IAM

Question 1

By default, all requests are implcitly allowed.

True or False?

Answer 1

False.

By default, all requests are implicitly denied. (Alternatively, by default, the AWS account root user has full access.)

Question 2

In simple terms. What is the Policy evaluation logic to determine whether a request is allowed or denied within an account?

Answer 2

1. Explicit DENY has top priority
2. Explicit ALLOW
3. Implicit DENY

Question 3

What are the types of identity-based policies?

Answer 3

1. Managed policies – Standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. There are two types of managed policies:
   1a. AWS managed policies – Managed policies that are created and managed by AWS.
   1b. Customer managed policies – Managed policies that you create and manage in your AWS account. Customer managed policies provide more precise control over your policies than AWS managed policies.
2. Inline policies – Policies that you add directly to a single user, group, or role. Inline policies maintain a strict one-to-one relationship between a policy and an identity. They are deleted when you delete the identity.

Question 4

What are IAM users?

Answer 4

IAM Users are an identity used for anything requiring long-term AWS access e.g humans, apps or service accounts

Question 5

What is a principal?

Answer 5

Is an entity trying to access an AWS account (individual people, computers, services or a group of them)

Question 6

How can IAM authentication be achieved?

Answer 6

1. Through username and passwords (for individual people)

2. Access keys (apps, command line tools, etc.)

Question 7

How many IAM users per account you can have?

Answer 7

5,000 IAM users per account

Question 8

How many groups an IAM users can be a member of?

Answer 8

10 groups max per IAM user

Question 9

Can you log in to IAM Groups?

Answer 9

No. IAM groups have no credentials of their own

Question 10

Can an IAM user be member of multiple groups?

Answer 10

Yes

Question 11

Can you attach policies to IAM Groups?

Answer 11

Yes

Question 12

What type of policies can be attached to IAM groups?

Answer 12

Inline and Managed

Question 13

What is the limit of IAM users for a single IAM group?

Answer 13

There is no effective limit

Question 14

What is the name for the All-Users-Group inside IAM?

Answer 14

There is no built in All-Users-Group inside IAM

Question 15

How many nesting levels can you have in an IAM group?

Answer 15

There is no nesting available for IAM groups

Question 16

What is the amount of IAM groups limit per account?

Answer 16

300 groups per account (can be increased through support ticket)

Question 17

Can groups be referenced in a policy?

Answer 17

No. Groups are not a true identity. They cannot be referenced as a principal in a policy.

Question 18

What types of policies can be attached to an IAM role?

Answer 18

Trust Policy and Permissions Policy

Question 19

What is the function of the STS service?

Answer 19

AWS provides AWS Security Token Service (AWS STS) as a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users you authenticate (federated users).

Question 20

What operation is used by STS to have a user assume a role and get the credentials?

Answer 20

sts:AssumeRole

Question 21

When to use IAM roles?

Answer 21

1. For AWS services
2. When temporary credentials are needed
3. When the number of principals is unknown or more than 5000
4. Emergency or unusual situations
5. Allow external identities access

Question 22

Can external accounts access AWS resources directly?

Answer 22

No

Question 23

What are AWS Organizations used for?

Answer 23

Allows large businesses to manage multiple AWS accounts with little management overhead. Using AWS Organizations, you can programmatically create new AWS accounts and allocate resources, group accounts to organize your workflows, apply policies to accounts or groups for governance, and simplify billing by using a single payment method for all of your accounts.

Question 24

What is AWS SCP? What it is used for?

Answer 24

AWS Service Control Policies. Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines.

Question 25

Can you restrict the Management Account with an SCP?

Answer 25

No

Question 26

Do SCPs grant permissions?

Answer 26

No. SCPs only create boundaries/llimits for accounts permissions.

Question 27

What is Role Switching?

Answer 27

Assuming a Role in another AWS account to access that account via the console UI.