01-AWS Basics

Question 1

At its core, what is an account?

Answer 1

A container for both identities (user, roles, groups) and AWS resources.

Question 2

What is required for each new AWS account?

Answer 2

Unique email address & payment method.

Question 3

What is an AWS account root user?

Answer 3

A root user that has full access over an account, the resources in the account, and this cannot be restricted.

Question 4

How do you secure the root account?

Answer 4

MFA

Question 5

What invoice model does AWS use?

Answer 5

Pay as you go as you only pay for the resources that you are.

Question 6

What service can be used for creating additional identities?

Answer 6

Identity and Access Management (IAM)

Question 7

What access does identities other than root start out with?

Answer 7

None. They have no access. You must explicitly grant permissions to each identity.

Question 8

How can AWS accounts act as a security boundary?

Answer 8

By creating different accounts for development, testing, production environments as well as accounts for different teams.

Question 9

What types of identities does IAM allow the creation of?

Answer 9

User, Roles, and Groups

Question 10

How is access handled in AWS accounts by default?

Answer 10

All access is denied unless explicitly granted.

Question 11

What are authentication factors?

Answer 11

Pieces of evidence used to prove your identity.

Question 12

What is single factor authentication?

Answer 12

One factor for authentication (e.g., your password)

Question 13

What is multi-factor authentication?

Answer 13

Two factor for authentication (e.g., your password and an MFA device)

Question 14

What are 4 common authentication factors?

Answer 14

knowledge (something you have, like a password), Possession (something you have like an MFA device), Inherence (something you are: fingerprint or face scan), Location (physical or network location).

Question 15

What type of MFA does AWS support

Answer 15

virtual device and physical devices, such as a fob.

Question 16

What authentication factor does AWS use by default?

Answer 16

single factor authentication

Question 17

Why is MFA a critical security feature for an AWS account?

Answer 17

It requires both something you know (password) and something you have (MFA device).

Question 18

What practice should you follow when providing access to necessary resources?

Answer 18

The practice of least privilege access where you only grant the permissions required to perform the task.

Question 19

What does IAM do?

Answer 19

Allows you to control who has access to your account and what they can do.

Question 20

Do all of your AWS account share an instance of IAM or do they have their own instance of IAM?

Answer 20

Each account has their own dedicated instance of IAM.

Question 21

How resilient is IAM?

Answer 21

It is globally resilient, meaning that your IAM data is secure across all AWS regions.

Question 22

Does IAM have any restrictions?

Answer 22

IAM can do almost anything in your account, but there are restrictions around billing control and account closure)

Question 23

What identity objects can you create in IAM?

Answer 23

IAM users, IAM Groups, and IAM Roles

Question 24

What are IAM users?

Answer 24

These typically represent humans or applications that need access to your AWS account or AWS resources.

Question 25

What are IAM Groups?

Answer 25

These are collections of related IAM users.

Question 26

What are IAM roles?

Answer 26

Used by AWS services or to grant external access to your account.

Question 27

What are IAM Policies?

Answer 27

These are objects or documents defining how you allow or deny permissions to services. These are typically attached to IAM users, groups, or roles.

Question 28

At a high level, what are the three main responsibilities of IAM?

Answer 28

Identity Provider (IdP)- Allows you to create, modify, an delete identities. -Authentication - Challenges identities to prove they are who they say they are typically through usernames and passwords. -Authorization - Determines whether authenticated users are allowed or denied access to resources based on policies attached to their identity.

Question 29

How much does IAM cost?

Answer 29

It is free. There are not costs for creating users, groups, or roles.

Question 30

Is IAM a global, region, or AZ based service?

Answer 30

It is a global service, meaning it is resilient across AWS regions.

Question 31

What identities in your account does IAM support?

Answer 31

local identities, but not external identities.

Question 32

Does IAM support Identity Federation and MFA?

Answer 32

Yes

Question 33

What are IAM access keys?

Answer 33

Long-term credentials available within AWS and used by IAM users.

Question 34

What are access skeys typically used for?

Answer 34

CLI

Question 35

Why are access keys called long-term credentials?

Answer 35

Because they do not regularly change or rotate automatically.

Question 36

How many sets of access keys can one IAM user have?

Answer 36

0-2

Question 37

What is the structure of an access key?

Answer 37

Access Key ID - This is the public part -Secret access Key - This is the private part

Question 38

How many times can you download your access keys?

Answer 38

Just once. You can view the Access Key ID anytime, but you can only download or view the Secret Access Key once right after its creation.

Question 39

How do access keys work?

Answer 39

The Access Key ID is like a username and the Secret Access Key is like a password.

Question 40

What happens if someone obtains your access keys?

Answer 40

They can act like you and your IAM user. It is crucial to security store access keys.

Question 41

What management features do IAM users have over their access keys?

Answer 41

Create, Delete, Make Access Keys active or inactive

Question 42

What state are access keys in, by default?

Answer 42

They are active.

Question 43

What should you do it your misplace the Secret Access Key or suspect that your access keys were leaked?

Answer 43

Delete it and create a new one from the console.

Question 44

What should you do after replacing your access key(s)?

Answer 44

Update your CLI config and any services using those keys.

Question 45

What can IAM users have 2 sets of Access Keys?

Answer 45

So they can rotate them. They can create a new set, updated where it is used, and then delete the old set. The term for this is “rotating access keys”.

Question 46

Who can use Access Keys?

Answer 46

IAM users and the root user. IAM roles cannot use them.