M2 : IAM Assessment

There would be no easy way to control resource usage by project or class

There would be no effective limits on the effect of an action, making it more likely for unintended and unwanted consequences to result

Since root has full permissions over your account resources, an account compromise at the hands of hackers would be catastrophic

It would make it difficult to track which account user is responsible for specific actions

The Action element refers to the way IAM will react to a request

The * character applies an element globally—as broadly as possible

The Resource element refers to the third-party identities that will be allowed to access the account

The Effect element refers to the anticipated resource state after a request is granted

Never use the account to perform any administration operations

Enable multifactor authentication (MFA)

Assign a long and complex password

Delete all access keys

It enhances security by consolidating resources

It simplifies the management of user permissions

It allows for quicker response times to service interruptions

It simplifies locking down the root user

2000

3000

5000

4000

Change the password and MFA settings for the root account

Delete and re-create all existing IAM policies

Change he passwords for all your IAM users

Delete the former employee’s own IAM user (within the company account)

Action

Region

Effect

Resource

You cannot restrict a root user on an Organizational Unit account.

By deleting the root user

By creating and attaching a service control policy

By creating and attaching an IAM policy to the root user

OrganizationAccountAccessRole as the role.

The IAM role needs to be created in the linked member account.

A valid IAM user from the newly linked account.

Account ID of the member account.

The display name of the role that will be seen in the linked account.

Provide AWS resources with access to AWS services

Provide access to externally authenticated users

Switch roles to access resources in another AWS account (cross-account access)

Do not support providing access to third parties