Chapter 6: AWS Identity and Access Management (IAM)

Chapter 6: AWS Identity and Access Management (IAM)

1. B, C. Programmatic access is authenticated with an access key, not with user names/passwords. IAM roles provide a temporary security token to an application using an SDK.

• AWS对外提供的云服务api访问模式是通过AK来访问的；
• AWS可以通过赋予角色的EC2集成sdk调用

2. A, C. IAM policies are independent of region, so no region is specified in the policy. IAM policies are about authorization for an already-authenticated principal, so no password is needed.

• IAM policies是独立于region的，所以不需要指定region。
• IAM policies是一个原则授权的规则，所以不需要密码。
• IAM policies是要体现服务名称和相关可操作的动作的；

3. A, B, C, E. Locking down your root user and all accounts to which the administrator had access is the key here. Deleting all IAM accounts is not necessary, and it would cause great disruption to your operations. Amazon EC2 roles use temporary security tokens, so relaunching Amazon EC2 instances is not necessary.

• EC2用的是role这种临时安全tokens，重启EC2解决不了安全问题；
• 当主管离职了，改变管理员账号密码，加上mfa多重身份认证，让IAM用户重置密码、删除管理员的私人iam账户，同时将服务器的root访问区域限定IP（限定不了管理账号的访问区域哦）

4. B, D. IAM controls access to AWS resources only. Installing ASP.NET will require Windows operating system authorization, and querying an Oracle database will require Oracle authorization.

• IAM是控制aws资源的访问权限，启动EC2和调用SQS是对AWS资源的调用；
• 安装asp.net需要有操作系统权限，而查询oracle是需要oracle数据库的查询权限，与aws无关；

5. A, C. Amazon DynamoDB global secondary indexes are a performance feature of Amazon DynamoDB; Consolidated Billing is an accounting feature allowing all bills to roll up under a single account. While both are very valuable features, neither is a security feature.

• IAM的安全特权包括了 密码的设置策略，MFA多重身份认证策略；

6. B, C. Amazon EC2 roles must still be assigned a policy. Integration with Active Directory involves integration between Active Directory and IAM via SAML.

• EC2 ROLE还是需要创建访问的policy
• EC2 role只解决了授信证书不需要存储在EC2上，不需要重置IAM账户的key了

7. A, D. Amazon EC2 roles provide a temporary token to applications running on the instance; federation maps policies to identities from other sources via temporary tokens.

• tokens被用于EC2 role和联盟登陆

8. A, C, D. Neither B nor E are features supported by IAM.

• 增加账户安全性的策略 MFA、密码设置策略、限定用户的访问网络来自于公司；
• 官方：定义在哪些情况下您的 IAM 策略将允许访问资源。例如，您可编写条件来指定请求必须来自允许的 IP 地址范围。您还可以指定只允许在指定日期或时间范围内的请求。您还可设置一些条件，如要求使用 SSL 或 MFA (Multi-Factor Authentication)。例如，您可要求用户使用 MFA 设备进行身份验证，这样才允许其终止某一 Amazon EC2 实例。

9. B, C. Access requires an appropriate policy associated with a principal. Response A is merely a policy with no principal, and response D is not a principal as IAM groups do not have user names and passwords. Response B is the best solution; response C will also
   work but it is much harder to manage.

• 一般让员工管理EC2实例都是创建一个policy，然后创建一个指定policy的组，将员工账户纳入组中。或者创建一个policy，一个个的授权给员工账户

10. C. An IAM policy is a JSON document.

• IAM policy是通过json方式描述的；

知识点总结

• Know the different principals in IAM. The three principals that can authenticate and interact with AWS resources are the root user, IAM users, and roles. The root user is associated with the actual AWS account and cannot be restricted in any way. IAM users are persistent identities that can be controlled through IAM. Roles allow people or processes the ability to operate temporarily with a different identity. People or processes assume a role by being granted a temporary security token that will expire after a specified period of time.

• 了解IAM的不同规范。有三种规范可以用来鉴权或者与AWS的resource进行交互：root用户、IAM users 和角色。

• root user：root用户是与AWS的实际账户绑定，没有办法从任何角度进行限制。

• IAM users：被持久化的身份，可以通过IAM进行控制；

• Roles：允许人或者流程具备临时操作权限的的一种身份。人或者流程假定角色被赋予了一个临时的安全令牌，并在一定的时间后过期；

• Know how principals are authenticated in IAM. When you log in to the AWS Management Console as an IAM user or root user, you use a user name/password combination. A program that accesses the API with an IAM user or root user uses a two-part access key. A temporary security token authenticates with an access key plus an additional session token unique to that temporary security token.

• 了解IAM的验证规范。当你登录到AWS的管理控制台作为一个IAM user或者一个root user，你可以是使用name/password来组合验证。

• 一个访问API的程序，可以通过一个IAM user或者root users使用一个两段的access key完成。

• 一个临时的安全认证，可以通过一个access key+一个session token进行唯一性验证；

• Know the parts of a policy. A policy is a JSON document that defines one or more permissions to interact with AWS resources. Each permission includes the effect, service, action, and resource. It may also include one or more conditions. AWS makes many
  predefined policies available as managed policies.

• 了解策略的组成部分。一个策略是一个JSON文档，定义了一个或者多个与AWS 服务交互的权限。每个权限包括 effect、service、action、resource。他也许只包括一个或者多个条件。AWS 提供了很多预先定义好的可用策略作为管理策略；

• Know how a policy is associated with a principal. An authenticated principal is associated with zero to many policies. For an IAM user, these policies may be attached directly to the user account or attached to an IAM group of which the user account is a member. A temporary security token is associated with policies by assuming an IAM role.

• 了解一个策略是如何与规约关联的。一个鉴权的规约可以与0-N个策略关联。对于一个IAM user ，这些策略也许可以直接与user account或者IAM group进行关联。

• 一个临时的安全证书可以通过IAM ROLE 与策略关联；

• Understand MFA. MFA increases the security of an AWS account by augmenting the password (something you know) with a rotating OTP from a small device (something you have), ensuring that anyone authenticating the account has both knowledge of the password and possession of the device. AWS supports both Gemalto hardware MFA devices and a number of virtual MFA apps.

• 理解MFA。MFA增加了AWS账户的安全性，通过一个你的设备显示临时密码来增强密码，保证任何想通过账户鉴权的人必须知道密码，同时拥有设备。AWS提供了Gemalto硬件和MFA设备和大量的虚拟MFA apps。

• Understand key rotation. To protect your AWS infrastructure, access keys should be rotated regularly. AWS allows two access keys to be valid simultaneously to make the rotation process straightforward: Generate a new access key, configure your application to use the new access key, test, disable the original access key, test, delete the original access key, and test again.

• 理解key循环。为了保护你的AWS架构，ak应该周期性的改变。AWS允许两个AK在AK重置的时候同时有效。

• AK重置流程如下：生成一个新的AK，配置你的应用使用新的AK，测试，将原来的AK disable，测试，删除原来的ak，重新测试；

• Understand IAM roles and federation. IAM roles are prepackaged sets of permissions that have no credentials. Principals can assume a role and then use the associated permissions. When a temporary security token is created, it assumes a role that defines the permissions assigned to the token. When an Amazon EC2 instance is associated with an IAM role, SDK calls acquire a temporary security token based on the role associated with the instance and use that token to access AWS resources. Roles are the basis for federating external IdPs with AWS. You configure an IAM IdP to interact with the external IdP, the authenticated identity from the IdP is mapped to a role, and a temporary security token is returned that has assumed that role. AWS supports both SAML and OIDC IdPs.

• 理解IAM ROLES和联邦。IAM ROLE是一个预制了一系列的权限，同时不做授权。Principals可以设定一个角色，同时将其与权限关联。当一个临时的安全token被创建，他假定一个被定义权限的角色被赋予token。当一个EC2 instance与一个IAM role关联，SDK可以调用一个临时的安全token（已经关联了IAM ROLE），EC2可以使用这个token访问AWS的资源。

• 角色是外部联盟IdPs的基础。你可以配置一个IAM IdP 去与外部的IdP交互，这个IdP身份在验证被映射到角色，同时一个临时的安全toke（被赋予role）被返回。AWS支持saml和OIDC idPs。

• Know how to resolve conflicting permissions. Resolving multiple permissions is relatively straightforward. If an action on a resource has not been explicitly allowed by a policy, it is denied. If two policies contradict each other; that is, if one policy allows an action on a resource and another policy denies that action, the action is denied. While this sounds improbable, it may occur due to scope differences in a policy. One policy may expose an entire fleet of Amazon EC2 instances, and a second policy may explicitly lock down one particular instance.

• 了解如何解决权限冲突问题。解析多个权限相对直接。

• 如果action对于一个资源没有显式的声明，他会被拒绝。

• 如果两个彼此冲突，一个策略是允许对资源操作，另外一个不允许，那么就是不允许。

• 上述动作很可能发生，当一个policy暴露一系列EC2 instances，同时另外一个policy也许只是显式的锁定一个特别的insance。