IAM

Question 1

What security control provides visibility for inventory and history of config changes?

Answer 1

Config

Question 2

What control allows you to see who is doing what, when, how, from where and what resources are affected?

Answer 2

CloudTrail - Audibility

Question 3

What security control provides controllability?

Answer 3

KMS, CloudHSm you get to control your keys and where to use them

Question 4

What provides Agility and quickly update security rules and patches in a repeatable and auditable manner?

Answer 4

CloudFormation

Question 5

What provides automation in helping deploy security updates?

Answer 5

OpsWorks, CodeDeploy

Question 6

How are IAM roles typically used?

Answer 6

Assigned to services to access other services but can also be assumed by IAM users

Question 7

What is the only thing power users don’t have access to?

Answer 7

IAM. They cannot make IAM changes

Question 8

What is the thing about customer managed poicies?

Answer 8

Exist only within 1 account, cannot share

Question 9

What are the size limits for IAM policies? Users, groups, roles

Answer 9

2kb for users, 5kb for groups, 10kb for roles. So don’t write overly long policies

Question 10

What is IAM Credentials Report?

Answer 10

A CSV with a details of all users, password last used, changed, MFA, access keys last used, rotated, which service used it, etc.

Question 11

What IAM permissions do you need for Credential Report?

Answer 11

iam:GenerateCredentialReport and iam:GetCredentialReport

Question 12

What is size limit of bucket policies?

Answer 12

20kb

Question 13

How are bucket policies useful?

Answer 13

To deny access to individual buckets without messing with IAM policies

Question 14

What happens if If IAM policy for a user is set to only READ to S3 bucket, but S3 bucket policy is added to a specific bucket to give that user DELETE permissions

Answer 14

that user WILL be allowed to delete objects. S3 bucket policy ADDS to IAM policy here

Question 15

What happens if If S3 bucket policy is set to “Deny all actions” for “All principals”,

Answer 15

nobody will be able to write or read to that bucket irrespective of IAM policies, not even root user. S3 bucket Deny All overrides everything here

Question 16

What happens if S3 bucket policy is set to “Deny all actions” for “All principals” followed by an “Allow all actions” for a specific user,

Answer 16

that user will NOT be able to do anything on S3. Explicit Deny ALWAYS trumps everything else, whether it is defined in IAM policy or S3 bucket policy!

Question 17

What happens if If an IAM policy has a “Deny read” for a bucket but one object inside that bucket is given Read access using S3 ACL

Answer 17

anyone WILL be able to access that object if using the S3 URL of the object (since the URL does not know anything about IAM users) but an IAM user will NOT be able to access it by clicking “Open” on console!

Question 18

What is the conflict resolution method for s3? 3 steps

Answer 18

1. Is there explicit deny anywhere? if so it’s denied
2. If there is no explicit deny, is there any ALLOW anywhere. If yes allows (only in same account)
3. If there is no explicit deny but no explicit allow either, it’s implict denied

Question 19

How can you enforce HTTPS-only on S3

Answer 19

adding a condition to bucket policy that Allows all first, followed by Deny with a Condition: Bool: “aws:SecureTransport”: false

Question 20

Is Cross Region Replication (CRR) is by default done over SS

Answer 20

Yes, do not need to set any bucket policies etc for it

Question 21

What does Cross Region Replication require?

Answer 21

both source and destination buckets have versioning enabled, and S3 should have permission to read and write objects on your behalf (using a policy in a role it creates)

Question 22

What happens if If OBJECT owner is not same as BUCKET owner

Answer 22

for CRR object owner needs to give bucket owner permission to read object using object ACL

Question 23

What does CRR require?

Answer 23

IAM role with permission to replicate objects in destination account

Question 24

What is possible in CRR configuration?

Answer 24

to change ownership of replica object to replica account owner → useful for putting CloudTrail logs to a secure account with locked down permissions ← Best Practice

Question 25

CRR replicates objects that are unencrypted, encrypted using SSE-S3, encrypted using SSE-KMS (but ONLY if you turn it on), object metadata, ACL updates, object tags, delete markers on current version

Answer 25

Yes

Question 26

What does CRR NOT replicate?

Answer 26

Older objects, objects encrypted with SSE-C, objects in source bucket where bucket owner does not have permission, specific versions of source objects (for security)

Question 27

What to keep in mind When restricting S3 to Cloudfront only using OAI

Answer 27

to “grant read permission to S3” in CF

Question 28

What’s the only region where CloudFront custom SSL certificates can be created?

Answer 28

us-east-1 only

Question 29

How to generate presigned S3 URL?

Answer 29

From CLI only:
aws s3 presign s3://<bucket>/filename --expires-in 300
Default expiry is 3600 sec</bucket>

Question 30

STS gives limited access to AWS using 3 methods

Answer 30

1. AD federation, users dont need to be IAM users, it is based on their AD credentials
2. Mobile app federation (FB/Google)
3. OTher AWS accounts

Question 31

What is federation?

Answer 31

Federation is joining users from one domain (IAM) to another domain (AD)

Question 32

What allows joining (sts)

Answer 32

Identity broker allows this joining (STS), using Identities stored in Identity Stores (Goog/FB/AD)

Question 33

What does federation process look like?

Answer 33

** Federation Process: User logs in to Identity Broker who first authenticates them against LDAP directory (AD), then contacts STS using GetFederation (IAM needs to be setup in advance with permissions to be allowed in STS in response to GetFederation) who gives it a token with 4 values- access key, secret access key, token and duration which is returned to user. User logs in to S3 using token, S3 validates this token against IAM permissions and grants access

Question 34

What is Cognito used for?

Answer 34

Web identity federation - it acts as Identity Broker between app and Web ID providers

Question 35

How does Cognito work?

Answer 35

Web ID providers like Meta (formerly FB) give a web token to logged in users, user gives that to Cognito who in exchange gives temp credentials mapped to an IAM role to access AWS services

Question 36

What are User Pools in Cognito?

Answer 36

a directory of user logins, either directly created login-passwords or via Web ID providers like Goog/FB. Successful auth generates JSON Web Tokens (JWT)

Question 37

What are Identity pools in Cognito?

Answer 37

create unique identity for a user and generates temp credentials with which users can access other AWS services like S3/Dynamo etc. Identity pools exchange JWT tokens and give temp token with IAM role

Question 38

What is difference between user pools and identity pools?

Answer 38

User pools are for authentication (identity verification). Identity pools are for authorization (access control).

Question 39

How to set up Cognito user pool?

Answer 39

Setting up Cognito User Pool- 1) create an “app client” 2) configure it with callback URL (where do users go after they are signed in), “authorization code grant” (code to be used by backend to verify auth), “implicit grant” (JWT token), and all OAuth options (this gives access to make API calls and also verification by phone/email); 3) give a domain name, 4) customize UI with your logo/branding; Done

Question 40

What does Cognito also allow?

Answer 40

creating Groups with specific IAM roles and add users to that group

Question 41

What is difference between Glacier Archieve and Vault?

Answer 41

Archive = single or multiple files in zip/tar format; Vault = container storing 1 or more archives

Question 42

Are vault lock policies applied to individual archives or all archives within a vault?

Answer 42

All archieves within a vault

Question 43

How long do you have to change vault lock policy?

Answer 43

Get 24 hours to validate vault lock policy and abort if needed, after 24 hours CANNOT change the policy forever!

Question 44

Where do SCPs (Service Control Policies) apply to?

Answer 44

Organizational Units (OU) or individual account level

Question 45

Can OU be one account or also multiple?

Answer 45

Can also be one

Question 46

What do SCP rules apply to?

Answer 46

All accounts under an OU, including to root user of child accounts. Be careful not to lock them out