Skip to main content

IAM & AWS CLI

info

These were the topics I created flashcards for (Remnote) and would revise them using spaced repetition. The formatting is an export from Remnote.

  • IAM is a service at the {{global}} level
  • Root account
    • best practice: dont use root account, create user account and use that.
  • Groups
    • can only hold users, not {{other groups}}
    • users can be member of >1 group
    • easier to apply policies
  • Policies
    • helps with "least privilege" by granular control of permission
    • are in {{JSON}} format
    • structure โ†“
      • version
      • id (optional)
      • statement
        • SID
        • effect: allow / deny
        • principal: who?
        • resource: objects
    • in-line policyโ€•attached to single user
  • Password Policy
    • minimum length
    • character types (symbols, alphanumeric)
    • time between changes
    • reuse
  • MFA
    • something you know (password) + something you own (yubikey)
    • options โ†“
      • vMFA e.g. Google Authenticator, Authy
      • U2F - Universal Second Factor e.g. Yubikey
      • Hardware Key Fob
      • GovCloud Hardware Key Fob
  • Access to AWS Services
    • AWS Management Console (password + MFA)
    • AWS CLI (Access Keys)
      • Key ID ~ username
      • Secret ~ password
    • AWS SDK (Access Keys)
      • programmatic access to AWS Services
  • IAM Roles for Services
    • machine service accounts
    • attach policies
  • IAM Security Tools (Audit) โ†“
    • IAM Credentials Report (account-level)
    • IAM Access Advisor (user-level)
  • IAM Best Practice โ†“
    • root ~ only use for AWS Setup
    • one person = one AWS user
    • strong password policy
    • MFA
    • Access Keys for Programmatic access (CLI & SDK)
    • never share keys.