AIM Basics Flashcards

Question 1

Q

What is AWS IAM?

Answer

A

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources
IAM is a Global service
IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

Question 2

Q

What are some IAM features?

Answer

A

Shared access to your AWS account
Granular permissions
Secure access to AWS resources for applications that run on Amazon EC2
Multi-factor authentication (MFA)
Identity federation - 3rd party authenticated providers
Identity assurance - AWS CloudTrail activity logs
PCI DSS Compliance
Integrated with many AWS services
Evenly Consistent - high availability by replicating data across multiple servers
Free to use

Question 3

Q

What is a federated identity user?

Answer

A

Federated Identity users are users authenticated with a 3rd party provider such as Facebook, Google, Instagram, etc.

Question 4

Q

What are the sign in options available for AWS?

Answer

A

Sign in with:
* AWS Management Console as a root user or IAM user
* AWS access portal as a user in IAM Identity Center
* Federated Identity user
* AWS Command Line Interface (CLI)
* Programmatic methods like SDK and API
* Sign in with AWS Builder ID - personal profile linked to AWS training

If you don’t use AWS tools, you must sign requests yourself such as sign-in API requests using AWS Signature Version 4

Question 5

Q

How are you authorized to access AWS resources?

Answer

A

You must be authenticated (sign in) to AWS
Authenticated users can access resource based on their permission policies
Federated Identity users will indirectly assuming a role

Question 6

Q

How does IAM work?

Answer

A

Principle makes an Authentication request
On successfully authentication, IAM performs Authorization
- IAM checks for Identity-based polices
- Other policies
- Resource-based policies
Check Actions (Console) OR Operations (CLI/API)
- EC2: RunInstance, StartInstance, StopInstance
- IAM Service: CreateUser, DeleteUser, GetUser
- S3: Create Bucket, DeleteBucket, ListBucket
Perform Actions on Resources

Question 7

Q

What is a Principle in AWS IAM?

Answer

A

A Principle is either a human identity (IAM User) or a collection of resources (IAM Role)
Principals include federated users and assumed roles

Question 8

Q

What is the best security best practices in IAM?

Answer

A

* Don’t use the root account except for AWS account setup
* One physical user = One AWS use
* Assign users to groups and assign permissions to groups
* Create a strong password policy
* Use and enforce the use of Multi Factor Authentication (MFA)
* Update access keys when needed for use cases that require long-term credentials
* Create and use Roles for giving permissions to AWS services
* Apply least-privilege permissions
* Use Access Keys for Programmatic Access (CLI / SDK)
* Audit permissions of your account using IAM Credentials Report & IAM Access Advisor
* Never share IAM users & Access Keys

Question 9

Q

What is attribute-based access control?

Answer

A

Attribute-based access control (ABAC) is an authorization strategy that lets you create fine-grained permissions based on user attributes, such as department, job role, and team name

Question 10

Q

What is the difference between Actions and Operations?

Answer

A

Actions and Operations the principle wants to perform on the resource
- CreateUser
- GetUser
- UpdateUser
- DeleteUser
Actions in AWS Management Console
Operations in AWS CLI or AWS API

Question 11

Q

What information is required to send a request to AWS?

Answer

A

Environment data - Information about the IP address, user agent, SSL enabled status
Principal - user or role
Actions (AWS Console) or operations (AWS CLI/API) - Requested actions to perform such as IAM:CreateUser
Resources - AWS Resource object upon
Resource data - Data to be updated

Question 12

Q

What is AWS Authorization?

Answer

A

Authorization are permission to access AWS resources
Mut be Authorized (allowed) to complete your request
By default: all requests are denied
Explicit Allow any permissions to override the default
If any of the follow exist, then they must all allow the request:
- Organizations SCP
- IAM permissions boundary
- session policy
An explicit deny in any policy overrides any allows

Question 13

Q

What is AWS Root User account?

Answer

A

The Root account is the master account used to manage all AWS Services.
We strongly recommend that you don’t use the root user for your everyday tasks
It should not be used or shared.

Question 14

Q

What are the steps to create a Root User account?

Answer

A

Sign up for an AWS account by visiting the AWS website and clicking on the “Create an AWS Account” button.
Provide the necessary information, such as email address, password, and billing information, to create your AWS account.
Amazon requires credit card authorization of $1.00 to verify the billing information.
Complete the identity verification process to activate your account.
Select a Support Plan
Log in to the AWS Management Console using your newly created credentials.
Consider setting up multi-factor authentication (MFA) for added security on your account.

Question 15

Q

What are the tasks that require root user account?

Answer

A

Change your account settings
Restore IAM user permissions
Activate IAM access to the Billing and Cost Management console
View certain tax invoices
Close your AWS account
Register as a seller in the Reserved Instance Marketplace
Configure an Amazon S3 bucket to enable MFA (multi-factor authentication).
Edit or delete an Amazon Simple Queue Service (Amazon SQS) resource policy that denies all principals
Edit or delete an Amazon Simple Storage Service (Amazon S3) bucket policy that denies all principals
Sign up for AWS GovCloud (US)

Question 16

Q

What can you do in IAM Dashboard?

Answer

A

Dashboard shows Security Recommendations for best practice
Create Users, Groups, & Roles
Create Permission Policies
Manage Single-Signon Identity Providers
Configure Account Settings
- Password Policy
- Security Token Service (STS) Region Endpoints
View Access Reports
- Access Analyzer
- Credential Report
- Organization Activity
- Service Control Polices (SCPs)

Question 17

Q

How do you create a new IAM User?

Answer

A

Access Users from the IAM Dashboard
Specify usename
Select User Access Type
- "Specify a user in IAM Identity Center" - For developers who need access to Access Keys
- "I want to create a IAM user" - Single Signon for organization users
Configure a console password
- Autogenerate password
- Custom password (IAM default password policy)
Option to select "Users must create a new password at next sign-in"
Configure user permission
- Add user to group (recommended)
- Copy permissions from another user
- Attach policies directly (Inline Policy)
Review and create

Question 18

Q

How do IAM user sign into AWS?

Answer

A

Root User will sign-in with their email and Password
We can simplify the Root account sign-in by creating an Alias to use instead of the email address
IAM users sign-in with their AWS Account ID, Username, and Password
All accounts must be configure with MFA for security purposes

Question 19

Q

How to configure IAM Password Policy?

Answer

A

Strong password = higher security for your account
Good password policy helps protect against brute force on your account
IAM Dashboard - Access management > Account Settings > Edit
Configure IAM Password Policy:
- Set minimum password length - default is 8 characters
- Password strength (default is any of the 3 combination):
  - An uppercase letter
  - A lowercase letter
  - One number
  - A non-alphanumeric character ! @ # $ % ^ & * ( ) _ + - (hyphen) = [ ] { } | ‘
- Other requirements:
  - Turn on password expiration
  - Password expiration require administrator reset
  - Allow users to change their own password
  - Prevent password reuse

Question 20

Q

What is Multi Factor Authentication (MFA)?

Answer

A

You want to protect your Root Accounts and IAM users
MFA = password you know + security device you own
Main benefit of MFA: If a password is stolen or hacked, the account is not compromised

Question 21

Q

How to Enable MFA on your computer or phone?

Answer

A

IAM Dashboard Conolse > Users > [user] > Security Credentials > Assign MFA device
Specify MFA device name
MFA device type > Authenticator app
Install and open Authenticator app
Scan QR code
Enter MFA code 1
Wait 30 seconds
Enter MFA code 2

Question 22

Q

What is TOTP Authentication?

Answer

A

Time-based one-time password (TOTP) algorithm and support multiple tokens on a single device
Available for MFA Authenticator app
Available providers:
- Google Authenticator (phone only)
- Twilio Authy (multi-device)
- Duo Mobile
- Microsoft Authenticator
- Symantec VIP

Question 23

Q

How to Enable MFA with a hardware security key?

Answer

A

IAM Dashboard Conolse > Users > [user] > Security Credentials > Assign MFA device
Specify MFA device name
MFA device type > Security Key
Connect your security key to your device via USB, Bluetooth, or NFC
Tab the security key

Question 24

Q

What is FIDO Security Key?

Answer

A

FIDO is a authentication protocol which uses Universal 2nd Factor (U2F) Security Key in performing MFA
Universal 2nd Factor (U2F) Security Key is an open authentication standard that enables internet users to securely access any number of online services
Hardware YubiKey is a USB Key Fob by Yubico (3rd Party)
Support multiple root accounts and IAM users using a single security key

Question 25

Q

How to Enable MFA with a hardware TOTTP Token?

Answer

A

IAM Dashboard Conolse > Users > [user] > Security Credentials > Assign MFA device
Specify MFA device name
MFA device type > Hardware TOTP token
Enter the Key Fob serial number
Enter MFA Code 1
Wait 30 seconds
Enter MFA Code 2

Question 26

Q

What is Hardware TOTTP Token?

Answer

A

6-digit numeric code based on time-based one-time password (TOTP) algorithm
Key Fob provided by Thales / Gemalto (3rd Party)
AWS GovCloud (US) Key Fob MFA Device is provided by SurePassID(3rd Party)

Question 27

Q

Can I use my U2F security key with multiple AWS accounts?

Answer

A

YES. AWS allows you to use the same U2F security key with several root and IAM users across multiple accounts.

Question 28

Q

Can I use virtual, hardware, or SMS MFA with multiple AWS accounts?

Answer

A

NO. The MFA device or mobile phone number associated to virtual, hardware, and SMS MFA is bound to an individual AWS identity (IAM user or root account).

Question 29

Q

How many MFA devices can a user have?

Answer

A

Each user can have a maximum of 8 MFA devices assigned.

Question 30

Q

How can MFA-enabled IAM users use AWS CLI?

Answer

A

MFA-enabled IAM users must call aws sts get-session-token API with their MFA code to create a temporary session:

     aws sts get-session-token \
     --serial-number arn-of-the-mfa-device \
	 --token-code code-from-token \
	 --duration-seconds 3600

Output:

  {
     "Credentials": {
          "SecretAccessKey": "secret-access-key",
	      "SessionToken": "temporary-session-token",
	      "Expiration": "expiration-date-time",
	      "AccessKeyId": "access-key-id"
     }
  }

Question 31

Q

How do you create a virtual MFA device with AWS CLI?

Answer

A

Use the CLI command: aws iam create-virtual-mfa-device

  aws iam create-virtual-mfa-device \
  --virtual-mfa-device-name BobsMFADevice \
  --outfile C:/QRCode.png \
  --bootstrap-method QRCodePNG

Output:

  {  "VirtualMFADevice": 
    {  "SerialNumber": "arn:aws:iam::210987654321:mfa/BobsMFADevice"
    } 
}

Question 32

Q

How do you create a virtual MFA device with AWS API?

Answer

A

Use CreateVirtualMFADevice to make an API call

 https://iam.amazonaws.com/?
			Action=CreateVirtualMFADevice
&VirtualMFADeviceName=ExampleName
&Version=2010-05-08
&AUTHPARAMS

Response information:
- XML format
- Base32 string seed
- Device serial number
- QR Code PNG image
- Metadata with RequestId

Question 33

Q

How do you assign a Virtual MFA device to a user with AWS CLI?

Answer

A

Use the CLI command: aws iam enable-mfa-device

  aws iam enable-mfa-device \
  --user-name Bob \
  --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice
  --authentication-code1 123455 \
  --authentication-code2 789012 \

Output:
None

Question 34

Q

How do you assign a Virtual MFA device to a user with AWS API?

Answer

A

Use EnableMFADevice to make an API call

      https://iam.amazonaws.com/?
			Action=EnableMFADevice
			&UserName=Bob
			&SerialNumber=R1234
			&AuthenticationCode1=234567
			&AuthenticationCode2=987654
			&Version=2010-05-08
			&AUTHPARAMS

Response information:
- XML format
- Metadata with RequestId

Question 35

Q

How do you unassign a Virtual MFA device to a user with AWS CLI?

Answer

A

Use the CLI command: aws iam deactivate-mfa-device

  aws iam deactivate-mfa-device \
  --user-name Bob \
  --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice

Output:
None

Question 36

Q

How do you unassign a Virtual MFA device to a user with AWS API?

Answer

A

Use DeactivateMFADevice to make an API call

      https://iam.amazonaws.com/?
			Action=DeactivateMFADevice
			&UserName=Bob
			&SerialNumber=R1234
			&Version=2010-05-08
			&AUTHPARAMS

Response information:
- XML format
- Metadata with RequestId

Question 37

Q

How do you list Virtual MFA devices with AWS CLI?

Answer

A

Use the CLI command: aws iam list-virtual-mfa-devices
```
  aws iam list-virtual-mfa-devices
```

Output:

  {
    "VirtualMFADevices": [
        {
            "SerialNumber": 
							"arn:aws:iam::123456789012:mfa/ExampleMFADevice"
          },
          {
              "SerialNumber": 
										"arn:aws:iam::123456789012:mfa/Fred"
           }
       ]
   }

Question 38

Q

How do you list Virtual MFA devices with AWS API?

Answer

A

Use ListVirtualMFADevices to make an API call

      https://iam.amazonaws.com/?
			Action=ListVirtualMFADevices
			&AssignmentStatus=Any
			&Version=2010-05-08
			&AUTHPARAMS

Response information:
- XML format
- VirtualMFADevices
  - Enable Date
  - Serial Number
  - User Information
- Metadata with RequestId

Question 39

Q

How do you resynchronize Virtual MFA devices with AWS CLI?

Answer

A

Use the CLI command: aws iam resync-mfa-device

  aws iam resync-mfa-device \
  --user-name Bob \
  --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice \
  --authentication-code1 123456 \
  --authentication-code2 987654

Output:
None

Question 40

Q

How do you resynchronize Virtual MFA devices with AWS API?

Answer

A

Use ResyncMFADevice to make an API call

      https://iam.amazonaws.com/?
			Action=ResyncMFADevice
			&UserName=Bob
			&SerialNumber=R1234
			&AuthenticationCode1=234567
			&AuthenticationCode2=987654
			&Version=2010-05-08
			&AUTHPARAMS

Response information:
- XML format
- Metadata with RequestId

Question 41

Q

How do you delete a Virtual MFA devices with AWS CLI?

Answer

A

Use the CLI command: aws iam delete-virtual-mfa-device

  aws iam delete-virtual-mfa-device \
  --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice \

Output:
None

Question 42

Q

How do you delete a Virtual MFA devices with AWS API?

Answer

A

Use DeleteVirtualMFADevice to make an API call

      https://iam.amazonaws.com/?
			Action=DeleteVirtualMFADevice
			&SerialNumber=arn:aws:iam::123456789012:mfa/ExampleName
			&Version=2010-05-08
			&AUTHPARAMS

Response information:
- XML format
- Metadata with RequestId

Question 43

Q

How are MFA Serial Number reference in AWS CLI?

Answer

A

MFA Serial number reference based on the device type:
* MFA hardware device: GAHT12345678
* IAM Virtual MFA: arn:aws:iam::123456789012:mfa/ExampleName

Question 44

Q

How do users access AWS IAM?

Answer

A

AWS Management Console: protected by password + MFA
AWS Command Line Interface (CLI): protected by access keys
AWS Software Development Kit (SDK): for code - protected by access keys
AWS IAM Query API (API): issue HTTPS requests directly to the AWS service

Question 45

Q

How an IAM user changes their own password?

Answer

A

AWS Console > choose your username (upper right nav bar), and then choose Security credentials > Update Console password

AWS CLI: aws iam change-password

Generate change-password.json file

       aws iam change-password \ 
--generate-cli-skeleton > change-password.json

Update change-password.json file with new password

    { "OldPassword": "3s0K_;xh4~8XXI", "NewPassword": "]35d/{pB9Fo9wJ" }

Upload the updated change-password.json file

   ```      aws iam change-password \ --cli-input-json file://change-password.json    ```

AWS API: ChangePassword

      
    https://iam.amazonaws.com/?Action=ChangePassword
    &OldPassword=U79}kgds4?
    &NewPassword=Lb0*1(9xpN
    &Version=2010-05-08
    &AUTHPARAMS

Question 46

Q

How can you permit users to manage their credentials and MFA settings?

Answer

A

IAM users must have sufficient permissions to create, view, and deactivate MFA devices assigned to them
You can permit IAM users to access My security credentials to manage their own MFA by creating custom policy provided by provided AWS IAM
Assign the policy to the User Groups
Users will be force to setup MFA for their account before they can access resources

Question 47

Q

What is IAM Users & Groups?

Answer

A

Users are people within your organization, and can be grouped
Groups only contain users, not other groups
Users don’t have to belong to a group, and user can belong to multiple groups

Question 48

Q

What are some features in IAM Users?

Answer

A

Manage Access Keys
Set Permission Polices
Assign user to Groups
Create Tags
Manage Security Credentials
View Access Advisor

Question 49

Q

What is the character limit for IAM Name and IDs?

Answer

A

Unique IDs: 128 characters, includes: User ID, Group ID, Role ID, Managed Policy ID, Server Certificate ID
Group Name, Policy Name: 128 characters
User Name, Role Name, Role Session Name: 64 characters
Switch Role: Path + RoleName can't exceed 64 characters

Question 50

Q

What are Access Keys?

Answer

A

Access Keys are generated through the AWS Console
Users manage their own access keys
Use access keys for long term access
Use access keys to send programmatic calls to AWS from the AWS CLI, AWS Tools for PowerShell, AWS SDKs, or direct AWS API calls.
IAM will prompt to acknowlege the recommendation of using AWS CloudShell and AWS CLI V2 for IAM Identity Center
You can have a maximum of two access keys (active or inactive) at a time.
Access Keys are secret, just like password.
- Access Key Id = username
- Secret Access Key = password
Never share you Access Keys

Question 51

Q

When to use Access Keys instead of IAM Roles?

Answer

A

Workloads that cannot use IAM Roles such as WordPress plugins
Third-party clients not hosted on AWS
AWS CodeCommit access
Amazon Keyspaces (for Apache Cassandra) access

Question 52

Q

What are the different types of AWS Policies?

Answer

A

Identity-based policies - JSON policy, control actions of an identity (users, groups, roles)
Resource-based policies - JSON policy, attach to a resource
Permissions boundaries - JSON policy, set the maximum permissions that an identity-based policy can grant to an IAM entity
Organizations SCPs - JSON policie, grouping and centrally managing the AWS accounts
Access control lists (ACLs) - Not JSON format, control which principals in another account can access a resource
Session policies - use pass as a parameter when you programmatically create a temporary session for a role or federated user

Question 53

Q

What are Identity-based policies?

Answer

A

Identity-based policies are JSON permission policies to control actions of an identity (users, groups, roles)
Further categorized:
- Inline Policies - directly assign to a single user, group, or role
- Managed Policies:
  - AWS managed policies - policies created and managed by AWS
  - Customer managed policies - policies created and managed by the customer

Question 54

Q

What are Resource-based policies?

Answer

A

Resource-based policies are JSON policy documents that you attach to a resource such as an Amazon S3 bucket.
Resource-based policies are inline policies
There are no managed resource-based policies

Question 55

Q

How can you use Cross-Account Access?

Answer

A

Enable AWS Roles (Resource-based policies)
Specify the principle:
- if principle and resource are in the same account - no identity-based policy is required
- if principle and resource are in different accounts - an additional identity-based policy is required

Question 56

Q

What is IAM Permissions Boundary policies?

Answer

A

Sets of Identity-based policies to control the maximum permissions for Users or Roles
It limits the user's permissions but does not provide permissions on its own
Delegate permissions management tasks, such as user creation, to IAM users in your account
Enforce the delegatee to assign the same Permission Boundary for new users they created

Use Cases:

Enable developer to create roles with escalating their access
Require developers to create roles with a boundary

Pro tip: Require roles and managed polices start with a namespace

Question 57

Q

What is the best practice when using permissions boundaries?

Answer

A

Permissions boundaries use a managed IAM policy to restrict access
Policy cannot exceed 6,144 characters long
Can have up to 10 managed policies and 1 permissions boundary attached to an IAM role
Apply permissions boundaries to the IAM roles created by developers, rather than to the developers themselves

Question 58

Q

What are Service control policies (SCPs)?

Answer

A

A service for grouping and centrally managing the AWS accounts that the business owns
Once enabled it will enabled for all accounts
SCPs are JSON policies that specify the maximum permissions for an organizational unit (OU) as well as Account Root user
An explicit Deny in any of these policies overrides the Allow

Use Cases:

Restrict access to specific AWS Regions
Prevent your IAM Principals from deleting common resources
Restrict service actions to all IAM entities except a specific role

Pro tip: Push restrictions common amount accounts up to SCPs.

Question 59

Q

What are Access control lists (ACLs)?

Answer

A

Allow you to control which principals in another account can access a resource
Cannot be used to control access for a principal within the same account
Similar to Resource-based policies
Does not use the JSON policy document format
Example: Amazon S3, AWS WAF, and Amazon VPC

Question 60

Q

What are Session Policies?

Answer

A

Policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user
Permissions use both Identity-based and resource-based policy for access
An explicit deny in any of these policies overrides the allow

Question 61

Q

How can you perform a session policy for Federated Identity users?

Answer

A

Can provide access keys of the IAM user to programmatically call the GetFederationToken API operation
Must also pass session policies
Permission results:
intersection (Identity-based + Session policy)

Question 62

Q

How can you perform a session policy with resource-based policy?

Answer

A

Must specify the ARN of the user or role as a principal
Permission results:
All Resource-based policy + Intersection(Identity-based + Session policy) )

Question 63

Q

How can you perform a session policy with permissions boundary?

Answer

A

Set the maximum permissions for a user or role that is used to create a session
Permission results:
Intersection (Resource-based policy + Identity-based + Session policy)

Question 64

Q

What is the Role Session Duration?

Answer

A

IAM user - 15 minutes to 36 hours, 12 hours is the default
AWS account owners - maximum and default is 1 hour

Answer 65

A

Content’s can’t exceed 2,048 characters
Can pass a maximum of 10 managed policy when session is created
Can only pass one JSON document for a role or federated user

Answer 66

A

Authorization strategy that defines permissions based on attributes called Tags
Use PrincipalTag to indicate what principle tags are allowed to access the resource

Answer 67

A

IAM Principle Tags- Tag entities with access control attributes
IAM Session Tags - Tag sessions with access control attributes
Tags on AWS Resource - Tag resources with access control attributes
Tags on AWS IAM Polices - Control access based on tags
Tags on AWS Organization - Standardized tag names, value, and capitalization. Control allowable values, investigate difference.

Answer 68

A

Session tags must meet the tag key limit of 128 characters and the tag value limit of 256 characters
You can pass up to 50 session tags in a single session

Answer 69

A

All access requests start with DENY
If using Service Control Polices (CSPs) - CSP must Allow
if using Permission Boundaries - Permission Boundary must Allow
if same account access - Identity or Resource policy must Allow
if direct cross account access - Both Identity AND Resource Policy must Allow
if using session policy - Session AND Identity Policy must Allow

Answer 70

A

100,000 characters
Applies to assume-role-with-saml CLI or AssumeRoleWithSAML API operation

Answer 71

A

Affected by some policy types but not others
Cannot attach identity-based policies
Cannot set the permissions boundary
Affected by Service Control Policies (SCPs)
Can specify the root user as the principal in a resource-based policy or an Access Control List (ACL)

Answer 72

A

Inline: add directly to a single user, group, or role and maintain a strict one-to-one relationship
Policies Inheritance: Users inherit the policies within the group

Answer 73

A

Permissions are defined by policies attached to the user directly or through groups.
Users or Groups can be assigned JSON documents called policies
These policies define the permissions of the users
Apply the least privilege principle: don’t give more permissions than a user needs
Most policies are stored in AWS as JSON documents.

Answer 74

A

Version: policy language version, in the format: “2012 -10 - 17”
Id: an identifier for the policy (optional)
Statement: one or more individual statements (required)
- Sid: an identifier for the statement (optional)
- Effect: whether the statement allows or denies access (Allow, Deny)
- Principal: Account, User or Role to which this policy applied to
- Action: list of actions this policy allows or denies
- Resource: list of resources to which the actions applied to
- Condition: conditions for when this policy is in effect (optional)

Answer 75

A

A logical OR will be applied across the statements
If multiple policies appy to a single request, AWS applies a logical OR accross all those policies when evaluating them

Answer 76

A

Access Level Groupings:
* Full: access to all actions within the specified access level classification
* Limited: access to one or more but not all actions within the specified access level classification
* None: no access
* (empty): IAM does not recognize this service

Access Level Classification:
* List: can list objects but cannot view the object’s content
* Read*: can read the object’s content
* Tagging: can change the objects’s tag
* However, CreateRole action allows tagging a role, but also Write access
* Write: can create, delete or modify object’s content
* Permissions Management: can modify the resource permission in the service
* Example: S3 actions PutBucketPolicy and DeleteBucketPolicy have Permissions Management access level
* It’s important to restrict or regularly monitor this type of policies

Answer 77

A

Inline Policies:
* User policy - can’t exceed 2,048 characters.
* Group policy - can’t exceed 5,120 characters.
* Role policy - can’t exceed 10,240 characters.

Managed Policies:
* All policies - can’t exceed 6,144 characters.

IAM doesn’t count white space when calculating the size of a policy against this limit.

Answer 78

A

Amazon Resource Names (ARNs) uniquely identify AWS resources in AWS JSON policies
Format:
- arn:partition:service:region:account-id:resource-id
- arn:partition:service:region:account-id:resource-type:resource-id
- partition:
  - aws - AWS Regions
  - aws-cn - China Regions
  - aws-us-gov - AWS GovCloud (US) Regions
- service - service namespace that identifies the AWS product
- region - Region code. For example, us-east-2 for US East (Ohio)
- account-id - ID of the AWS account
- resource-type - The resource type - For example, vpc for a virtual private cloud (VPC)
- resource-id - ID of the resource
ARN paths - forward slash (/), equals (=), comma (,), period (.), at (@), and hyphen (-).
Using wildcards in paths - “Resource”:”arn:aws:iam::123456789012:user/*”

Answer 79

A

IAM > Policies > Create Policy
Select Visual or JSON
Select Actions to generate CloudFormation template, optimize for readability or size
Select a service:
- Auto Sccaling
- CloudFront
- EC2
- IAM
- Lambda
- RDS
- S3
- SNS (Simple Notification Service)
Add Access Level Actions:
- List
- Read
- Write (create/update/delete)
- Permission Management (permission access actions such as CreatePolicy)
- Tagging (tagging actions)
Select Effect (Add/Deny)
Select Resource ARN:
- Access-Report
- Group
- Instance-Profile
- MFA
- OIDC-Provider
- Policy
- Role
- SAML-Provider
- Server-Certificate
- SMS-MFA
- User

Answer 80

A

Generate policies based on access activity
Require date/time period, trail logs and service Role

Answer 81

A

A user group is a collection of IAM users
Use groups to specify permissions for a collection of users
A user can be a member of up to 10 groups at a time

Answer 82

A

Tags are key-value pairs that you can add to AWS resources to help identify, organize, or search for resources.
A Tag Key (for example, CostCenter, Environment, Project, or Purpose)
An optional field known as a Tag Value (Omitting the tag value is the same as using an empty string)
Tag Keys and values requirements:
- case sensitive
- any combination of letters, numbers, spaces and _ . : / = + - @ symbols

Answer 83

A

Tag Key: 128 characters
Tag Value: 256 characters
Empty tag value has a length of 0 characters

Answer 84

A

Manage console access
Reset user password
Manage Access Keys
Use SSH public keys to authenticate access to AWS CodeCommit* repositories
Generate HTTPS Git credentials for AWS CodeCommit
Generate credentials for Amazon Keyspaces (for Apache Cassandra)
X.509 Signing certifications

Answer 85

A

CodeCommit is a secure, highly scalable, managed source control service that hosts private Git repositories
Designed to integrate with other AWS services
Access authentication with:
- SSH public keys - maximum of five SSH public keys (active or inactive) at a time
- Generate HTTS username & password credentials - maximum 2 sets (active or inactive) at a time

Answer 86

A

Amazon Keyspaces (for Apache Cassandra) is a scalable, highly available, and managed Apache Cassandra-compatible database service
Ways to generate access credentials:
- Users > Security Credentials
- AWS CLI > aws iam create-service-specific-credential
- AWS API > CreateServiceSpecificCredential

Answer 87

A

AWS server certicate is a X.509 v3 data structure that binds the public key in the certificate to the subject of the certificate.
An SSL/TLS certificate is signed by Certificate Authority (CA) and contains the name of the server, validaity period, public key and signature, etc…
Use Cases:
- Amazon API Gateway for custom domain name
- AWS CloudFormation - ACM certificates
- Amazon CloudFront to distribute website content delivery
- Code Signing for AWS IoT
- Elastic Beanstalk
- Elastic Load Balancing
Ways to create X.509 certificates:
- IAM User > Security Credentials - Maximum of 2 X.509 certificates (active or inactive) at a time
- AWS Certificate Manager (ACM)

Answer 88

A

IAM Roles are permission policies for services
An IAM Role is both an identity and a resource that supports resource-based policies - Must attach both a trust policy and an identity-based policy
It is associated with a service instead of an identity user
Users have permanent long-term credentials, but roles provide temporary credentials
Common roles:
- EC2 Instance Roles
- Lambda Function Roles
- Roles for CloudFormation

Answer 89

A

When the following situation occurs:
* Federated user access
* Temporary IAM user/role permissions
* Cross-account access - trusted principle from another AWS account
* Cross-service access
* Principal permissions - permission given to IAM user/role to access cross service resource
* Service role - delegate permission to assumes a service on your behalf (such as permission boundary)
* Service-linked role - type of service role that linked to another AWS service
* Applications running on Amazon EC2 - making AWS CLI or AWS API requests

Answer 90

A

Trust Policy - defined which principle can assume the role
Identity-based policies (inline and managed) - define permissions the user of the role to perform actions on the resource

Answer 91

A

IAM > Roles > Create Role
Select the Trusted Entity type
- AWS Service (EC2, Lambda)
- AWS Accounts
- Web Identity (federated user)
- SAML 2.0 Federation (corporate active directory)
- Custom Trust Policy
Provide Use Case for services to call on it’s behalf
Attach a permission policy
Set a permission boundary (optional)
Provide Role name and description
Add Tags (optional)

Answer 92

A

Authenticate your non AWS workloads and securely provide access to AWS services
Can configure existing Roles policies to Roles Anywhere
Create a Certificate Authority (CA) and Trust Anchor to establish trust between AWS and Certificate Authority (CA)

Answer 93

A

Administrator will provide you a link to access the Switch Role page which have Account ID and Role Name already filled
Sign in to AWS Console and access the username on the navbar and choose Switch Role > manually enter the Account ID and Role Name

Answer 94

A

You can switch to a role only after you sign in as an IAM user or a federated user.
If you launch an Amazon EC2 instance to run an application, the application can assume a role through its instance profile
You cannot switch to a role when you sign in as the AWS account root user
Only one set of permissions can be in effect at a time - cannot make use of his power-user privileges for your account if you’re switching roles to another account.
Switching roles using the AWS Management Console only works with accounts that do not require an ExternalId

Answer 95

A

Click on the role display name on the navbar and then choose “Back to YourName@YourAccountID”.

Answer 96

A

IAM Credentials Report (account-level)
- a report that lists all your account’s users and the status their various credentials
IAM Access Advisor (user-level)
- Shows the service permission granted to a user and when those services were last accessed
- You can use this information to revise your policy

Answer 97

A

Command line interface (CLI) is a tool allows you to interact with AWS services using commands
Direct access to the public APIs of AWS services
You can develop scripts to manage your resources
It’s open-source https://github.com/aws/aws-cli
Alternative to using AWS Management Console
Developed upon Python SDK (boto3)

Answer 98

A

Search for AWS CLI v2 on Windows
Download MSI install and install it
Open cmd line prompt
Run aws --version
The output will show if AWS CLI is installed: aws-cli/2.10.0 Python/3.11.2 Windows/10 exe/AMD64 prompt/off

Answer 99

A

Search for AWS CLI v2 on Mac OS
Download and install the PKG file
Select install for all users on this computer
Open a terminal on Mac
Run aws --version
The output will show if AWS CLI is installed: aws-cli/2.10.0 Python/3.11.2 Windows/10 exe/AMD64 prompt/off

Answer 100

A

Run the 3 commands sequentially:

$ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
     
unzip awscliv2.zip
     
sudo ./aws/install

Answer 101

A

Ensure you’re using the most recent version of AWS CLI

Answer 102

A

512 characters

Answer 103

A

A browser-based CLI to manage AWS resources from a terminal in your browser
Use the same AWS Management Console login
1 GB of persistent storage
Import/export files

Answer 104

A

AWS Software Development Kit (AWS SDK)
Language-specific APIs (set of libraries)
Enables you to access and manage AWS services
programmatically
Embedded within your application
Supports:
- SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js,
  C++)
- Mobile SDKs (Android, iOS, …)
- IoT Device SDKs (Embedded C, Arduino, …)
Example: AWS CLI is built on AWS SDK for Python (boto3)

Examples:

We have to use the AWS SDK when coding against AWS Services such as DynamoDB

Answer 105

A

Break up policies by resource type due to limited JOSN document size
Avoid define multiple permissions in a single statement
Grant least privilege
Understand access level groupings
Use IAM Access Analyzer & CloudTrail to generate and validate user access information

Answer 106

A

AWS:

Infrastructure (global
network security)
Configuration and
vulnerability analysis
Compliance validation

You:

Users, Groups, Roles, Policies
management and monitoring
Enable MFA on all accounts
Rotate all your keys often
Use IAM tools to apply
appropriate permissions
Analyze access patterns &
review permissions

Answer 107

A

Root account must provide IAM user with AdministratorAccess to access Billing Information
Log on to our IAM User account
Go to My Account > My Billing Dashboards
Click on Budget > Create a Budget
Choose premade templates or customized your own template:
- Zero spending budget
- Monthly cost budget
- Daily savings Plans coverage budget
Add email recipients to be notified
Click Create Budget

Answer 108

A

Log onto Root account
Click My Account
Click Edit under IAM User and Role access to Billing Information
Check Activate IAM Access
Click Update

Answer 109

A

Users: mapped to a physical user, has a password for AWS Console
Groups: contains users only
Policies: JSON document that outlines permissions for users or groups
Roles: for EC2 instances or AWS services
Security: MFA + Password Policy
AWS CLI: manage your AWS services using the command-line
AWS SDK: manage your AWS services using a programming language
Access Keys: access AWS using the CLI or SDK
Audit: IAM Credential Reports & IAM Access Advisor