ACLOUDGURU Flashcards

1
Q

Can you log into an IAM group?
How many groups can a user be a part of?
How many members can be in a group?
How many groups can you create per AWS account?
Are groups a true identity?
Can IAM policies or resource policies grant access to an IAM group?

A

IAM groups have no credentials, so you cannot log into a group.
An IAM user can be a member of up to 10 groups.
There is no limit to the number of users in a group.
Users have no permissions by default.
There is a default limit of 300 groups per AWS account; it can be raised through a support ticket (Service Quotas).
A user inherits the policies attached to every group it belongs to.
Groups are not true identities: a group is a collection of users, not a principal. A group does have an ARN, but that ARN cannot be used as a Principal in a resource-based policy or a role trust policy.
Consequently a resource policy cannot grant access to an IAM group. You grant permissions to a group by attaching identity-based policies to it, and those apply to its member users.

2
Q

What happens when you restart an EC2 instance vs when you stop and start an EC2 instance?

A

A reboot keeps the instance on the same physical host. A stop followed by a start (whether you stop it or AWS stops it, for example for a retirement) normally lands the instance on a different host; it also loses any instance store data and its public IPv4 address unless it uses an Elastic IP. In both cases the instance stays in the same Availability Zone.
To move an EC2 instance to a different Availability Zone, create an AMI (or EBS snapshots) from it and launch a new instance from that image in the target AZ.

3
Q

Can you attach an IAM role to a running EC2 instance?

A

Yes. A role is attached to an instance through an instance profile, and you can associate an instance profile with a running instance (for example with aws ec2 associate-iam-instance-profile) or replace the one already attached, without stopping the instance.

4
Q

What do IAM roles do?

A

IAM roles allow you to delegate access to users or services that normally don’t have access to your organization’s AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls. Consequently, you don’t have to share long-term credentials or define permissions for each entity that requires access to a resource.

5
Q

What are the challenges resolved by Delegated access using IAM roles?

A

Granting applications that run on Amazon EC2 instances access to AWS resources
To grant applications on an Amazon EC2 instance access to AWS resources, developers might distribute their credentials to each instance. Applications can then use those credentials to access resources such as Amazon S3 buckets or Amazon DynamoDB data. However, distributing long-term credentials to each instance is hard to manage and a security risk (any compromise of the instance leaks a permanent key). Attaching a role to the instance instead gives the application temporary credentials that rotate automatically.

Cross-account access
To control or manage access to resources, such as isolating a development environment from a production environment, you might have multiple AWS accounts. However, in some cases, users from one account might need to access resources in the other account. For example, a user from the development environment might require access to the production environment to promote an update. Without roles, users would need credentials for each account, and managing multiple credentials for multiple accounts makes identity management difficult. A role in the production account that trusts the development account lets those users assume it with temporary credentials instead.

Granting permissions to AWS services
Before AWS services can perform actions for you, you must grant them permissions to do so. You can use IAM roles to grant permissions for AWS services to call other AWS services on your behalf, or create and manage AWS resources for you in your account. AWS services such as Amazon Lex also offer service-linked roles that are predefined and can be assumed only by that specific service.

6
Q

What is an IAM role?

A

An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, trusted entities assume roles, such as IAM users, applications, or AWS services such as EC2.

7
Q

How do I assume an IAM role?

A

You assume an IAM role by calling one of the AWS Security Token Service (STS) AssumeRole APIs: AssumeRole (for IAM users and roles, including cross-account), AssumeRoleWithWebIdentity (for OIDC/web identity federation) and AssumeRoleWithSAML (for SAML federation). These APIs return a set of temporary security credentials (access key ID, secret access key, session token and an expiration) that applications then use to sign requests to AWS service APIs. The role's trust policy decides who may call AssumeRole on it; the caller usually also needs an identity-based policy allowing sts:AssumeRole on that role.
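The following is an added example (not part of the course material) that ties the cross-account scenario from card 5 to the AssumeRole call from card 7. It builds the two policies that must agree for a cross-account assumption to succeed, the trust policy on the role in the target account and the identity-based policy on the caller in the source account, and wraps the boto3 STS call. All account IDs, role names and the ExternalId are placeholders; the STS call itself needs real credentials and network access, so boto3 is imported only inside that function.

```python
"""Cross-account role assumption with STS (added example, not course code).

Assumptions: the account IDs, role ARN, session name and ExternalId below are
placeholders. assume_role_credentials() performs a live AWS call and is not
exercised offline.
"""
import json


def trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy attached to the role in the *target* (e.g. production) account.

    Only principals in trusted_account_id may call sts:AssumeRole, and only when
    they present the agreed ExternalId. The ExternalId condition is the standard
    guard against the confused-deputy problem when a third party assumes the role
    on your behalf.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def caller_policy(role_arn: str) -> dict:
    """Identity-based policy for the user or role in the *source* account.

    Trusting the account root ("...:root") delegates the decision to that
    account's IAM, so the individual caller still needs an explicit Allow on
    sts:AssumeRole for the target role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}
        ],
    }


def assume_role_credentials(role_arn: str, external_id: str,
                            session_name: str = "dev-promote",
                            duration: int = 3600) -> dict:
    """Call STS AssumeRole and return the temporary credentials.

    The returned dict carries AccessKeyId, SecretAccessKey, SessionToken and
    Expiration. The session name shows up in CloudTrail, so use something that
    identifies the human or pipeline behind the call.
    """
    import boto3  # deferred: only needed when actually calling AWS

    sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        ExternalId=external_id,
        DurationSeconds=duration,
    )
    return resp["Credentials"]


if __name__ == "__main__":
    # Placeholder identifiers: production account 111122223333 trusts dev account 444455556666.
    role_arn = "arn:aws:iam::111122223333:role/ProdDeployer"
    print(json.dumps(trust_policy("444455556666", "example-external-id"), indent=2))
    print(json.dumps(caller_policy(role_arn), indent=2))
```

Both policies must be in place: the trust policy alone does nothing for a caller that lacks sts:AssumeRole, and the caller's Allow alone is refused by STS if the role does not trust the caller's account.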

8
Q

What problems do IAM roles solve?

A

IAM roles allow you to delegate access with defined permissions to trusted entities without having to share long-term access keys. You can use IAM roles to delegate access to IAM users managed within your account, to IAM users under a different AWS account, or to an AWS service such as EC2.

9
Q

How many IAM roles can I assume?

How are IAM roles managed?

A

There is no limit to the number of IAM roles you can assume, but a request is made under only one role (one set of temporary credentials) at a time.

You can create and manage IAM roles via the IAM APIs, the AWS CLI, or the IAM console, which gives you a point-and-click, web-based interface.

10
Q

What is the difference between an IAM role and an IAM user?

A

An IAM user has permanent, long-term credentials (a password and/or access keys) and interacts with AWS services directly. An IAM role has no long-term credentials of its own and cannot make requests by itself. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, federated identities, or an AWS service such as EC2, which then act with the role's temporary credentials.

11
Q

When should I use an IAM user, IAM group, or IAM role?

Can I add an IAM role to an IAM group?

A

Use an IAM user for an identity that needs its own long-term credentials (a person or application that cannot use federation or a role). Use an IAM group to manage permissions for a set of users in one place. Use an IAM role whenever the caller can work with temporary credentials: applications on EC2, other AWS services, federated users, and cross-account access.

A role cannot be added to a group: groups hold only IAM users.

12
Q

How many policies can I attach to an IAM role?

A

For inline policies: You can add as many inline policies as you want to a user, role, or group, but the total aggregate policy size (the sum of all inline policies) per entity cannot exceed the following limits:
User policy size cannot exceed 2,048 characters.
Role policy size cannot exceed 10,240 characters.
Group policy size cannot exceed 5,120 characters.
For managed policies: You can attach up to 10 managed policies to a user, role, or group by default (this quota is adjustable). The size of each managed policy cannot exceed 6,144 characters.
IAM does not count white space when measuring a policy against these limits.
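The following is an added example (not from the course) that turns the quotas above into a pre-flight check you can run in CI before calling the IAM API, which otherwise fails with LimitExceeded at deploy time. It measures a policy the way the IAM quota documentation describes (white space is not counted), sums the inline policies of an entity against its quota, and checks managed policies against the per-document size. The bucket_list_policy helper is a constructed sample; its bucket names are placeholders, and the assumption that whitespace inside string values is also ignored is a simplification.

```python
"""Pre-flight check of IAM policy documents against the documented size quotas.

Added example, not course code. Measurement follows the IAM quota rule that
white space is not counted; as a simplification, whitespace inside string
values is ignored as well.
"""
import json

# Aggregate inline policy size per entity (characters, whitespace excluded).
INLINE_LIMITS = {"user": 2048, "group": 5120, "role": 10240}
MANAGED_LIMIT = 6144       # per managed policy document
MANAGED_PER_ENTITY = 10    # default attachment quota (adjustable)


def policy_size(policy) -> int:
    """Number of non-whitespace characters in a policy document.

    Accepts a dict (serialized compactly) or the JSON text as written; either
    way, pretty-printing does not change the result.
    """
    text = policy if isinstance(policy, str) else json.dumps(policy, separators=(",", ":"))
    return sum(1 for ch in text if not ch.isspace())


def inline_fits(entity_type: str, policies: list) -> bool:
    """True if the *sum* of all inline policies fits the entity's quota."""
    total = sum(policy_size(p) for p in policies)
    return total <= INLINE_LIMITS[entity_type]


def managed_fits(policies: list) -> bool:
    """True if each managed policy is within size and the count is within the default quota."""
    return (len(policies) <= MANAGED_PER_ENTITY
            and all(policy_size(p) <= MANAGED_LIMIT for p in policies))


def bucket_list_policy(n_buckets: int) -> dict:
    """Constructed sample: read access to n_buckets buckets, one ARN per bucket.

    Bucket names are placeholders; the point is that per-resource ARNs make a
    policy grow linearly, which is how real policies hit the user quota first.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::example-bucket-{i:03d}/*" for i in range(n_buckets)],
            }
        ],
    }


if __name__ == "__main__":
    for n in (10, 80, 200, 300):
        p = bucket_list_policy(n)
        fits = {kind: inline_fits(kind, [p]) for kind in INLINE_LIMITS}
        print(f"{n:3d} buckets -> {policy_size(p):5d} chars, inline fits {fits}, "
              f"managed fits {managed_fits([p])}")
```

The same policy that fits a role comfortably can exceed a user's inline quota; when that happens, attach it as a managed policy (its own 6,144 limit) or move the user into a group, rather than splitting it into several inline policies, since inline policies are summed per entity anyway.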

13
Q

How many IAM roles can I create?

A

By default you are limited to 1,000 IAM roles per AWS account. If you need more, submit a quota increase request (the IAM limit increase form or Service Quotas) describing your use case.

14
Q

What is a shared responsibility?

A

Encryption. AWS provides the encryption building blocks (KMS, server-side encryption for services such as S3 and EBS, TLS endpoints), but the customer is responsible for deciding what to encrypt, enabling it, and managing key access; client-side encryption is entirely the customer's responsibility.

15
Q

What happens when you don’t give a user permissions manually?

A

A user by default has zero permissions and can’t access anything.

16
Q

What are the two ways an object lock provides ways to manage object retention?

A

Retention period: specifies a fixed period of time during which an object version remains locked. During this period the object version is WORM-protected and cannot be overwritten or deleted.

Legal hold: provides the same protection as a retention period, but it has no expiration date. A legal hold remains in place until you explicitly remove it. Legal holds are independent of retention periods, so an object version can carry both.

17
Q

What are the two retention modes for S3 object lock

A

In governance mode, users can't overwrite or delete an object version or alter its lock settings unless they have special permission (s3:BypassGovernanceRetention, and the request must explicitly ask to bypass governance). With governance mode you protect objects against deletion by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary. You can also use governance mode to test retention-period settings before creating a compliance-mode retention period.
In compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in compliance mode, its retention mode can't be changed and its retention period can't be shortened. Compliance mode ensures that an object version can't be overwritten or deleted for the duration of the retention period.

18
Q

What can object locks be applied across?

A

Both levels. Object Lock must first be enabled on the bucket (versioning is required). You can then set a default retention mode and period on the bucket, which applies to every new object version, and set or override retention and legal holds on individual object versions.

19
Q

What are the types of encryption?

A

Data protection refers to protecting data while in transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You protect data in transit using Secure Sockets Layer/Transport Layer Security (SSL/TLS), optionally combined with client-side encryption. You have the following options for protecting data at rest in Amazon S3:

Server-Side Encryption: Amazon S3 encrypts your object before saving it on disk in its data centers and decrypts it when you download the object. Three key-management options exist:
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
Server-Side Encryption with KMS keys stored in AWS Key Management Service (SSE-KMS)
Server-Side Encryption with Customer-Provided Keys (SSE-C)
Since January 2023 S3 applies SSE-S3 to every new object by default unless you choose another option.

Client-Side Encryption: encrypt data on the client and upload the ciphertext to Amazon S3. In this case you manage the encryption process, the encryption keys, and related tools.

20
Q

How do you enforce server side encryption?

A

Two ways: set default encryption on the bucket (console, CLI or API), so objects uploaded without an encryption header are still encrypted; or enforce it with a bucket policy that denies any s3:PutObject request whose s3:x-amz-server-side-encryption condition key (the request header) is missing or is not the expected value (AES256 or aws:kms). Note that with default encryption enabled, a Deny on a missing header will reject clients that simply relied on the bucket default.
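The following is an added example (not from the course) showing the enforce-SSE bucket policy as a Python dict together with a minimal evaluator for the two condition operators it uses, so you can see which sample PutObject requests each Deny statement catches. The bucket name is a placeholder, the request headers are constructed, and the evaluator handles only Null and StringNotEquals; it is not a general IAM policy simulator.

```python
"""Bucket policy that rejects unencrypted PutObject requests, plus a minimal
check of how its Deny statements react to constructed requests.

Added example, not course code. BUCKET is a placeholder; _condition_matches
implements only the Null and StringNotEquals operators.
"""
from typing import Optional

BUCKET = "example-bucket"  # placeholder

# The condition key s3:x-amz-server-side-encryption mirrors the request header.
ENFORCE_SSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            # Null=true matches when the header is absent from the request
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {
            "Sid": "DenyWrongEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}
            },
        },
    ],
}


def _condition_matches(condition: dict, headers: dict) -> bool:
    """Evaluate a Condition block (Null / StringNotEquals only) against headers.

    Every operator/key pair must match for the condition to be true.
    """
    for operator, keys in condition.items():
        for key, expected in keys.items():
            value = headers.get(key)
            if operator == "Null":
                # "true" matches an absent key, "false" matches a present key
                if (value is None) != (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                allowed = expected if isinstance(expected, list) else [expected]
                # Negated operators match when the key is absent, which is why
                # this statement alone would also block header-less uploads.
                if value is not None and value in allowed:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def put_object_denied(headers: dict, policy: dict = ENFORCE_SSE_POLICY) -> Optional[str]:
    """Return the Sid of the first Deny statement blocking the upload, or None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _condition_matches(stmt["Condition"], headers):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    # Constructed sample requests: header value -> which statement denies it
    for hdr in (None, "AES256", "aws:kms", "bogus"):
        req = {} if hdr is None else {"s3:x-amz-server-side-encryption": hdr}
        print(f"{hdr!s:>8}: denied by {put_object_denied(req)}")
```

If the bucket already has default encryption and the goal is only "every object is encrypted somehow", drop the DenyUnencryptedUploads statement; keep it (or restrict the allowed list to aws:kms) when the goal is to force clients to request a specific key type.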

21
Q
1. What is an S3 prefix?

2. How does a prefix help in performance?

A
  1. A prefix is the leading part of an object key, which the console shows as folders: for example folder1/subfolder2/ in the key folder1/subfolder2/file.txt.
  2. S3 sustains at least 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix, and these limits scale with the number of prefixes. Spreading keys across two prefixes therefore gives 11,000 GET/HEAD requests per second, and there is no upper limit on the number of prefixes in a bucket.
22
Q

What gets called when you upload and download a file in S3 when using KMS?

A

When you upload an object with SSE-KMS, S3 calls GenerateDataKey in the KMS API to obtain a per-object data key (returned in plaintext and encrypted under the KMS key); when you download it, S3 calls Decrypt to unwrap the stored encrypted data key.

23
Q

What are the KMS limits when it comes to S3?

A

KMS has a per-account, per-region request quota for cryptographic operations of 5,500, 10,000 or 30,000 requests per second depending on the region. Every SSE-KMS upload and download counts against it (GenerateDataKey and Decrypt respectively), so a busy bucket can be throttled by KMS rather than by S3. The course treats this quota as non-adjustable; it can now be raised through Service Quotas, and S3 Bucket Keys reduce the number of KMS calls. SSE-S3 does not touch KMS at all, which is why it scales more easily for very high request rates.

24
Q

What is the difference between ENI, EN (ENA, VF) and EFA? (incomplete)

A
  1. An ENI (Elastic Network Interface) is the basic virtual network card attached to an instance. Enhanced Networking (EN) uses SR-IOV to give the instance direct access to a network device, through either the Elastic Network Adapter (ENA, up to 100 Gbps) or the older Intel 82599 Virtual Function (VF, up to 10 Gbps). An EFA (Elastic Fabric Adapter) is an ENI with OS-bypass capabilities for tightly coupled HPC and machine-learning workloads.
  2. Always pick ENA over VF because it is the modern, faster option.
25
Q

What are the different types of placement groups? (incomplete)

A
  1. Cluster, spread and partition. A cluster placement group can't span multiple Availability Zones, whereas spread and partition placement groups can.
  2. Only certain instance types can be launched into a cluster placement group (compute optimised, GPU/accelerated, memory optimised and storage optimised families).
26
Q

Where do you use spot instances?

A

Workloads that tolerate interruption: big data, containerised workloads, CI/CD, high performance computing, and other test and development workloads.