IAM

Question 1

IAM?

Answer 1

+ Identity and Access Management
+ It is a GLOBAl service in AWS.

(page 40)

Question 2

Root User?

Answer 2

The Principal User that is created by default with an account of AWS, has all rights to work with AIM and AWS.

(page 40)

Question 3

Users?

Answer 3

Logical entities that represent users in the organization, and must be created with the Root user.
They can whether or not be grouped.
They can whether or not belong to a group.

(page 40)

Question 4

Group?

Answer 4

A logical entity that only contains users.

page 40

Question 5

User or Groups?

Answer 5

Can be assigned permissions through a JSON Document called Policies.

(page 41)

Question 6

Policy?

Answer 6

Define the permission of users

(page 41)

Question 7

Least Privilege Principle?

Answer 7

Don’t GRANT more than the user needs, whith leastet permissions as possible.

(page 41)

Question 8

INLINE Policy?

Answer 8

A policy assigned to a User that has no group.

page 42

Question 9

Parts of Policy (JSON Doc)?

Answer 9

1. Version. Date of the policy
2. ID. Custom and unique name.
3. Statment. Individual statements of the policy

(page 43)

Question 10

Statement Policy?

Answer 10

1. SID. Id of the statement
2. Effect. How the policy works: Allow or Deny
3. Principal. account, user, or role to which this policy is applied.
4. Action. List of features in the service that the policy is in effect.
5. Resource. The list of resources (user or role) on which the policy is in effect.
6. Condition. Condition from where the policy is in effect.

(Page 43)

Question 11

IAM Password Policy?

Answer 11

Set of rule that defines how IAM password must be created and Handled.

(Page 44)

Question 12

MFA?

Answer 12

+ Multi-Factor Authentication
+ The mechanism which complements the password of an account with a security device

(Page 45)

Question 13

Virtual MFA Device?

Answer 13

Authenticate APP installed on a Mobile Device

Question 14

Security key?

Answer 14

Authenticate by touching a security hardware key

Question 15

Three way to access to AWS?

Answer 15

+ AWS Management Console.
+ AWS Command Line Interface (CLI)
+ SKK / API.

Question 16

In which access type is used Password and MFA?

Answer 16

AWS Management Console

Question 17

In which access type are used Secret Key?

Answer 17

AWS CLI and AWS SDKs?

Question 18

Of What are comformed Access Key?

Answer 18

1. Access Key ID that is like a Username.
2. Secret Access Key that use like a Password.

(Page 48)

Question 19

How to configure AWS CLI?

Answer 19

$ aws configure

Question 20

How to list all the IAM user iin AWS CLI?

Answer 20

$ aws iam list-users

Question 21

IAM Role Services?

Answer 21

+ Specifis permissions that can be asign to an entity like AWS Services
+ The credentials are temporary.

(Page 52)

Question 22

IAM Credential Repot and IAM Access Advisor are part of?

Answer 22

IAM Security Tools

Page 53

Question 23

Which is the level of IAM Credentials Report?

Answer 23

Account Level

Shows all the users and their status credentials

(Page 53)

Question 24

Which is the level of IAM Access Advisor?

Answer 24

User Level

Shows the detail of the user permissions and when the credential has been accessed.

(Page 53)

Question 25

Best Practices of IAM?

Answer 25

1. Don't Use Root User except for Setting Up. 2. One AWS Account = One Physical User 3. User Groups 4. User Strong Password Policies. 5. User Multi Factor Authentication (MFA) 6. Create Roles for AWS Services. 7. Create Access Permitions for CLI and SDK 8. Audit Permitions with IAM Credential Reports (Page 54)

Question 26

Shared Responsibility Model for IAM

Answer 26

AWS. Is responsibiliy of the infrastructure and its local security YOU: Are responsibility of applying all the best practicing. (Page 55)

Question 27

User?

Answer 27

A mapped physical User, has a passwor for AWS Console. | Page 56

Question 28

Groups?

Answer 28

Contains users. | Page 56

Question 29

Policies

Answer 29

Permissions for users and groups, on a JSON document. | Page 56

Question 30

Security?

Answer 30

Password Policy + MFA | Page 56

Question 31

AWS CLI?

Answer 31

Command Line Interface for AWS which use Access Key. | Page 56

Question 32

AWS SDK?

Answer 32

Sottware Developer Kit for manage AWS Services and uses Secret Keys. (Page 56)

Question 33

Secret Keys?

Answer 33

Access Key ID ~= ID Secret Access Key ~= Password (Page 56)

Question 34

Audit?

Answer 34

``` Credential Reports (Account Level) IAM Access Advisor (User Level) ``` (Page 56)

Question 35

Roles?

Answer 35

For EC2 instances or AWS Services | Page 56

Question 36

In this Policy, what is the function of the **Condition** element? ```json { "Version": "2012-10-17", "Id": "cd3ad3d9-2776-4ef1-a904-4c229d1642ee" "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::BUCKET-NAME", "Condition": {"StringLike": {"s3:prefix": [ "", "home/", "home/${aws:username}/" ] } ] } ```

Answer 36

Lets you specify conditions for when a policy is in effect ## Footnote https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html

Question 37

In this Policy, what is the function of the **Action** element? ```json { "Version": "2012-10-17", "Id": "cd3ad3d9-2776-4ef1-a904-4c229d1642ee" "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::BUCKET-NAME", "Condition": {"StringLike": {"s3:prefix": [ "", "home/", "home/${aws:username}/" ] } ] } ```

Answer 37

Define what services will be afected **Effect** element (Allow/Deny). | https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elem

Question 38

In this Policy, what is the function of the **Effect** element? ```json { "Version": "2012-10-17", "Id": "cd3ad3d9-2776-4ef1-a904-4c229d1642ee" "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::BUCKET-NAME", "Condition": {"StringLike": {"s3:prefix": [ "", "home/", "home/${aws:username}/" ] } ] } ```

Answer 38

The Effect element is required and specifies whether the statement results in an allow or an explicit deny. Valid values for Effect are **Allow** and **Deny**. | https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elem

Question 39

In this Policy, what is the function of the **Resource** element? ```json { "Version": "2012-10-17", "Id": "cd3ad3d9-2776-4ef1-a904-4c229d1642ee" "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::BUCKET-NAME", "Condition": {"StringLike": {"s3:prefix": [ "", "home/", "home/${aws:username}/" ] } ] } ```

Answer 39

he Resource element specifies the object or objects that the statement covers. | https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elem

Question 40

What is the fucntion of **Principal**, in a statement Policy?

Answer 40

Use the **Principal** element in a resource-based JSON policy to specify the principal that is allowed or denied access to a resource. ```json "Principal": { "AWS": "arn:aws:iam::123456789012:root" } ``` | https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elem