A Cantrill - IAM, ACCOUNTS AND AWS ORGANISATIONS

Question 1

What is the order of priority for IAM permissions? (who can access what?)

Answer 1

1. Explicit DENY
2. Explicit ALLOW
3. Default DENY (Implicit)

Question 2

What IAM policy method is best practice? Managed or Inline Policy?

Answer 2

Managed policy is best practice

Question 3

What is a principal in IAM?

Answer 3

A person, service account or application

Question 4

What are the limits for number of IAM users per account?
What is the limit for number of groups that 1 User can be a part of?

Answer 4

-5,000 IAM users per account
-IAM user can be a member of 10 groups

Question 5

What is the best IAM strategy for very large organizations or “Internet scale applications”?

Answer 5

IAM Roles (not users) & Identity Federation

Question 6

What is the limit of groups in an account?

Answer 6

300 groups

Question 7

T or F: Groups are NOT a true identity. They CANNOT be referenced as a principal in a policy

Answer 7

True

Question 8

What are the two types of policies that can be attached to a IAM Role?

Answer 8

Trust Policy and Permissions policy

Question 9

What are the two types of policies that can be attached to a IAM User?

Answer 9

Inline policy and Managed policy

Question 10

In AWS organization, what are the types of accounts?

Answer 10

Management account (aka payer account), Member accounts,

Question 11

What is CloudTrail?

Answer 11

Logs API calls and account events.

It’s very often used to diagnose security or performance issues, or to provide quality account level traceability.

Question 12

How long are CloudTrail Events stored by default?

Answer 12

CloudTrail events are stored 90 days by default

Question 13

Where are Global services (IAM, STS, CloudFront) CloudTrail located?

Answer 13

US-East-1

Question 14

What are the two types of Cloudtrail events? And which one is NOT enabled by default?

Answer 14

Management and Data events.

Data events are NOT enabled by default

Question 15

-What is the feature of CloudTrail that allows you to store Events in a place other than CloudTrail Events ?

-And where can you store these Events?

Answer 15

-CloudWatch Trails

-S3 and CloudWatch Logs.

Question 16

Is CloudTrail a good use case for “realtime” events?

Answer 16

No CloudTrail is NOT a realtime service

Question 17

What is the typical delivery time of CloudTrail events?

Answer 17

Typically 15 minutes

Question 18

What is AWS Control Tower?

Answer 18

Ability to set up and govern Multi-Account environment that prescribes best practices.

Orchestrates several other AWS services such as Organizations, Service Catalog, and AWS IAM Identity Center, Cloud Formation, Config, etc.

Question 19

What is the multi-account environment in AWS Control Tower?

Answer 19

Landing Zone.

Question 20

What is a feature in Control Tower that can detect/mandate rules and standards across all accounts?

Answer 20

AWS Guard Rails.

Question 21

What are the three levels of Control Tower Guard Rails?

Answer 21

Mandatory, Strongly Suggested, Elective.

Question 22

What are the two services that Guard Rails uses that to make its rules?

Answer 22

AWS ORG SCPs - Preventative (stops you from doing things)
AWS Config - Detective (compliance checks)

Question 23

What is Account Factory?

Answer 23

Allows a user to create accounts but has guard rails and limits

Question 24

What account type is unaffected by SCPs?

Answer 24

Management account in AWS organizations.

Question 25

Does Cloudtrail have realtime processing capabilities?

Answer 25

No, amazon Cloudtrail does not have realtime processing.

Question 26

What needs to be done for logging in AWS to be encrypted?

Answer 26

Using Cloudtrail by default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE)