AWS IAM Flashcards

Question 1

Q

What are the main logical components of AWS IAM?

Answer

A

Users, Groups, Roles, Permission Policies

Question 2

Q

Can a user assume a role in another account?

Answer

A

Yes, a user can assume a role in another account by calling assume-role using the CLI or using the Web console switch role function. With the CLI asume-role requires an –role-arn and a –role-service-name.

Question 3

Q

How can I enable a user from another account access to a resource in my account?

Answer

A

We will create a cross-account role the other account user will assume. The other account user will have to have a policy stating they can assume this role, for this you will need and ARN.

Question 4

Q

With an AWS IAM role can I have credentials for 30day?

Answer

A

No, the access keys expire from 15min to 12hrs depending on your configuration?

Question 5

Q

I have an application running on an EC2 instance, the EC2 instance has been given a role that enables access to S3, where can i get these access keys from?

Answer

A

You can get the keys from the metadata service 169.254.169.254.

Question 6

Q

I have a user in aws account A and what to give this user access to aws account b, how can i do this?

Answer

A

Create a cross-account role and user switch role in the user account.

Question 7

Q

I want to use a Web Identity Provider with my mobile application to access DynamoDB, how would this work?

Answer

A

Mobile app signs into IP
IP give mobile app a token
Mobile calls AsumeRoleWithEebIdentity with STS
STS validates token with IP
STS cheeks policy with AWS IAM
STS return security creds (temp access key and secret key) to mobile app

Question 8

Q

What are the creds returned by STS?

Answer

A

Access key and secret key

Question 9

Q

From an IAM perspective, what should I do with the root user first thing after setting up a new account?

Answer

A

Remove the access key.
Set an extremely secure password on the root user.
Do not use the root password only;y in emergencies
Enable MFA and lock away the security key.

Question 10

Q

From an IAM perspective is it better to assign permissions to individuals or groups?

Answer

A

Groups, they are easier to manage than the individual.

Question 11

Q

When assigning access to users, should I assign all access to all service to make it easy to manage and save time?

Answer

A

NO, you should implement the least privilege and only assign the levels of access required for the person to do their job.

Question 12

Q

As IAM best practice what should I do for passwords?

Answer

A

Implement a password policy for rotation and strength, reuse, etc.

Question 13

Q

When an application on an EC2 instance wants access to services in AWS, what is best practice?

Answer

A

Implement a role and assign to EC2 instance, only assign the service and actions required by the application.

Question 14

Q

If I have two accounts, do I share security creds between accounts?

Answer

A

No, you set up a role in other account and enable the user to assume the role.

Question 15

Q

For an AWS account, what are the 3 domains?

Answer

A

Authentication (IAM)
Billing
The authorisation (Permissions)

Question 16

Q

How can we restrict the blast radius in AWS?

Answer

A

You cna use an AWS account, the account is the billing, user authenticationa nd authorision.

Question 17

Q

What are the two wats a user can authenticate them self with AWS IAM?

Answer

A

User name & Password

- Access key & Secret key

Question 18

Q

How is a user given access to resources?

Answer

A

A user is given access through the assignment of policies to the user direct to the group the user is in.

Question 19

Q

What are the main parts of a user policy?

Answer

A

Effect: This is allow or deny
Action: s3:ListBucket”, Resource: “arn:aws:s3:::example_bucket
Condation

Question 20

Q

For a user based policy, what is its main purpose?

Answer

A

To allow or deny user access to a resource?

Question 21

Q

For a resource-based policy, what is the main purpose?

Answer

A

To allow or deny one or more users to the resource?

Question 22

Q

What are the main elements of a resource-based policy?

Answer

A

Effect: This is allow or deny
Action: s3:ListBucket”, Resource: “arn:aws:s3:::example_bucket
Principal : {“AWS”: [“arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root”]},
Condation

Question 23

Q

What is an AWS group?

Answer

A

It is an admin construct to group users into a single pool.

Question 24

Q

What is an inline policy?

Answer

A

It is a policy thet is directly attached to a user or a group.

Question 25

Q

Can you log in as a group?

Answer

A

No, a group is a logical construct.

Question 26

Q

What you create a user in AWS do they have any rights by default?

Question 27

Q

They is a DENY in a user policy, but there is also a ALLOW for the resource, what is the out come?

Question 28

Q

What is the limit of the number of users per AWS account?

Answer

A

5K, but using federation you can get around this.

Question 29

Q

Using a user policy, how would you enable access for s3 resource.

Answer

A

“Effect”: “Allow”
“Action”: “s3:”
“Resource”: “”

Question 30

Q

How are policies evaluated when you access a resource?

Answer

A

All policies are gathered to gether and evaluated as a group, this includes use and resource, if there is a DENY in th epolicies, then you will be delied access, if there is no allow in the policy you will be denyed access.

Question 31

Q

Can a user have multipal policies attached?

Question 32

Q

Can you have multipal statement in a access policy?

Question 33

Q

If I have a policy with two statements thet allow s3 access for all APIs, will I be able to access Ec2? and why?

Answer

A

No, as ther is a implicit deny

Question 34

Q

What are managed policies?

Answer

A

They are the native policies available to you by AWS that are managed by AWS.

Question 35

Q

What is a customer managed policy?

Answer

A

They are policies you create.

Question 36

Q

What is a condition on a policy statement?

Answer

A

It means the statement applies to provide the condition matches.

Question 37

Q

What are policy variables?

Answer

A

They are AWS variables that are available when creating policy documents.

Question 38

Q

I only want a bucket available between 1pm and 4pm daily, how can I achieve this?

Answer

A

You can set a condition in the policy.

Question 39

Q

Can I log into a role?

Answer

A

No, a role can be assumed by the users.

Question 40

Q

Can an Ec2 instance assume a role?

Answer

A

Yes, this way the EC2 instance can use the assumed role to access something s3.

Question 41

Q

I want a lambda function to access an s3 bucket, do I need a user

Answer

A

You need to assume a role that has a policy with permission to access the s3 bucket. There will also need it trust policy to allow the lamb to assume the role.

Question 42

Q

A role has two main parts, what are they?

Answer

A

Trust relationship, a policy.

- Permissions, a policy

Question 43

Q

What is the role trust policy 9 relationships)?

Answer

A

The trust relationship is a policy that you can use to enable accounts, or services assume a rile

Question 44

Q

What are the 4 trust relationships types for a role?

Answer

A

AWS Service (the service asumes a rile)
Account (3rd partsy can asume a role
Web identity
SAML

Question 45

Q

When you asume a role what are you doing?

Answer

A

You are geteing back key id, access key and security token form the STS server.

Question 46

Q

For a EC2 instance with a role, where dose the EC2 instance get the access keys, etc from?

Answer

A

When the EC2 instances asuesmes the asigned role, it gets an access key, etc from STS server and this is stored in the metadaat server. The reasoln Ec2 can sume the role is because role has a trust relation ship policy set up to allow this EC2 servoces asume the role.

Question 47

Q

Where in the metadata server is the security credentails for a ec2 instance stored?

Answer

A

https://169.254.169.254/latest/meta-data/iam/security-redentails/name of_vm

Question 48

Q

What service is used to give tempory credentails ?

Question 49

Q

When creating a cross account acess where you allow the user asume a role, what do you need to set up?

Answer

A

In the account to be asumed, you et up a rile with a trust policy to allow other account asume the role, you also set up ppermissions fo the role. In the accont you will asume the role from, you setup a plicy and asign to uses to enable the users asume the role.

Question 50

Q

Can you revoke tempory sesons (STS)?

Answer

A

No, they will only invalidate when tey expire, but you cna using revoke sesstion tab add a policy thet deny any session before a date/time

Question 51

Q

I wnat to assume a role fdrom another account when using the CLI, how is this possible?

Answer

A

CLI to asume a role in the other account
You receive back a access key, secret key and session key
Store in environment varables

Question 52

Q

I have two buckets one on accout A and one in account B, hiw cna I copy an objetc betwwen the buckets?

Answer

A

You can set up a bucket policy to allow the remote account access the bucke.

Question 53

Q

If using a buckety policy I grand a remote account access nto upload to a bucket, what is a potentail isse with the objects?

Answer

A

The owner of the object is the remote account and local accounts users will not have access to the objects?

Question 54

Q

Can you have two or more master accounts?

Answer

A

No, you can only have a single account.

Question 55

Q

What does AsumeRoleWithWebIdnetity do?

Answer

A

Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider

Question 56

Q

What does AssumeRoleWithSAML do?

Answer

A

Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.

Question 57

Q

When you use AsumeRoleWithWebIdnetity, what are the steps involved?

Answer

A

You log in to your identity provider, like Google.
You receive a barer token after the login
You call AWS with barer token and STS generates access key, secret key and session key and return to you.
You can then use these access keys, etc to make s cales to the AWS.

Question 58

Q

I need to use Google as an identity provider to allow my users to access the AWS console, how is this possible?

Answer

A

It is not, WebIdentity cannot be used to access the web console, you can only use it to access the API.

Question 59

Q

I am using SAML for web identity, I have logged in to AWS using SAML, I want to access the API, what do I need to do?

Answer

A

Call AssumeRoleWithSAML, this will give you a new Access key, etc and you can use to access AWS resources.

Question 60

Q

What are the types of policies used in AWS?

Answer

A

Orgnization polocies - Service control polocies (SCP)
Identity polocies
Resource polocies
Endpoint polocies
Security token
Permission boundry

Question 61

Q

If I enable services with service control policies, have i given permission to the services?

Answer

A

No, you have just enabled the use of these policies, a user or role still has to have permission through a resource of identity policy.

Question 62

Q

What will a service control policy with no allows in it do?

Answer

A

It will deny access to every resource in every account it is attached to.

Question 63

Q

If I have an allow S3 in the service control policy and I have allowed EC2 in permission boundary and I have allowed CodeCommit in permission policy for user X, what cna uses X access?

Answer

A

Nothing as there is no overlap between the policies.

Question 64

Q

I want to stop developers from turning off cloud trail or create IAM users or setup AWS Directory Services across my accounts, how can I do this?

Answer

A

You can use a service console policy

Answer 60

A

Use service control policies. For this policy we list the actions we want to all and attach a condition with string equals aws:requestedregion

Answer 61

A

Enables you to set the max permissions that an identity-policy can grant.

Answer 62

A

A user or a role.

Answer 63

A

Use permissions boundary.

Answer 64

A

It is where if these are not explicit deny then the allow takes effect if there is not a allow then the deny takes effect.

Answer 65

A

Org boundary
User & Role Boundry
User & Role Policies
Role policies
Permission

Answer 66

A

an instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.

Answer 67

A

You get back 3 elements from, you get,
-Session Key
- Acce3ss Key
- Secret
You can use these to then make further API calls to AWS under the account the role belongs to.

Answer 68

A

Session policies are used to restrict the permissions that you get when you assume a rile using AzureRole, AsumeRoleWithSAML and Assume RoleWithWebIdentity

Answer 69

A

It is a service thet when called return a tempory security token.

Answer 70

A

It is part of a role and is used to create a trust relationship between the role and another account, this account can assume the role.

Answer 71

A

AsumeRoleWithWebIdentity

Answer 72

A

You can assume a role using the AsumeRole API, as there is a trust relationship between the role and the calling account STS will return temp credentials, their creds can be used when calling the DynamoDB table.

Answer 73

A

AsumeRole: Used between AWS accounts
AsumeRole withWebIdentity: Used between federated web-based like OAuth
AsumeRoleWithSAML: Used between AWS and AD.

Answer 74

A

You are using web-based federation and will be using the AssumeRoleWithWebIdentity.

Answer 75

A

You can use web-based federation and the AssumeRoleWith WebIdentity and then use the return creds to make calls to the DynamoDB Table API.

Answer 76

A

It enables you to restrict what services a user can access, for example, you can allow access to S3 and even if the user has IAM permissions to EC2 they will not get access to EC2 as the IAM boundary will not all it.

Answer 77

A

The service control policy is applied at the org and account level to allow or deny access to services. The IAM Boundry is applied at the IAM user and role level.

Answer 78

A

You cna not use an IAMBoundry policy as it only operates at the user and role level. Use a service controle policy.

Answer 79

A

All related policies are collected and evaluate din one go, if there is a deny then thet service is denied if there is a allow then provided the user policy also enables the allow then access is granted.

Answer 80

A

> Org Bounderies (Service control policies)
> User Role Bounderies
> Role Policies
> Identity and Resource Policies

Answer 81

A

The role policy is attached to a role and enables deny -> Allow -> Deny. You can use it to restrict what services a person or system can access when assuming a role.

Answer 82

A

you can use role Policies, Role Boundaries or service control policies.

Answer 83

A

Set up,

aws identity provider
setup roles
setup rekient party

Answer 84

A

It is a global product.

Answer 85

A

Yes because service control policies do not apply outside the account.

Answer 86

A

Users
User groups
Roles

Answer 87

A

Identity policy

Answer 88

A

Identity-based policie
Resource-based policies,
Permissions boundaries,
Organizations SCPs,
ACLs
Session policies.

Answer 89

A

It is a policy attached to identities like a user, users group or a role. It is evaluated to allow or not allow access by identity.

Answer 90

A

It is a policy evaluated when a resource is accessed, it will allow or deny access to the resource.

Answer 91

A

Use an AWS Organizations service control policy (SCP) to define the maximum permissions for account members of an organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.

Answer 92

A

Use ACLs to control which principals in other accounts can access the resource to which the ACL is attached. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure. ACLs are cross-account permissions policies that grant permissions to the specified principal entity. ACLs cannot grant permissions to entities within the same account.

Answer 93

A

Use a managed policy as the permissions boundary for an IAM entity (user or role). That policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity.

Answer 94

A

{
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Owner": "keith"
                }
            }
   }

Answer 95

A

The effect is weather to ‘Allow’ or ‘Deny’ based on policy

Answer 96

A

This will be the list of API call allows. Like S3.* means al S3 calls and * meas all API in AWS.

Answer 97

A

You can use the role as part of the switch role functionality to switch to the org account.

Answer 98

A

Create a cross-account role in the account you are switching to. With a trust relationship form the account, you are coming from.
Add a policy to assume role for the user in the from the account, this will be a policy like
{
“effect”:”Allow”,
“Action”:”sta:AssumeRole”,
“Resource”:”arn:aws:iam:11111111111:role/RoleName”
}

Answer 99

A

OpenID

- SAML

Answer 100

A

Permission policies

Trust relationship

Brainscape's Knowledge GenomeTM

AWS IAM Flashcards

Brainscape's Knowledge Genome^TM