IAM

Question 1

What is Access Keys?

Answer 1

A pair of key consisting of the Access Key ID and the Secret Access Key.

While the ID is open (like a username) and shared, the Secret can only be downloaded once.

Question 2

Do the Access Keys expire?

Answer 2

No - but it is best practice to rotate keys

Question 3

How many Access Keys can a user have?

Answer 3

Two (doesn’t matter if active or inactive) - But you can always delete the keys

Question 4

What is best practice to remove a key?

Answer 4

First set the key inactive - check for any problems.

Then delete the key and create a new one

Question 5

What are the two “types” of policies and what are they attached/used for?

Answer 5

Identity policy: Given to a user or a group

Resource policy: Attached to a resource such as EC2

Question 6

Describe the Attributes of a policy statement

Answer 6

Sid: Statement ID - What is the purpose?

Effect: What does the policy do? Allow / Deny

Action: Scope for the effect in terms of rights

Resource: What part of AWS is affected? (Service, S3 Bucket, DynamoDB table etc.)

Condition: Under what conditions does the policy take effect

Question 7

What would dynamodb:Delete* do?

Answer 7

Access or denial of everything under :Delete

:DeleteBackup, :DeleteItem, :DeleteTable

Question 8

What would dynamodb:*Table do?

Answer 8

Access or denial of everything ending with Table, dynamodb:CreateGlobalTable e.g.

Question 9

What is the difference between and Permission and a Trust Policy?

Answer 9

Permission: Like a normal policy for a user, gives perssions to the role

Trust: Defines who can assume the role (EC2 e.g.)

Question 10

Is it possible to give a role to resources in another account?

Answer 10

Yes, using the account in the trust policy

Question 11

Can you restrict permissions to the Master Account in an AWS Organization?

Answer 11

No.

Only for Member Accounts or Organizational Units

Question 12

What are the ways to add an account into an AWS Organization?

Answer 12

Invite an existing account

Create a new account

Question 13

Which service control policy allows access to all AWS services within an attached member account?

Answer 13

FullAWSAccess

Question 14

Is the master account affected by a SCP set on the root?

Answer 14

No, the master account is not affected by a Service Control Policy.

AWS Organizations use Inverse Tree Architecture, which starts at the root and flows onto any member or organization unit below.

Question 15

How can you restrict a root user of an Organization Unit(!!) account?

Answer 15

By creating and attaching a service control policy

Question 16

How to distinguish policy item on bucket/object level?

Answer 16

With the *

bucket: s3::bucketname
object: s3::bucketname/*

Question 17

What does ec2:describe as an action do?

Answer 17

Gives read only access to the ec2 instances

Question 18

What are the four types of roles?

Answer 18

1. Service Roles (Allowing a service - EC2 e.g. - to access other services)
2. AWS Service-Linked roles (very speciific rules for example for the Amazon Lex Bot)
3. Cross Access Roles (Access for the trusted account to access the trusting account)
4. Identity Provider (Access for Web/SAML Identitiy Providers to access the services)

Question 19

What are the two types of policies?

Answer 19

Managed Policies (AWS managed & Customer managed)
Inline Policies (directly attached to a group or user)

Question 20

Can you change the role of a running EC2 instance?

Answer 20

No, there should be an AMI created and on launch the new role should be created

Question 21

Organisations:

What are the four main functions of AWS Organisations?

Answer 21

• Centrally Manage Policies accross multiple accounts
• Controll access to the services
• Automate Account Creations
• Consolidate Billing across accounts

Question 22

What are SCPs?

Answer 22

Service Control Policies
Created and managed in AWS Organisations, limit access across accounts.
Have precedence over IAM policies

Question 23

What is an Identity-based policy?

Answer 23

Identity-based policies are JSON permissions policy documents that control what actions an identity (users, groups of users, and roles) can perform, on which resources, and under what conditions.

There are AWS managed and Customer managed policies

It’s also possible to attach the policy directly as an inline policy

Question 24

What is a Resource-based policy?

Answer 24

Directly attached to the service (S3 Bucket, Dynamo DB table e.g.) direclty
With resource-based policies, you can specify who has access to the resource and what actions they can perform on it.

Question 25

What is a Permissions boundary? (Policy)

Answer 25

A permissions boundary is an advanced feature in which you set the maximum permissions that an identity-based policy can grant to an IAM entity.

Question 26

What is an Access control lists (ACLs)?

Answer 26

Access control lists (ACLs) are service policies that allow you to control which principals in another account can access a resource. ACLs cannot be used to control access for a principal within the same account

ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document format.

Question 27

What are IAM Condition keys?

Answer 27

Special permission control that can be used in Lambda.
Can be used for three different conditions:
- lambda:VpcIds - Allow/Deny a VPC
- lambda:SubnetIds - Allow/Deny a subnet
- lambda:SecurityGroupIds - Allow/Deny a Security Group

Question 28

IAM: Define the IAM User

Answer 28

Individual, system or application that interacts with the AWS ecosystem programmatically, through the console or CLI

Question 29

IAM: Define the root user

Answer 29

Only user with an email address als the username.

Cannot be restricted, therefore should not be used in production.

Question 30

IAM: What is a group?

Answer 30

Collections of users.
Cannot be nested (groups in groups)
Users can be in multiple groups

Question 31

IAM: When should a role be used?

Answer 31

When temporary access should be granted or the accessor should not be handed the credentials:

• EC2 instances, connecting to other services
• IAM users that have temporary elevated rights
• Federated / cross-account access