IAM, ACCOUNTS AND AWS ORGANISATIONS

Question 1

IAM Identity Policies

Answer 1

policy permissions that tell AWS what resources can or can’t be accessed using the identity

Question 2

What takes priority when reading a IAM Policy?

Answer 2

If you have a explicit Deny statement that Always takes president over an explicit allow

Question 3

What if there is No explicit deny or allow on an IAM Policy ?

Answer 3

the AWS resource are by default denied

Question 4

Inline policies

Answer 4

attached policies to an individual accounts

used for special or exceptional allow or Deny for managed policies

Question 5

Managed Policies

Answer 5

reusable low management overhead

Question 6

IAM Users

Answer 6

identity used for anything that requiring long-term AWS access ex. Humans, applications or service accounts

Question 7

What are Access Keys used for ?

Answer 7

Humans using CLI and applications

Question 8

IAM user account limit

Answer 8

5,000 IAM users per account

Question 9

Account Group limits

Answer 9

IAM users can be member of 10 groups

Question 10

IAM Groups

Answer 10

containers for IAM users

Question 11

Can IAM groups have policies attached to them ?

Answer 11

groups can have policies attached to them inline/managed

Question 12

cons of IAM Groups

Answer 12

• no nesting
• no built in All users group
• 200 groups per account (soft limit can be increased )
• not an identity

Question 13

What can’t you do with an IAM group that you can do with IAM user?

Answer 13

Groups can not be login to and as such are not a true identity so they can’t be references as a principal in a policy

Question 14

Principal

Answer 14

Physical person, application, device, or process which wants to authenticate with AWS

Question 15

IAM user vs IAM role

Answer 15

single principal

Long time usage

can have policies attached to the, Both Inline and manages

Question 16

IAM Role vs IAM User

Answer 16

Multiple principles internal or external

more than 5,000 users

generally used on a temporary basis

Has trust and permission policy

Question 17

Trust Policy

Answer 17

controls which identities can assume that role

Question 18

Permissions Policy

Answer 18

roles can be refences in resource policies

Question 19

What operation is done to allow IAM roles to function If an IAM role is created in the CLI?

Answer 19

Temporary security credentials are generated by

AWS secure token service called

STS:AssumeRole

If done in the UI the credentials are always add when creating the IAM role

if done in the UI the credentials have to be added to the IAM role before being able to use it with AWS resources

Question 20

Wayne is a worker at Galaxe who works at the help desk. Wayne is in the Help desk group and and as such he only has read access. But there are cases where he would need Read access What solution can you provide?

Answer 20

We can make an IAM role called emergency role where if situation is need Wayne can take on that role and gain write access.

Question 21

Company A has over 5,000 user under their existing Microsoft active directory. Those users need access to an S3 bucket contain essentials company resources. How could they access the resources? what would be your solution?

Answer 21

External accounts can’t be used but we can have those accounts take on IAM role when they need to access S3.

Question 22

AWS Organization

Answer 22

allows the management of multiple aws accounts from one AWS account called the management account

Question 23

AWS Organization Consolidated Billing

Answer 23

individual billing is removed from the member account of an organization and the management account is use

Question 24

How are you able to access member accounts in AWS organizations?

Answer 24

when your invited to AWS account into the organization you have to create the IAM role manually when creating an AWS account in the organization AWS creates the roll for you.

Question 25

What is the name of the role that AWS users when switching into another AWS account under the engagement account

Question 26

Service Control Policies

Answer 26

account permission boundaries

that limit what a account can do

they don’t grant any permission

Question 27

Can a SPC (service control policy ) restrict what a root user can do ?

Answer 27

no, root users themselves can never be restricted. SPC limits what an account can do and so indirectly impacts what a root user can do.

Question 28

FullAWSAccess

Answer 28

default policy that is applied when you enable service control policies (SPC)

Allows access to all AWS services

Question 29

Deny List Architecture (SPC)

Answer 29

By default all AWS services are allowed which would scale with AWS as new infrastructures are added

to deny a service you would have to create a Deny list

Question 30

Allow List Architecture (SPC)

Answer 30

where the default FullAwsAccess is deleted

all resources would then be denied

you would have to create a allows list to grant access to services

Question 31

Cloud Watch Logs

Answer 31

A public services that allows store, monitor and access logging data with aws intergrations

Question 32

Cloud Trail

Answer 32

Logs API actions that effect an AWS account

enabled by default for 90 days history

Question 33

Management Events

Answer 33

management events like creating an EC2 instance or VPC

Question 34

Data Events

Answer 34

resource operations performed on or in a resource like objects being added to S3

Question 35

What’s so special about IAM,STS,and CloudFront ?

Answer 35

They are global Service events they always log there events in us-east-1

Question 36

can cloud Trail log global events ?

Answer 36

yes but it needs to be enabled

Question 37

Trails

Answer 37

unit that used to configure a3 and CW logs

Question 38

AWS Security Token Service (AWS STS)

Answer 38

is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources.

Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use.