IAM Access Control

Cards (28)

  • All IAM Policy permissions are implicitly or explicitly denied by default in AWS?
    Implicitly denied by default
  • What additional JSON fields does an IAM Resource policy have which an Identity-based policy doesn't?
    Effect, Principal, Action, Resource, Condition
  • IAM Authentication MFA - Where do the physical MFA tokens come from?
    Third parties
  • With IAM, you only ever have the user accounts in one place and you can use those accounts with any region around the world. Do you need to log into the Global account to create a new user?
    No. The IAM (Identity and Access Management) service is Global regardless of which region you are in.
  • IAM Fundamentals: What does STS stand for and what is it?
    AWS Security Token Service (STS). This service provides short-lived or temporary credentials.
  • STS: How does the app running on EC2 get authorised to actually access S3?
    We can create an Instance Profile and attach an IAM role to it.
  • STS temporary credentials (AccessKey, Expiration, Secret Access Key, Session Token) are used in several situations that include what?
    Identity Federation, delegation, cross account access, and IAM roles.
  • Identity-based policies - Ways that you can attach.
    1. Inline Policy - 1:1 relationship with the user, the group, or the role. You can't share them, or use them across other roles. If you delete that user, for example, you'll delete the policy along with it.
    2. Managed Policies - AWS managed or customer managed. Can be attached to multiple entities.
  • Is it possible to attach a resource-based policy to an IAM role?
    Yes - with IAM we have a trust policy and a permissions policy that we apply to the role.
  • For an IAM Role, the permissions policy is an example of what type of policy?
    An identity-based policy. A trust policy is also an example of a resource-based policy.
  • What two methods for access control are there?
    Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). (R-Back and A-Back)
  • Attribute-Based Access Control (ABAC): Which policy condition attribute of a user tag (Attribute-Based) defines access to our resources?
    PrincipalTag - e.g. aws:PrincipalTag/Development
  • Permissions Boundaries are attached to users and roles. The policy statement has only Effect, Action & Resource. What permission boundary is to allow all S3 actions?
    "Action":["s3:*"]
  • How can you prevent Privilege Escalation?
    Apply a Permission Boundary policy to a user.
  • Evaluation Logic
    Order:
    1. Deny (any)
    (Explicit Allow required to progress)
    2. Org SCPs**
    3. Resource-based policies**
    4. Identity-based policies*
    5. IAM permission boundaries **
    6. Session - a Principal? => No: Final Allow
    * 7. Session - Policy exists? Yes:Allow => Final Allow | Yes:No Allow => Final Deny
    ** (No Session Policy) 8. Session - a Role? Yes => Final Allow | No => Final Deny
    * If no Id policy for principal => Implicit Deny
    ** The effective permissions are those that are granted in both this and the identity-based policy.
  • Order of Evaluation Logic
    A) Any Deny
    B) Org SCPs
    C) Resource-based
    D) Identity-based
    E) IAM permission boundaries
    F) Session
  • Steps for Authorising Requests to AWS
    1. AUTHENTICATION (Are you who you say you are?)
    2. PROCESSING the request context (e.g. is the source IP allowed?)
    3. EVALUATING all policies within the account (SCP, Resource-based, Identity-based, IAM permissions boundaries, Session).
    4. Determining whether a request is ALLOWED or DENIED
  • Who is a Principal?
    The user, role, federated user, or application that sent the request
  • What is SCP?
    AWS Organisations Service Control Policies – specify the maximum permissions for an org or OU
  • Which evaluations MIGHT override the allow with an Implicit Deny?
    If present, org SCP, a permissions boundary, or session policy
  • Which JSON property is used to identify a Resource-based IAM Policy?
    'Principal'.
    Not 'Resource', which specifies the resource that's affected by the action.
  • IAM: What does RBAC stand for?
    Role-Based Access Control
  • Permissions Boundary
    • no privilege escalation,
    • no modification of permissions boundaries, and
    • no creation of users that don't have a permissions boundary attached.
  • What type of permissions can be specified for delegating use of the key to AWS services?
    Temporary Permissions in the use of Grants. These can be used without modifying key policies or IAM policies
  • Security for AWS Lambda Functions - What type of role must provide permissions to AWS services for Lambda functions?
    Function execution role must provide permissions to AWS services
  • As of 2022, AWS Single Sign-On (AWS SSO) has been renamed to what?
    AWS IAM Identity Center
  • Accessing Services
    EC2 instances will need to connect to other services, e.g. saving data to a storage service. We can use:
    • ACCESS KEYS - insecure; saved in the 'credentials' file and accessible. EC2 => IAM Policy => S3.
    • INSTANCE PROFILE - connect the IAM role to the EC2. No credentials stored. Instance has assumed the role and has been given the permissions assigned to that role.
  • IdP Implementation within AWS via SAML is configured in either:
    • IAM (SAML 2.0 compatible LDAP source, typically AD + ADFS) - legacy.
    • AWS IAM Identity Center (formerly AWS SSO) - preferred.