Chapter 6: AWS Identity and Access Management (IAM)
- B, C. Programmatic access is authenticated with an access key, not with user names/passwords. IAM roles provide a temporary security token to an application using an SDK.
- AWS exposes its cloud service APIs through an access key (AK) based access model;
- An EC2 instance can make SDK calls through a role granted to the instance.
- A, C. IAM policies are independent of region, so no region is specified in the policy. IAM policies are about authorization for an already-authenticated principal, so no password is needed.
- IAM policies are independent of region, so no region needs to be specified.
- IAM policies are authorization rules for a principal, so no password is needed.
- IAM policies must spell out the service name and the actions that may be performed on it;
- A, B, C, E. Locking down your root user and all accounts to which the administrator had access is the key here. Deleting all IAM accounts is not necessary, and it would cause great disruption to your operations. Amazon EC2 roles use temporary security tokens, so relaunching Amazon EC2 instances is not necessary.
- EC2 uses roles, i.e. temporary security tokens, so restarting the EC2 instances does not solve the security problem;
- When the administrator leaves: change the administrator account passwords, add MFA multi-factor authentication, have IAM users reset their passwords, delete the administrator's personal IAM account, and restrict root access to the servers to specific IPs (note: this cannot restrict where the management account is accessed from).
- B, D. IAM controls access to AWS resources only. Installing ASP.NET will require Windows operating system authorization, and querying an Oracle database will require Oracle authorization.
- IAM controls access permissions to AWS resources; launching EC2 and calling SQS are calls to AWS resources;
- Installing ASP.NET requires operating-system permissions, and querying Oracle requires query permissions in the Oracle database; neither has anything to do with AWS;
- A, C. Amazon DynamoDB global secondary indexes are a performance feature of Amazon DynamoDB; Consolidated Billing is an accounting feature allowing all bills to roll up under a single account. While both are very valuable features, neither is a security feature.
- IAM's security features include the password policy and the MFA multi-factor authentication policy;
- B, C. Amazon EC2 roles must still be assigned a policy. Integration with Active Directory involves integration between Active Directory and IAM via SAML.
- An EC2 role still needs an access policy created for it.
- An EC2 role only removes the need to store credentials on the EC2 instance; there is no longer any need to reset the IAM account's key.
- A, D. Amazon EC2 roles provide a temporary token to applications running on the instance; federation maps policies to identities from other sources via temporary tokens.
- Tokens are used by EC2 roles and by federated login.
- A, C, D. Neither B nor E are features supported by IAM.
- Policies that increase account security: MFA, the password policy, and restricting users' access so that it comes from the company network;
- Official docs: Define the conditions under which your IAM policy allows access to a resource. For example, you can write a condition specifying that the request must come from an allowed range of IP addresses. You can also specify that requests are only allowed within a specified date or time range. You can also set conditions such as requiring the use of SSL or MFA (Multi-Factor Authentication). For example, you can require a user to authenticate with an MFA device before being allowed to terminate a particular Amazon EC2 instance.
- B, C. Access requires an appropriate policy associated with a principal. Response A is merely a policy with no principal, and response D is not a principal as IAM groups do not have user names and passwords. Response B is the best solution; response C will also work but it is much harder to manage.
- The usual way to let employees manage EC2 instances is to create a policy, create a group with that policy attached, and put the employees' accounts into the group. Alternatively, create a policy and attach it to each employee's account one by one.
- C. An IAM policy is a JSON document.
- An IAM policy is described in JSON;
Summary of key points
Know the different principals in IAM. The three principals that can authenticate and interact with AWS resources are the root user, IAM users, and roles. The root user is associated with the actual AWS account and cannot be restricted in any way. IAM users are persistent identities that can be controlled through IAM. Roles allow people or processes the ability to operate temporarily with a different identity. People or processes assume a role by being granted a temporary security token that will expire after a specified period of time.
Know the different principals in IAM. Three principals can authenticate and interact with AWS resources: the root user, IAM users, and roles.
root user: the root user is bound to the actual AWS account and cannot be restricted in any way.
IAM users: persistent identities that can be controlled through IAM;
Roles: an identity that lets people or processes operate with temporary permissions. A person or process assumes a role by being granted a temporary security token, which expires after a set period of time;
Know how principals are authenticated in IAM. When you log in to the AWS Management Console as an IAM user or root user, you use a user name/password combination. A program that accesses the API with an IAM user or root user uses a two-part access key. A temporary security token authenticates with an access key plus an additional session token unique to that temporary security token.
Know how principals are authenticated in IAM. When you log in to the AWS Management Console as an IAM user or the root user, you authenticate with a user name/password combination.
A program that accesses the API as an IAM user or the root user uses a two-part access key.
A temporary security token authenticates with an access key plus a session token unique to that temporary token;
Know the parts of a policy. A policy is a JSON document that defines one or more permissions to interact with AWS resources. Each permission includes the effect, service, action, and resource. It may also include one or more conditions. AWS makes many predefined policies available as managed policies.
Know the parts of a policy. A policy is a JSON document that defines one or more permissions to interact with AWS services. Each permission includes effect, service, action, and resource. It may also include one or more conditions. AWS provides many predefined policies as managed policies;
Know how a policy is associated with a principal. An authenticated principal is associated with zero to many policies. For an IAM user, these policies may be attached directly to the user account or attached to an IAM group of which the user account is a member. A temporary security token is associated with policies by assuming an IAM role.
Know how a policy is associated with a principal. An authenticated principal can be associated with 0 to N policies. For an IAM user, these policies may be attached directly to the user account or to an IAM group the user belongs to.
A temporary security token is associated with policies by assuming an IAM role;
Understand MFA. MFA increases the security of an AWS account by augmenting the password (something you know) with a rotating OTP from a small device (something you have), ensuring that anyone authenticating the account has both knowledge of the password and possession of the device. AWS supports both Gemalto hardware MFA devices and a number of virtual MFA apps.
Understand MFA. MFA increases the security of an AWS account by augmenting the password with a one-time code displayed on a device you hold, ensuring that anyone authenticating to the account both knows the password and possesses the device. AWS supports Gemalto hardware MFA devices and many virtual MFA apps.
Understand key rotation. To protect your AWS infrastructure, access keys should be rotated regularly. AWS allows two access keys to be valid simultaneously to make the rotation process straightforward: Generate a new access key, configure your application to use the new access key, test, disable the original access key, test, delete the original access key, and test again.
Understand key rotation. To protect your AWS infrastructure, access keys (AKs) should be rotated periodically. AWS allows two AKs to be valid at the same time while a key is being rotated.
The AK rotation procedure: generate a new AK, configure your application to use the new AK, test, disable the original AK, test, delete the original AK, test again;
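The rotation sequence above, written as one function that rolls back at whichever "test" step fails. This is an added example for this page, not AWS or boto3 code. `rotate_access_key` calls the real boto3 IAM client methods `list_access_keys`, `create_access_key`, `update_access_key` and `delete_access_key` with their documented keyword arguments, but so that it runs offline the block supplies a constructed in-memory `FakeIam` with the same method signatures, and `DemoApp`/`StaleApp` stand in for the application being reconfigured. The user name and key ids are placeholders.

```python
import secrets


class RotationError(RuntimeError):
    """Raised when a verification step fails; the message says what was rolled back."""


def rotate_access_key(iam, user_name, reconfigure, verify):
    """Rotate a user's access key in the order the notes give:
    create new -> reconfigure app -> test -> disable old -> test -> delete old -> test.
    `iam` is a boto3 IAM client or any object exposing the same four methods.
    `reconfigure(key_id, secret)` points the application at the new key;
    `verify()` returns True while the application still works."""
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) != 1:
        # IAM permits at most two keys per user, and rotation needs the free slot.
        raise RotationError("expected exactly one existing key, found %d" % len(existing))
    old_id = existing[0]["AccessKeyId"]

    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
    new_id = new_key["AccessKeyId"]
    reconfigure(new_id, new_key["SecretAccessKey"])
    if not verify():
        # The application never worked with the new key: discard it, old key untouched.
        iam.delete_access_key(UserName=user_name, AccessKeyId=new_id)
        raise RotationError("application failed on the new key; deleted it, old key still active")

    # Disable rather than delete first, so a single call can roll back.
    iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Inactive")
    if not verify():
        iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Active")
        raise RotationError("something still uses the old key; re-activated it")

    iam.delete_access_key(UserName=user_name, AccessKeyId=old_id)
    if not verify():
        raise RotationError("application broke after deleting the old key")
    return new_id


class FakeIam:
    """Constructed in-memory stand-in for the boto3 IAM client (offline demo only)."""

    def __init__(self, user_name, old_key_id):
        self.keys = {user_name: {old_key_id: "Active"}}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys[UserName].items()]}

    def create_access_key(self, UserName):
        if len(self.keys[UserName]) >= 2:
            raise RuntimeError("LimitExceeded: at most two access keys per user")
        key_id = "AKIA" + secrets.token_hex(8).upper()
        self.keys[UserName][key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id,
                              "SecretAccessKey": secrets.token_urlsafe(30)}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[UserName][AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[UserName][AccessKeyId]


class DemoApp:
    """Constructed application: its calls succeed only while its key is Active."""

    def __init__(self, iam, user_name, key_id):
        self.iam, self.user_name, self.key_id = iam, user_name, key_id

    def reconfigure(self, key_id, secret):
        self.key_id = key_id

    def works(self):
        return self.iam.keys[self.user_name].get(self.key_id) == "Active"


class StaleApp(DemoApp):
    """A consumer that was missed during reconfiguration and keeps the old key."""

    def reconfigure(self, key_id, secret):
        pass


USER = "deploy-bot"                  # placeholder user name
OLD_KEY = "AKIAOLDKEYPLACEHOLDER"    # placeholder key id


def demo_clean_rotation():
    """Every consumer is reconfigured: returns (iam, new_key_id)."""
    iam = FakeIam(USER, OLD_KEY)
    app = DemoApp(iam, USER, OLD_KEY)
    return iam, rotate_access_key(iam, USER, app.reconfigure, app.works)


def demo_missed_consumer():
    """One consumer still uses the old key: returns (iam, error message or None)."""
    iam = FakeIam(USER, OLD_KEY)
    app = StaleApp(iam, USER, OLD_KEY)
    try:
        rotate_access_key(iam, USER, app.reconfigure, app.works)
        return iam, None
    except RotationError as err:
        return iam, str(err)
```

The "disable, test, then delete" order is what makes the procedure safe: in `demo_missed_consumer` the overlooked consumer only shows up once the old key is inactive, and because the key was not yet deleted it can be switched back on with one call while the new key stays in place for a retry.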
Understand IAM roles and federation. IAM roles are prepackaged sets of permissions that have no credentials. Principals can assume a role and then use the associated permissions. When a temporary security token is created, it assumes a role that defines the permissions assigned to the token. When an Amazon EC2 instance is associated with an IAM role, SDK calls acquire a temporary security token based on the role associated with the instance and use that token to access AWS resources. Roles are the basis for federating external IdPs with AWS. You configure an IAM IdP to interact with the external IdP, the authenticated identity from the IdP is mapped to a role, and a temporary security token is returned that has assumed that role. AWS supports both SAML and OIDC IdPs.
Understand IAM roles and federation. An IAM role is a prepackaged set of permissions that carries no credentials of its own. Principals can assume a role and then use the associated permissions. When a temporary security token is created, it assumes a role that defines the permissions granted to the token. When an EC2 instance is associated with an IAM role, the SDK obtains a temporary security token (already tied to the IAM role), and the EC2 instance uses that token to access AWS resources.
Roles are the basis for federating with external IdPs. You configure an IAM IdP to interact with the external IdP; the identity authenticated by the IdP is mapped to a role, and a temporary security token that has assumed that role is returned. AWS supports SAML and OIDC IdPs.
Know how to resolve conflicting permissions. Resolving multiple permissions is relatively straightforward. If an action on a resource has not been explicitly allowed by a policy, it is denied. If two policies contradict each other; that is, if one policy allows an action on a resource and another policy denies that action, the action is denied. While this sounds improbable, it may occur due to scope differences in a policy. One policy may expose an entire fleet of Amazon EC2 instances, and a second policy may explicitly lock down one particular instance.
Know how to resolve conflicting permissions. Resolving multiple permissions is relatively straightforward.
If an action on a resource has not been explicitly allowed, it is denied.
If two policies conflict, one allowing an operation on a resource and the other denying it, the result is deny.
This can easily happen: one policy exposes an entire set of EC2 instances while another explicitly locks down one particular instance.
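To tie the policy parts (effect, action, resource, condition) to the conflict-resolution rules above, here is a small evaluator written for this page. It is not AWS's evaluation engine: it models only identity-based policies (no resource policies, SCPs or permission boundaries) and three condition operators, but it applies the same ordering, explicit deny first, then allow, otherwise implicit deny. The two policies are constructed to mirror the fleet-versus-one-instance scenario; the account id, instance ids and IP range are placeholders.

```python
import ipaddress
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # placeholder account id


def instance_arn(instance_id):
    return "arn:aws:ec2:us-east-1:%s:instance/%s" % (ACCOUNT, instance_id)


# Constructed policy 1: exposes the whole fleet, but only from the office
# range, and allows termination only when the caller authenticated with MFA.
FLEET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": instance_arn("*"),
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Allow",
         "Action": "ec2:TerminateInstances",
         "Resource": instance_arn("*"),
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

# Constructed policy 2: explicitly locks down one production instance.
PROD_INSTANCE = instance_arn("i-0123456789abcdef0")
LOCKDOWN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": "ec2:TerminateInstances",
         "Resource": PROD_INSTANCE},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Supports IpAddress, Bool and StringEquals. A key missing from the
    request context never satisfies a condition, as in IAM itself."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            wanted = [str(v) for v in _as_list(expected)]
            if operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c)
                         for c in wanted)
            elif operator == "Bool":
                ok = str(actual).lower() in [v.lower() for v in wanted]
            elif operator == "StringEquals":
                ok = str(actual) in wanted
            else:
                raise ValueError("unsupported condition operator: " + operator)
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    """Action names are case-insensitive in IAM; resource ARNs are not.
    The '*' and '?' wildcards are handled by fnmatch, enough for ARN patterns."""
    if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context=None):
    """Decision for one request across all attached policies: any matching
    Deny -> 'ExplicitDeny'; else any matching Allow -> 'Allow'; else
    'ImplicitDeny' because nothing allowed it."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit deny always wins; stop here
            decision = "Allow"
    return decision


POLICIES = [FLEET_POLICY, LOCKDOWN_POLICY]
FLEET_INSTANCE = instance_arn("i-0fedcba9876543210")
OFFICE_MFA = {"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthPresent": "true"}
OFFICE_NO_MFA = {"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthPresent": "false"}
HOME_MFA = {"aws:SourceIp": "198.51.100.7", "aws:MultiFactorAuthPresent": "true"}

if __name__ == "__main__":
    print(evaluate(POLICIES, "ec2:TerminateInstances", PROD_INSTANCE, OFFICE_MFA))
```

Run against the sample contexts, the fleet-wide Allow lets a caller stop an instance from the office range but not from home, terminating a fleet instance needs MFA, and terminating the production instance is refused even with MFA because the lockdown policy's Deny overrides the Allow. Anything neither policy mentions, such as an S3 read, falls through to the implicit deny.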