4. IAM + AWS CLI Flashcards
What error will you get if you try to ssh into an instance with a new keypair?
Permissions 0644 for ‘.pem’ are too open.
How do you fix new keypair permissions?
chmod 0400 .pem
What are the default security group traffic rules?
All inbound traffic is blocked by default. All outbound traffic is authorized by default.
One IAM Role per ___?
Application
If your application is not accessible (timeout), what is the cause?
Security group issue
If your application gives a “connection refused” error, what is the cause?
Application error or application is not launched
What credential types are supported by IAM for CodeCommit?
- Git credentials
- SSH Keys
- AWS Access Keys
What service should you use to “help identify the unused roles”?
Access Advisor feature on IAM console
To help identify the unused roles, IAM reports the last-used timestamp that represents when a role was last used to make an AWS request. Your security team can use this information to identify, analyze, and then confidently remove unused roles.
What service “helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity”?
IAM Access Analyzer
What service “provides you real-time guidance to help you provision your resources following AWS best practices on cost optimization, security, fault tolerance, service limits, and performance improvement”?
AWS Trusted Advisor
AWS Trusted Advisor is an online tool that provides you real-time guidance to help you provision your resources following AWS best practices on cost optimization, security, fault tolerance, service limits, and performance improvement.
What service “automatically assesses applications for exposure, vulnerabilities, and deviations from best practices”?
Amazon Inspector
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.
What type of policy should you use to “define which principal entities (accounts, users, roles, and federated users) can assume the role”?
Trust policy
Trust policies define which principal entities (accounts, users, roles, and federated users) can assume the role. An IAM role is both an identity and a resource that supports resource-based policies. For this reason, you must attach both a trust policy and an identity-based policy to an IAM role. The IAM service supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role.
How do you grant a user access to the AWS Billing and Cost Management Service?
By default, IAM users do not have access to the AWS Billing and Cost Management console. You or your account administrator must grant users access. You can do this through the following steps:
- Activating IAM user access to the Billing and Cost Management console
- Attaching an IAM policy to your users
- Activate IAM user access for IAM policies to take effect (you only need to activate IAM user access once)
IAM Policies define what _____ can and cannot do.
IAM Policies define what Users, Groups, and Roles can and cannot do.
What “acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic”?
Security Groups