Ch6 IAM Flashcards
Which of the following methods will allow an application using an AWS SDK to be
authenticated as a principal to access AWS Cloud services? (Choose 2 answers)
A. Create an IAM user and store the user name and password for the user in the
application’s configuration.
B. Create an IAM user and store both parts of the access key for the user in the
application’s configuration.
C. Run the application on an Amazon EC2 instance with an assigned IAM role.
D. Make all the API calls over an SSL connection.
B, C. Programmatic access is authenticated with an access key, not with user
names/passwords. IAM roles provide a temporary security token to an application using
an SDK.
Which of the following are found in an IAM policy? (Choose 2 answers)
A. Service Name
B. Region
C. Action
D. Password
A, C. IAM policies are independent of region, so no region is specified in the policy. IAM
policies are about authorization for an already-authenticated principal, so no password is
needed.
Your AWS account administrator left your company today. The administrator had access
to the root user and a personal IAM administrator account. With these accounts, he
generated other IAM accounts and keys. Which of the following should you do today to
protect your AWS infrastructure? (Choose 4 answers)
A. Change the password and add MFA to the root user.
B. Put an IP restriction on the root user.
C. Rotate keys and change passwords for IAM accounts.
D. Delete all IAM accounts.
E. Delete the administrator’s personal IAM account.
F. Relaunch all Amazon EC2 instances with new roles.
A, B, C, E. Locking down your root user and every account to which the administrator had
access is the key here. Deleting all IAM accounts is not necessary, and it would cause
great disruption to your operations. Amazon EC2 roles use temporary security tokens, so
relaunching Amazon EC2 instances is not necessary. One practical caveat on option B: IAM
policies cannot be attached to the root user itself, so a source IP restriction on root is
only enforceable through an Organizations service control policy applied to a member
account; in a standalone account, the controls you can actually apply to root today are the
password change and MFA in option A.
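The IAM side of answers C and E as an added, runnable playbook (example code written for these flashcards, not from the study guide). It is written against the method names, keyword arguments, response shapes and exception class of boto3's IAM client, but runs here against a hypothetical in-memory `FakeIamClient` holding constructed users and access key IDs, so it works offline; pass `boto3.client("iam")` in place of the fake to run it for real. The root-user steps in answer A (new password, MFA) have no IAM API and stay manual.

```python
from datetime import datetime, timedelta, timezone

# Constructed "today" for the sample data below.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


class FakeIamClient:
    """Hypothetical in-memory stand-in for boto3.client("iam") with constructed
    sample users. Method names, keyword arguments, response shapes and the
    NoSuchEntityException class mirror the real client."""

    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self):
        self.users = {
            "alice": {"keys": {"AKIAEXAMPLE0000001": ["Active", NOW - timedelta(days=200)]},
                      "console": True, "reset_required": False},
            "build-bot": {"keys": {"AKIAEXAMPLE0000002": ["Active", NOW - timedelta(days=10)]},
                          "console": False, "reset_required": False},
            "departed-admin": {"keys": {"AKIAEXAMPLE0000003": ["Active", NOW - timedelta(days=400)],
                                        "AKIAEXAMPLE0000004": ["Inactive", NOW - timedelta(days=30)]},
                               "console": True, "reset_required": False},
        }

    def list_users(self):
        return {"Users": [{"UserName": name} for name in self.users]}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": key_id, "Status": status, "CreateDate": created}
            for key_id, (status, created) in self.users[UserName]["keys"].items()]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.users[UserName]["keys"][AccessKeyId][0] = Status

    def get_login_profile(self, UserName):
        if not self.users[UserName]["console"]:
            raise self.exceptions.NoSuchEntityException(UserName)
        return {"LoginProfile": {"UserName": UserName}}

    def update_login_profile(self, UserName, PasswordResetRequired):
        self.users[UserName]["reset_required"] = PasswordResetRequired

    def delete_login_profile(self, UserName):
        self.users[UserName]["console"] = False


def _has_console_password(client, user):
    try:
        client.get_login_profile(UserName=user)
        return True
    except client.exceptions.NoSuchEntityException:
        return False


def lock_down_after_departure(client, departed_user, now=NOW):
    """Day-one IAM steps after an administrator leaves. Returns a report of what
    was changed and what the remaining key owners still have to rotate."""
    report = {"deactivated": [], "rotate": [], "reset_password": []}
    for user in (entry["UserName"] for entry in client.list_users()["Users"]):
        for key in client.list_access_keys(UserName=user)["AccessKeyMetadata"]:
            if key["Status"] != "Active":
                continue
            if user == departed_user:
                # Deactivate, don't delete: the key stops working immediately but
                # stays visible for the investigation and can be re-enabled if a
                # forgotten system turns out to depend on it.
                client.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"],
                                         Status="Inactive")
                report["deactivated"].append(key["AccessKeyId"])
            else:
                # The departed admin created these keys and may hold copies, so the
                # owner must rotate: create a new key, switch the app, deactivate old.
                age_days = (now - key["CreateDate"]).days
                report["rotate"].append((user, key["AccessKeyId"], age_days))
        if _has_console_password(client, user):
            if user == departed_user:
                client.delete_login_profile(UserName=user)
            else:
                client.update_login_profile(UserName=user, PasswordResetRequired=True)
                report["reset_password"].append(user)
    # Oldest keys first, so rotation starts with the longest-exposed credentials.
    report["rotate"].sort(key=lambda item: item[2], reverse=True)
    return report


if __name__ == "__main__":
    print(lock_down_after_departure(FakeIamClient(), "departed-admin"))
```

Against a real account, wrap `list_users` in a paginator (the API returns at most 100 users per call), and finish answer E afterwards: deleting the departed user's IAM account also requires removing its MFA devices, group memberships and attached policies first.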
Which of the following actions can be authorized by IAM? (Choose 2 answers)
A. Installing ASP.NET on a Windows Server
B. Launching an Amazon Linux EC2 instance
C. Querying an Oracle database
D. Adding a message to an Amazon Simple Queue Service (Amazon SQS) queue
B, D. IAM controls access to AWS resources only. Installing ASP.NET will require
Windows operating system authorization, and querying an Oracle database will require
Oracle authorization.
Which of the following are IAM security features? (Choose 2 answers)
A. Password policies
B. Amazon DynamoDB global secondary indexes
C. MFA
D. Consolidated Billing
A, C. Amazon DynamoDB global secondary indexes are a performance feature of Amazon
DynamoDB; Consolidated Billing is an accounting feature allowing all bills to roll up
under a single account. While both are very valuable features, neither is a security
feature.
Which of the following are benefits of using Amazon EC2 roles? (Choose 2 answers)
A. No policies are required.
B. Credentials do not need to be stored on the Amazon EC2 instance.
C. Key rotation is not necessary.
D. Integration with Active Directory is automatic.
B, C. The credentials an Amazon EC2 role delivers to the instance are short-lived and are
refreshed automatically before they expire, so nothing has to be stored on the instance and
no manual key rotation is needed. Amazon EC2 roles must still be assigned a policy.
Integration with Active Directory is not automatic; it requires federating Active Directory
with IAM via SAML.
Which of the following are based on temporary security tokens? (Choose 2 answers)
A. Amazon EC2 roles
B. MFA
C. Root user
D. Federation
A, D. Amazon EC2 roles provide a temporary token to applications running on the
instance; federation maps policies to identities from other sources via temporary tokens.
Your security team is very concerned about the vulnerability of the IAM administrator
user accounts (the accounts used to configure all IAM features and accounts). What
steps can be taken to lock down these accounts? (Choose 3 answers)
A. Add multi-factor authentication (MFA) to the accounts.
B. Limit logins to a particular U.S. state.
C. Implement a password policy on the AWS account.
D. Apply a source IP address condition to the policy that only grants permissions when
the user is on the corporate network.
E. Add a CAPTCHA test to the accounts.
A, C, D. Neither B nor E is a feature supported by IAM. Option D is expressed as an
aws:SourceIp condition on the policy statements that grant the administrative permissions.
You want to grant the individuals on your network team the ability to fully manipulate
Amazon EC2 instances. Which of the following accomplish this goal? (Choose 2
answers)
A. Create a new policy allowing EC2:* actions, and name the policy NetworkTeam.
B. Assign the managed policy, EC2FullAccess, to a group named NetworkTeam, and
assign all the team members’ IAM user accounts to that group.
C. Create a new policy that grants EC2:* actions on all resources, and assign that policy
to each individual’s IAM user account on the network team.
D. Create a NetworkTeam IAM group, and have each team member log in to the AWS
Management Console using the user name/password for the group.
B, C. Access requires an appropriate policy associated with a principal. Response A is
merely a policy with no principal, and response D is not a principal as IAM groups do not
have user names and passwords. Response B is the best solution; response C will also
work but it is much harder to manage.
What is the format of an IAM policy?
A. XML
B. Key/value pairs
C. JSON
D. Tab-delimited text
C. An IAM policy is a JSON document.
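An added worked example (written for these flashcards, not taken from the study guide) tying the last three cards together: two constructed JSON policy documents, the NetworkTeam ec2:* policy from the EC2 question and an IAM administrator policy with the MFA and source IP conditions the lock-down question asks for, plus a small evaluator that decides requests the way IAM does (implicit deny, explicit Deny wins). The Sid, the 203.0.113.0/24 "corporate network" and the account ID in the sample ARN are placeholders; only the Bool and IpAddress condition operators are modelled.

```python
import fnmatch
import ipaddress
import json

# Constructed policy: option C of the NetworkTeam question, ec2:* on all resources.
NETWORK_TEAM_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
  ]
}
""")

# Constructed policy: IAM administration only with MFA and from the corporate
# range (203.0.113.0/24 is a documentation prefix, not a real network).
IAM_ADMIN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IamAdminOnlyWithMfaFromCorpNetwork",
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*",
      "Condition": {
        "Bool": {"aws:MultiFactorAuthPresent": "true"},
        "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}
      }
    }
  ]
}
""")


def _as_list(value):
    # Action, Resource and condition values may be a single string or a list.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are case-insensitive; '*' and '?' are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are matched case-sensitively with the same wildcards.
    return fnmatch.fnmatchcase(resource, pattern)


def _condition_holds(condition, context):
    """AND across operators and keys; OR across the listed values of one key.
    A key missing from the request context makes a (non-negated) condition false,
    which is why a missing aws:MultiFactorAuthPresent fails the Bool test."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            values = _as_list(wanted)
            if operator == "Bool":
                if str(actual).lower() not in [v.lower() for v in values]:
                    return False
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(v, strict=False) for v in values):
                    return False
            else:
                raise ValueError(f"condition operator {operator} is not modelled here")
    return True


def evaluate(policies, action, resource, context):
    """Decide one request against identity-based policies, in IAM's order:
    implicit deny unless some statement allows, and a matching explicit Deny
    wins regardless of any Allow."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

The evaluator only covers identity-based policies; real IAM also folds in resource policies, permissions boundaries and service control policies. Note the behaviour on a missing context key: an Allow conditioned on aws:MultiFactorAuthPresent simply does not apply when the key is absent, whereas a Deny meant to block non-MFA access must use BoolIfExists so that it also fires when the key is absent.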