Udemy

Question 1

Which IAM approach aligns with AWS best practices and principle of least privilege?

Answer 1

IAM roles with permissions and assigned to IAM entity (user).

Question 2

What is the function of AWS App Mesh?

Answer 2

Application Level Networking (Service to Service Communication); End-to-End Visibility

Question 3

Which AWS Storage solution is POSIX (iSCSI) compatible?

Answer 3

AWS Storage Gateway Volume Gateway

Question 4

Does EFS support POSIX

Answer 4

No

Question 5

What is Fault Injection Service used for?

Answer 5

Experiments to improve application performance, observability and resilience. Helps determine recovery actions from failure scenarios.

Question 6

What is a role in IAM

Answer 6

A short term credential that grants authority (or denial) of activities.

Question 7

What is a policy?

Answer 7

Set of authorizations that can be assigned to a user or orle.

Question 8

What are the four types of policies?

Answer 8

AWS Managed, Customer Managed, Inline, and Resource Based

Question 9

What is the function of Access Advisor?

Answer 9

To see what is granted and when it was last accessed

Question 10

What is the function of Access Analyzer?

Answer 10

To check resources that are shared with an external entity (e.g. Cross Account Policy Conditions)

Question 11

What’s a key differential between IAM Role & Resource Based Policy in regard to cross-account access (re: permissions)?

Answer 11

If you assume a role, you give up your original permissions and take the permissions of the role. If you use a resource policy, the original principal doesn’t give up permissions.

Question 12

What are the two IAM areas that permission boundaries apply to?

Answer 12

Users and Roles

Question 13

What is a permission boundary?

Answer 13

Defines maximum permission an IAM entity can get

Question 14

What are two use cases for IAM Permission boundary?

Answer 14

Delegate responsibilities to non admins, allow developers to grant rights to themselves

Question 15

How does IAM Access Analyzer help decide if access is appropriate?

Answer 15

By defining a zone of trust and anything outside of that would be a finding/issue.

Question 16

What function inside IAM Access Analyzer can help write a policy and how does it make that suggestion?

Answer 16

IAM Access Analyzer Policy Generation which is built on activity based on CloudTrail

Question 17

What is STS and what is it’s function?

Answer 17

Security Token Service. Allows to get credentials/role for a period of time.

Question 18

What benefit does STS provide in terms of security?

Answer 18

You have to explicitly grant permissions to assume the role you want and the user has to actively switch. Can lockdown assuming role only if MFA is configured, etc.

Question 19

How would STS help/work in a Dev/Prod environment?

Answer 19

Devs would have an account in the DEV account but then be able to assume a role in the production account that provides less privleges; STS would return these temporary credentials.

Question 20

How can IAM access analyzer help govern your zone of trust?

Answer 20

Shows which resources are exposed and when they were last accessed.

Question 21

What is the “Confused Deputy” and how can you avoid it?

Answer 21

It’s essentially a man in the middle attach facilitated by the external account using the same role name; you can avoid it by using External ID secret.

Question 22

What is the aws:PrincipalTag in regard to IAM?

Answer 22

You can pass a tag with an API call to get a certain set of rights based on that tag via STS (e.g. Department=HR)

Question 23

Give five important APIS for STS (this is pure memorization)

Answer 23

AssumeRole
AssumeRolewithSAML
AssumeRoleWithWebIdentity [identity provider]
GetSessionToken (MFA/Root)
GetFederationToken (obtain temporary creds for federated user)

Question 24

What are six ways to do identity federation in AWS (pure memorization)?

Answer 24

SAML 2.0 [ADFS]
Custom Identity Broker
Web Identity Federation (w/o Cognito)
Web Identity Federation (w/ Cognito)
Web Identity Federation (IAM Policy)
SSO

Question 25

How does AD and AWS Directory Services interact?

Answer 25

They are both basically AD but one is onprem and one is at AWS (think of it as AWS Managed AD)

Question 26

AWS Managed Microsoft AD: does this allow trust relationships to your own onprem AD?

Answer 26

Yes.

Question 27

What are the three kinds of AD forest trust between AWS Managed AD and on-prem AD?

Answer 27

AWS -> OnPrem; OnPrem -> AWS; AWS <-> OnPrem

Question 28

Two benefits to AWS managed AD are: automated ______ and _________ (hint: DR)

Answer 28

Backups & Multi-region replication

Question 29

AD Connector: What is it?

Answer 29

Gateway Proxy to redirect AWS AD to onprem AD, but is basically useless if connection is down.

Question 30

What is the AWS service for AD called and when would you want to use it?

Answer 30

Simple AD with limited functionality; it can be small to large (5000-5000 users) it is compatible with MSFT AD but much simpler and smaller (lower cost/lower scale).

Question 31

SCPs do not affect _____________ roles.

Answer 31

Service-linked

Question 32

What is an SCP and how is it used?

Answer 32

Service Control Policy. Establishes rules/authorities at master/organizational level and that is propagated down other members of the organization.

Question 33

What is the IAM Policy Evaluation Order (pure memorization)?

Answer 33

Deny, Org SCP, Resource Based, Identity Based, IAM Permission Boundary, Session Policy

Question 34

What is the purpose of aws:TagKeys in an IAM policy?

Answer 34

To restrict or allow based on the presence or value of a particular tag.

Question 35

What’s the difference between “ForAllValues” and “ForAnyValue” and where might this apply.

Answer 35

These are conditional IAM policy statements. ForAll indicates that all key conditions need to be try. ForAny says that at least one must true.

Question 36

aws:RequestedRegion allows SCPs to do what?

Answer 36

Deny/Allow activity based on what region the user is using (e.g. only allow stuff to happen in us-east-1)

Question 37

What is IAM Identity Center and how might it be used?

Answer 37

Successor to AWS SSO; integrates with AD/Entry and can be used to do policy administration from an organizational level.

Question 38

What is ABAC?

Answer 38

Attribute Based Access Control. Essentially grants permissions based on user attributes.

Question 39

What is AWS Control Tower?

Answer 39

Old way of setting up and governing multi-account AWS environment. Can establish guardrails, etc.

Question 40

What is RAM and what is it used for?

Answer 40

Resource Access Manager (RAM). Share resources with other AWS accounts. Use with applications w/n same trust boundary or a high degree of interconnected applications. Used to avoid resource duplication;

Question 41

AWS prefers which two main identity methods to gain access to Console? ___________ & ___________

Answer 41

AWS SSO and Cognito

Question 42

What are the three Guardrail levels enforced by Control Tower?

Answer 42

Mandatory (required)
Strongly Recommended (based on best practices)
Elective (optional)

Question 43

What are two resources ARM cannot share?

Answer 43

Security groups and default VPC

Question 44

What are three examples of resources that ARM can manage (pure memorization) [there are a ton]? And which one is primarily shared (exam based question).

Answer 44

VPC subnets, AWSTransit Gateway and Route53. VPCs are commonly shared via RAM.

Question 45

What is a managed prefix list and why it might be used?

Answer 45

Resource Access Manager (RAM) related item that deals with having grouping different subnet prefixes that could be shared to different security groups or route tables. (example: Prefix A with 10.0.0.0/16; and 192.168.0.0/24)

Question 46

True/False: RAM can share Route 53 Outbound Resolver.

Answer 46

True

Question 47

Why would you use RAM to manage Route53 Outbound Rules?

Answer 47

Centrally Manage and share among different accounts

Question 48

Which of these is not supported for integration with IAM Identity Center? EC2 Windows, Business Cloud Apps (O365), EC2 Linux, SAML2.0

Answer 48

EC2 Linux

Question 49

What are two things CloudTrail logs?

Answer 49

History of events and API Calls

Question 50

What are Management Events in regard to CloudTrail?

Answer 50

Operations performed on resources

Question 51

S3 Object Activity and AWS Lambda Execution are what type of CloudTrail Event?

Answer 51

Data

Question 52

What function does CloudTrail Insights serve?

Answer 52

Creates a baseline of events and detects unusual activity/anomolies.

Question 53

What’s the default retention period of Cloud Trail and what should you do if you want to keep them longer?

Answer 53

90 days. Send them off to S3 to analyze with Athena

Question 54

What would you use this methodology for: CloudTrail -> CW Logs -> Metric Filters -> CW Alarm -> SNS

Answer 54

To leverage multiple AWS services to send an eMail when there is an unusual situation

Question 55

What is an Organizational CloudTrail?

Answer 55

Created in management account, children account send up to mgmt (consolidated trails)

Question 56

CloudTrail can take up to ____ minutes to get items delivered. If you want a faster reaction time, use:

Answer 56

15. EventBridge.

Question 57

What is another way to refer to encryption at AWS?

Answer 57

Key Management Service (KMS)

Question 58

What is the difference between symmetric (AES-256) and Aymmetric (RSA/ECC Key pairs)?

Answer 58

Symmetric is necessary for envelope encryption (data & key are both encrypted); asymmetric is using the public key (encrypt) and private key (decrypt); used for encryption outside AWS

Question 59

How often are AWS Managed keys rotated?

Answer 59

Once annually.

Question 60

What is an External Key Material Origin?

Answer 60

You import key material into the KMS key (you manage it). Can’t be used with Custom Key Store and key cannot be auto rotated.

Question 61

What is an HSM and why might you want to use it?

Answer 61

Hardware Security Module. Physical system that manages encryption/keys. If you need high security.

Question 62

True/False: Multi-Region Keys are global.

Answer 62

False. They are created in a primary and then replicated to the different regions.