AWS Identity and Access Management (IAM) is used to define and control who can access which resources in an AWS environment. IAM concepts and how they provide security controls are a key part of the exam. Here are some key concepts:
Every new AWS account comes with a root user that has full access to all AWS services and all the resources in the account. As a best practice, it is recommended to do the following:
An IAM user is an entity designed to be associated with a single individual or application. It is used to allow access to AWS resources either through the AWS Management Console (providing a username and password) and/or programmatically (using an access key and a secret access key) from the command-line interface (CLI) or one of the AWS software development kits (SDKs). IAM users are given permissions either by being directly assigned IAM policies or by being assigned to an IAM user group.
MFA
The security of IAM users can be enhanced by enabling MFA. Users then must provide two forms of authentication. The first is identity credentials such as username/password or access key/secret access key. The second form takes the shape of a temporary six-digit numeric code. This can be provided by a hardware device, an application on a mobile device such as a smartphone or tablet, or sent by AWS to a mobile device as an SMS.
An IAM user group is a collection of IAM users. It cannot be used to access AWS services directly. Its main purpose—other than grouping related users together—is to assign the same permissions to all the users in the group.
Instead of granting permissions individually to users, it is recommended that you give permissions to a group, and then you add the users who need these permissions to the group. When a user should no longer have the permissions granted to the group, you simply remove them from the group. Managing permissions for users then becomes a lot easier.
As an example, think of a group representing a company’s software developers and another group representing its system administrators. Because each user in a group automatically inherits the permissions assigned to the group, it then becomes easier for an AWS administrator to maintain the permissions required by each group member (software developers or system admins, in the given example) at a group level rather than individually at a user level.
An IAM user can be assigned to multiple IAM user groups, in which case it inherits the permissions of all the user groups it is a member of.
Acedexam Training Policies
Learning resources
Other resources
Our Training Providers
