Identity and Access Management (IAM) is an indispensable topic when preparing for the AWS Certified Developer – Associate (DVA-C02) exam. It is the core service that defines the security and access-control model for AWS resources. IAM lets you create and manage AWS users and groups and set permissions that allow or deny their access to AWS resources.
1. Understanding IAM
IAM is built around the principle of least privilege: an identity starts with no permissions and is granted only the access it needs to perform its job and nothing more. This reduces the risk of theft, alteration, or destruction of data and of unwanted access to AWS resources.
2. IAM Users
IAM users are individual identities with unique credentials that let them interact with AWS services. The credentials can be an access key for programmatic access, or a username and password for signing in to the AWS Management Console. Users can be placed in groups to simplify permission management.
3. IAM Policies
On AWS, permissions are defined using policies written in JSON. A policy is an IAM object that grants or denies access to AWS services and resources; policies are attached to IAM identities such as users, groups, and roles.
Here’s a very basic example of an AWS policy in JSON format:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListAllMyBuckets",
    "Resource": "arn:aws:s3:::*"
  }]
}
This policy lets the identity it is attached to list all S3 buckets in the account (s3:ListAllMyBuckets); it grants nothing else, so every other action remains implicitly denied.
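To make the evaluation rules concrete, here is an added Python example (not code from this page or from AWS) that applies the policy above, as a user policy, together with a constructed group policy to sample requests. It goes beyond the single policy shown: it walks every attached policy, treats "*" and "?" as wildcards, and applies the IAM order of explicit Deny over Allow over implicit Deny; Condition elements are deliberately not modelled, and all bucket names and requests are constructed.

```python
import fnmatch
import json

# Constructed sample policies (not from the page or AWS): the page's policy as
# the user's policy, plus a group policy so that multiple attached policies and
# an explicit Deny can be seen in evaluation. Condition keys are not modelled.
USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListAllMyBuckets",
    "Resource": "arn:aws:s3:::*"
  }]
}""")

GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-logs/*"},
        {"Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::app-logs/archive/*"},
    ],
}


def _matches(patterns, value, ignore_case=False):
    """IAM-style matching: '*' and '?' are wildcards; a field may be a string or a list."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if ignore_case:  # action names are matched case-insensitively, ARNs are not
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request across every attached policy."""
    decision = "Deny"  # implicit deny: nothing is permitted until a statement allows it
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, ignore_case=True)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            decision = "Allow"
    return decision


if __name__ == "__main__":
    attached = [USER_POLICY, GROUP_POLICY]  # policies of the user plus their group
    for act, res in [("s3:ListAllMyBuckets", "arn:aws:s3:::app-logs"),
                     ("s3:GetObject", "arn:aws:s3:::app-logs/2024/app.log"),
                     ("s3:PutObject", "arn:aws:s3:::app-logs/archive/old.log"),
                     ("iam:CreateUser", "*")]:
        print(f"{act:22} {res:42} -> {evaluate(attached, act, res)}")
```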
4. IAM Roles
An IAM role is a set of permissions that is not tied to a specific user; it is an identity that can be assumed when needed. Through the AWS Security Token Service (STS), a role can be assumed by the trusted entities named in its trust policy, which receive temporary credentials for the duration of the session.
5. IAM Access Key
An IAM access key is the combination of an access key ID (for example `AKIAIOSFODNN7EXAMPLE`) and a secret access key (for example `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`). You use these to sign the programmatic requests you make to AWS.
IAM User vs. IAM Access Key vs. IAM Role Comparison

| IAM User | IAM Access Key | IAM Role |
|---|---|---|
| Contains sign-in credentials | Consists of an access key ID and a secret access key | Has no long-term credentials stored with it |
| Using the root user for day-to-day work is strongly discouraged | Used to make programmatic requests | Can be assumed by trusted entities |
| Permissions are assigned directly to users, or to groups | Often used when you need long-term access to AWS services | Ideal for temporary access |
6. AWS Security Token Service (STS)
AWS STS is a web service that lets you request temporary, limited-privilege credentials for IAM users or for users that you authenticate yourself (federated users).
When preparing for the AWS Certified Developer – Associate (DVA-C02) exam, understanding IAM is essential because it is at the core of managing and delegating access to AWS services and resources. Well-implemented IAM policies greatly improve the security and manageability of your AWS workloads.
Practice Test
Identity and Access Management (IAM) is a network product that AWS does not provide.
- True
- False
Answer: False
Explanation: AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources.
Which of the following are benefits of using IAM? (Select all that apply)
- Centralized control of your AWS account
- Integration with existing active directory
- Granular permissions
- Shared access to your AWS account resources
Answer: All of the above
Explanation: IAM provides all of these benefits. It allows central control of the account, integrates with an existing Active Directory, offers granular permissions, and allows access to account resources to be shared.
With IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
- True
- False
Answer: True
Explanation: With IAM you can create and manage identities and manage the permissions for accessing resources.
IAM is regional.
- True
- False
Answer: False
Explanation: IAM is global. Therefore, any policy or user you create exists across all regions.
The AWS Management Console is a feature provided by IAM.
- True
- False
Answer: False
Explanation: The AWS Management Console is an interface for access to AWS services. IAM is used to manage access to the console, but is not a feature of it.
Which of the following is not an IAM feature?
- Federated users and confirmations
- Free to use
- Is region specific
- Sharing of access to AWS resources
Answer: Is region specific
Explanation: IAM is a global service that is not specific to any region.
IAM allows you to grant unique security credentials to different people for different roles.
- True
- False
Answer: True
Explanation: IAM enables you to manage access to AWS services and resources securely by providing individual people with unique security credentials.
You can use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
- True
- False
Answer: True
Explanation: IAM lets you manage both who can sign in to your AWS environment (authentication) and what resources they can use in your AWS environment (authorization).
IAM supports a standard set of permissions that can’t be customized.
- True
- False
Answer: False
Explanation: IAM allows you to create customized permissions for different users or systems.
What features does IAM provide for non-AWS managed access control? (Select all that apply)
- Multifactor authentication (MFA)
- Federated (Single Sign-On) access
- Password policies management
- Pre-configured IAM roles for Lambda
Answer: Multifactor authentication (MFA), Federated (Single Sign-On) access, Password policies management
Explanation: These are features provided by IAM for both AWS-managed and non-AWS-managed access control. Pre-configured IAM roles for Lambda are not an IAM feature for non-AWS-managed access control.
IAM provides the ability to track user activity in your AWS account for auditing purposes.
- True
- False
Answer: True
Explanation: IAM integrates with AWS CloudTrail to provide a record (audit trail) of IAM user activity.
IAM supports the management of temporary credentials, giving you an option to grant limited-privilege access to your AWS account.
- True
- False
Answer: True
Explanation: IAM provides roles that enable you to delegate permissions to resources in your AWS account, but do not grant permanent, direct access to those resources. This allows the management of temporary credentials.
AWS IAM policies are documents that define permissions and can be attached to multiple users, groups, or roles.
- True
- False
Answer: True
Explanation: Policies are IAM objects that define the permissions and can be attached to multiple IAM entities.
Interview Questions
What is Identity and Access Management (IAM) in AWS?
Amazon IAM is a web service that helps you securely control access to Amazon Web Services resources. It controls who can sign in to your AWS environment and who is authorized to use the resources.
What do IAM roles in AWS offer over traditional AWS security credentials?
IAM roles let you delegate permissions that define what the role can and cannot do. Unlike IAM users, roles do not require long-term credentials such as access keys.
What is the function of a policy in AWS IAM?
A policy in AWS IAM is an object that, when associated with an identity or resource, defines its permissions. With a policy you specify which actions are allowed or denied on which AWS resources.
How can you implement federation with AWS IAM?
You can implement federation with AWS IAM by using SAML (Security Assertion Markup Language) for single sign-on access to AWS. You can integrate your corporate directory with IAM and enable single sign-on and federation to AWS.
What does the AWS Security Token Service (STS) provide?
AWS Security Token Service provides short-term, limited-privilege credentials that your application can use to access the AWS resources it needs. It lets you manage temporary security credentials for federated users and for roles.
Are IAM policies attached to the user directly?
No, IAM policies are not necessarily attached directly to the user. They could also be attached to the groups to which the user belongs, or to roles that the user assumes.
Can an IAM user belong to multiple IAM groups?
Yes, an IAM User can be a part of multiple IAM groups.
What is a principal in the context of AWS IAM?
In AWS IAM, a principal is an entity that is allowed to interact with AWS resources. A principal can be an AWS account, an IAM user, or an IAM role.
How many IAM roles can be created in an AWS account?
You can create up to 5000 IAM roles per AWS account.
What is the significance of an IAM root user?
The root user is the sign-in identity created when you first set up your AWS account. It has full access to all resources in the account, and that access cannot be restricted with an IAM policy.
Can IAM policies be used to manage access on a global scale across all AWS resources?
Yes, because IAM is a global service, it provides a uniform mechanism to manage access control across all of your AWS resources, irrespective of their region.
How are permissions designated in AWS IAM?
Permissions are designated in AWS IAM through JSON policy documents. Each policy document contains one or more permissions, each of which links together an action, a resource, and an effect.
What does Multi-Factor Authentication (MFA) provide in an AWS environment?
Multi-Factor Authentication adds an extra layer of protection on your AWS account. It requires users to present two separate forms of identification: something they know (password), and something they have (a trusted device).
In AWS IAM, who is the “Owner”?
The “owner” refers to the AWS account root user, that is, the identity whose credentials were created first when the account was set up. The “owner” has full permissions to all resources in the account.
What is AWS Cognito and how does it relate to IAM?
Amazon Cognito is a user identity and data synchronization service that helps manage and secure user data across devices. It lets you authenticate users through an external identity provider and issues temporary security credentials for accessing your app’s backend resources in AWS or any service behind Amazon API Gateway. Cognito integrates with IAM, allowing you to set permissions that control resource access.