AWS IAM
- IAM allows you to manage users and their level of access to the AWS console and to AWS services
- It is important to understand IAM and how it works, both for the exam and for administering a company's AWS account in real life
Key Features of IAM
Identity Access Management (IAM) offers the following features:
- Centralized control of your AWS account
- Shared Access to your AWS account
- Granular permissions
- Identity Federation (including Active Directory, Facebook, LinkedIn, etc.) - the same user ID and password from these identity providers can be used to log in to the AWS account
- Multifactor Authentication
- Provides temporary access for users/devices and services where necessary
- Allows you to set up your own password rotation policy
- Integrates with many different AWS services
- Supports PCI DSS compliance - e.g. when handling credit card details, this compliance is required
Key Terminology for IAM
Users
End users such as people, employees of an organization, etc.
Groups
A collection of users. Each user in the group inherits the permissions of the group
Policies
Policies are made up of documents, called policy documents. These documents are written in JSON and they define what a user/group/role is permitted to do
Roles
You can create roles and assign them to AWS resources
Note:
- IAM is universal. It does not apply to regions at this time.
- The "root account" is simply the account created when you first set up your AWS account. It has complete admin access.
- New users have no permissions when first created
- New users are assigned Access Key ID and Secret Access Keys when first created.
- These are not the same as a password. You cannot use the Access Key ID & Secret access key to login to the console. You can use this to access AWS via the APIs and command line, however.
- You can only view these once. If you lose them, you have to regenerate them. So, save them in a secure location.
- Always set up Multifactor Authentication on your root account.
- You can create and customize your own password rotation policies.
- Power user access allows access to all AWS services except for the management of groups and users within IAM
- Policy documents are written in JSON format
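The points above about groups (a user inherits its group's permissions), policy documents (JSON statements with an Effect, Action and Resource) and new users (no permissions until a policy is attached) can be seen together in a small evaluator. The following is an added example, not AWS's own policy engine and not code from the original notes: it implements the three rules in simplified form (default deny, union of user and group policies, explicit Deny overrides Allow) over constructed policy documents. The bucket name, user names and group name are assumptions made up for the example.

```python
"""
Simplified IAM policy evaluation over constructed JSON policy documents.

Added illustration, not AWS's evaluator. It models three rules from the notes:
  * a newly created identity has no permissions (default deny)
  * a user inherits every policy attached to the groups it belongs to
  * an explicit "Deny" in any applicable statement overrides any "Allow"
Bucket, user and group names below are constructed for the example.
"""
import json
from fnmatch import fnmatchcase

# Constructed policy attached to the "developers" group: read-only access
# to one bucket and its objects.
DEVELOPERS_GROUP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    }
  ]
}
""")

# Constructed policy attached directly to one user: explicitly deny reads of a
# sensitive prefix, even though the group policy would allow them.
ALICE_USER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/secrets/*"
    }
  ]
}
""")

# Constructed directory: group memberships and directly attached policies.
GROUP_POLICIES = {"developers": [DEVELOPERS_GROUP_POLICY]}
USERS = {
    "alice":   {"groups": ["developers"], "policies": [ALICE_USER_POLICY]},
    "bob":     {"groups": ["developers"], "policies": []},
    "newhire": {"groups": [], "policies": []},   # just created: no permissions
}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """Case-sensitive glob match, so "s3:*" covers "s3:GetObject"."""
    return any(fnmatchcase(candidate, p) for p in _as_list(patterns))


def policies_for(user):
    """Effective policy set: the user's own policies plus those of each group."""
    record = USERS[user]
    docs = list(record["policies"])
    for group in record["groups"]:
        docs.extend(GROUP_POLICIES.get(group, []))
    return docs


def is_allowed(user, action, resource):
    """Evaluate one request: start from deny, an explicit Deny beats any Allow."""
    allowed = False
    for doc in policies_for(user):
        for stmt in doc["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny wins immediately
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed


if __name__ == "__main__":
    checks = [
        ("bob",     "s3:GetObject",  "arn:aws:s3:::example-bucket/readme.txt"),
        ("bob",     "s3:GetObject",  "arn:aws:s3:::example-bucket/secrets/db.txt"),
        ("alice",   "s3:GetObject",  "arn:aws:s3:::example-bucket/secrets/db.txt"),
        ("alice",   "s3:PutObject",  "arn:aws:s3:::example-bucket/readme.txt"),
        ("newhire", "s3:ListBucket", "arn:aws:s3:::example-bucket"),
    ]
    for user, action, resource in checks:
        verdict = "ALLOW" if is_allowed(user, action, resource) else "DENY"
        print(f"{user:8} {action:14} {resource}: {verdict}")
```

Running the block shows bob, who only has the group policy, reading everything in the bucket; alice, who carries the same group policy plus a direct Deny, being refused on the secrets prefix only; and newhire, with no policies at all, being denied even a bucket listing. Real IAM evaluation also considers resource-based policies, permission boundaries, SCPs and conditions, which this simplification leaves out.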
Sample question :
- You are a solutions architect working for a large engineering company that is moving its existing legacy hardware to AWS. You have configured their first AWS account and you have set up IAM. Your company will be primarily based out of West Germany; however, they will have a small subsidiary operating out of South Korea and you will need an AWS environment configured there as well. Which of the following statements is true?
Ans: You will need to configure the users and policy documents only once, as these are applied globally
- You have a client who is considering moving to AWS services and do not yet have an account. What is the first thing the company should do to set up an AWS Account?
Ans: set up an account using their company's email address
- You are a security administrator working for a hotel chain. You have a new member of staff who has started as a systems administrator and they will need full access to the AWS console. You have created the user account and generated the access key id and the secret access key. You have moved this user into the group where the other administrators are and you have provided the new user with their secret access key and their access key id. However, when they go to log in to the AWS console, they cannot sign in. What could be the cause of this?
Ans: You cannot log in to the console using Access Key ID and Secret Access Key, instead you must generate the password for the user and supply the user with this password, as well as the unique link to sign in to the AWS console