IAM

Question 1

Which policies are attached to IAM identities (Users, User groups, or Roles) and grant permissions to an identity?

Answer 1

Identity-based policies

Question 2

What types of identity-based policies are there?

Answer 2

• Managed policies (customer-managed, aws-managed)
• Inline policies

Question 3

What type of identity-based managed policy is created and administered by you?

Answer 3

Customer-managed policy

Question 4

What type of identity-based managed policy is created and managed by AWS?
Hint: it has an ARN that includes the policy name.

Answer 4

AWS-managed policy

Question 5

What type of identity-based policy is created for a single IAM identity (a user, group, or role)?
Hint: it maintains a one-to-one relationship with the identity and is deleted when the identity is deleted.

Answer 5

Inline policy

Question 6

Which policies are attached to resources (such as an S3 bucket or an IAM role trust policy) and grant permissions to the principal specified in the policy (principals can be in the same account as the resource or in other accounts)?

Answer 6

Resource-based policies

Question 7

Which policy type uses a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity, but does not grant permissions itself?

Answer 7

Permissions boundary

Question 8

Which policy type is used to limit the permissions that the role or user’s identity-based policies grant when using AWS CLI or AWS API to assume a role or a federated user, but does not grant permissions itself?

Answer 8

Session policy

Question 9

Which type of cross-account permissions policies, not utilizing the JSON policy document structure, are used to control which principals in other accounts can access the resource?

Answer 9

Access control lists (ACLs)

Question 10

Which type of policy is used to define the maximum permissions for account members of an organization or organizational unit (OU), limiting permissions that identity-based or resource-based policies grant to entities (users or roles) within the account, but does not grant permissions itself?

Answer 10

Service control policies (SCPs)

Question 11

In which order are the “Effect” rules (Allow, Deny) applied when AWS processes policy statements?

Answer 11

1. Explicit Deny (overrides all Allow effects)
2. Explicit Allow (provides access to the listed resources)
3. Implicit Deny (denies access by default)

Question 12

What identity types are in AWS IAM?

Answer 12

Users, User groups, and Roles

Question 13

Which identity type is used for long-term AWS access, representing an application, a person, or a service account?

Answer 13

User

Question 14

What is the limit on the number of IAM groups IAM users can be members of?

Answer 14

Each IAM user can be a member of a maximum of 10 groups

Question 15

What is the limit on the number of IAM users that can be created per account?

Answer 15

There is a limit of 5000 IAM users per account

Question 16

Which IAM identities specify a collection of IAM users, primarily focusing on policy management simplification for a large set of users?

Answer 16

User groups

Question 17

Which IAM identities cannot be used to sign in and do not support nesting?

Answer 17

User groups

Question 18

Which IAM identities cannot be referenced as principals in a resource-based policy?

Answer 18

User groups

Question 19

What is the default limit for IAM User groups per account, which can be increased with a support ticket?

Answer 19

300 User groups

Question 20

Which IAM identity is used to provide short-term access permissions to internal or external principals and can be referenced as principals in resource-based policies?

Answer 20

Role

Question 21

Which type of IAM policy defines which principals can assume the role and under which conditions?

Answer 21

Trust policy

Question 22

Which type of IAM policy defines the specific permissions and actions that the IAM identity is allowed or denied within AWS services and resources?

Answer 22

Permissions policy (IAM policy)

Question 23

Which two types of policies do IAM roles have attached?

Answer 23

Permissions policy and trust policy

Question 24

Which type of IAM role is associated directly with an AWS service and includes all the permissions required to call other AWS services on your behalf?

Answer 24

Service-linked role

Question 25

What is the precedence of the assumption of configuration settings by AWS tools?

Answer 25

1. Command line options (–profile, –region)
2. Environment variables
3. Assume role
4. Assume a role with a web identity
5. Credentials file (~/.aws/credentials)
6. Custom process
7. Configuration file (~/.aws/config)
8. Container credentials (ECS)
9. EC2 instance profile credentials

Question 25

What are the most common use cases for IAM roles?

Answer 25

• Service execution roles (e.g., Lambda, ECS)
• Identity federation
• Cross-account access

Question 26

Which string uniquely identifies an AWS resource?

Answer 26

Amazon Resource Name (ARN)

Question 27

What is the structure of Amazon Resource Name (ARN)?

Answer 27

The structure can vary based on the resource, but generally looks as follows:

• arn:partition:service:region:account-id:resource-id
• arn:partition:service:region:account-id:resource-type/resource-id
• arn:partition:service:region:account-id:resource-type:resource-id

S3 example:
- arn:aws:s3:::bucket-name
- arn:aws:s3:::bucket-name/*

EC2 example:
arn:aws:ec2:us-east-1:4575734578134:instance/i-054dsfg34gdsfg38

Question 28

How does IAM policy evaluation work, and what are its key components?

Answer 28

1. Explicit Deny: Allow = NEXT | Deny = STOP NEGATIVE
2. Service Control Policies (SCPs) of account that contains the identity: Not+Exists or Exists+Allow = NEXT | Exists+Deny = STOP NEGATIVE
3. Resource Policies: Allow = STOP POSITIVE | Deny = NEXT
4. Permissions Boundaries: Not+Exists or Exists+Allow = NEXT | Exists+Deny = STOP NEGATIVE
5. Session Policies: Not+Exists or Exists+Allow = NEXT | Exists+Deny = STOP NEGATIVE
6. Identity Policies: Explicit+Allow = STOP POSITIVE | Implicity+Deny = STOP NEGATIVE

Question 29

How are IAM policies evaluated in multi-account environments?

Answer 29

• Account A: Must allow access to Account B through an identity-based policy (e.g., permissions policy).
• Account B: Must allow access from Account A using a resource-based policy (e.g., bucket policy) or a role trust policy.