AWS IAM
From Cramsession
Author: Mflavell
Latest revision as of 16:35, 9 February 2026
IAM Introduction
- Policies are rule books.
- They define which actions are allowed and denied on resources.
IAM supports MFA and federation.
Common terms:
- Resources - Something inside the AWS account.
- Entities - Can be an IAM user or a federated user.
- Identities - Used to identify who is doing something. These are users, groups and roles.
IAM Authentication Methods
- Username and Password
- Access key and secret key
- Session token
Best Practices
- Humans should access AWS using an IDP - provides access with temporary credentials.
- Workloads use temporary credentials
- Require MFA
- Don't use root credentials for everyday tasks.
- Apply least privilege.
- Use AWS managed policies when possible.
- Use AWS access manager to generate least privilege policies.
- Perform a regular review of IAM.
- Use conditions to restrict access.
- Set permission guardrails.
- Use permission boundaries.
Root account
- Risks often arise from root account credentials.
- Improper storage of credentials (e.g. in a text file).
- Once exfiltrated, the person holding the credentials has full access.
- It is best not to use the root account for daily activities.
- Create another account that has admin rights.
Users, groups and roles
- Users - Individual identities.
- Roles - Provide temporary permissions.
  - Useful for temporary access to services.
- Groups - Logical collections of users.
  - Simplify permission management.
Security Token Service
This is a trusted intermediary that issues temporary security credentials.
- Allows the implementation of least privilege.
- Credentials can expire after a set period.
- Can integrate with external IDPs.
- Scales easily.
IAM Identity Center
This simplifies permissions across multiple AWS accounts.
- AWS apps can seamlessly integrate into Identity Center.
- Creates an SSO experience.
Mitigation of issues
- Create a policy to rotate keys every 90 days.
  - Two sets of keys can be assigned per user.
  - This allows for overlap - the old key stays usable for a short period while the new one is rolled out.
- Use git-secrets.
  - Prevents secret access keys from being added to code.
  - Secrets are flagged before being pushed to the git repo.
  - Enables the developer to remove the secret from the code and store it in AWS Secrets Manager instead.
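The rotation, MFA and root-account controls above can be checked from the IAM credential report. The script below is an added example, not part of these notes or of any AWS tool: it parses a constructed sample report (a subset of the real report's columns, with a fixed audit date) and flags access keys older than 90 days, console users without MFA, and any active access key on the root user.

```python
"""Audit an IAM credential report for the controls the notes list: keys older
than 90 days, console users without MFA, and access keys on the root user."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # rotation interval from the notes
AUDIT_TIME = datetime(2026, 2, 9, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed sample using a subset of the IAM credential report columns
# (the real report comes from `aws iam get-credential-report`).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,true,2026-01-10T09:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2024-03-01T00:00:00+00:00,true,2026-02-01T08:00:00+00:00,2025-12-01T00:00:00+00:00,N/A,false,true,2025-10-01T00:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2024-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2026-01-20T00:00:00+00:00,true,2025-09-15T00:00:00+00:00
"""

def _parse(ts):
    """Return an aware datetime, or None for N/A, not_supported, no_information."""
    try:
        return datetime.fromisoformat(ts)
    except ValueError:
        return None

def audit_credential_report(report_csv, now=AUDIT_TIME, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) tuples for the weaknesses the notes describe."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should carry no access keys at all, whatever their age.
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root access key {n} is active"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_age_days):
                age = (now - rotated).days
                findings.append((user, f"access key {n} is {age} days old (limit {max_age_days})"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

A user with two active keys (ci-deploy here) is the overlap case from the notes: only the stale key is reported, so the freshly issued one can take over before the old one is deactivated.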