IAM - Advanced

Question 1

What is the AWS Organisations service?

Answer 1

A global service that allows you to manage multiple AWS (“member”) accounts through a main account called the management account

Question 2

Can member accounts be part of more than 1 AWS organisation?

Answer 2

No

Question 3

What are 2 benefits of using an AWS organisation?

Answer 3

Consolidated billing and ability to share reserved instances/savings plans discounts across accounts
Send logs/CloudTrail to a central account

Question 4

What mechanism can be used to group accounts together with organisations??

Answer 4

Organisational units

Question 5

What are service control policies?

Answer 5

IAM policies that are applied to organisational units or accounts to restrict users and roles

Question 6

Is the management account beholden to service control policies?

Answer 6

No, it is above SCPs and IAM policies

Question 7

Are service control policies explicit allow or explicit deny?

Answer 7

Explicit allow - everything is denied by default

Question 8

What are IAM conditions?

Answer 8

Kind of like ‘if’ statements that can be used to increase the complexity of your IAM policies

Question 9

What is the difference between a resource-based policy and an IAM role for accessing resources?

Answer 9

A resource based policy is attached to the resource, the role has access to the resource and is inherited by the accessor.
When the accessor inherits the role, they lose their other permissions and only have access to the permissions associated with the role

Question 10

Are resource-based policies available for all services?

Answer 10

No

Question 11

EventBridge uses
a) resource-based policies
b) IAM roles
c) either - it depends on the service it links to
to get permissions on the target when it runs a rule

Answer 11

c) Either - it depends on the service it links to
For example Lambda, SNS, SQS it uses resource based, Kinesis Data Streams, EC2 auto scaling and ECS tasks it uses IAM roles

Question 12

What are IAM permission boundaries?

Answer 12

Boundaries that define the maximum permissions an IAM entity can get

Question 13

Which of users, roles and groups do IAM permission boundaries apply to?

Answer 13

Users and roles

Question 14

What operates at a higher level (priority) - permissions or permission boundaries?

Answer 14

Permission boundaries

Question 15

What is IAM Identity Centre?

Answer 15

The successor to AWS Single Sign-On, a single login for AWS accounts, business cloud applications, SAML2.0 applications etc.

Question 16

What is a permission set in IAM Identity Centre?

Answer 16

A way to define which users can access what applications and to what level.
Permission sets are assigned to groups of users

Question 17

What is the idea of attribute based access control?

Answer 17

The idea that you assign tags to users and then as they move around you change these tags and thus their associated permissions

Question 18

What are the 3 main AWS Directory offerings?

Answer 18

AWS Managed Microsoft Active Directory
Active Directory Connector
Simple Active Directory

Question 19

What is AWS Managed Microsoft AD?

Answer 19

An easy way to fully integrate with existing Microsoft AD on-premises with a two way trusting relationship where the local and cloud sides both trust each other and so can handle their respective requests in their respective environments.

Question 20

Which 2 AWS Directory offerings support MFA?

Answer 20

AWS Managed Microsoft AD and AD Connector

Question 21

What service would be used to set up and govern a secure and compliant multi-account AWS environment based on best practices?

Answer 21

AWS Control Tower

Question 22

What are the 2 types of guardrails for policy management?

Answer 22

Detective and preventative

Question 23

AWS Control Tower enables the automation of ______ ______ ______ using guardrails

Answer 23

AWS Control Tower enables the automation of ongoing policy management using guardrails