Amazon Web Services (AWS)
Amazon Web Services (AWS) offers a suite of identity and access management tools that allow users to securely gain access to resources within an AWS environment. These tools play vital roles in ensuring the reliable and safe functioning of the AWS architecture. Tools such as AWS Identity and Access Management (IAM) and AWS IAM Identity Center (which includes AWS Single Sign-On) help perform these roles. Understanding these services is fundamental to pursuing the AWS Certified Solutions Architect – Associate (SAA-C03) certification.
AWS Identity and Access Management (IAM)
IAM is a security service that helps manage access to AWS resources in a secure manner. It enables AWS customers to control who can use their AWS resources (authentication) and what resources they can use and in what ways (authorization).
To use AWS, you first sign up for an AWS account, which provides you with access to all AWS services. The AWS account root user has complete access and full permissions to all resources in your AWS account.
To allow other people in your organization to access your AWS resources, you don’t want to provide them your root user credentials. Instead, you can create individual IAM users within your AWS account, and give them access only to the AWS services and resources they need.
An IAM user is simply an entity with its associated AWS credentials for authentication. IAM users are not separate accounts; they are users within your account.
IAM is built from the following identity and permission constructs:
- Users: The end-user, meaning those people who use your AWS resources.
- Groups: A collection of users under one set of permissions (you can’t actually assign permissions to a user directly, you need to do it through groups).
- Roles: You create roles and they can be assumed by trusted entities (user or services) to carry out tasks.
- Policies: A document defining permissions that can be attached to users/groups/roles.
Example IAM Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}
The example policy above allows every Amazon S3 action (the "s3:*" wildcard) on every resource ("*"). Note that the policy document must use plain ASCII double quotes; typographic quotes make it invalid JSON and IAM will reject it.
AWS IAM Identity Center
AWS IAM Identity Center includes AWS Single Sign-On (SSO), a cloud-based identity and access management service for centrally managing SSO access to multiple AWS accounts and business applications.
AWS SSO provides built-in SAML integrations with third-party business applications, including Salesforce, Box, and Microsoft 365.
Some of the benefits of using AWS Single Sign-On include:
- Users sign in only once, with one set of credentials, to have access to all their applications.
- Simplified user management, as well as improved identity security and compliance.
In the AWS SSO setup, you start by choosing an identity source, which is where AWS SSO retrieves the user identities it grants SSO access to. You can use the built-in AWS SSO identity store, connect to your own Microsoft Active Directory, or manage identities in AWS Managed Microsoft AD.
For the AWS Certified Solutions Architect – Associate (SAA-C03) exam, grasping the functionality and implementation of AWS IAM and AWS SSO is crucial. These tools together form the foundation of AWS federated access and identity services, ensuring secure and streamlined access to AWS resources.
Practice Test
True or False: AWS Identity and Access Management (IAM) is a web service from Amazon Web Services that controls who is authenticated and authorized to use AWS resources.
- True
- False
Answer: True.
Explanation: Yes, Amazon IAM enables you to manage access to AWS services and resources securely.
Select the correct statement about AWS Single Sign-On (SSO):
- a. AWS SSO allows for centralized management and use of multiple AWS accounts only.
- b. AWS SSO can integrate with other AWS identity services.
- c. AWS SSO does not provide fine-grained access control to AWS resources.
Answer: b. AWS SSO can integrate with other AWS identity services.
Explanation: AWS SSO simplifies AWS account management by enabling you to access all of your AWS accounts through a single user portal. It can integrate with other AWS identity services for centralized identity and access management.
AWS IAM role enables you to:
- a. Delegate access permissions to AWS services or users
- b. Generate access keys for root user
- c. Assign permissions directly to an IAM user
Answer: a. Delegate access permissions to AWS services or users.
Explanation: An IAM role is an AWS identity with permission policies that determine what the identity can and can’t do in AWS. You can use roles to delegate access to users, applications, or services that don’t normally have access to your AWS resources.
True or False: In IAM, when you create a role, you need to create a new set of credentials.
- True
- False
Answer: False.
Explanation: Roles do not have standard long-term credentials (password or access keys) associated with them. Instead, if a user assumes a role, temporary security credentials are created dynamically and provided to the user.
Which of the following is NOT a feature of IAM?
- a. Sharing access without sharing passwords
- b. Centralized control of AWS account
- c. Possibility to grant unlimited permissions to all users
Answer: c. Possibility to grant unlimited permissions to all users.
Explanation: IAM provides the option to grant only the necessary access to users but does not endorse granting unlimited permissions to all users.
True or False: AWS SSO supports SAML
- True
- False
Answer: True.
Explanation: AWS SSO integrates with several business applications that support SAML 2.0 for single sign-on.
IAM groups are primarily used for:
- a. Grouping EC2 resources
- b. Grouping IAM users
- c. Grouping S3 buckets
Answer: b. Grouping IAM users.
Explanation: IAM groups are used to collectively manage users who require the same set of permissions.
What does AWS Federated Access enable?
- a. It allows users to switch between AWS accounts without having to sign out and sign in each time.
- b. It allows integration with your company’s existing directory and to access AWS Management Console.
- c. It allows the creation of IAM groups and users.
Answer: b. It allows integration with your company’s existing directory and to access AWS Management Console.
Explanation: AWS Federated Access enables you to use your organization’s existing identity systems with AWS.
True or False: IAM policies define what actions are allowed or denied on what AWS resources.
- True
- False
Answer: True.
Explanation: IAM policies are documents that define permissions and can be applied to users, groups, and roles.
True or False: AWS IAM provides resource-based policies but not identity-based policies.
- True
- False
Answer: False.
Explanation: AWS IAM provides both identity-based policies (attached to IAM identities) and resource-based policies (attached to AWS resources).
IAM is a regional service in AWS. True or False?
- True
- False
Answer: False.
Explanation: IAM is a global service in AWS. There is no need to select a region for IAM in the AWS console.
AWS SSO requires Multi-Factor Authentication. True or False?
- True
- False
Answer: True.
Explanation: AWS SSO integrates with AWS Organizations for automated, policy-based employee access, with multi-factor authentication (MFA) built in.
AWS IAM supports how many types of access control policies?
- a. 2
- b. 3
- c. 4
Answer: a. 2
Explanation: IAM supports both identity-based policies and resource-based policies.
If a user has two policies attached, one that allows an action and another that denies the same action, what is the decision?
- a. Deny
- b. Allow
Answer: a. Deny
Explanation: In AWS IAM, an explicit Deny always overrides any Allow.
True or False: IAM users start with full permissions in AWS.
- True
- False
Answer: False.
Explanation: When you first create a new user in IAM, it has no permissions at all; you must explicitly grant the permissions the user needs.
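The following Python is an added example, not code from the original page or from AWS. It evaluates a request against the page's sample S3 policy plus a constructed explicit-deny policy, applying the two rules the practice questions above state: a user starts with no permissions (implicit deny), and an explicit Deny overrides any Allow. The bucket names, the deny policy, and the simplified matching (no Condition, NotAction, NotResource, or resource-based policies) are assumptions for illustration.

```python
import fnmatch
import json

# Constructed sample policies (not from the page): the page's broad "s3:*"
# allow, plus an explicit deny on deletes in a hypothetical audit-logs bucket.
S3_ALLOW_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]
}""")
S3_DENY_DELETE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny",
                 "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
                 "Resource": "arn:aws:s3:::audit-logs*"}]
}""")


def _as_list(value):
    # IAM allows Statement/Action/Resource to be a single value or a list.
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive and may use '*' / '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are matched case-sensitively, with the same wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request using the identity-policy
    rules the page states: implicit deny by default, explicit Deny wins."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_action_matches(stmt["Action"], action)
                    and _resource_matches(stmt["Resource"], resource)):
                continue  # statement does not apply to this request
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny
```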
Interview Questions
What is AWS IAM?
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
What does AWS Single Sign-On (SSO) service provide?
AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to all of your AWS accounts and cloud applications. It lets users sign in to any of those accounts and applications from one place.
How does federated access work in AWS IAM?
Federated access in AWS IAM allows you to associate external identities with IAM roles. This type of access enables you to manage access to your AWS resources without having to create IAM users.
What is the purpose of IAM policies in AWS?
IAM policies are objects in AWS that, when associated with an identity or resource, define their permissions. IAM policies determine what actions are allowed or denied on what AWS resources.
How are IAM roles used in AWS?
IAM roles are AWS identities with permission policies that determine what the identity can and cannot do in AWS. You can use roles to delegate access to users, applications, or services that don’t normally have access to your AWS resources.
What features does AWS provide to secure access to AWS resources?
Some of the security features provided by AWS include IAM for user and access management, AWS Single Sign-On for easy access to AWS accounts and applications, MFA for enhanced security, and AWS Directory Service to integrate corporate directories.
Can you assign AWS IAM policies at the group level?
Yes, you can attach policies to IAM groups. All users in that group automatically inherit the permissions specified in the policies.
Can IAM roles be assumed by AWS services such as EC2 instances?
Yes, IAM roles can be assumed by AWS services such as EC2 instances. This gives the service the permissions it needs to make API requests on your behalf without embedding long-term credentials.
How does AWS Single Sign-On interplay with AWS IAM?
AWS Single Sign-On works with AWS IAM by providing a way to manage SSO access to multiple AWS accounts and business applications. It uses IAM to assign permissions that determine what actions can be performed on which AWS resources.
What are AWS IAM roles?
IAM roles are a secure way to grant permissions to entities that you trust. Instead of sharing your AWS security credentials, you can grant permissions to other AWS accounts, AWS services, or applications running on AWS to access your resources.