AWS-Day8-Assignment
What is CloudTrail in AWS. Why is it used?
Ans:
AWS CloudTrail is a service provided by Amazon Web Services (AWS) that enables governance, compliance, operational auditing, and risk auditing of your AWS account. CloudTrail records API calls and related events for your AWS account, delivering a log of activities that have occurred within your AWS infrastructure.
Who should use CloudTrail?
Use CloudTrail if you need to audit activity, monitor security, or troubleshoot operational issues.
What’s AWS IAM, and why is it used?
Ans:
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can centrally manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
IAM roles are of 4 types, primarily differentiated by who or what can assume the role:
Service Role
Service-Linked Role
Role for Cross-Account Access
Role for Identity Provider Access
Why use IAM?
Use IAM to manage and scale workload and workforce access securely, supporting your agility and innovation in AWS.
What are the key capabilities provided by AWS IAM?
Ans:
Features of IAM:
To review, here are some of the main features of IAM:
Shared access to the AWS account. The main feature of IAM is that it allows you to create separate usernames and passwords for individual users or resources and delegate access.
Granular permissions. Restrictions can be applied to requests. For example, you can allow the user to download information, but deny the user the ability to update information through the policies.
Multifactor authentication (MFA). IAM supports MFA, in which users provide their username and password plus a one-time password from their phone—a randomly generated number used as an additional authentication factor.
Identity Federation. If the user is already authenticated, such as through a Facebook or Google account, IAM can be made to trust that authentication method and then allow access based on it. This can also be used to allow users to maintain just one password for both on-premises and cloud environment work.
Free to use. There is no additional charge for IAM security. There is no additional charge for creating additional users, groups or policies.
PCI DSS compliance. The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from major card schemes. IAM complies with this standard.
Password policy. The IAM password policy allows you to reset a password or rotate passwords remotely. You can also set rules, such as how a user should pick a password or how many attempts a user may make to provide a password before being denied access.
What are the different identities provided by IAM?
Ans:
IAM Identities:
An IAM identity represents a user, a user group or a role, and can be authenticated and then authorized to perform actions in AWS. An IAM identity can be associated with one or more policies.
🧐 Policy is an object that, when associated with a user, user group or role, defines their permissions.
🧐 IAM Users
AWS IAM User is an entity that you create in the AWS account to represent the person that uses it to interact with AWS. It allows the account holder (user) to execute certain tasks in AWS. A user is made up of a name, password for the AWS Management Console and access keys to use with the API or CLI.
🧐 IAM User groups
The User group is a collection of IAM users. It lets you assign permissions for multiple users, which can make it easier to manage the permissions for those users. So, the users that require the same permissions can be grouped together. A user group can contain many users, and these users can also belong to multiple user groups. Changes made to a group are reflected to all users within that group.
🧐 IAM Roles
"An IAM role is an IAM identity that you can create in your account that has specific permissions." It is not uniquely associated with a single person; it can be used by anyone who needs it. A role does not have any security credentials of its own, i.e., no username, password or access keys. It can be used to grant access to AWS resources to services, IAM users, third parties, federated users, etc.
What are the AWS account root user and admin user?
Ans:
AWS Account Root User:
The AWS account root user is the initial user account created when you sign up for an AWS account. This user has complete and unrestricted access to all AWS resources and services associated with the account.
Key characteristics of the root user:
It has full administrative privileges, including the ability to create, modify, or delete IAM users, roles, and policies.
It can access and manage all AWS resources in the account, create and manage billing information, and change the account's root user email address and password.
The root user credentials consist of an email address and password, and they should be protected and secured like any other critical credentials.
It's recommended not to use the root user for day-to-day tasks but instead to create IAM users with appropriate permissions.
IAM Admin User (Administrator):
An IAM admin user is an IAM user with administrative privileges within an AWS account. This user can have the right to perform nearly all actions in AWS, but it's not the root user.
Key characteristics of an IAM admin user:
It is created within the AWS account as an IAM user and does not have the same level of unrestricted access as the root user.
The permissions of an IAM admin user are defined by IAM policies attached to the user. You can grant administrative permissions by attaching the AWS-managed policy "AdministratorAccess" or custom policies with similar permissions.
An IAM admin user does not have the ability to modify billing information, change the root user email address, or perform actions outside the permissions defined in their policies.
It's a best practice to use IAM admin users for day-to-day management and operations within AWS accounts, as they offer better security and accountability compared to the root user.
In summary, the root user is the highest-level AWS account owner with unrestricted access, while an IAM admin user is a separate IAM user with administrative privileges within an AWS account. It's advisable to use IAM users with the necessary permissions and apply the principle of least privilege to minimize risks and improve security in AWS environments. The root user should be reserved for account-level tasks and emergency access only.
What are some best practices for managing access to AWS resources?
Ans:
Managing access to AWS resources is a critical aspect of ensuring the security and compliance of your AWS environment. Here are some best practices for managing access effectively:
Implement the Principle of Least Privilege (PoLP):
- Only grant permissions that are necessary for users, roles, or services to perform their specific tasks. Avoid granting excessive permissions.
Use IAM Roles for EC2 Instances and AWS Services:
- Instead of using long-term access keys for EC2 instances or AWS services, assign IAM roles to instances and services. Roles provide temporary credentials and improve security.
Regularly Review and Audit Permissions:
- Periodically review IAM policies and permissions to ensure they are up to date and aligned with business needs. Use IAM Access Analyzer to help identify over-permissive policies.
Enable Multi-Factor Authentication (MFA):
- Require MFA for privileged IAM users. MFA adds an extra layer of security to user authentication.
Use IAM Groups:
- Group IAM users with similar access requirements together and apply policies to groups. This simplifies access management, especially in larger organizations.
Avoid Hardcoding Credentials:
- Avoid hardcoding AWS credentials (e.g., access keys) in application code. Instead, use IAM roles or AWS Secrets Manager to securely manage credentials.
Implement Strong Password Policies:
- Enforce password policies for IAM users, including complexity requirements and password rotation.
Regularly Rotate Access Keys:
- Periodically rotate access keys for IAM users and automate key rotation where possible. AWS Secrets Manager can help with this.
Use AWS Identity Federation:
- Integrate with identity providers (e.g., Active Directory, SAML, OpenID Connect) to federate identity management and provide single sign-on (SSO) capabilities.
Monitor and Log Access Activity:
- Enable AWS CloudTrail to capture API activity and AWS Config to monitor resource configuration changes. Use AWS CloudWatch for alerting on suspicious activity.
Apply Resource-Based Policies Carefully:
- When using resource-based policies (e.g., S3 bucket policies), be cautious and follow the principle of least privilege. Avoid making resources publicly accessible unless necessary.
Regularly Rotate and Monitor Secrets:
- For managing sensitive information, use AWS Secrets Manager to securely store and rotate secrets (e.g., database credentials) and set up automatic rotation where applicable.
Enable AWS Organizations:
- If you have multiple AWS accounts, use AWS Organizations to centralize billing and apply Service Control Policies (SCPs) for cross-account access controls.
Test Permissions and Policies:
- Use IAM Policy Simulator to test how policies work and to verify that permissions are correctly set up before applying them in production.
Educate Users and Administrators:
- Provide training and documentation to IAM users and administrators to ensure they understand best practices and security policies.
Implement IAM Password Policies for Root Account:
- Ensure the AWS root account has strong password policies in place and consider not using the root account for routine tasks.
Automate Security and Compliance Checks:
- Use AWS Config Rules, AWS Trusted Advisor, and third-party tools to automate security and compliance checks, and remediate issues automatically.
By following these best practices, you can enhance the security and manageability of your AWS resources while minimizing the risk of security breaches and compliance violations. It's essential to continuously assess and improve your access management strategy as your AWS environment evolves.
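CloudTrail's value for the "Monitor and Log Access Activity" practice above (and for the earlier point that the root user should not be used day to day) is that its records can be scanned mechanically. The following is an added example, not part of the assignment: it reads a constructed CloudTrail log file (the field names are CloudTrail's; the records, account ID and IP address are made up) and flags root activity, console logins without MFA, and IAM permission changes.

```python
import json

# Constructed sample in CloudTrail's log-file shape ({"Records": [...]}); field names are
# CloudTrail's, but the records, account ID and IP address are made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-10T08:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/user-1"},
     "requestParameters": {"userName": "user-2",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-10T08:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/user-1"}},
    {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/user-1"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})

# IAM write calls that change who can do what; each deserves an alert in most accounts.
PERMISSION_CHANGE_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                            "PutRolePolicy", "CreatePolicyVersion", "CreateAccessKey"}

def scan_cloudtrail(log_text):
    """Return (rule, eventName, actor ARN, eventTime) for every record that trips a rule."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity", {})
        name = rec.get("eventName", "")
        base = (name, ident.get("arn", "unknown"), rec.get("eventTime"))
        if ident.get("type") == "Root":             # root is for account-level tasks only
            findings.append(("ROOT_ACTIVITY",) + base)
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(("CONSOLE_LOGIN_WITHOUT_MFA",) + base)
        if rec.get("eventSource") == "iam.amazonaws.com" and name in PERMISSION_CHANGE_EVENTS:
            findings.append(("IAM_PERMISSION_CHANGE",) + base)
    return findings

if __name__ == "__main__":
    for finding in scan_cloudtrail(SAMPLE_LOG):
        print(*finding)
```

In a real account the same rules would run over files delivered to the CloudTrail S3 bucket or over CloudWatch Logs events, which is where the "alerting on suspicious activity" above comes from.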
What are the key elements in the JSON schema of a policy?
Ans:
The JSON schema of an AWS Identity and Access Management (IAM) policy contains several key elements that define permissions and access control rules. Here are the primary components of an IAM policy in JSON format:
Version (Optional):
- Specifies the version of the IAM policy language. For example, "Version": "2012-10-17" is the most commonly used version.
Statement (Required, Array):
- Contains one or more statements; each statement defines a set of permissions.
Each statement has the following key elements:
Effect (Required):
- Specifies whether the statement allows or denies access. It can have the value "Allow" or "Deny".
Action (Required, Array or String):
- Lists the specific AWS actions (API operations) that are allowed or denied. For example, "s3:GetObject" or "ec2:DescribeInstances". It can be a single action or an array of actions.
Resource (Required, Array or String):
- Specifies the AWS resources to which the actions apply, using Amazon Resource Names (ARNs). For example, an S3 bucket ARN or an IAM user ARN. It can be a single resource or an array of resources.
Condition (Optional):
- Provides additional conditions that must be met for the policy statement to apply. Conditions are expressed as a set of key-value pairs.
Here's a simplified example of an IAM policy JSON schema with one statement:
What are AWS policies?
Ans:
In Amazon Web Services (AWS), policies are documents that define permissions and access control rules for AWS resources. AWS policies are used with AWS Identity and Access Management (IAM) to specify who has access to specific resources and what actions they can perform on those resources. Policies are a crucial component of AWS security and governance, allowing organizations to control and manage access to AWS services and resources.
Policy Types:
Identity-Based Policies: These are attached to IAM users, groups, or roles to manage access for individual users or groups of users.
Resource-Based Policies: These are attached directly to AWS resources like S3 buckets, Lambda functions, and SNS topics, allowing you to control access to the resource itself.
Service Control Policies (SCP): These are used in AWS Organizations to set fine-grained permissions and restrictions across multiple AWS accounts in an organization.
Permission Boundaries: These are used in IAM to set the maximum permissions that can be granted to IAM entities (users or roles).
What is AWS IAM Role, IAM User and IAM Policy?
Ans:
In Amazon Web Services (AWS), IAM (Identity and Access Management) plays a critical role in controlling access to AWS resources. IAM consists of several key components, including IAM roles, IAM users, and IAM policies, which serve different purposes in managing access to AWS services and resources:
IAM User:
An IAM user represents an individual or entity that interacts with AWS services. Users can be human users (employees or administrators) or applications or services running on servers.
Each user has a unique set of security credentials (Access Key ID and Secret Access Key) that they use to authenticate themselves when interacting with AWS services programmatically or through the AWS Management Console.
IAM users are typically associated with IAM policies to grant them specific permissions to perform actions on AWS resources.
IAM Role:
An IAM role is similar to a user but is not associated with a specific individual or service account. Instead, roles are assumed by entities (such as AWS services or EC2 instances) to obtain temporary security credentials.
IAM roles are often used to grant permissions to AWS services or resources in a secure and controlled manner. For example, an EC2 instance can assume an IAM role to access S3 buckets or other AWS resources without using long-term access keys.
Roles can have policies attached to them, specifying what actions and resources can be accessed when the role is assumed.
Roles can also be used for cross-account access, allowing entities in one AWS account to assume roles in another account.
IAM Policy:
An IAM policy is a JSON document that defines permissions and access control rules. It specifies what actions are allowed or denied and on which AWS resources.
Policies can be attached to IAM users, groups, and roles, or directly to AWS resources (resource-based policies).
Policies have statements that determine the "Effect" (either "Allow" or "Deny"), the "Action" (specific AWS operations), and the "Resource" (the AWS resource affected by the policy).
Policies can also include optional conditions that further refine when the policy is applicable.
AWS provides managed policies, which are predefined policies for common use cases, and custom policies that you can create and tailor to your specific requirements.
In summary:
IAM User represents an entity with long-term credentials (Access Key ID and Secret Access Key).
IAM Role is used to delegate permissions and can be assumed by AWS services or entities, providing temporary security credentials.
IAM Policy defines permissions and is attached to users, roles, or resources to specify what actions are allowed or denied on AWS resources.
Together, IAM users, roles, and policies form the foundation of AWS identity and access management, allowing you to control and secure access to your AWS resources, following the principle of least privilege to ensure security and compliance.
What happens with the below Policy?
{
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"],
    "Resource": ["arn:aws:s3:::my_bucket/", "arn:aws:s3:::my_bucket"]
  }],
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListAllMyBuckets"],
    "Resource": "",
    "Condition": {}
  }]
}
Ans:
The provided text is a JSON representation of an AWS Identity and Access Management (IAM) policy. This policy defines permissions for actions related to Amazon S3 (Simple Storage Service) buckets and objects.
The "Effect" is set to "Allow," meaning that the specified actions are allowed.
The "Action" field lists the actions that are allowed for the specified resources.
The "Resource" field lists the ARNs (Amazon Resource Names) of the S3 bucket and objects to which these permissions apply. It allows listing the bucket, getting objects from the bucket, and listing all S3 buckets.
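As an added example that is not part of the assignment, the following Python checks a policy document against the key elements listed in the JSON-schema answer above and runs it over the questioned policy. The detail worth knowing is that a JSON parser such as Python's json.loads keeps only the last of two duplicate "Statement" keys, so the first statement would silently vanish; the hook below reports the duplicate and merges both statement lists so every statement gets checked. SIMPLE_POLICY is a constructed, well-formed one-statement policy of the kind the schema answer describes (the bucket name is made up).

```python
import json
# The questioned policy, copied from the page as raw text so that its duplicate
# "Statement" keys survive (json.loads alone would silently keep only the last one).
QUESTIONED_POLICY = '''{
 "Statement":[{"Effect":"Allow",
   "Action":["s3:ListBucket","s3:GetObject","s3:GetObjectVersion"],
   "Resource":["arn:aws:s3:::my_bucket/","arn:aws:s3:::my_bucket"]}],
 "Statement":[{"Effect":"Allow","Action":["s3:ListAllMyBuckets"],
   "Resource":"","Condition": {}}]
}'''
# Constructed well-formed one-statement policy (assumed bucket name).
SIMPLE_POLICY = '''{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/*"}]}'''

def _as_list(v):
    return v if isinstance(v, list) else [v]

def parse_policy(text):
    """json.loads with a hook that records duplicate keys and merges duplicate "Statement" arrays."""
    dupes = []
    def hook(pairs):
        obj = {}
        for k, v in pairs:
            if k in obj:
                dupes.append(k)
                if k == "Statement":          # keep both lists instead of dropping the first
                    v = _as_list(obj[k]) + _as_list(v)
            obj[k] = v
        return obj
    return json.loads(text, object_pairs_hook=hook), dupes

def lint_policy(text):
    """Return problem strings for Version/Effect/Action/Resource/Condition; [] means clean."""
    doc, dupes = parse_policy(text)
    problems = [f'duplicate key "{k}"' for k in dupes]
    if "Version" not in doc:
        problems.append('missing "Version" (expected "2012-10-17")')
    for i, s in enumerate(_as_list(doc.get("Statement", []))):
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f'statement {i}: Effect must be "Allow" or "Deny"')
        for key in ("Action", "Resource"):
            vals = _as_list(s.get(key))            # None, "" or [""] all count as empty
            if not vals or not all(vals):
                problems.append(f'statement {i}: "{key}" is missing or empty')
        for r in _as_list(s.get("Resource")):
            if isinstance(r, str) and r.endswith("/"):   # ARNs match literally: no wildcard, no objects
                problems.append(f'statement {i}: "{r}" matches no objects; use "{r}*"')
        if "Condition" in s and not s["Condition"]:
            problems.append(f'statement {i}: empty "Condition" block')
    return problems
```

Running lint_policy(QUESTIONED_POLICY) reports the duplicate "Statement" key, the missing "Version", the object ARN without a trailing "*", the empty "Resource" and the empty "Condition", while lint_policy(SIMPLE_POLICY) returns an empty list.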
Create a user-1 in Account#1 and a user-2 in Account-2. Connect to Account-2 using user-1 by assuming the role.