AWS Flashcards

To learn and retain more about AWS

1
Q

What is an IAM role?

A

An IAM identity that you create and attach permissions to, but that has no long-term credentials of its own. Trusted principals (workforce identities, applications, AWS services, or principals in other accounts) assume the role and receive temporary credentials to perform actions in AWS. Who may assume the role is defined by its trust policy.

2
Q

What is an IAM policy?

A

A policy is an object in AWS that, when associated with an identity (user, group, or role) or a resource, defines its permissions. Most policies are stored in AWS as JSON documents; AWS evaluates every policy that applies to a request before deciding whether to allow it.

3
Q

What does IAM stand for?

A

AWS Identity and Access Management

4
Q

What is an IAM user?

A

An entity that you create in AWS to represent the human, workload, or application that uses it to interact with AWS. An IAM user consists of a name and credentials: a console password and/or up to two long-term access keys.

5
Q

What is a root user?

A

When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is the AWS account root user; it signs in with the email address and password that you used to create the account. IAM identity-based policies cannot restrict it, and some tasks can only be performed by the root user, such as changing the root email address or password, enabling MFA on the root user itself, or closing the AWS account. Protect it with MFA, keep no access keys for it, and use IAM identities for everyday work.

6
Q

How can you identify an IAM user?

A

• a friendly name (e.g. John)
• an ARN (Amazon Resource Name), e.g. arn:aws:iam::123456789012:user/John
• a unique identifier that AWS generates (for users it begins with AIDA) and that, unlike the name, is never reused after the user is deleted
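An added example (not AWS code) that pulls these three identifiers apart: it parses an ARN into its fields, extracts the friendly name, and interprets a unique ID the way CloudTrail records it in userIdentity.principalId. The prefixes are the documented IAM unique-ID prefixes; every ID and account number in the block is a constructed placeholder.

```python
"""Parse ARNs and interpret IAM unique IDs.

Added example (not AWS code). An ARN has six colon-separated fields and the
last field (the resource) may itself contain colons, so the string is split
at most five times. All IDs and account numbers below are constructed.
"""

ARN_FIELDS = ("partition", "service", "region", "account", "resource")

# Documented prefixes of IAM unique IDs (the part before the random suffix).
UNIQUE_ID_PREFIXES = {
    "AIDA": "IAM user",
    "AROA": "IAM role",
    "AGPA": "IAM group",
    "ANPA": "customer managed policy",
    "AIPA": "instance profile",
    "AKIA": "long-term access key",
    "ASIA": "temporary access key (STS)",
}


def parse_arn(arn):
    """Split an ARN into its fields, adding resource_type/resource_name."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    fields = dict(zip(ARN_FIELDS, parts[1:]))
    resource = fields["resource"]
    # Services write the resource as "type/name" (IAM, EC2), "type:name"
    # (e.g. Lambda function versions) or a bare name (SNS topics, S3 buckets).
    # Caveat: an S3 object ARN "bucket/key" also contains "/", so callers
    # should special-case service == "s3" before trusting resource_type.
    for sep in ("/", ":"):
        if sep in resource:
            rtype, name = resource.split(sep, 1)
            fields["resource_type"], fields["resource_name"] = rtype, name
            break
    else:
        fields["resource_type"], fields["resource_name"] = None, resource
    return fields


def user_name_from_arn(arn):
    """Return the friendly name of an IAM user ARN (the last path element)."""
    fields = parse_arn(arn)
    if fields["service"] != "iam" or fields["resource_type"] != "user":
        raise ValueError("not an IAM user ARN")
    return fields["resource_name"].rsplit("/", 1)[-1]


def describe_principal_id(principal_id):
    """Interpret a CloudTrail-style userIdentity.principalId.

    For assumed-role sessions CloudTrail records "<role unique ID>:<session name>";
    for IAM users it records the user's unique ID alone.
    """
    unique_id, _, session = principal_id.partition(":")
    kind = UNIQUE_ID_PREFIXES.get(unique_id[:4], "unknown")
    return {"unique_id": unique_id, "kind": kind, "session_name": session or None}


if __name__ == "__main__":
    print(parse_arn("arn:aws:iam::123456789012:user/engineering/John"))
    print(describe_principal_id("AROAEXAMPLEROLEID00:deploy-session"))
```

The unique ID matters in practice because a policy that names a user ARN is internally bound to that unique ID: delete and recreate "John" and the old grants no longer apply, even though the ARN looks identical.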

7
Q

How might an IAM role and IAM user interact?

A

A user does not hold a role; a user assumes one. The role's trust policy names the user (or the user's account) as a trusted principal, the user is allowed to call sts:AssumeRole on the role (required whenever the trust policy only names the account), and the user then works with the role's temporary credentials and permissions instead of its own.

8
Q

How might an IAM user be used?

A

Typically, to identify a human. An IAM user can also identify an application, but that requires long-term access keys, so an IAM role (temporary credentials, nothing to leak or rotate) is the more secure choice for workloads. For humans, AWS likewise recommends federated access over individual IAM users where possible.

9
Q

Can you assign an IAM role to an IAM user?

A

Not by attaching it. A role is not assigned to a user the way a policy is; instead the user is allowed to assume it: the role's trust policy must trust the user or the user's account, and the user needs sts:AssumeRole permission on the role (always, when the trust policy names only the account). Assuming the role returns temporary credentials whose permissions are the role's, not the user's.

10
Q

What kinds of IAM policies are there?

A

  1. Identity-based policies
  2. Resource-based policies
  3. Permissions boundaries
  4. AWS Organizations service control policies (SCPs)
  5. Access control lists (ACLs)
  6. Session policies

11
Q

What are identity based IAM policies?

A

Identity-based policies are JSON permissions policy documents attached to an IAM identity (a user, a group of users, or a role) that control what actions that identity can perform, on which resources, and under what conditions. They come as AWS managed, customer managed, or inline policies.

12
Q

What are resource based IAM policies?

A

Resource-based policies are JSON policy documents that you attach to a resource such as an Amazon S3 bucket, an SQS queue, or a KMS key (a role's trust policy is also one). Each statement names a Principal and grants it permission to perform specific actions on that resource, and defines under what conditions this applies. The principal may live in another account, which is how cross-account access is granted. Resource-based policies are inline policies: they are stored on the resource rather than as reusable managed policies.

13
Q

What are IAM permissions boundaries?

A

A permissions boundary is an advanced feature in which you use a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM user or role. The boundary grants nothing itself: effective permissions are the intersection of the boundary and the identity-based policies. Its typical use is safe delegation of IAM administration, e.g. letting developers create roles only if each role carries a given boundary.

14
Q

What are service control policies?

A

SCPs are JSON policies in AWS Organizations that specify the maximum permissions for the accounts in an organization, an organizational unit (OU), or a single account. Like permissions boundaries they never grant permissions; they only filter what identity-based and resource-based policies can allow. They apply to every principal in a member account, including the root user, but do not affect the organization's management account or service-linked roles.

15
Q

What are access control lists?

A

Access control lists (ACLs) are a legacy grant mechanism, used mainly by Amazon S3, that control which principals in other accounts can access a resource. They are the one policy type that does not use the JSON policy language.

They are simpler and far less flexible than resource-based policies: you can grant permissions only to other AWS accounts (and a few predefined groups), not to users in your own account; you cannot attach conditions, and you cannot explicitly deny.

They are largely deprecated. AWS recommends keeping S3 ACLs disabled (Object Ownership set to "bucket owner enforced", the default for new buckets) and using bucket policies instead. The scenario they historically covered: when a bucket owner lets other AWS accounts upload objects, permissions on those objects could only be managed through the object ACL by the account that owned each object.

16
Q

What are session policies?

A

Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user (for example the Policy parameter of sts:AssumeRole). They only limit the session: its effective permissions are the intersection of the session policy and the identity's own policies, so a session policy can never grant more than the role already has.

17
Q

What is a principal in AWS?

A

A principal is a human user or workload that can make a request for an action or operation on an AWS resource. After authentication the principal acts under permanent or temporary credentials. In a resource-based policy it is named in the Principal element: an AWS account, an IAM user or role ARN, an AWS service, or a federated identity provider.

18
Q

What is a workload in AWS?

A

A workload is a collection of resources and code that delivers business value, such as a customer-facing application or a backend process.

19
Q

What is a federated identity?

A

A federated identity is a user that can access secure AWS account resources with external identities. External identities can come from a corporate identity store (such as LDAP or Windows Active Directory) or from a third party (such as Login with Amazon, Facebook, or Google). Federated identities don't sign in with AWS credentials: they authenticate with the external provider, and that provider's assertion (SAML 2.0, OpenID Connect, or an IAM Identity Center session) is exchanged through AWS STS for temporary credentials tied to a role. The type of external identity in use determines how federated identities sign in.

20
Q

What is the .aws/credentials file for?

A

It is a plaintext INI-style file that holds, per named profile ([default], [ci], ...), the credential values aws_access_key_id, aws_secret_access_key and, for temporary credentials, aws_session_token (some tools also record an expiration timestamp). Because it is plaintext, long-lived access keys in it are a prime target for credential theft: prefer short-lived credentials obtained through a role or SSO profile, and keep the file's permissions restricted to the owner.

21
Q

What is the .aws/config file for?

A

It holds the non-secret settings for each profile ([default] and [profile name] sections): region, output (the format of results for commands issued under this profile), and profile behaviour such as role_arn with source_profile for assuming a role, mfa_serial, and SSO settings. Credentials can be placed here too, but the shared credentials file is the conventional place for secrets, which keeps the config file safe to share.
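The two files from cards 20 and 21, loaded and audited together. This is an added example written for this page, not AWS CLI code: the sample file contents are constructed (using AWS's documented placeholder access key and made-up account IDs), the setting names are the documented ones, and the findings reflect one practitioner's hygiene rules rather than any AWS-defined check.

```python
"""Load and audit the AWS CLI/SDK credentials and config files.

Added example, not AWS CLI code. Both files are INI-style; the credentials
file names a profile as [name] while the config file uses [profile name]
(only [default] is unprefixed in both). File contents below are constructed.
"""
import configparser

SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEBYaDEXAMPLESESSIONTOKEN
"""

SAMPLE_CONFIG = """
[default]
region = us-east-1
output = json

[profile ci]
region = eu-west-1
output = text

[profile admin]
role_arn = arn:aws:iam::111111111111:role/Admin
source_profile = default
mfa_serial = arn:aws:iam::111111111111:mfa/alice
region = us-east-1

[profile orphan]
role_arn = arn:aws:iam::111111111111:role/ReadOnly
source_profile = missing
"""


def _parse(text):
    # interpolation=None: a secret key may contain '%', which the default
    # BasicInterpolation would try to expand.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def load_profiles(credentials_text, config_text):
    """Merge both files into {profile_name: {setting: value}}."""
    profiles = {}
    creds = _parse(credentials_text)
    for section in creds.sections():
        profiles[section] = dict(creds[section])
    conf = _parse(config_text)
    for section in conf.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        merged = dict(conf[section])
        merged.update(profiles.get(name, {}))  # credentials-file values win
        profiles[name] = merged
    return profiles


def credential_kind(profile):
    """Classify how a profile obtains its credentials."""
    if "role_arn" in profile:
        return "assume role via source_profile " + profile.get("source_profile", "<none>")
    key = profile.get("aws_access_key_id", "")
    if key.startswith("ASIA") and "aws_session_token" in profile:
        return "temporary credentials"
    if key.startswith("AKIA"):
        return "long-term access key"
    return "no static credentials" if not key else "unrecognised key format"


def audit(profiles):
    """Return {profile: [finding, ...]}; an empty list means nothing flagged."""
    findings = {}
    for name, profile in profiles.items():
        issues = []
        if credential_kind(profile) == "long-term access key":
            issues.append("long-lived access key stored in plaintext; prefer a role or SSO profile")
        if "role_arn" in profile:
            # credential_source (e.g. instance metadata) is the alternative to source_profile
            if "credential_source" not in profile and profile.get("source_profile") not in profiles:
                issues.append("source_profile does not exist")
            if "mfa_serial" not in profile:
                issues.append("role assumed without mfa_serial")
        if "region" not in profile:
            issues.append("no region set; most commands will fail or need --region")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for profile, issues in audit(load_profiles(SAMPLE_CREDENTIALS, SAMPLE_CONFIG)).items():
        print(profile, "->", issues or "ok")
```

Point it at real files with `open(os.path.expanduser("~/.aws/credentials")).read()` and the config equivalent; the [default] profile above is the one the audit flags, because a static AKIA key sitting in plaintext is exactly what an attacker with file read on the workstation is after.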

23
Q

What is a control plane?

A

Control planes provide the administrative APIs used to create, read/describe, update, delete, and list (CRUDL) resources. For example, the following are all control plane actions: launching a new Amazon Elastic Compute Cloud (Amazon EC2) instance, creating an Amazon Simple Storage Service (Amazon S3) bucket, and describing an Amazon Simple Queue Service (Amazon SQS) queue. When you launch an EC2 instance, the control plane has to perform multiple tasks like finding a physical host with capacity, allocating the network interface(s), preparing an Amazon Elastic Block Store (Amazon EBS) volume, generating IAM credentials, adding the Security Group rules, and more. Control planes tend to be complicated orchestration and aggregation systems.

24
Q

Must you specify access policies on both the aws resource and the role?

A

It depends on where the principal lives. Within a single account, an Allow in either the identity-based policy of the role or the resource-based policy of the resource is sufficient, as long as no explicit Deny applies anywhere. For cross-account access both sides must allow: the resource-based policy must grant the external principal, and that principal's own identity-based policy must allow the action. Specifying both is the more restrictive configuration in either case, and any SCP, permissions boundary, or session policy in force must allow the action as well.

25
Q

What is a data plane?

A

The data plane is what provides the primary function of the service. For example, the following are all parts of the data plane for each of the services involved: the running EC2 instance itself, reading and writing to an EBS volume, getting and putting objects in an S3 bucket, and Route 53 answering DNS queries and performing health checks.

Data planes are intentionally less complicated, with fewer moving parts compared to control planes, which usually implement a complex system of workflows, business logic, and databases.