Summary and Quiz
Get a refresher of what you’ve learned in the Identity and Access Management chapter and take a short quiz to validate your knowledge.
Let’s look at some key takeaways from this section and then put what we’ve learned to the test with a quiz.
Summary
Here’s a summary of the key takeaways from this section:
IAM: IAM (Identity and Access Management) is a security and management service that provides external entities with secure access to AWS services or resources within the AWS account. It takes care of both authentication and authorization.
IAM policy: An IAM policy is a JSON document that allows us to define the scope of permissions of the principal entities. There are six types of IAM policies:
Identity-based policy
Resource-based policy
Permission boundary policy
Session policy
ACL
SCP
The circumstances determine the type of IAM policy to be used.
IAM user: An IAM user is an IAM resource we can use to provide long-term AWS console access to an external user. When using an AWS account over a longer period, the best practice is to create a separate IAM user for each operational unit. This helps us secure our root account and also prevents a user from performing any unwanted actions.
IAM roles: An IAM role is an IAM resource we can use to provide short-term AWS access to the requesting entity. IAM roles usually have both an identity-based policy and a resource-based policy (the role’s trust policy) attached to them, which are used for authorization and authentication, respectively.
Restricting policies: Permission boundary policy and session policy allow us to set an upper bound on the permissions of IAM entities. Permission boundary policy can be used with both IAM users and IAM roles, whereas session policy is exclusively for the IAM role.
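As an added example (not part of the course page), the following simplified Python evaluator shows how a permission boundary and a session policy act as an upper bound on an identity-based policy: a request is allowed only when every policy in play allows it, and an explicit deny in any of them wins. The policy documents are constructed for illustration; conditions and NotAction/NotResource are ignored.

```python
import fnmatch
import json

# Constructed sample policies (not from the course): an identity-based policy
# granting broad S3 access, a permission boundary limiting it to reads, and a
# session policy narrowing it further to one bucket.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]}""")
PERMISSION_BOUNDARY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}
  ]}""")
SESSION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document.
    Simplified matching: '*' wildcards in Action/Resource, no Condition support."""
    decision = None
    for stmt in policy["Statement"]:
        acts = _as_list(stmt.get("Action", []))
        ress = _as_list(stmt.get("Resource", []))
        if (any(fnmatch.fnmatchcase(action, a) for a in acts)
                and any(fnmatch.fnmatchcase(resource, r) for r in ress)):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision


def is_allowed(action, resource, identity, boundary=None, session=None):
    """Effective permission is the intersection of the identity-based policy with
    the permission boundary and session policy when they are present."""
    results = [evaluate_policy(identity, action, resource)]
    for restricting in (boundary, session):
        if restricting is not None:
            results.append(evaluate_policy(restricting, action, resource))
    return all(r == "Allow" for r in results)
```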
AWS Organizations: AWS Organizations allows us to manage multiple AWS accounts from a single point. It helps us consolidate billing for our AWS accounts and manage their maximum permissions from a single management account. For the latter, it uses SCPs that are set from the management account.
IAM Identity Center: IAM Identity Center enables us to manage our workforce’s access to our AWS accounts from a single point. It is also known as Single Sign-On (SSO), as it enables us to provide single sign-on to the requesting entities.
Amazon Cognito: Amazon Cognito simplifies user authentication and authorization for web and mobile apps, providing scalable user directories (User Pools) and secure access to AWS resources (Identity Pools).
Access Analyzer: Access Analyzer identifies unintended access to our AWS resources by continuously monitoring access permissions. It can also help us draft our IAM policy documents by alerting us to any loose ends or syntax errors within the policies.
Test your knowledge
Take a short quiz to validate that knowledge and to make sure we’ve not missed out on anything: