IAM & AWS CLI

Question 1

What does IAM stand for?

Answer 1

Identity & Access Management

Question 2

Is IAM a regional or global service?

Answer 2

Global

Question 3

What is the root account?

Answer 3

It is created by default when you create an account and shouldn’t be used or shared (except to initially set up account)

Question 4

What are users in IAM?

Answer 4

One user represents one person within your organization, and can be grouped

Question 5

What are groups in IAM?

Answer 5

A group of users

Question 6

Do users have to belong to a group in IAM?

Answer 6

No (although it is best practice to assign users to groups)

Question 7

Can a user belong to multiple groups in IAM?

Answer 7

Yes

Question 8

Can a group in IAM contain other groups?

Answer 8

No, only users

Question 9

How are permissions handled in IAM?

Answer 9

Question 10

What is the least privilege principle?

Answer 10

Don’t give more permissions than a user needs

Question 11

How does policy inheritance work?

Answer 11

Question 12

What are the elements of an IAM policy?

Answer 12

Question 13

What can you define in an IAM password policy?

Answer 13

Question 14

What are two defense mechanisms to protect IAM users?

Answer 14

Password policies and multi-factor authentication (MFA)

Question 15

What should you add MFA (multi-factor authentication) to?

Answer 15

Root account and IAM users

Question 16

What is the main benefit of MFA (multi-factor authentication)?

Answer 16

Even if a password is stolen or hacked, the account is not compromised

Question 17

What MFA (multi-factor authentication) device options are available in AWS?

Answer 17

Virtual MFA device (e.g. Google Authenticator or Authy), which supports multiple tokens on the same device

Universal Second Factor (U2F) Security Key (e.g. physical device, like Yubikey), which supports multiple root and IAM users using a single security key

Other hardware security device, like hardware key fob MFA device (e.g. Gemalto) and hardware key fob MFA device for AWS GovCloud (US) (e.g. SurepassID)

Question 18

How can users access AWS?

Answer 18

Question 19

What are AWS access keys and how do you create them?

Answer 19

They are used to protect the AWS CLI and SDK and users manage their own keys

Access Key Id ~= username
Secret Access Key ~= password

Question 20

What is the AWS CLI?

Answer 20

Question 21

What is the AWS SDK?

Answer 21

Question 22

What is AWS CloudShell

Answer 22

A terminal within the AWS cloud that is free to use

Question 23

What happens to file stored in AWS CloudShell if you restart your shell?

Answer 23

The files remain

Question 24

What is an IAM service role?

Answer 24

Question 25

What security tools are provided in IAM?

Answer 25

Question 26

What tool shows all the permissions granted to a user and when they were last accessed?

Answer 26

IAM Access Advisor (user-level)

You can determine access that is no longer needed.

Question 27

What tool shows all of the account’s users and a status of their credentials?

Answer 27

IAM Credentials Report (account-level)

Question 28

What are the IAM best practices?

Answer 28

Question 29

IAM Summary

Answer 29