IAM Flashcards
A Solutions Architect created a brand new IAM User with a default setting using AWS CLI. This is intended to be used to send API requests to Amazon S3, DynamoDB, Lambda, and other AWS resources of the company’s cloud infrastructure.
Which of the following must be done to allow the user to make API calls to the AWS resources?
1) Do nothing as the IAM User is already capable of sending API calls to your AWS resources.
2) Create a set of Access Keys for the user and attach the necessary permissions.
3) Enable Multi-Factor Authentication for the user.
4) Assign an IAM Policy to the user to allow it to send API calls.
2) Create a set of Access Keys for the user and attach the necessary permissions.
You can choose the credentials that are right for your IAM user. When you use the AWS Management Console to create a user, you must choose to include at least a console password or access keys. By default, a brand new IAM user created using the AWS CLI or AWS API has no credentials of any kind. You must create the type of credentials for an IAM user based on the needs of your user.
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). Users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.
To fill this need, you can create, modify, view, or rotate access keys (access key IDs and secret access keys) for IAM users. When you create an access key, IAM returns the access key ID and secret access key. You should save these in a secure location and give them to the user.
The option that says: Do nothing as the IAM User is already capable of sending API calls to your AWS resources is incorrect because by default, a brand new IAM user created using the AWS CLI or AWS API has no credentials of any kind. Take note that in the scenario, you created the new IAM user using the AWS CLI and not via the AWS Management Console, where you must choose to at least include a console password or access keys when creating a new IAM user.
Enabling Multi-Factor Authentication for the user is incorrect because this will still not provide the required Access Keys needed to send API calls to your AWS resources. You have to grant the IAM user with Access Keys to meet the requirement.
Assigning an IAM Policy to the user to allow it to send API calls is incorrect because adding a new IAM policy to the new user will not grant the needed Access Keys needed to make API calls to the AWS resources.
A Solutions Architect is managing a company’s AWS account of approximately 300 IAM users. They have a new company policy that requires changing the associated permissions of all 100 IAM users that control the access to Amazon S3 buckets.
What will the Solutions Architect do to avoid the time-consuming task of applying the policy to each user?
1) Create a new IAM role and add each user to the IAM role.
2) Create a new S3 bucket access policy with unlimited access for each IAM user.
3) Create a new policy and apply it to multiple IAM users using a shell script.
4) Create a new IAM group and then add the users that require access to the S3 bucket. Afterwards, apply the policy to IAM group.
4) Create a new IAM group and then add the users that require access to the S3 bucket. Afterwards, apply the policy to IAM group.
In this scenario, the best option is to Create a new IAM group and then add the users that require access to the S3 bucket. Afterward, apply the policy to the IAM group. This will enable you to easily add, remove, and manage the users instead of manually adding a policy to each and every 100 IAM users.
Creating a new policy and applying it to multiple IAM users using a shell script is incorrect because you need a new IAM Group for this scenario and not assign a policy to each user via a shell script. This method can save you time but afterward, it will be difficult to manage all 100 users that are not contained in an IAM Group.
Creating a new S3 bucket access policy with unlimited access for each IAM user is incorrect because you need a new IAM Group and the method is also time-consuming.
Creating a new IAM role and adding each user to the IAM role is incorrect because you need to use an IAM Group and not an IAM role.
An Intelligence Agency developed a missile tracking application that is hosted on both development and production AWS accounts. The Intelligence agency’s junior developer only has access to the development account. She has received security clearance to access the agency’s production account but the access is only temporary and only write access to EC2 and S3 is allowed.
Which of the following allows you to issue short-lived access tokens that act as temporary security credentials to allow access to your AWS resources?
1) Use AWS Cognito to issue JSON Web Tokens (JWT)
2) All of the given options are correct.
3) Use AWS IAM Identity Center
4) Use AWS Security Token Service (STS)
4) Use AWS Security Token Service (STS)
AWS Security Token Service (STS) is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use.
In this diagram, IAM user Alice in the Dev account (the role-assuming account) needs to access the Prod account (the role-owning account). Here’s how it works:
Alice in the Dev account assumes an IAM role (WriteAccess) in the Prod account by calling AssumeRole.
STS returns a set of temporary security credentials.
Alice uses the temporary security credentials to access services and resources in the Prod account. Alice could, for example, make calls to Amazon S3 and Amazon EC2, which are granted by the WriteAccess role.
Using AWS Cognito to issue JSON Web Tokens (JWT) is incorrect because the Amazon Cognito service is primarily used for user authentication and not for providing access to your AWS resources. A JSON Web Token (JWT) is meant to be used for user authentication and session management.
Using AWS AWS IAM Identity Center is incorrect because this is simply a successor to the AWS Single Sign-On service that helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. IAM Identity Center is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type, but not for generating tokens.
The option that says All of the above is incorrect as only STS has the ability to provide temporary security credentials.
A company has an application that continually sends encrypted documents to Amazon S3. The company requires that the configuration for data access is in line with their strict compliance standards. They should also be alerted if there is any risk of unauthorized access or suspicious access patterns.
Which step is needed to meet the requirements?
1) Use Amazon Rekognition to monitor and recognize patterns on S3.
2) Use Amazon Inspector to alert whenever a security violation is detected on S3.
3) Use AWS CloudTrail to monitor and detect access patterns on S3.
4) Use Amazon GuardDuty to monitor malicious activity on S3.
4) Use Amazon GuardDuty to monitor malicious activity on S3.
Amazon GuardDuty can generate findings based on suspicious activities such as requests coming from known malicious IP addresses, changing of bucket policies/ACLs to expose an S3 bucket publicly, or suspicious API call patterns that attempt to discover misconfigured bucket permissions.
To detect possibly malicious behavior, GuardDuty uses a combination of anomaly detection, machine learning, and continuously updated threat intelligence.
Hence, the correct answer is: Use Amazon GuardDuty to monitor malicious activity on S3.
The option that says: Use Amazon Rekognition to monitor and recognize patterns on S3 is incorrect because Amazon Rekognition is simply a service that can identify the objects, people, text, scenes, and activities on your images or videos, as well as detect any inappropriate content.
The option that says: Use AWS CloudTrail to monitor and detect access patterns on S3 is incorrect. While AWS CloudTrail can track API calls for your account, including calls made by the AWS Management Console, AWS SDKs, command line tools, and other AWS services, its primary function is not to monitor and detect access patterns on S3. It’s more about governance, compliance, operational auditing, and risk auditing.
The option that says: Use Amazon Inspector to alert whenever a security violation is detected on S3 is incorrect because Inspector is basically an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
A tech company that you are working for has undertaken a Total Cost Of Ownership (TCO) analysis evaluating the use of Amazon S3 versus acquiring more storage hardware. The result was that all 1200 employees would be granted access to use Amazon S3 for the storage of their personal documents.
Which of the following will you need to consider so you can set up a solution that incorporates a single sign-on feature from your corporate AD or LDAP directory and also restricts access for each individual user to a designated user folder in an S3 bucket? (Select TWO.)
1) Use 3rd party Single Sign-On solutions such as Atlassian Crowd, OKTA, OneLogin and many others.
2) Map each individual user to a designated user folder in S3 using Amazon WorkDocs to access their personal documents.
3) Set up a matching IAM user for each of the 1200 users in your corporate directory that needs access to a folder in the S3 bucket.
4) Set up a Federation proxy or an Identity provider, and use AWS Security Token Service to generate temporary tokens.
5) Configure an IAM role and an IAM Policy to access the bucket.
4) Set up a Federation proxy or an Identity provider, and use AWS Security Token
5) Service to generate temporary tokens.
Configure an IAM role and an IAM Policy to access the bucket.
The question refers to one of the common scenarios for temporary credentials in AWS. Temporary credentials are useful in scenarios that involve identity federation, delegation, cross-account access, and IAM roles. In this example, it is called enterprise identity federation, considering that you also need to set up a single sign-on (SSO) capability.
The correct answers are:
– Setup a Federation proxy or an Identity provider, and use AWS Security Token Service to generate temporary tokens
– Configure an IAM role and an IAM Policy to access the bucket.
In an enterprise identity federation, you can authenticate users in your organization’s network, and then provide those users access to AWS without creating new AWS identities for them and requiring them to sign in with a separate user name and password. This is known as the single sign-on (SSO) approach to temporary access. AWS STS supports open standards like Security Assertion Markup Language (SAML) 2.0, with which you can use Microsoft AD FS to leverage your Microsoft Active Directory. You can also use SAML 2.0 to manage your own solution for federating user identities.
Using 3rd party Single Sign-On solutions such as Atlassian Crowd, OKTA, OneLogin and many others is incorrect since you don’t have to use 3rd party solutions to provide the access. AWS already provides the necessary tools that you can use in this situation.
Mapping each individual user to a designated user folder in S3 using Amazon WorkDocs to access their personal documents is incorrect as there is no direct way of integrating Amazon S3 with Amazon WorkDocs for this particular scenario. Amazon WorkDocs is simply a fully managed, secure content creation, storage, and collaboration service. With Amazon WorkDocs, you can easily create, edit, and share content. And because it’s stored centrally on AWS, you can access it from anywhere on any device.
Setting up a matching IAM user for each of the 1200 users in your corporate directory that needs access to a folder in the S3 bucket is incorrect since creating that many IAM users would be unnecessary. Also, you want the account to integrate with your AD or LDAP directory, hence, IAM Users does not fit these criteria.
A company has multiple AWS sandbox accounts that are used by its development team. All developers must be given access to the contents of one of the main account’s S3 buckets. For security purposes, any personally identifiable information (PII) or financial data uploaded in the bucket must be continuously monitored and removed.
How can this be done at the lowest possible cost and with the least amount of configuration effort?
1) Add S3 read permission to the IAM policy of each IAM user from the sandbox accounts. Use Amazon Detective to discover personally identifiable information (PII) or financial data.
2) Generate a pre-signed URL for the objects on the S3 bucket. Use the Amazon S3 Storage Lens to discover personally identifiable information (PII) or financial data.
3) Configure cross-account replication on the S3 bucket. Integrate AWS Audit Manager with the S3 bucket to discover any personally identifiable information (PII) or financial data.
4) Create an S3 bucket policy that grants access from the sandbox accounts. Use Amazon Macie to discover personally identifiable information (PII) or financial data.
4) Create an S3 bucket policy that grants access from the sandbox accounts. Use Amazon Macie to discover personally identifiable information (PII) or financial data.
In Amazon S3, you can grant users in another AWS account (Account B) granular cross-account access to objects owned by your account (Account A). Depending on the type of access that you want to provide, use one of the following solutions to grant cross-account access to objects:
– AWS Identity and Access Management (IAM) policies and resource-based bucket policies ( for programmatic-only access to S3 bucket objects
– IAM policies and resource-based Access Control Lists (ACLs) for programmatic-only access to S3 bucket objects
– Cross-account IAM roles for programmatic and console access to S3 bucket objects.
Not all AWS services support resource-based policies. Therefore, you can use cross-account IAM roles to centralize permission management when providing cross-account access to multiple services. Using cross-account IAM roles simplifies provisioning cross-account access to S3 objects that are stored in multiple S3 buckets. As a result, you don’t need to manage multiple policies for S3 buckets. This method allows cross-account access to objects owned or uploaded by another AWS account or AWS services. If you don’t use cross-account IAM roles, then the object ACL must be modified.
In the scenario, the best approach to granting the developers access to the main account’s S3 bucket is by configuring the bucket policy to allow IAM users from different accounts to call the GetObject method. This is a neater and simpler solution than the rest because you control access from a single location without any additional costs.
Hence, the correct answer is: Create an S3 bucket policy that grants access from the sandbox accounts. Use Amazon Macie to discover personally identifiable information (PII) or financial data.
The option that says: Configure cross-account replication on the S3 bucket. Integrate AWS Audit Manager with the S3 bucket to discover any personally identifiable information (PII) or financial data is incorrect. This can work, but it is an inefficient way of solving the problem. The developers only need to access the S3 objects in another account; they do not need to own a copy of them. On top of that, replication incurs additional costs. In addition, the AWS Audit Manager simply helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards. AWS Audit Manager is not capable of discovering personally identifiable information (PII) or financial data in your S3 bucket.
The option that says: Generate a pre-signed URL for the objects on the S3 bucket. Use the Amazon S3 Storage Lens to discover personally identifiable information (PII) or financial data is incorrect. Since objects shared using presigned URLs are time-limited, you’d have to regenerate the URL for each object every time it expires and resend the new link to the developers. This approach does not scale well and is not a good use for the S3 presigned URL. Moreover, the Amazon S3 Storage Lens feature just provides a single view of object storage usage and activity across your entire Amazon S3 storage.
The option that says: Add S3 read permission to the IAM policy of each IAM user from the sandbox accounts. Use Amazon Detective to discover personally identifiable information (PII) or financial data is incorrect. You would have to jump from one account to another to set this up. It works, but depending on the number of accounts and IAM users, it will entail a lot of configuration overhead. Although Amazon Detective is a security service, it does not have any capability to discover any PII or financial data in your S3 bucket. Its primary purpose is to analyze and visualize security data to rapidly get to the root cause of potential security issues.
A pharmaceutical company has resources hosted on both their on-premises network and in AWS cloud. They want all of their Software Architects to access resources on both environments using their on-premises credentials, which is stored in Active Directory.
In this scenario, which of the following can be used to fulfill this requirement?
1) Set up SAML 2.0-Based Federation by using a Web Identity Federation.
2) Use Amazon VPC
3) Set up SAML 2.0-Based Federation by using a Microsoft Active Directory Federation Service (AD FS).
4) Use IAM users
Since the company is using Microsoft Active Directory which implements Security Assertion Markup Language (SAML), you can set up a SAML-Based Federation for API Access to your AWS cloud. In this way, you can easily connect to AWS using the login credentials of your on-premises network.
AWS supports identity federation with SAML 2.0, an open standard that many identity providers (IdPs) use. This feature enables federated single sign-on (SSO), so users can log into the AWS Management Console or call the AWS APIs without you having to create an IAM user for everyone in your organization. By using SAML, you can simplify the process of configuring federation with AWS, because you can use the IdP’s service instead of writing custom identity proxy code.
Before you can use SAML 2.0-based federation as described in the preceding scenario and diagram, you must configure your organization’s IdP and your AWS account to trust each other. The general process for configuring this trust is described in the following steps. Inside your organization, you must have an IdP that supports SAML 2.0, like Microsoft Active Directory Federation Service (AD FS, part of Windows Server), Shibboleth, or another compatible SAML 2.0 provider.
Hence, the correct answer is: Set up SAML 2.0-Based Federation by using a Microsoft Active Directory Federation Service (AD FS).
Setting up SAML 2.0-Based Federation by using a Web Identity Federation is incorrect because this is primarily used to let users sign in via a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google. It does not utilize Active Directory.
Using IAM users is incorrect because the situation requires you to use the existing credentials stored in their Active Directory, and not user accounts that will be generated by IAM.
Using Amazon VPC is incorrect because this only lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. This has nothing to do with user authentication or Active Directory.
A company needs to integrate the Lightweight Directory Access Protocol (LDAP) directory service from the on-premises data center to the AWS VPC using IAM. The identity store which is currently being used is not compatible with SAML.
Which of the following provides the most valid approach to implement the integration?
1) Develop an on-premises custom identity broker application and use STS to issue short-lived AWS credentials.
2) Use AWS Single Sign-On (SSO) service to enable single sign-on between AWS and your LDAP.
3) Use an IAM policy that references the LDAP identifiers and AWS credentials.
4) Use IAM roles to rotate the IAM credentials whenever LDAP credentials are updated.
1) Develop an on-premises custom identity broker application and use STS to issue short-lived AWS credentials.
If your identity store is not compatible with SAML 2.0 then you can build a custom identity broker application to perform a similar function. The broker application authenticates users, requests temporary credentials for users from AWS, and then provides them to the user to access AWS resources.
The application verifies that employees are signed into the existing corporate network’s identity and authentication system, which might use LDAP, Active Directory, or another system. The identity broker application then obtains temporary security credentials for the employees.
To get temporary security credentials, the identity broker application calls either AssumeRole or GetFederationToken to obtain temporary security credentials, depending on how you want to manage the policies for users and when the temporary credentials should expire. The call returns temporary security credentials consisting of an AWS access key ID, a secret access key, and a session token. The identity broker application makes these temporary security credentials available to the internal company application. The app can then use the temporary credentials to make calls to AWS directly. The app caches the credentials until they expire, and then requests a new set of temporary credentials.
Using an IAM policy that references the LDAP identifiers and AWS credentials is incorrect because using an IAM policy is not enough to integrate your LDAP service to IAM. You need to use SAML, STS, or a custom identity broker.
Using AWS Single Sign-On (SSO) service to enable single sign-on between AWS and your LDAP is incorrect because the scenario did not require SSO and in addition, the identity store that you are using is not SAML-compatible.
Using IAM roles to rotate the IAM credentials whenever LDAP credentials are updated is incorrect because manually rotating the IAM credentials is not an optimal solution to integrate your on-premises and VPC network. You need to use SAML, STS, or a custom identity broker.
What is a proper definition of an IAM Role?
1) IAM Users in multiple User Groups
2) An IAM entity that defines a password policy for IAM Users
3) An IAM entity that defines a set of permissions for making request to AWS services, and will be used by an AWS service
4) Permissions assigned to IAM Users to perform actions
3) An IAM entity that defines a set of permissions for making request to AWS services, and will be used by an AWS service
Some AWS services need to perform actions on your behalf. To do so, you assign permissions to AWS services with IAM Roles.
Which of the following is an IAM Security Tool?
1) IAM Credentials Report
2) IAM Root Account Manager
3) IAM Services Report
4) IAM Security Advisor
1) IAM Credentials Report
IAM Credentials report lists all your AWS Account’s IAM Users and the status of their various credentials.
Which answer is INCORRECT regarding IAM Users?
1) IAM Users can belong to multiple User Groups
2) IAM Users don’t have to belong to a User Group
3) IAM Policies can be attached directly to IAM Users
4) IAM Users access AWS services using root account credentials
4) IAM Users access AWS services using root account credentials
IAM Users access AWS services using their own credentials (username & password or Access Keys).
What are IAM Policies?
1) A set of policies that defines how AWS accounts interact with each other
2) JSON documents that defines a set of permissions for making requests to AWS services, and can be used by IAM Users, User Groups, and IAM Roles
3) A set of policies that define a password for IAM Users
4) A set of policies defined by AWS that show how customers interact with AWS
2) JSON documents that defines a set of permissions for making requests to AWS services, and can be used by IAM Users, User Groups, and IAM Roles
Which principle should you apply regarding IAM Permissions?
1) Grant most privilege
2) Grant more permissions if your employee asks you to
3) Grant least privilege
4) Restrict root account permissions
Grant least privilege
IAM User Groups can contain IAM Users and other User Groups.
1) True
2) False
False
A statement in an IAM Policy consists of?
Effect: Specifies whether the statement allows or denies access (e.g., “Allow” or “Deny”).
Action: Defines the specific actions that are allowed or denied (e.g., “s3:ListBucket”).
Resource: Identifies the AWS resources to which the actions apply (e.g., “arn:aws:s3:::example_bucket”).
Principal: (In resource-based policies) Specifies the entity that is allowed or denied access.
Condition: (Optional) Specifies conditions under which the policy is in effec
