what is a principal?

Principal is an entity in AWS that can perform actions and access resources.

what is the limit iam users per account?

5.000 IAM Users per AWS account

how many iam groups a iam user can be a member of?

10 IAM groups per IAM User

what is the format of arn?

• arn:partition:service:region:account-id:resource-id
• arn:partition:service:region:account-id:resource-type/resource-id
• arn:partition:service:region:account-id:resource-type:resource-id

👉

• 5 to 6 colon :
• region or/and account-id can be omitted.

what is iam group?

Containers for IAM Users.

what are the limits of iam group?

• No Nesting.
• Limit of 300 Groups.

can an iam group be used as a principle in a policy?

IAM Group is NOT a true identity, that

• can NOT be used as a Principle in a policy.
• don’t have credential to login with

what is trust policy in iam?

The trust policy defines

• which principals can assume the role, and
• under which conditions

See How to use trust policies with IAM roles | AWS Security Blog

what is service-linked role?

A service-linked role is

• a unique type of IAM role that is linked directly to an AWS service.
• predefined (by the service) to include all the permissions that the service requires (to call other AWS services on your behalf).

why use service-linked role?

A service-linked Role

• simplify the process of setting up a service because

  • you don’t have to manually add permissions for the service to complete actions on your behalf

• may be created

  • automatically (by the service)
  • manually using a wizard in the console
  • manually using IAM

See Create a service-linked role

aws organization and management account, which come first?

• First, you use a standard account to create an AWS Organization
• Then that standard account become the management account of the AWS Organization.

how to access an aws account in an aws organization?

1. Using username/password of that AWS account to access that AWS account using its root user
2. Using another account to switch role to that account’s IAM role OrganizationAccountAccessRole
3. Using the AWS access portal with corporation credentials (Google, Facebook…)

what does service control policies (scp) do?

SCP

• restricts permissions for

  • IAM users
  • IAM roles
  • including root user

  in member accounts.

• (do NOT grant permissions)

sgp - deny list strategy

With deny list strategy, all permissions are allowed unless explicitly denied.

This is the default behavior of AWS Organizations.

• By default, AWS Organizations attaches an AWS managed policy called FullAWSAccess to all roots, OUs, and accounts.
• You
  • leave the default FullAWSAccess policy in place (that allow “all”).
  • then attach additional policies that explicitly deny access to the unwanted services and actions.

sgp - allow list strategy

With allow list strategy, all permissions are denied unless explicitly allowed.

• By default, AWS Organizations attaches an AWS managed policy called FullAWSAccess to all roots, OUs, and accounts.
• You
  • remove the default FullAWSAccess policy
  • then attach additional policies that explicitly allow access to the wanted services and actions

can scp restrict management account?

can scp restrict root user?

SCP can un-directly control the member account’s root user (by control the account’s permission)

what is log event?

what is log stream?

what is log group?

what is cloudtrail event/trail?

how long is the default cloudtrail history?

in cloudtrail, what are management events / data events?

how to implement a central log store for aws organization?

is cloudtrail realtime?