IAM – AWS Developer Certified Exam Notes

  • Doesn’t need a region, it’s universal
  • New users have NO permissions when first created
  • New users are assigned Access Key ID & Secret Access Keys when first created, and these are used via the APIs and Command line
  • Fine-grained access control to AWS resources is a feature of IAM
  • The AWS sign-in endpoint for SAML is https://signin.aws.amazon.com/saml
  • STS: Security Token Service
    • Grant users limited and temporary access to AWS resources. Users come from three sources:
      • Federation (Typically Active Directory)
      • Federation with Mobile Apps (Google, Facebook.. Open ID to login in
      • Cross Account access: Let users from one AWS account access resources in another
    • Federation: Combining or joining a list of users in one domain (such as IAM) with a list of users in another domain (AD, Facebook)
    • Identity Broker: a service that allows you to take an identity from point A and join it to point B
    • Identity Store: Services like AD, Facebook, Google
    • Identities: a users of a service like Facebook etc.
    • Example:
      • You are hosting a company website on some EC2 web servers in you VPC. Users of the  website must log in to the site which then authenticates against the companies active directory servers which are based on site at the companies head quarters. Your VPC is connected to your company HQ via a secure IPSEC VPN. Once logged in the user can only have access to their own S3 bucket.
    • Solution:
      • Develop an Identity Broker to communicate with LDAP and AWS STS
      • Identity Broker always authenticates with LDAP first, Then with AWS STS
      • Application then gets temporary access to AWS resources
  • Active Directory Federation: Through SAML and AD first then sign in to AWS using AssumeRoleWithSAML API
  • Web Identity Federation:
    • Authenticate first with your identity provider
    • get your temporary security credentials
    • call AssumeRoleWithWebIdentity API then you are able to access your AWS resources
  • IAM Groups cannot belong to other groups
  • IAM users can have any combination of credentials that AWS supports, such as an AWS access key, X.509 certificate, SSH key, password for web app logins, or an MFA device
  • You can organize users and groups under paths, similar to object paths in Amazon S3
  • User access keys and X.509 certificates can be rotated
  • NOT POSSIBLE that an IAM user have individual EC2 SSH keys
  • SSH Keys can only be used with CodeCommit
  • Cannot put a quote for individual users (limit EC2 instances … )
  • IAM roles ARE NOT ASSOCIATED WITH a specific user or group
  • There is no limit to the number of IAM roles you can assume, but you can only act as one IAM role when making requests to AWS services.
  • An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.
  • CANNOT add an IAM role to an IAM group
  • Add as many inline policies as you wan to IAM role, and up to 10 managed policies
  • A service-linked role is a type of role that links to an AWS service
  • Temporary security credentials consist of the AWS access key ID, secret access key, and security token. Temporary security credentials are valid for a specified duration and for a specific set of permissions. Temporary security credentials are sometimes simply referred to as tokens. Tokens can be requested for IAM users or for federated users you manage in your own corporate directory
  • The default expiration for these temporary credentials is 12 hours; the minimum is 15 minutes, and the maximum is 36 hours.
  • No. You cannot restrict the temporary security credentials to a particular region or subset of regions
  • Federated users CAN access the AWS Management Console
  • You can specify a session limit between 15 minutes and 36 hours (for GetFederationToken and GetSessionToken) and between 15 minutes and 12 hours (for AssumeRole* APIs), during which time the federated user can access the console
  • There is no limit to the number of federated users who can be given access to the console.
  • Web Identity federation removes for creating individual IAM users. Instead, users can sign in to an Identity Provider and then obtain temporary security credentials from from AWS STS

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s