IAM Flashcards

1
Q

An organization is planning to create a user with IAM. They are trying to understand the limitations of IAM so that they can plan accordingly. Which of the below-mentioned statements is not true with respect to the limitations of IAM?

  • One IAM user can be a part of a maximum of 5 groups
  • Organization can create 100 groups per AWS account
  • One AWS account can have a maximum of 5000 IAM users
  • One AWS account can have 250 roles
A
  • One IAM user can be a part of a maximum of 5 groups
2
Q

You need to set up a security certificate for a client’s e-commerce website as it will use the HTTPS protocol. Which of the below AWS services do you need to access to manage your SSL server certificate?

A. AWS Directory Service
B. AWS Identity & Access Management
C. AWS CloudFormation
D. Amazon Route 53

A

B. AWS Identity & Access Management

AWS Identity and Access Management (IAM) is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS.
All your SSL server certificates are managed by AWS Identity and Access Management (IAM). Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/ManagingServerCerts.html

3
Q

Within the IAM service a GROUP is regarded as a:

  • A collection of AWS accounts
  • It’s the group of EC2 machines that gain the permissions specified in the GROUP.
  • There’s no GROUP in IAM, but only USERS and RESOURCES.
  • A collection of users.
A
  • A collection of users.
4
Q

In an IAM Policy, what does “Version”: “2012-10-17” do?

  • It is the version date the policy was last edited
  • It is the version date the policy was created
  • It is the version date of policy language
  • This is internal use only by Amazon, and only used when a policy is made by the IAM policy generator
A
  • It is the version date of policy language

The version statement is the version (though the version is denoted in date form) of the policy language for IAM. There are only 2 options currently, 2008-10-17 (the default) and 2012-10-17. If the version is not defined, IAM will use the 2008 version which does not include the more advanced language options such as policy variables. It is recommended to always state the latest version in your policies for all the latest features of the IAM language.

5
Q

What is the default maximum number of MFA devices in use per AWS account (at the root account level)?

1
20
12

A

1

6
Q

Which service enables AWS customers to manage users and permissions in AWS?

  • AWS Access Control Service (ACS)
  • AWS Identity and Access Management (IAM)
  • AWS Identity Manager (AIM)
A
  • AWS Identity and Access Management (IAM)
7
Q

What does the following policy for Amazon EC2 do?
{
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:Describe*",
    "Resource": "*"
  }]
}

A. Allow users to use actions that start with “Describe” over all the EC2 resources.
B. Share an AMI with a partner
C. Share an AMI within the account
D. Allow a group to only be able to describe, run, stop, start, and terminate instances

A

A. Allow users to use actions that start with “Describe” over all the EC2 resources.

8
Q

You log in to IAM on your AWS console and notice the following message. “Delete your root access keys.” Why do you think IAM is requesting this?

A. Because the root access keys will expire as soon as you log out.
B. Because the root access keys expire after 1 week.
C. Because the root access keys are the same for all users.
D. Because they provide unrestricted access to your AWS resource

A

D. Because they provide unrestricted access to your AWS resource

In AWS an access key is required in order to sign requests that you make using the command-line interface (CLI), using the AWS SDKs, or using direct API calls. Anyone who has the access key for your root account has unrestricted access to all the resources in your account, including billing information. One of the best ways to protect your account is to not have an access key for your root account. We recommend that unless you must have a root access key (this is very rare), that you do not generate one. Instead, AWS best practice is to create one or more AWS Identity and Access Management (IAM) users, give them the necessary permissions, and use IAM users for everyday interaction with AWS.
Reference: http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html#root-password

9
Q

When you use the AWS Management Console to delete an IAM user, IAM also deletes any signing certificates and any access keys belonging to the user.

FALSE
This is configurable
TRUE

A

TRUE

10
Q

An AWS customer is deploying an application that is composed of an Auto Scaling group of EC2 instances. The customer’s security policy requires that every outbound connection from these instances to any other service within the customer’s Virtual Private Cloud must be authenticated using a unique x.509 certificate that contains the specific instance-id. In addition, the x.509 certificate must be signed by the customer’s Key management service in order to be trusted for authentication. Which of the following configurations will support these requirements?

  • Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure the Auto Scaling group to launch instances with this role. Have the instances bootstrap get the certificate from Amazon S3 upon first boot.
  • Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group. Have the launched instances generate a certificate signature request with the instance’s assigned instance-id to the Key management service for signature.
  • Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the Key management service generate a signed certificate and send it directly to the newly launched instance.
  • Configure the launched instances to generate a new certificate upon first boot. Have the Key management service poll the AutoScaling group for associated instances and send new instances a certificate signature that contains the specific instance-id.
A
  • Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the Key management service generate a signed certificate and send it directly to the newly launched instance.
11
Q

What happens to the security permissions of a tenant when an IAM role is granted? (Select two)

  • tenant inherits only permissions assigned to the IAM role temporarily
  • add security permissions of the IAM role to existing permissions
  • previous security permissions are no longer in effect
  • previous security permissions are deleted unless reconfigured
  • tenant inherits only read permissions assigned to the IAM role
A
  • tenant inherits only permissions assigned to the IAM role temporarily
  • previous security permissions are no longer in effect
12
Q

You are setting up some IAM user policies and have also become aware that some services support resource-based permissions, which let you attach policies to the service’s resources instead of to IAM users or groups. Which of the below statements is true in regards to resource-level permissions?

A. All services support resource-level permissions for all actions.
B. Resource-level permissions are supported by Amazon CloudFront
C. All services support resource-level permissions only for some actions.
D. Some services support resource-level permissions only for some actions

A

D. Some services support resource-level permissions only for some actions

AWS Identity and Access Management is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS. The service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon RDS, and the AWS Management Console. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access.
In addition to supporting IAM user policies, some services support resource-based permissions, which let you attach policies to the service’s resources instead of to IAM users or groups. Resource-based permissions are supported by Amazon S3, Amazon SNS, and Amazon SQS.
The resource-level permissions service supports IAM policies in which you can specify individual resources using Amazon Resource Names (ARNs) in the policy’s Resource element.
Some services support resource-level permissions only for some actions.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SpecificProducts.html

13
Q

IAM provides several policy templates you can use to automatically assign permissions to the groups you create. The _____ policy template gives the Admins group permission to access all account resources, except your AWS account information

  • Read Only Access
  • Power User Access
  • AWS Cloud Formation Read Only Access
  • Administrator Access
A
  • Administrator Access
14
Q

When you assume an IAM role, which of the following occurs? (Select 2)

  • You are granted temporary permissions based on the policy attached to the IAM Role
  • You are granted admin rights for the account you assume the role in
  • Permissions granted to your IAM user account are temporarily removed
  • You are granted temporary permissions based on the policy attached to the IAM Role while retaining your current permissions
A
  • You are granted temporary permissions based on the policy attached to the IAM Role
  • Permissions granted to your IAM user account are temporarily removed

When you assume an IAM role, you are granted the permissions specified in that Role’s attached policies. Any current permissions granted via policy, whether attached to your IAM User Account, a Group your account is a member of, or another Role you were utilizing, will be temporarily stripped away while the newly assumed Role is active. Once you return to your user account, you will lose the permissions granted by the role and your normal permissions will be restored.

15
Q

Every user you create in the IAM system starts with _________.

  • Partial permissions
  • Full permissions
  • No permissions
A
  • No permissions
16
Q

You would like to create an IAM policy that allows an action to be performed between 2am and 3am every day and deny the action outside of that time. What would be the best way for this to be accomplished?

  • This can be accomplished directly within the policy condition: block by using the “TimeGreaterThan” and “TimeLessThan” condition statements
  • The policy condition: block would define a range for that day using “DateGreaterThan” and “DateLessThan” statements. A lambda function would run daily to update the policy to change the date within the condition statement
  • The policy condition: block would define a range for that day using “TimeGreaterThan” and “TimeLessThan” statements, and a lambda function would run daily to update the policy to change the date/time within the condition statement
  • This cannot be done
A
  • The policy condition: block would define a range for that day using “DateGreaterThan” and “DateLessThan” statements. A lambda function would run daily to update the policy to change the date within the condition statement

The answer is “The policy condition: block would define a range for that day using “DateGreaterThan” and “DateLessThan” statements. A lambda function would run daily to update the policy to change the date within the condition statement”. The condition block does not have a TimeGreaterThan or TimeLessThan statement. Only DateGreaterThan and DateLessThan are supported. The date statement includes a time as well, but does not support a wildcard for the date. Because of this, the question at hand is not directly supported but could be accomplished with a Lambda function to modify the policy directly on a daily basis. This would restrict the actions to THAT DAY and between the times stated. Then each day, the policy would be updated to reflect the new date.

17
Q

What statement correctly describes IAM architecture?

  • IAM security is unified per region and replicated based on requirements for an AWS tenant account
  • IAM security is defined per region for roles only on an AWS tenant account
  • IAM security is globally unified across the AWS cloud for an AWS tenant account
  • IAM security is defined separately per region and cross-region security enabled for an AWS tenant account
A
  • IAM security is globally unified across the AWS cloud for an AWS tenant account
18
Q

If you are to create an IAM policy with a statement that only allows the action to take place after a certain date, what element would you need to place statements within?

  • Within the Effect: element
  • Within the Action: element
  • Within the Condition: element
  • None – You cannot do this with IAM
A
  • Within the Condition: element

Conditions are what would restrict or allow actions within a specific timeframe.

19
Q

Is there a limit to the number of groups you can have?

  • Yes for all users except root
  • No permissions
  • Yes unless special permission granted
  • Yes for all users
A

Yes for all users

20
Q

The _____ service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon SimpleDB, and the AWS Management Console.

  • Amazon RDS instance
  • AWS Integrity Management
  • AWS Identity and Access Management
  • Amazon EMR
A
  • AWS Identity and Access Management
21
Q

What two statements correctly describe how to add or modify IAM roles to a running EC2 instance?

  • attach an IAM role to an existing EC2 instance from the EC2 console
  • replace an IAM role attached to an existing EC2 instance from the EC2 console
  • attach an IAM role to the user account and relaunch the EC2 instance
  • add the EC2 instance to a group where the role is a member
A
  • attach an IAM role to an existing EC2 instance from the EC2 console
  • replace an IAM role attached to an existing EC2 instance from the EC2 console
22
Q

A company needs to deploy services to an AWS region that they have not previously used. The company currently has an AWS Identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instance to have access to Amazon DynamoDB. The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this?

  • Create a new IAM role and associated policies within the new region
  • Assign the existing IAM role to the Amazon EC2 instances in the new region
  • Copy the IAM role and associated policies to the new region and attach it to the instances
  • Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature
A
  • Assign the existing IAM role to the Amazon EC2 instances in the new region
23
Q

You are setting up a blog on AWS. In which of the following scenarios will you need AWS credentials? (Choose 3)

  • Sign in to the AWS management console to launch an Amazon EC2 instance
  • Sign in to the running instance to install some software
  • Launch an Amazon RDS instance
  • Log into your blog’s content management system to write a blog post
  • Post pictures to your blog on Amazon S3
A
  • Sign in to the AWS management console to launch an Amazon EC2 instance
  • Launch an Amazon RDS instance
  • Post pictures to your blog on Amazon S3
24
Q

Groups can’t _____.

  • be nested more than 3 levels
  • be nested at all
  • be nested more than 4 levels
  • be nested more than 2 levels
A
  • be nested at all
25
Q

An IAM role contains what Policies? (Choose 2)

  • Permission Policy
  • Resource Policy
  • Trust Policy
  • AssumeRole policy
A
  • Permission Policy
  • Trust Policy

Each role has 2 policies. A Permission policy is going to define what the Role can or cannot do (Authorization). A Trust policy will define who/what can assume the role (Principal).

26
Q

Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers

  • Create individual IAM users for everyone in your organization
  • Configure MFA on the root account and for privileged IAM users
  • Assign IAM users and groups configured with policies granting least privilege access
  • Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate
A
  • Configure MFA on the root account and for privileged IAM users
  • Assign IAM users and groups configured with policies granting least privilege access
27
Q

After creating a new IAM user which of the following must be done before they can successfully make API calls?

  • Add a password to the user.
  • Enable Multi-Factor Authentication for the user.
  • Assign a Password Policy to the user.
  • Create a set of Access Keys for the user
A

Create a set of Access Keys for the user

28
Q

An organization has created 50 IAM users. The organization has introduced a new policy which will change the access of an IAM user. How can the organization implement this effectively so that there is no need to apply the policy at the individual user level?

  • Use the IAM groups and add users as per their role to different groups and apply policy to group
  • The user can create a policy and apply it to multiple users in a single go with the AWS CLI
  • Add each user to the IAM role as per their organization role to achieve effective policy setup
  • Use the IAM role and implement access at the role level
A

Use the IAM groups and add users as per their role to different groups and apply policy to group

29
Q

What are the two policies for an IAM Role?

  • Trust & Execution
  • Invoke & Execution
  • Trust & Control
  • There is only one policy for a Role
A

Trust & Execution

Every Role has 2 policies associated; a Trust policy which defines who/what can assume the role, and an Execution policy which defines what the Role itself can do.

30
Q

What is the default maximum number of Access Keys per user?

A. 10
B. 15
C. 2
D. 20

A

C. 2

The default maximum number of Access Keys per user is 2.

Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html

31
Q

When assessing an organization’s use of AWS API access credentials, which of the following three credentials should be evaluated? Choose 3 answers

  • Key pairs
  • Console passwords
  • Access keys
  • Signing certificates
  • Security Group memberships
A
  • Console passwords
  • Access keys
  • Signing certificates
32
Q

You have many AWS accounts being managed. You wish to address IAM users and credentials. How is IAM authentication and authorization managed across accounts?

  • You will create Active Directory Domain Controllers in each account and setup AD Federation Services (ADFS)
  • Configure IAM users and groups in each AWS account and keep them in sync via scripts/automation
  • Utilize cross-account roles, addressing the authorization factor, while authentication does not need to be performed each time
  • Utilize a 3rd party specializing in IAM management across accounts
A

Utilize cross-account roles, addressing the authorization factor, while authentication does not need to be performed each time

Cross-account roles fulfill the need for controls across accounts. These accounts could all be part of the same Organization or not; it does not impact the ability to work with cross-account roles. “You will create Active Directory Domain Controllers in each account and setup AD Federation Services (ADFS)” does not play a role in IAM and is not a way to do this. Though technically speaking, “Configure IAM users and groups in each AWS account and keep them in sync via scripts/automation” works, it’s a management nightmare and each user would need to remember passwords and figure out a way to keep them in sync across accounts. “Configure IAM users and groups in each AWS account and keep them in sync via scripts/automation” would be considered an awful design. “Utilize a 3rd party specializing in IAM management across accounts” again could work, but is an expense that may not be worth it since this is designed to be done natively via roles. Nothing special is needed for this.

33
Q

You are a Solutions Architect at X Company. One of your clients is expanding their operations into multiple AWS regions around the world. The client has requested some advice on how to leverage their existing AWS Identity and Access Management (IAM) configuration in other AWS regions. What advice would you give to your client?

  • IAM is a regional service and the client will need to copy the configuration items required across to other AWS regions
  • IAM is a global service and the client can use users, groups, roles, and policies in any AWS region
  • The client can use Amazon Cognito to create a single sign-on configuration across multiple AWS regions
  • The client will need to create a VPC peering configuration with each remote AWS region and then allow IAM access across regions
A

IAM is a global service and the client can use users, groups, roles, and policies in any AWS region

Explanation: IAM is universal (global) and does not apply to regions, so you will use the same IAM configuration whether you use one or all regions. VPC peering is not required. Amazon Cognito is used for authentication with web and mobile apps; it is not required to make IAM work across regions.

34
Q

What does the following IAM policy do?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "NotAction": [
        "dynamodb:List*",
        "dynamodb:Describe*"
      ],
      "Resource": "arn:aws:dynamodb:::table/mytable"
    }
  ]
}

  • Allows all DynamoDB “List” and “Describe” actions to the table
  • Denies all DynamoDB “List” and “Describe” actions to the table
  • Denies all DynamoDB actions except all “List” and “Describe” actions to the table
  • Denies all AWS actions except all DynamoDB “List” and “Describe” actions to the table
A

Denies all AWS actions except all DynamoDB “List” and “Describe” actions to the table

Because this is a Deny statement, and the “NotAction” element is used, all AWS actions are denied EXCEPT all DynamoDB “List” actions and all DynamoDB “Describe” actions. “Allows all DynamoDB “List” and “Describe” actions to the table” is wrong because this statement is simply a deny; no allows are present. If an action is not denied it does not mean it’s allowed. AWS requires an explicit allow statement for an action to be allowed. “Denies all DynamoDB “List” and “Describe” actions to the table” is wrong because of the “NotAction” statement; “Denies all DynamoDB “List” and “Describe” actions to the table” would be correct if “Action” were used instead of “NotAction”. “Denies all DynamoDB actions except all “List” and “Describe” actions to the table” is wrong because the Deny effect, coupled with “NotAction”, means ALL AWS actions will be denied except the DynamoDB List and Describe actions; that option only mentions denying DynamoDB actions.

35
Q

An organization has created 50 IAM users. The organization wants each user to be able to change their password but not their access keys. How can the organization achieve this?

  • The organization has to create a special password policy and attach it to each user
  • The root account owner has to use CLI which forces each IAM user to change their password on first login
  • By default each IAM user can modify their passwords
  • Root account owner can set the policy from the IAM console under the password policy screen
A
  • Root account owner can set the policy from the IAM console under the password policy screen
36
Q

Your organization’s security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password. Which two of the following options would allow an organization to enforce this policy for AWS users? Choose 2 answers

  • Configure multi-factor authentication for privileged IAM users
  • Create IAM users for privileged accounts
  • Implement identity federation between your organization’s Identity provider leveraging the IAM Security Token Service
  • Enable the IAM single-use password policy option for privileged users
A
  • Configure multi-factor authentication for privileged IAM users
  • Create IAM users for privileged accounts
37
Q

You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each account’s bill to a Master AWS account using Consolidated Billing. To make sure you keep within budget you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal.

A. Create IAM users in the Master account with full Admin permission
B. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
C. Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
D. Create IAM users in the Master account Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access.
E. Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts

A

C. Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.

Bucket Owner Granting Cross-account Permission to Objects It Does Not Own
In this example scenario, you own a bucket and you have enabled other AWS accounts to upload objects. That is, your bucket can have objects that other AWS accounts own.
Now, suppose as a bucket owner, you need to grant cross-account permission on objects, regardless of who the owner is, to a user in another account. For example, that user could be a billing application that needs to access object metadata. There are two core issues:
  • The bucket owner has no permissions on those objects created by other AWS accounts. So for the bucket owner to grant permissions on objects it does not own, the object owner, the AWS account that created the objects, must first grant permission to the bucket owner. The bucket owner can then delegate those permissions.
  • The bucket owner account can delegate permissions to users in its own account, but it cannot delegate permissions to other AWS accounts, because cross-account delegation is not supported.
In this scenario, the bucket owner can create an AWS Identity and Access Management (IAM) role with permission to access objects, and grant another AWS account permission to assume the role, temporarily enabling it to access objects in the bucket.
Background: Cross-Account Permissions and Using IAM Roles
IAM roles enable several scenarios to delegate access to your resources, and cross-account access is one of the key scenarios. In this example, the bucket owner, Account A, uses an IAM role to temporarily delegate object access cross-account to users in another AWS account, Account C. Each IAM role you create has two policies attached to it:
  • A trust policy identifying another AWS account that can assume the role.
  • An access policy defining what permissions (for example, s3:GetObject) are allowed when someone assumes the role. For a list of permissions you can specify in a policy, see Specifying Permissions in a Policy.
The AWS account identified in the trust policy then grants its user permission to assume the role. The user can then do the following to access objects:
  • Assume the role and, in response, get temporary security credentials.
  • Using the temporary security credentials, access the objects in the bucket.
For more information about IAM roles, go to Roles (Delegation and Federation) in the IAM User Guide. The following is a summary of the walkthrough steps:
  • Account A administrator user attaches a bucket policy granting Account B conditional permission to upload objects.
  • Account A administrator creates an IAM role, establishing trust with Account C, so users in that account can access Account A. The access policy attached to the role limits what a user in Account C can do when the user accesses Account A.
  • Account B administrator uploads an object to the bucket owned by Account A, granting full-control permission to the bucket owner.
  • Account C administrator creates a user and attaches a user policy that allows the user to assume the role.
  • User in Account C first assumes the role, which returns the user temporary security credentials. Using those temporary credentials, the user then accesses objects in the bucket.
For this example, you need three accounts. The following table shows how we refer to these accounts and the administrator users in these accounts. Per IAM guidelines (see About Using an Administrator User to Create Resources and Grant Permissions) we do not use the account root credentials in this walkthrough. Instead, you create an administrator user in each account and use those credentials in creating resources and granting them permissions.

38
Q

An organization has 500 employees. The organization wants to set up AWS access for each department. Which of the below mentioned options is a possible solution?

  • Create IAM roles based on the permission and assign users to each role
  • Create IAM users and provide individual permission to each
  • Create IAM groups based on the permission and assign IAM users to the groups
  • It is not possible to manage more than 100 IAM users with AWS
A

Create IAM groups based on the permission and assign IAM users to the groups

39
Q

What are three recommended best practices when configuring Identity and Access Management (IAM) security services?

  • Lock or delete your root access keys when not required
  • IAM groups are not recommended for storage security
  • create an IAM user with administrator privileges
  • share your password and/or access keys with members of your group only
  • delete any AWS account where the access keys are unknown
A
  • Lock or delete your root access keys when not required
  • create an IAM user with administrator privileges
  • delete any AWS account where the access keys are unknown