AWS Solution Architect Associate (SAA-C02) Review Material – IAM

General

  • It is a global service
  • Has the following entities:
    • Identities:
      • User
      • Group
      • Role
    • Policies
  • Answers the question “Who (user, group, role) can access (policies) what (AWS resources)?”
  • The root account is not one of the above identities.
  • Can define a password policy for IAM Users (e.g. minimum password length, required character types, password expiration)
  • Can enable MFA for the root account and for IAM Users.
  • Can manage server certificates (uploaded through the CLI, not the console)

IAM User

  • Represents a person or a service.
  • Can be assigned to an IAM Group
  • Can have an IAM Policy attached
  • Can define an inline policy
  • Can be allowed to assume an IAM Role. The user switches roles either:
    1. by calling AWS STS AssumeRole
    2. through the console.
  • Can have programmatic access (access key ID and secret access key) or console access (username and password).
  • Can have a permission boundary set.
  • Can be tagged.

IAM Group

  • A collection of IAM Users.
  • Cannot contain another IAM Group.
  • Can have an IAM Policy attached.
  • No Inline policy.
  • Cannot be tagged.
  • No Permission Boundary.

IAM Role

  • Determines what the identity can and cannot do in AWS.
  • Can have an IAM Policy attached (like an IAM User).
  • Unlike an IAM User, has no username and password.
  • Intended to be assumed by:
    • an AWS service
    • another AWS account, which can then delegate the role to its own IAM Users
    • a web identity
    • a SAML 2.0 federated identity

IAM Policies

  • Defines the permissions of an identity or a resource.
  • Policy Types:
    • Identity-based (assigned to a user, group or role)
      • Managed (AWS or Customer Defined)
      • Inline
    • Resource-based
      • Attached inline to a resource, e.g. an S3 bucket policy
    • Permission boundaries
      • Defines the maximum permission for a given set of policies.
      • Applicable only to Identity-based policies.
      • Does not grant permission
    • Organization SCP
      • Defines the maximum permissions for account members of an organization or organizational unit (OU)
      • Does not grant permission
    • Access Control List (ACL)
      • Controls which principals in other accounts can access the resource to which the ACL is attached
      • It’s a cross-account permissions policy that grants permissions to the specified principal.
      • Cannot grant permissions to entities within the same account.
      • It does not use JSON format.
    • Session Policies
      • Passed with the AWS CLI or API when a session is created.
      • Limits permission in a session.
      • Does not grant permission
  • Policy Structure:
    • Consists of:
      • Version – always 2012-10-17
      • Id – an identifier, usually descriptive text. Optional
      • Statement – Mandatory
    • Statement Structure:
      • Sid
        • an identifier.
        • usually a descriptive text.
        • optional.
      • Effect
        • defines whether to allow or deny the Actions
        • value is either Allow or Deny
        • mandatory
      • Action
        • list of AWS API names.
        • wildcards are allowed, i.e. either * or APIName*
        • mandatory
      • Resource
        • list of AWS resources that the action is applied to
        • in ARN format
        • can be a wildcard (*)
        • mandatory
      • Principal
        • an account, user or role
        • in ARN format
        • optional
      • Condition
        • conditions under which the statement is in effect
        • optional
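The policy structure above, and the permission-boundary rule that a boundary caps but never grants, as an added worked example (this is not code from the original notes or from AWS): a small Python evaluator that loads a constructed identity-based policy and a constructed permissions boundary, validates the mandatory elements (Version, Statement, Effect, Action, Resource), and decides requests using wildcard Action/Resource matching, a Bool Condition on aws:MultiFactorAuthPresent, explicit Deny overriding Allow, and the intersection with the boundary. The bucket name, Sids and account-free ARNs are constructed, and the evaluation logic is a simplified model of IAM (only the Bool condition operator, no resource-based policies or SCPs).

```python
"""Simplified IAM policy evaluator (added example; not AWS code)."""
import fnmatch
import json

# Constructed identity-based policy attached to an IAM user.
# Sid is optional; Version, Statement, Effect, Action and Resource are mandatory.
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadBucket",
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Sid": "DeleteOnlyWithMfa",
      "Effect": "Allow",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Sid": "DenyWritesToLogs",
      "Effect": "Deny",
      "Action": ["s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::example-bucket/logs/*"
    },
    {
      "Sid": "IamAdmin",
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
""")

# Constructed permissions boundary: caps the user at S3 only. It grants nothing by itself.
BOUNDARY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}
""")

MANDATORY_STATEMENT_KEYS = {"Effect", "Action", "Resource"}


def validate_policy(policy):
    """Check the structural rules from the notes; returns True or raises ValueError."""
    if policy.get("Version") != "2012-10-17":
        raise ValueError("Version must be 2012-10-17")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        raise ValueError("Statement is mandatory and must be a non-empty list")
    for stmt in statements:
        missing = MANDATORY_STATEMENT_KEYS - stmt.keys()
        if missing:
            raise ValueError(f"statement {stmt.get('Sid', '<no Sid>')} is missing {sorted(missing)}")
        if stmt["Effect"] not in ("Allow", "Deny"):
            raise ValueError("Effect must be Allow or Deny")
    return True


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: "*" matches anything, "s3:Get*" matches a prefix.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_met(stmt, context):
    # Only the Bool operator is modelled, which is enough for aws:MultiFactorAuthPresent.
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if str(context.get(key, False)).lower() != str(expected).lower():
                return False
    return True


def evaluate_policy(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'Implicit' (no matching statement) for one policy document."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_met(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins, whatever else matches
        decision = "Allow"
    return decision


def is_allowed(action, resource, mfa=False, identity=IDENTITY_POLICY, boundary=BOUNDARY_POLICY):
    """Effective permission: allowed by the identity policy AND by the boundary, with no Deny anywhere."""
    context = {"aws:MultiFactorAuthPresent": mfa}
    decisions = [evaluate_policy(identity, action, resource, context)]
    if boundary is not None:
        decisions.append(evaluate_policy(boundary, action, resource, context))
    return "Deny" not in decisions and all(d == "Allow" for d in decisions)


if __name__ == "__main__":
    validate_policy(IDENTITY_POLICY)
    obj = "arn:aws:s3:::example-bucket/data.csv"
    print("GetObject without MFA:", is_allowed("s3:GetObject", obj))                 # True
    print("DeleteObject without MFA:", is_allowed("s3:DeleteObject", obj))           # False
    print("DeleteObject with MFA:", is_allowed("s3:DeleteObject", obj, mfa=True))    # True
    print("iam:CreateUser under the boundary:", is_allowed("iam:CreateUser", "*"))   # False
```

The last case is the one to remember for the exam: the identity policy allows iam:* but the boundary only covers S3, so the request is denied even though nothing explicitly denies it; remove the boundary (pass boundary=None) and the same call is allowed.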

IAM Reporting Tools

  • Credentials Report
    • Account-level reporting
    • Lists all users in your account and the status of their various credentials.
    • For auditing and compliance
  • Access Advisor
    • User-level reporting
    • Shows service last accessed information (when the user last used each service it has permissions for)

AWS STS

  • Grants limited access to AWS resources through the use of temporary tokens
  • Tokens are valid for up to 1 hour.
  • Tokens are obtained through the API or CLI
  • APIs to obtain tokens:
    • AssumeRole
      • allows existing IAM users to access AWS resources that they don’t already have access to (including cross-account access)
    • AssumeRoleWithWebIdentity
      • for federated users who are authenticated through a public identity provider.
    • AssumeRoleWithSAML
      • for federated users who are authenticated by your organization’s existing identity system
    • GetFederationToken
      • for federated users.
    • GetSessionToken
      • returns temporary credentials for an existing IAM user
      • provides enhanced security, such as allowing AWS requests only when MFA is enabled for the IAM user
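The cross-account AssumeRole case above (and the IAM Role section's point that a role can be assumed by another account, which then delegates to its own users) turns on the role's trust policy, which is the one place the Principal element from the policy structure appears. The following is an added example, not code from the original notes or from AWS: a Python function that builds such a trust policy, optionally requiring MFA through the real aws:MultiFactorAuthPresent condition key, and a simplified check of which caller ARNs it admits. The account id 111122223333 and the user names are constructed placeholders. Note that a trust policy is resource-based (it sits on the role), so it carries a Principal and no Resource element.

```python
"""Role trust policy and a who-can-assume check (added example; not AWS code)."""
import json


def build_trust_policy(trusted_account_id, trusted_user=None, require_mfa=True):
    """Return the trust policy for a role that another account (or one of its users) may assume.

    Trusting the account root ("arn:aws:iam::ACCOUNT:root") delegates the choice of
    users to that account's own identity policies; naming a user ARN trusts only that user.
    """
    if trusted_user:
        principal = f"arn:aws:iam::{trusted_account_id}:user/{trusted_user}"
    else:
        principal = f"arn:aws:iam::{trusted_account_id}:root"
    statement = {
        "Sid": "AllowCrossAccountAssumeRole",
        "Effect": "Allow",
        "Principal": {"AWS": principal},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    # ARN layout: arn:partition:service:region:account-id:resource, so index 4 is the account.
    if principal == "*":
        return True
    if principal.endswith(":root"):
        return principal.split(":")[4] == caller_arn.split(":")[4]
    return principal == caller_arn


def can_assume(trust_policy, caller_arn, mfa_present=False):
    """Simplified decision: may caller_arn call sts:AssumeRole on the role holding this trust policy?"""
    allowed = False
    for stmt in trust_policy["Statement"]:
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if not any(_principal_matches(p, caller_arn) for p in principals):
            continue
        needs_mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        if needs_mfa and not mfa_present:
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny wins
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed account id and user name; 111122223333 is a placeholder, not a real account.
    policy = build_trust_policy("111122223333", trusted_user="alice")
    print(json.dumps(policy, indent=2))
    print(can_assume(policy, "arn:aws:iam::111122223333:user/alice", mfa_present=True))  # True
    print(can_assume(policy, "arn:aws:iam::111122223333:user/alice"))                    # False
```

Two things the check makes visible: the trusted account's own users still need an identity policy allowing sts:AssumeRole on the role (the trust policy only says who the role will accept), and the MFA condition in the trust policy is what turns "assume this role" into "assume this role only from an MFA-authenticated session".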
