Section 2: IAM Flashcards

1
Q

SAA-C03

A

30% Domain 1: Design Secure Architectures

26% Domain 2: Design Resilient Architectures

24% Domain 3: Design High-Performing Architectures

20% Domain 4: Design Cost-Optimized Architectures

2
Q

VPC Interface Endpoint vs VPC Gateway Endpoint

A

https://digitalcloud.training/vpc-interface-endpoint-vs-gateway-endpoint-in-aws/

3
Q

Principal

A

A person or application that can make a request for an action or operation on an AWS resource

4
Q

AWS Global Accelerator

A

a service that improves the availability and performance of applications with local or global users. It provides static IP addresses that act as a fixed entry point to application endpoints in a single or multiple AWS Regions, such as Application Load Balancers, Network Load Balancers or EC2 instances.

https://digitalcloud.training/amazon-route-53/

5
Q

Policy

A

Define the PERMISSIONS for the IDENTITIES or RESOURCES they are associated with.

6
Q

Role

A

Used for DELEGATION and are ASSUMED.

7
Q

Do you need to select a region with IAM?

A

No

8
Q

Trust Policy

A

Controls who can assume the role.

9
Q

AWS Security Token Service (STS)

A

Enables temporary, limited-privilege credentials to be used with identity federation / federated users, delegation, cross-account access, and IAM users / roles.

?Enables temporary, limited-privileges for IAM users and federated users. Users here and roles above from Lesson 25 - Quiz.

10
Q

AWS Security Token Service (STS) credentials include:

A
  • AccessKeyId
  • SecretAccessKey
  • Expiration
  • SessionToken

*Put in credentials file and make a profile, but they are temporary

11
Q

Federated User

A

A user outside AWS.

12
Q

Temporary credentials are used with:

A

Identity Federation
Delegation
Cross-Account Access
IAM Roles

13
Q

Identity-Based IAM Policies

A

JSON permissions policy documents that control what actions an identity can perform, on which resources, and under what conditions.

14
Q

Inline Policy

A

1:1 relationship with User, Group or Role

Lesson 18

15
Q

Managed Policy

A

AWS managed (cannot modify) or customer managed which can be attached to multiple entities (User, Group, Role).

Lesson 18

16
Q

Resource Policy

A

Attached to a resource; define permissions for a Principal accessing the resource.

JSON permissions policy documents that you attach to a resource such as an Amazon S3 bucket.

Example: arn:aws:iam::[accountId]:user/Eric

Grants the specified Principal (Eric) the permission to perform specific actions on the resource.

Lesson 18, 20(review)

17
Q

IAM Role (construction hat)

A

Have a Trust Policy and a Permission Policy.

Lesson 18

18
Q

Trust Policy

A

Is an example of a Resource Policy.

Lesson 18

19
Q

Permissions Policy

A

Is an Identity Policy.

Lesson 18

20
Q

IAM Permissions Boundary

A

Sets the maximum permissions the entity (User or Role) can have.

Set the maximum permissions an Identity Policy can grant an IAM entity.

Lesson 19, 20

21
Q

Steps for Authorizing Request to AWS

A
  1. AWS IAM authenticates the Principal that makes the request.
  2. Request context (Actions, Resources, Principal, Environment data, Resource data) must be processed.
  3. Identity and Resource Policies must be evaluated.
  4. Then the Action will be allowed/denied.

Lesson 20

22
Q

Identity Policy

A

Attached to Users, Groups or Roles.

Lesson 20

23
Q

AWS Organizations Service Control Policies (SCP)

A

Specifies the maximum permissions for an Organization or OU.

Lesson 20

24
Q

AWS Organizations

A

A way to centrally manage multiple AWS accounts. And you can apply policies to those accounts, which determine the maximum available permission.

Lesson 20

25
Q

Session Policies

A

Used with the *AssumeRole API.

Lesson 20

26
Q

Determination Rules

A
  1. By default, all requests are implicitly denied (though the root user has full access).
  2. An explicit allow in an identity-based or resource-based policy overrides this default.
  3. If a permissions boundary, Organization’s SCP, or session policy is present, it might override the allow with an implicit deny.
  4. An implicit deny in any policy overrides any allows.

Lesson 20 (Evaluation Logic slide)

27
Q

Evaluation Logic

A
  1. Deny evaluation (No)
  2. Organizational SCP (Yes)
  3. Resource Policy (No)
  4. IAM Permissions Boundaries (Yes)
  5. Session Policies (Yes)
  6. Identity Policy (Yes)

Lesson 20 (slide)

28
Q

IAM Policy Structure

A

JSON

Effect - Allow/Deny
Action - AWS API
Resource - arn
Condition - Control when policy in effect - {conditionName {key:value}}

Lesson 21

29
Q

IAM Best Practices

A
  1. Lock away your AWS account root user access keys.
  2. Create individual IAM users.
  3. Use Groups to assign permissions to IAM Users.
  4. Grant least privilege.
  5. Get started using permissions with AWS Managed Policies.
  6. Use customer managed policies instead of inline policies (assigning a policy directly to a user).
  7. Use access levels to review IAM permissions.
  8. Configure a strong password policy for your users.
  9. Enable MFA.
  10. Use Roles for applications that run on EC2 instances.
  11. Use Roles to delegate permissions.
  12. Do not share access keys.
  13. Rotate credentials regularly.
  14. Remove unnecessary credentials.
  15. Use policy conditions for extra security.
  16. Monitor activity in your AWS account.

Lesson 23

30
Q

Group

A
  • Collection of users; policies can be attached to the group.
  • A group is not an identity and cannot be identified as a Principal in an IAM policy.
  • use Groups to assign permissions to Users.
  • use the principle of least privilege when assigning permissions.
  • Groups cannot be nested (Groups within Groups).

Lesson 24

31
Q

IAM Cheat Sheet

A
32
Q

Root account best practices

A
  • remove access keys
  • set a complex
  • enable MFA
  • use IAM users for most operations.

Lesson Quiz