Identity & Access Management Fundamentals (SCS-C03) Flashcards
AWS Certified Security Specialty SCS-C03 Flashcards
| Front | Back |
|---|---|
| Best practice for cross-account access | Use roles with limited permissions and MFA, and avoid sharing long-term credentials |
| Describe the AWS policy evaluation logic | Step 1: an explicit deny wins. Step 2: an explicit allow is checked next. Step 3: otherwise, implicit deny |
| Difference between a managed policy and an inline policy | Managed policies are standalone, reusable objects; inline policies are embedded directly on a single principal or resource |
| Give an ABAC example | Granting access to S3 objects when the user's department tag matches the object's department tag |
| How do permission boundaries work | They cap the union of permissions granted by the principal's identity policies, so a principal must have both an identity-policy allow and a boundary allow to perform an action |
| How does IAM Access Analyzer work | It evaluates policies and resource configurations using automated reasoning to identify potential unintended access paths |
| How to audit IAM changes | Use AWS CloudTrail, IAM Access Analyzer, and configuration history to track policy and principal changes and detect anomalies |
| How to design least privilege for roles | Start with deny all, then add specific allows, test with real tasks, and iterate by tightening permissions |
| What are session duration limits | The maximum time temporary credentials from AssumeRole remain valid; they should be minimized for security |
| What is a permission boundary | A maximum permissions boundary that limits the effective permissions an IAM principal can have, regardless of its policies |
| What is a resource-based policy | A policy attached directly to a resource that specifies which principals can access that resource |
| What is a session policy | A policy passed during AssumeRole that further restricts the permissions of the temporary credentials |
| What is ABAC | Attribute-based access control, which grants permissions based on attributes such as tags or user attributes instead of explicit resource lists |
| What is the access key rotation best practice | Rotate and retire access keys regularly, and prefer temporary credentials and roles over long-term keys |
| What is an explicit deny | An explicit deny in any policy overrides any allow and immediately prevents access |
| What is an external ID and why use it | An identifier, provided by the trusting account, that prevents confused-deputy attacks when third parties assume roles |
| What is an IAM group | A collection of IAM users used to assign the same managed policies to multiple users at once |
| What is an IAM role | A set of permissions that can be assumed by trusted principals and that provides temporary credentials |
| What is an IAM user | An identity representing a person or service, with long-term credentials and policies that define its permissions |
| What is an identity-based policy | A policy attached to a principal (a user, group, or role) that grants permissions to act on resources |
| What is AssumeRole | An API that lets a principal assume a role and receive temporary credentials with the role's permissions |
| What is AssumeRoleWithSAML | An API that lets SAML-federated users assume a role using assertions from an identity provider |
| What is AWS IAM Access Analyzer | A tool that analyzes resource-based policies and generates findings for potential external access, including cross-account risks |
| What is AWS STS | The Security Token Service, which issues temporary security credentials for federated access and cross-account roles |
| What is cross-account access | A pattern in which principals from one AWS account access resources in another account, typically via roles or resource-based policies |
| What is federation in IAM | Allowing external identities, such as corporate users or third-party providers, to access AWS without long-term credentials |
| What is implicit deny | Any action not explicitly allowed is implicitly denied by default |
| What is least privilege | Granting only the minimum permissions required to perform a task and nothing more |
| What is the policy simulator | A tool that tests and evaluates the effective permissions of a principal by simulating API calls |
| What is a role trust policy | A policy attached to a role that defines which principals are allowed to assume the role |
| What is the Principal element in a resource policy | It specifies the AWS account, user, role, or service that is allowed or denied access to the resource |
| Why use temporary credentials | To reduce the risk of long-term key compromise, enforce session duration, and apply session policies |
Covers IAM concepts and best practices: users, groups, roles, policies, permission boundaries, STS/federation, attribute-based access control (ABAC), cross-account access, IAM Access Analyzer, policy evaluation and least-privilege design patterns for SCS-C03.