Identity and Access Management (IAM) - Advanced

Question 1

An account management service that enables you to consolidate multiple AWS accounts into a single unit that you create and centrally manage

Answer 1

AWS Organizations

Question 2

A type of organization policy that you can use to manage permissions in your organization. This policy offers central control over the maximum available permissions for all accounts in your organization

Answer 2

Service Control Policies (SCPs)

Question 3

True/False: Object level permission arns end with /* to represent all sub-objects.

Answer 3

True - ex: “Resource”:”arn:aws:s3:::test/*”

Question 4

An advanced access management feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity

Answer 4

Permissions boundaries

Question 5

AWS Directory Service that lets you run Microsoft Active Directory (AD) as a managed service

Answer 5

AWS Managed Microsoft AD

Question 6

A directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud

Answer 6

Active Directory Connector

Question 7

A standalone managed directory that is powered by a Samba 4 Active Directory Compatible Server

Answer 7

Simple Active Directory

Question 8

AWS tool that orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS IAM Identity Center (successor to AWS Single Sign-On), to build a landing zone in less than an hour

Answer 8

AWS Control Tower

Question 9

AWS Control Tower guardrail that uses SCPs to prevent accounts from doing something

Answer 9

Preventive Guardrail

Question 10

AWS Control Tower guardrail that uses AWS Config to detect non-compliance

Answer 10

Detective Guardrail

Question 11

What IAM condition key can use to allow API calls from a specified AWS region?

Answer 11

aws:RequestedRegion

Question 12

This Resource Access Manager feature allows multiple AWS accounts to create their application resources into shared and centrally-managed Amazon Virtual Private Clouds (VPCs)

Answer 12

VPC sharing

Question 13

Active Directory service that should be used if you only need to allow your on-premises users to log in to AWS applications and services with their Active Directory credentials

Answer 13

Active Directory (AD) Connector

Question 14

Active Directory service that allows you to run directory-aware workloads in the AWS Cloud

Answer 14

AWS Managed Microsoft Active Directory (AD)

Question 15

The least expensive Active Directory service and your best choice if you have 5,000 or fewer users and don’t need the more advanced Microsoft Active Directory features such as trust relationships with other domains

Answer 15

Simple Active Directory

Question 16

True/False: A Service control policy must explicitly allow an action in order for it to be performed by an IAM user under that policy

Answer 16

True

Question 17

AWS Organizations feature that allows you to share resources across your AWS accounts, within your organization or organizational units (OUs), and with IAM roles and users for supported resource types

Answer 17

AWS Resource Access Manager

Question 18

Which is the only resource-based policy that the IAM service supports?

Answer 18

Role Trust Policy

Question 19

An IAM policy that defines which principal entities (accounts, users, roles, and federated users) can assume a role

Answer 19

Role Trust Policy