IAM

Question 1

What is an IAM policy?

Answer 1

A policy defines permissions that you can assign to a user, group, role or resource

Question 2

What is the resource in an IAM policy?

Answer 2

The resource is the AWS resource that the policy is taking affect for. For example, if you want to create access to an S3 bucket, the resource would be the specified bucket you want to access

Question 3

True or False: An AWS Account is a colelction of AWS Organizations

Answer 3

False. An AWS Organization is a collection of AWS Accounts

Question 4

What are Service Control Policies in AWS Organizations?

Answer 4

SCPs offer central control over the max available permissions for all accounts in an organization. They can be applied to an organization or an account and are used to restrict access

Question 5

True or False: A Service Control Policy defines what orgs and accounts can do

Answer 5

False. They should only be used to set LIMITS to what orgs and accs can do. They cannot grant permissions

Question 6

True or False: We can apply an Service Control Policy to the Management Account in the Root organization

Answer 6

False. Root account has full access, SCP does not change that

Question 7

We need to restrict certain actions within AWS based on criteria like IP addresses, resource tags, regions, etc. What can we do?

Answer 7

Add a condition on the IAM Policy

Question 8

True or False: When assuming a role, the user has to give up the original permissions

Answer 8

True

Question 9

What is an Identity-based policy?

Answer 9

It is a policy attached to a user, group of users or roles. These are different from a resource-based policy that is attached to an AWS resource

Question 10

What is an inline policy?

Answer 10

A policy that is attached directly to a user, group, role or resource. Resource-based policies are automatically inline policies

Question 11

What is a permission boundary?

Answer 11

It is a limitation of permissions on a managed policy. We can define all the permission that an entity MAY have, but not what it DOES have

Question 12

Does each Organization have a management account?

Answer 12

No. Only the root organization has the management (root) account

Question 13

What is AWS Identity Center?

Answer 13

It helps manage control of access to all of your AWS orgs and accounts

Question 14

We want to control access to SAML business applications, what AWS Service can we use?

Answer 14

AWS Identity Center

Question 15

What are the three AWS Directory Services

Answer 15

AWS Managed Microsoft AD, AD Connector, Simple AD

Question 16

We need to set up governance for multiple AWS accounts. What can we use?

Answer 16

AWS Control Tower

Question 17

You have 5 AWS Accounts that you manage using AWS Organizations. You want to restrict access to certain AWS services in each account. How should you do that?

Answer 17

AWS Organizations SCP