IAM Flashcards

1
Q

What security control provides visibility for inventory and history of config changes?

A

Config

2
Q

What control allows you to see who is doing what, when, how, from where and what resources are affected?

A

CloudTrail - Auditability

3
Q

What security control provides controllability?

A

KMS, CloudHSM: you get to control your keys and where they are used

4
Q

What provides agility, letting you quickly update security rules and patches in a repeatable and auditable manner?

A

CloudFormation

5
Q

What provides automation in helping deploy security updates?

A

OpsWorks, CodeDeploy

6
Q

How are IAM roles typically used?

A

Assigned to services to access other services, but they can also be assumed by IAM users

7
Q

What is the only thing power users don’t have access to?

A

IAM. They cannot make IAM changes

8
Q

What is notable about customer managed policies?

A

They exist only within one account and cannot be shared

9
Q

What are the size limits for IAM policies attached to users, groups, and roles?

A

2kb for users, 5kb for groups, 10kb for roles. So don’t write overly long policies

10
Q

What is the IAM Credentials Report?

A

A CSV with details of all users: password last used and last changed, MFA status, access keys last used and rotated, which service used them, etc.

11
Q

What IAM permissions do you need for the Credential Report?

A

iam:GenerateCredentialReport and iam:GetCredentialReport

12
Q

What is the size limit of bucket policies?

A

20kb

13
Q

How are bucket policies useful?

A

To deny access to individual buckets without touching IAM policies

14
Q

What happens if the IAM policy for a user is set to only READ on an S3 bucket, but an S3 bucket policy is added to that specific bucket giving the user DELETE permissions?

A

That user WILL be allowed to delete objects. The S3 bucket policy ADDS to the IAM policy here

15
Q

What happens if an S3 bucket policy is set to “Deny all actions” for “All principals”?

A

Nobody will be able to write to or read from that bucket irrespective of IAM policies, not even the root user. The S3 bucket Deny All overrides everything here

16
Q

What happens if an S3 bucket policy is set to “Deny all actions” for “All principals”, followed by an “Allow all actions” for a specific user?

A

That user will NOT be able to do anything on S3. An explicit Deny ALWAYS trumps everything else, whether it is defined in an IAM policy or an S3 bucket policy!

17
Q

What happens if an IAM policy has a “Deny read” for a bucket, but one object inside that bucket is given Read access using an S3 ACL?

A

Anyone WILL be able to access that object using the S3 URL of the object (since the URL does not know anything about IAM users), but an IAM user will NOT be able to access it by clicking “Open” in the console!

18
Q

What is the conflict resolution method for S3? (3 steps)

A
  1. Is there an explicit deny anywhere? If so, it’s denied
  2. If there is no explicit deny, is there an ALLOW anywhere? If yes, it’s allowed (only in the same account)
  3. If there is no explicit deny but no explicit allow either, it’s implicitly denied
19
Q

How can you enforce HTTPS-only on S3?

A

Add a bucket policy that Allows all first, followed by a Deny with the condition Bool: “aws:SecureTransport”: false

20
Q

Is Cross Region Replication (CRR) done over SSL by default?

A

Yes, you do not need to set any bucket policies etc. for it

21
Q

What does Cross Region Replication require?

A

Both source and destination buckets must have versioning enabled, and S3 must have permission to read and write objects on your behalf (using a policy in a role it creates)

22
Q

What happens if the OBJECT owner is not the same as the BUCKET owner?

A

For CRR, the object owner needs to give the bucket owner permission to read the object using the object ACL

23
Q

What does CRR require?

A

An IAM role with permission to replicate objects in the destination account

24
Q

What is possible in CRR configuration?

A

To change ownership of the replica object to the replica account owner → useful for putting CloudTrail logs into a secure account with locked-down permissions ← Best Practice

25
Q

Does CRR replicate objects that are unencrypted, encrypted using SSE-S3, encrypted using SSE-KMS (but ONLY if you turn it on), object metadata, ACL updates, object tags, and delete markers on the current version?

A

Yes

26
Q

What does CRR NOT replicate?

A

Older objects, objects encrypted with SSE-C, objects in the source bucket for which the bucket owner does not have permission, and specific versions of source objects (for security)

27
Q

What should you keep in mind when restricting S3 to CloudFront only using an OAI?

A

To “grant read permission to S3” in CloudFront

28
Q

What’s the only region where CloudFront custom SSL certificates can be created?

A

us-east-1 only

29
Q

How do you generate a presigned S3 URL?

A

From the CLI only:
aws s3 presign s3://<bucket>/filename --expires-in 300
Default expiry is 3600 sec

30
Q

STS gives limited access to AWS using which 3 methods?

A
  1. AD federation: users don’t need to be IAM users, access is based on their AD credentials
  2. Mobile app federation (FB/Google)
  3. Other AWS accounts
31
Q

What is federation?

A

Federation is joining users from one domain (IAM) to another domain (AD)

32
Q

What allows this joining (STS)?

A

An identity broker allows this joining (via STS), using identities stored in identity stores (Google/FB/AD)

33
Q

What does the federation process look like?

A

Federation process: the user logs in to the Identity Broker, which first authenticates them against the LDAP directory (AD), then contacts STS using GetFederationToken (IAM needs to be set up in advance with the permissions to be granted via STS in response to GetFederationToken). STS returns a token with 4 values (access key, secret access key, session token and duration), which is passed back to the user. The user logs in to S3 using the token; S3 validates this token against the IAM permissions and grants access

34
Q

What is Cognito used for?

A

Web identity federation: it acts as the identity broker between the app and web ID providers

35
Q

How does Cognito work?

A

Web ID providers like Meta (formerly FB) give a web token to logged-in users; the user gives that to Cognito, which in exchange gives temp credentials mapped to an IAM role to access AWS services

36
Q

What are User Pools in Cognito?

A

A directory of user logins, either directly created login/passwords or via web ID providers like Google/FB. Successful auth generates JSON Web Tokens (JWT)

37
Q

What are Identity pools in Cognito?

A

Create a unique identity for a user and generate temp credentials with which users can access other AWS services like S3/DynamoDB etc. Identity pools exchange JWT tokens and give a temp token tied to an IAM role

38
Q

What is the difference between user pools and identity pools?

A

User pools are for authentication (identity verification). Identity pools are for authorization (access control).

39
Q

How do you set up a Cognito user pool?

A

Setting up a Cognito User Pool:
  1. Create an “app client”
  2. Configure it with a callback URL (where users go after they are signed in), “authorization code grant” (code to be used by the backend to verify auth), “implicit grant” (JWT token), and all OAuth options (this gives access to make API calls and also verification by phone/email)
  3. Give it a domain name
  4. Customize the UI with your logo/branding; done

40
Q

What else does Cognito allow?

A

Creating groups with specific IAM roles and adding users to those groups

41
Q

What is the difference between a Glacier Archive and a Vault?

A

Archive = single or multiple files in zip/tar format; Vault = container storing 1 or more archives

42
Q

Are vault lock policies applied to individual archives or all archives within a vault?

A

All archives within a vault

43
Q

How long do you have to change a vault lock policy?

A

You get 24 hours to validate the vault lock policy and abort if needed; after 24 hours you CANNOT change the policy, ever!

44
Q

Where do SCPs (Service Control Policies) apply?

A

Organizational Units (OU) or individual account level

45
Q

Can an OU be one account, or must it be multiple?

A

It can also be a single account

46
Q

What do SCP rules apply to?

A

All accounts under an OU, including the root user of child accounts. Be careful not to lock them out