IAM-AWS-CLI Flashcards
The AWS ____ account is created by default and shouldn’t be used or shared.
root
IAM groups only contain users, not other ____.
groups
IAM users don’t have to belong to a group.
A user can belong to multiple groups.
IAM users and groups can be assigned JSON documents called ____.
It assigns permissions using keywords Effect, Action, and Resource.
policies
In AWS you apply the ____ principle: don’t give more permissions than a user needs.
least privilege
An IAM ____ policy is one that is only attached to a user directly and not through a group.
inline
The IAM Policy structure consists of:
Version: policy language version; always include “2012-10-17” (required)
Id: an identifier for the policy (optional)
Statement: one or more individual statements (required)
An IAM policy statement consists of:
Sid: an identifier for the statement (optional)
Effect: whether the statement allows or denies (Allow, Deny)
Principal: account/user/role to which this policy applies
Action: list of actions this policy allows or denies
Resource: list of resources to which the actions apply
Condition: conditions for when this policy is in effect (optional)
The main benefit of using ____ on your root and IAM user accounts is that if a password is stolen or hacked, the account is not compromised.
MFA
MFA device options in AWS
Virtual MFA: such as Google Authenticator and Authy (phones only). Supports multiple tokens on a single device.
Universal 2nd Factor (U2F) Security Key: such as YubiKey. Supports multiple root and IAM users using a single security key.
Hardware Key Fob
Hardware Key Fob for AWS GovCloud
What are the three methods users can access AWS?
AWS Management Console (protected by password + MFA)
AWS Command Line Interface (CLI): protected by access keys
AWS Software Development Kit (SDK): for code; protected by access keys
Access keys are generated through the AWS Console. Users manage their own access keys.
The AWS ____ is a tool that enables you to interact with AWS services using commands in your command-line shell.
Provides direct access to the public APIs of AWS services.
CLI
The AWS ____ is a set of language-specific APIs that enable you to access and manage AWS services programmatically by being embedded in your application.
SDK
Some AWS services will need to perform actions on your behalf. In order to do this you will need to assign permissions to AWS services using IAM ____.
Roles
Some common roles:
EC2 Instance Roles
Lambda Function Roles
Roles for CloudFormation
The ____ report lists all your account’s users and the status of their various credentials.
IAM Credentials (account-level)
The ____ shows the service permissions granted to a user and when those services were last accessed.
Very useful for analyzing a user's granular access permissions.
IAM Access Advisor (user-level)
Note: this feature has been renamed to Last Accessed.
IAM Guidelines & Best Practices
Don’t use the root account except for AWS account setup
One physical user = One AWS user
Assign users to groups and assign permissions to groups
Create a strong password policy
Use and enforce the use of MFA
Create and use Roles for giving permissions to AWS services
Use Access Keys for programmatic access (CLI/SDK)
Audit permissions of your account using IAM Credentials Report and IAM Access Advisor (Last Accessed)
Never share IAM users and access keys