IAM, Accounts and AWS Organizations Flashcards

1
Q

What is the maximum number of IAM users in an AWS account

A

5000

2
Q

Which of the following are features of IAM groups
- Admin groupings of IAM Users
- Can hold Identity Permissions
- Can be used to login (Access Keys)
- Can be used to login (Username and password)
- Can be nested

A
  • Admin groupings of IAM Users
  • Can hold Identity Permissions
3
Q

Within AWS policies, what is always a priority?

A

Explicit Deny

4
Q

What two policies are assigned to an IAM Role
- Permissions Policy
- Assumption Policy
- Resource Policy
- Trust Policy

A
  • Permissions Policy
  • Trust Policy
5
Q

Which of the following are true for IAM Roles
- Roles have associated Long Term Credentials (Access Keys)
- Roles can be assumed
- When assumed - temporary credentials are generated
- Roles can be logged into
- When an identity logs into a role - temporary credentials are generated

A
  • Roles can be assumed
  • When assumed - temporary credentials are generated
6
Q

What Three features are provided by AWS Organizations (pick all that apply)
- Consolidated billing
- Managed assistance for company and AWS account mergers
- AWS Account restrictions using SCP
- Account organisation via OU’s
- Protection against credential leaks
- Company ID reports

A
  • Consolidated billing
  • AWS Account restrictions using SCP
  • Account organisation via OU’s
7
Q

What functionality is provided by CloudTrail
- Log Ingestion
- Metrics management
- Account Restrictions
- Account wide Auditing and API Logging

A
  • Account wide Auditing and API Logging
8
Q

Is it possible to restrict what the Account Root User can do?
- Always
- Never
- If AWS Organisations are used
- If AWS Organizations are used .. but not the management account

A
  • If AWS Organizations are used .. but not the management account
9
Q

What is Role Switching?
- Changing the permissions on an IAM Role
- Changing the TRUST on a Role
- Changing who can assume a Role
- Logging into a Role
- Assuming a role in another AWS account to access that account via the console UI

A
  • Assuming a role in another AWS account to access that account via the console UI
10
Q

What are valid IAM Policy types (choose all that apply)
- AWS Managed Policy
- Customer Managed Policy
- Self-Managed Policy
- Inline Policies
- External Policies

A
  • AWS Managed Policy
  • Customer Managed Policy
  • Inline Policies
11
Q

What are trust policies

A

The trust policy defines which principals can assume the role, and under which conditions.

12
Q

What are the 3 types of IAM identities

A

Users
Groups
Roles

13
Q

When is it usually a good idea to create IAM users

A

When you can picture one named person or application that needs its own long-term credentials (one human, one deployment pipeline); otherwise prefer roles and federation

14
Q

What are permissions policies

A

The permissions policy grants the user of the role the needed permissions to carry out the intended tasks on the resource.

15
Q

What are the permissions policies priorities

A

First: Explicit deny
Second: Explicit allow
Third: Default deny

16
Q

When should you use inline policies

A

For exceptions

17
Q

Can you log into IAM groups

A

No

18
Q

Do IAM groups have credentials

A

No

19
Q

Can groups be referenced as a principal in a policy

A

No

20
Q

Can groups be granted access by a resource policy

A

No

21
Q

Is there a builtin all-users group in IAM

A

No

22
Q

Can you do IAM group nesting

A

No

23
Q

Can you use external accounts/identities to access AWS resources?

A

Not directly. External identities (corporate AD, Google, Facebook, etc.) are federated and then assume an IAM role; the role's temporary credentials are what access the resources

24
Q

What kind of identity management should you use for a mobile app

A

Web identity federation (e.g. Amazon Cognito), which exchanges the social or OIDC login for temporary credentials of an IAM role

25
Q

Is a management account affected by SCPs

A

No

26
Q

What is a CloudTrail trail

A

A unit of config within the CloudTrail product

27
Q

Where does a CloudTrail trail log

A

It logs events in the region where it was created, or in all regions when it is created as a multi-region trail. Global service events (IAM, STS, CloudFront) are recorded as us-east-1 events

28
Q

What is the default CloudTrail log price, and storage time?

A

Event history (no trail) is free, but only keeps 90 days of management events; longer retention needs a trail delivering to S3, where storage is charged

29
Q

How can you use CloudWatch Logs and S3 with CloudTrail?

A

By creating a trail: a trail delivers log files to an S3 bucket and can optionally forward the same events to a CloudWatch Logs log group

30
Q

Is Cloud Trail logging real time?

A

No. Events are delivered within minutes of the API call (typically 5 to 15), and delivery time is not guaranteed

31
Q

Can groups be used directly as a principal in a resource policy?

A

NO
* Groups can ONLY be used in identity-based (IAM) policies, never as the Principal of a resource policy; AWS rejects a group ARN there as an invalid principal
* Use a role as a proxy when you need group-based access through a resource policy: the group's users are allowed to assume the role, and the resource policy trusts the role
* Remember the relationship: Groups → Roles → Resource Policies
* Bad example, a group named as the principal of a bucket policy (this will not work):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:group/Developers"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```
* Good example, a role named as the principal instead:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/DevelopersRole"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```
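The mistake above is easy to catch before a policy ever reaches AWS. The following Python check is an added example (not part of the original deck and not AWS code): it walks a resource-based policy and flags every Principal a resource policy cannot resolve, an IAM group ARN, plus the related footgun of an unconditioned anonymous principal ("*") on an Allow statement. The function names, the sample policies and the bucket name are assumptions; the account ID 123456789012 is the placeholder the card already uses.

```python
# Added example, not AWS code: static lint for resource-based policy principals.
# Flags (a) IAM group ARNs, which are never valid principals, and (b) an
# unconditioned "*" principal on an Allow statement, i.e. public access.
# Sample policies at the bottom are constructed for illustration.
import re

# Matches group ARNs in any partition (aws, aws-cn, aws-us-gov).
GROUP_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:group/")


def principals(stmt):
    """Flatten Principal/NotPrincipal into (key, value) pairs.
    Accepts "*", a bare ARN string, or a map such as {"AWS": [...]}.
    Keys seen in real policies: AWS, Service, Federated, CanonicalUser."""
    raw = stmt.get("Principal", stmt.get("NotPrincipal"))
    if raw is None:
        return []
    if isinstance(raw, str):
        return [("AWS", raw)]
    pairs = []
    for key, value in raw.items():
        for v in (value if isinstance(value, list) else [value]):
            pairs.append((key, v))
    return pairs


def check_resource_policy(policy):
    """Return a list of (statement_index, problem, principal) findings."""
    findings = []
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    for i, stmt in enumerate(statements):
        for key, value in principals(stmt):
            if key == "AWS" and GROUP_ARN.match(value):
                findings.append((i, "IAM group cannot be a principal; use a role or user", value))
            elif value == "*" and stmt.get("Effect") == "Allow" and "Condition" not in stmt:
                findings.append((i, "unconditioned anonymous principal (public access)", value))
    return findings


# Constructed samples: the card's bad and good bucket policies, plus a public one.
ACCOUNT = "123456789012"  # placeholder account ID
BUCKET_OBJECTS = "arn:aws:s3:::example-bucket/*"


def _bucket_policy(principal):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": principal,
        "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET_OBJECTS}]}


BAD_GROUP_POLICY = _bucket_policy({"AWS": f"arn:aws:iam::{ACCOUNT}:group/Developers"})
GOOD_ROLE_POLICY = _bucket_policy({"AWS": f"arn:aws:iam::{ACCOUNT}:role/DevelopersRole"})
PUBLIC_POLICY = _bucket_policy("*")

if __name__ == "__main__":
    for name, pol in [("bad", BAD_GROUP_POLICY), ("good", GOOD_ROLE_POLICY), ("public", PUBLIC_POLICY)]:
        print(name, check_resource_policy(pol))
```

AWS would reject the group ARN at PutBucketPolicy time anyway; the value of a check like this is running it over policies in infrastructure-as-code before a deploy, where the error message is otherwise buried in a failed apply.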

32
Q

What do permissions boundaries set?

A

The maximum permissions an IAM entity (user or role) can have, regardless of the permissions granted by its identity-based policies.
Think of it like a container: no matter what permissions you grant inside the container, they cannot exceed its boundaries.
Key Concepts:
* Sets maximum allowed permissions (NOT granted permissions)
* Can be applied to IAM users and roles (not groups)
* Useful for delegation while maintaining control, e.g. letting developers create their own roles as long as every role they create carries the boundary
* Evaluated alongside identity-based policies; an action is allowed only if both allow it and nothing explicitly denies it

Exam tips:
1. Boundaries don't grant permissions by themselves
2. Both the permissions policy AND the boundary must allow an action
3. Boundaries cap identity-based policies, not every path to a resource: in the same account, a resource-based policy that grants access directly to an IAM user is not limited by the user's boundary, while one that grants access to a role ARN is
4. Useful for delegating permission management safely within an account (a boundary is an IAM feature; SCPs are the equivalent cap at the AWS Organizations level)

In the pair below the boundary caps the user at S3, CloudWatch and EC2 read-only actions, so the rds:* and ec2:StartInstances grants in the user's permissions policy have no effect.

Permission Boundary Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "cloudwatch:*",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
```

User's Actual Permission Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "rds:*",
        "cloudwatch:*",
        "ec2:Describe*",
        "ec2:StartInstances"
      ],
      "Resource": "*"
    }
  ]
}
```

33
Q

Can External accounts be used to access AWS resources directly? What do they use?

A
  • No
  • External identities (corporate AD, Google, Facebook, etc.) are brought in through identity federation (SAML, OIDC or Amazon Cognito) and must then assume an IAM role; the role's temporary credentials are what access the resources
  • Remember: a business with more than 5000 identities cannot give each one an IAM user (the per-account limit), so it must federate and use roles
34
Q

What are some examples of when to use a role?

A
  • Web identity federation
  • Cross-account access
  • Emergency situations (break-glass access)
  • Corporate mergers
  • Anything needing more than 5000 identities
  • AWS services that need to perform a task on your behalf
35
Q

Describe a Service-Linked Role

A
  • Service-Linked Roles:
    1. Are predefined by AWS for a specific service
    2. Can only be assumed by that service (the trust policy names the service principal)
    3. Have permissions defined by AWS (you can't modify them)
    4. Can only be deleted once the service's dependent resources are cleaned up; AWS does not delete them for you
  • PassRole (iam:PassRole) is NOT an API action you call; it is a permission that lets a principal hand a role to a service
  • PassRole is crucial for security: without it, anyone who can configure a service could attach a role more privileged than their own (a classic privilege escalation)

Common example with Auto Scaling:
Auto Scaling needs to create/terminate EC2 instances
It uses a Service-Linked Role named "AWSServiceRoleForAutoScaling"
When you create an Auto Scaling group, the service creates that role for you if you hold iam:CreateServiceLinkedRole; you need iam:PassRole only when you pass a specific service-linked role ARN (for example one with a custom suffix)

Exam tips:

You can't modify permissions in Service-Linked Roles
PassRole is crucial for security (prevents privilege escalation); scope it to specific role ARNs and the iam:PassedToService condition rather than granting iam:PassRole on *
Services can only create Service-Linked Roles if the caller has permission (iam:CreateServiceLinkedRole)
Some services create Service-Linked Roles automatically when you take certain actions

36
Q

Can you modify permissions in Service-Linked Roles?

A
  • No
  • Are predefined by AWS
37
Q

When is the root user on an account restricted?

A
  • When an SCP applies to the account (attached to the account itself or to any OU above it)
  • Except the AWS Organizations management account, whose root user (like every other identity in it) is never restricted by SCPs
38
Q

How are SCPs inherited?

A
  • Inherited downward through the organization tree
    * Root -> OU -> Nested OU -> Individual Account (the management account sits under the root but is never restricted by SCPs)
    * SCPs are attached individually at each level; an account's effective policy is the intersection of every SCP on the path down to it, so each level must allow an action for the account to use it
39
Q

Do SCPs grant permissions to users?

A
  • NO
  • SCPs are boundaries: they define the limits of what is and isn't allowed in the account
  • Identities must still be granted permissions by policies inside the account to access resources
40
Q

What is the SCP default permissions?

A

Implicit deny: an action is usable only if an SCP allows it at every level of the path (AWS attaches FullAWSAccess by default, so nothing is blocked until you change that)

41
Q

SCPs are used in which two ways?

A

Allow List vs. Deny List

42
Q

Explain SCP Allow vs. Deny?

A
  • Block by default, then add (allow) certain services = an "Allow List"
  • Allow by default, then deny certain services = a "Deny List"
43
Q

For SCPs, use Block by Default, then add certain services = which is called an?

A

Allow List

44
Q

For SCPs, Use Allow by Default, then deny certain services = which is called an ?

A

Deny List

45
Q

What is the default AWS Organizations SCP when a new account is created and SCPs are enabled?

A
  • Default "Deny List"
  • Allow by default, then deny certain services
  • FullAWSAccess
46
Q

AWS Deny list uses which AWS policy by default?

A
  • FullAWSAccess
  • You must attach a Deny statement for any service or action you want to block
  • If FullAWSAccess wasn't attached, there would be no way to perform actions in the account
  • As AWS adds new services, they are automatically allowed
47
Q

What is the two part process to use SCP “Allow List”?

A
  1. Remove FullAWSAccess
  2. Then add an SCP that explicitly allows the required services or resources
  • An "Allow List" causes more overhead, because every new service must be added by hand
48
Q

In an AWS Act with SCP, what permissions are allowed?

A
  • Only the intersection of the two:
  • Permissions allowed by the SCPs at every level of the account's path
  • AND permissions granted by the identity (or resource) policies inside the account
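The evaluation order in card 15, the boundary pair in card 32 and the SCP intersection in cards 39 to 48 are all the same algorithm seen from different layers. The following Python simulation is an added example (not part of the original deck and not AWS code) that reproduces that logic for a same-account request: an explicit Deny anywhere wins, then every SCP on the OU path must allow, then the permissions boundary must allow, then at least one identity policy must allow, and anything unmatched is the default deny. It assumes one SCP document per level of the path, supports IAM action wildcards, and deliberately omits Condition, NotAction and resource-based policies. The function names and every policy document in it are constructed for illustration.

```python
# Added example, not AWS code: a simplified simulation of the same-account
# policy evaluation described in cards 15, 32 and 39-48. It models explicit
# deny > explicit allow > default deny, the permissions boundary as a cap on
# identity policies, and SCPs as a cap on the whole account (allow list vs
# deny list). Assumptions: one SCP document per level of the OU path, IAM
# action wildcards ("s3:*", "ec2:Describe*"), no Condition, NotAction or
# resource-based policies. All policy documents below are constructed.
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Statement/Action/Resource be a single value or a list."""
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """True when the statement's Action and Resource patterns cover the request.
    Action names are case-insensitive in IAM; '*' and '?' work as in IAM."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", "*"))
    return any(fnmatchcase(action.lower(), a) for a in actions) and any(
        fnmatchcase(resource, r) for r in resources)


def evaluate_policy(policy, action, resource):
    """Verdict of one policy document: 'Deny', 'Allow' or 'Implicit' (no match)."""
    verdict = "Implicit"
    for stmt in _as_list(policy.get("Statement", [])):
        if not _matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny in any statement wins outright
        verdict = "Allow"
    return verdict


def _deny_reason(layer, verdict):
    return f"{layer}: {'explicit' if verdict == 'Deny' else 'implicit'} deny"


def is_allowed(action, resource, identity_policies, boundary=None, scps=()):
    """Same-account decision for an IAM user or role session. Returns (allowed, reason).
    Every layer must allow and none may deny: SCPs at every level of the OU path,
    then the permissions boundary, then at least one identity policy."""
    for scp in scps:  # each level must allow; a deny at any level wins
        verdict = evaluate_policy(scp, action, resource)
        if verdict != "Allow":
            return False, _deny_reason("SCP", verdict)
    if boundary is not None:  # caps the identity policies, never grants
        verdict = evaluate_policy(boundary, action, resource)
        if verdict != "Allow":
            return False, _deny_reason("permissions boundary", verdict)
    verdicts = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in verdicts:
        return False, _deny_reason("identity policy", "Deny")
    if "Allow" in verdicts:
        return True, "allowed"
    return False, _deny_reason("identity policy", "Implicit")  # default deny


def _allow(*actions):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


FULL_AWS_ACCESS = _allow("*")  # the SCP AWS attaches by default (deny-list style)
DEV_BOUNDARY = _allow("s3:*", "cloudwatch:*", "ec2:Describe*")  # card 32's boundary
DEV_POLICY = _allow("s3:*", "rds:*", "cloudwatch:*", "ec2:Describe*", "ec2:StartInstances")
# Deny list: keep FullAWSAccess and deny specific actions on top of it.
DENY_LIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["organizations:LeaveOrganization", "cloudtrail:StopLogging"],
     "Resource": "*"}]}
# Allow list: FullAWSAccess removed, only the named services are usable.
ALLOW_LIST_SCP = _allow("s3:*", "cloudwatch:*", "ec2:*", "rds:*")
# Explicit deny beats an overlapping allow inside the same policy (card 15).
NO_DELETE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}


def demo():
    """Run the cases the flashcards describe; returns {case: allowed?}."""
    obj = "arn:aws:s3:::example-bucket/report.csv"
    return {
        "boundary lets s3 through": is_allowed("s3:GetObject", obj, [DEV_POLICY], DEV_BOUNDARY)[0],
        "boundary blocks rds": is_allowed("rds:CreateDBInstance", "*", [DEV_POLICY], DEV_BOUNDARY)[0],
        "boundary blocks ec2 start": is_allowed("ec2:StartInstances", "*", [DEV_POLICY], DEV_BOUNDARY)[0],
        "boundary alone grants nothing": is_allowed("s3:GetObject", obj, [], DEV_BOUNDARY)[0],
        "explicit deny beats allow": is_allowed("s3:DeleteObject", obj, [NO_DELETE_POLICY])[0],
        "deny list blocks stoplogging": is_allowed("cloudtrail:StopLogging", "*", [FULL_AWS_ACCESS], scps=[DENY_LIST_SCP])[0],
        "deny list leaves rds open": is_allowed("rds:CreateDBInstance", "*", [FULL_AWS_ACCESS], scps=[DENY_LIST_SCP])[0],
        "allow list blocks iam": is_allowed("iam:CreateUser", "*", [FULL_AWS_ACCESS], scps=[ALLOW_LIST_SCP])[0],
        "allow list permits ec2": is_allowed("ec2:StartInstances", "*", [FULL_AWS_ACCESS], scps=[ALLOW_LIST_SCP])[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {case}")
```

The reason string returned alongside the decision is the part worth keeping when you build something like this for real: "SCP: implicit deny" versus "permissions boundary: implicit deny" versus "identity policy: implicit deny" tells you which layer to change, which is exactly what an AccessDenied error from AWS does not tell you.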