IAM & S3

Question 1

What 4 features does IAM consist of?

Answer 1

1) USERS
2) GROUPS
3) ROLES
4) POLICIES

Question 2

What format are policies written in?

Answer 2

JSON (JavaScript Object Notation)

Question 3

What does IAM stand for?

Answer 3

Identity Access Management

Question 4

What is the root account of an IAM and what privileges does it have?

Answer 4

Email account used to sign up to the AWS console

Admin access

Question 5

What permissions do new users have when they are added to the AWS console?

Answer 5

None

Question 6

What are new users assigned when they are created?

Answer 6

Secret access ID and secret access key

Question 7

Can you use your secret access credentials to access the console?

Answer 7

No, this not the same as a username and password. The secret access key and password are used to access AWS via APIs and the CMD line

Question 8

What 2 security methods can you use to improve the security of your AWS user accounts?

Answer 8

1. Set up MFA

2. Use strict password policies

Question 9

Are S3 buckets private by default?

Answer 9

Yes

Question 10

What 2 methods can be used to secure an s3 bucket?

Answer 10

1. Bucket policies (apply to the whole bucket)

2. Access control lists (apply at the document level)

Question 11

What are the 5 key features of an S3 bucket?

Answer 11

1) Key
2) Value
3) Version ID
4) Metadata
5) Sub resources
a) Torrent
b) access control list

Question 12

How is encryption in transit achieved in S3?

Answer 12

SSL/TLS –> HTTPS

Stops man in the middle attacks

Question 13

Name 3 examples of encryption at rest in S3? (server side)

Answer 13

1) S3 managed keys –> SSE-S3
2) AWS key management service SSE-KMS
3) Sever side encryption with customer provided keys –> SSE-C

Question 14

What is cross regional replication?

Answer 14

The process of replicating the contents of a S3 buckets to another bucket in a different region/AZ

Question 15

What must be enabled to allow cross regional replication?

Answer 15

Versioning

Question 16

you create a bucket add a file and then turn on CRR… does the file get pushed to the destination bucket?

Answer 16

No, existing files will not be replicated automatically, but subsequent additions will be.

Question 17

Are delete markers replicated?

Answer 17

No

Question 18

What is a lifecycle policy?

Answer 18

A process to automate moving objects between different storage tiers

Question 19

Can a lifecycle policy be used with versioning?

Answer 19

Yes, a policy can be applied to current and previous versions

Question 20

What is transfer acceleration?

Answer 20

A way to increase speed and performance of file transfer using AWS’s dedicated backbone network

Question 21

What is Cloudfront?

Answer 21

AWSs content delivery network. Comprised of Origin (bucket, EC2, ELB) –> Edge locations(with cache) –> destination

Question 22

What is distribution?

Answer 22

A collection of Edge locations

Question 23

What is a snowball?

Answer 23

A large disc used to move data in and out of the cloud

Question 24

What is storage gateway?

Answer 24

A hybrid cloud storage solution that give you on-premise access to cloud storage solutions

Question 25

What are the 3 types of storage gateways?

Answer 25

1) File gateways
a) File gateway (Flat file NFS- network file system)
b) Volumes
i) Stored volumes
ii) Cached volumes
c) Gateway virtual tape library

Question 26

What is a power access user?

Answer 26

A power access user allows access to all AWS services except the management groups and the user within IAM

Question 27

How many buckets can you have per bucket by default?

Answer 27

100

Question 28

Which 2 features can be used to improve the security of an S3 bucket?

Answer 28

1) Signed URLs

2) Signed cookies

Question 29

What is the Puts limit for an S3 bucket?

Answer 29

3500 puts per second

Question 30

What is SAML and what does it do?

Answer 30

Security Assertion Markup Language

This is used to give your federated users single sign on (SSO) access to the AWS management console

Question 31

What 2 problems does AIM solve?

Answer 31

1) Manage users and their access e.g. access keys, passwords , MFA e.t.c or request temp security credentials to provide users access to AWS services and resources
2) Manage access for federated users- can request credentials with configurable expirations for users you manage in a corporate directory. You can provide AWS access without creating a IAM user account for them

Question 32

Can a user be a system or an application that requires access to AWS?

Answer 32

Yes as well as a federated user a user managed outside of AWS in your corporate directory

Question 33

What can a user do?

Answer 33

Can place requests such as to S3 or EC2

Question 34

Who is responsible for a user’s access to web service APIs?

Answer 34

AWS account holder

Question 35

By default, which service APIs can a user call?

Answer 35

None

Question 36

What are the 4 ways IAM users are managed?

Answer 36

1) Create and manage IAM users
2) Create and manage IAM groups
3) Manage users security credentials
4) Create and manage policies to grant access to AWS services and resources

Question 37

What is a group?

Answer 37

A collection of IAM users. You manage group membership as a simple list. e.g. Add or remove them from a group

Question 38

Can users belong to multiple groups?

Answer 38

Yes

Question 39

Can groups belong to other groups?

Answer 39

No

Question 40

Can policies be applied to groups?

Answer 40

Yes, applying policies to groups of users makes it easier to mange permissions that having to manage permissions for each individual user

Question 41

Can you disable user access?

Answer 41

Yes, you can enable and disable a users access keys via the IAM APIs, CLI or IAM console

Question 42

Who is able to manage users for an AWS account?

Answer 42

By default only the AWS account holder. However, you can grant permissions to an administrator users to manage users (recommended practice)

Question 43

How are MFA devices configured for IAM users?

Answer 43

The account holder can order multiple MFA devices. You can assign these to individual IAM users via the IAM API, CLI or IAM console

Question 44

Can IAM users have individual SSH keys?

Answer 44

No

Question 45

Do IAM user names have to be an email address?

Answer 45

No, it can be any string

Question 46

Can I define a password policy for my user’s passwords?

Answer 46

Yes. e.g. minium length or at least one number. You can also enforce automatic password expiration.

Question 47

What problem does an IAM role solve?

Answer 47

Allows you to delegate access with defined permissions without having to share long term access keys

Question 48

How many IAM roles can you assume?

Answer 48

There is no limit, but you can only act as one IAM role when you make a request to AWS services

Question 49

How many IAM roles can I create?

Answer 49

up to 1000 but this can be increased

Question 50

What is IAM roles for EC2 instances?

Answer 50

Enables your applications running on EC2 to make requests of AWS services such as S3, SQS and SNS without having to copy AWS access keys to every instance

Question 51

What are the features of IAM roles for EC2 instances?

Answer 51

1) AWS temporary security credentials to use when making request from running EC2 instances to AWS services
2) Automatic rotation of AWS temporary security credentials
3) Granular AWS service permissions for applications running on EC2 instances

Question 52

Can you apply the same role to multiple EC2 instances?

Answer 52

Yes

Question 53

What happens if you delete and IAM role that is associated with a running EC2 instance?

Answer 53

Any application running on the instance that is using the role will be denied access immediately