IAM & Organizations

Question 1

What does IAM stand for?

Answer 1

IAM just stands for identity access management and essentially it allows you to manage users and their level of access to the AWS console.

Question 2

What is the root account?

Answer 2

Well, this is just the email address you use to sign up for AWS. So the root account has full administrative access to AWS.

Question 3

If you’re asked in the exam how to go ahead and secure the root account?

Answer 3

Always remember to turn on multi-factor authentication.

Question 4

What is a best practice for assign user permissions?

Answer 4

To inherit permissions through groups.

Question 5

What is the principle of least privilege?

Answer 5

This is where you only assign a user the minimum amount of privileges they need to do their job.

Question 6

If you ever see a scenario question where it talks about making your username and password the same as when you log in the morning to your AWS account, what is that called?

Answer 6

That’s called federation–Active Directory Federation.

Question 7

True/False. IAM is universal and does not apply to regions.

Answer 7

True

Question 8

What are default user permissions?

Answer 8

Users do not have any permissions when their accounts are created.

Question 9

What is programmatic access?

Answer 9

Access key ID and secret access keys are used for programmatic access to the AWS console. You only get the view this information once and it is during creation.

Question 10

What is a best practice for IAM user accounts?

Answer 10

Enabling MFA and enabling a password rotation policy.

Question 11

What type of identity objects can be created in IAM?

Answer 11

IAM lets us create 3 different types of identity objects:
Users, Groups,Roles

Question 12

What are Users?

Answer 12

Identities which represent humans or applications that need access to our account.

Question 13

What are Groups?

Answer 13

Collection of related users e.g. development team, finance, or HR

Question 14

What are Roles?

Answer 14

Can be used by AWS services, or for granting external access to our account.

Question 15

How many access keys can a user have?

Answer 15

0-2

Question 16

What are ARNs?

Answer 16

Amazon Resource Names. ARNs uniquely identify AWS resources.

Question 17

Why do we use ARNs?

Answer 17

They are used when it’s necessary to unambiguously identify a resource across all of AWS such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.

Question 18

What is the format of an ARN?

Answer 18

arn:partition:service:region:account-id:resource-id

arn:partition:service:region:account-id:resource-type/resource-id

arn:partition:service:region:account-id:resource-type:resource-id

Question 19

What are the components of an ARN?

Answer 19

Partition
Service
Region
Account-id
Resource-type
Resource-id

Question 20

What is an ARN Partition?

Answer 20

A partition is a group of AWS Regions. Each AWS account is scoped to one partition.

Question 21

What is an ARN Service?

Answer 21

The service namespace that identifies the AWS product.

Question 22

What is an ARN Region?

Answer 22

The Region code, us-east-2 for example.

Question 23

What is an ARN Account ID?

Answer 23

The name of the AWS account that owns the resource (minus any hyphens).

Question 24

What is an ARN Resource Type?

Answer 24

The type of resource such as vpc for a virtual private cloud (VPC).

Question 25

What is an ARN Resource ID?

Answer 25

The resource identifier. This could be the name, ID, or resource path.

Question 26

What is AWS CloudTrail?

Answer 26

AWS CloudTrail monitors and records account activity across our AWS infrastructure.

This can help us to detect developer misconfigurations and malicious actors.

Question 27

What does CloudTrail log?

Answer 27

Where – Source IP Address
When – EventTime
Who – User, UserAgent
What – Region, Resource, Action

Question 28

True/False. It’s important to note that CloudTrail is a real-time service.

Answer 28

False. It’s important to note that CloudTrail is NOT a real-time service. It often takes several minutes for account activity to appear in CloudTrail.

Question 29

What is the max number of IAM Groups a User can have?

Answer 29

Users can be members of up to 10 IAM Groups.

Question 30

What is the hardlimit for the max number of users in a Group?

Answer 30

There isn’t a hard limit for the number of users in a particular group (except indirectly a limit of 5,000 because of 5,000 being the maximum number of IAM users in a single AWS account).

Question 31

How many Groups can an AWS Account have?

Answer 31

An account can have up to 300 groups (though this number can sometimes be increased by contacting AWS support).

Question 32

True/False. Groups can be nested.

Answer 32

False. Groups cannot be nested.

Question 33

How many types of policies can be attached to an IAM role?

Answer 33

Trust Policy — Controls which identities can assume that role.
Permissions Policy — Controls which actions and resources the role can use.

Question 34

What is an IAM Policy?

Answer 34

A policy is an object in AWS that can be associated with an identity or resource to define their permissions.

Question 35

What is an Identity-based policy in IAM?

Answer 35

Identity-based policies are attached to an IAM user, group, or role. These policies let you specify what that identity can do (its permissions).

Question 36

How can Policies be created?

Answer 36

Policies can be be specified using policy documents created using JSON.

Question 37

True/False. It’s important to note that the precedence for permissions is deny-allow-deny.

Answer 37

True. This precedence is important for when permission effects clash.

For example, if an explicit deny clashes with an explicit allow, the deny will take precedence.

If an explicit allow clashes with an implicit deny, however, then the allow would take precendence.

Question 38

True/False. When setting permissions for identities in AWS we can use AWS managed policies, customer managed policies, or inline policies.

Answer 38

True.

Question 39

What is an AWS Managed Policy?

Answer 39

An AWS managed policy is a standalone policy that is created and administered by AWS.

In this context, standalone policy means that the policy has its own Amazon Resource Name (ARN) that includes the policy name.

Question 40

What is the benefit of AWS managed policies? What is a downside?

Answer 40

The benefit of AWS managed policies is that they are designed to provide permissions for many common use cases.

The downside is that they cannot be customized.

Question 41

What are Customer Managed Policies?

Answer 41

Standalone policies that you administer in your own AWS account are referred to as customer managed policies.

By attaching the policy to an entity, we give that entity the permissions that are defined in the policy.

Question 42

What are Inline Policies?

Answer 42

Inline policies are policies that are embedded in an IAM identity.

Question 43

What is an AWS Organization?

Answer 43

AWS Organizations is a global service that allows us to manage multiple AWS accounts.

Question 44

What is the main benefit of using AWS Organizations?

Answer 44

The main benefit of using AWS Organizations is that it offers consolidated billing and we can enjoy price benefits from aggregated usage (volume discounts).

Question 45

What are Organization Units?

Answer 45

Organization Units are a group of AWS accounts within an organization. One Organization Unit can contain other Organizations Units — thus creating a hierarchy.

Question 46

What are SCPs?

Answer 46

Service Control Policies (SCPs) are a type of policy used inside of organizations to manage permissions in one’s organization. Permissions aren’t actually granted by SCPs. What SCPs offer instead is a type of guardrail on the actions that an account’s administrator can delegate to IAM users and roles inside of the affected accounts.

Question 47

True/False. In essence, what an account is actually able to do is the intersection between what is allowed by the SCP and what is allowed by the IAM/resource-based policies.

Answer 47

True.