Advanced IAM Flashcards

1
Q

What does ARN stand for?

A

Amazon Resource Name

2
Q

What is the component syntax of an ARN?

A
  • All ARNs begin with **arn:partition:service:region:account_id:**
    • If a section is not applicable, it is left empty (so you can see ::)
  • And end with a resource
    • resource
    • resource_type/resource
    • resource_type/resource/qualifier
    • resource_type/resource:qualifier
    • resource_type:resource
    • resource_type:resource:qualifier
3
Q

What are the major differences between the two types of IAM Policies?

A
  • Identity Policies
    • attached to an IAM user, group, or role
    • specify what an identity can do
  • Resource policies
    • attached to a resource
    • specify who can do what to the resource
4
Q

Do IAM policies take effect upon creation?

A

No. An IAM Policy has no effect until it is attached to a resource or role.

5
Q

What is the basic format of an IAM policy document?

A
  • Version # (YYYY-MM-DD)
  • List of statements, each individual statement enclosed in {}
    • Each statement matches an AWS API Request
    • Each statement has an Effect, either Allow or Deny
    • Each statement has a list of Actions to which the Effect applies, of the form *servicename:ActionName*
    • Each statement has a Resource the Action is against (in ARN form)
    • Idea: (Allow/Deny) Resource to do Actions
6
Q

What is an AWS API Request?

A

Any action you can perform against AWS

7
Q

If an IAM policy does not explicitly allow an API action, might it still be implicitly allowed?

A

No

If an action is not explicitly allowed, it is implicitly denied

8
Q

In general, how does AWS reconcile multiple attached policies to the same user or resource?

A

AWS joins all applicable policies

9
Q

Suppose your IAM user has 2 policies, one of which explicitly denies access to all S3 buckets, the other of which explicitly allows access to a specific S3 bucket. Will this user be allowed to access the specific S3 bucket?

A

No

An explicit deny overrides anything else in any other policy

10
Q

What is the purpose of AWS Permission Boundaries?

A
  • The idea is to prevent privilege escalation or unnecessarily overbroad permissions
  • Controls maximum permissions an IAM policy can grant
11
Q

What are some use cases for AWS Permission Boundaries?

A
  • Developers creating roles for Lambda functions
  • Application owners creating roles for EC2 instances
  • Administrators creating ad hoc users
12
Q

In the context of IAM, what does RAM stand for?

A

Resource Access Manager

13
Q

What is the general use case of AWS Resource Access Management?

A
  • Resource Sharing between accounts
  • Can be between individual accounts or between accounts within AWS Organizations
14
Q

Which AWS Resources can I share using AWS Resource Access Management?

A
  • App Mesh
  • Aurora
  • CodeBuild
  • EC2
  • EC2 Image Builder
  • License Manager
  • Resource Groups
  • Route53
15
Q

What does SSO stand for?

A

Single Sign-On

16
Q

What does SAML stand for?

A

Security Assertion Markup Language

17
Q

What are the general use cases for AWS SSO?

A
  • Centrally manage access to AWS Resources
  • Using existing identities to log in to AWS
  • Governing account-level permissions
  • SAML
18
Q

Suppose you have a fleet of EC2 instances, all joined to the same Active Directory domain. Do you need to manage the credentials on the individual EC2 instances?

A

No

AWS Directory Service provides SSO to any domain-joined EC2 instance

19
Q

What is the purpose of AWS Directory Service?

A

Connecting AWS resources with on-premises AD

20
Q

When using AWS Managed Microsoft AD, who is responsible for ensuring multi-AZ deployment?

A

AWS

21
Q

What does AD stand for?

A

Active Directory

22
Q

What is Active Directory?

A
  • On-premises directory service
  • Uses a hierarchical database of users, groups, and computers, organized in trees and forests
  • You apply group policies to help you manage users and devices on a network
23
Q

What is the key feature of AWS Managed Microsoft AD?

A

AD domain controllers (to which you have exclusive access) running Windows Server that are reachable by applications in your VPCs

24
Q

How does AWS Managed Microsoft AD ensure high availability?

A
  • You get 2 DCs by default
  • You can also add DCs for additional HA and performance
25
Q

When using AWS Managed Microsoft AD, who is responsible for backup operations?

A

AWS

26
Q

When using AWS Managed Microsoft AD, who is responsible for ensuring you are on the most up-to-date version of the software?

A

AWS

27
Q

When using AWS Managed Microsoft AD, who is responsible for scaling out domain controllers?

A

You

28
Q

When using AWS Managed Microsoft AD, who is responsible for maintaining users, groups, and group policy objects?

A

You

29
Q

Suppose you want to extend existing AD to your on-premises infrastructure. What tool might you use to do this?

A

AD Trust

30
Q

When using AWS Managed Microsoft AD, who is responsible for any identity federation?

A

You

31
Q

When using AWS Managed Microsoft AD, who is responsible for dealing with certificate authorities?

A

You

32
Q

What is AWS Simple AD?

A

A standalone managed directory in the cloud used for basic AD features

33
Q

Does AWS Simple AD support trusts?

A

No

34
Q

How many users can a small Simple AD handle?

A

Up to 500

35
Q

How many users can a large Simple AD handle?

A

Up to 5000

36
Q

Does Simple AD allow you to join with on-premises AD?

A

No, Simple AD does not support trusts

37
Q

What is AD Connector?

A
  • AD Connector is a directory gateway (proxy) for on-premises AD
38
Q

What is AWS Cloud Directory?

A
  • A fully managed directory-based store for developers
  • Used in applications that implement org charts, course catalogs, device registries
39
Q

What are Amazon Cognito User Pools?

A
  • Managed user directory for SaaS applications
  • Sign-up and sign-in for web / mobile
  • Typically used with social media identities
40
Q

What does SaaS stand for?

A

Software as a Service

41
Q

What are the key benefits of AD Connector?

A
  • Avoid caching information in the cloud
  • Allow on-premises users to log in to AWS using AD
  • Join EC2 instances to your existing AD domain
  • Scale across multiple AD connectors