01 Accounts & Permissions

Question 1

Describe AWS Organisations.

Answer 1

AWS Organisations is a service that allows users to manage multiple AWS accounts in a hierarchical structure.

Question 2

Define the management account in AWS Organisations.

Answer 2

The management account is the account that created the organisation and can invite other existing accounts to join.

Question 3

How can existing accounts join an AWS Organisation?

Answer 3

Existing accounts can be invited to join an AWS Organisation, but they must agree to the invitation.

Question 4

What are member accounts in AWS Organisations?

Answer 4

Member accounts are accounts that are part of an organisation, which can be either invited existing accounts or newly created accounts.

Question 5

Describe the hierarchical structure of AWS Organisations.

Answer 5

The hierarchical structure includes an organisation root at the top level, with Organisation Units (OUs) as sub-groupings of accounts and other nested OUs.

Question 6

Explain consolidated billing in AWS Organisations.

Answer 6

Consolidated billing allows charges from all member accounts to be billed to the management account, pooling reservations and volume discounts across the organisation.

Question 7

What is the payer account in the context of AWS Organisations?

Answer 7

The payer account is another term for the management account, which handles the consolidated billing for all member accounts.

Question 8

How does consolidated billing affect billing methods in AWS Organisations?

Answer 8

Consolidated billing overrides any billing methods that were added to accounts before they joined the organisation.

Question 9

What is the best practice architectural pattern for AWS account management?

Answer 9

The best practice is to have a single AWS account for users to log into, using roles to perform actions in other accounts or to assume roles in those accounts.

Question 10

Define Service Control Policies (SCPs) in AWS Organisations.

Answer 10

Service Control Policies (SCPs) are a feature that restricts what actions an account can perform within AWS Organisations.

Question 11

How are Service Control Policies applied in AWS Organisations?

Answer 11

SCPs can be applied to the entire organisation, specific Organisation Units (OUs), or individual accounts, and they are enforced down the hierarchy.

Question 12

Describe how Service Control Policies (SCPs) affect AWS accounts and organizational units (OUs).

Answer 12

Applying an SCP to an OU affects all accounts and nested OUs within that OU.

Question 13

Do management accounts have restrictions imposed by SCPs?

Answer 13

Management accounts are not restricted by SCPs, but SCPs can still be applied to them.

Question 14

Define the role of SCPs in relation to the root account of an AWS account.

Answer 14

SCPs are the only way to constrain the root account of an AWS account.

Question 15

How can permissions be modeled in AWS?

Answer 15

Permissions can be modeled as either a deny-list or an allow-list.

Question 16

Explain the function of the managed FullAWSAccess SCP.

Answer 16

The FullAWSAccess SCP allows all actions and functions as a deny list, as other actions can be explicitly denied in other SCPs.

Question 17

What happens when the FullAWSAccess SCP is removed?

Answer 17

Removing the FullAWSAccess SCP causes permissions to be modeled as an allow-list, meaning actions will only be possible if they are explicitly allowed.

Question 18

Clarify the purpose of SCPs in AWS permissions management.

Answer 18

SCPs do not grant permissions to identities; they only constrain them.

Question 19

How can you block actions outside a specific AWS region using a policy?

Answer 19

You can use a policy that denies actions based on the requested region, specifying conditions to restrict access.

Question 20

Describe the function of the Security Token Service (STS) in AWS.

Answer 20

STS generates temporary credentials when the sts:AssumeRole call is made.

Question 21

What components make up STS credentials?

Answer 21

STS credentials consist of AccessKeyID, Expiration, SecretAccessKey, and SessionToken.

Question 22

How long do STS credentials typically last?

Answer 22

The duration of STS credentials defaults to 1 hour but can range from 15 minutes to 12 hours.

Question 23

What is the role of the trust policy in an IAM role?

Answer 23

The trust policy of an IAM role controls who can assume it via an STS session.

Question 24

Explain the significance of the SessionToken in STS credentials.

Answer 24

The SessionToken is a unique token that must be included in every request made with STS credentials.

Question 25

What does the identity’s ownership of credentials imply in AWS?

Answer 25

The identity does not own its credentials; they are temporary and managed by AWS.

Question 26

Describe the ownership of access keys in IAM roles.

Answer 26

In IAM roles, the access key and secret key are owned by the role itself.

Question 27

Define an inline policy in the context of IAM roles.

Answer 27

An inline policy is used to restrict permissions to be a subset of the role’s permissions.

Question 28

How do temporary credentials relate to IAM roles by default?

Answer 28

By default, temporary credentials have the same permissions as the IAM role.

Question 29

Explain how sessions can be requested in AWS.

Answer 29

Sessions can be requested either by an AWS identity, such as an AWS role, or by an external identity, such as using SAM.

Question 30

What happens if temporary credentials leak?

Answer 30

If temporary credentials leak, an inline condition can be added to the role with an explicit deny for all sessions created for the current time.

Question 31

Describe the condition statement used to revoke leaked credentials.

Answer 31

The condition statement to revoke leaked credentials is: “DateLessThan”: {“aws:TokenIssueTime”: “2014-05-07T23:47:00Z”}.

Question 32

How can you implement a condition statement in IAM?

Answer 32

A condition statement can be implemented via a button in the IAM Console.

Question 33

Define permission boundaries in AWS IAM.

Answer 33

Permission boundaries are used to constrain the permissions an identity can use, preventing users from creating users with higher privileges.

Question 34

Explain the relationship between resource policies and permission boundaries.

Answer 34

Resource policies are not affected by permission boundaries.

Question 35

What is the purpose of Resource Access Manager (RAM) in AWS?

Answer 35

Resource Access Manager (RAM) allows supported resources in one account to be shared with another account.

Question 36

Describe how resources are shared using RAM.

Answer 36

Resources are shared with a principal, which can be an organization, organizational unit (OU), or specific account.

Question 37

How are shared resources displayed in AWS?

Answer 37

Shared resources are visible in the AWS Console.

Question 38

What is notable about availability zone names in AWS accounts?

Answer 38

Availability zone names are rotated between accounts.

Question 39

Describe the importance of consistent naming when sharing resources.

Answer 39

Consistent naming, such as using availability zone IDs (e.g. use1-az2), helps in organizing and identifying resources effectively when sharing.

Question 40

Define the role of the owner account in resource sharing.

Answer 40

The owner account creates the resource share and retains full ownership of it, ensuring control over the shared resources.

Question 41

How must resource shares be accepted in a cross-account sharing scenario?

Answer 41

Resource shares must be accepted by the receiver unless the organization is configured to automatically share resources.

Question 42

Explain the requirements for cross-account access.

Answer 42

Cross-account access requires an ‘Allow’ permission from Account A (e.g. an identity policy) and an ‘Allow’ permission from Account B (e.g. a resource policy).