Security and Compliance – SOA-C02 Study Guide

This chapter covers the following official AWS Certified SysOps Administrator – Associate (SOA-C02) exam domain:

Domain 4: Security and Compliance

(For more information on the official AWS Certified SysOps Administrator – Associate [SOA-C02] exam topics, see the Introduction.)

Managing the security of your AWS account is critical to avoiding a compromised environment. In this chapter, you learn how to manage AWS accounts, including user accounts, group accounts, and roles. You also explore policies to ensure your accounts have the right access to AWS services and resources.

Key topics such as access keys, MFA, and security best practices are also covered in this chapter. Finally, you learn how to use AWS Trusted Advisor to find security issues in your AWS account.

Account Management

This section covers the following official AWS Certified SysOps Administrator – Associate (SOA-C02) exam topics for Domain 4: Security and Compliance:

4.1 Implement and manage security and compliance policies

4.2 Implement data and infrastructure protection strategies

CramSaver

If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.

1. You have an application hosted on an EC2 instance that needs access to other resources in your AWS account. What IAM feature can you use to provide this access?

2. What is the minimum password length set by the default IAM password policy in an AWS account?

Answers

1. Answer: A role.

2. Answer: Eight characters.

IAM Essentials

Part of managing accounts on AWS is having a strong understanding of the different identity types provided by AWS Identity and Access Management (IAM): users, groups, and roles. You should understand these identity types and know which one to use in any given situation.

You also should be aware of other IAM components, such as policies, providers, and settings, which you can see on the IAM page shown in Figure 9.1.

FIGURE 9.1 IAM components

IAM Users

User accounts provide access to AWS resources and services. When you first access your AWS account, you use the root user account. This account has full access to perform all operations within the AWS account, and its access cannot be restricted by IAM policies. For that reason, you should use the root user only for the few tasks that require it, protect it with MFA, and create IAM users for day-to-day work.

Not all individuals should have full access to all AWS operations. When you create an IAM user account, limit its permissions to the functions that the user actually needs to perform.

When you’re creating IAM user accounts, the Add User Wizard prompts you to provide information about the new account, including the following key user account attributes:

AWS credential type: If your user will use the AWS Management Console only to perform tasks, select Password – AWS Management Console Access. If the user will access AWS via application programming interfaces (APIs), the command-line interface (CLI), a software development kit (SDK), or another development tool, select Access Key – Programmatic Access to generate an access key ID and secret access key. Access keys are long-lived credentials, so create them only when programmatic access is actually required.

Permissions: This attribute determines what actions the IAM user can take. You can grant permissions by adding the user to a group, by copying the permissions of an existing user, or by attaching policies directly to the user.

Tags: IAM user accounts can be treated like other AWS resources in that you can apply tags to them. This way, you can find and manage users that share a tag, which makes administering user accounts easier.
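The two ideas above that matter most in practice are giving an EC2 instance access through a role rather than embedding a user's access keys (the answer to CramSaver question 1) and keeping each identity's permissions limited to what it needs. The following Python example is added here to illustrate both; it is not code from the study guide or from AWS. It constructs an EC2 role trust policy and two permissions policies inline (the bucket name example-app-bucket is a placeholder) and runs a small least-privilege check that flags Allow statements with a wildcard action or resource, so it runs offline without touching a real account.

```python
import json

# Trust policy that lets EC2 instances assume a role. Attaching this role to
# an instance (via an instance profile) is how an application on EC2 gets
# access to other resources without storing access keys on the instance.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Least-privilege permissions policy: read-only access to one bucket.
# The bucket name is a placeholder chosen for this example.
APP_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListAppBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-app-bucket",
        },
        {
            "Sid": "ReadAppObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/*",
        },
    ],
}

# Deliberately over-broad policy, constructed here for comparison.
ADMIN_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts either a string or a list of strings in Action,
    Resource and Principal fields; normalise both to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return the Sids (or positional names) of Allow statements that grant
    a wildcard action ("*" or "service:*") or a wildcard resource ("*").
    Deny statements are skipped: a wildcard in a Deny narrows access."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        wildcard_resource = any(r == "*" for r in resources)
        if wildcard_action or wildcard_resource:
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


def trusted_services(trust_policy):
    """Return the AWS service principals that a trust policy allows to
    assume the role, so you can confirm only EC2 (not, say, any account
    principal) is trusted before creating the role."""
    services = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services.extend(_as_list(principal.get("Service")))
    return services


if __name__ == "__main__":
    # The trust document printed here is what you would pass to
    # "aws iam create-role --assume-role-policy-document file://trust.json".
    print(json.dumps(EC2_TRUST_POLICY, indent=2))
    print("Role trusted by:", trusted_services(EC2_TRUST_POLICY))
    print("App policy findings:", find_overbroad_statements(APP_BUCKET_POLICY))
    print("Admin-style findings:", find_overbroad_statements(ADMIN_STYLE_POLICY))
```

Running the script reports no findings for the bucket policy and flags the single statement of the admin-style policy. The same check can be pointed at any policy document you are about to attach to a user, group, or role, which is a quick way to catch a permission set that is broader than the function it is meant to support.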