment, an organization determines that users should only be able to assume IAM roles located within the same AWS account. How can you enforce this constraint across all accounts in an AWS Organization?

Configure a Service Control Policy (SCP) within AWS Organizations that denies the sts:AssumeRole action for any IAM role ARN that does not match the account ID of the user attempting the assumption. (A)

When designing an Identity and Access Management(IAM) setup for a large organization using AWS, which strategy BEST balances security and ease of management for granting permissions to a large number of users across different AWS accounts?

Utilize AWS IAM roles as the primary mechanism for granting permissions, with users assuming these roles either directly or via a centralized identity provider. (A)

What impact does the configuration of a CloudTrail in a central 'logging' AWS account have on the logging of management events in other 'member' accounts, assuming no other CloudTrails are present?

Management events continue to be logged in each member account, independently of the centralized trail. (A)

A company requires that all new AWS accounts adhere to a baseline configuration including specific IAM roles, security groups, and network settings. Evaluate the available methods and determine the MOST effective for automatically enforcing the baseline without manual intervention.

Using AWS CloudFormation StackSets with Service-Managed permissions to deploy baseline resources across all AWS Organizations accounts and regions, combined with AWS Config rules to detect and remediate deviations. (C)

A financial institution wants to implement stringent controls over cross-account IAM role access within its AWS Organization to mitigate risks associated with privileged access misuse. Given this goal, what represents the MOST secure and operationally efficient approach for restricting cross-account role access?

Implementing Service Control Policies (SCPs) on all Organizational Units to deny member accounts from creating or assuming IAM roles located in other AWS accounts, except for explicitly approved roles in the management account. (B)

A security architect is designing an IAM policy to control access to AWS KMS keys used for encrypting data in S3. The policy MUST allow only specific IAM roles from a designated AWS account to decrypt objects with a specific KMS key. Which represents the MOST secure and fine-grained policy?

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<AccountId>:role/<RoleName>" }, "Action": "kms:Decrypt", "Resource": "arn:aws:kms:<Region>:<AccountId>:key/<KeyId>" }] } (B)

A cloud architect is designing a system where IAM roles must provide temporary elevated access without permanently modifying the role's permissions. The architect is striving for compliance and accountability and also wants to restrict the use of permanent access keys. Given the constraints, which AWS mechanism BEST facilitates this requirement?

Leveraging AWS STS (Security Token Service) to assume roles with temporary credentials that are automatically revoked after a set time period and associating session policies to the assumed role to limit the scope of the access. (A)

In a highly regulated environment, an organization adopts a zero-trust security model, mandating continuous verification of user access rights to AWS resources. What approach offers the MOST robust real-time authorization mechanism?

Utilizing a custom authorization service that integrates with AWS Security Token Service (STS) through the use of session tags and dynamic policies, continuously validating user access against real-time risk signals. (C)

A global organization employs multiple AWS accounts across various geographical regions. It becomes essential to enforce a security baseline defining which AWS Regions can be used for resource deployment, ensuring compliance with regional data residency requirements. How could you implement this?

Implementing Service Control Policies (SCPs) within AWS Organizations that explicitly deny the use of services in non-approved AWS Regions, thus preventing resource creation in those regions. (D)

An organization uses a combination of inline and managed policies to control IAM permissions. Occasionally, users report access issues even when granted specific managed policies. What steps should a security administrator take to diagnose the MOST precise point of failure?

Combine AWS IAM Access Analyzer and CloudTrail logs. The combination of those can indicate the precise policy or SCP rule preventing full access. (A)

In a large AWS environment with multiple teams managing their own IAM roles and policies, which methodology BEST ensures that the organization's security guardrails are consistently enforced, while allowing teams the flexibility to manage resources?

Implementing AWS Organizations Service Control Policies (SCPs) to enforce organization-wide security constraints. This still allows individual teams to manage IAM roles and policies within defined boundaries. (A)

If cross account access is not working, what part of a role do you look to first?

The trust policy, it should have a Principal element, that has the ID of cross account that’s trying to access. (C)

There is the concept of AWS and Customer Managed Policies, when would you be most inclined to use a customer managed policy?

When access rights need to be granted to multiple teams, in accordance with compliance regulations. (A)

Under what circumstance are Inline policies generally best?

Whenever you need to ensure that a specific set of rights, either giving an individual additional access or blocking permissions, is specific to one user only. (D)

If something can’t be specified, should there be two colons? And does specifying an asterisk instead of specifying something that isn’t needed mean the same thing?

Specifying a region isn’t equivalent to specifying a star, they can not be used interchangeably. (A)

What does this ARN Reference: arn:aws:s3:::catgifs?

Just the bucket itself, not the bucket's objects. (C)

How does AWS evaluate allow or deny permissions, if the allow and deny statements each overlap?

Deny, Allow, then no explicit allow or deny. (B)

What is the maximum number of IAM users to have per account?

5,000 (A)

A developer is trying to configure group permissions for an S3 bucket containing company confidential data; what is the highest security method applicable?

You can't give permission to group directly. Assign IAM policy to the developers group. (C)

What is PassRole Permissions?

Is a method inside AWS which gives you the ability to implement role separation, and it's something which you can also use with service-linked roles. (B)

What best describes Service Linked Roles, and can they be deleted?

You can't delete the role until it's no longer required, and that means that it's no longer used within that AWS service. (D)

Which AWS service facilitates the creation of a standardized, multi-account environment with automated account provisioning and consistent application of security baselines?

AWS Control Tower. (D)

The core features of AWS control tower include all BUT which of the following?

In a complex IAM policy evaluation scenario, multiple policies—including identity-based, resource-based, and session policies—apply to a principal attempting to access an AWS resource. How does AWS determine the final effective permissions when these policies contain conflicting statements regarding conditions, such as source IP or time of day, ensuring both security and operational integrity?

AWS performs a parallel evaluation using a Boolean logic system where all conditions must independently evaluate to true for the request to be allowed; any condition evaluating to false results in an immediate Deny, regardless of other policies. (B)

In an AWS environment with multiple IAM entities (users, roles) operating under various conditions, how does AWS's policy evaluation logic account for the interactions between explicit and implicit permissions, especially when contextual factors such as the source VPC endpoint or the requesting service influence the evaluation?

AWS treats implicit permissions as inherent attributes of the environment, using them as conditional criteria during the policy evaluation process; access is granted only if both explicit permissions and implicit environmental conditions are satisfied. (B)

An organization maintains highly sensitive financial data in an S3 bucket and requires an IAM policy that permits only authorized data scientists to access the data solely from within an encrypted AWS Cloud9 environment during specific business hours. How would you design this policy to enforce these multi-faceted conditions securely and efficiently?

Establish a session policy enforced by AWS STS during the Cloud9 session, asserting conditions that demand the aws:userid corresponds to pre-approved data scientists, the aws:sourceVpc is the designated Cloud9 VPC, and the aws:CurrentTime falls within the specified operational hours. (B)

A globally distributed application utilizes multiple AWS accounts governed by AWS Organizations, each with its own IAM configurations. What advanced strategy can ensure least-privilege access across all accounts while dynamically adapting to infrastructure changes and new service integrations, minimizing administrative overhead and potential security breaches?

Adopt attribute-based access control (ABAC) with dynamically generated tags propagated across IAM roles and AWS resources, coupled with a sophisticated policy engine based on AWS Lambda that evaluates tags in real-time, updating permissions based on predefined business logic and compliance requirements. (D)

An organization aims to transition towards a completely passwordless authentication mechanism for its IAM users accessing the AWS Management Console, while also enforcing stringent compliance requirements for auditability and non-repudiation. How would you architect this solution to maximize security and usability?

Configure AWS IAM Identity Center (successor to AWS SSO) integrated with a SAML 2.0-compliant identity provider that supports certificate-based authentication, leveraging hardware security keys for IAM user validation. (B)

A security architect is tasked with designing a highly resilient IAM system that can withstand regional AWS outages while maintaining robust security controls. What advanced architectural approach should be implemented to ensure continuous authentication and authorization capabilities, minimizing disruption to critical business applications?

Implement a multi-region, active-active AWS IAM Identity Center deployment, with real-time synchronization of IAM policies and user directories, leveraging AWS Global Accelerator for traffic redirection during regional failures. (A)

An organization needs to grant temporary, elevated privileges to a subset of its IAM users for performing emergency incident response activities, while adhering to strict segregation of duties and minimizing the potential for privilege escalation. What is the MOST secure and auditable method to achieve this?

Leverage an IAM role with a restrictive trust policy and a permissions boundary, enabling users to assume the role only after successfully completing a challenge-response authentication process integrated with AWS STS. (A)

A multinational corporation with stringent data residency requirements needs to ensure that all IAM policies and configurations are strictly confined within their respective geographical AWS regions, preventing any cross-border data transfer or policy leakage. What advanced security mechanism is most effective in enforcing this sovereignty?

Implement AWS Organizations Service Control Policies (SCPs) that explicitly deny any IAM-related actions across all AWS accounts unless the target region matches the account’s designated residency. (D)

Consider a scenario where an IAM user is granted permissions to access a specific S3 bucket via both an IAM group policy and an inline policy directly attached to the user. The group policy allows s3:GetObject, while the inline policy allows s3:PutObject. What is the user's effective permission regarding these actions on the specified S3 bucket?

The user is allowed to perform both s3:GetObject and s3:PutObject actions, as AWS IAM policies are additive. (D)

An IAM role is configured with a trust policy that allows EC2 instances in Account A to assume the role. However, when an EC2 instance attempts to assume the role, it's denied. What is the MOST thorough way to diagnose the root cause of this issue?

Evaluate the trust policy of the IAM Role, explicitly verifying the Principal element includes the correct ARN for the EC2 service principal (ec2.amazonaws.com) and that the sts:ExternalId condition, if present, is correctly configured on both the role and the instance. (B)

In a scenario where an IAM policy grants conditional access to an S3 bucket based on the requester's IP address, how would you implement a solution to ensure that only requests originating from a specific VPN gateway can access the S3 bucket, while considering the potential for IP address spoofing or routing misconfigurations?

Employ AWS PrivateLink to create a VPC endpoint for S3, restrict bucket access to the VPC endpoint's network interface(s) using a bucket policy, and ensure all traffic to S3 transits through this endpoint. (A)

An IAM user requires permissions to manage EC2 instances but should be explicitly denied the ability to modify any IAM policies. What is the MOST precise and secure policy configuration to enforce this restriction?

Grant the user ec2:* permissions and attach an IAM permissions boundary that denies all iam:*Policy permissions. (D)

In a complex AWS environment, a security team discovers that an IAM role intended for read-only access to S3 buckets is inadvertently allowing write operations due to a misconfiguration in the policy conditions. How can they MOST effectively identify which specific condition was responsible for this unintended escalation of privilege?

Employ AWS IAM Policy Simulator to simulate various API calls made by the IAM role, inspecting the evaluation results to identify the specific combination of resource ARNs, actions, and conditions leading to the unwanted behavior. (D)

An organization is using multiple AWS accounts with IAM users and roles in each account. They want to grant an external auditor temporary access to read-only information across several S3 buckets in different accounts, minimizing the need to create new IAM entities. What is the MOST secure and efficient method to accomplish this?

Establish a cross-account IAM role in each AWS account that the auditor can assume, using a single AWS STS endpoint for federated authentication and defining a specific session duration. (D)

A security engineer is designing an AWS CloudTrail implementation for a highly regulated environment. They need to ensure that all API calls across every AWS account in an organization are logged, and that the logs are immutable and cannot be tampered with. Which approach BEST achieves this goal?

Deploy an organization-wide CloudTrail trail that delivers logs to a dedicated S3 bucket with S3 Object Lock in governance mode enabled, and integrate with AWS KMS using a customer-managed key with strict access controls. (D)

An organization requires that all IAM roles created within their AWS environment automatically inherit specific custom tags that denote the application and environment the role is associated with. What is the MOST effective means of enforcing this requirement across all accounts within an AWS Organization?

Leverage AWS Organizations Service Control Policies (SCPs) to explicitly deny the creation of IAM roles that do not include the specified custom tags in their initial configuration. (C)

A company has an IAM role in one AWS account (Account A) that needs to access a KMS key in another account (Account B) to decrypt data. The KMS key policy in Account B already allows the IAM role from Account A to perform decryption. However, the IAM role still cannot decrypt the data. What is the MOST likely cause of this issue?

The IAM role in Account A does not have permissions to call the KMS:Decrypt API. (D)

Your company is adopting a multi-account strategy using AWS Organizations. You need to ensure that all member accounts can ONLY be created using a standardized configuration, including baseline IAM roles, networking settings, and security configurations. How would you BEST achieve this?

Leverage AWS Control Tower's Account Factory to provision new accounts with a predefined baseline configuration, ensuring consistency across the organization. (C)

A cloud architect is designing a secure system for an organization that requires highly granular, context-aware access control to AWS resources. Which access control mechanism offers the MOST flexibility and scalability for managing permissions in this scenario?

Attribute-Based Access Control (ABAC) using IAM policies with conditions based on resource tags, IAM user attributes, and request context. (A)

In an AWS environment, an IAM user reports being unable to perform an action, despite having a policy that explicitly allows it. Assuming all AWS STS endpoints are enabled, what are the MOST critical troubleshooting steps to identify the root cause?

Check all of the above (D)

An organization wants to restrict access to specific AWS services (e.g., EC2, RDS) for all IAM users in a particular AWS account, but they want to retain the flexibility to selectively override these restrictions for specific IAM roles. What combination of IAM features BEST accomplishes this goal?

Use IAM permissions boundaries to limit the maximum permissions that all IAM users can have, and attach more permissive policies directly to individual IAM roles. (C)

Your organization uses AWS Organizations to manage multiple accounts, and you need to ensure that no IAM user or role in any member account can disable AWS CloudTrail. Which strategy is the MOST effective for enforcing this requirement?

Implement an AWS Organizations Service Control Policy (SCP) that denies the cloudtrail:DeleteTrail action, applying it to all member accounts. (B)

In a scenario where an IAM user is assigned to multiple IAM groups, each with its own set of permissions and restrictions, how does AWS resolve potential conflicts when determining the effective permissions for that user when accessing a specific AWS resource?

AWS aggregates all policies, factoring in conditions. Evaluating the aggregate set using deny, allow, default implicit deny priority. (D)

What is the key distinction between an AWS-managed policy and a customer-managed policy for IAM?

AWS-managed policies are created and managed by AWS, while customer-managed policies are created and managed by the customer. (B)

Under what circumstance is using an inline policy with IAM generally MOST appropriate?

When you need to define a custom set of permissions that is unique to a single IAM user, role, or group and will not be reused. (D)

What component within an IAM policy statement lets you inform the policy reader regarding the purpose of the ACL?

SID (D)

Within IAM policies, what is the purpose of specifying arn:aws:s3:::examplebucket/* versus arn:aws:s3:::examplebucket?

arn:aws:s3:::examplebucket/* specifies all objects in examplebucket, while arn:aws:s3:::examplebucket specifies the bucket itself. (A)

In a scenario where an IAM user has both an explicit Allow statement and an explicit Deny statement that apply to the same S3 resource and the same action, which statement ALWAYS takes precedence?

The Deny statement takes precedence, preventing the user from performing the action. (D)

What is the maximum number of IAM users that can be created within a single AWS account?

5,000 (A)

A developer needs to grant an IAM group permissions to manage AWS Lambda functions, ensuring only security-vetted individuals modify function code while allowing others to invoke the functions. What strategy provides the MOST secure separation of duties?

A globally-distributed mobile gaming company leverages Cognito Identity Federation to authenticate millions of players. To ensure optimal AWS resource utilization and minimize costs under varying player load, how should IAM roles be configured in conjunction with Cognito?

Employ a stratified IAM role strategy, dynamically assigning roles to users based on attributes obtained from their identity provider (e.g., geolocation, game progress, spending habits). Utilize AWS Lambda functions triggered by Cognito events to manage role assignments, enabling granular control and cost optimization. (C)

An engineer has defined an IAM policy with an explicit Allow for s3:GetObject on arn:aws:s3:::examplebucket/* but also included a Deny for s3:* on arn:aws:s3:::examplebucket/highly-sensitive/*. A user reports they are unable to download s3://examplebucket/file.txt, despite it not residing within the highly-sensitive subdirectory. What is the root cause?

Policy evaluation follows a precise sequence: AWS first checks for explicit denies. If one is found, evaluation ceases, and the action is denied - regardless of allows also apply. (D)

An organization wishes to enforce a 'least privilege' model strictly, minimizing any possibility of unintended privilege escalation within its AWS accounts. Identify the MOST comprehensive strategy.

Define granular, service-specific IAM policies that grant only the permissions required to perform intended tasks (deny by default). Implement automated policy generators driven by infrastructure-as-code (IaC) principles. Regularly review and refactor policies based on CloudTrail logs using sophisticated machine learning-driven analysis techniques. (C)

Within a complex AWS environment governed by AWS Organizations alongside delegated IAM administration to multiple teams, how can a central security team most effectively guarantee adherence to an organization-wide, non-negotiable policy prohibiting public read access to all S3 buckets?

Implement a Service Control Policy (SCP) within the AWS Organizations root, explicitly denying the s3:GetObject action when the s3:acl condition key evaluates to public-read. Combine this with regular, cross-account, automated penetration testing simulating external attacks. (C)

A global financial institution requires that all IAM roles across its AWS accounts be tagged with metadata indicating ownership, application criticality, and compliance requirements. Devise the MOST scalable and automated strategy for enforcing this?

Leverage AWS Organizations' Tag Policies, defining required tags and enforcement behaviors. Integrate this with an automated CI/CD pipeline incorporating pre-commit hooks that prevent deployment of IAM roles lacking required tags., backed by continuous monitoring. (B)

A security architect discovers that an IAM role, intended to grant read-only access to sensitive financial data stored in an S3 bucket within a highly regulated industry, has been inadvertently misconfigured, allowing certain IAM users to modify the data. How would you set up a solution to identify the misconfiguration?

Employ AWS IAM Access Analyzer to analyze the role’s effective permissions, combining with review of CloudTrail logs and AWS Config to validate historic configurations. Conduct frequent penetration testing against pre-production buckets using the suspect role. (A)

A cloud security engineer receives alerts that a sensitive S3 bucket appears to undergo unauthorized modification. How can they investigate and trace the origin of those modifications?

Implement automated policy deployment via infrastructure-as-code pipelines, and then monitor all PutObject events in CloudTrail, filtering by User Identity and Source IP. (C)

An organization aims to enforce a strict separation of duties for managing AWS CloudTrail logs, what is the best solution to meet the required strict separation of duties?

Implement a multi-account strategy. Enforce cross-account access restrictions via IAM roles and Service Control Policies (SCPs) to prevent unauthorized modification or deletion of CloudTrail configurations and log data. (B)

A cloud architect is designing a system that requires high throughput analysis of log data across multiple AWS accounts. Retention policies vary significantly account to account. Which solution will be the most suitable?

Deploy a Lambda function in each account, routing all logs to a central Elasticsearch cluster utilizing AWS Organizations to centralize long-term storage and analysis, while preserving account-specific retention requirements through dynamic indexing policies. (D)

Flashcards

IAM Policy

A set of security statements granting or denying access to AWS resources.

Authentication

Verifying the identity attempting to access AWS resources.

Statement ID (SID)

An optional identifier for an IAM policy statement.

Action

Specifies allowed or denied actions on AWS resources.

Resource

Specifies which AWS resources an action applies to.

Effect

Specifies whether action is allowed or denied

Explicit Deny Priority

Deny has highest precedence over any allow or implicit deny.

Inline Policies

Attaches JSON to AWS identities for special cases.

Managed Policies

Reusable JSON with statements applied to many.

AWS-Managed Policies

Created by AWS.

Customer-Managed Policies

Created by the user.

IAM Users

Identity used for AWS access (humans, apps).

Principal

First step of accessing resources.

Authentication

Process of principal proving identity.

Username/passwords or access keys

Long-term credentials for IAM users.

Authorization

Statements that IAM checks.

ARNs

Identify resources within any AWS accounts.

ARN Composition

Partition, service, region, account ID, resource.

IAM groups

containers for IAM users.

Group Benefit 1

Allow administration style user management.

Group Benefit 2

Policies attached.

Overlapping Policy

Deny, Allow, Deny applies to users and roles.

Resource policies

IAM policies on resources.

IAM Roles

It's access for short time only

Best Use cases

Not always known, multiple principles, temporary.

Trust policy

Allow to assume role.

Permission policy

Access for assumed identity.

Roles and STS

Identities, creates credentials.

AWS Services

Operate on your behalf.

Rotate access

A need

Break glass

Allow emergency use only.

Corporate env

Reuses identities.

Mobile users

Multiple users exist.

Cross Acccess

Can interact.

Two roles exist

Normal and role.

Service-Linked Role

An IAM role linked to AWS service.

PassRole Permissions

Give ability to use a pre existing role.

Example one can have

Allows user you create a service.

Look up the names

You can find services.

AWS Organizations

Manages multiple accounts.

Standard AWS account

AWS account not in organization.

Management Account

AWS account used to create organization.

Member account

AWS acount in organisation.

Organization Root

Hierarchical structure

Nested Aws

Also container is organizational units.

Consolidation of the bill account

Billing method for organisation.

SCPs

Restricts what AWS account scan do .

A management role does not affect

Used that service control does not affect.

Study Notes

IAM Identity Policies

• IAM policies are attached to identities inside AWS
• Identities are IAM users, IAM groups, and IAM roles

Understanding Policies

• There are three main stages to understanding policies:
  • Understanding their architecture and how they work
  • Gaining the ability to read and understand the policy
  • Learning to write your own policies for the exam

IAM Policies as Security Statements

• An IAM identity policy, or an IAM policy, is a set of security statements to AWS
• It grants or denies access to AWS products and features to any identity which uses that policy
• Identity policies, also known as policy documents, are created using JSON

Policy Documents Explained

• A policy document is just one or more statements
• Inside the statement block, there are multiple statements
• Each of them is inside a pair of curly braces, and these statements grant or deny permissions to AWS services

Authentication

• When an identity attempts to access AWS resources, that identity needs to prove who it is to AWS through authentication
• Once authenticated, that identity is known as an authenticated identity

How AWS Applies Identity Policies

• AWS knows which policies an identity has, which could be multiple
• Each of these policies can have multiple statements in it, so AWS has a collection of all of the statements which apply to a given identity
• AWS also knows which resource or resources being interacted with, as well as performed actions on those resources
• AWS reviews all of the statements one by one, and it reviews any that apply to a particular identity, accessing a particular resource in a particular way

Statement ID (SID)

• The first part of a statement to identify the statement and what it does
• This is an optional field for ease of communicating the purpose of the policy to humans
• States full access or deny Cat Bucket

Resource and Action

• Every interaction with AWS combines two main things
• The resource being interacted with
• The actions attempted to perform on that resource
• A statement only applies if the interaction with AWS matches the action and the resource
• A statement includes the action part, which must match one or more actions

Actions Formatting

• Actions can be very specific and list a specific individual action
• The format is service, colon and then the operation like s3:*
• It is possible to specify individual AWS resources, or list AWS resources as the second example
• Wildcards can also refer to every resource

Effect

• Controls what AWS does if the action and the resource parts of a statement match the operation
  • Allow
  • Deny

How AWS Processes Conflicting Policies

• Explicit denies always take priority
• If there’s no explicit deny, explicit allows are applied
• If neither explicit allow nor deny applies, AWS uses default implicit deny

Multiple Policies

• If multiple policies are involved for an entity, AWS collects all statements from all applying policies
• The same rule (deny, allow, deny) applies, and explicit deny wins over explicit allow

Policy Types

• Inline polices
  • Assign JSON individually on separate accounts
• Managed policies
  • Created as their own object, and then attached to identities who need access rights
    • Reusable
    • Low management overhead

When to Use Inline Policies

• Generally inline policies are for exceptions to the normal access rights, for special circumstances
• For exceptional access rights
• When needing to ensure that a specific set of rights is given

Managed Policy Types

• AWS-managed policies
  • Created and managed by AWS
  • May not fit exact needs
• Customer-managed Policies
  • Created and managed so that they can be defined as per the exact requirements of the business

IAM Users

• IAM Users are an identity used for anything requiring long-term AWS access like humans, applications or service accounts

IAM Authentication Process

• IAM starts with a principle
  • An entity like a person or application that is trying to access an AWS account
• Principles need to authenticate and be authorized in order to do anything

Authentication

• Authentication is a process where the principle proves to IAM that it is an identity that it claims to be, like Sally
• Authentication for IAM users is done either using username and password or access keys
• Access keys are used if it's an application of if a human is trying to use the AWS command line tools

Authorization

• Authorization is where AWS knows which policies apply to that identity to access AWS Resources

Amazon Resource Names (ARNs)

• ARNs do uniquely identify resources within any AWS accounts
• ARNs allow you to refer to a single resource if needed, or using wild cards
• Required since things can be named in a similar way (like similar EC2 instances in diff regions)

ARN Usage

• ARNs are used in IAM policies
• ARNs are generally attached to identities such as IAM users
• Have a defined format (service specific)

ARN Examples

• ARN for S3 bucket arn:aws:s3:::catgifs
• ARN for S3 Objects: arn:aws:s3:::catgifs/*
• The difference between the ARNs are the /* on the end of the second
• These two ARNs don't overlap
• First describes the bucket itself
• 2nd one references anything in that bucket but not the bucket itself
• By specifying /* the matches any objects in the bucket, so any object name

ARN Structure

• Collections of fields split by a colon
• Double colon is for service not needing to be specified
• First field - Partition: The partition that the resource is in. For standard AWS regions, the partition is AWS. If there are resources in other partitions (like AWS-cn), there'll be an AWS partition name
• Second field is service" - the service namespace that identifies the AWS product (S3, IAM or RDS)
• Third field - Region: This is the region that the resource is in. Some ARNs don't require region account ID - the AWS account that owns the resource
• EC2 does, S3 does not
• Content of ARN varies

IAM Limitations

• A single account can only have 5,000 IAM Users
• A single IAM user can only be a member of 10 IAM groups maximum

When to use IAM Roles or Identity Federation

• IF you have any scenario or project with more than 5000 identifiable users, or identities, it's likely that IAM users are not the right identity to pick for that solution
• IF you are faced with an exam question of more than 5000 Users OR it's for an application on the internet that's going to have millions of users AND then then there is an answer which wants to create an IAM for every user of that application that is the wrong answer

IAM Groups

• IAM Groups are containers for IAM users
• Groups make it easier to organize large sets of IAM users
• An IAM user can be a member of multiple IAM groups

Group Restrictions

• You can't log into IAM groups
• IAM groups have no credentials of their own
• Groups cannot be nested

Group Limits

• There is no effective limit for the number of users in a single IAM group.
• There is a limit of 300 groups per account, but it can be increased with a support ticket.

Groups Benefit

• Allow effective administration style management of users
• Groups can actually have policies attached to them"
  • Inline
  • Managed

AWS Considers the Following Policies to a User

• Permissions from all policies from all groups the user is a member
• Permissions from the policy attached to the IAM User

Resource policies

• AWS has ways to attach policies to S3 buckets (or other resources to define an allows those with specific credentials to do actions within these policies)
• a policy on a resource CAN reference IAM users and IAM roles by using the ARN
• Groups arent a true identity , they can't be referenced as a principal in a policy
• Groups are just there to group up IAM users and allows permissiosn to be assigned to those group which the IAM Users inherit

IAM Roles

• One type of identity which exists inside an AWS account
• A role is generally best suited to be used by an unknown number or multiple principles, not just the one
• This might be multiple AWS users inside the same AWS account, or it could be humans, applications or services inside or outside of your AWS account who make use of that role.
• Roles are also something which is generally used on a temporary basis, something becomes that role for a short period of time and and then stops

Roles

• The Role represents a level of access, and it uses short team borrowed permissinos
• Is not something that represents long term

IAM vs Roles

• IAM can access the rights, roles are the way to access those rights

IAM User policies

• Inline
• Managed

IAM Roles

• Trust policy
• Permissions policy

Trusted Policies

• Controls who can assume a role

When to Use Roles for AWS Services

• Most common is AWS serves themselves;
• Instead of hardcoded permissions into your Lambda function, there's a better way.
  -To provide these permissions, we can create an IAM known as a Lambda Execution Role

If a Role is Assumed

• Temp SEC credentials are created
• Each runtime that lambda function uns can use temp credentials to access any aws resources based of whatever permissions have

Emergency

• Emergency or out-of-the-usual situations;

Roles Summary

• The important points were -A Role is very advantageous in the previous case" -Because then there's no key to rotate/update -Also there is a limited number of people who can activate/use
• So Role might be most deal identity to use because it can be unknown

Adding AWS into Exisitng Corporate Environment

• Reuse existing identitites for use within AWS
• Used from the corporate Active Directory
• External Accounts can not be sued here directly - to access an S3 bucket using ADC account (ie FaceBook / twitter. google
• Separate process that allows u to use these external identitiies

Web Identity Federation

• You use web identity Federation (uses iam roles"
• Most mobile applications

Two main categories

• Service-linked Roles
• PassRoles (

Service-Linked roles

• IAM role linked to specific AWS service"
• Predefined by a service
• Providing permissions that as service needs to interact with others
• Might create/delete role -- or allow you do run set up or within in AMS
• Can't delete it until no longer required / in use

service roles vs normal roles

• Key difference is you can't delete a service-linked role

IAM CreateServiceLinkedRole action examples

• The action is IAM create service-linked role, and then it must have this SERVICE-NAME.amazonaws.com

Common mistake

• important DO NOT try to guess THIS because different services express different ways So be careful to not get this wrong

Separation on the Job Level

• Is giving that one group has the ability to create roles & then get another people to them - Might wan to give Bob can use existing role - You create the list role" This allows Bob to pass an existing role to the cloud Formulation - If BOB was configured Service w/ a role & some people with the

ListRole and PassRole permissions only on role this cloud formation

PassRole

• If BOB wants this This allows BOB to pass an existing role to the loud formation & does not create the Stack It is a great way to implement role isolation This is a really important AWS security setup

AWS Organisations

• Allows Larger businesses to manage accounts in in cost effective ways and no mamangent cost
• In order to do this , u need to understanf the evlotion"

Standard VS Orgnisatinal Accounts

• Take a standard AWS account & create an AWS organisation -important -> organization ISNT CREATE In Account !
• You are just doing that to create Organization in that account
• So that 1st standard AWS account now becomes management account for organization It use to be called (master account & if you hear it know its the same thing

Accounts

• U invite standard AWS account and approve the organization this means they have accepted the invite to "Join organization

Standard AWS

• Then they change from being standard → member -Has 1 orgnizational structure & that structure HAS TO Have management structure. / master account Now u have the Organization root & accounts in the structure

Organization Root

• Just a container For accounts that exist @ top of organizatonal structure
  • So youre structure is heirachial, inverted tree & root structure Do not confuse the root container w/ account root User (which is a admin user of AWS ) - This root-> organization root-> container- just a container for that AWS account & that means" member accounts or management accounts

Consolidated Billing

• With it , There are 4 accounts w/ its owning billin info.
  • However it gets passed thr to management to billing
    • You get 1 monthly bill
• Helps take the financial admin over head

With AWS certain users,

• u get cheaped more in same space. By paying the same thing These benefits are pooled in & organizational benefit / cheaper when combined

AWS Organisations also feature

• Service Control Policies (SCPs-> & test the actual AWS account. ! & impt This what lets you act retrict what is the AWS account that the organizaion can now do. . & these all IMPT

As well as being able to invite existing accounts,

• you can create to create new accounts
  • Just need valid unique email " AWS handle the rest : Adding the is, so creating in Organization so you do"not has to have that Invite process

Cloud watch details/summary

• Cloud watch is service that has logging data & can store and monitor it Public set up services but also utilized by AWS Set up cloud set & from. This what u need to look a at.

Cloudd Trail product

  -   has log APi actions which effect set up  accoutns .. but there are APi accounts  &  a name trail

trail

• The events of APis the that was created to help under stand" . Clodd trail regional sevce. That is create or . that is going two operated . IN 1 OR 2 SET One region the trail was If it WAS ONLY EVER in that REGION & IT ONLY EVENTS - All REGION —-> you think what you have Is the AWS region bot it made as 1 LOGIC & got additional benefiitt is AWS adds ANY new region then all regional traffic is what is all to be

How does ClouddTrail know which events that needs or is only which events that is

• Now most service where you can log when event is made then it log"s where event occurs -If you crate an " EC@ instance in south east " it log"s on that REgion & A Trail has to set it be to 1 Reigoion

But certain # of servers log global 1 reason, "

           so global  "  so those services only  Sms, etc
                If is what trail NEEDED to log in Events - those 

Trail Summary

It’s  way you provide configuration where how set operate

Global sevciices

Which you could get to that Data events need to be spicifiy to what enables them - are all what come at extra cost.

• AWS- & also front. WHICH all come as it all as. If is has trail you will have

Cloudtrail

• This list - that is the is what set set do you need, then that what get to

          . that then that if it  all those  to access trail
  

You 0 you" get the that, & what has the

       it  is  to what . YOU. the"  s those which for  data  with 

• with what you" get with

AWS COnttrol Tower

• Lets you set it up & govorn those on a . Aws what those all as a team

• Is the -that is a to set up and govorn is that to work If has to go , then those have Aws to in under stand. . IF NOT &""

  all , " that which &""

             You reall 
          In for those to be and is for ""
  

Now which

• (aws"" and this
• in- is to

that All- what with" then that and so with"" what those""

  for and at a
, what those

Control Tower with all its parts

• • with & like or is that u"" what with what is that at what do""