Authentication and Authorization—AWS Identity and Access Management Flashcards

1
Q

Which of the following is the greatest risk posed by using your AWS account root user for day‐to‐day operations?
There would be no easy way to control resource usage by project or class.
There would be no effective limits on the effect of an action, making it more likely for unintended and unwanted consequences to result.
Since root has full permissions over your account resources, an account compromise at the hands of hackers would be catastrophic.
It would make it difficult to track which account user is responsible for specific actions.

A

C. Although each of the other options represents possible concerns, none of them carries consequences as disastrous as the complete loss of control over your account.

2
Q

You’re trying to create a custom IAM policy to more closely manage access to components in your application stack. Which of the following syntax‐related statements is a correct description of IAM policies?
The Action element refers to the way IAM will react to a request.
The * character applies an element globally—as broadly as possible.
The Resource element refers to the third‐party identities that will be allowed to access the account.
The Effect element refers to the anticipated resource state after a request is granted.

A

B. The * character does, indeed, represent global application. The Action element refers to the kind of action requested (list, create, etc.), the Resource element refers to the particular AWS account resource that’s the target of the policy, and the Effect element refers to the way IAM should react to a request.

3
Q

Which of the following will—when executed on its own—prevent an IAM user with no existing policies from launching an EC2 instance? (Choose three.)
Attach no policies to the user.
Attach two policies to the user, with one policy permitting full EC2 access and the other permitting IAM password changes but denying EC2 access.
Attach a single policy permitting the user to create S3 buckets.
Attach the AdministratorAccess policy.
Associate an IAM action statement blocking all EC2 access to the user’s account.

A

A, B, C. Unless there’s a policy that explicitly allows an action, it will be denied. Therefore, a user with no policies, or with only a policy permitting S3 actions, has no EC2 instance permissions. Similarly, when two policies conflict, the more restrictive will be honored. The AdministratorAccess policy opens up nearly all AWS resources, including EC2. There’s no such thing as an IAM action statement.

4
Q

Which of the following are important steps for securing IAM user accounts? (Choose two.)
Never use the account to perform any administration operations.
Enable multifactor authentication (MFA).
Assign a long and complex password.
Delete all access keys.
Insist that your users access AWS resources exclusively through the AWS CLI.

A

B, C. If you don’t perform any administration operations with regular IAM users, then there really is no point for them to exist. Similarly, without access keys, there’s a limit to what a user will be able to accomplish. Ideally, all users should use MFA and strong passwords. The AWS CLI is an important tool, but it isn’t necessarily the most secure.

5
Q

To reduce your exposure to possible attacks, you’re auditing the active access keys associated with your account. Which of the following AWS CLI commands can tell you whether a specified access key is still being used?
aws iam get-access-key-used --access-key-id <key_ID>
aws iam --get-access-key-last-used access-key-id <key_ID>
aws iam get-access-key-last-used access-last-key-id <key_ID>
aws iam get-access-key-last-used --access-key-id <key_ID>

A

D. The top-level command is iam, and the correct subcommand is get-access-key-last-used. The parameter is identified by --access-key-id. Parameters (not subcommands) are always prefixed with -- characters.

6
Q

You’re looking to reduce the complexity and tedium of AWS account administration. Which of the following is the greatest benefit of organizing your users into groups?
It enhances security by consolidating resources.
It simplifies the management of user permissions.
It allows for quicker response times to service interruptions.
It simplifies locking down the root user.

A

B. IAM groups are primarily about simplifying administration. They have no direct impact on resource usage or response times and only an indirect impact on locking down the root user.

7
Q

During an audit of your authentication processes, you enumerate a number of identity types and want to know which of them might fit the category of “trusted identity” and require deeper investigation. Which of these is not considered a trusted entity in the context of IAM roles?
A web identity authenticating with Google
An identity coming through a SAML‐based federated provider
An identity using an X.509 certificate
A web identity authenticating with Amazon Cognito

A

C. X.509 certificates are used for encrypting SOAP requests, not authentication. The other choices are all valid identities within the context of an IAM role.

8
Q

Your company is bidding for a contract with a U.S. government agency that demands any cryptography modules used on the project be compliant with government standards. Which of the following AWS services provides virtual hardware devices for managing encryption infrastructure that’s FIPS 140‐2 compliant?
AWS CloudHSM
AWS Key Management Service
AWS Security Token Service
AWS Secrets Manager

A

A. AWS CloudHSM provides encryption that’s FIPS 140‐2 compliant. Key Management Service manages encryption infrastructure but isn’t FIPS 140‐2 compliant. Security Token Service is used to issue tokens for valid IAM roles, and Secrets Manager handles secrets for third‐party services or databases.

9
Q

Which of the following is the best tool for authenticating access to a VPC‐based Microsoft SharePoint farm?
Amazon Cognito
AWS Directory Service for Microsoft Active Directory
AWS Secrets Manager
AWS Key Management Service

A

B. AWS Directory Service for Microsoft Active Directory provides Active Directory authentication within a VPC environment. Amazon Cognito provides user administration for your applications. AWS Secrets Manager handles secrets for third‐party services or databases. AWS Key Management Service manages encryption infrastructure.

10
Q

What is the function of Amazon Cognito identity pools?
Gives your application users temporary, controlled access to other services in your AWS account
Adds user sign‐up and sign‐in to your applications
Incorporates encryption infrastructure into your application lifecycle
Delivers up‐to‐date credentials to authenticate RDS database requests

A

A. Identity pools provide temporary access to defined AWS services to your application users. Sign‐up and sign‐in is managed through Cognito user pools. KMS and/or CloudHSM provide encryption infrastructure. Credential delivery to databases or third‐party applications is provided by AWS Secrets Manager.

11
Q

An employee with access to the root user on your AWS account has just left your company. Since you can’t be 100 percent sure that the former employee won’t try to harm your company, which of the following steps should you take? (Choose three.)
Change the password and MFA settings for the root account.
Delete and re‐create all existing IAM policies.
Change the passwords for all your IAM users.
Delete the former employee’s own IAM user (within the company account).
Immediately rotate all account access keys.

A

A, D, E. Options A, D, and E are appropriate steps. Your IAM policies will be as effective as ever, even if outsiders know your policies. Since even an account’s root user would never have known other users’ passwords, there’s no reason to change them.

12
Q

You need to create a custom IAM policy to give one of your developers limited access to your DynamoDB resources. Which of the following elements will not play any role in crafting an IAM policy?
Action
Region
Effect
Resource

A

B. IAM policies are global—they’re not restricted to any one region. Policies do, however, require an action (like create buckets), an effect (allow), and a resource (S3).

13
Q

Which of the following are necessary steps for creating an IAM role? (Choose two.)
Define the action.
Select at least one policy.
Define a trusted entity.
Define the consumer application.

A

B, C. IAM roles require a defined trusted entity and at least one policy. However, the relevant actions are defined by the policies you choose, and roles themselves are uninterested in which applications use them.

14
Q

Which of the following uses authentication based on AWS Security Token Service (STS) tokens?
Policies
Users
Groups
Roles

A

D. STS tokens are used as temporary credentials that give external identities access to resources by assuming IAM roles. Users and groups would not use tokens to authenticate, and policies are used to define the access a token will provide, not the recipient of the access.

15
Q

What format must be used to write an IAM policy?
HTML
Key/value pairs
JSON
XML

A

C. Policies must be written in JSON format.

16
Q

If you need to allow a user full control over EC2 instance resources, which two of the following must be included in the policy you create?
“Target”: “ec2:*”
“Action”: “ec2:*”
“Resource”: “ec2:*”
“Effect”: “Allow”
“Effect”: “Permit”

A

B, D. The correct Resource line would read “Resource”: “*”. And the correct Action line would read “Action”: “ec2:*”. There is no “Target” line in an IAM policy. “Permit” is not a valid value for “Effect”.

17
Q

What is the function of Amazon Cognito user pools?
Gives your application users temporary, controlled access to other services in your AWS account
Adds user sign‐up and sign‐in to your applications
Incorporates encryption infrastructure into your application lifecycle
Delivers up‐to‐date credentials to authenticate RDS database requests

A

B. User pools provide sign‐up and sign‐in for your application’s users. Temporary access to defined AWS services to your application users is provided by identity pools. KMS and/or CloudHSM provide encryption infrastructure. Credential delivery to databases or third‐party applications is provided by AWS Secrets Manager.

18
Q

Which of the following best describe the “managed” part of AWS Managed Microsoft AD? (Choose two.)
Integration with on‐premises AD domains is possible.
AD domain controllers are launched in two availability zones.
Data is automatically replicated.
Underlying AD software is automatically updated.

A

C, D. An AWS managed service takes care of all underlying infrastructure management for you. In this case, that will include data replication and software updates. On‐premises integration and multi‐AZ deployment are important infrastructure features, but they’re not unique to “managed” services.

19
Q

Which of the following steps are part of the access key rotation process? (Choose three.)
Monitor the use of your new keys.
Monitor the use of old keys.
Deactivate the old keys.
Delete the old keys.
Confirm the status of your X.509 certificate.

A

B, C, D. Options B, C, and D are all parts of the key rotation process. In this context, key usage monitoring is only useful to ensure that none of your applications is still using an old key that’s set to be retired. X.509 certificates aren’t used for access keys.

20
Q

What tool will allow an Elastic Container Service task to access container images it might need that are being maintained in your account’s Elastic Container Registry?
An IAM role
An IAM policy
An IAM group
An AIM access key

A