IAM: Identity and Access Management

Question 1

What AWS service is used to create and manage permissions for users, groups, and roles?

Answer 1

Identity and Access Management (IAM)

Question 2

What are Identity Policies?

Answer 2

Identity Policies are rules that can be attached to an identity and grant or deny access to AWS resources.

Question 3

When Identity Policy statements overlap, which statement takes precedence?

Answer 3

Explicit denies have the highest priority, then explicit allows, then implicit denies.

Question 4

Why should you use a managed policy instead of an inline policy?

Answer 4

Managed policies are reusable, whereas inline policies have to be applied as lines of json to each individual identity. If you need to change part of that json, you would have to do it for each identity instead of just once in the managed policy.

Question 5

When should you use inline policies?

Answer 5

For special or exceptional allow or deny cases on a small set of users.

Question 6

What does an IAM user represent?

Answer 6

A human or application that needs to access resources within an AWS account.

Question 7

What does an IAM group represent?

Answer 7

A collection of users that need the same permissions.

Question 8

What does an IAM role represent?

Answer 8

A temporary grant of permissions to specified resources within an AWS account.

Question 9

What scope and level of resilience does IAM have?

Answer 9

IAM is a global service with global resilience.

Question 10

What type of credentials are used when accessing AWS resources via the command line interface (CLI)?

Answer 10

IAM Access Keys

Question 11

How many access keys can a single IAM user have?

Answer 11

Two.

Question 12

When can you download a secret access key for an IAM user?

Answer 12

Only when it is created.

Question 13

Are IAM access key mutable or immutable?

Answer 13

Immutable. A key cannot be changed; you must create a new key to replace it.

Question 14

What are the two types of credentials that can be used to authenticate an IAM user?

Answer 14

Username/password and access keys.

Question 15

What is the maximum number of IAM users an AWS account can have?

Answer 15

5,000.

Question 16

What is the maximum number of groups an IAM user can be a member of?

Answer 16

10.

Question 17

Can you log in as an IAM Group?

Answer 17

No.

Question 18

Are IAM Policies attached to IAM Users, IAM Groups, or both?

Answer 18

Both.

Question 19

Is there a default “All Users” group in IAM?

Answer 19

No.

Question 20

How many levels deep can IAM Groups be nested?

Answer 20

Zero. IAM Groups cannot be nested.

Question 21

What is the default limit for IAM Groups per AWS account?

Answer 21

300, but this can be increased by contacting AWS.

Question 22

What types of IAM stuctures can Resource Policies reference? IAM Users, IAM Groups, or IAM Roles?

Answer 22

IAM User and IAM Roles. A Resource Policy cannot reference an IAM Group. IAM Groups are not identities, they are just a collection of identities.

Question 23

What is the difference between an IAM User and an IAM Role?

Answer 23

An IAM User represents a single principle (a person or an application) that has certain access rights to resources. An IAM Role is an identity that can be assumed to temporarily grant access rights for a short period of time.

Question 24

What are the two types of policies that can be attached to an IAM Role?

Answer 24

A Trust Policy and a Permissions Policy.

The Trust Policy specifies what identities can assume the Role.

The Permissions Policy specifies what access to resources the Role has.

Question 25

What types of identities can be specified in a Trust Policy?

Answer 25

Identities in the AWS account (IAM Users, IAM Roles, and AWS Services), identities in other AWS accounts, anonymous identities, and federated identities from other identity providers (Facebook, Google, etc.)

Question 26

How would you provide user login for a mobile or web application that has millions of users?

Answer 26

By using federated or web identies and IAM Roles to grant access to the necessary AWS resources.

Question 27

What is a service-linked role?

Answer 27

An IAM Role linked to a specific AWS service. These are often auto-generated and cannot be deleted until they are no longer needed.

Question 28

What does the PassRole permission allow?

Answer 28

PassRole allows an identity to pass a Role to an AWS service even if the identity itself does not have access to that Role.

Question 29

If the “Principal” attribute appears as a statement in a policy, is the policy most likely an identity policy or a resource policy?

Answer 29

Resource policy. The “Principal” attribute will specify which indentities are effected by the statement.