IAM-AWS

• The Action element refers to the way IAM will react to a request.

The * character applies an element globally—as broadly as possible.

The Resource element refers to the third‐party identities that will be allowed to access the account.

The Effect element refers to the anticipated resource state after a request is granted.

Any application running on the instance that is using the role will be denied access immediately.

The application continues to use that role until the EC2 server is shut down.

The application will have the access until the session is alive.

The application will continue to have access.

There would be no easy way to control resource usage by project or class.

There would be no effective limits on the effect of an action, making it more likely for unintended and unwanted consequences to result.

Since root has full permissions over your account resources, an account compromise at the hands of hackers would be catastrophic.

It would make it difficult to track which account user is responsible for specific actions.

Create an Admin IAM account for them and provide them with credentials

Share your Access Key with the vendor

Build an IAM policy for your vendor

Create an IAM role and map it to your vendor AWS Account

Grant permission to the developers to access IAM account

Attach S3 Full access policy to developer IAM account

Create a Customer managed policy for the S3 bucket. Attach the policy to IAM account

Attach S3 Full access AWS managed policy to the Developer Group

The policy cannot be rolled back, you need to rewrite the policy

Set the default version of customer managed policy to the older version

Delete the update to the policy, this will revert the permissions

Use an AWS-managed policy

Under IAM role, you can retrieve the lost Access Key

Provide Access Key from another IAM account

Redeploy the QA application, and the key will be restored

Inactivate the older key and generate a new key which should be updated in the QA environment

Reduce the size of the instances based on the utilization of resources in each account

Create Roles for other accounts and provide access for resources in your account to effectively use the resources

Use AWS Resource Access Manager to build up shared resources for the two AWS accounts

Merge both the accounts into one and identify the overlapping resources

aws iam get‐access‐key‐used –access‐key‐id <key_ID>

aws iam ‐‐get‐access‐key‐last‐used access‐key‐id <key_ID>

aws iam get‐access‐key‐last‐used access‐last‐key‐id <key_ID>

aws iam get‐access‐key‐last‐used ‐‐access‐key‐id <key_ID>

Reach out to the IAM user with administrative access to change to complex password

Set up a password policy for all the IAM user

Ask root user to change password for all IAM Admin accounts and then share password with IAM users

Set up password rotation policy