Module 8: Securing the User and Application Access Flashcards

1
Q

Which statement describes AWS Identity and Access Management (IAM) users?

  • IAM users are used to control access to a specific AWS resource.
  • IAM user names can represent a collection of individuals.
  • Every IAM user for an account must have a unique name.
  • Every IAM user name is unique across all AWS accounts.
A
(The answer is not “Every IAM user name is unique across all AWS accounts.” Try the option listed just above it.)
2
Q

How can you grant the same level of permissions to multiple users within an account?

  • Apply an AWS IAM policy to an IAM group.
  • Apply an AWS IAM policy to an IAM role.
  • Create a resource-based policy.
  • Create an organization in AWS Organizations.
A

Apply an AWS IAM policy to an IAM group.

3
Q

Which two statements describe AWS IAM roles?

  • They are uniquely associated to an individual.
  • They can only be used by accounts associated to the person who creates the role.
  • They can be assumed by individuals, applications, and services.
  • They provide temporary security credentials.
  • They provide permanent security credentials.
A
  • They can be assumed by individuals, applications, and services.
  • They provide temporary security credentials.
4
Q

Which statement describes a resource-based policy?

  • It can be applied to any AWS resource.
  • It can be an AWS managed policy.
  • It is attached to a user or group.
  • It is always an inline policy.

A

(The answer is not “It can be an AWS managed policy.”
AWS managed policies do not control access to specific resources. These policies are designed for common use cases and apply to specific services.)

(The answer is not “It can be applied to any AWS resource.”
Examples of resources are Amazon S3 buckets and Amazon SQS queues. Not all AWS services support resource-based policies.)

5
Q

How does AWS IAM evaluate a policy?

  • It checks for explicit allow statements before it checks for explicit deny statements.
  • It checks for explicit deny statements before it checks for explicit allow statements.
  • If there is no explicit deny statement or explicit allow statement, users will have access by default.
  • An explicit deny statement does not override an explicit allow statement.
A
  • It checks for explicit deny statements before it checks for explicit allow statements.
6
Q

A team of developers needs access to several services and resources in a virtual private cloud (VPC) for 9 months. How can you use AWS IAM to enable access for them?

  • Create a single IAM user for the developer team and attach the required IAM policies.
  • Create an IAM user for each developer, and attach the required IAM policies to the IAM group.
  • Create an IAM user for each developer, put them all in an IAM group, and attach the required IAM policies to the IAM group.
  • Create a single IAM user for the developer team, place it in an IAM group, and attach the required IAM policies to the IAM group.
A
  • Create an IAM user for each developer, put them all in an IAM group, and attach the required IAM policies to the IAM group.
7
Q

How does identity federation increase security for an application that is built in Amazon Web Services (AWS)?

  • Users can use single sign-on (SSO) to access the application through an existing authenticated identity.
  • The application can synchronize users’ user names and passwords in AWS IAM with their social media accounts.
  • The browser can establish a trust relationship with the application to bypass the need for multi-factor authentication (MFA).
  • Users can use their AWS IAM accounts to log in to on-premises systems.
A
  • Users can use single sign-on (SSO) to access the application through an existing authenticated identity.

(Authenticating users through a trusted identity broker and store eliminates the need to create, manage, and secure user accounts for the application within the application itself or in AWS.)

8
Q

Which services can you use to enable identity federation for your applications that are built in Amazon Web Services (AWS)? (Select TWO.)

  • AWS WAF
  • AWS Key Management Service (AWS KMS)
  • AWS Security Token Service (AWS STS)
  • AWS CloudHSM
  • Amazon Cognito
A
  • AWS Security Token Service (AWS STS)
  • Amazon Cognito

(AWS STS enables you to request temporary limited-privilege credentials for users. Amazon Cognito enables you to add user sign-up, sign-in, and access control to your web and mobile applications. It supports identity federation with social identity providers.)

9
Q

What service helps you centrally manage billing; control access, compliance and security; and share resources across multiple Amazon Web Services (AWS) accounts?

  • AWS IAM
  • AWS Control Tower
  • AWS Organizations
  • Amazon Virtual Private Cloud peering
A

AWS Organizations

(Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies to these groups for governance. You can also simplify billing by setting up a single payment method for all of your AWS accounts.)

(The answer is not AWS Control Tower.
AWS Control Tower abstracts multiple AWS services to provide automated setup of a secure, well-architected environment. AWS Control Tower is best suited if you want an automated deployment of a multi-account environment that follows AWS best practices.)

10
Q

A technology company’s employees log in to their AWS accounts through AWS IAM. They have admin access and access to the root users. Which resource can prevent them from deleting the AWS CloudTrail logs?

  • An IAM policy that is attached to each IAM user.
  • A service control policy (SCP) that is attached to the organizational unit (OU).
  • An Amazon S3 bucket policy that is attached to the logging buckets.

(IAM users with administrative access can override the S3 bucket policies.)

A
  • A service control policy (SCP) that is attached to the organizational unit (OU).

(In AWS Organizations, applying an SCP to the OU can prevent employees from deleting the logs. The SCP cannot be overridden by any user, including the root user, of the AWS accounts in the OU.)