IAM Flashcards

1
Q

What is AWS Organisations?

A

A way to organize and manage multiple standard AWS accounts.
There is one single payer account (the management account) and multiple member accounts.

2
Q

What are Service Control Policies?

A

They are top-level policies that can be applied to OUs in an AWS Organization.
SCP permissions override identity permissions and define the scope within which identity permissions are allowed to apply.

3
Q

What is CloudTrail?

A
  • enabled by default
  • events are kept for 90 days by default
  • trails are how you customize CW Logs delivery
  • only management plane events are enabled by default
  • data events need to be enabled, at an extra cost
  • most services log to the region they are in; some are global, like IAM, STS, CF, etc.
  • trails can be enabled as “all region” to capture events from all AWS regions
  • not real time; there is a delay in the logging
4
Q

What is the DENY/ALLOW/DENY rule?

A

Explicit DENY wins
Explicit ALLOW next
Implicit DENY next

5
Q

What is the difference between Managed and Inline policies?

A

Inline - a policy applied to each identity individually; admin overhead: you must edit every account if a change is needed

Managed - a single policy that can be attached to multiple identities; reusable, low management overhead

Use Inline for exceptional cases, to block or add permissions for a specific identity

6
Q

Exam power up!

A
  • only 5000 IAM users in a single account
  • IAM users can be members of 10 groups

7
Q

Can groups be referenced as an identity in a policy?

A

NO!
