Advanced Permissions & Accounts

Question 1

What happens when the (sts:AssumeRole*) is used?

Answer 1

It generates temporary credentials

Question 2

What do access keys contain?

Answer 2

Access Key ID and Secret Access Key

Question 3

What is Access Key ID?

Answer 3

Public Part

Question 4

What is Secret Access Key

Answer 4

Private Part

Question 5

What happens to temporary credentials?

Answer 5

They Expire

Question 6

Do temporary credentials belong to the identity?

Answer 6

No they dont

Question 7

How are temp credentials requested?

Answer 7

By an identity (AWS or External)

Question 8

Can you invalidate temporary credentials?

Answer 8

No, they expire when they expire

Question 9

What happens when you change permission policy?

Answer 9

It effects everyone

Question 10

So how do you revoke permissions?

Answer 10

Adding conditional element

Question 11

Denying access to anyone who assumed a role before an date and time is called what?

Answer 11

Conditional element

Question 12

Identifying how many statements make up a policy document is what part of breaking down a statement?

Answer 12

Part 1

Question 13

Breaking down the policy is the same regardless of what?

Answer 13

How short or long policy is

Question 14

A policy statement is either a?

Answer 14

A single or list of statments

Question 15

How can you tell if you have a single statement?

Answer 15

It has one or more curly braces

Question 16

How can you tell if you have a list of statements?

Answer 16

It has square brackets

Question 17

Identifying what a statement does is what part of breaking down a statement?

Answer 17

The 2nd part

Question 18

Every statement has an effect, what are they and in what order?

Answer 18

DENY/Allow/Default Deny

Question 19

What does Wildcard mean?

Answer 19

All objects & paths

Question 20

A statement in effect if certain conditions are met is what?

Answer 20

Conditional Block

Question 21

Deny Policies are normally accompanied by what? Since by default no effect is auto deny

Answer 21

An Allow policy

Question 22

What matches anything not listed inside its component

Answer 22

Any NOT operation

Question 23

What should you look for first on a policy?

Answer 23

Not Operations

Question 24

What effects the maximum number of permissions an IAM User or Role has?

Answer 24

Permissions Boundary

Question 25

What effects the maximum number of permissions an IAM User or Role can receive?

Answer 25

Permissions Boundary

Question 26

Any permissions outside the boundaries are what?

Answer 26

Not in effect

Question 27

IAM permissions Boundaries only impact what?

Answer 27

Identity Permissions

Question 28

If IAM Permissions Boundaries only Impact Identity Permissions, What policy applies in Full Effect?

Answer 28

Resource Policies

Question 29

What does AWS check for first when Evaluating Policy Logic?

Answer 29

Explicit Deny

Question 30

What comes after Explicit Deny in Policy Logic Evaluation?

Answer 30

SCPs

Question 31

What comes after SCPs in Policy Logic Evaluation?

Answer 31

Resource Policies

Question 32

What comes after Resource Policies in Policy Logic Evaluation?

Answer 32

Permission Boundaries

Question 33

What comes after Permission Boundaries in Policy Logic Evaluation?

Answer 33

Session Policies

Question 34

What comes after Session Policies in Policy Logic Evaluation?

Answer 34

Identity Policies

Question 35

What effect does Policy Evaluation Logic look for when moving through each policy in each step

Answer 35

Deny Allow Deny

Question 36

What allows you to share resources between AWS Accounts?

Answer 36

AWS Resource Access Manager

Question 37

Do products need to support Resource Access Manager? True or False

Answer 37

True

Question 38

Who does AWS Resource Access Manager share with?

Answer 38

Principals, Accounts, OUs or Organizations

Question 39

Shared Resources are what to accounts, principals. OUs and Organizations?

Answer 39

Visible and Accessed Natively in UI

Question 40

Are you charged for using ( RAM ) ?

Answer 40

No, only the service cost

Question 41

AZs Rotate physical locations and may not be same AZ as someone else.
True or False?

Answer 41

True

Question 42

Why is hard to coordinate resources between accounts in performance or HA perspective?

Answer 42

Because of AZ Rotation

Question 43

What do AZs use which is consistent across account and can be used for different accounts and shared infrastructure deployments?

Answer 43

AZ ID

Question 44

What does the 2 parts of example USE-AZ1 broken down tell you?

Answer 44

Region and AZ number

Question 45

What does the Owner do in AWS Resource Access Manager?

Answer 45

Create share and provide name

Question 46

Does the Owner of Resource Access Manager retain ownership?

Answer 46

Yes

Question 47

What principal does the Owner of RAM define to share with?

Answer 47

AWS Account or ORG

Question 48

What does enabling sharing in ORG within RAM do?

Answer 48

Automatically accept invite

Question 49

What do non org account in RAM have to do manually?

Answer 49

Accept Invites

Question 50

What does a created VPC in RAM provide to other accounts?

Answer 50

Shared Infrastructure Services

Question 51

VPC Owners create and manage the VPC & Subnets and then what?

Answer 51

Share to participants

Question 52

What cant Participants do within a VPC?

Answer 52

Provision but cant modify or delete

Question 53

What can’t VPC owners do within RAM if participant adds resources?

Answer 53

Modify or delete resources

Question 54

Some Resources in RAM can be shared with any account and some with org accounts only/

True or False?

Answer 54

True

Question 55

What defines how much of a thing you can use inside an AWS account?

Answer 55

AWS Service Quota

Question 56

Each service has a default region Quota

True or False

Answer 56

True

Question 57

Most service quota can’t be increased

True or False?

Answer 57

False

Question 58

Some services have a per account quota

True or False?

Answer 58

True

Question 59

Some services can’t increase quota because of?

Answer 59

Architecture impacts

Question 60

Higher increases in quota means?

Answer 60

more process and time needed

Question 61

How do you predefine service quotas that can be used as a template for other accounts?

Answer 61

Quota request template

Question 62

How does quota request template help?

Answer 62

Reduces admin overhead

Question 63

How do you set an alert that you are approaching your quota limit?

Answer 63

Using CloudWatch alarm

Question 64

Can you access service quota using the command line?

Answer 64

Yes

Question 65

Who owns an object that is uploaded to a bucket?

Answer 65

The account who uploaded

Question 66

What is the legacy method of S3?

Buckets are owned by the PROD account. Objects owned by account that PUTS object in bucket

Answer 66

ACL

Question 67

What grants account to external Identities.

Objects owned by account which PUTS; can use account IDS and IAM Users with resource policy

Answer 67

Bucket Policy

Question 68

Who owns the bucket and object when you assume Role with IAM and operate as an identity in that account?

Answer 68

The account owner