Identity and Access Management (AWS IAM)

Question 1

An AWS Service that manages access of AWS Users and Resources

Answer 1

Identity and Access Management (IAM)

Question 2

End Users who login into the console or interact with AWS resource programmatically

Answer 2

IAM Users

Question 3

This allows you to group your Users so they share permission levels of group (i.e Administrators, Developers, Auditors

Answer 3

IAM Groups

Question 4

This allows you to Associate permissions to a role and then assign this to a User or groups

Answer 4

IAM Role

Question 5

JSON documents which grants permissions for a specific user, group, or role to access service. Policies are attached to IAM Identities

Answer 5

IAM Policies

Question 6

This is a policy which is managed by AWS which you cannot edit. Managed policies are labeled with an orange bix

Answer 6

Managed Policies

Question 7

Policy created by the customer which is editable

Answer 7

Customer Managed Policies

Question 7

It is a Global Service that allows you to manage multiple AWS Accounts

Answer 7

AWS Organization

Question 8

What are two advantages of AWS Organization?

Answer 8

Consolidated Billing across all accounts
Pricing benefits from aggregated usage (volume discount for EC2 and S3, …)

Question 9

IAM Policies applied to OU or Accounts to Restrict users and Roles

Answer 9

Service Control Policies

Question 10

You can include this IAM Condition if you want to restrict the client IP

Answer 10

aws:SourceIp

Question 11

You can include this IAM Condition if you want to restrict the region the API calls are made to

Answer 11

aws:RequestedRegion

Question 12

You can include this IAM Condition if you want to restrict based on tags

Answer 12

ec2:ResourceTag

Question 13

You can include this IAM Condition if you want to force MFA

Answer 13

aws:MultiFactorAuthPresent

Question 13

IAM for s3
s3ListBucket permission applies to arn:aws:s3:::test which means it is a ____ permission while s3:GetObject, s3:PutObject,s3:DeleteObject applies to arn:aws:s3:::test/* which means it is a ___ permission

Answer 13

bucket level
object level

Question 14

This can be use in any resource policies to restrict access to accounts that are member of an AWS Organization

Answer 14

aws:PrincipalOrgID

Question 15

True or False:

When you assume a role (user, application or service), you give up your original permission and take the permission assigned to the role

Answer 15

TRUE

Question 16

True or False:
When using Resource-based Policy, the principal doesn’t have to give up his permission

Answer 16

True

Question 17

This enables One Login (single sign-on) for all your AWS Accounts in AWS Organization

Answer 17

AWS IAM Identity Center

Question 18

A company uses AWS Organization to manage multiple accounts for different departments. The Management account has an Amazon S3 bucket that contains project reports. The company wants to limit access to this S3 bucket to only users of accounts within the organization in AWS organizations.

Which solution meets these requirements with the LEAST amount of operational overhead?

Answer 18

Add the aws:PrincipalOrgID global condition key with a reference to the organization ID to the S3 bucket policy.

https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by