AWS Security (IAM)

Question 1

What are the 4 steps to secure your AWS root account?

Answer 1

1. Enable multi-factor authentication on the root account.
2. Create an admin group for your administrators, and assign the appropriate permissions to this group.
3. Create user accounts for your administrators.
4. Add your users to the admin group.

Question 2

How do we control permissions using IAM?

Answer 2

We assign permissions using policy documents, which are made up of JSON (JavaScript Object Notation).

Question 3

Permissions are stored using what format?

Answer 3

JSON

Question 4

A policy document consists of what sections?

Answer 4

1. Version

2. Statement

Question 5

What kind of IAM Policy Documents are there?

Answer 5

Groups, Users & Roles

Question 6

Does IAM require the region to be selected?

Answer 6

No.

Question 7

What are the types of IAM Policies?

Answer 7

AWS Managed & Customer Managed

Question 8

In the policy document, typically what are the 3 sections under Statement?

Answer 8

Effect, Action and Resource

Question 9

What are the 3 building blocks for Identity & Access Management?

Answer 9

1. Users - a physical person
2. Groups - functions, such as administrators, developers, etc. Groups contain users.
3. Roles - internal usage within AWS

Question 10

It is best practice for users to ______ permissions from groups.

Answer 10

inherit

Question 11

What’s the best practice in regards to users and people?

Answer 11

1 user = 1 person.

Always work on the principle that one user equals one physical person. Never share user accounts across multiple people.

Question 12

Should you share user accounts across multiple people?

Answer 12

No. It is not considered best practice.

Question 13

What is the definition of “The Principal of Least Priviledge”?

Answer 13

Only assign a user the minimum amount of privileges they need to do their job.

Question 14

Where do you set password policy requirements?

Answer 14

Under “Account Settings” in IAM.

Question 15

When you create a user, what kind of permissions are they automatically granted?

Answer 15

A new user is created with NO PERMISSIONS by default.

Question 16

You can add an ______ ______ to establish a trust between SAML 2.0 and other services’ logins.

Answer 16

Identity provider

Question 17

What makes your windows login useable within AWS, using the Identity Provider using SAM?

Answer 17

Active Directory Federation

Question 18

What is the account that is created when you first set up your AWS accounts and which has complete access?

Answer 18

Root account

Question 19

What account should you secure as soon as possible AND not use to log in day to day?

Answer 19

Root account

Question 20

Are access key ID and secret access keys the same as usernames and passwords?

Answer 20

No. You cannot use the access key ID and secret access key to login to the console. You can use them to access AWS via the APIs and Command Line.

Question 21

What do you use to access the login to the console?

Answer 21

IAM user account

Question 22

What do you use to access AWS via the APIs and Command Line?

Answer 22

Access Key ID and Secret Access Key

Question 23

True or False: If you lose the access key ID and secret access key values, you can download the existing ones from the console as an administrator.

Answer 23

False.

You only get to view these once. You’ll have to regenerate them if you lose them. Save them in a secure location.

Question 24

You can use this to combine your existing user account with AWS. For example, Microsoft Active Directory credentials can be used if you setup this service.

Answer 24

IAM Federation

Question 25

What uses the SAML standard, which is Active Directory?

Answer 25

Identity Federation

Question 26

Always give your users the _____________ of access required to do their job.

Answer 26

minimum amount

Question 27

Create ________ and assign your users to them.

Answer 27

“1. Create IAM groups and assign your users to groups.

2. Group permissions are assigned using IAM policy documents.
3. Your users will automatically inherit the permissions of the group.”

Question 28

What is an IAM Role?

Answer 28

A role is an identity you can create in IAM that has specific permissions. A role is similar to a user, as it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.

Question 29

True or False: A role is uniquely associated with one person.

Answer 29

False. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

Question 30

A role does/does not have the same standard long-term credentials the same way passwords or access keys do.

Answer 30

“Does not.

Instead, when you assume a role, it provides you with the temporary security credentials for your role session.”

Question 31

Roles can allow ______ access.

Answer 31

Cross-Account access. This allows one AWS account the ability to interact with resources in other AWS accounts.

Question 32

What other entities can assume a role?

Answer 32

People, AWS architecture, or other system-level accounts.

Question 33

When using roles, the preferred option is:

Answer 33

Roles are preferred from a security perspective.

Question 34

True or False: Always choose using roles over hard-coding your credentials.

Answer 34

True. Roles allow you to provide access without the use of access key IDs and secret access keys.

Question 35

Roles require / do not require the use of access key IDs and secret access keys.

Answer 35

DO NOT require

Question 36

How is a role’s permissions being controlled?

Answer 36

By using policies.

Question 37

Upon updating a policy attached to a role, it will take effect when?

Answer 37

Immediately