Lec 5: IAM Flashcards

1
Q

How does virtualization contribute to the benefits of cloud computing?
A. Virtualization eliminates the need for internet connectivity.
B. Virtualization increases hardware resource costs.
C. Virtualization enables efficient utilization of physical hardware by creating multiple virtual instances on a single server.
D. Virtualization limits the scalability of cloud services.

A

C. Virtualization enables efficient utilization of physical hardware by creating multiple virtual instances on a single server.

2
Q

What is Amazon EC2 used for in AWS?
A. Managing DNS records for domains.
B. Storing and managing relational databases.
C. Scaling compute capacity and launching virtual servers in the cloud.
D. Sending and receiving emails.

A

C. Scaling compute capacity and launching virtual servers in the cloud.

3
Q

Which of the following is NOT correct about cloud computing?
A. On-demand self service
B. Broad network access
C. Resource pooling
D. Slow elasticity

A

D. Slow elasticity

4
Q

Which of the following best describes ARN?
A. a unique ID for AWS S3 buckets
B. a unique ID for AWS EC2 instances
C. a unique ID for AWS IAM users
D. a unique ID for any AWS resources

A

D. a unique ID for any AWS resources

5
Q

Which of the following is the main feature of EBS?
A. A cloud-based email service for sending and receiving messages.
B. A service for launching and managing virtual servers in the cloud.
C. A block storage service that provides persistent storage.
D. A service that manages domain names and translates them to IP addresses.

A

C. A block storage service that provides persistent storage.

6
Q

Which of the following statements are correct in cloud computing? (Select all that apply)
A. Cloud providers allow users to pay as they go.
B. Data centers are usually distributed globally.
C. Cloud computing is built upon data centers.
D. Cooling may not be needed for data centers.

A

A. Cloud providers allow users to pay as they go.
B. Data centers are usually distributed globally.
C. Cloud computing is built upon data centers.

7
Q

Which of the following are the main types of application architecture? (Select all that apply)
A. Monolithic architecture.
B. Client/Server architecture.
C. Three-tier architecture.
D. Cloud-based serverless architecture.

A

A. Monolithic architecture.
B. Client/Server architecture.
C. Three-tier architecture.
D. Cloud-based serverless architecture.

8
Q

Which of the following statements are correct? (Select all that apply)
A. Page tables translate virtual memory into physical memory in modern OS.
B. When translating a 32-bit virtual address, two levels of page tables are needed.
C. Ring 0 is the least privileged and Ring 3 is the most privileged.
D. The number of processes is much smaller than the number of physical CPUs.

A

A. Page tables translate virtual memory into physical memory in modern OS.
B. When translating a 32-bit virtual address, two levels of page tables are needed.

9
Q

1 import boto3
2 s3_resource = boto3.resource('s3')
3 s3_resource.Object('bucket-mst', 'A2.txt').copy_from(CopySource='bucket-mst/A1.txt')
4 s3_resource.Object('bucket-mst', 'A1.txt').delete()

Read the Python code snippet above. Explain Line 3 and Line 4 and conclude what essential file operation has been performed.

A

Line 3 copies the object named ‘A1.txt’ from the ‘bucket-mst’ bucket to a new object named ‘A2.txt’ within the same bucket.

Line 4 deletes ‘A1.txt’ from the ‘bucket-mst’ bucket.

The operation is to rename the object from A1.txt to A2.txt.

10
Q

Read the query and show its table output
aws dynamodb query \
--table-name MusicAlbum \
--key-condition-expression "Artist = :A1 or Artist = :A2" \
--expression-attribute-values '{":A1":{"S":"Tom"}, ":A2":{"S":"Jerry"}}'

A

Outputs a table with Artist and Song, with Artist=Tom or Artist=Jerry

11
Q

Name 3 of the keys in a Policy. Explain their role. An example of a key is “Version” that specifies the version of the policy syntax and is normally “Version”: “2012-10-17”

A

Statement: represents a permission rule.

Effect: what the effect will be when a user requests the specific action; this can be either Allow or Deny.

Action: defines a set of resource operations a user/application is allowed (or denied) to perform.

Resource: specifies AWS resources for which a user is allowed or denied to take actions.

12
Q

Amazon DynamoDB: Maximum table throughput

A

By default, maximum table throughput does not apply and on-demand throughput is only limited by the default DynamoDB table quotas

13
Q

What is cybersecurity?

A

It is about the protection of digital information from unauthorised access, harm or misuse.

This is done by preserving the CIA triad of the information, i.e., Confidentiality, Integrity and Availability.

14
Q

What is confidentiality?

A

Confidentiality: keeps sensitive information private and ensures that only authorized individuals or entities have access to it.

15
Q

What is integrity?

A

Integrity: maintains the accuracy, consistency, and reliability of information.

16
Q

What is availability?

A

Availability: ensures that information such as services and data are accessible and operational for authorized users.

17
Q

CIA can be extended to include…

A

Authentication
Authorization
Non-Repudiation

18
Q

What is authentication?

A

Authentication: verifies the identity of a user, system, or entity trying to access a resource or system.

19
Q

What is authorization?

A

Authorization: determines what actions or resources an authenticated user or system is allowed to perform or access.

20
Q

What is non-repudiation?

A

Non-Repudiation: prevents individuals or entities from denying their involvement in a particular digital transaction.

21
Q

What is cryptography?

A

It is the practice and study of techniques for secure communication in the presence of adversaries or potential threats.

It is mainly about the use of mathematical algorithms to transform plain, readable data (i.e., plaintext) into unintelligible data (i.e., ciphertext) and vice versa.

An attacker exploits the insecure channel between Alice and Bob.

22
Q

What is Caesar cipher?

A

Caesar cipher: an old-fashioned substitution cipher where each letter in the plaintext is shifted a certain number of positions down the alphabet.

ROT3 (letter is shifted 3 times to the right/forward)
plaintext : HELLO
ciphertext : KHOOR

H > I > J > K
L > M > N > O

23
Q

What are examples of modern cryptography methods?

A

Symmetric key cryptography
Asymmetric key cryptography (public key cryptography)
Hash functions

24
Q

What is symmetric key cryptography?

A

Symmetric key cryptography: the same key is used for data transformation.

The transformation involves encryption and decryption:
Encryption: takes plaintext and converts it into ciphertext
Decryption: reverses the encryption process

25
Q

What are examples of symmetric key cryptography?

A

DES (insecure), 3DES (insecure), AES (AES-128, AES-192, AES-256)

26
Q

What are applications of symmetric key cryptography?

A

data (file, network packets) encryption (AES-256 used by S3)

27
Q

What is asymmetric key cryptography?

A

Asymmetric key cryptography: a pair of distinct keys is used for encryption and decryption.

Distinct keys: public key for encryption and private key for decryption

28
Q

What are examples of asymmetric key cryptography?

A

ECC, RSA

29
Q

What are applications of asymmetric key cryptography?

A

remote authentication (SSH communication)

30
Q

What is the method of hash functions?

A

Hash functions: take an input (e.g., a large block of text) and transform it into a fixed-size value (i.e., hash digest/checksum). The hash value serves as a ‘fingerprint’ of the input.

31
Q

What are examples of hash functions?

A

MD5 (insecure), SHA-1 (insecure), SHA-2 (e.g., SHA-256)

32
Q

Hash function: SHA256
What are the components of SHA256?

A

SHA256SUMS: contains a checksum/hash digest for the ISO image to verify the image's integrity.
SHA256SUMS.gpg: contains a signature for the SHA256SUMS file to verify the image's authenticity.

33
Q

What are the properties of hash functions?

A

The same message results in the same hash digest
Small changes to a message result in large changes to its hash digest

34
Q

What is hash collision?

A

While two different messages are very unlikely to generate the same hash, such a possibility still exists, so-called hash collision (e.g., MD5 and SHA-1)

35
Q

Why is hash collision possible?

A

Pigeonhole principle: if n items are put into m containers, with n > m, then at least one container must contain more than one item.

36
Q

Which aspect of the CIA triad do the cryptography techniques below protect?
Symmetric key cryptography
Asymmetric key cryptography
Hash functions

A

Confidentiality
Integrity

37
Q

What is IAM?

A

Identity and Access Management

It is a web service that helps us securely control access to AWS resources.

It is used to control who is authenticated (signed in) and authorized (has permissions) to use AWS resources.

38
Q

What is an IAM root user?

A

complete access to all AWS services and resources in the account

39
Q

What are the different types of IAM identity?

A

IAM user
IAM user group
IAM role

40
Q

What is an IAM user?

A

IAM user: an identity within a root user account that has specific permissions for a single person or application:

-Each user has an ARN:
—e.g., arn:aws:iam::489389878001:user/12345678@student.uwa.edu.au

41
Q

What is an IAM user group?

A

IAM user group: an identity that specifies a set of IAM users:

-Users within the same group are given the same set of permissions.
-Users can belong to different groups.
-Each group has an ARN, e.g., arn:aws:iam::489389878001:group/admins

42
Q

What is an IAM role?

A

IAM role: an identity that has specific permissions, similar to IAM user but not relevant to a specific person/application.

-Any users/applications can assume a role to complete a specific task.
—Use case: an IAM role grants permissions to applications running on EC2 instances

-Each role has an ARN, e.g., arn:aws:iam::489389878001:role/apps4ec2

43
Q

How does IAM work?

A

Step 1: Authenticate a principal.
Step 2: Authorize a principal.
Step 3: Take actions/operations on AWS resources.

44
Q

What is a principal?

A

Principal: a person or application that uses an IAM user, a root user, or an IAM role to sign in and make requests to AWS.

45
Q

What are the main features of IAM?

A

Shared access to AWS root user account
-Grant other people permission to use resources in our root user account without having to share our password or access key.

Granular permissions
-Grant varying permissions to different individuals for specific resources.
–e.g., some users have complete access to specified EC2 instances while some have read-only access to specific S3 buckets.

46
Q

Describe IAM policies and permissions

A

Access permissions (authorization) are managed by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources.

Note: IAM policies only define permissions for an action regardless of the method that we use to perform the action.
–e.g., if a policy allows the GetUser action, then a user with that policy can get user information with all three methods (console, CLI and API).

47
Q

What are the most frequently used policy types?

A

Identity-based policy
Resource-based policy
Permissions boundary

48
Q

What is an identity-based policy?

A

It controls what actions an identity can perform.

Managed policy: standalone identity-based policy that we can attach to multiple users, groups, and roles.
-AWS managed policy: created and managed by AWS
—full-access, power-user, partial-user
-Customer managed policy: created and managed by AWS users.

Inline policy: it maintains a strict one-to-one relationship between a policy and an identity. If the identity is deleted, the policy is deleted as well.

49
Q

What are the two types of identity-based policy?

A

Managed policy
Inline policy

50
Q

What are the two types of identity-based managed policy?

A

AWS managed policy
Customer managed policy

51
Q

What is a managed policy?

A

Managed policy: standalone identity-based policy that we can attach to multiple users, groups, and roles.

52
Q

What is an AWS managed policy?

A

AWS managed policy: managed policy created and managed by AWS

53
Q

What is a customer managed policy?

A

Customer managed policy: managed policy created and managed by AWS users.

54
Q

What is an inline policy?

A

Inline policy: it maintains a strict one-to-one relationship between a policy and an identity. If the identity is deleted, the policy is deleted as well.

55
Q

What are the types of AWS managed policy?

A

full-access managed policy
power-user managed policy
partial-user managed policy

56
Q

What is a full-access managed policy?

A

full-access managed policy: defines permissions for administrators by granting full access to services.

57
Q

What is a power-user managed policy?

A

power-user managed policy: provides full access to services and resources, but disallows managing users and groups, i.e., a subset of full-access managed policy.

58
Q

What is a partial-user managed policy?

A

partial-user managed policy: provides varying access to specific services, i.e., a subset of power-user managed policy.

59
Q

Structure of AWS managed policy: Policy AdministratorAccess

A

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Version: indicates the version of the policy language.
Statement: represents a permission rule.
Effect: what the effect will be when a user requests the specific action; this can be either 'Allow' or 'Deny'.
Action: defines a set of resource operations a user/application is allowed (or denied) to perform.
Resource: specifies AWS resources for which a user is allowed or denied to take actions. An ARN is often used.

60
Q

Structure of AWS managed policy: Policy PowerUserAccess

A

Organizations: a service that allows us to consolidate multiple AWS accounts into an organizational structure.

This policy allows all actions on all resources except those related to IAM, Organizations, and Account management. However, it explicitly allows three actions of ListRoles, DescribeOrganization and GetAccountInformation, providing limited access to any resource.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": [
                "iam:*",
                "organizations:*",
                "account:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles",
                "organizations:DescribeOrganization",
                "account:GetAccountInformation"
            ],
            "Resource": "*"
        }
    ]
}

61
Q

Structure of AWS managed policy: AWSCloudTrail_ReadOnlyAccess

A

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudtrail:Get*",
                "cloudtrail:Describe*",
                "cloudtrail:List*"
            ],
            "Resource": "*"
        }
    ]
}

62
Q

What is CloudTrail?

A

CloudTrail is a service that provides visibility into user activity and resource usage.

63
Q

The DynamoDB-books-app policy is used by both roles. Is it shared?

A

No, each role has its own copy of the policy so it is not shared.

64
Q

What is a resource-based policy?

A

It specifies which principal has access to the resource and what actions they can perform on it, e.g., bucket policy.

Note: it is an inline policy.

65
Q

What is a permissions boundary?

A

It sets the maximum permissions that an identity-based policy can grant.

e.g., The permissions boundary is attached to an IAM user named Alice.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "ec2:*"
            ],
            "Resource": "*"
        }
    ]
}

66
Q

Both policies are attached to Alice:

identity-based policy:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "iam:CreateUser",
        "Resource": "*"
    }
}

permissions boundary:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "ec2:*"
            ],
            "Resource": "*"
        }
    ]
}

Can Alice create a user?
Can Alice create S3 buckets and EC2 instances?

A

Both answers are NO.
Effective permissions are in the intersection of Identity-based policies and permissions boundaries.

67
Q

An organisation has 5 departments and has separated out each of the IAM users into separate groups using paths following the pattern companybucket/department1/*, companybucket/department2/*, companybucket/department3/* etc.

Their IAM account names follow the pattern user@department1.company.com, user@department2.company.com etc.

You are tasked with securing a bucket that contains a folder for each of 5 departments in an organisation. Only people within a department can write to their own folder. Everyone can read from all folders.

Discuss the principles that you would use to create a policy that would achieve this objective.

Write the policy as a JSON file that you would use.

Note: you can have individual statements for each department.

A

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::companybucket/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::companybucket/department1/*",
            "Condition": {
                "StringLike": {
                    "aws:userid": "*@department1.company.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::companybucket/department2/*",
            "Condition": {
                "StringLike": {
                    "aws:userid": "*@department2.company.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::companybucket/department3/*",
            "Condition": {
                "StringLike": {
                    "aws:userid": "*@department3.company.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::companybucket/department4/*",
            "Condition": {
                "StringLike": {
                    "aws:userid": "*@department4.company.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::companybucket/department5/*",
            "Condition": {
                "StringLike": {
                    "aws:userid": "*@department5.company.com"
                }
            }
        }
    ]
}