<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.8" -->
<?xml-stylesheet href="https://wiki.quizz.vn/lib/exe/css.php?s=feed" type="text/css"?>
<rdf:RDF
    xmlns="http://purl.org/rss/1.0/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel rdf:about="https://wiki.quizz.vn/feed.php">
        <title>Wiki.Quizz.vn - aws:security:iam</title>
        <description></description>
        <link>https://wiki.quizz.vn/</link>
        <image rdf:resource="https://wiki.quizz.vn/lib/exe/fetch.php?media=wiki:dokuwiki.svg" />
       <dc:date>2026-04-15T18:11:56+00:00</dc:date>
        <items>
            <rdf:Seq>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:assume-role&amp;rev=1766904162&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:best-practices&amp;rev=1766929226&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:group&amp;rev=1766903865&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:identity-based-policy&amp;rev=1766904052&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:instance-profile&amp;rev=1766904264&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:least-privilege&amp;rev=1766904304&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:permission-boundary&amp;rev=1766904283&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:policy-evaluation&amp;rev=1766904106&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:policy&amp;rev=1766904026&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:privileged-users&amp;rev=1766929319&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:resource-based-policy&amp;rev=1766904078&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:role&amp;rev=1766903889&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:root-user-best-practices&amp;rev=1766907548&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:root-user&amp;rev=1766907508&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:sts&amp;rev=1766904140&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:trust-policy&amp;rev=1766903972&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.quizz.vn/doku.php?id=aws:security:iam:user&amp;rev=1766907826&amp;do=diff"/>
            </rdf:Seq>
        </items>
    </channel>
    <image rdf:about="https://wiki.quizz.vn/lib/exe/fetch.php?media=wiki:dokuwiki.svg">
        <title>Wiki.Quizz.vn</title>
        <link>https://wiki.quizz.vn/</link>
        <url>https://wiki.quizz.vn/lib/exe/fetch.php?media=wiki:dokuwiki.svg</url>
    </image>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:assume-role&amp;rev=1766904162&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T06:42:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>assume-role</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:assume-role&amp;rev=1766904162&amp;do=diff</link>
        <description>AssumeRole

What it is: An STS operation where a principal “switches into” a role and receives temporary credentials.

What it’s for:

	*  Cross-account access (Account A assumes role in Account B).
	*  Service-to-service secure permission granting.</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:best-practices&amp;rev=1766929226&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T13:40:26+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>best-practices</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:best-practices&amp;rev=1766929226&amp;do=diff</link>
        <description>IAM Best Practices

What it is: Recommended security practices for managing identities and permissions in AWS.

What it’s for:

	*  Reduce risk of account compromise.
	*  Improve auditing and accountability.
	*  Enforce least privilege.

Top exam best practices:</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:group&amp;rev=1766903865&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T06:37:45+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>group</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:group&amp;rev=1766903865&amp;do=diff</link>
        <description>IAM Group

What it is: A collection of IAM users.

What it’s for:

	*  Attach policies once to the group; all users inherit the group permissions.
	*  Make permission management simpler and consistent.

Key ideas:

	*  Groups contain users only (not roles).</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:identity-based-policy&amp;rev=1766904052&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T06:40:52+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>identity-based-policy</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:identity-based-policy&amp;rev=1766904052&amp;do=diff</link>
        <description>Identity-based Policy

What it is: A policy attached to an IAM user, group, or role.

What it’s for:

	*  Grant that identity permissions to call AWS APIs.

Key ideas:

	*  Most common in AWS.
	*  Best practice: attach to roles for services.

Hard words:</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:instance-profile&amp;rev=1766904264&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T06:44:24+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>instance-profile</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:instance-profile&amp;rev=1766904264&amp;do=diff</link>
        <description>Instance Profile (EC2)

What it is: A container that attaches an IAM Role to an EC2 instance.

What it’s for:

	*  Let EC2 get temporary credentials automatically (no access keys on disk).
	*  Enable EC2 to call AWS services like S3/DynamoDB/SSM.</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:least-privilege&amp;rev=1766904304&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T06:45:04+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>least-privilege</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:least-privilege&amp;rev=1766904304&amp;do=diff</link>
        <description>Least Privilege

What it is: Security principle: grant only the permissions needed for the task—nothing more.

What it’s for:

	*  Reduce damage if credentials are compromised.
	*  Improve security posture.

How to apply:

	*  Scope by action (read vs write).</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:permission-boundary&amp;rev=1766904283&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T06:44:43+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>permission-boundary</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:permission-boundary&amp;rev=1766904283&amp;do=diff</link>
        <description>Permission Boundary

What it is: A policy that sets the maximum permissions an IAM role/user can have.

What it’s for:

	*  Delegate IAM creation safely (e.g., allow a team to create roles but not exceed a boundary).
	*  Prevent privilege escalation.</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:policy-evaluation&amp;rev=1766904106&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T06:41:46+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>policy-evaluation</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:policy-evaluation&amp;rev=1766904106&amp;do=diff</link>
        <description>Policy Evaluation (Allow/Deny logic)

What it is: The rules AWS uses to decide whether a request is allowed.

What it’s for: Predict and troubleshoot access problems.

Decision rules (high-level):

	*  Default is implicit deny (if no Allow is written, access is treated as not permitted).</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:policy&amp;rev=1766904026&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T06:40:26+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>policy</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:policy&amp;rev=1766904026&amp;do=diff</link>
        <description>IAM Policy

What it is: A JSON document that defines permissions.

What it’s for:

	*  Control access by specifying Actions, Resources, and optional Conditions.

Core structure (conceptual):

	*  Effect: Allow or Deny
	*  Action: what API actions are permitted (e.g., s3:GetObject)</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:privileged-users&amp;rev=1766929319&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T13:41:59+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>privileged-users</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:privileged-users&amp;rev=1766929319&amp;do=diff</link>
        <description>Privileged Users

What it is: Users/roles with high permissions (admin, ability to create policies, manage keys, change security settings).

What it’s for:

	*  Identify high-risk identities that must be protected strongly.

Best practice:

	*  Require</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:resource-based-policy&amp;rev=1766904078&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T06:41:18+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>resource-based-policy</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:resource-based-policy&amp;rev=1766904078&amp;do=diff</link>
        <description>Resource-based Policy

What it is: A policy attached directly to a resource (e.g., S3 bucket policy, KMS key policy).

What it’s for:

	*  Grant permissions to principals (users/roles/accounts) on that resource.
	*  Enable cross-account access without needing identity policy in the resource owner account (often combined).</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:role&amp;rev=1766903889&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T06:38:09+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>role</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:role&amp;rev=1766903889&amp;do=diff</link>
        <description>IAM Role

What it is: An AWS identity with permissions that can be assumed temporarily.

What it’s for:

	*  Give permissions to AWS services (EC2, Lambda, ECS, EKS) securely.
	*  Enable cross-account access without sharing long-term keys.
	*  Use temporary credentials from</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:root-user-best-practices&amp;rev=1766907548&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T07:39:08+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>root-user-best-practices</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:root-user-best-practices&amp;rev=1766907548&amp;do=diff</link>
        <description>Root User Best Practices

What it is: The recommended security steps for protecting the AWS account root user.

What it’s for:

	*  Reduce the chance of account takeover.
	*  Ensure only authorized people can perform sensitive account-level actions.</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:root-user&amp;rev=1766907508&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T07:38:28+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>root-user</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:root-user&amp;rev=1766907508&amp;do=diff</link>
        <description>AWS Account Root User

What it is: The special identity created when you first create an AWS account. It has full, unrestricted permissions in the account.

What it’s for:

	*  Perform a few account-level tasks that only the root user can do (rare use).</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:sts&amp;rev=1766904140&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T06:42:20+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>sts</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:sts&amp;rev=1766904140&amp;do=diff</link>
        <description>STS (Security Token Service)

What it is: Service that issues temporary security credentials.

What it’s for:

	*  Let users/services assume roles and get temporary access.
	*  Enable federation (login via external identity providers).
	*  Support cross-account access.</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:trust-policy&amp;rev=1766903972&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T06:39:32+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>trust-policy</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:trust-policy&amp;rev=1766903972&amp;do=diff</link>
        <description>Trust Policy

What it is: A role policy that defines who/what can assume the role.

What it’s for:

	*  Control which principal (user/role/service) can call AssumeRole.

Key ideas:

	*  Trust policy is a kind of resource-based policy attached to the role itself.</description>
    </item>
    <item rdf:about="https://wiki.quizz.vn/doku.php?id=aws:security:iam:user&amp;rev=1766907826&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-12-28T07:43:46+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>user</title>
        <link>https://wiki.quizz.vn/doku.php?id=aws:security:iam:user&amp;rev=1766907826&amp;do=diff</link>
        <description>IAM User

What it is: An identity for a person or an application that needs direct AWS access.

What it’s for:

	*  Console login (username/password).
	*  Programmatic access via access key (only when necessary).

Key ideas:

	*  Users can have:
		*</description>
    </item>
</rdf:RDF>
