IAM Flashcards

1
Q

Limit for IAM users?
Default permissions?

A

Up to 5000
None

2
Q

What is the root user's username?
What permissions does the root user have?
Can the permissions be changed?

A

The email address the AWS account was created with
All permissions - full unrestricted access to AWS resources
Some permissions can't be changed

3
Q

What username can an IAM user provide when logging in?
How does the IAM user get permissions?

A

The friendly name/alias or their AWS account id
An IAM user obtains permissions either from policies attached to the user or from policies attached to a group the user belongs to

4
Q

What are permissions boundaries?
What type of security attack do they prevent?

A

A permissions boundary sets the maximum permissions that a user or role can have

Privilege Escalation

5
Q

List the policy evaluation logic performed by AWS.

A

The decision starts at deny
Evaluate all policies for an explicit deny
Now look for an Allow in the policies that include the principal:
Evaluate SCPs if the account is a member of an organization; if no Allow, then deny
Evaluate resource policies; if Allow, this policy determines access
Evaluate identity policies; if none exists or there is no Allow, then deny
Evaluate the permissions boundary; if none exists or there is no Allow, then deny
Is the principal a session principal? If no, Allow
If yes, evaluate the session policy:
if it doesn't exist and this is a role session, Allow
if it doesn't exist and this is not a role session, Deny
if it exists and contains an Allow, Allow
Otherwise deny

6
Q

What is included in the request context for a request to an AWS resource?

A

Action
Resource
Principal
Environment data - IP, user agent, SSL status and date/time
Resource data

7
Q

List the IAM policy types.

A

Identity based policies
Resource based policies
IAM permissions boundaries
AWS Organizations service control policies
Session policies

8
Q

SCP

A

AWS Organizations service control policies specify the maximum permissions for an account that is a member of an organization or OU

9
Q

Session policies

A

Used to evaluate requests for resources when the AssumeRole* API actions are taken

10
Q

List the determination rules for policy evaluation.

A

By default, all requests are implicitly denied (except for the root user)

An explicit allow in an identity or resource policy overrides the default

If a permissions boundary, SCP or session policy is present, it might override an allow with an implicit deny

An explicit deny in any policy overrides any allows

11
Q

Indicate whether the intersection or the union of policies that include an Allow results in an Allow for a permission.

A

The union of the permissions allowed in resource and identity policies results in an allow of all those permissions

The intersection of the permissions allowed in an identity policy and a permissions boundary results in an allow

The intersection of the permissions allowed in an identity policy and an SCP results in an allow

12
Q

What is the structure of the JSON for an IAM policy?

What is not required in an IAM policy?

A

Version (usually the date the policy was written)
Statement - list of statements

Statement includes
Effect - Allow or Deny
Action - list of resource actions
Resource - list of specific resources (e.g. an S3 bucket, an RDS table, etc.)

Principal element is not required in the policy

13
Q

What are IAM best practices for temporary credentials?

A

Require human users to use federation with an identity provider to access AWS using temporary credentials

Require workloads to use temporary credentials with IAM roles to access AWS

14
Q

What are IAM best practices for IAM Access Analyzer?

A

Use IAM Access Analyzer to generate least-privilege policies based on access activity

Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions

Verify public and cross-account access to resources with IAM Access Analyzer

15
Q

What are IAM best practices for least privilege?

A

Apply least-privilege permissions

Get started with AWS managed policies and move toward least-privilege permissions

Use IAM Access Analyzer to generate least-privilege policies based on access activity

Use conditions in IAM policies to further restrict access

16
Q

What are IAM best practices for user and credential management?

A

Apply least-privilege permissions

Require human users to use federation with an identity provider to access AWS using temporary credentials - don't use IAM users; instead use an identity provider or AWS IAM Identity Center

Require multi-factor authentication (MFA)

Update (rotate) access keys when needed for use cases that require long-term credentials

Follow best practices to protect your root user credentials

Regularly review and remove unused users, roles, permissions, policies, and credentials

17
Q

What are IAM best practices for account management?

A

Establish permissions guardrails across multiple accounts

Use permissions boundaries to delegate permissions management within an account

Verify public and cross-account access to resources with IAM Access Analyzer

18
Q

What are IAM best practices for policy management?

A

Get started with AWS managed policies and move toward least-privilege permissions

Use IAM Access Analyzer to generate least-privilege policies based on access activity

Regularly review and remove unused users, roles, permissions, policies, and credentials

Use conditions in IAM policies to further restrict access

19
Q

Can a group be the principal of an identity-based policy? If so, how? If not, why not, and how do you apply a policy to a group?

A

A group is not an identity and therefore can't be identified as a principal in an identity policy

Use a resource-based policy instead of other policies that require a principal

20
Q

Can you nest or create a group within a group?

A

No

21
Q

IAM Role

A

Used to delegate permissions to resources for users and services

Roles are created and then assumed by trusted entities

22
Q

STS

A

Security Token Service provides temporary credentials

23
Q

IAM/identity-based Policy

A

Documents that define permissions and can be applied to users, groups and roles

Written in JSON

24
Q

MFA Protected API Access

A

Used to enforce another authentication factor (MFA code) when accessing AWS resources

Enforced using the aws:MultiFactorAuthAge condition key:

"Condition": { "Null": { "aws:MultiFactorAuthAge": "true" } }

(A Null check of "true" matches requests in which the key is absent, i.e. no MFA was used, so this condition is paired with a Deny effect to enforce MFA)

25
Q

AWS account root user

A

When you first create an Amazon Web Services (AWS) account, the email address and password you provide are the credentials for your root user, which has access to all AWS services and resources in the account.

A root user:

Has full access to all AWS services

Cannot be restricted in a single-account model

Should not be used for day-to-day interactions with AWS

26
Q

Best practice for root user

A

Manage the account with the administrator user instead of the root user.

Secure your root user credentials

Use a strong root user password to help protect access

Secure your root user sign-in with multi-factor authentication (MFA)

Don’t create access keys for the root user

Use multi-person approval for root user sign-in wherever possible

Use a group email address for root user credentials

Restrict access to account recovery mechanisms

Secure your Organizations account root user credentials

Monitor access and usage

27
Q

AWS Identity and Access Management (IAM)

A

Use IAM to:
* Create and manage users, groups, and roles.
* Manage access to AWS services and resources.
* Analyze access controls.

28
Q

Principals

A

A principal is an entity that can request an action or operation on an AWS resource. IAM users and IAM roles are the most common principals that you work with.

A principal can also be an AWS service, such as Amazon Elastic Compute Cloud (Amazon EC2), a Security Assertion Markup Language 2.0 (SAML 2.0) provider, or an identity provider (IdP).

29
Q

Resource-based policies

A

Attach inline policies to resources.

The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies.

30
Q

IAM permissions boundaries

A

AWS supports permissions boundaries for IAM entities (users or roles). Use IAM permissions boundaries to set the maximum permissions that an IAM entity can receive.

31
Q

What key features does AWS Organizations provide?

A
  • Centralized management of all your AWS accounts
  • Consolidated billing for all member accounts
  • Hierarchical grouping of your accounts to meet your budgetary, security, or compliance needs
  • Policies to centralize control over the AWS services and API actions that each account can access
  • Policies to standardize tags across the resources in your organization's accounts
  • Policies to control how AWS artificial intelligence (AI) and machine learning (ML) services can collect and store data
  • Policies that configure automatic backups for the resources in your organization's accounts
  • Integration and support for IAM
  • Integration with other AWS services
  • Global access
  • Data replication that is eventually consistent
  • No cost to use