Core Fundamentals and AWS Accounts

Question 1

What is IAM?

Answer 1

A standard issue FREE (with limits) service is provided with each AWS account. Where users, groups, and roles are created and are given permissions. Own DB for IAM. 1 Globally resilient service. Any data is always secure across all regions. Own dedicated instance of IAM. IAM service has full trust and can do as much as ROOT USER. Enbles user Identity federation (IDF) and MFA.

Manage Identities - ID Provider (create and manage)
Authenticates (proves who you are)
Authorizes (allow or deny services within the account)

Question 2

What can the ROOT USER do in an AWS account?

Answer 2

Full control of the AWS account. Full control. Unrestricted. AWS Account and ROOT USER are kind of the same thing. Auto created. CANNOT be restricted.

Question 3

What permissions are automatically granted to new identities added to the account?

Answer 3

Least privilege principle. No permissions are given automatically. They must be explicitly given.

Question 4

What is an AWS account made up of?

Answer 4

A unique email address, payment method, users, groups, roles, and services being provided. It prevents things from getting out of the account and things getting into the account as well.

Question 5

Why would you want to avoid using the same AWS account for the entire business?

Answer 5

This creates a single point of failure. If that one account is compromised, all the business is compromised. You can split Dev, Prod, or Test into different accounts or even separate customer segments into separate accounts.

Question 6

When creating a new AWS account what options do you have for alternate contacts?

Answer 6

Billing, Operations, and Security

Question 7

What are the factors of identification?

Answer 7

Knowledge - Something you know
Possession - Something you have (device or app)
Inherent - Something you are (fingerprint, iris scan)
Location - Building, Corporate Network, VPN

Question 8

How is MFA implemented for AWS?

Answer 8

AWS creates a secret key and pairs that with your user account info like user name. Then, that information is stored in a QR Code. When that QR code is scanned with an app, the app will reach out to AWS to ensure that the key is correct and will pair itself to your account to give regenerated MFA codes that AWS can cross reference to ensure you are who you say you are.

Question 9

When setting up a budget, what template options do you have?

Answer 9

Free tier - Any spend at all
Monthly Spend - Define how much you can spend in one month
Daily Savings - Notifies when you fall below the defined target that you agree to use. Must spend!
Daily Reservation Utilization - Notifies when you fall below the defined target that you agree to use. Must use!

Question 10

What kind of objects can you create with IAM?

Answer 10

User - Identities (humans or apps) that need access to the account. Individual.
Group - a collection of related users
Role - used by AWS services or external users to grant access to an uncertain number of entities. Uncertain many.

Question 11

What is an IAM Policy?

Answer 11

Allows or denies access to AWS services. Do nothing, only define. Must be attached to a user group or role to take effect.

Question 12

If using best practices, what should the ROOT USER be used for?

Answer 12

Only for the initial creation and setup of the AWS account.

Question 13

How can you access an AWS account through the command line or APIs?

Answer 13

IAM Access Keys.

Question 14

What are long-term access keys?

Answer 14

These are authentication types which don’t change or rotate automatically.

Question 15

When creating an IAM user why would you want to omit a password?

Answer 15

If you intend to authenticate with this user through only access keys (API or command line)

Question 16

What are the parts of credentials?

Answer 16

Public piece and private piece. Username is public, password is private, MFA token is private.

Question 17

What is an access key?
Where are access keys created?
How many access keys can a user have?

Answer 17

An account can use an access key to access an AWS account via command line or API. They can be Created, deleted, made acitive/inactive.

Access keys are created in the security credentials for a logged in user.

A user can have 0-2 access keys.

Question 18

What are the parts of an access key?

Answer 18

The key ID which you can fetch from AWS at any point.
The secret key which you can NEVER access again after the point of creation. It must be stored securely at time of creation.

Question 19

What should you do if an access key is compromised?

Answer 19

Delete the access key, recreate an access key, and update all instances of connection via that access key.

Question 20

What is the process for rotating access keys?

Answer 20

Create a new access key, update all instances where the key is used, and make the old access key inactive/delete it.

Question 21

What are the best practices of working with access keys?

Answer 21

NEVER STORE IN PLAIN TEXT
DISABLE/DELETE WHEN NOT IN USE
Use the least privilege principle
Rotate keys regularly

Question 22

How do you configure multiple accounts on a single computer?

Answer 22

Use named credentials when configuring in the terminal:
aws configure –profile general