This series is intended to be a personal study guide. Information may not be comprehensive or accurate. I am sharing it in case others find it useful. Please feel free to comment if any information is inaccurate.
2.3 Identify AWS access management capabilities
Understand the purpose of User and Identity Management
Access keys and password policies (rotation, complexity)
Access keys
- Long-term credentials for an IAM user (the root user can have them too, but should not)
- Sign programmatic requests made through the CLI, SDKs, and API
- Consist of an access key ID and a secret access key; the secret is shown only once, at creation, and should be rotated regularly
Password policies
- The account password policy can require a minimum length, specific character types (complexity), rotation after a set number of days, and prevention of password reuse
- It applies to IAM users' console passwords, not to the root user's password
- Long-term credentials (passwords and access keys) should be kept to a minimum; temporary credentials obtained by assuming a role or through federation are best practice
Multi-Factor Authentication (MFA)
- Requires a second factor in addition to the user name and password; policies can also require an MFA-authenticated session for sensitive API actions
- Virtual MFA devices (authenticator apps)
- FIDO/U2F security keys (physical USB or NFC devices)
- Hardware MFA devices (TOTP tokens)
AWS Identity and Access Management (IAM)
- Users and groups - permissions are attached to a user directly or, preferably, to a group the user belongs to
- Roles - an identity with permissions but no long-term credentials; a trusted user, service, or application assumes the role and receives temporary credentials for the task
Policies, managed and custom - JSON documents that define permissions; they take effect when attached to an identity or a resource
- Identity-based - attached to an IAM user, group, or role
- Resource-based - attached to a resource (for example an S3 bucket policy or a role's trust policy) and can name principals in other accounts
- Permissions boundaries - set the maximum permissions that an identity-based policy can grant to a user or role; they do not grant permissions themselves
- Organizations SCPs - JSON policies that set the maximum permissions for the accounts in an organization or organizational unit; they do not grant permissions and do not affect the management account
- ACLs - legacy, non-JSON service policies that control which principals in another account can access a resource
- Session policies - advanced policies passed as a parameter when you programmatically create a temporary session for a role or federated user; they further limit that session's permissions
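To see how these policy types interact at request time, here is an added example (not part of the original notes, and not AWS's evaluation code): a small Python model of the logic. Explicit Deny wins, then every applicable layer (identity-based policies, permissions boundary, SCP) must contain an Allow; boundaries and SCPs only cap. The `developer_policy`, `BOUNDARY`, `SCP` and `is_allowed` names, the sample account and the bucket ARN are all constructed for the example. It also demonstrates the MFA condition gotcha: a `Deny` gated on `"Bool": {"aws:MultiFactorAuthPresent": "false"}` never matches a request signed with long-term access keys, because that request context contains no MFA key at all; `BoolIfExists` closes the gap.

```python
"""Toy model of how the policy types listed above combine at request time.

Added example, not AWS's evaluation code: it covers identity-based policies,
permissions boundaries and SCPs (explicit Deny wins, then every applicable layer
must Allow; boundaries and SCPs cap but never grant), plus the Bool/BoolIfExists
condition operators used with aws:MultiFactorAuthPresent. Resource-based and
session policies, NotAction/NotResource and other condition operators are omitted.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Action and Resource accept * and ? wildcards; fnmatchcase is close enough here.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """Bool: the key must be present in the request context and equal the value.
    BoolIfExists: a request that lacks the key also passes. Requests signed with
    long-term access keys carry no aws:MultiFactorAuthPresent key at all, which is
    why a 'Deny unless MFA' statement must use BoolIfExists to catch them."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate_policy(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    verdict = "Implicit"
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny in any statement ends the evaluation
        verdict = "Allow"
    return verdict


def is_allowed(action, resource, identity_policies, boundary=None, scp=None, context=None):
    """Identity policies, boundary and SCP are separate layers: a Deny in any layer
    denies, and each layer that is present must itself contain a matching Allow."""
    context = context or {}
    layers = [identity_policies]
    if boundary is not None:
        layers.append([boundary])
    if scp is not None:
        layers.append([scp])
    for policies in layers:
        verdicts = {evaluate_policy(p, action, resource, context) for p in policies}
        if "Deny" in verdicts or "Allow" not in verdicts:
            return False
    return True


# Constructed sample documents, not from a real account.
def developer_policy(mfa_operator="Bool"):
    """Identity-based policy. The Deny statement is meant to gate bucket deletion
    on MFA; mfa_operator selects Bool (the common mistake) or BoolIfExists."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "iam:CreateUser"], "Resource": "*"},
            {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*",
             "Condition": {mfa_operator: {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }


# Permissions boundary: the identity may use S3 and EC2 at most; it grants nothing by itself.
BOUNDARY = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}

# SCP on the account's OU: everything except creating IAM users.
SCP = {"Version": "2012-10-17",
       "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}]}

if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-bucket"
    mfa_session = {"aws:MultiFactorAuthPresent": "true"}
    console_no_mfa = {"aws:MultiFactorAuthPresent": "false"}
    long_term_key = {}  # no MFA key in the context at all
    print("iam:CreateUser, identity only: ", is_allowed("iam:CreateUser", "*", [developer_policy()]))
    print("iam:CreateUser, with boundary: ", is_allowed("iam:CreateUser", "*", [developer_policy()], BOUNDARY))
    print("iam:CreateUser, with SCP:      ", is_allowed("iam:CreateUser", "*", [developer_policy()], scp=SCP))
    print("DeleteBucket, console no MFA, Bool:       ",
          is_allowed("s3:DeleteBucket", bucket, [developer_policy()], BOUNDARY, SCP, console_no_mfa))
    print("DeleteBucket, long-term key, Bool (gap):  ",
          is_allowed("s3:DeleteBucket", bucket, [developer_policy()], BOUNDARY, SCP, long_term_key))
    print("DeleteBucket, long-term key, BoolIfExists:",
          is_allowed("s3:DeleteBucket", bucket, [developer_policy("BoolIfExists")], BOUNDARY, SCP, long_term_key))
    print("DeleteBucket, MFA session, BoolIfExists:  ",
          is_allowed("s3:DeleteBucket", bucket, [developer_policy("BoolIfExists")], BOUNDARY, SCP, mfa_session))
```

The boundary and SCP layers only ever subtract: removing them can widen access, adding them never grants anything. Real IAM folds resource-based and session policies into the same Deny-first, then Allow-in-every-layer logic.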
Tasks that require the root user
- Change account settings (account name, email address, root password)
- Restore IAM user permissions (when the only administrator has removed their own access)
- Activate IAM access to the Billing and Cost Management console
- View certain tax invoices
- Close the AWS account
- Change or cancel the support plan
- Register as a seller in the Reserved Instance Marketplace
- Configure an S3 bucket to enable MFA Delete
- Edit or delete an S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID
- Sign up for GovCloud
Protection of the root user
- Limit use of the root user to the tasks that actually require it; use IAM identities for everything else
- Do not create root user access keys, and delete any that exist
- Use a strong, unique password
- Enable MFA on the root user
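A practical check for the access-key and root-user points above, as an added example that is not part of the original notes: the IAM credential report (`aws iam get-credential-report` returns it as base64-encoded CSV) lists every user's password, MFA and access-key state, with the root user appearing as `<root_account>`. The parser and `audit_credential_report` function below are mine; the column names match the real report (only a subset is used), but the rows are constructed, the account ID is a placeholder, and the 90-day rotation limit is an assumed policy value.

```python
"""Audit an IAM credential report for root-user hygiene and access-key rotation.

Added example, not AWS tooling. Column names follow the real credential report
CSV (csv.DictReader ignores any extra columns a real report carries); the rows
below are constructed and the account ID 111122223333 is a placeholder.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample report. Fields that do not apply to a row are N/A,
# not_supported or no_information, exactly as AWS emits them.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-04-02T12:00:00+00:00,not_supported,2024-05-01T08:12:44+00:00,not_supported,not_supported,false,true,2019-04-02T12:00:00+00:00,2024-04-30T17:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-01-10T12:00:00+00:00,true,2024-05-02T07:30:00+00:00,2024-03-01T12:00:00+00:00,2024-05-30T12:00:00+00:00,true,true,2024-04-15T12:00:00+00:00,2024-05-02T07:31:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-06-01T12:00:00+00:00,true,no_information,2021-06-01T12:00:00+00:00,N/A,false,true,2021-06-01T12:00:00+00:00,2024-05-01T09:00:00+00:00,true,2023-11-20T12:00:00+00:00,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-09-01T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-09-01T12:00:00+00:00,2024-05-02T06:00:00+00:00,false,N/A,N/A
"""

# Fixed "now" so the sample audit is reproducible (constructed, like the report).
SAMPLE_NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)


def parse_credential_report(text):
    """Parse the CSV body of a credential report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_time(value):
    """Report timestamps are ISO 8601; the placeholder strings mean 'no date'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(rows, now, max_key_age_days=90):
    """Return findings as dicts with 'user', 'check' and 'detail' keys."""
    findings = []

    def flag(user, check, detail=""):
        findings.append({"user": user, "check": check, "detail": detail})

    for row in rows:
        user = row["user"]
        if user == "<root_account>":
            # Root protection: no access keys on root, MFA enabled.
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    flag(user, "root_access_key", f"access_key_{n} is active")
            if row["mfa_active"] != "true":
                flag(user, "root_no_mfa", "MFA is not enabled on the root user")
            continue
        # Console users should have MFA; service users without a password are exempt.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            flag(user, "password_without_mfa", "console password enabled, MFA not active")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is None or age > max_key_age_days:
                shown = age if age is not None else "unknown"
                flag(user, "stale_access_key",
                     f"access_key_{n} rotated {shown} days ago (limit {max_key_age_days})")
            if _parse_time(row[f"access_key_{n}_last_used_date"]) is None:
                flag(user, "unused_access_key", f"access_key_{n} is active but has never been used")
    return findings


if __name__ == "__main__":
    for f in audit_credential_report(parse_credential_report(SAMPLE_REPORT), SAMPLE_NOW):
        print(f"{f['user']:<16} {f['check']:<22} {f['detail']}")
```

Against a live account, feed the decoded `Content` field of `get-credential-report` into `parse_credential_report` and pass the current UTC time as `now`; never-used active keys are worth deleting outright rather than rotating.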