Advanced IAM (ACG) Flashcards

1
Q

What is Web Identity Federation?

A

Simplifies authentication and authorization for web apps.

Users access AWS resources after authenticating with a web-based identity provider like Google or Facebook.

2
Q

Which Amazon service provides web ID federation, including sign-up and sign-in functionality for your app and access for guest users?

A

Amazon Cognito

3
Q

What are user pools for?

A

Sign-up and sign-in functionality for mobile and web apps.

4
Q

What are identity pools for?

A

Provide temporary AWS credentials to AWS services such as S3 or DynamoDB.

5
Q

What is exchanged for AWS credentials when someone authenticates to their Cognito user pool with a successful Facebook login?

A

Facebook sends a JWT (JSON Web Token), which is exchanged for AWS credentials. The credentials are mapped to an IAM role which provides access to AWS services.

6
Q

What is the AWS recommended approach for web ID federation for mobile apps?

A

Cognito

7
Q

What does Cognito use to send silent push notifications of user data updates to multiple devices?

A

Cognito Push Synchronization uses SNS to send a silent push notification of user data updates to multiple devices associated with a single user ID.

8
Q

What are AWS Managed Policies?

A

Includes AWS managed default policies like AmazonDynamoDBFullAccess or AmazonEC2ReadOnlyAccess.

9
Q

What is the difference between a Customer Managed Policy and an Inline Policy?

A

They are both created by you, but an inline policy only applies to a single user, group or role. Inline policies cannot be shared.

10
Q

In most cases, what is AWS's recommendation for policies?

A

In most cases, AWS recommends using managed policies over inline policies.

11
Q

What is STS AssumeRoleWithWebIdentity?

A

A Security Token Service API call that returns temporary security credentials for users authenticated by a web ID provider like Google, Amazon or Facebook. Cognito does this automatically on your behalf.

12
Q

What are the identifiers your application code refers to for temporary AWS credentials?

A

Within AssumedRoleUser, the Arn and AssumedRoleId are the identifiers used to reference temporary credentials (not an IAM role or user).

13
Q

With STS, after the user has authenticated, what API call does the application make?

A

assume-role-with-web-identity

14
Q

Which IAM feature allows you to have your users authenticate using Facebook, Google or Amazon?

A

Web Identity Federation

15
Q

Which Amazon Cognito component enables you to provide users with temporary credentials that grant access only to allowed AWS services?

A

Identity Pools

16
Q

You are developing a new mobile application to share photos. Which AWS technology can you use to ensure your users have a seamless experience across all their devices?

A

Cognito

17
Q

How can you allow a user from one AWS account to access and manage resources in another AWS account?

A

Configure cross-account access

18
Q

Amazon Cognito provides Web Identity Federation with which of the following features? (choose 3)

  • Sign-up and sign-in to your applications
  • Multi-Factor Authentication
  • Single sign-on for Active Directory users
  • Synchronization of user data across multiple device types
A
  • Sign-up and sign-in to your applications
  • Multi-Factor Authentication
  • Synchronization of user data across multiple device types
19
Q

Which API call can be used to enable a user authenticated by Facebook to access your web application hosted in AWS?

A

STS assume-role-with-web-identity

20
Q

What does Cognito use to manage sign-up and sign-in functionality for mobile and web applications?

A

User Pools

21
Q

When using Web Identity Federation to allow a Facebook user to access an AWS service (such as an S3 bucket), what is the correct order of steps?

A

A user authenticates with Facebook first. They are then given an ID token by Facebook, which they can then trade for temporary security credentials.

22
Q

You are working on a mobile phone app for an online retailer that stores customer data in DynamoDB. You would like to allow new users to sign up using their Facebook credentials. What is the recommended approach?

A

After the user has successfully logged in to Facebook and received an authentication token, Cognito should be used to exchange the token for temporary access to DynamoDB.

23
Q

Which of the following correctly describes an Inline Policy? (choose 2)

  • It is embedded in a user, group or role
  • The policy will be deleted if you delete the user, group or role it is associated with
  • You cannot change the permissions defined in the policy
  • It can be attached to multiple users and groups within your AWS account
A
  • It is embedded in a user, group or role
  • The policy will be deleted if you delete the user, group or role it is associated with

24
Q

Which policies are provided by AWS to allow you to easily assign IAM permissions to your users based on pre-defined common use cases?

A

AWS Managed Policy

25
Q

What allows users to use their social media account to gain temporary access to the AWS platform?

A

Web Identity Federation

26
Q

When would you use an Inline Policy over a Managed Policy?

A

To add permissions that are only ever intended to be used for a single user in your account

27
Q

Which is the best way to enable S3 read-access for an EC2 instance?

A

Create an IAM role with read-access to S3 and assign the role to the EC2 instance

28
Q

What can you use to test that an IAM policy attached to a user, group or role works as expected?

A

IAM Policy Simulator

29
Q

Which IAM entity can you use to delegate access to trusted entities such as IAM users, applications, or AWS services such as EC2?

A

IAM Role