Tutorial / Cram Notes

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. IAM allows you to create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. IAM is a feature of your AWS account offered at no additional charge.

With AWS IAM, you can implement various security measures, such as:

User and Group Management:

Create individual user accounts with credentials attached, enabling each user to have a unique set of security credentials. You can also organize users into groups, manage permissions in bulk, and apply policies to manage permissions.

IAM Roles (delegated, temporary access):

Use roles to delegate access to resources without handing out long-term user credentials. A role is assumed for a session and returns temporary credentials from AWS STS, which makes it the right tool for cross-account access, for federated identities, and for granting permissions to AWS services and workloads (EC2 instances, Lambda functions, containers) that would otherwise need embedded access keys.

Policy Management:

Define policies in JSON format that explicitly list permissions and attach them to users, groups, or roles to specify allowed or denied actions and resources.

Multi-Factor Authentication (MFA):

Increase security of your AWS environment by requiring a second form of authentication in addition to the username and password.

Integration with Corporate Directories:

Federate your existing directory service to grant permissions to users based on the group memberships in your corporate directory.

Fine-Grained Access Controls:

Set permissions to control the level of access to AWS services and resources for users, groups, and roles.

For example, to give a user read-only access to Amazon S3, you can attach the AWS managed AmazonS3ReadOnlyAccess policy with the following AWS CLI command:

aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess --user-name MyUser

This attaches the built-in Amazon S3 read-only policy to the user named "MyUser". Note that the managed policy grants read access to every bucket in the account (its Resource is "*"); if the user only needs one bucket, write a customer managed policy whose Resource lists that bucket and its objects (arn:aws:s3:::bucket-name and arn:aws:s3:::bucket-name/*) instead.

AWS IAM Identity Center (formerly AWS Single Sign-On or AWS SSO) extends IAM capabilities by centrally managing SSO access and user permissions across all of your AWS accounts, as well as many business applications.

AWS IAM Identity Center provides important features such as:

  • Centralized Access Management: Easily manage SSO access and user permissions to all of your AWS accounts from a central location.
  • Integration with External Identity Providers: Use a Microsoft Active Directory connected through AWS Directory Service, or any identity provider that supports SAML 2.0, as the identity source instead of the built-in directory.
  • Pre-Built Integrations: Access a catalog of pre-built integrations for business applications (such as Salesforce, Box, and Office 365).
  • Automatic User Provisioning: Set up automatic provisioning and de-provisioning of user accounts with SCIM (System for Cross-domain Identity Management) 2.0 compatible identity providers.
  • User Portal: Provide users with a user portal where they can find and sign in to their assigned AWS accounts, business applications, and custom applications all from one place.

Here is a brief comparison between IAM and AWS IAM Identity Center:

Feature                  | AWS IAM                                                            | AWS IAM Identity Center
-------------------------|--------------------------------------------------------------------|--------------------------------------------------------------------
User management          | Users created and maintained manually, per account                 | Users and groups synchronized from the identity source (SCIM provisioning and deprovisioning)
Access control           | Policies attached to users, groups and roles within one account    | Permission sets assigned centrally across accounts and applications
SSO                      | Only by configuring SAML/OIDC federation yourself; no user portal  | Built in, with a user portal for AWS accounts and integrated applications
Multi-account management | Permissions managed separately in each account                     | Centralized permission management across all accounts in the organization
Directory integration    | AWS Directory Service and identity federation                      | Built-in directory, Active Directory via AWS Directory Service, or an external SAML 2.0 IdP
MFA                      | Supported (virtual authenticator, FIDO security key, hardware TOTP) | Supported
Federated access         | SAML 2.0 and OpenID Connect                                        | SAML 2.0 for authentication plus SCIM for provisioning
Application integrations | AWS services only                                                  | Catalog of pre-built connectors for third-party applications

AWS IAM Identity Center simplifies the management of multiple AWS accounts and applications, making it an essential tool for businesses that need centralized control and consistent security policies across their AWS environment and integrated SaaS applications.

In preparation for the AWS Certified Solutions Architect – Professional (SAP-C02) exam, it’s crucial to understand both these AWS services’ features and capabilities, as well as the scenarios in which they would be appropriately applied within an architectural solution. Being well-versed in IAM and AWS IAM Identity Center can ensure a secure, efficient, and compliant AWS environment.

Practice Test with Explanation

True or False: Once you create an IAM user, you cannot remove the user’s ability to change their own password.

  • A) True
  • B) False

Answer: B) False

Explanation: Whether IAM users can change their own passwords is controlled by the administrator. The account password policy has an "Allow users to change their own password" setting, and the iam:ChangePassword action can be allowed or denied in policies, typically scoped to the user's own ARN with the ${aws:username} policy variable.

AWS IAM Identity Center (formerly AWS Single Sign-On) allows users to authenticate with:

  • A) Only the built-in Identity Center directory
  • B) Only SAML 2.0 compliant identity providers
  • C) Both the built-in Identity Center directory and SAML 2.0 compliant identity providers
  • D) External identities using Google or Facebook

Answer: C) Both the built-in Identity Center directory and SAML 2.0 compliant identity providers

Explanation: Identity Center authenticates users against one configured identity source: its own built-in directory, a Microsoft Active Directory connected through AWS Directory Service, or an external SAML 2.0 identity provider. In every case users sign in once, with their existing corporate credentials where an external source is used, to reach their AWS accounts and the third-party apps connected to Identity Center. Social identities such as Google or Facebook are a feature of Amazon Cognito, not of Identity Center.

Which of the following is NOT an IAM best practice?

  • A) Use multi-factor authentication (MFA) for all users.
  • B) Grant least privilege access.
  • C) Rotate credentials regularly.
  • D) Share IAM users between team members.

Answer: D) Share IAM users between team members.

Explanation: Sharing IAM users is not a best practice. Instead, each individual should have their own IAM user for accountability and security purposes.

True or False: IAM Roles are more secure for granting permissions to AWS services than storing AWS access keys within applications.

  • A) True
  • B) False

Answer: A) True

Explanation: IAM roles provide temporary security credentials issued by AWS STS that expire with the session and are refreshed automatically by the SDKs and CLI, so no long-term access key has to be embedded in application code or configuration, where it could leak through source control, logs, or backups.

In the context of IAM, what is “permission boundary”?

  • A) A set of permissions that defines the maximum permissions IAM entities can have.
  • B) The default permissions assigned to a new IAM user.
  • C) A policy that defines the minimum permissions required by any IAM user.
  • D) A firewall rule that limits access to IAM resources.

Answer: A) A set of permissions that defines the maximum permissions IAM entities can have.

Explanation: A permissions boundary is a managed policy attached to a user or role that sets the maximum permissions the identity can have. It never grants permissions itself: a request is allowed only if both the identity-based policies and the boundary allow it, and an explicit deny in either still wins. Boundaries are typically used to let delegated administrators create users and roles without escalating beyond a defined ceiling.
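To make these evaluation rules concrete, here is a toy evaluator, added here as an example and not part of the original notes or of any AWS code. It implements the decision order IAM applies (an explicit Deny beats an Allow, which beats the implicit deny), wildcard matching in actions and resources, the ${aws:username} variable used in self-service password policies, and a permissions boundary combined as an intersection with the identity policies. The account ID 123456789012, the bucket names and the policy documents are constructed; the S3 policy mirrors the shape of the managed AmazonS3ReadOnlyAccess policy from the tutorial section above. Condition, NotAction and NotResource are left out.

```python
"""Toy IAM policy evaluator (added example, not AWS code).

Decision order as in IAM: an explicit Deny anywhere wins, otherwise at least
one Allow is needed, otherwise the request is implicitly denied.  Supports the
'*' and '?' wildcards, the ${aws:username} policy variable and an optional
permissions boundary, which must ALSO allow the request (intersection).
Condition, NotAction and NotResource are not modelled.
"""
import re


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _pattern_to_regex(pattern, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + body + "$", re.IGNORECASE if ignore_case else 0)


def _substitute(resource, context):
    # Policy variables such as ${aws:username} resolve from the request
    # context; an unknown variable is left verbatim and so never matches.
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: context.get(m.group(1), m.group(0)), resource)


def _statement_matches(stmt, action, resource, context):
    # Action names are matched case-insensitively, resource ARNs exactly.
    action_pats = [_pattern_to_regex(a, True) for a in _as_list(stmt.get("Action"))]
    if not any(p.match(action) for p in action_pats):
        return False
    resource_pats = [_pattern_to_regex(_substitute(r, context), False)
                     for r in _as_list(stmt.get("Resource"))]
    return any(p.match(resource) for p in resource_pats)


def evaluate_policy(policy, action, resource, context=None):
    """Decision of one policy document: 'allow', 'deny' or 'implicit_deny'."""
    context = context or {}
    decision = "implicit_deny"
    for stmt in _as_list(policy.get("Statement")):
        if _statement_matches(stmt, action, resource, context):
            if stmt.get("Effect") == "Deny":
                return "deny"  # an explicit deny is final
            decision = "allow"
    return decision


def is_allowed(identity_policies, action, resource, context=None, boundary=None):
    """Combine all identity-based policies with an optional permissions boundary."""
    decisions = [evaluate_policy(p, action, resource, context) for p in identity_policies]
    if "deny" in decisions or "allow" not in decisions:
        return False
    # A boundary never grants anything; it only caps what the identity
    # policies grant, so it must evaluate to 'allow' as well.
    if boundary is not None and evaluate_policy(boundary, action, resource, context) != "allow":
        return False
    return True


# --- constructed sample policies (account ID and bucket names are made up) ---
S3_READ_ONLY = {  # same shape as the managed AmazonS3ReadOnlyAccess policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:Get*", "s3:List*", "s3:Describe*"],
                   "Resource": "*"}],
}
DENY_PAYROLL = {  # explicit deny carved out of the read-only grant
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::payroll-secrets",
                                "arn:aws:s3:::payroll-secrets/*"]}],
}
SELF_SERVICE_PASSWORD = {  # a user may change only their own password
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:ChangePassword",
                   "Resource": "arn:aws:iam::123456789012:user/${aws:username}"}],
}
GET_ONLY_BOUNDARY = {  # boundary: at most s3:GetObject, whatever the identity policy says
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::public-data/report.csv"
    print(is_allowed([S3_READ_ONLY], "s3:GetObject", obj))                  # True
    print(is_allowed([S3_READ_ONLY], "s3:PutObject", obj))                  # False (implicit deny)
    print(is_allowed([S3_READ_ONLY, DENY_PAYROLL], "s3:GetObject",
                     "arn:aws:s3:::payroll-secrets/q1.csv"))                # False (explicit deny)
    print(is_allowed([S3_READ_ONLY], "s3:ListBucket", "arn:aws:s3:::public-data",
                     boundary=GET_ONLY_BOUNDARY))                           # False (capped by boundary)
```

Because Condition is not modelled, MFA or source-IP conditions are not represented; the real decision logic also has resource-based policies, SCPs and session policies as further inputs, which this toy omits on purpose so the three-way interaction of Allow, explicit Deny and boundary stays visible.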

True or False: AWS IAM Identity Center can be used to manage access to on-premises applications.

  • A) True
  • B) False

Answer: A) True

Explanation: AWS IAM Identity Center supports single sign-on to both AWS and on-premises applications, facilitating centralized access.

When attaching an IAM policy, which options are available for specifying the target?

  • A) Users only
  • B) Groups only
  • C) Users, groups, and roles
  • D) Services only

Answer: C) Users, groups, and roles

Explanation: IAM policies can be attached directly to users, groups, or roles to grant permissions to AWS resources.

True or False: IAM supports resource-based policies for all AWS services.

  • A) True
  • B) False

Answer: B) False

Explanation: Not all AWS services support resource-based policies. Some services rely solely on IAM user/group/role-based policies.

What feature of AWS IAM Identity Center helps in automating the provisioning of user accounts in various AWS accounts and business applications?

  • A) User pools
  • B) Federation
  • C) Automated provisioning (SCIM)
  • D) Access advisor

Answer: C) Automated provisioning (SCIM)

Explanation: Automated provisioning in AWS IAM Identity Center leverages the System for Cross-domain Identity Management (SCIM) standard to automate the lifecycle of user and group provisioning.

True or False: The “Principal” element in an IAM policy is mandatory for all types of policies.

  • A) True
  • B) False

Answer: B) False

Explanation: In IAM, the Principal element is not used in identity-based policies, because the principal is implicitly the user, group, or role the policy is attached to. It is required in resource-based policies (for example an S3 bucket policy or a role's trust policy), where it names who may perform the allowed actions.

Which IAM feature allows you to analyze permissions granted and used, to refine policies accordingly?

  • A) IAM Policy Simulator
  • B) Access Advisor
  • C) IAM Credentials Report
  • D) Trusted Advisor

Answer: B) Access Advisor

Explanation: Access Advisor shows service permissions granted by policies and when those services were last accessed. This can help in refining policies to adhere to the principle of least privilege.
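As an added example (not from the original page or from AWS), the following turns the kind of data Access Advisor shows, as returned by `aws iam get-service-last-accessed-details` after a `generate-service-last-accessed-details` job, into a concrete pruning step: services a policy allows but that have not authenticated within 90 days are removed from its Allow statements. The policy, the last-accessed entries and the timestamps are constructed; the field names follow the ServicesLastAccessed shape of that API.

```python
"""Prune unused services from an IAM policy using last-accessed data
(added example, not AWS code).

The LAST_ACCESSED list below is constructed but follows the ServicesLastAccessed
shape returned by `aws iam get-service-last-accessed-details`: a service the
principal never authenticated to has no LastAuthenticated field at all.
Services allowed by the policy but idle for more than MAX_IDLE_DAYS are removed
from its Allow statements, which is how Access Advisor data becomes a tighter
least-privilege policy.
"""
from datetime import datetime, timedelta, timezone

MAX_IDLE_DAYS = 90


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _namespace(action):
    return action.split(":", 1)[0].lower()  # 'ec2:Describe*' -> 'ec2', '*' -> '*'


def _parse_ts(value):
    # CLI output is ISO 8601 with a trailing 'Z'; normalise for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def service_namespaces(policy):
    """Service prefixes granted by the Allow statements, e.g. {'s3', 'ec2'}."""
    namespaces = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            namespaces.update(_namespace(a) for a in _as_list(stmt.get("Action")))
    return namespaces


def unused_services(policy, last_accessed, now, max_idle_days=MAX_IDLE_DAYS):
    """Namespaces the policy allows that were never used or not used recently."""
    cutoff = now - timedelta(days=max_idle_days)
    last_seen = {}
    for entry in last_accessed:
        ts = entry.get("LastAuthenticated")  # absent when never used in the tracking period
        last_seen[entry["ServiceNamespace"]] = _parse_ts(ts) if ts else None
    unused = set()
    for ns in service_namespaces(policy):
        if ns == "*":
            continue  # 'Action: *' cannot be pruned per service; rewrite it by hand
        seen = last_seen.get(ns)
        if seen is None or seen < cutoff:
            unused.add(ns)
    return unused


def prune_policy(policy, drop):
    """Copy of the policy with actions of the dropped namespaces removed."""
    statements = []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Allow":
            actions = [a for a in actions if _namespace(a) not in drop]
            if not actions:
                continue  # nothing left to allow: drop the whole statement
        statements.append({**stmt, "Action": actions})
    return {**policy, "Statement": statements}


# --- constructed sample data ---
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:ListUsers"], "Resource": "*"},
    ],
}
LAST_ACCESSED = [  # ServicesLastAccessed entries; timestamps are made up
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
     "LastAuthenticated": "2024-05-28T09:15:00Z", "TotalAuthenticatedEntities": 1},
    {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
     "TotalAuthenticatedEntities": 0},  # never used
    {"ServiceName": "AWS Identity and Access Management", "ServiceNamespace": "iam",
     "LastAuthenticated": "2023-11-02T17:40:00Z", "TotalAuthenticatedEntities": 1},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    drop = unused_services(DEV_POLICY, LAST_ACCESSED, NOW)
    print(sorted(drop))  # ['ec2', 'iam']
    print(prune_policy(DEV_POLICY, drop)["Statement"])
```

Service-level data is the coarsest view Access Advisor offers; for S3, IAM and a few other services the same API also returns action-level last-accessed information, which lets you prune individual actions rather than whole service prefixes.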

True or False: Within AWS IAM Identity Center, users are automatically federated and do not require individual management within AWS.

  • A) True
  • B) False

Answer: A) True

Explanation: Identity Center provisions a role in each member account for every permission set assigned there, so no IAM users have to be created or maintained per account. Users and groups are still managed, but only once, in the chosen identity source (the built-in directory, Active Directory, or an external IdP via SCIM), and they sign in once to reach all of their assigned accounts and applications.

Interview Questions

What is the primary function of AWS Identity and Access Management (IAM)?

IAM enables AWS customers to manage access to AWS services and resources securely. It allows the creation of users, groups, and roles, and defines policies to grant permissions to various AWS resources.

How does AWS IAM Identity Center (formerly AWS Single Sign-On) differ from IAM?

AWS IAM Identity Center allows users to centrally manage access to multiple AWS accounts and applications using a single sign-on. While IAM manages access within a single AWS account, IAM Identity Center is designed to simplify access across a multitude of AWS accounts and SaaS applications for all users.

Can you describe what IAM roles are and when you would use them over IAM users?

IAM roles are a set of permissions that grant access to actions and resources in AWS but are not uniquely associated with a single person. They are used when you need to delegate permissions to AWS services, for federated users, or for users who already have identity credentials outside of AWS. They are also used for temporary access.

Explain the concept of the Principle of Least Privilege and how it’s applied in AWS IAM.

The Principle of Least Privilege means giving entities only the permissions they need to perform their intended tasks, and no more. In AWS IAM, this can be implemented by creating policies that grant the least amount of access necessary rather than using broader permissions.

What is an IAM policy and how is it structured?

An IAM policy is a JSON document that defines permissions and is attached to IAM identities (users, groups, and roles) or, for resource-based policies, to a resource. It contains a Version (normally "2012-10-17") and a Statement array; each statement has an Effect (Allow or Deny), an Action (or NotAction), a Resource (or NotResource), and optionally a Sid, a Condition block, and, in resource-based policies, a Principal.

How can you secure IAM credentials within AWS?

To secure IAM credentials, one should enforce strong password policies, use multi-factor authentication (MFA), rotate access keys regularly, apply least privilege access principles, audit permissions with IAM Access Analyzer, and monitor activity with AWS CloudTrail.

Describe a use case where cross-account access with IAM roles is beneficial.

Cross-account access is beneficial when you have multiple AWS accounts and need to allow users or services from one account to access resources in another. This removes the need to create duplicate IAM users in each account and centrally manages permissions.
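The practical caveat with cross-account roles is the trust policy. The following checker, added here as an example and not from the original page or from AWS, flags two common mistakes in a role's trust policy: a wildcard Principal, and a principal from another account that is not pinned with an sts:ExternalId condition, which is the protection AWS documents against the confused-deputy problem when a third party assumes your role. The account IDs, role names and external ID value are constructed.

```python
"""Audit a cross-account role's trust policy (added example, not AWS code).

A trust policy is a resource-based policy, so it names a Principal.  Two
mistakes make cross-account delegation dangerous and are flagged here:
  - a wildcard Principal ('*' or {"AWS": "*"}), reported together with whether
    the statement carries any Condition at all;
  - a principal in another account without an sts:ExternalId condition, the
    confused-deputy protection AWS recommends when a third party assumes a role.
Principals in the role's own account and AWS service principals need no
external ID and are not flagged.
"""
import re

_ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_ids(principal):
    """Flatten the Principal element into plain ARNs, account IDs, or '*'."""
    if principal == "*":
        return ["*"]
    ids = []
    for key in ("AWS", "Federated", "Service"):
        ids.extend(_as_list(principal.get(key)))
    return ids


def _account_of(principal_id):
    # A bare 12-digit ID and an IAM ARN both identify an account; service
    # principals such as ec2.amazonaws.com have none.
    if principal_id.isdigit() and len(principal_id) == 12:
        return principal_id
    m = _ACCOUNT_IN_ARN.match(principal_id)
    return m.group(1) if m else None


def _has_external_id(stmt):
    # e.g. {"StringEquals": {"sts:ExternalId": "..."}}
    return any("sts:ExternalId" in keys for keys in stmt.get("Condition", {}).values())


def audit_trust_policy(trust_policy, own_account_id):
    """Return (rule, detail) findings for every risky sts:AssumeRole statement."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a.lower() == "sts:assumerole" for a in _as_list(stmt.get("Action"))):
            continue
        for pid in _principal_ids(stmt.get("Principal", {})):
            if pid == "*":
                detail = "conditioned" if stmt.get("Condition") else "unconditioned"
                findings.append(("wildcard-principal", detail))
                continue
            acct = _account_of(pid)
            if acct and acct != own_account_id and not _has_external_id(stmt):
                findings.append(("foreign-account-without-external-id", pid))
    return findings


# --- constructed sample trust policies (account IDs and external ID are made up) ---
OWN_ACCOUNT = "111111111111"
PARTNER_ROOT = "arn:aws:iam::222222222222:root"


def _trust(principal, condition=None):
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


SAFE_TRUST = _trust({"AWS": PARTNER_ROOT},
                    {"StringEquals": {"sts:ExternalId": "c0ffee-partner-42"}})
WEAK_TRUST = _trust({"AWS": PARTNER_ROOT})                       # any caller in the partner account
OPEN_TRUST = _trust("*")                                          # anyone with an AWS account
SAME_ACCOUNT_TRUST = _trust({"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:role/Deployer"})
SERVICE_TRUST = _trust({"Service": "ec2.amazonaws.com"})          # instance profile role

if __name__ == "__main__":
    for name, policy in [("SAFE", SAFE_TRUST), ("WEAK", WEAK_TRUST), ("OPEN", OPEN_TRUST)]:
        print(name, audit_trust_policy(policy, OWN_ACCOUNT))
```

A wildcard principal is reported even when a Condition is present, because a condition such as aws:PrincipalOrgID can make it legitimate and a reviewer should look at which condition it is; the checker does not try to judge that.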

Can you explain what is meant by MFA in the context of IAM and why it’s important?

MFA, or Multi-Factor Authentication, is an additional layer of security that requires a second factor beyond the username and password. In IAM the second factor is a virtual authenticator app (TOTP), a FIDO2 security key or passkey, or a hardware TOTP token; SMS is not an IAM MFA option. MFA is important because it significantly reduces the risk of unauthorized access if a password is compromised, and policies can additionally require it for sensitive actions with the aws:MultiFactorAuthPresent condition key.

How does AWS IAM support federation with external identity providers?

AWS IAM supports identity federation through SAML 2.0 and OpenID Connect (OIDC): users authenticate with an external identity provider such as a corporate directory or a third-party service, then assume an IAM role to obtain temporary credentials for AWS resources, so no separate IAM user is needed for each of them.

What is an identity provider (IdP) and what role does it play in the context of AWS IAM Identity Center?

An IdP is a service that manages digital identities and authenticates users before granting them access to applications and services. In the context of AWS IAM Identity Center, the IdP plays a crucial role by centralizing the login process and providing Single Sign-On access to the AWS Management Console and configured applications.

How does AWS IAM Identity Center simplify the management of permissions for organizations with multiple accounts?

AWS IAM Identity Center simplifies permission management through features like permission sets, which standardize access for users across all AWS accounts in an AWS Organization, and through centralized user access management for multiple AWS accounts and applications.

What logging capabilities does AWS provide to track and audit IAM activity?

AWS offers AWS CloudTrail, which logs all IAM activity such as API calls, console actions, and access events within your AWS environment. These logs can be used for security analysis, resource change tracking, and compliance auditing.
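The following detections, added here as an example and not from the original page or from AWS, show what a first pass over CloudTrail records for IAM abuse looks like: a successful console sign-in without MFA, any root-user activity, an access key created for a different user than the caller, and a burst of AccessDenied errors from one principal. The records are constructed but use the real CloudTrail field names (eventName, userIdentity, additionalEventData.MFAUsed, responseElements.ConsoleLogin, requestParameters.userName, errorCode); the account ID 111111111111, the user names and the threshold of three denied calls are arbitrary choices.

```python
"""IAM-focused detections over CloudTrail records (added example, not AWS code).

The EVENTS below are constructed but use the CloudTrail record field names:
eventName, eventSource, userIdentity, additionalEventData, responseElements,
requestParameters, errorCode.  Rules:
  - console sign-in that succeeded without MFA
  - any activity performed as the root user
  - an access key created for a different user than the caller
  - at least DENIED_THRESHOLD AccessDenied errors from one principal
"""
from collections import Counter

DENIED_THRESHOLD = 3  # arbitrary; tune to the account's normal error rate


def detect(records, denied_threshold=DENIED_THRESHOLD):
    """Return (rule, eventID, detail) findings for the given records."""
    findings = []
    denied = Counter()
    for ev in records:
        ident = ev.get("userIdentity") or {}
        who = ident.get("arn") or ident.get("type")
        eid = ev.get("eventID")
        if ident.get("type") == "Root":
            findings.append(("root-activity", eid, who))
        if (ev.get("eventName") == "ConsoleLogin"
                and (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
                and (ev.get("additionalEventData") or {}).get("MFAUsed") != "Yes"):
            findings.append(("console-login-without-mfa", eid, who))
        if ev.get("eventName") == "CreateAccessKey":
            # requestParameters is JSON null in some records, hence the 'or {}'
            target = (ev.get("requestParameters") or {}).get("userName")
            if target and target != ident.get("userName"):
                findings.append(("access-key-created-for-other-user", eid, f"{who} -> {target}"))
        if ev.get("errorCode") == "AccessDenied":
            denied[who] += 1
    for who, count in denied.items():
        if count >= denied_threshold:
            findings.append(("access-denied-burst", None, f"{who} x{count}"))
    return findings


# --- constructed sample records (account ID 111111111111 and names are made up) ---
def _user(name):
    return {"type": "IAMUser", "userName": name, "arn": f"arn:aws:iam::111111111111:user/{name}"}


ROOT = {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}
EVENTS = [
    {"eventID": "ev-1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": _user("alice"), "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "ev-2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": _user("bob"), "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "ev-3", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": ROOT, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "ev-4", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": _user("alice"), "requestParameters": {"userName": "svc-deploy"}},
    {"eventID": "ev-5", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": _user("bob"), "requestParameters": {"userName": "bob"}},
] + [
    {"eventID": f"ev-{6 + i}", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": _user("carol"), "errorCode": "AccessDenied"}
    for i in range(3)
]

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

In production the same rules would run over the gzipped JSON objects CloudTrail delivers to S3 (each file has a "Records" array) or over CloudWatch Logs, and the AccessDenied counter would be windowed by time rather than computed over the whole batch.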

24 Comments
Clément Fabre
6 months ago

This blog post on AWS IAM and AWS Single Sign-On is really comprehensive. It helps a lot in my preparation for the SAP-C02 exam.

Annabel Fanebust
6 months ago

Thanks for the post! Quick question: how does AWS IAM differ from AWS Single Sign-On?

فاطمه زهرا نكو نظر

Great explanation of the role-based access control in AWS IAM.

Chiara Faure
6 months ago

I still feel confused about when to use IAM policies versus SAML for AWS SSO integrations.

Yvan Fransen
5 months ago

Your section on permission boundaries clarified a lot for me. Thanks!

Raphael Egas
5 months ago

For AWS Certified Solutions Architect – Professional exam, how deep do I need to go into AWS IAM and Single Sign-On?

Ege Akışık
6 months ago

Your examples on creating IAM roles with trusted entities were spot on!

Chiara Faure
5 months ago

The blog was helpful, but a bit more detail on AWS SSO configuration would be great.
