01 Accounts & Permissions Flashcards

1
Q

Describe AWS Organisations.

A

AWS Organisations is a service that allows users to manage multiple AWS accounts in a hierarchical structure.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Define the management account in AWS Organisations.

A

The management account is the account that created the organisation and can invite other existing accounts to join.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

How can existing accounts join an AWS Organisation?

A

Existing accounts can be invited to join an AWS Organisation, but they must agree to the invitation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What are member accounts in AWS Organisations?

A

Member accounts are accounts that are part of an organisation, which can be either invited existing accounts or newly created accounts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Describe the hierarchical structure of AWS Organisations.

A

The hierarchical structure includes an organisation root at the top level, with Organisation Units (OUs) as sub-groupings of accounts and other nested OUs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Explain consolidated billing in AWS Organisations.

A

Consolidated billing allows charges from all member accounts to be billed to the management account, pooling reservations and volume discounts across the organisation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is the payer account in the context of AWS Organisations?

A

The payer account is another term for the management account, which handles the consolidated billing for all member accounts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

How does consolidated billing affect billing methods in AWS Organisations?

A

Consolidated billing overrides any billing methods that were added to accounts before they joined the organisation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is the best practice architectural pattern for accessing AWS accounts?

A

The best practice is to have a single AWS account for users to log into, using roles to perform actions in other accounts or to assume roles in those accounts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Define Service Control Policies (SCPs) in AWS Organisations.

A

Service Control Policies (SCPs) are a feature that restricts what actions an account can perform within AWS Organisations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

How are Service Control Policies applied in AWS Organisations?

A

SCPs can be applied to the entire organisation, specific Organisation Units (OUs), or individual accounts, and they are enforced down the hierarchy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Describe how Service Control Policies (SCPs) affect AWS accounts and organizational units (OUs).

A

Applying an SCP to an OU affects all accounts and nested OUs within that OU.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Do management accounts have restrictions imposed by SCPs?

A

Management accounts are not restricted by SCPs, but SCPs can still be applied to them.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Define the role of SCPs in relation to the root account of an AWS account.

A

SCPs are the only way to constrain the root account of an AWS account.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

How can permissions be modeled in SCPs?

A

Permissions can be modeled as either a deny-list or an allow-list.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Explain the function of the managed FullAWSAccess SCP.

A

The FullAWSAccess SCP allows all actions and functions as a deny list, as other actions can be explicitly denied in other SCPs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What happens when the FullAWSAccess SCP is removed?

A

Removing the FullAWSAccess SCP causes permissions to be modeled as an allow-list, meaning actions will only be possible if they are explicitly allowed.

18
Q

Clarify the purpose of SCPs in AWS permissions management.

A

SCPs do not grant permissions to identities; they only constrain them.

19
Q

How can you block actions outside a specific AWS region using a policy?

A

You can use a policy that denies actions based on the requested region, specifying conditions to restrict access.

20
Q

Describe the function of the Security Token Service (STS) in AWS.

A

STS generates temporary credentials when the sts:AssumeRole call is made.

21
Q

What components make up STS credentials?

A

STS credentials consist of AccessKeyID, Expiration, SecretAccessKey, and SessionToken.

22
Q

How long do STS credentials typically last?

A

The duration of STS credentials defaults to 1 hour but can range from 15 minutes to 12 hours.

23
Q

What is the role of the trust policy in an IAM role?

A

The trust policy of an IAM role controls who can assume it via an STS session.

24
Q

Explain the significance of the SessionToken in STS credentials.

A

The SessionToken is a unique token that must be included in every request made with STS credentials.

25
Q

What does the identity’s ownership of credentials imply in AWS?

A

The identity does not own its credentials; they are temporary and managed by AWS.

26
Q

Describe the ownership of access keys in IAM roles.

A

In IAM roles, the access key and secret key are owned by the role itself.

27
Q

Define an inline policy in the context of STS.

A

An inline policy is used to restrict permissions to be a subset of the role’s permissions.

28
Q

How do temporary credentials relate to IAM roles by default?

A

By default, temporary credentials have the same permissions as the IAM role.

29
Q

Explain how sessions can be requested in AWS.

A

Sessions can be requested either by an AWS identity, such as an AWS role, or by an external identity, such as using SAM.

30
Q

What happens if temporary credentials leak?

A

If temporary credentials leak, an inline condition can be added to the role with an explicit deny for all sessions created for the current time.

31
Q

Describe the condition statement used to revoke leaked credentials.

A

The condition statement to revoke leaked credentials is: “DateLessThan”: {“aws:TokenIssueTime”: “2014-05-07T23:47:00Z”}.

32
Q

How can you implement a condition statement in IAM?

A

A condition statement can be implemented via a button in the IAM Console.

33
Q

Define permission boundaries in AWS IAM.

A

Permission boundaries are used to constrain the permissions an identity can use, preventing users from creating users with higher privileges.

34
Q

Explain the relationship between resource policies and permission boundaries.

A

Resource policies are not affected by permission boundaries.

35
Q

What is the purpose of Resource Access Manager (RAM) in AWS?

A

Resource Access Manager (RAM) allows supported resources in one account to be shared with another account.

36
Q

Describe how resources are shared using RAM.

A

Resources are shared with a principal, which can be an organization, organizational unit (OU), or specific account.

37
Q

How are shared resources displayed in AWS?

A

Shared resources are visible in the AWS Console.

38
Q

What is notable about availability zone names in AWS accounts?

A

Availability zone names are rotated between accounts.

39
Q

Describe the importance of consistent naming when sharing resources.

A

Consistent naming, such as using availability zone IDs (e.g. use1-az2), helps in organizing and identifying resources effectively when sharing.

40
Q

Define the role of the owner account in resource sharing.

A

The owner account creates the resource share and retains full ownership of it, ensuring control over the shared resources.

41
Q

How must resource shares be accepted in a cross-account sharing scenario?

A

Resource shares must be accepted by the receiver unless the organization is configured to automatically share resources.

42
Q

Explain the requirements for cross-account access.

A

Cross-account access requires an ‘Allow’ permission from Account A (e.g. an identity policy) and an ‘Allow’ permission from Account B (e.g. a resource policy).