
Aws Iam

Uploaded by

Ashfak Shaikh

AWS IAM

What is IAM?

• AWS Identity and Access Management (IAM) is a web service that helps you securely
control access to AWS resources for your users.

• You use IAM to control who can use your AWS resources (authentication) and what
resources they can use and in what ways (authorization).

• IAM is a feature of your AWS account offered at no additional charge. You will be charged
only for use of other AWS services by your users.

IAM Functionality

1. Shared access to your AWS account.
2. Granular permissions.
3. Secure access to AWS resources for applications that run on Amazon EC2.
4. Multi-factor authentication (MFA).
5. Identity federation.
6. Free to use.

Topics Covered in IAM

Access Management:
• Users
• Groups
• Roles
• Policies
• Identity Providers
• Account Settings

Topics Covered in IAM

Access Reports:
• Access Analyzer
• Credential Report
• Organization Activity
• Service Control Policies (SCPs)

Ways to Access AWS

1. AWS Management Console.
2. AWS CLI.
3. AWS SDK and API.

Administrator User and Power User

1. Administrator User:
Administrator users have full access to AWS services, including management
of IAM users and groups.

2. Power User:
Power users have full access to AWS services but are not allowed to manage
IAM users and groups.

Permission Boundaries for IAM

• AWS supports permissions boundaries for IAM entities (users or roles).

• A permissions boundary is an advanced feature for using a managed policy to set the
maximum permissions that an identity-based policy can grant to an IAM entity.

• An entity's permissions boundary allows it to perform only the actions that are allowed by
both its identity-based policies and its permissions boundaries.
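
The "allowed by both" rule above, as an added Python sketch that is not part of the original slides. The sample policies and function names are constructed for illustration, and evaluation is simplified to Action matching only (Resource, Condition, NotAction and other policy types such as SCPs are ignored).

```python
import fnmatch

# Constructed sample policies for illustration (not from the slides).
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:*", "ec2:Describe*", "iam:CreateUser"]},
]}
BOUNDARY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "cloudwatch:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}


def _as_list(value):
    """Policy fields may hold a single item or a list of items."""
    return value if isinstance(value, list) else [value]


def policy_verdict(policy, action):
    """Return 'Deny', 'Allow' or 'NoMatch' for one policy document."""
    verdict = "NoMatch"
    for stmt in _as_list(policy["Statement"]):
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        # Action names are case-insensitive and may use * and ? wildcards.
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            verdict = "Allow"
    return verdict


def effective_allow(identity, boundary, action):
    """Allowed only if BOTH policies allow the action and neither denies it."""
    verdicts = (policy_verdict(identity, action),
                policy_verdict(boundary, action))
    return verdicts == ("Allow", "Allow")


if __name__ == "__main__":
    for act in ("s3:GetObject", "ec2:DescribeInstances",
                "cloudwatch:PutMetricData", "s3:DeleteBucket", "iam:CreateUser"):
        result = effective_allow(IDENTITY_POLICY, BOUNDARY_POLICY, act)
        print(f"{act:26} {'ALLOWED' if result else 'DENIED'}")
```

Only `s3:GetObject` is permitted: the boundary does not grant `cloudwatch:*` by itself, and it caps the identity policy's `ec2:Describe*` and `iam:CreateUser` grants.
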

IAM QUIZ

1. What is an additional way to secure the AWS accounts of both the root account
and new users alike?

a) Implement Multi-Factor Authentication for all accounts.
b) Store the access key ID and secret access key of all users in a publicly accessible plain-text
document on S3 whose address only you and members of your organisation know.
c) Configure the AWS Console so that you can only log in to it from a specific IP Address
range.
d) Configure the AWS Console so that you can only log in to it from your internal network IP
address range.
2. What is the default level of access a newly created IAM user is granted?

a) No access to any AWS services.
b) Read only access to all AWS services.
c) Administrator access to all AWS services.
d) Power user access to all AWS services.
3. Which of the following is not a feature of IAM?

a) IAM integrates with existing Active Directory account allowing single sign-on.
b) IAM offers centralized control of your AWS account.
c) IAM allows you to set up biometric authentication, so that no passwords are required.
d) IAM offers fine-grained access control to AWS resources.
4. What level of access does the "root" account have?

a) Administrator Access
b) No Access
c) Power User Access
d) Read Only Access
5. In what language are policy documents written?

a) Python
b) JSON
c) Node.js
d) Java
6. Power User Access allows ________.

a) Read Only access to all AWS services and resources.
b) Users to inspect the source code of the AWS platform.
c) Full Access to all AWS services and resources.
d) Access to all AWS services except the management of groups and users within IAM.
7. Which of the following is not a component of IAM?

a) Organizational Units
b) Roles
c) Users
d) Groups
8. Which statement best describes IAM?

a) IAM stands for Improvised Application Management, and it allows you to deploy and
manage applications in the AWS Cloud.
b) IAM allows you to manage users' passwords only. AWS staff must create new users for
your organisation. This is done by raising a ticket.
c) IAM allows you to manage users, groups, roles, and their corresponding level of access
to the AWS Platform.
d) IAM allows you to manage permissions for AWS resources only.
9. When you create a new user, that user ________.

a) Will be able to log in to the console only after multi-factor authentication is enabled on
their account.
b) Will be able to interact with AWS using their access key ID and secret access key using
the API, CLI, or the AWS SDKs.
c) Will be able to log in to the console anywhere in the world, using their access key ID
and secret access key.
d) Will only be able to log in to the console in the region in which that user was created.
10. You have a client who is considering a move to AWS. In establishing a new
account, what is the first thing the company should do?

a) Set up an account via SNS (Simple Notification Service).
b) Set up an account via SQS (Simple Queue Service).
c) Set up an account using Cloud Search.
d) Set up an account using their company email address.
11. You are a developer at a fast-growing startup. Until now, you have used the
root account to log in to the AWS console. However, as you have taken on more
staff, you will now need to stop sharing the root account to prevent accidental
damage to your AWS infrastructure. What should you do so that everyone can
access the AWS resources they need to do their jobs? (Choose 2)

a) Create an additional AWS root account for each new user.
b) Give your users the root account credentials so that they can also sign in.
c) Create a customized sign-in link such as "yourcompany.signin.aws.amazon.com/console" for
your new users to use to sign in with.
d) Create individual user accounts with minimum necessary rights and tell the staff to log in to the
console using the credentials provided.
12. A new employee has just started work, and it is your job to give her administrator access
to the AWS console. You have given her a user name, an access key ID, a secret access
key, and you have generated a password for her. She is now able to log in to the AWS
console, but she is unable to interact with any AWS services. What should you do next?

a) Grant her Administrator access by adding her to the Administrators' group.
b) Ensure she is logging in to the AWS console from your corporate network and not the normal
internet.
c) Require multi-factor authentication for her user account.
d) Tell her to log out and try logging back in again.
13. You are a security administrator working for a hotel chain. You have a new member of
staff who has started as a systems administrator, and she will need full access to the AWS
console. You have created the user account and generated the access key ID and the secret
access key. You have moved this user into the group where the other administrators are, and
you have provided the new user with their secret access key and their access key ID. However,
when she tries to log in to the AWS console, she cannot. Why might that be?

a) You have not applied the "log in from console" policy document to the user. You must apply this
first so that they can log in.
b) You have not yet activated multi-factor authentication for the user, so by default they will not be
able to log in.
c) You cannot log in to the AWS console using the Access Key ID / Secret Access Key pair. Instead,
you must generate a password for the user, and supply the user with this password and your
organization's unique AWS console login URL.
d) Your user is trying to log in from the AWS console from outside the corporate network. This is
not possible.
14. You are a solutions architect working for a large engineering company who are moving from
a legacy infrastructure to AWS. You have configured the company's first AWS account and
you have set up IAM. Your company is based in Andorra, but there will be a small subsidiary
operating out of South Korea, so that office will need its own AWS environment. Which of
the following statements is true?

a) You will need to configure Users and Policy Documents only once, as these are applied globally.
b) You will then need to configure Users and Policy Documents for each region respectively.
c) You will need to configure your users regionally, however your policy documents are global.
d) You will need to configure your policy documents regionally, however your users are global.
15. You have created a new AWS account for your company, and you have also
configured multi-factor authentication on the root account. You are about to
create your new users. What strategy should you consider in order to ensure that
there is good security on this account?

a) Enact a strong password policy: user passwords must be changed every 45 days, with each
password containing a combination of capital letters, lower case letters, numbers, and special
symbols.
b) Give all users the same password so that if they forget their password they can just ask their
co-workers.
c) Restrict login to the corporate network only.
d) Require users to only be able to log in using biometric authentication.
THANK YOU ..!
