{"id":200,"date":"2022-01-30T02:32:44","date_gmt":"2022-01-30T02:32:44","guid":{"rendered":"https:\/\/192.168.1.3\/wordpress\/?p=200"},"modified":"2024-12-20T03:46:51","modified_gmt":"2024-12-20T03:46:51","slug":"aws-solution-architect-associate-saac02-review-material-iam","status":"publish","type":"post","link":"https:\/\/mylinuxsite.com\/wordpress\/?p=200","title":{"rendered":"AWS Solution Architect Associate (SAA-C02) Review Material &#8211; IAM"},"content":{"rendered":"\n<!--more Continue reading-->\n\n\n\n<h4 class=\"wp-block-heading\">General<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>It is a global service.<\/li><li>Has the following entities:<ul><li>Identities:<ul><li>User<\/li><li>Group<\/li><li>Role<\/li><\/ul><\/li><li>Policies<\/li><\/ul><\/li><li>Answers the question &#8220;Who (user, group, role) can access (policies) what (AWS resources)?&#8221;<\/li><li>The Root account is not part of any of the above identities.<\/li><li>Can define a password policy for IAM Users (e.g. password length, required password characters, password expiration).<\/li><li>Can enable the use of MFA for Root and IAM Users.<\/li><li>Can store server certificates (uploaded through the CLI, not the console).<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">IAM User<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>Represents a person or a service.<\/li><li>Can be assigned to an IAM Group.<\/li><li>Can have an IAM Policy attached.<\/li><li>Can define an <strong>Inline<\/strong> policy.<\/li><li>Can assume a <strong>delegated<\/strong> IAM Role. The user can switch roles either:<ol><li>by calling AWS STS AssumeRole, or<\/li><li>through the console.<\/li><\/ol><\/li><li>Can have programmatic access (via an access key ID and secret access key) or console access (username and password).<\/li><li>Can set a <strong>Permission Boundary<\/strong>.
<\/li><li>Can be tagged.<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">IAM Group<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>A collection of IAM Users.<\/li><li>Cannot contain another IAM Group.<\/li><li>Can have an IAM Policy attached.<\/li><li><strong>No Inline policy<\/strong>.<\/li><li>Cannot be tagged.<\/li><li><strong>No Permission Boundary<\/strong>.<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">IAM Role<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>Determines what the identity can and cannot do in AWS.<\/li><li>Can have an IAM Policy attached (like an IAM User).<\/li><li><em>Unlike<\/em> an IAM User, has no username and password.<\/li><li>Intended to be assumed by the following identities:<ul><li>an AWS service<\/li><li>another AWS account, which can then delegate the role to its own IAM Users<\/li><li>a Web Identity<\/li><li>a SAML 2.0 federation<\/li><\/ul><\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">IAM Policies<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>Defines the permissions of an identity or a resource.<\/li><li>Policy Types:<ul><li>Identity-based (assigned to a user, group or role)<ul><li>Managed (AWS or Customer Defined)<\/li><li>Inline<\/li><\/ul><\/li><li>Resource-based<ul><li>Acts as an inline policy on a resource, e.g. an S3 Bucket Policy<\/li><\/ul><\/li><li>Permission boundaries<ul><li>Defines the maximum permissions that a given set of policies can grant.<\/li><li>Applicable only to Identity-based policies.<\/li><li>Does not grant permission<\/li><\/ul><\/li><li>Organization SCP<ul><li>Defines the maximum permissions for account members of an organization or organizational unit (OU)<\/li><li>Does not grant permission<\/li><\/ul><\/li><li>Access Control List (ACL)<ul><li>Controls which principals in other accounts can access the resource to which the ACL is attached<\/li><li>It&#8217;s a <strong>cross-account<\/strong> permissions policy that grants permissions to the specified principal.
<\/li><li>Cannot grant permissions to entities within the same account.<\/li><li>It does not use JSON format.<\/li><\/ul><\/li><li>Session Policies<ul><li>Used with the AWS CLI or API.<\/li><li>Limits the permissions of a session.<\/li><li>Does not grant permission<\/li><\/ul><\/li><\/ul><\/li><li>Policy Structure:<ul><li>Consists of:<ul><li>Version &#8211; always 2012-10-17<\/li><li>Id &#8211; an identifier, usually descriptive text. Optional<\/li><li>Statement &#8211; Mandatory<\/li><\/ul><\/li><li>Statement Structure:<ul><li>Sid<ul><li>an identifier<\/li><li>usually descriptive text<\/li><li>optional<\/li><\/ul><\/li><li>Effect<ul><li>defines whether to allow or deny the Actions<\/li><li>value is either <strong>Allow<\/strong> or <strong>Deny<\/strong><\/li><li>mandatory<\/li><\/ul><\/li><li>Action<ul><li>list of AWS API names<\/li><li>can use wildcards, i.e. either * or APIName*<\/li><li>mandatory<\/li><\/ul><\/li><li>Resource<ul><li>list of AWS resources that the action is applied to<\/li><li>in ARN format<\/li><li>can be a wildcard (*)<\/li><li>mandatory<\/li><\/ul><\/li><li>Principal<ul><li>an account, user or role<\/li><li>in ARN format<\/li><li>optional<\/li><\/ul><\/li><li>Condition<ul><li>specifies the circumstances under which the policy is in effect<\/li><li>optional<\/li><\/ul><\/li><\/ul><\/li><\/ul><\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">IAM Reporting Tools<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>Credentials Report<ul><li>Account-level reporting<\/li><li>Lists all users in your account and the status of their various credentials.<\/li><li>For auditing and compliance<\/li><\/ul><\/li><li>Access Advisor<ul><li>User-level reporting<\/li><li>Shows service last accessed information<\/li><\/ul><\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">AWS STS<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>Grants temporary, limited access to AWS resources through the use of tokens<\/li><li>Tokens are valid for up to 1 hour.<\/li><li>Created through the API and 
CLI<\/li><li>APIs to obtain tokens:<ul><li><strong>AssumeRole<\/strong><ul><li>allows <span class=\"has-inline-color has-vivid-cyan-blue-color\">existing IAM users<\/span> to access AWS resources that they don&#8217;t already have access to <strong>(including cross-account access)<\/strong><\/li><\/ul><\/li><li><strong>AssumeRoleWithWebIdentity<\/strong><ul><li>for federated users who are authenticated through a <span class=\"has-inline-color has-vivid-cyan-blue-color\">public identity provider<\/span>.<\/li><\/ul><\/li><li><strong>AssumeRoleWithSAML<\/strong><ul><li>for federated users who are authenticated by <span class=\"has-inline-color has-vivid-cyan-blue-color\">your organization&#8217;s existing identity system<\/span><\/li><\/ul><\/li><li><strong>GetFederationToken<\/strong><ul><li>for federated users.<\/li><\/ul><\/li><li><strong>GetSessionToken<\/strong><ul><li>returns temporary credentials for an existing IAM user<\/li><li>provides enhanced security, such as allowing AWS requests only when MFA is enabled for the IAM user<\/li><\/ul><\/li><\/ul><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"626\" height=\"220\" src=\"http:\/\/192.168.1.3\/wordpress\/wp-content\/uploads\/2022\/02\/DelegationVennDiagram.png\" alt=\"\" class=\"wp-image-229\" srcset=\"https:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2022\/02\/DelegationVennDiagram.png 626w, https:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2022\/02\/DelegationVennDiagram-300x105.png 300w\" sizes=\"auto, (max-width: 626px) 100vw, 626px\" 
\/><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[11],"tags":[],"class_list":["post-200","post","type-post","status-publish","format-standard","hentry","category-aws-review-notes"],"_links":{"self":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/200","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=200"}],"version-history":[{"count":17,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/200\/revisions"}],"predecessor-version":[{"id":1408,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/200\/revisions\/1408"}],"wp:attachment":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}