AWS Identity Access Management – IAM – Certification

AWS IAM Overview

  • AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users.
  • IAM is used to control
    • Identity – who can use your AWS resources (authentication)
    • Access – what resources they can use and in what ways (authorization)
  • IAM can also keep your account credentials private.
  • With IAM, multiple IAM users can be created under the umbrella of the AWS account or temporary access can be enabled through identity federation with corporate directory.or third party providers
  • IAM also enables access to resources across AWS accounts.

IAM Features

  • Shared access to your AWS account
    • Grant other people permission to administer and use resources in your AWS account without having to share your password or access key.
  • Granular permissions
    • Each user can be granted with different set granular permissions as required to perform their job
  • Secure access to AWS resources for applications that run on EC2
    • IAM can help provide applications running on EC2 instance temporary credentials that they need in order to access other AWS resources
  • Identity federation
    • IAM allows users to access AWS resources, without requiring the user to have accounts with AWS, by providing temporary credentials for e.g. through corporate network or Google or Amazon authentication 
  • Identity information for assurance
    • CloudTrail can be used to receive log records that include information about those who made requests for resources in the account.
  • PCI DSS Compliance
    • IAM supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being Payment Card Industry Data Security Standard (PCI DSS) compliant
  • Integrated with many AWS services
    • IAM integrates with almost all the AWS services
  • Eventually Consistent
    • IAM, like many other AWS services, is eventually consistent and achieves high availability by replicating data across multiple servers within Amazon’s data centers around the world.
    • Changes made to IAM would be eventually consistent and hence would take some time to reflect
  • Free to use
    • IAM is offered at no additional charge and charges are applied only for use of other AWS products by your IAM users.
  • AWS Security Token Service
    • IAM provide STS which is an included feature of the AWS account offered at no additional charge.
    • AWS charges only for the use of other AWS services accessed by the AWS STS temporary security credentials.

Identities

IAM identities determine who can access and help to provide authentication for people and processes in your AWS account

IAM Identities

Account Root User

  • Root Account Credentials are the email address and password with which you sign-in into the AWS account
  • Root Credentials has full unrestricted access to AWS account including the account security credentials which include sensitive information
  • IAM Best Practice – Do not use or share the Root account once the AWS account is created, instead create a separate user with admin privilege
  • An Administrator account can be created for all the activities which too has full access to the AWS account except the accounts security credentials, billing information and ability to change password

IAM Users

  • IAM user represents the person or service who uses the access to interact with AWS.
  • IAM Best Practice – Create Individual Users
  • User credentials can consist of the following
    • Password to access AWS services through AWS Management Console
    • Access Key/Secret Access Key to access AWS services through API, CLI or SDK
  • IAM user starts with no permissions and is not authorized to perform any AWS actions on any AWS resources and should be granted permissions as per the job function requirement
  • IAM Best Practice – Grant least Privilege
  • Each IAM user is associated with one and only one AWS account.
  • IAM User cannot be renamed from AWS management console and has to be done from CLI or SDK tools.
  • IAM handles the renaming of user w.r.t unique id, groups, policies where the user was mentioned as a principal. However, you need to handle the renaming in the policies where the user was mentioned as a resource

IAM Credentials

IAM Groups

  • IAM group is a collection of IAM users
  • IAM groups can be used to specify permissions for a collection of users sharing the same job function making it easier to manage
  • IAM Best Practice – Use groups to assign permissions to IAM Users
  • A group is not truly an identity because it cannot be identified as a Principal in an access policy. It is only a way to attach policies to multiple users at one time
  • A group can have multiple users, while a user can belong to multiple groups (10 max)
  • Groups cannot be nested and can only have users within it
  • AWS does not provide any default group to hold all users in it and if one is required it should be created with all users assigned to it.
  • Renaming of a group name or path, IAM handles the renaming w.r.t to policies attached to the group, unique ids, users within the group. However, IAM does not update the policies where the group is mentioned as a resource and must be handled manually
  • Deletion of the groups requires you to detach users and managed policies and delete any inline policies before deleting the group. With AWS management console, the deletion and detachment is taken care of.

IAM Roles

Refer to My Blog Post about IAM Role

MultiFactor Authentication (MFA)

  • For increased security and to help protect the AWS resources, Multi-Factor authentication can be configured
  • IAM Best Practice – Enable MFA on Root accounts and privilege users
  • Multi-Factor Authentication can be configured using
    • Security token-based
      • AWS Root user or IAM user can be assigned a hardware/virtual MFA device
      • Device generates a six digit numeric code based upon a time-synchronized one-time password algorithm which needs to be provided during authentication
    • SMS text message-based (Preview Mode)
      • IAM user can be configured with the phone number of the user’s SMS-compatible mobile device which would receive a 6 digit code from AWS
      • SMS-based MFA is available only for IAM users and does not work for AWS root account
  • MFA needs to enabled on the Root user and IAM user separately as they are distinct entities. Enabling MFA on Root does not enable it for all other users
  • MFA device can be associated with only one AWS account or IAM user and vice versa
  • If the MFA device stops working or is lost, you won’t be able to login into the AWS console and would need to reach out to AWS support to deactivate MFA
  • MFA protection can be enabled for service api’s calls using “Condition”: {“Bool”: {“aws:MultiFactorAuthPresent”: “true”}} and is available only if the service supports temporary security credentials.

IAM Access Management

Refer to My Blog Post about IAM Policy and Permissions

Credential Report

  • IAM allows you to generate and download a credential report that lists all users in the account and the status of their various credentials, including passwords, access keys, and MFA devices.
  • Credential report can be used to assist in auditing and compliance efforts
  • Credential report can be used to audit the effects of credential lifecycle requirements, such as password and access key rotation.
  • IAM Best Practice – Perform Audits and Remove all unused users and credentials
  • Credential report is generated as often as once every four hours. If the existing report was generated less than four hours, the same is available for download. If more then four hours, IAM generates and downloads a new report.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Which service enables AWS customers to manage users and permissions in AWS?
    1. AWS Access Control Service (ACS)
    2. AWS Identity and Access Management (IAM)
    3. AWS Identity Manager (AIM)
  2. IAM provides several policy templates you can use to automatically assign permissions to the groups you create. The _____ policy template gives the Admins group permission to access all account resources, except your AWS account information
    1. Read Only Access
    2. Power User Access
    3. AWS Cloud Formation Read Only Access
    4. Administrator Access
  3. Every user you create in the IAM system starts with _________.
    1. Partial permissions
    2. Full permissions
    3. No permissions
  4. Groups can’t _____.
    1. be nested more than 3 levels
    2. be nested at all
    3. be nested more than 4 levels
    4. be nested more than 2 levels
  5. The _____ service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon SimpleDB, and the AWS Management Console.
    1. Amazon RDS
    2. AWS Integrity Management
    3. AWS Identity and Access Management
    4. Amazon EMR
  6. An AWS customer is deploying an application that is composed of an AutoScaling group of EC2 Instances. The customers security policy requires that every outbound connection from these instances to any other service within the customers Virtual Private Cloud must be authenticated using a unique x.509 certificate that contains the specific instanceid. In addition an x.509 certificates must be designed by the customer’s Key management service in order to be trusted for authentication. Which of the following configurations will support these requirements?
    1. Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure the Auto Scaling group to launch instances with this role. Have the instances bootstrap get the certificate from Amazon S3 upon first boot.
    2. Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group. Have the launched instances generate a certificate signature request with the instance’s assigned instance-id to the Key management service for signature.
    3. Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the Key management service generate a signed certificate and send it directly to the newly launched instance.
    4. Configure the launched instances to generate a new certificate upon first boot. Have the Key management service poll the AutoScaling group for associated instances and send new instances a certificate signature that contains the specific instance-id.
  7. When assessing an organization AWS use of AWS API access credentials which of the following three credentials should be evaluated? Choose 3 answers
    1. Key pairs
    2. Console passwords
    3. Access keys
    4. Signing certificates
    5. Security Group memberships (required for EC2 instance access)
  8. An organization has created 50 IAM users. The organization wants that each user can change their password but cannot change their access keys. How can the organization achieve this?
    1. The organization has to create a special password policy and attach it to each user
    2. The root account owner has to use CLI which forces each IAM user to change their password on first login
    3. By default each IAM user can modify their passwords
    4. Root account owner can set the policy from the IAM console under the password policy screen
  9. An organization has created 50 IAM users. The organization has introduced a new policy which will change the access of an IAM user. How can the organization implement this effectively so that there is no need to apply the policy at the individual user level?
    1. Use the IAM groups and add users as per their role to different groups and apply policy to group
    2. The user can create a policy and apply it to multiple users in a single go with the AWS CLI
    3. Add each user to the IAM role as per their organization role to achieve effective policy setup
    4. Use the IAM role and implement access at the role level
  10. Your organization’s security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password. Which two of the following options would allow an organization to enforce this policy for AWS users? Choose 2 answers
    1. Configure multi-factor authentication for privileged IAM users
    2. Create IAM users for privileged accounts (can set password policy)
    3. Implement identity federation between your organization’s Identity provider leveraging the IAM Security Token Service
    4. Enable the IAM single-use password policy option for privileged users (no such option the password expiration can be set from 1 to 1095 days)
  11. Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
    1. Create individual IAM users for everyone in your organization
    2. Configure MFA on the root account and for privileged IAM users
    3. Assign IAM users and groups configured with policies granting least privilege access
    4. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate
  12. A company needs to deploy services to an AWS region which they have not previously used. The company currently has an AWS identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instance to have access to Amazon DynamoDB. The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this?
    1. Create a new IAM role and associated policies within the new region
    2. Assign the existing IAM role to the Amazon EC2 instances in the new region
    3. Copy the IAM role and associated policies to the new region and attach it to the instances
    4. Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature
  13. After creating a new IAM user which of the following must be done before they can successfully make API calls?
    1. Add a password to the user.
    2. Enable Multi-Factor Authentication for the user.
    3. Assign a Password Policy to the user.
    4. Create a set of Access Keys for the user
  14. An organization is planning to create a user with IAM. They are trying to understand the limitations of IAM so that they can plan accordingly. Which of the below mentioned statements is not true with respect to the limitations of IAM?
    1. One IAM user can be a part of a maximum of 10 groups (Refer link)
    2. Organization can create 100 groups per AWS account
    3. One AWS account can have a maximum of 5000 IAM users
    4. One AWS account can have 250 roles
  15. Within the IAM service a GROUP is regarded as a:
    1. A collection of AWS accounts
    2. It’s the group of EC2 machines that gain the permissions specified in the GROUP.
    3. There’s no GROUP in IAM, but only USERS and RESOURCES.
    4. A collection of users.
  16. Is there a limit to the number of groups you can have?
    1. Yes for all users except root
    2. No
    3. Yes unless special permission granted
    4. Yes for all users
  17. What is the default maximum number of MFA devices in use per AWS account (at the root account level)?
    1. 1
    2. 5
    3. 15
    4. 10
  18. When you use the AWS Management Console to delete an IAM user, IAM also deletes any signing certificates and any access keys belonging to the user.
    1. FALSE
    2. This is configurable
    3. TRUE
  19. You are setting up a blog on AWS. In which of the following scenarios will you need AWS credentials? (Choose 3)
    1. Sign in to the AWS management console to launch an Amazon EC2 instance
    2. Sign in to the running instance to instance some software (needs ssh keys)
    3. Launch an Amazon RDS instance
    4. Log into your blog’s content management system to write a blog post (need to authenticate using blog authentication)
    5. Post pictures to your blog on Amazon S3
  20. An organization has 500 employees. The organization wants to set up AWS access for each department. Which of the below mentioned options is a possible solution?
    1. Create IAM roles based on the permission and assign users to each role
    2. Create IAM users and provide individual permission to each
    3. Create IAM groups based on the permission and assign IAM users to the groups
    4. It is not possible to manage more than 100 IAM users with AWS
  21. An organization has hosted an application on the EC2 instances. There will be multiple users connecting to the instance for setup and configuration of application. The organization is planning to implement certain security best practices. Which of the below mentioned pointers will not help the organization achieve better security arrangement?
    1. Apply the latest patch of OS and always keep it updated.
    2. Allow only IAM users to connect with the EC2 instances with their own secret access key. (Refer link)
    3. Disable the password-based login for all the users. All the users should use their own keys to connect with the instance securely.
    4. Create a procedure to revoke the access rights of the individual user when they are not required to connect to EC2 instance anymore for the purpose of application configuration.

AWS IAM Access Management

IAM Access Management

  • IAM Access Management is all about Permissions and Policies
  • Permission allows you to define who has access and what actions can they perform
  • IAM Policy helps to fine tune the permissions granted to the policy owner
  • IAM Policy is a document that formally states one or more permissions.
  • Most restrictive Policy always wins
  • IAM Policy is defined in the JSON (JavaScript Object Notation) format
  • IAM policy basically states “Principal A is allowed or denied (effect) to perform Action B on Resource C given Conditions D are satisfied”

{
    “Version”: “2012-10-17”,
    “Statement”: {
       “Principal“: {“AWS”: [“arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root”]},
       “Action“: “s3:ListBucket”,
       “Effect“: “Allow”,
       “Resource“: “arn:aws:s3:::example_bucket”,
       “Condition“: {“StringLike”: {
           “s3:prefix”: [ “home/${aws:username}/” ]
              }
          }
    }
}

  • An Entity can be associated with Multiple Policies and a Policy can have multiple statements where each statement in a policy refers to a single permission. If your policy includes multiple statements, a logical OR is applied across the statements at evaluation time. Similarly, if multiple policies are applicable to a request, a logical OR is applied across the policies at evaluation time.
  • Principal can either be specified within the Policy for resource Based policies while for user bases policies the principal is the user, group or role to which the policy is attached

Identity-Based vs Resource-Based Permissions

  • Identity-based, or IAM permissions
    • Identity-based, or IAM permissions are attached to an IAM user, group, or role and specify what the user, group or role can do
    • User, group, or role itself acts as a Principal
    • IAM permissions can be applied to almost all the AWS services
    • IAM Policies can either be inline or managed
    • IAM Policy version has to be 2012-10-17
  • Resource-based permissions
    • Resource-based permissions are attached to a resource for e.g. S3, SNS 
    • Resource-based permissions specifies both who has access to the resource (Principal) and what actions they can perform on it (Actions)
    • Resource-based policies are inline only, not managed.
    • Resource-based permissions are supported only by some AWS services
    • Resource-based policies are always attached inline policy and are not managed
    • Resource-based policies can be defined with version 2012-10-17 or 2008-10-17

Managed Policies and Inline Policies

  • Managed policies
    • Managed policies are Standalone policies that can be attached to multiple users, groups, and roles in an AWS account.
    • Managed policies apply only to identities (users, groups, and roles) but not to resources.
    • Managed policies allow reusability
    • Managed policy changes are implemented as versions (limited to 5), an new change to the existing policy creates a new version which is useful to compare the changes and revert back, if needed
    • Managed policies have their own ARN
    • Two types of managed policies:
      • AWS managed policies
        • Managed policies that are created and managed by AWS.
        • AWS maintains and can upgrades these policies for e.g. if a new service is introduced, the changes automatically effects all the existing principals attached to the policy
        • AWS takes care of not breaking the policies for e.g. adding an restriction of removal of permission
        • Managed policies cannot be modified
      • Customer managed policies
        • Managed policies are standalone and custom policies created and administered by you.
        • Customer managed policies allows more precise control over the policies than when using AWS managed policies.
  • Inline policies
    • Inline policies are created and managed by you, and are embedded directly into a single user, group, or role.
    • Deletion of the Entity (User, Group or Role) or Resource deletes the In-Line policy as well

IAM Policy Simulator

  • IAM Policy Simulator helps test and troubleshoot IAM and resource-based policies
  • IAM Policy Simulator can help test the following ways :-
    • Test IAM based policies. If multiple policies attached, you can test all the policies, or select individual policies to test. You can test which actions are allowed or denied by the selected policies for specific resources.
    • Test Resource based policies. However, Resource based policies cannot be tested standalone and have to be attached with the Resource
    • Test new IAM policies that are not yet attached to a user, group, or role by typing or copying them into the simulator. These are used only in the simulation and are not saved.
    • Test the policies with selected services, actions, and resources
    • Simulate real-world scenarios by providing context keys, such as an IP address or date, that are included in Condition elements in the policies being tested.
    • Identify which specific statement in a policy results in allowing or denying access to a particular resource or action.
  • IAM Policy Simulator does not make an actual AWS service request and hence does not make unwanted changes to the AWS live environment
  • IAM Policy Simulator just reports the result Allowed or Denied
  • IAM Policy Simulator allows to you modify the policy and test. These changes are not propogated to the actual policies attached to the entities
  • Introductory Video for Policy Simulator

IAM Policy Evaluation

When determining if permission is allowed, the hierarchy is followed

IAM Permission Policy Evaluation

  1. Decision allows starts with Deny
  2. IAM combines and evaluates all the policies
  3. Explicit Deny
    • First IAM checks for an explicit denial policy.
    • Explicit Deny overrides everything and if something is explicitly deined it can never be allowed
  4. Explicit Allow
    • If one does not exist, it then checks for an explicit allow policy.
    • For granting User any permission, the permission must be explicitly allowed
  5. Implicit Deny
    • If neither an explicit deny or explicit allow policy exist, it reverts to the default: implicit deny.
    • All permissions are implicity denied by default

IAM Policy Variables

  • Policy variables provide a feature to specify placeholders in a policy.
  • When the policy is evaluated, the policy variables are replaced with values that come from the request itself
  • Policy variables allow a single policy to be applied to a group of users to control access for e.g. all user having access to S3 bucket folder with their name only
  • Policy variable is marked using a $ prefix followed by a pair of curly braces ({ }). Inside the ${ } characters, with the name of the value from the request that you want to use in the policy
  • Policy variables work only with policies defined with Version 2012-10-17
  • Policy variables can only be used in the Resource element and in string comparisons in the Condition element
  • Policy variables are case sensitive and include variables like aws:username, aws:userid, aws:SourceIp, aws:CurrentTime etc.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. IAM’s Policy Evaluation Logic always starts with a default ____________ for every request, except for those that use the AWS account’s root security credentials b
    1. Permit
    2. Deny
    3. Cancel
  2. An organization has created 10 IAM users. The organization wants each of the IAM users to have access to a separate DynamoDB table. All the users are added to the same group and the organization wants to setup a group level policy for this. How can the organization achieve this?
    1. Define the group policy and add a condition which allows the access based on the IAM name
    2. Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable
    3. Create a separate DynamoDB database for each user and configure a policy in the group based on the DB variable
    4. It is not possible to have a group level policy which allows different IAM users to different DynamoDB Tables
  3. An organization has setup multiple IAM users. The organization wants that each IAM user accesses the IAM console only within the organization and not from outside. How can it achieve this?
    1. Create an IAM policy with the security group and use that security group for AWS console login
    2. Create an IAM policy with a condition which denies access when the IP address range is not from the organization
    3. Configure the EC2 instance security group which allows traffic only from the organization’s IP range
    4. Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console
  4. Can I attach more than one policy to a particular entity?
    1. Yes always
    2. Only if within GovCloud
    3. No
    4. Only if within VPC
  5. A __________ is a document that provides a formal statement of one or more permissions.
    1. policy
    2. permission
    3. Role
    4. resource
  6. A __________ is the concept of allowing (or disallowing) an entity such as a user, group, or role some type of access to one or more resources.
    1. user
    2. AWS Account
    3. resource
    4. permission
  7. True or False: When using IAM to control access to your RDS resources, the key names that can be used are case sensitive. For example, aws:CurrentTime is NOT equivalent to AWS:currenttime.
    1. TRUE
    2. FALSE (Refer link)
  8. A user has set an IAM policy where it allows all requests if a request from IP 10.10.10.1/32. Another policy allows all the requests between 5 PM to 7 PM. What will happen when a user is requesting access from IP 10.10.10.1/32 at 6 PM?
    1. IAM will throw an error for policy conflict
    2. It is not possible to set a policy based on the time or IP
    3. It will deny access
    4. It will allow access
  9. Which of the following are correct statements with policy evaluation logic in AWS Identity and Access Management? Choose 2 answers.
    1. By default, all requests are denied
    2. An explicit allow overrides an explicit deny
    3. An explicit allow overrides default deny
    4. An explicit deny does not override an explicit allow
    5. By default, all request are allowed
  10. A web design company currently runs several FTP servers that their 250 customers use to upload and download large graphic files. They wish to move this system to AWS to make it more scalable, but they wish to maintain customer privacy and keep costs to a minimum. What AWS architecture would you recommend? [PROFESSIONAL]
    1. Ask their customers to use an S3 client instead of an FTP client. Create a single S3 bucket. Create an IAM user for each customer. Put the IAM Users in a Group that has an IAM policy that permits access to subdirectories within the bucket via use of the ‘username’ Policy variable.
    2. Create a single S3 bucket with Reduced Redundancy Storage turned on and ask their customers to use an S3 client instead of an FTP client. Create a bucket for each customer with a Bucket Policy that permits access only to that one customer. (Creating bucket for each user is not a scalable model, also 100 buckets are a limit earlier without extending which has since changed link)
    3. Create an auto-scaling group of FTP servers with a scaling policy to automatically scale-in when minimum network traffic on the auto-scaling group is below a given threshold. Load a central list of ftp users from S3 as part of the user Data startup script on each Instance (Expensive)
    4. Create a single S3 bucket with Requester Pays turned on and ask their customers to use an S3 client instead of an FTP client. Create a bucket tor each customer with a Bucket Policy that permits access only to that one customer. (Creating bucket for each user is not a scalable model, also 100 buckets are a limit earlier without extending which has since changed link)

AWS IAM Roles vs Resource Based Policies

AWS IAM Roles vs Resource Based Policies

AWS allows granting cross-account access to AWS resources, which can be done using IAM Roles or Resource Based policies

IAM Roles

  • Roles can be created to act as a proxy to allow users or services to access resources
  • Roles supports trust policy which helps determine who can access the resources and permission policy which helps to determine what they can access
  • User who assumes a role temporarily gives up his or her own permissions and instead takes on the permissions of the role. When the user exits, or stops using the role, the original user permissions are restored.
  • Roles can be used to provision access to almost all the AWS resources
  • Permissions provided to the User through the Role can be further restricted per user by passing optional policy to the STS request. This policy cannot be used to elevate privileges beyond what the assumed role is allowed to access

Resource based Policies

  • Resource based policy allows you to attach a policy directly to the resource that you want to share, instead of using a role as a proxy.
  • Resource-based policy specifies who, as a Principal in the form of a list of AWS account ID numbers, can access that resource and what they can access
  • With Cross-account access with a resource-based policy, User still works in the trusted account and does not have to give up her user permissions in place of the role permissions.
  • User can work on the resources from both the accounts at the same time and this can be useful for scenarios for e.g. copying of objects from one bucket to the other
  • Resource that you want to share are limited to resources which support resource-based policies
    • Amazon S3 allows you to define Bucket policy to grant access to the bucket and the objects
    • Amazon Simple Notification Service (SNS)
    • Amazon Simple Queue Service (SQS)
    • Amazon Glacier Vaults
    • AWS OpsWorks stacks
    • AWS Lambda functions
  • Resource based policies need the trusted account to create users with permissions to be able to access the resources from the trusting account
  • Only permissions equivalent to, or less than, the permissions granted to your account by the resource owning account can be delegated

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. What are the two permission types used by AWS?
    1. Resource-based and Product-based
    2. Product-based and Service-based
    3. Service-based
    4. User-based and Resource-based
  2. What’s the policy used for cross account access? (Choose 2)
    1. Trust policy
    2. Permissions Policy
    3. Key policy

AWS IAM Best Practices – Certification

AWS IAM Best Practices

To help secure AWS resources, AWS recommends the following AWSIdentity and Access Management (IAM) service – IAM Best Practices

Root Account -Don’t use & Lock away access keys

  • Do not use AWS Root account which has full access to all the AWS resources and services including the Billing information.
  • Permissions associated with your AWS Root account cannot be restricted.
  • Do not generate the access keys, if not required
  • If already generated and not needed, delete the access keys.
  • If access keys needed, rotate (change) the access key regularly
  • Never share your Root account credentials or access keys, instead create IAM users or Roles to grant granular access
  • Enable AWS multifactor authentication (MFA) on your AWS account

User – Create individual IAM users

  • Don’t use your AWS root account credentials to access AWS, and don’t share your credentials with anyone else.
  • Start by creating a IAM User with Administrator role, which has access to all resources as the Root user except to the account’s security credentials
  • Create individual users for anyone who needs access to your AWS account and give each user unique credentials and grant different permissions

Groups – Use groups to assign permissions to IAM users

  • Instead of defining permissions for individual IAM users, create groups and define the relevant permissions for each group as per the job function, and then associate IAM users to those groups.
  • Users in an IAM group inherit the permissions assigned to the group and a User can belong to multiple groups
  • It is much easier to add new users, remove users and modify the permissions of a group of users.

Permission – Grant least privilege

  • IAM user, by default, is created with no permissions
  • Users should be granted LEAST PRIVILEGE as required to perform a task.
  • Starting with minimal permissions and add to the permissions as required to perform the job function is far better then granting access all and trying to then tightening it down

Passwords – Enforce strong password policy for users

  • Enforce user to create strong passwords and enforce them to rotate their passwords periodically
  • Enable a strong password policy to define passwords requirements forcing users to create passwords with requirements like at least one capital letter, one number, how frequently it should be rotated.

MFA – Enable MFA for privileged users

  • For extra security, Enable MultiFactor Authentication (MFA) for privileged IAM users, who are allowed access to sensitive resources or APIs.

Role – Use roles for applications that run on EC2 instances

  • Use roles for applications running on EC2 instances instead of creating IAM user and hardcoding the credentials within that application.
  • Roles do not have a permanent set of credentials associated with it but dynamically provide temporary credentials that are automatically rotated
  • Hardcoding of credentials can compromise the access and are also hard to rotate. Also, they may pose a problem in the creation of new EC2 instances through AutoScaling and handling credential rotation.

Sharing – Delegate using roles

  • Allow users from same AWS account, another AWS account, or externally authenticated users (either through any corporate authentication service or through Google, Facebook etc) to use IAM roles to specify the permissions which can then be assumed by them
  • A role can be defined that specifies what permissions the IAM users in the other account are allowed, and from which AWS accounts the IAM users are allowed to assume the role

Rotation – Rotate credentials regularly

  • Change your own passwords and access keys regularly and enforce it through a strong password policy. So even if a password or access key is compromised without your knowledge, you limit how long the credentials can be used to access your resources
  • Access keys allows creation of 2 active keys at the same time for an user. These can be used to rotate the keys.

Track – Remove unnecessary credentials

  • Remove IAM user and credentials (that is, passwords and access keys) that are not needed
  • Use the Credential report that lists all IAM users in the account and status of their various credentials, including passwords, access keys, and MFA devices and usage pattern to figure out what can be removed
  • Passwords and access keys that have not been used recently might be good candidates for removal.

Conditions – Use policy conditions for extra security

  • Define conditions under which IAM policies allow access to a resource.
  • Conditions would help provide finer access control to the AWS services and resources for e.g. access limited to specific ip range or allowing only encrypted request for uploads to S3 buckets etc.

Auditing – Monitor activity in the AWS account

  • Enable logging features provided through CloudTrail, S3, CloudFront in AWS to determine the actions users have taken in the account and the resources that were used.
  • Log files show the time and date of actions, the source IP for an action, which actions failed due to inadequate permissions, and more.
 

AWS Certification Exam Practice Questions

  1. Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
    1. Create individual IAM users for everyone in your organization (May not be needed as can use Roles as well)
    2. Configure MFA on the root account and for privileged IAM users
    3. Assign IAM users and groups configured with policies granting least privilege access
    4. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate (Must be assigned only if using console or through command line)
  2. What are the recommended best practices for IAM? (Choose 3 answers)
    1. Grant least privilege
    2. User the AWS account(root) for regular user
    3. Use Mutli-Factor Authentication (MFA)
    4. Store access key/private key in git
    5. Rotate credentials regularly
  3. Which of the below mentioned options is not a best practice to securely manage the AWS access credentials?
    1. Enable MFA for privileged users
    2. Create individual IAM users
    3. Keep rotating your secure access credentials at regular intervals
    4. Create strong access key and secret access key and attach to the root account
  4. Your CTO is very worried about the security of your AWS account. How best can you prevent hackers from completely hijacking your account?
    1. Use short but complex password on the root account and any administrators.
    2. Use AWS IAM Geo-Lock and disallow anyone from logging in except for in your city.
    3. Use MFA on all users and accounts, especially on the root account. (For increased security, it is recommend to configure MFA to help protect AWS resources)
    4. Don’t write down or remember the root account password after creating the AWS account.
  5. Fill the blanks: ____ helps us track AWS API calls and transitions, ____ helps to understand what resources we have now, and ____ allows auditing credentials and logins.
    1. AWS Config, CloudTrail, IAM Credential Reports
    2. CloudTrail, IAM Credential Reports, AWS Config
    3. CloudTrail, AWS Config, IAM Credential Reports
    4. AWS Config, IAM Credential Reports, CloudTrail
References