IAM

Question 1

What does an IAM identity represent?

Answer 1

• User

- Role

Question 2

What is an IAM role?

Answer 2

An IAM role is an identity that can be temporarily assigned to an application, service, user, or group.

Question 3

Can users or applications without AWS accounts be authenticated and given temporary access to AWS resources?

Answer 3

Yes, through federation with an external service, such as Kerberos, AD, or LDAP.

Question 4

How are identities pricisely controlled to access specific AWS resources?

Answer 4

By attaching policies.

Question 5

What the two ways to attach IAM policies?

Answer 5

• To IAM identity (identity-based policy)

- To resource (resource-based policy)

Question 6

What does the IAM Policy look like?

Answer 6

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["*"],
"Resource": ["*"]
}
]
}

Question 7

How does IAM Policy work?

Answer 7

• Any action that’s not explicited allowed by a policy will be denied.
• “Deny” policy always wins when there’s a conflict.

Question 8

What is a IAM group?

Answer 8

IAM group helps to manage policies for a group of IAM users.

Question 9

What happens when a trusted entity assumes a role?

Answer 9

AWS issues it a time-limited security token using the AWS Security Token Service (STS)?

Question 10

What are two important functions of Amazon Cognito?

Answer 10

• User pool (add user sign-up and sign-in to your application)
• Identity pool (give application users temporary, controlled access to other services in your AWS account)

Question 11

How to integrate with AD on-premise in AWS?

Answer 11

Use AWS Directory Service.

The goal is to apply Active Directory domains to compatible applications running in your VPC.

Question 12

What is AWS Organizations?

Answer 12

AWS Organizations can manage policy-based controls across multiple AWS accounts.

Question 13

What is AWS Secrets Manager?

Answer 13

AWS Secrets Manager manages passwords and 3rd party API keys and deliver them to applications on request.

The manager will even automatically take care of credential rotation.

Question 14

What is AWS CloudHSM?

Answer 14

CloudHSM provides a encryption-key management service that’s similar to AWS KMS, but can meet certain compliance requirements (e.g. FIBS 140-2).

Question 15

What is the best practice with AWS root account?

Answer 15

• Lock down root user

- Delegate day-to-day tasks to specially defined users

Question 16

What is the usage of X.509 certificate in the context of IAM?

Answer 16

X.509 certificate is used to encrypt SOAP requests, not authentication.

Question 17

Does IAM role use access key?

Answer 17

No, only IAM user and root user use.

Question 18

How AWS Organization organize accounts?

Answer 18

• Organization Root

- Organizational Unit (OU)

Question 19

What features does AWS Organization provide?

Answer 19

• Consolidated Billing

- Consolidation of reservations and volume discounts