01-AWS SAA-C03 Exam Guide

SAURABH SHARMA
3 min read · Jan 5, 2024


AWS Identity & Access Management (IAM)

AWS Identity & Access Management Summary Design by saurabhshcs

Types of policy

  1. Identity-based policy - attached to users, groups, or roles.
  2. Resource-based policy - attached to a resource; defines permissions for a principal accessing the resource.
  3. IAM permissions boundaries - set the maximum permissions that an identity-based policy can grant to an IAM entity.
  4. AWS Organisations Service Control Policies (SCP) - specify the maximum permissions for an organisation or OU.
  5. Session policies - used with AssumeRole* API actions.

Evaluating Policies within an AWS Account

Determination Rules

  1. By default, all requests are implicitly denied (though the root user has full access).
  2. An explicit allow in an identity-based or resource-based policy overrides this default.
  3. If a permissions boundary, organisation SCP, or session policy is present, it might override the allow with an implicit deny.
  4. An explicit deny in any policy overrides any allow.
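The four determination rules, worked through in code. This is an added example, not part of the original post and not AWS's evaluator: it is a simplified simulator that treats IAM wildcards as shell-style globs, ignores Condition blocks and principals, and applies boundary, SCP and session policies uniformly as limiting policies. The policies and ARNs are constructed for illustration.

```python
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    # IAM wildcards such as "s3:*" or "arn:aws:s3:::bucket/*" map onto shell-style globs
    return any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))


def _evaluate(policy, action, resource):
    """One policy -> 'Deny', 'Allow', or None when no statement matches."""
    effect = None
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            effect = "Allow"
    return effect


def is_allowed(action, resource, identity=None, resource_policy=None,
               boundary=None, scp=None, session=None):
    """Apply the four determination rules; a policy passed as None is absent."""
    granting = [_evaluate(p, action, resource) for p in (identity, resource_policy) if p]
    limiting = [_evaluate(p, action, resource) for p in (boundary, scp, session) if p]
    if "Deny" in granting + limiting:
        return False  # rule 4: an explicit deny in any policy wins
    if "Allow" not in granting:
        return False  # rule 1: nothing explicitly allowed -> implicit deny
    # rules 2 and 3: the allow stands only if every present limiting policy also allows
    return all(r == "Allow" for r in limiting)


# Constructed sample policies (not from the post): identity grants all S3 actions on one
# bucket, the permissions boundary caps that to Get/Put, and the SCP explicitly denies Put.
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                           "Resource": "arn:aws:s3:::example-bucket/*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                           "Resource": "*"}]}
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*"}]}

if __name__ == "__main__":
    key = "arn:aws:s3:::example-bucket/report.csv"
    for action in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        print(action, is_allowed(action, key, identity=IDENTITY, boundary=BOUNDARY, scp=SCP))
```

GetObject is allowed by all three policies; PutObject is cut off by the SCP's explicit deny (rule 4); DeleteObject is granted by the identity policy but falls outside the boundary, so it ends as an implicit deny (rule 3).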

Exam Crams

  • IAM is used to securely control individual and group access to AWS resources
  • IAM makes it easy to provide multiple users with secure access to AWS resources
  • IAM can be used to manage:
      • Users
      • Groups
      • Access policies
      • Roles
      • User credentials
      • User password policies
      • Multi-factor authentication (MFA)
      • API keys for programmatic access (CLI)
  • By default, new users are created with NO access to any AWS services — they can only log in to the AWS console
  • Permission must be explicitly granted to allow a user to access an AWS service
  • IAM users are individuals who have been granted access to an AWS account
  • IAM is universal (global) and does not apply to regions
  • IAM is eventually consistent
  • Authentication methods:
      • Console password — used to log in to the AWS Management Console
      • Access keys — used for programmatic access
      • Server certificates — use SSL/TLS certificates

IAM Policies

  • Policies are documents that define permissions and can be applied to users, groups and roles
  • Policy documents are written in JSON (key-value pairs, each consisting of an attribute and a value)
  • All permissions are implicitly denied by default
  • The most restrictive policy is applied

Types of IAM Policy

  • Identity-based policies — attached to users, groups, or roles
  • Resource-based policies — attached to a resource; define permissions for a principal accessing the resource
  • IAM permissions boundaries — set the maximum permissions an identity-based policy can grant an IAM entity
  • AWS Organisations service control policies (SCP) — specify the maximum permissions for an organisation or OU
  • Session policies — used with AssumeRole* API actions

AWS IAM Best Practices

  • Lock away your AWS account root user access keys
  • Create individual IAM users
  • Use groups to assign permissions to IAM users
  • Grant least privilege
  • Get started using permissions with AWS-managed policies
  • Use customer-managed policies instead of inline policies
  • Use access levels to review IAM permissions
  • Configure a strong password policy for your users
  • Enable MFA
  • Use roles for applications that run on Amazon EC2 instances
  • Use roles to delegate permissions
  • Do not share access keys
  • Rotate credentials regularly
  • Remove unnecessary credentials
  • Use policy conditions for extra security
  • Monitor activity in your AWS account
