IAM, Accounts, and AWS Organizations

Question 1

IAM Policies

Answer 1

Grants or denies access to identities

Question 2

Policy Document

Answer 2

Written in JSON to tell what is allowed or denied.

Question 3

(T/F) An individual can have multiple IAM Policies

Answer 3

True

Question 4

SEAR

Answer 4

Statement ID, Effect, Action, Resource

Question 5

IAM Policy Document Statements

Answer 5

SEAR or SARE - Statement ID or SID (optional), ex. Full Access; Action can be very specific and then the service : and can be specific or * ex. Action: [“s3:&”]; Resource specifies the resources, can be specific or wildcard ex Resource: [“*”]; Effect is to either allow or deny

Question 6

DAD

Answer 6

Priority of IAM Policy Statements - Deny, Allow, Deny

Question 7

Priority of IAM Policy Statements

Answer 7

First is explicit deny. If a resource is denied, it cannot be accessed.
Second is explicit allow. If a resource is allowed and there is no explicit deny, it is allowed.
Third is implicit deny. If there is not statement allowing a service, it is denied implicitly.

Question 8

Two types of IAM Policies

Answer 8

Inline and Managed

Question 9

Inline Policy

Answer 9

applying JSON to each account individually. Not best practice. Got to make changes to each individual JSON policy. Usually used for special or exceptional allow or deny.

Question 10

Managed Policy

Answer 10

created as its own object and attach it to any policy that wants to gain those access rights. They are RESUABLE and LOW MANAGEMENT OVERHEAD

Question 11

Two types of Managed Policies

Answer 11

AWS Managed Policies and Custom Policies

Question 12

IAM Users

Answer 12

an identity used for anything requiring LONG-TERM AWS access e.g. HUMANS, APPLICATIONS or SERVICE ACCOUNTS

Question 13

Authenticated Identity

Answer 13

U&P and Access Keys (services); proves identity

Question 14

Authorization

Answer 14

IAM checking the authentication and allowing or denying access

Question 15

Exam Alert: (T/F) Internet scale apps and large organizations with more than 5,000 users should use IAM Users.

Answer 15

False. 5,000 IAM users PER ACCOUNT; IAM User can be a member of 10 GROUPS; This has design impacts – remember the limits for the exam which may discuss large organizations or Internet scale apps that have more than 5,000 users then IAM will not be the right choice.

Question 16

IAM Groups

Answer 16

containers for USERS; solely for organizing users

Question 17

(T/F) You can log into a group

Answer 17

False. You CANNOT log into a group – no credentials, etc.

Question 18

(T/F) An IAM user can only be a member of one IAM Group.

Answer 18

False. An IAM user can be a member of multiple IAM Groups

Question 19

IAM Group Policies

Answer 19

Two kinds of Group Policies both Inline or Managed and have permissions from each group plus whatever permissions for the user.

Question 20

(T/F) There isn’t a built in all users group in IAM

Answer 20

True. There isn’t a built in all users group in IAM – you can create one but it isn’t native.

Question 21

(T/F) There is no nesting in groups

Answer 21

True. You can not nest one group inside another group.

Question 22

Total groups per account

Answer 22

300 Groups per accounts but can be increased with support tickets

Question 23

Reference Policy

Answer 23

controls access to a specific resource and allows or denies identities to that resource; reference through ARN

Question 24

(T/’F) Groups are a true identity of a user

Answer 24

False. Groups are NOT a TRUE IDENTITY. They can’t be referenced as a PRINCIPAL in a resource policy.

Question 25

IAM Roles

Answer 25

exists in AWS account. Best suited for an unknown number or multiple principals. Can be internal or external.

Question 26

(T/F) IAM roles are ASSUMED. YOU BECOME that role.

Answer 26

IAM roles are ASSUMED. YOU BECOME that role. Generally short term. Think about a mobile app that gains access through a role and become an identity in an AWS account for a short period of time.

Question 27

Two types of policies attached to IAM Roles

Answer 27

Trust policy and permissions policy

Question 28

Trust Policies

Answer 28

says what identities can access that role – reference identities in the same account or services and can reference other identities in other AWS accounts, even anonymous, or SSO via Google, Facebook, etc.

Question 29

Permissions Policy

Answer 29

says what can be accessed.

Question 30

(T/F) Roles cannot be accessed with Resource Policies

Answer 30

False

Question 31

STS

Answer 31

Secure Toke Service – sts:AssumeRole – know that roles are involved. Works with Temporary Security Credentials

Question 32

When to use IAM Roles

Answer 32

All through Permissions Policy;
- AWS Lambda functions known as a Lambda Execution Role so you don’t need to hardcode permission (access keys);
- out of the usual situations (emergencies) think third-party help desk; adding AWS into an on-prem environment – EXISTING IDENTITIES through SSO or go above the 5000 user limit;
- application with 1,000,000 of users that may need to access DynamoDB (ride sharing app) – Web identity Federation; cross AWS account

Question 33

Web identity Federation

Answer 33

uses IAM roles to access certain services and allows for SSO through Google, Facebook, etc. – NO AWS CREDENTIALS on the APP, uses EXISTING customer LOGINS, scales to 1,000,000,000’s of accounts and beyond

Question 34

ID Federation

Answer 34

small number of roles to manage and/or external

Question 35

(T/F) External accounts can be used in AWS directly

Answer 35

False

Question 36

Break Glass Situations

Answer 36

emergency situations

Question 37

Function Invocation or Execution

Answer 37

running a Lambda function

Question 38

Service Linked role

Answer 38

IAM role linked to a SPECIFIC AWS SERVICE; PREDEFINED by a SERVICE; providing permissions that a SERVICE needs to interact with OTHER AWS SERVICES on your behalf; SERVICE might create/delete the role or allow YOU to during the SETUP or within IAM

Question 39

(T/F) You can’t delete the service linked role until it’s no longer required

Answer 39

True

Question 40

Under Resource in the JSON

Answer 40

don’t try and guess the service-name of the resource, the FORMAT can differ and is CASE sensitive

Question 41

PassRole

Answer 41

gives the ability to implement role separation.

Question 42

AWS Organizations

Answer 42

Consolidated billing and identities of all accounts.

Question 43

Hierarchy Structure of AWS Accounts

Answer 43

take a standard AWS account and create an organization – this is MANAGEMENT (master) account – and invite other accounts into the organization and then those invited accounts are member accounts of the organization. Hierarchical. Consolidated Billing (single bill) to the payment account aka Management account. Consolidation of RESERVATIONS and VOLUME DISCOUNTS.

Question 44

Organization Root

Answer 44

Top of the Organization hierarchy. Container within an AWS organization that contain AWS accounts. Also contain other containers aka organization units or OUs. Organization root at the top and OUs underneath hierarchically.

Question 45

Standard AWS Account

Answer 45

An account not within an organization

Question 46

Service Control Policy (SCP)

Answer 46

restrict what AWS accounts can do in the AWS organization.

Question 47

(T/F) Creating a new account within AWS organizations requires no invite process.

Answer 47

True

Question 48

(T/F) Organizations need IAM users in each account

Answer 48

False. Organizations don’t need IAM users in each account as IAM roles can be used to access other AWS accounts.

Question 49

Role Switch

Answer 49

federation on-prem identities switch into other accounts in the organization and assuming the role.

Question 50

Exam question, the overlap between identity policies and SCP

Answer 50

If not allowed in IAM but allowed in SCP then won’t be allowed. If allowed in IAM but denied in SCP then not allowed. If allowed in IAM and allowed in SCP then allowed.

Question 51

Service Control Policy (SCP)

Answer 51

ACCOUNT PERMISSIONS BOUNDARIES AND LIMIT WHAT ACCOUNT CAN DO including ROOT USER in ORGANIZATIONS. DON’T GRANT PERMISSIONS – THEY LIMIT PERMISSIONS. ALLOW or DENY list. Follows DAD. You can’t restrict the root user, it will allows have full control of the account but SCP can restrict the account thereby restricting the root user.

Question 52

CloudWatch Logs

Answer 52

PUBLIC SERVICE; STORE, MONITOR, and ACCESS logging data; AWS INTEGRATIONS – EC2, Lambda, CloudTrail, and more; if no integration, need CLOUDWATCH AGENT; METRIC FILTER (create metrics from the logs)

Question 53

Log Stream

Answer 53

sequence of log events from the same source

Question 54

Log Group

Answer 54

container for log streams; define retention and permissions and applies to all streams in the container; metric filters resides here as well

Question 55

CloudTrail

Answer 55

REGIONAL service. Logs API calls/activities as a CLOUDTRAIL EVENT. Stores 90 days by default in EVENT HISTORY; enabled BY DEFAULT at no cost.

Question 56

Trail (CloudTrail)

Answer 56

To customize you need to create a TRAIIL. A trail can be configured for one region or all regions and can be stored in an S3 bucket indefinitely, you only pay for the space in the S3 bucket. CloudTrail can be integrated into CloudWatch logs with trails.

Question 57

(T/F) Logs in the region that they occurred in or log to US East 1 for global such as IAM STS CloudFront.

Answer 57

True

Question 58

Two types CloudTrail Events

Answer 58

MANAGEMENT (default) events and DATA (configured and $$) events.

Question 59

Exam alert, is CloudTrail in real time?

Answer 59

CloudTrail is NOT REAL-TIME, there is a delay (within 15 minutes generally).

Question 60

Service Catalog

Answer 60

DOCUMENT or DATABASE created by an IT team (service documentation); organized COLLECTION of PRODUCTS; KEY PRODUCT INFORMAIONT: owner, cost, requirements, support info, dependencies; defines approval of provisioning from IT and customer.

Question 61

AWS Service Catalog

Answer 61

SELF-SERVICE portal for end users; launch PREDEFINED PRODUCTS (ADMINS SET UP). Think of it like this, sales team needs to launch an EC2 instance but IT doesn’t want to give them the infrastructure capabilities with an AWS account so they set up AWS Service Catalog with CloudFormation and they can launch the instance that way. Build PRODUCTS into PORTFOLIOS.

Question 62

Admin role in Service Catalog

Answer 62

DEFINED PRODUCTS and PORTFOLIOS using CLOUDFORMATION TEMPLATES and SERVICE CATALOG CONFIGURATION then deploy PORTFOLIO to any service enabled regions. Service catalog users review PORTFOLIOS they have permissions on and LAUNCH PRODUCTS into service enabled regions. Service catalog, launches the infrastructure using DEFINED TEMPLATES. Service catalog users don’t need infrastructure permissions.

Question 63

Exam alert, see any question talk about a need for users or customers to release services with a tight infrastructure, think

Answer 63

Service Catalog

Question 64

Any exam questions about exploring cost or evaluate cost, also can give recommendations about reserved instance purchases

Answer 64

CostExplorer

Question 65

Cost anomaly shows in

Answer 65

CostExplorer

Question 66

SAML

Answer 66

Security Assertion Markup Language – Open Standard used by idP e.g. MS ADFS. INDIRECTLY use on premises ID w/ AWS. Used when using an ENTERPRISE identity provider (not Google SSO for example). EXISTING identity management team. SINGLE SOURCE OF TRUTH MORE THAN 5000 users. Uses IAM ROLES and TEMP CREDENTIALS (12 hour window).

Question 67

(T/F) SAML cannot use enterprise credentials directly, they have to be exchanged for AWS credentials.

Answer 67

True

Question 68

SSO

Answer 68

Manage SSO Access – AWS ACCOUNTS and EXTERNAL APPLICATIONS. Flexible IDENTITY SOURCE system. There is a built-in identity store, AWS Managed AD, On-premises AD by TWO WAY TRUST or AD CONNECTORS, or SAML 2.0.

Question 69

(T/F) SSO is not preferred by AWS vs traditional workforce identity federation.

Answer 69

False

Question 70

Two phases of SSO

Answer 70

1.) Single Sign on; 2.) Provides centralized permissions management across accounts.

Question 71

Exam Alert: If it is web identities such as Facebook, Twitter, Google, it won’t use SSO.

Answer 71

If it is enterprise identities, it will be SSO.