IAM

Question 1

What is IAM

Answer 1

Amazon Identity Access Management is a web service that helps you securely control access to AWS resources.

Question 2

Authentication vs Authorization

Answer 2

Authentication - Able to sign in

Authorization - Access to resources.

Question 3

Consistency type of IAM

Answer 3

Eventually consistent.

Question 4

You access IAM via:

Answer 4

1. AWS Management Console
2. AWS Command Line Tools
3. AWS SDKs
4. IAM HTTPS API

Question 5

When you use the ________, you must include code to digitally sign requests using your credentials

Answer 5

HTTPS API

Question 6

What are IAM Resources

Answer 6

1. User
2. Group
3. Role
4. Identity Provider Objects

Question 7

Can you add/delete/modify IAM resources?

Answer 7

With given permissions, yes

Question 8

What are Identity Provider Objects?

Answer 8

If you already manage user identities outside of AWS, you can use IAM identity providers instead of creating IAM users in your AWS account.

Question 9

What are IAM Identities?

Answer 9

IAM resource objects that are used to identify and group such as users, groups and roles.

Question 10

You attach policies to _______

Answer 10

IAM identities.

Question 11

What are IAM Entities?

Answer 11

IAM Resource objects that AWS use for authentication such as users and roles.

Question 12

What is a principal

Answer 12

A principal is a person or applicaion that uses AWS root user, an IAM User or an IAM role to sign in and make requests to AWS.

Question 13

Principals include users such as _______ and _________

Answer 13

Federated users and assumed roles.

Question 14

AWS users and roles, that are used to authenticate are called as _________

Answer 14

IAM entities

Question 15

Out of users, groups and roles, you don’t use this for authentication.

Answer 15

Groups

Question 16

_________ are used for AWS authentication?

Answer 16

IAM Entities.

Question 17

What information does a request from principal to AWS resource include?

Answer 17

1. Actions or operations.
2. Resources
3. Principal
4. Environment Data
5. Resource Data

Question 18

AWS gathers the information from request into a ________ which is used to authorize the request

Answer 18

Request context

Question 19

To authenticate a principal from the API or AWS CLI, you must provide your ________ and __________

Answer 19

access key and secret key.

Question 20

Most policies are stored in AWS as ___________

Answer 20

JSON documents

Question 21

__________ specify the permissions for principal entities

Answer 21

Policies

Question 22

To provide your users with permissions to access the AWS resources in their own account, you need only _________.

Answer 22

identity-based policies

Question 23

Resource-based policies are popular for ___________

Answer 23

granting cross-account access

Question 24

When does AWS Denies a request?

Answer 24

1. Explicit Deny

2. Denied by default

Question 25

What is Explicit Deny?

Answer 25

If a single permissions policy includes a denied action, AWS denies the entire request and stops evaluating.

Question 26

What is Denied by default

Answer 26

AWS property that by default, all requests are denied.

Question 27

When does AWS Accepts a request?

Answer 27

If the action is allowed in the permissions policy, with no other policy denying it

Question 28

An _________ in any policy overrides any allows.

Answer 28

explicit deny

Question 29

If one or more of ________ policy types exists, they must all allow the request. Otherwise, it is ___________

Answer 29

1. Organizations’ SCP (Service Control Policies)
2. IAM Permissions boundary
3. Session Policy
   Implicitly denied

Question 30

What is Organizations’ SCP

Answer 30

AWS Organizations service control policy (SCP) defines the maximum permissions for account members of an organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.

Question 31

What is IAM Permission boundary

Answer 31

IAM Permission Boundary for AWS Entities is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to IAM entity. It does not grant permissions.

Question 32

An entity’s permissions boundary allows it to perform only the actions that are allowed by _______________

Answer 32

identity-based policies and its permissions boundaries.

Question 33

What is a Session Policy

Answer 33

A session policy is an inline permissions policy which users pass in the session when they assume the role.

Question 34

What is Federating existing users

Answer 34

If the users in your organization already have a way to be authenticated, such as by signing in to your corporate network, you don’t have to create separate IAM users for them. Instead, you can federate those user identities into AWS.

Question 35

How to Federate users when you have identities in your corporate directory that is compatible with Security Assertion Markup Language 2.0 (SAML2.0)

Answer 35

If your corporate directory is compatible with SAML 2.0, you can configure your corporate directory to provide single-sign on (SSO) access to the AWS Management Console for your users.

Question 36

How to Federate users when you have identities in your corporate directory that is NOT compatible with Security Assertion Markup Language 2.0 (SAML2.0)

Answer 36

If your corporate directory is not compatible with SAML 2.0, you can create an identity broker application to provide single-sign on (SSO) access to the AWS Management Console for your users.

Question 37

How to Federate users when you have identities if your corporate directory is Microsoft Active Directory?

Answer 37

If your corporate directory is Microsoft Active Directory, you can use AWS Directory Service to establish trust between your corporate directory and your AWS account.

Question 38

What are principal entities?

Answer 38

A principal entity is a person or application that is authenticated using an IAM entity (user or role)

Question 39

_________ is often referred to as authorization.

Answer 39

Access management

Question 40

You manage access in AWS by _________

Answer 40

creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources.

Question 41

What is a policy?

Answer 41

A policy is an AWS Object that , when associated to a

Question 42

_______ in the policies determine whether the request is allowed or denied.

Answer 42

Permissions

Question 43

IAM users are ________ in the service.

Answer 43

identities

Question 44

You give permissions to a user by creating an ________, which is a policy that is attached to the user or a group to which the user belongs

Answer 44

identity-based policy

Question 45

You can organize IAM users into _______

Answer 45

IAM groups

Question 46

________ don’t have permanent identities in your AWS account the way that IAM users do.

Answer 46

Federated users

Question 47

To assign permissions to federated users, you can create an entity referred to as a ______ and define permissions for that

Answer 47

role

Question 48

What are Identity-based policies

Answer 48

Identity-based policies are permissions policies (managed or inline) that you attach to an IAM identity, such as an IAM user, group, or role. They grant permissions to an identity.

Question 49

What are Resource-based policies

Answer 49

Resource-based policies are permissions policies (inline) that you attach to a resource such as an Amazon S3 bucket (bucket policies) or an IAM role trust policy. Resource-based policies grant permissions to the principal that is specified in the policy.

Question 50

What actions does Identity-based policies control

Answer 50

Identity-based policies control what actions the identity can perform, on which resources, and under what conditions

Question 51

What actions does Resource-based policies control

Answer 51

Resource-based policies control what actions a specified principal can perform on that resource and under what conditions.

Question 52

Identity-based policies can be further categorized:

Answer 52

1. Managed Policies

2. Inline Policies

Question 53

What are Managed Policies?

Answer 53

Standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account.

Question 54

Types of Managed Policies:

Answer 54

1. AWS Managed Policies

2. Customer Managed Policies

Question 55

What are AWS Managed Policies

Answer 55

Managed policies that are created and managed by AWS

Question 56

What are Customer managed policies

Answer 56

Managed policies that you create and manage in your AWS account

Question 57

What are Inline Policies?

Answer 57

Policies that you create and manage and that are embedded directly into a single user, group, or role. There is a strict 1:1 relationship between the entity and the policy.

Question 58

Resource-based policies are _______ policies, and there are no______ policies.

Answer 58

inline policies; managed resource-based

Question 59

To enable cross-account access, you can specify an entire account or IAM entities in another account as the ______in a resource-based policy.

Answer 59

principal

Question 60

The IAM service supports only one type of resource-based policy called a_____ , which is attached to an IAM ____

Answer 60

role trust policy; role

Question 61

IAM role is both _________ and ___________

Answer 61

an identity and a resource

Question 62

______ define which principal entities (accounts, users, roles, and federated users) can assume the role.

Answer 62

Trust policies

Question 63

ABAC Full form

Answer 63

Attribute-based access control (ABAC)

Question 64

What is ABAC for AWS?

Answer 64

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes.

Question 65

In AWS ABAC, these attributes are called _______

Answer 65

tags

Question 66

How ABAC Policies allow operations?

Answer 66

The ABAC policies can be designed to allow operations when the principal’s tag matches the resource tag.

Question 67

RBAC Stands for

Answer 67

role-based access control

Question 68

The traditional authorization model used in IAM is called _________

Answer 68

role-based access control (RBAC).

Question 69

______ defines permissions based on a person’s job function, known outside of AWS as a _____.

Answer 69

RBAC ; role

Question 70

What is disadvantage to using the traditional RBAC model

Answer 70

The disadvantage to using the traditional RBAC model is that when employees add new resources, you must update policies to allow access to those resources.

Question 71

Advantages of ABAC model over RBAC model

Answer 71

1. ABAC Permissions scale with innovation.
2. ABAC requires fewer permissions
3. Using ABAC, teams can change quickly
   4, Granular permissions are possible with ABAC
4. Use employee attributes (metadata on tags) from your corporate directory with ABAC

Question 72

How ABAC permissions scale with innovation

Answer 72

It’s no longer necessary for an administrator to update existing policies to allow access to new resources - rather new resources are updated with tags.

Question 73

AWS enables temporary access through _______ with your corporate directory.

Answer 73

identity federation

Question 74

Each IAM user is associated with ______ AWS accounts

Answer 74

only one

Question 75

To change a user’s name or path, you must use the __________ . There is no option in the ______to rename a user

Answer 75

AWS CLI, Tools for Windows PowerShell, or AWS API; Console

Question 76

IAM __________ reviews your AWS________ and generates a policy template that contains the permissions that have been used by the entity in your specified date range.

Answer 76

Access Analyzer; CloudTrail logs

Question 77

________ are long-term credentials for an IAM user or the AWS account root user.

Answer 77

Access keys

Question 78

You can have a maximum of ____ access keys.

Answer 78

two

Question 79

The account password policy does not apply to the _______ credentials.

Answer 79

root user

Question 80

What is a credential report

Answer 80

You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices.

Question 81

A role does not have ________ credentials

Answer 81

standard long-term

Question 82

When you assume a role, it provides you with __________ for your role session.

Answer 82

temporary security credentials

Question 83

An IAM role has some similarities to an ______

Answer 83

IAM user

Question 84

Instead of being uniquely associated with one person, a role is intended to be ___________

Answer 84

assumable by anyone who needs it

Question 85

What is AWS service role

Answer 85

A role that a service assumes to perform actions on your behalf

Question 86

You must define a _____ for the service to assume.

Answer 86

role

Question 87

Service roles provide access only within your account and cannot be used to grant _______

Answer 87

access to services in other accounts.

Question 88

________ is a special type of service role that an application running on an Amazon EC2 instance can assume to perform actions in your account

Answer 88

AWS service role for an EC2 instance

Question 89

AWS service role for an EC2 instance is assigned when ___________

Answer 89

EC2 instance is launched.

Question 90

With AWS Service role for an EC2 instance, an application can __________

Answer 90

retrieve temporary security credentials to perform actions that the role allows.

Question 91

What is AWS service-linked role

Answer 91

A unique type of service role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.

Question 92

service role vs service-linked role

Answer 92

Service role- You must define the role a service must assume (dev, admin etc)
Service-linked role- service-linked roles are pre-defined by the service.

Question 93

Role chaining

Answer 93

Role chaining occurs when you use a role to assume a second role through AWS CLI or API

Question 94

Role chaining example

Answer 94

1. User1 assumes Role-A and Role-B
2. Role-A assumes Role-B
3. User1 assumes Role-A by using User1’s long term credentials and Role-A returns Role-A short term credentials.
4. To engage in role-chaining. User1 uses Role-A’s short -term credentials to assume Role-B

Question 95

How do a user enable/engage role-chaining when assuming a role?

Answer 95

When a user assumes a role, the user can pass the session tag and set the tag to ‘Transitive’. These transitive session tags are passed to all subsequent sessions in a role chain.

Question 96

Role chaining limits you AWS CLI or API role session to _______

Answer 96

Maximum of one hour.

Question 97

What happens if you assume a role using role chaining and provide DurationSeconds Parameter value to greater than one hour?

Answer 97

The operation fails.

Question 98

What is delegation?

Answer 98

The granting of permissions to someone to allow access to resources that you control.

Question 99

Delegation involves setting up __________

Answer 99

Trust between two accounts.

Question 100

In delegation, the trusted and trusting accounts can any one of the following:

Answer 100

1. Both belong to the same account
2. Both belong to same organization
3. Two accounts owned by two different organizations.

Question 101

To delegate permissions to access a resource, you need to setup a IAM role in trusting account with _________ and __________ policies attached.

Answer 101

Permission policy and trust policy

Question 102

What is permission policy?

Answer 102

Permission policy grants the user of the role the needed permissions to carryout the intended tasks on the resource.

Question 103

What is trust policy?

Answer 103

Trusted policy defines which trusted account members are allowed to assume the role

Question 104

When you create a trust policy, you cannot specify * as a ____________

Answer 104

principal.

Question 105

__________ policy is attached to the trusting account and _____ policy is attached to the trusted account

Answer 105

Trust policy, Permissions policy

Question 106

How does delegation happen once the role is ready to be assumed.

Answer 106

The user assuming a role, temporarily gives up their permissions and instead takes on the permissions from their role. When the user exits and stops using the role, the original permissions are restored.

Question 107

In delegation, __________ parameter helps with the secure use of roles between accounts that are not controlled by the same organizations

Answer 107

externalID

Question 108

Users can sign in to a web identity provider, such as Login with Amazon, Facebook, Google, or any IdP that is compatible with ____________

Answer 108

OpenID Connect (OIDC)

Question 109

A role trust policy is a required _____________ that is attached to a role in IAM

Answer 109

resource-based policy

Question 110

________ are the primary way to grant cross-account access.

However, some AWS services allow you to attach a ______ directly to a resource and are called ____________, and you can use them to grant principals in another AWS account access to the resource.

Answer 110

Roles
Policy
resource-based policies

Question 111

With a resource that is accessed through a ___________, the principal still works in the trusted account and does not have to give up his or her permissions to receive the role permissions.

Answer 111

resource-based policy

Question 112

You can use the_________ to create and provide trusted users with temporary security credentials that can control access to your AWS resources.

Answer 112

AWS Security Token Service (AWS STS)

Question 113

What are the advantages of using Temporary security credentials?

Answer 113

1. You don’t have to distribute or embed long-term security credentials within an application.
2. You can provide access to your aws resources to users without having to define an identity for them.
3. You don’t have to rotate or explicitly rotate the credentials as they expire automatically for a specific period.

Question 114

Temporary credentials are the basis for _______ and ________ identities

Answer 114

roles and identity federation.

Question 115

By default, AWS STS is a ____ service with a ______ at https://sts.amazonaws.com.

Answer 115

global; single endpoint

Question 116

Temporary credentials are useful in scenarios that involve ___________

Answer 116

identity federation, delegation, cross-account access, and IAM roles.

Question 117

AWS recommends using _______ AWS STS endpoints instead of the global endpoint to ____________

Answer 117

Regional; reduce latency, build in redundancy, and increase session token validity.

Question 118

IAM and AWS STS are integrated with AWS _____, a service that provides a record of actions taken by an IAM user or role.

Answer 118

CloudTrail

Question 119

If you create a trail, you can enable continuous delivery of CloudTrail events to an ________

Answer 119

Amazon S3 bucket.

Question 120

If you don’t configure a trail, you can still view the most recent events in the CloudTrail console in _________

Answer 120

Event history.

Question 121

Types of policies:

Answer 121

6 types of policies

1. Identity Based Policies
2. Resource based policies
3. Permissions boundaries
4. Organizations’ SCP - Service Control Policy
5. ACLs
6. Session Policies

Question 122

Permissions boundaries do not define the maximum permissions that a _________ can grant to an entity.

Answer 122

resource-based policy

Question 123

What are ACLs?

Answer 123

ACLs control which principals in other accounts can access the resource to which the ACL is attached.

Question 124

ACLs are similar to _________ policies

Answer 124

resource-based

Question 125

____________ are the only policy type that does not use the JSON policy document structure.

Answer 125

ACLs

Question 126

When are ACLs used?

Answer 126

ACLs are cross-account permissions policies that grant permissions to the specified principal. ACLs cannot grant permissions to entities within the same account.

Question 127

What are session policies?

Answer 127

Pass advanced session policies when you use the AWS CLI or AWS API to assume a role or a federated user. Session policies limit permissions for a created session, but do not grant permissions.

Question 128

Session policies limit the permissions that the___________ grant to the session.

Answer 128

role or user’s identity-based policies