Section 7: AWS CLI, SDK, IAM Roles & Policies

Question 1

What can you use to develop and perform AWS tasks from your local computer?

Answer 1

The CLI

The SDK

Question 2

What can you use to develop and perform AWS tasks from an EC2 instance?

Answer 2

The CLI
The SDK
The Instance Metadata Service for EC2

Question 3

How to configure the AWS CLI (default profile) on your local computer?

Answer 3

aws configure

Question 4

How to configure the AWS CLI (a specific profile) on your local computer?

Answer 4

aws configure –profile profileName

Question 5

What info do you have to provide when configuring the AWS CLI on your computer?

Answer 5

Access Key ID
Secret Access Key
Default Region Name
Default output format (leave to none by default)

Question 6

Where are the config/credentials files stored on Windows?

Answer 6

In the User/.aws folder

Question 7

How to configure the AWS CLI on an EC2 instance?

Answer 7

By assigning an AWS IAM role to the machine (or the ASG which will assign the role to the machine it creates)

Question 8

Can you do “aws configure” on an EC2 machine?

Answer 8

YOU SHOULD NEVER DO THAT! Your PERSONAL credentials should belongs on your PERSONAL compter

Question 9

How to define what actions an IAM Role can perform?

Answer 9

By assigning policies to the IAM Role

Question 10

How many roles can an EC2 instance have?

Answer 10

Only one

Question 11

What are inline policies?

Answer 11

Policies that are creatable “inline” inside a role. Those inline policies won’t be findable in the policies tab and won’t be attachable to other roles

Question 12

Should you use inline policies?

Answer 12

It’s better to avoid using inline policies, just to facilitate their management

Question 13

What visual tools can you use to generate policies? (2)

Answer 13

The visual editor integrated in “create policy” page

The AWS Policy Generator

Question 14

Is it possible to see what roles use a policy from the console, if so, how?

Answer 14

Yes, by looking at the “Policy usage” tab

Question 15

Can custom IAM policies have versions?

Answer 15

Yes, you can view them in the “Policy version” tab of a policy

Question 16

What does AWS STS stand for?

Answer 16

AWS Security Token Service

Question 17

How to test if an IAM role can perform a certain action?

Answer 17

Some CLI cmds can be tested using the –dry-run flag

You can use the AWS IAM Policy Simulator

Question 18

How to decode an encoded authorization message?

Answer 18

By running the following cmd:

aws sts decode-authorization-message –encoded-message XXXXXXXXXXXXXXXX

Question 19

How to run an AWS CLI command using a specific profile

Answer 19

By adding the following at the end of the command:

–profile profileName

Question 20

Can you attach IAM roles to on-premise servers?

Answer 20

No, you can only attach roles to AWS resources

Question 21

What is AWS EC2 Instance Metadata, and how to get it?

Answer 21

Info about the EC2 instance

By running
curl http://169.254.169.254/latest/meta-data
From the EC2 instance

Question 22

Can you retrieve IAM policies from the meta-data of an EC2 instance?

Answer 22

No

Question 23

Can you retrieve the IAM Role name from the meta data of an instance?

Answer 23

Yes

Question 24

What is the user data of an EC2 instance?

Answer 24

The launch script of the EC2 instance

Question 25

What to use if you want to perform actions on AWS directly from your applications?

Answer 25

Use the AWS SDK

Question 26

What do SDK stand for?

Answer 26

Software Development Kit

Question 27

What languages have an official AWS SDK?

Answer 27

Java
.NET
Node.JS
PHP
Python
Go
Ruby
C++

Question 28

What are the two other names of the AWS python SDK

Answer 28

boto3

botocore

Question 29

What does the AWS CLI uses under the hood?

Answer 29

The Python SDK (boto3)

Question 30

What region will be used when using the SDK without specifying a region?

Answer 30

us-east-1

Question 31

What is the default credential provider chain?

Answer 31

A way for the SDK to get the credentials to perform the actions it need to do.

Question 32

What does the default credential provider chain look for?

Answer 32

On your local PC: It looks for your credentials in ~/.aws/credentails
On an EC2 instance: It looks for Instance Profile Credentials using IAM Roles

It looks for environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)

Question 33

Where should your credentials NEVER be?

Answer 33

In your code

In your commits

Question 34

What is exponentials backoff?

Answer 34

A mechanism which most SDKs implement so that if an API request fails, it is going to double the time it waits before retrying the same request.