AWS - IAM Quizlet

IAM (Identity and Access Management) enables you to securely control access to AWS services and resources. It allows you to create users and groups within your AWS account and grant them permissions to access specific services and resources. By default, IAM users have no access and must be granted permissions. IAM also supports identity federation, allowing authentication of users outside of AWS through external identity providers like Active Directory.

Uploaded by

chandra

AWS - IAM quizlet

Terms in this set (20)

IAM
Identity Access Management
What is IAM?
Enables you to securely control access to AWS services and resources for your
users. Create and manage AWS users and groups and use permissions to allow and
deny their access to AWS resources.
What are some basic features of IAM?
1. Grant unique security credentials to users and groups to specify which AWS
service APIs and resources they can access.
2. Granularity to control a user's access to specific AWS services and resources
using permissions.
3. Create roles and assign permissions to them, allowing authenticated users or EC2
instances to assume them.
4. Assign a range of security credentials including passwords, key pairs, X.509
certificates, and multi-factor authentication (MFA). Leverage external identity
systems (federation).
5. Seamlessly integrated into AWS services
What access to AWS resources do users have granted to them when they are
created?
None. They have no access to anything.
What is Identity Federation?
Linking a person's electronic identity and attributes, stored across multiple distinct
identity management systems (Single Sign-on). Federated users can be granted
secure access to resources in your AWS account without having to create IAM
users.
Where can Federated Users come from?
From a corporate identity provider (Microsoft Active Directory or the AWS Directory
Service) or from a web identity provider, such as Amazon Cognito, Login with
Amazon, Facebook, Google or any OpenID Connect (OIDC) compatible provider.
What is the process to authenticate with AD?
1. Navigate to Active Directory Federation Service (ADFS) webserver,
2. Enter single sign-on credentials,
3. Browser receives a SAML assertion from AD server,
4. Browser posts the SAML assertion to the AWS SAML endpoint. The
AssumeRoleWithSAML API request is used to request temporary security
credentials,
5. User is then able to access the AWS console.
True or False. Custom password rotation policies can be configured in IAM?
True
How does IAM work with regards to regions?
IAM is universal and shared across ALL regions.
True or False. You should NOT set up multi-factor authentication for the root
account.
False. http://aws.amazon.com/iam/details/mfa/
True or False. You can view access keys more than once.
False. A secret access key is accessible only at the time you create it. If a secret
access key is lost, you must delete the access key for the associated user and
create a new key.
What is the purpose of the root user account?
It is created the first time you sign into your AWS account. It has complete,
unrestricted access to all resources in your AWS account, including billing
information and the ability to change your password.
What is an IAM User account?
Create individual IAM users within your account that correspond to people or
accounts within your organization. These are not separate accounts; they are users
within your account. Each one has its own password and keys, but NO permissions
when first created.
What permissions does the Power User policy give?
Allows access to all AWS services except management of users and groups within
IAM.
What is an Access Key ID and what is it used for?
The Access Key ID and Secret Access Key are used to authenticate with the AWS CLI,
the AWS SDKs, or the APIs for individual AWS services.
What is an IAM Group?
An IAM group is a collection of IAM Users. Use groups to specify permissions for a
collection of users.
What is an IAM Role?
An identity with permission policies that determine what the identity can and cannot
do in AWS. No credentials (password or access keys). Intended to be assumable by
anyone who needs it (ex. federated users or applications)
What is an IAM Policy?
A policy is a JSON document that explicitly lists permissions. It specifies Actions,
Resources, and Effects.
What objects can an IAM Policy be attached to?
1. IAM user,
2. Group,
3. Role,
4. Resource
What is Security Assertion Markup Language (SAML)?
An XML-based, open standard data format for exchanging authentication and
authorization data between parties, particularly between an identity provider and a
service provider.

Terms in this set (15)

What types of identities can be managed with IAM?
Users, groups and roles.
What can identities be associated with, to determine permitted actions?
Policies (usually by means of roles)
What are users?
Individuals
What is a group?
A group consists of a set of users and a set of permissions.
What is a role?
A set of permissions (policies). They can be assigned to AWS services/instances (or
to users?). It's a way to let an AWS service interact with another one.
Groups vs. roles?
- Groups associate users with permissions
- Roles are sets of permissions, that other services (not users?) can be assigned to.
To how many regions can a user belong?
Users are universal! They don't belong to a particular region!
When using Active Directory to authenticate to AWS, what are the correct steps
performed?
1) The user navigates to the ADFS (Active Directory Federation Services) webserver,
2) The user enters their single sign-on credentials,
3) The user's web browser receives a SAML assertion from the AD server,
4) The user's browser then posts the SAML assertion to the AWS SAML endpoint, and the
AssumeRoleWithSAML API request is used to request temporary security credentials,
5) The user is then able to access the AWS Console.
What does SAML stand for?
Security Assertion Markup Language
What is ADFS?
Active Directory Federation Services, software for Active Directory federation.
What is the AWS sign-in endpoint for SAML?
https://signin.aws.amazon.com/saml
What is the name of the API call to request temporary security credentials from the
AWS platform when federating with Active Directory?
AssumeRoleWithSAML
What is the process to authenticate with a Web Identity Provider?
- Authenticate with your identity provider (for example, Facebook or Google) (not
with Amazon!)
- Get a WebIdentityToken (temporary security credentials)
- You call the API "AssumeRoleWithWebIdentity" with that WebIdentityToken
(for FB, the provider's token) and the ARN of the IAM role for federation with that
provider.
With that, you are granted a session token, and you can access your AWS resources.
The session token is valid for 1 hour by default.
What is the name of the API call to request temporary security credentials from the
AWS platform when federating with a Web Identity Provider?
AssumeRoleWithWebIdentity
Can I change roles in a running EC2 instance?
No, but you can change the permissions in the role and they will take effect almost
immediately. See https://aws.amazon.com/iam/faqs/

Terms in this set (71)

What is AWS Identity and Access Management (IAM)?
You can use AWS IAM to securely control individual and group access to your AWS
resources. You can create and manage user identities ("IAM users") and grant permissions for
those IAM users to access your resources. You can also grant permissions for users outside of
AWS (federated users).
What problems does IAM solve?
IAM enables you to:

Manage IAM users and their access: you can create users, assign users individual security
credentials, or request temporary security credentials to provide users access to AWS services
and resources. You can specify permissions to control which operations a user can perform.

Manage access for federated users: you can request security credentials with configurable
expirations for users who you manage in your corporate directory, allowing you to provide
your employees and applications secure access without creating an IAM user for them. You
can specify the permissions for these security credentials to control which operations a user
can perform.
What can an IAM user do?
A user can place requests to web services such as EC2 and S3. The AWS account holder can
permit a user to access any or all of the AWS services that have been integrated with IAM.
Any AWS resources created by a user are under control of and paid for by its AWS account.
A user cannot independently subscribe to AWS services or control resources.
How do IAM users call AWS services?
Users can make requests to AWS services using security credentials. Explicit permissions
govern a user's ability to call AWS services. By default, users have no ability to call service
APIs on behalf of the account.
How are IAM users managed?
IAM supports multiple methods to:
- Create, delete, and list IAM users
- Manage group membership
- Manage user security credentials
- Assign permissions
What is an IAM group?
A group is a collection of IAM users. Manage group membership as a simple list:
- Add users to or remove them from a group
- A user can belong to multiple groups
- Groups cannot belong to other groups
- Groups can be granted permissions using access control policies. This makes it easier to
manage permissions for a collection of users, rather than having to manage permissions for
each individual user
- Groups do not have security credentials, and cannot access web services directly; they exist
solely to make it easier to manage user permissions.
What kind of security credentials can IAM users have?
IAM users can have any combination of credentials that AWS supports, such as AWS access
key, X.509 certificate, SSH key, password for web logins, or an MFA device.
Can I enable and disable IAM user access?
Yes, you can enable and disable an IAM user's access keys via the IAM APIs. If you disable the
access keys, the user cannot programmatically access AWS services.
Who is able to manage IAM users for an AWS account?
The AWS account holder can manage users, groups, security credentials, and permissions. In
addition, you may grant permissions to individual users to place calls to IAM APIs in order to
manage other users.
Can I structure IAM users in a hierarchical way, such as in LDAP?
Yes, you can organize users and groups under paths, similar to object paths in Amazon S3.
Can I define IAM users regionally?
Not initially. Users are global entities, like an AWS account is today. No region is required to
be specified when you define user permissions. Users can use AWS services in any
geographic region.
Can IAM users have individual EC2 SSH keys?
Not in the initial release. IAM does not affect EC2 SSH keys or Windows RDP certificates.
This means that although each user has separate credentials for accessing web service APIs,
they must share SSH keys that are common across the AWS account under which users have
been defined.
How are IAM user passwords set?
You can set the initial password for an IAM user. User passwords never appear in clear text
after the initial provisioning and are never displayed or returned via an API call.
Can I define a password policy for my IAM user's passwords?
Yes, you can enforce strong passwords by requiring minimum length or at least one number.
You can also enforce automatic password expiration, prevent re-use of old passwords, and
require a password reset upon the next AWS sign-in.
Can I set usage quotas on IAM users?
No, all limits are on the AWS account as a whole. You cannot limit what an individual user
can do (e.g., how many instances they can spin up).
What is an IAM role?
An IAM role is an IAM entity that defines a set of permissions for making AWS service
requests. IAM roles are not associated with a specific user or group. Instead, trusted entities
assume roles, such as IAM users, applications, or AWS services such as EC2.
What problems do IAM roles solve?
IAM roles allow you to delegate access with defined permissions to trusted entities without
having to share long-term access keys. You can use IAM roles to delegate access to IAM
users managed within your account, to IAM users under a different AWS account, or to an
AWS service such as EC2.
How do I assume an IAM role?
You assume an IAM role by calling the AWS Security Token Service (STS) AssumeRole
APIs (in other words, AssumeRole, AssumeRoleWithWebIdentity, and
AssumeRoleWithSAML). These APIs return a set of temporary security credentials that
applications can then use to sign requests to AWS service APIs.
How many IAM roles can I assume?
There is no limit to the number of IAM roles you can assume, but you can only act as one
IAM role when making requests to AWS services.
What is the difference between an IAM role and an IAM user?
An IAM user has permanent long-term credentials and is used to directly interact with AWS
services. An IAM role does not have any credentials and cannot make direct requests to AWS
services. IAM roles are meant to be assumed by authorized entities, such as IAM users,
applications, or an AWS service such as EC2.
When should I use an IAM user, IAM group, or IAM role?
IAM user: permanent, long-term credentials, used to directly interact with AWS services
IAM group: management convenience to manage the same set of permissions for a set of
IAM users
IAM role: enable permissions to make AWS service requests

*Note: IAM roles can't make direct requests to AWS services, they are meant to be assumed
by authorized entities, such as IAM users, applications, or AWS services such as EC2.
Can I add an IAM role to an IAM group?
No, not at this time.
How many IAM roles can I create?
You are limited to 500 IAM roles under your account but you can request that limit to be
increased.
What are IAM roles for EC2 instances?
IAM roles for EC2 instances enable your application running on EC2 to make requests to
AWS services such as S3, SQS, and SNS without having to copy AWS access keys to every
instance.
What are the features of IAM roles for EC2 instances?
- AWS temporary security credentials to use when making requests from EC2 to AWS
services
- Automatic rotation of the AWS temporary security credentials
- Granular AWS service permissions for applications running on EC2
What problem do IAM roles for EC2 resolve?
They simplify the management and deployment of AWS access keys to EC2 instances. Using
this feature, you associate an IAM role with an instance. Then your instance provides the
temporary security credentials to applications running on the instance, and the applications
can use these credentials to make requests securely.
Can I use the same IAM role on multiple EC2 instances?
Yes
Can I associate an IAM role with an already running EC2 instance?
Yes, you can assign a role to an EC2 instance that is already running.
Can I associate an IAM role with an Auto Scaling group?
Yes, you can add an IAM role as an additional parameter in an Auto Scaling launch
configuration and create an auto scaling group with that launch configuration.
Can I associate more than one IAM role with an EC2 instance?
No, you can only associate one IAM role with an EC2 instance and this limit of one role per
instance cannot be increased.
What happens if I delete an IAM role that is associated with a running EC2 instance?
Any application running on the instance that is using the role will be denied access
immediately.
Can I control which IAM roles an IAM user can associate with an EC2 instance?
Yes
Which permissions are required to launch EC2 instances with an IAM role?
- Permission to launch EC2 instances
- Permission to associate an IAM role with EC2 instances
Who can access the access keys on an EC2 instance?
Any local user on the instance can access the access keys associated with the IAM role.
How do I rotate the temporary security credentials on the EC2 instance?
The AWS temporary security credentials associated with an IAM role are automatically
rotated multiple times a day. New temporary security credentials are made available no later
than five minutes before the existing temporary security credentials expire.
Can I use IAM roles for EC2 instances with any instance type or AMI?
Yes. IAM roles for EC2 instances also work in a VPC and with Spot and Reserved Instances.
What is a service-linked role?
A service-linked role is a type of role that links to an AWS service such that only the linked
service can assume that role. Using these roles, you can delegate permissions to AWS
services to create and manage AWS resources on your behalf.
Can I assume a service-linked role?
No. A service-linked role can be assumed only by the linked service. This is the reason why
the trust policy of a service-linked role cannot be modified.
How can I delete a service-linked role?
You can delete a service-linked role from the linked service. Before you delete the role, the
linked service may require you to delete all the AWS resources that depend on the role. This
ensures that you do not inadvertently delete a role required for your AWS resources to
function properly.
How do IAM permissions work?
Access control policies are attached to users, groups, and roles to assign permissions to AWS
resources. By default, IAM users, groups, and roles have no permissions; users with
sufficient permissions must use a policy to grant the desired permissions.
What are managed policies?
Managed policies are IAM resources that express permissions using the IAM policy
language. You can create, edit, and manage them separately from the IAM users, groups, and
roles to which they are attached. After you attach a managed policy to multiple IAM users,
groups, or roles, you can update that policy in one place and the permissions automatically
extend to all attached entities. You can have both customer managed policies and AWS
managed policies.
How do I assign commonly used permissions?
AWS provides a set of commonly used permissions that you can attach to users/groups/roles
in your account (AWS managed policies). You can also create your own policies (customer
managed policies).
How do group-based permissions work?
Use IAM groups to assign the same set of permissions to multiple IAM users. A user can also
have individual permissions assigned to them.
How are IAM policies evaluated in conjunction with S3, SQS, SNS, and KMS resource-based
policies?
IAM policies are evaluated together with the service's resource-based policies. When a policy
of any type grants access (without explicitly denying it), the action is allowed.
Can I use a managed policy as a resource-based policy?
No, managed policies are only for IAM users, groups, and roles.
Can I grant permissions to access or change account-level information (ex. payment
instrument, contact email, billing history)?
Yes, you can delegate the ability for an IAM user or a federated user to view AWS billing
data and modify AWS account information.
Who can create and manage access keys in an AWS account?
Only the AWS account owner can manage access keys for the root account. The account
owner and IAM users or roles that have been granted the necessary permissions can manage
access keys for IAM users.
Can I grant permissions to access AWS resources owned by another AWS account?
Yes. Using IAM roles, users and federated users can access resources in another AWS
account.
What is the IAM policy simulator?
The IAM policy simulator is a tool to help you understand, test, and validate the effects of
your access control policies.
How does an IAM user sign in?
An IAM user must sign in using their account's sign-in URL, which will direct them to a page
where they can enter their IAM username and password. The sign-in URL is located on the
dashboard of the IAM console and must be communicated to the user by the System
Administrator.
Do IAM users have to use the direct link?
IAM users must use the account-specific URL for first sign-in. Thereafter, the
account-specific URL is stored as a cookie in the user's browser. This allows a user to return
to the main AWS website and simply click Sign In to the Console.
Can IAM users sign in to other Amazon.com properties with their credentials?
No, the IAM user information only works at AWS.
Can users SSH to EC2 instances using their AWS username and password?
No, user security credentials created with IAM are not supported for direct authentication to
customer EC2 instances. Managing EC2 SSH credentials is the customer's responsibility
within the EC2 console.
What are temporary security credentials?
Temporary security credentials consist of the AWS access key ID, secret access key, and
security token. Temporary security credentials are valid for a specific duration and for a
specific set of permissions. Temporary security credentials are sometimes simply referred to
as tokens. Tokens can be requested for IAM users or for federated users you manage in your
own corporate directory.
What are the benefits of temporary security credentials?
- Extending your internal user directories to enable federation to AWS. Enabling you to allow
your employees access to AWS without having to create an IAM user
- Request temporary security credentials for an unlimited number of federated users
- Configure the time period after which temporary security credentials expire
Can a temporary security credential be revoked prior to its expiration?
No, but if you use an IAM user and not the root account for creating temporary security
credentials, you can revoke the permissions of the IAM user that issued the original call to
request it. This action almost immediately revokes privileges for all temporary security
credentials issued by that IAM user.
Can I reactivate or extend the expiration of temporary security credentials?
No. You should actively check the expiration and request a new token before the old one
expires. This rotation process is handled automatically when temporary security credentials
are used in roles for EC2 instances.
Can I use temporary security credentials to restrict access to a region or a subset of regions?
No. You cannot restrict the temporary security credentials to a particular region or subset of
regions, except the tokens from AWS GovCloud and China, which can only be used in the
respective regions from which they originated.
What is identity federation?
IAM supports identity federation for delegated access to the AWS Console or APIs. With
identity federation, external identities are granted secure access to resources in your AWS
account without having to create IAM users.
What are federated users?
Federated users (external identities) are users you manage outside of AWS in your corporate
directory, but to whom you grant access to your AWS account using temporary security
credentials. They differ from IAM users, which are created and maintained in your AWS
account.
Do you support SAML?
Yes, AWS supports SAML 2.0.
What SAML profiles does AWS support?
The AWS single sign-on (SSO) endpoint supports the IdP-initiated HTTP-POST binding
WebSSO SAML Profile. This enables a federated user to sign in to the AWS Management
Console using a SAML assertion. A SAML assertion can also be used to request temporary
security credentials.
Can federated users access AWS APIs and/or AWS Management Console?
Yes, they can request temporary security credentials to provide them with secure access to
AWS.
How many federated users can I give access to the AWS management console?
There is no limit.
What is web identity federation?
Web identity federation allows you to create AWS-powered mobile apps that use public
identity providers (Google, Facebook) for authentication. With web identity federation, you
have an easy way to integrate sign-in from public identity providers (IdPs) into your apps
without having to write any server-side code and without distributing long-term AWS
security credentials with the app.
How does identity federation using AWS Directory Service differ from using 3rd party
identity management solutions?
Because AWS Directory Service is a managed service, customers do not need to set up or
manage federation infrastructure; they only need to create an AD Connector directory to
integrate with their on-premises directory. AWS Directory Service only provides access to the
AWS Management Console; if you are interested in providing federated users access to AWS
APIs, use a 3rd party offering or deploy your own proxy server.
Does AWS Billing provide aggregated usage and cost breakdowns by user?
No, that is not currently supported.
Is billable user activity logged in AWS usage data?
No but this is planned for a future release.
Are IAM actions logged for auditing purposes?
Yes, you can log IAM actions, STS actions, and AWS Console sign-ins through CloudTrail.
Is there any distinction between people and software agents as AWS entities?
No, both of these entities are treated like users with security credentials and permissions.
However, people are the only ones to use a password in the console.
Do users work with the AWS Support Center and Trusted Advisor?
Yes, IAM users have the ability to create and modify support cases as well as use Trusted
Advisor.

Terms in this set (15)

What level of access does the "root" account have?
Administrator Access
A new employee has just started work, and it is your job to give her administrator access to
the AWS console. You have given her a user name, an access key ID, a secret access key, and
you have generated a password for her. She is now able to log in to the AWS console, but she
is unable to interact with any AWS services. What should you do next?
Grant her Administrator access by adding her to the Administrators' group.
Power User Access allows ________.
Access to all AWS services except the management of groups and users within IAM.
You have created a new AWS account for your company, and you have also configured
multi-factor authentication on the root account. You are about to create your new users. What
strategy should you consider in order to ensure that there is good security on this account?
Enact a strong password policy: user passwords must be changed every 45 days, with each
password containing a combination of capital letters, lower case letters, numbers, and special
symbols.
Which of the following is not a feature of IAM?
IAM allows you to set up biometric authentication, so that no passwords are required.
You have a client who is considering a move to AWS. In establishing a new account, what is
the first thing the company should do?
Set up an account using their company email address.
Which statement best describes IAM?
IAM allows you to manage users, groups, roles, and their corresponding level of access to the
AWS Platform.
You are a security administrator working for a hotel chain. You have a new member of staff
who has started as a systems administrator, and she will need full access to the AWS console.
You have created the user account and generated the access key id and the secret access key.
You have moved this user into the group where the other administrators are, and you have
provided the new user with their secret access key and their access key id. However, when
she tries to log in to the AWS console, she cannot. Why might that be?
You cannot log in to the AWS console using the Access Key ID / Secret Access Key pair.
Instead, you must generate a password for the user, and supply the user with this password
and your organization's unique AWS console login URL.
When you create a new user, that user ________.
Will be able to interact with AWS using their access key ID and secret access key using the
API, CLI, or the AWS SDKs.
In what language are policy documents written?
JSON
What is an additional way to secure the AWS accounts of both the root account and new
users alike?
Implement Multi-Factor Authentication for all accounts.
What is the default level of access a newly created IAM User is granted?
No access to any AWS services.
Which of the following is not a component of IAM?
Organizational Units
You are a solutions architect working for a large engineering company who are moving from
a legacy infrastructure to AWS. You have configured the company's first AWS account and
you have set up IAM. Your company is based in Andorra, but there will be a small subsidiary
operating out of South Korea, so that office will need its own AWS environment. Which of
the following statements is true?
You will need to configure Users and Policy Documents only once, as these are applied
globally.
You are a developer at a fast growing start up. Until now, you have used the root account to
log in to the AWS console. However, as you have taken on more staff, you will now need to
stop sharing the root account to prevent accidental damage to your AWS infrastructure. What
should you do so that everyone can access the AWS resources they need to do their jobs?
(Choose 2)
1. Create individual user accounts with minimum necessary rights and tell the staff to log in
to the console using the credentials provided.
2. Create a customized sign in link such as "yourcompany.signin.aws.amazon.com/console"
for your new users to use to sign in with.

Terms in this set (121)

c
Which of the following is NOT an option to set a password policy in an IAM
a. The password must have at least one uppercase character
b. The password must have at least one alphanumeric character
c. The minimum length of the password should be between 8 and 128 chars
d. The minimum length of the password should be between 6 and 128 chars
d
The possible values of Effect element included within the statement of an IAM policy
are _________
a. Full and Null
b. Pass and Block
c. 1 and 0
d. Allow and Deny
b
Every user you create in the IAM system starts with __________
a. full permissions
b. no permissions
c. admin permissions
d. edit permissions
c
The information within an IAM policy is described through a series of ___________
a. name spaces
b. classes
c. elements
d. maros
b
What does the following policy for Amazon EC2 do?
{
"Statement":[{
"Effect":"Allow",
"Action":"ec2":Describe*,
"Resource":"*"
}]
}

a. Share an AMI within the account


b. Allow users to use actions that start with "Describe" over all the EC2 resources
c. Allow a group to only be able to describe run, stop, start and terminate instances
d. Share an AMI with a partner
d
Identify a correct statement with reference to deletion of IAM users
a. None of these is correct about deletion of IAM users
b. You cannot delete IAM users from your AWS account. You can only disable them
c. You cant delete IAM users from from AWS acount ant any time
d. You can delete IAM users from your AWS account if they quit the company
b
Which of the following credentials should an IAM user be provided to enable access
to both API access and management console?
a. User name, access key ID, secret access key and password (if created)
b. User name, password (if created), access key
c. None of these
d. User name and password
b
What is MFA-protected API access?
a. An optional process in activating a hardware MFA device
b. A feature that offers an extra layer of security by requiring users to authenticate
with an MFA device before they can use API you specify in a policy
c. The first mandatory process in activating MFA device
d. A way to request for a hardware MFA device
c
Which of the following services support(s) resource-based policies for the specified
resources?
a. Amazon Glacier vaults
b. Amazon SQS queues
c. All services listed support resource-based policies for the specified resources
d. Amazon SNS topics
c
The Query API returns sensitive information such as security credentials, hence you must
use ________ for all your API requests
a. HTTP
b. FTP
c. HTTPS
d. UDP
c
By default, all requests receive a _______ in IAM except for requests that use the
AWS account root security credentials
a. default accept
b. default read-write permission
c. default deny
d. default read-only permissions
a
GetSessionToken provides enhanced security because
a. It uses temporary credentials
b. It does not use hash tags
c. It does not use secret access keys
d. It has inbuilt security tokens
c
If you prefer to use AWS through an existing programmatic interface, AWS offers
SDKs for
a. .NET
b. PHP
c. All of these
d. Ruby
c
Is it possible to create an S3 bucket accessible only by a certain IAM user, using the
policies in a CloudFormation template?
a. S3 is not supported by CloudFormation
b. No, you can only create the S3 bucket but not the IAM users
c. Yes, all these resources can be created using a CloudFormation template
d. No, in the same template you can only create the S3 bucket and the related policy
d
Which of the following is true of cross-account access in Amazon S3?
a. It refers to a web service that records AWS API calls for your account and delivers
log files to you
b. It refers to information that is checked for integrity but not encrypted
c. It refers to an easy-to-use online billing and account management service that
makes it easy for you to sell an Amazon EC2 AMI or an application built on Amazon
S3
d. It means granting access rights to a user(Who does not own the bucket) by
creating an AWS IAM role with permissions to access the objects
b
For security reasons, a token for an AWS account's root identity is restricted to a
duration of _____ hour(s)
a. 4
b. 1
c. 2
d. 3
d
An alias in IAM must neither start nor end with a _______
a. period (.)
b. character
c. number
d. hyphen (-)
c
The ________ element of an IAM policy can be used to specify a set of resources to
which the policy being defined should not be applied
a. NotID
b. NotPrincipal
c. NotResource
d. NotAction
d
If a single condition within an IAM policy includes multiple values for one key, it will
be evaluated using a logical ________
a. NOR
b. NAND
c. AND
d. OR
d
When using IAM, what is the maximum number of MFA keys that a user can have?
a. Unlimited
b. 10
c. 2
d. 1
c
A user has set up an application on EC2 which uses an IAM user's access key and
secret access key to make secure calls to S3. The user wants to temporarily stop that
IAM user's access to S3. What should the root owner do?
a. Change the access key and secret access key for the users
b. Delete the IAM user
c. Disable the access keys for the IAM user
d. Stop the instance
c
Which of the following is the ARN condition operator that can be used with an IAM
policy to check the case-insensitive matching of the ARN?
a. ArnMatch
b. ArnCheck
c. ArnLike
d. ArnCase
d
What is the maximum length of a Path in IAM?
a. 256 chars
b. 64 chars
c. 16 chars
d. 512 chars
d
In IAM, which of the following is true of the temporary security credentials?
a. Once you issue temporary security credentials, they can be revoked only when
the vMFA device is used
b. Once you issue the temporary security credentials, they CAN be revoked
c. None of these are correct
d. Once you issue the temporary security credentials, they CANNOT be revoked
c
If you use the IAM console to create and manage IAM roles, the _______
a. Instance profile for each role has to be created by you
b. instance profile is not needed at all
c. instance profile is managed for you
d. instance profile will be in the active state
b
The iam-groupmod command in the IAM lets you _______
a. Find the mod of the group
b. Change the groups name or path
c. Create a new group
d. Create a new group model
b
What is the maximum number of IAM roles per AWS account?
a. 100
b. 250
c. 25
d. 150
b
You can use an IAM policy to specify which RDS actions a user in your AWS account
can use with RDS resources in general. Will you be able to specify a particular RDS
DB instance in the policy?
a. Yes
b. No
c. Only for Microsoft SQL server
d. Only for Oracle server
a
Which of the following is a best security practice when you are using RDS?
a. Rotate the IAM credentials regularly
b. Reduce the number of IAM accounts who can access the Database
c. Assign a different IAM account to each team of the organization
d. Give an IAM account only to key people in your organization
d
With respect to MFA protection for federated users, identify the correct statement
a. None of these are correct
b. Federated users can be assigned an MFA device for use with AWS services, so
that they can access AWS resources controlled by MFA
c. Federated users can be assigned an MFA device for use with AWS services,
using an additional IAM policy for which they need to pay an additional cost
d. Federated users cannot be assigned an MFA device for use with AWS services,
so they cannot access AWS resources controlled by MFA
d
A user is defining an IAM policy for an IAM user. Which order should the user follow
for the elements in the policy statement?
a. Condition should always be last
b. Resource before action statement
c. Resource after action statement
d. There is no order followed by the IAM policy for elements
c
Which of the items below is a required element of an IAM policy?
a. Condition
b. Version
c. Statement
d. ID
b
In Amazon IAM, what is the maximum length of a role name?
a. 1024 chars
b. 64 chars
c. 512 chars
d. 18 chars
a
In RDS, the tag value is an optional string value of the tag. The string value can be
from ________ Unicode characters in length
a. 1 to 256
b. 1 to 128
c. 1 to 64
d. 1 to 512
b
In AWS IAM, which of the following predefined policy condition keys checks how
long ago (in seconds) the MFA-validated security credentials making the request
were issued using multi-factor authentication (MFA)?
a. aws:MultiFactorAuthLst
b. aws:MultiFactorAuthAge
c. aws:MultiFactorAuthPrevious
d. aws:MultiFactorAuthOld
b
What is the maximum length for a certificate ID in AWS?
a. 1024 chars
b. 128 chars
c. 512 chars
d. 256 chars
b
What is the default maximum number of Access keys per user?
a. 15
b. 2
c. 5
d. 10
b
Is it possible for an IAM group to interact directly with AWS?
a. Yes, it's possible
b. No, it is not possible
c. It depends on the kind of IAM group
d. It depends on the kind of AWS service
a
A ________ is an individual, system, or application that interacts with AWS
programmatically
a. user
b. Permission
c. AWS account
d. Role
b
In IAM, a user can be a part of no more than _______ groups
a. 5
b. 10
c. 20
d. 30
b
When using an IAM role to grant permissions to applications running on EC2
instances, you use the Management console to create a role for EC2. The console
automatically creates a(n) _______ and gives it the same name as the role
a. role
b. instance profile
c. instance ID
d. principal
a
In IAM, the size of the role policy cannot exceed _______
a. 10,240 char
b. 1280 char
c. 5120 char
d. 2048 char
c
You decide to hire a third-party company called Coralbells Corp to monitor your AWS
account and help optimize costs. Coralbells Corp should ensure that whenever it
assumes a role on behalf of a customer, it always includes that customer's
external ID value in the
a. AccessRole element
b. SpecifyRole call
c. AssumeRole call
d. Ensure Role call
a
IAM users don't have permission to create temporary security credentials for
federated users and roles by default. In contrast, IAM users can call ________
without the need for any special permissions
a. GetSessionToken
b. GetFederationToken
c. GetFederationName
d. GetSessionName
c
In IAM, what is the maximum number of server certificates allowed per AWS account?
a. 5
b. 100
c. 20
d. 50
c
When IAM creates a user, group or server certificate through the IAM API or CLI, a(n)
_______ is returned to you so you can reference the newly created entity in future
operations
a. UTF-8 formatted code
b. value
c. unique ID
d. resource number
b
An organization is hosting an application as part of the free usage tier. The
organization wants to create IAM users for each of its 150 employees, and they may
access AWS as part of the free tier. What will you advise the organization?
a. Do not create more than 100 users as it will cost the organization
b. Create IAM users for each employee as it does not cost
c. The IAM is not available as a part of the free usage tier
d. Create IAM roles and give access based on the role since it will not cost the user
a
A call to the GetSessionToken or GetFederationToken STS API returns a set of
temporary credentials. The credentials consist of a(n) _______, an access key ID and
a secret access key.
a. security token
b. hash tag
c. reference to the access key ID
d. SSL certificate
d
Select the correct statement about secret access keys in AWS IAM
a. You can't reuse the secret access key
b. None of these are correct
c. You can access the secret access key anytime
d. The secret access key is accessible only during the time you create it
b
Is there a limit to the number of IAM groups you can have associated to a single
AWS account?
a. Yes. You can have a maximum of 20 IAM user groups associated with a single
AWS account
b. Yes. You can have a maximum of 100 IAM user groups associated with a single
AWS account
c. No. You can associate as many IAM groups as you want with a single AWS
account
d. No there is no limit but all the IAM groups you want to associate must have the
same origin
d
What is the length range of an AWS account alias?
a. 3 to 255 chars
b. 3 to 511 chars
c. 3 to 31 chars
d. 3 to 63 chars
b
Is it mandatory to specify any Condition elements within an IAM policy statement?
a. Yes
b. No
c. Yes, this can be done only for certain versions of protocol server
d. Yes, this can be done only with CLI
d
The Version element of an AWS IAM policy specifies the ______ version
a. Security framework
b. AWS
c. Programming language
d. access policy language
d
Some AWS services (eg SQS, SNS) have a uniqueness requirement for the value of
the ID element. To comply with this requirement, the use of a ________ is
recommended
a. CPUID
b. SSID
c. Sub ID
d. UUID
b
Cloudacademy (with AWS account ID 111122223333) has created 50 IAM users for its
organization's employees. What is the AWS console sign-in URL for these users?
a. https://signin.aws.amazon.com/111122223333/console
b. https://111122223333.aws.amazon.com/console
c. https://signin.aws.amazon.com/console
d. https://signin.aws.amazon.com/console/111122223333
d
In Amazon IAM, you can define up to ______ users and _____ groups
a. 500 , 50
b. 1000 , 100
c. 100 , 50
d. 5000 , 100
b
Consider that an organization has multiple AWS accounts that are to be billed.
Which of the following features is NOT offered by Amazon IAM in relation to the user
types and billing permissions for multiple accounts
a. Consolidated billing payer account owner
b. Multiple AWS Bill
c. Modify billing
d. Consolidated Billing linked account owner
b
In Amazon AWS, what is the length range for a login profile password?
a. 1 to 256 char
b. 1 to 128 char
c. 1 to 2048 char
d. 1 to 512 char
a
In Amazon IAM, user policy size cannot exceed, ______ chars
a. 2048
b. 512
c. 256
d. 128
b
The _____ is the IAM user or group to whom a particular policy is attached
a. Resource
b. Principal
c. Requester
d. Counsellor
b
Bob is an IAM user who has access to the EC2 services. Admin is an IAM user who
has access to all the AWS services including IAM. Can Bob change his password?
a. Yes, only from the AWS CLI
b. Yes, Provided Admin has given Bob access to change his password
c. No. The IAM user can never change the password
d. Yes, only from the AWS console
c
Which of the following statements is TRUE of IAM?
a. None of these
b. Users should create the API actions instead of using the 3rd-party tools to create
the user signing certificate
c. IAM doesn't have an API action to create signing certificates
d. IAM has its own API action to create signing certificates that rules out the usage of
3rd-party tools
a
Which of the following statements is true of IAM?
a. Your AWS account ID is the same as your account number, but without hyphens
b. Your AWS account ID is the same as your account number but with hyphens
c. Your AWS account ID is the same as your account number, but with no
underscores
d. Your AWS account ID is the same as your account number but with underscores
c
In the AWS console, the ______ page displays invoices and detailed information
about charges and account activity, itemized by service and by usage type
a. Invoice
b. Subscription
c. Account Activity
d. Billing history
c
In AWS IAM, each policy document is written in _______ format
a. JQuery
b. AJAX
c. JSON
d. XML
d
When using an IAM policy to verify that MFA authentication has been completed by
a requester, you can use a(n) ______ MFA condition in a policy to verify that the
user did authenticate with MFA
a. Duration
b. Existence and Duration
c. Dependency and Configuration
d. Existence
d
Identify a true statement about the statement ID (SID) in IAM
a. You cannot use a SID value as a sub-ID for a policy document ID for services
provided by SQS and SNS
b. You cannot assign a SID value to each statement in a statement array
c. You can expose the SID in the IAM API
d. You cannot expose the SID in the IAM API
b
Using IAM, can you give permissions based on job functions?
a. No, you cannot grant permissions based on job functions as organizational groups
don't exist
b. Yes. You can for all job functions
c. No, you cannot grant permission for any job function
d. Yes, you can but not for all functions
b
To specify a resource in a policy statement for EC2, can you use its ARN?
a. No, you can't because EC2 is not related to ARNs
b. Yes, you can
c. Yes, you can but only for the resources that are not affected by the action
d. No, you can't because you can't specify a particular EC2 resource in an IAM policy
c
In regards to IAM, you can edit the user properties later, but you cannot use the
console to change the ______
a. password
b. access keys
c. user name
d. default group
a
What is the default maximum number of login profiles per user?
a. 1
b. 20
c. 10
d. 5
a
A root account owner has given full access to his S3 bucket to one of the IAM users
using the bucket ACL. When the IAM user logs in to the AWS console, which action
can he perform?
a. It is not possible to give access to an IAM user using an ACL
b. The IAM user can perform all operations on the bucket using the API/SDK
c. He can do all the operations on the bucket
d. He can just view the content of the bucket
a
For services that use only SSL, such as RDS and Route 53, does the SecureTransport
key have a meaning?
a. No
b. Yes, it has a meaning only for Route 53
c. Yes
d. Yes , it has a meaning only for RDS
a
In Amazon IAM, what is the length range for a login profile password?
a. 1 to 128 chars
b. 1 to 512 chars
c. 1 to 256 chars
d. 1 to 2048 chars
c
Cloud Academy has three AWS accounts. They have created separate IAM users
with each account. Cloud Academy wants a single IAM console URL such as
https://cloudacademy.signin.aws.amazon.com/console for all account users. Can this
be done?
a. Merge all the accounts with consolidated billing
b. Create the same account alias with each account ID
c. It is not possible to have the same IAM account login URL for separate AWS
accounts
d. Create the S3 bucket with an alias name and use the redirect rule to forward
requests to various accounts
c
Cloud Academy (with account ID 111122223333) has created 50 users for its
organization's employees. They want to make the AWS console login URL for all IAM
users https://CloudAcademy.signin.aws.amazon.com/console/. How can this be
done?
a. For the AWS account, create an alias CloudAcademy for the IAM login
b. The user needs to use Route 53 to map the CloudAcademy domain to an IAM URL
c. It is not possible to have capital letters as a part of the alias name
d. Create a bucket with the name CloudAcademy and map it with the IAM alias
b
The _____ element of an IAM policy is required and specifies whether you want the
statement to result in an allow or explicit deny.
a. Statement
b. Effect
c. Condition
d. Action
c
In Amazon IAM, what is the default maximum number of groups that a user can
belong to?
a. 100
b. 25
c. 10
d. 50
c
What is the maximum number of Signing Certificates per user?
a. 15
b. 1
c. 2
d. 20
b
Can a user be associated with multiple AWS accounts?
a. Yes
b. No
c. Yes, but you need to manually enable it
d. Yes, but the accounts must be owned by the same organization
c
When you rename the server certificate within IAM, the unique ID for the server
certificate _________
a. will be reset
b. will be disabled
c. remains the same
d. will be renamed
d
The information within the IAM policy is described through a series of _________
a. macros
b. classes
c. namespaces
d. elements
b
In some services like ______ and SNS, the IAM policy element "Id" is a top-level
policy element, along with the "Version" and "Statement" elements that are always
at the top level
a. EMR
b. SQS
c. S3
d. Glacier
d
Which of the following statements is true in IAM?
a. After a signing certificate has been uploaded, it can be retrieved, viewed and
reused since the certificate was secured using an AWS security group
b. After a signing certificate has been uploaded, it can be retrieved and viewed, but it
cannot be reused
c. None of these are true
d. After a signing certificate has been uploaded, it cannot be retrieved, cannot be
viewed and cannot be reused
a
To create temporary security credentials for federated users and roles, by default
IAM users can call ____ with their own permissions and thereby create temporary
credentials for others
a. GetSessionToken
b. GetFederatedName
c. GetSessionName
d. GetFederatedToken
b
Fill in the blanks: In an IAM policy you can specify all the actions that SimpleDB
offers. Each action name must be prefixed with the ______
a. uppercase string sdb:
b. lowercase string sdb:
c. lowercase string amazonsdb:
d. lowercase string dbs:
d
Identify a true statement about the vMFA device:
a. Only the vMFA device can be hosted with most vMFA applications
b. The QR code and secret configuration key generated by IAM can be reused
multiple times to configure a new MFA device for your account within 24 hrs
c. A vMFA provides the same level of security as a hardware MFA device
d. The QR code and secret configuration key generated by IAM are unique and
cannot be reused to configure a new MFA device for your account
a
In IAM, what is the maximum length of a path?
a. 512 chars
b. 256 chars
c. 64 chars
d. 1024 chars
c
What is the maximum number of characters allowed in a user's password?
a. 64
b. 100
c. 128
d. unlimited
c
In IAM, what is the length range of a profile password?
a. 1 to 1024 chars
b. 1 to 512 chars
c. 1 to 128 chars
d. 1 to 256 chars
b
A user comes to you and wants access to CloudWatch but only wants to monitor a
specific load balancer. Is it possible to give him access to a specific load balancer?
a. No, because you need to be a sysadmin to access CloudWatch data
b. No, because you can't use IAM to control access to CloudWatch data for specific
resources
c. Yes, any user can see all CloudWatch data and needs no access rights
d. Yes, you can use IAM to control access to CloudWatch data for specific resources
b
By default, temporary security credentials are valid for _____ hours?
a. 10
b. 12
c. 6
d. 2
b
If you use aws:SourceIp in one of the IAM policies and a request is made from one
of your EC2 instances, the instance's ______ IP address is evaluated to determine
whether access is allowed
a. private
b. public
c. protected
d. virtual
d
Identify a true statement about the Sid element
a. It can be used to retrieve a particular statement within an IAM policy
b. It is the main element for a policy
c. It specifies whether a statement will result in an allow or explicit deny
d. It is an optional identifier you provide for a policy statement
a
In regards to IAM, select the correct statement
a. You can give your IAM users the ability to create temporary security credentials,
but users cannot use these credentials to access IAM or AWS STS
b. You can give your IAM users the ability to create temporary credentials. the user
can use these credentials to access the IAM as well as the AWS STS
c. You can give your IAM users the ability to create temporary security credentials,
but users cannot use these credentials to access IAM but they can use these to
access AWS STS
d. You can give your IAM users the ability to create temporary security credentials,
but users cannot use these credentials to access AWS STS but they can use these
to access IAM
a
An organization has enabled a strict password policy for its IAM users. The
organization is using the IAM console to set the password policy. Which of
the below mentioned rules cannot be specified by the user as a part of the policy?
a. Do not allow the user to reuse any of their last three passwords
b. Require at least one non-alphanumeric character
c. Require at least one lowercase letter
d. Require at least one number
a
Bob is an IAM user who has access to the EC2 services. Admin is an IAM user who
has access to all the AWS services including IAM. Can Bob change his password?
a. Yes, provided Admin has given Bob access to change his password
b. Yes, only from the AWS console
c. Yes, only from the AWS CLI
d. No, the IAM user can never change the password
b
A root AWS account owner has created three IAM users: Bob, John and Michael.
Michael is an IAM administrator. Bob and John are not superusers, but
users with some pre-defined policies. John does not have access to modify his
password. Thus, he asks Bob to change his password. How can Bob change John's
password?
a. It is not possible that John cannot modify his password
b. Provided Michael has added Bob to a group which has permissions to modify the
IAM passwords
c. Provided Bob is the manager of John
d. This statement is false. It should be Michael who changes the password for
John
d
A user is part of a group which has a policy allowing him read-only access to
EC2. The user is part of another group which has full access to EC2. What happens
when the user tries to launch an instance?
a. It will fail since the user has just read-only access
b. It will not allow the user to add to the conflicting groups
c. It will allow or deny based on the group under which the user has logged into EC2
d. It will allow the user to launch the instance
c
Select the incorrect statement about IAM
a. As the account owner, you can grant users access to your AWS account billing
and usage information
b. As the account owner, you should create a password for each user who needs
access to the AWS management console
c. As the account owner, you should provide access to the users to read the posts
on the AWS discussion forum
d. As the Account owner, you need to provide permission for users with passwords
to access your AWS resources
a
True or False: In IAM, Amazon does not automatically update policies that refer to a
group whose name has recently changed; you must do it manually
a. True, in IAM, you should manually update policies that refer to a group whose
name has recently changed
b. True, in IAM, Amazon does not automatically update policies that refer to a group
whose name has recently changed, but it can if the name contains alphanumeric characters
c. False, in IAM, Amazon automatically updates policies that refer to a group whose
name has recently changed
d. True, in IAM, Amazon does not automatically update policies that refer to a group
whose name has recently changed, but it can be automated with a 3rd-party product
b
In regards to IAM, select the correct statement
a. None of these
b. When you use IAM API actions such as ListUsers and GetGroup which let you
paginate the results, you may need to call the action multiple times in order to get the
full list of users
c. When you use IAM API actions such as ListUsers and GetGroup which let you
paginate the results, you need to call the action twice in order to get the full list of
users
d. When you use IAM API actions such as ListUsers and GetGroup which let you
paginate the results, you need to call the action once in order to get the full list of
users
d
In the context of IAM roles for EC2, which of the following is NOT true about
delegating permission to make API requests?
a. You can have the application retrieve a set of temporary credentials and use them
b. You can specify the role when you launch your instances
c. You can define which API actions and resources the application use after
assuming the role
d. You cannot create an IAM role
a
Which of the following is used by RDS to control access to specific RDS DB
instances
a. Both the DB engine login and DB security groups
b. Only the DB engine login names
c. Only the DB security groups
d. Either the DB engine login or the DB security groups
d
If an IAM policy has multiple conditions or if a condition has multiple keys, its
boolean outcome will be calculated using a logical ________ operation
a. NOR
b. None
c. OR
d. AND
b
When using IAM policies , if there are multiple conditions or if there are multiple keys
in a single condition the conditions are evaluated using a logical _________
a. OR
b. AND
c. XOR
d. NOT
a
Which of the following is true while using an IAM role to grant permissions to
applications running on Amazon EC2 instances?
a. Only one role can be assigned to an EC2 instance at a time
b. All applications on the instance share the same role, but different permissions
c. All applications on the instance share multiple roles and permissions
d. Multiple roles are assigned to an EC2 instance at a time
a
An organization has three separate AWS accounts, one each for development,
testing and production. The organization wants the testing team to have access to
certain AWS resources in the production account. How can the organization achieve
this?
a. Create an IAM role with cross account access
b. Create an IAM user in a test account and allow it access to the production
environment with the IAM policy
c. Create the IAM user in the test account and allow it access to the production
environment with the IAM policy
d. Create the IAM users with cross account access
d
To create custom policies for IAM users, you must be logged in as the account owner or
as ________ who has been granted permissions to manage policies for others
a. A normal user
b. Root account user
c. Account owner
d. IAM user
a
In the context of Amazon CloudFront, what does the following policy do?
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudfront:*"],
    "Resource": "*"
  }]
}
a. It creates a policy that is attached to a group to give the group read and write
access to all of the CloudFront resources
b. It creates a policy that is attached to a group to give the group read access to all
of the CloudFront distributions
c. It creates a policy that is attached to a group to provide protected access to all of
the CloudFront distributions
d. It creates a policy that is attached to a group to provide private access to all of
the CloudFront distributions
c
An organization has created 10 IAM users. The organization wants those users to
work independently and access AWS. Which of the options mentioned below is not a
possible solution?
a. Create the X.509 certificate for each user and provide them access to AWS CLI
b. Enable MFA for each IAM user and assign them the virtual MFA device to access
the console
c. Create the access key and secret access key for each user and provide access to
AWS using the console
d. Provide each user with the IAM login and password for the AWS console
c
A user has defined an IAM policy similar to the one given below on a bucket:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::12112112:user/test"
    },
    "Action": [
      "s3:GetBucketLocation",
      "s3:ListBucket",
      "s3:GetObject"
    ],
    "Resource": [
      "arn:aws:s3:::cloudacademy"
    ]
  }]
}
What will this do?
a. It will allow all the IAM users of the account ID 12112112 to perform
GetBucketLocation, ListBucket and GetObject on the bucket cloudacademy
b. It will result in an error saying invalid policy statement
c. Allows the user test of the AWS account ID 12112112 to perform
GetBucketLocation, ListBucket and GetObject on the bucket cloudacademy
d. It will create an IAM policy for the user test
c
True or False: There are no Amazon CloudFront resource ARNs for you to use in an
IAM policy
a. False. CloudFront has its own Resource names to use in an IAM policy
b. False. All Amazon services have ARNs to use in an IAM policy
c. True, there are no such ARNs because you cannot specify the resources to
control access to
d. True, there are no such ARNs if your IAM policy is redundant
c
A sysadmin has created the below policy on the S3 bucket named CloudAcademy.
What does this policy define?
{
  "Statement": [{
    "Sid": "Stmt1388811069831",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObjectAcl", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::cloudacademy"]
  }]
}
a. It will make the cloudacademy bucket as well as its objects public
b. It will allow everyone to view the ACL of the bucket
c. It will make the cloudacademy bucket public
d. It will give an error as no object is defined as part of the policy while the action
defines the rule about the object
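Both bucket-policy questions above turn on details a reviewer checks mechanically: whether Principal is "*" (a public grant), whether an object-level action such as s3:GetObjectAcl or s3:GetObject is granted only on a bucket ARN (it then grants nothing, because objects are arn:aws:s3:::bucket/key), and whether the S3 ARN itself is well-formed. The Python below is an added example written for this page, not an AWS tool or the quiz's own material; the two sample policies are constructed to mirror the ones in the questions, and the first deliberately keeps a two-colon ARN so that the malformed-ARN check fires. Wildcards inside ARNs are not interpreted.

```python
"""Static checks for an S3 bucket policy (added example, not an AWS tool).
Flags a wildcard Principal, object-level actions granted only on a bucket ARN
(they grant nothing, because objects are arn:aws:s3:::bucket/key), bucket-level
actions granted only on object ARNs, and malformed S3 ARNs. Wildcards inside
ARNs are not interpreted."""

OBJECT_ACTIONS = {"s3:getobject", "s3:getobjectacl", "s3:putobject",
                  "s3:putobjectacl", "s3:deleteobject"}
BUCKET_ACTIONS = {"s3:listbucket", "s3:getbucketlocation", "s3:getbucketacl",
                  "s3:putbucketpolicy", "s3:listbucketversions"}


def _as_list(value):
    """Most policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """Principal "*" or {"AWS": "*"} matches every AWS account and anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def lint_bucket_policy(policy):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        label = stmt.get("Sid") or f"statement[{index}]"
        resources = _as_list(stmt.get("Resource", []))
        for arn in resources:
            if arn.startswith("arn:aws:s3:") and not arn.startswith("arn:aws:s3:::"):
                findings.append(f"{label}: malformed S3 ARN {arn!r}, expected arn:aws:s3:::bucket[/key]")
        if stmt.get("Effect") != "Allow":
            continue  # a Deny cannot widen access, so the grant checks do not apply
        if _is_public(stmt.get("Principal")):
            findings.append(f"{label}: public grant, Principal is '*'")
        names_object = any("/" in arn for arn in resources)
        names_bucket = any("/" not in arn for arn in resources)
        for action in (a.lower() for a in _as_list(stmt.get("Action", []))):
            if action in OBJECT_ACTIONS and not names_object:
                findings.append(f"{label}: {action} is object-level but no object ARN "
                                f"(bucket/*) is listed, so it grants nothing")
            elif action in BUCKET_ACTIONS and not names_bucket:
                findings.append(f"{label}: {action} is bucket-level but only object ARNs are listed")
    return findings


# Constructed samples modelled on the two policies in the questions above. The
# first keeps the two-colon ARN on purpose so the malformed-ARN check fires.
PUBLIC_POLICY = {"Statement": [{
    "Sid": "Stmt1388811069831", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObjectAcl", "s3:ListBucket"],
    "Resource": ["arn:aws:s3::cloudacademy"]}]}

USER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::12112112:user/test"},
    "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::cloudacademy"]}]}

if __name__ == "__main__":
    for name, policy in (("PUBLIC_POLICY", PUBLIC_POLICY), ("USER_POLICY", USER_POLICY)):
        print(name)
        for finding in lint_bucket_policy(policy):
            print(" ", finding)
```

Run lint_bucket_policy on a policy document loaded with json.load. Note what the empty result means: none of these three checks fired, not that the policy is safe; the second sample still grants s3:ListBucket to the named user, which is the intended effect, while its s3:GetObject grant on the bucket ARN is flagged as doing nothing.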
b
In IAM what is the maximum number of Server certificates allowed per AWS account
a. 5
b. 20
c. 15
d. 10
a
IAM's policy evaluation logic follows several basic rules. Please select the incorrect
rule from the options given below
1. By default, all requests receive a default deny, except for requests that use AWS
account's root credentials
2. An explicit allow overrides any default denies
3. An explicit deny never overrides any allows
4. The order in which the policies are evaluated is not important

a. 3
b. 4
c. None
d. 1
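The four rules above, together with the earlier questions on conflicting Allow and Deny statements in two groups, the AND/OR semantics of Condition blocks, MFA-protected API access (aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge) and the external ID in an AssumeRole trust policy, can all be exercised against one small model. The Python below is an added example written for this page, not AWS code or the quiz's own material. It models only what those questions describe: Principal matching is left out, the bucket and object names, and the external ID cust-0042 are constructed values, and the trust policy is written with Resource "*" so that it runs through the same evaluator.

```python
"""Toy model of IAM policy evaluation (added example, not AWS code).
Rules modelled: every request starts as an implicit deny; a matching Allow
makes it an allow; a matching Deny wins over any Allow, whatever the statement
order; in a Condition block, operators and keys are ANDed and the values listed
for one key are ORed. Principal matching is left out."""
import fnmatch


def _as_list(value):
    """Most IAM elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


# Each predicate gets the policy's list of values for one key plus the request
# value; matching any listed value is enough (the OR across values).
OPERATORS = {
    "StringEquals": lambda wanted, actual: actual in wanted,
    "StringLike": lambda wanted, actual: any(fnmatch.fnmatchcase(actual, w) for w in wanted),
    "Bool": lambda wanted, actual: str(actual).lower() in {str(w).lower() for w in wanted},
    "NumericLessThan": lambda wanted, actual: any(float(actual) < float(w) for w in wanted),
}


def condition_matches(condition, ctx):
    """Every operator block and every key in it must hold (AND); a key missing
    from the request context never matches."""
    for operator, keys in condition.items():
        predicate = OPERATORS[operator]
        for key, wanted in keys.items():
            if key not in ctx or not predicate(_as_list(wanted), ctx[key]):
                return False
    return True


def statement_matches(stmt, action, resource, ctx):
    """Action names are case-insensitive and may use wildcards; resource ARNs
    are compared as written."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", "*"))
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
        return False
    return condition_matches(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx=None):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for one request."""
    ctx = ctx or {}
    decision = "implicitDeny"  # the default deny every request starts with
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_matches(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # no Allow anywhere can override this
            decision = "allow"
    return decision


def simple(effect, action, resource="*"):
    """Single-statement policy with no conditions."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": effect, "Action": action, "Resource": resource}]}


# MFA-protected API access: existence (Bool) AND freshness (NumericLessThan).
MFA_TERMINATE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                  "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}}}]}
# Trust policy for a third party such as Coralbells Corp: the customer-chosen
# external ID (cust-0042 is a constructed value) must accompany AssumeRole.
CORALBELLS_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*",
    "Condition": {"StringEquals": {"sts:ExternalId": "cust-0042"}}}]}


def quiz_scenarios():
    """Decisions for the situations the quiz questions describe."""
    ro_ec2, full_ec2 = simple("Allow", "ec2:Describe*"), simple("Allow", "ec2:*")
    allow_s3, deny_s3 = simple("Allow", "s3:*"), simple("Deny", "s3:*")
    obj = "arn:aws:s3:::cloudacademy/report.csv"
    fresh = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "120"}
    stale = {**fresh, "aws:MultiFactorAuthAge": "7200"}
    return {
        "readonly_run": evaluate([ro_ec2], "ec2:RunInstances", "*"),
        "two_groups_run": evaluate([ro_ec2, full_ec2], "ec2:RunInstances", "*"),
        "allow_then_deny": evaluate([allow_s3, deny_s3], "s3:GetObject", obj),
        "deny_then_allow": evaluate([deny_s3, allow_s3], "s3:GetObject", obj),
        "mfa_fresh": evaluate([MFA_TERMINATE], "ec2:TerminateInstances", "*", fresh),
        "mfa_stale": evaluate([MFA_TERMINATE], "ec2:TerminateInstances", "*", stale),
        "mfa_absent": evaluate([MFA_TERMINATE], "ec2:TerminateInstances", "*"),
        "ext_id_ok": evaluate([CORALBELLS_TRUST], "sts:AssumeRole", "*",
                              {"sts:ExternalId": "cust-0042"}),
        "ext_id_missing": evaluate([CORALBELLS_TRUST], "sts:AssumeRole", "*"),
    }
```

quiz_scenarios() returns the decision for each case by name: the read-only group alone cannot launch an instance, the second group's Allow lifts that to an allow, the S3 Deny wins in either order, an MFA session older than 3600 seconds fails the NumericLessThan check just as a session with no MFA fails the Bool check, and an AssumeRole without the external ID falls back to the implicit deny.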
c
Having set up a client's S3 bucket containing videos to make some money via
DevPay, you are now concerned that this data is not safe from unintended user
errors or application failure. To protect this S3 data from such accidental failures, you
should
a. enable S3 RRS
b. access S3 via signed URL
c. enable S3 versioning
d. enable multi AZ archives and backup storage for content in S3 buckets
b
Identify a correct statement about IAM friendly names and paths
a. If a user and a group are given the same IAM path , the two are assigned different
account IDs
b. If you give a user and group the same path, the user is not automatically put in
that group
c. If you give a user and group the same path, the user is automatically put in that
group
d. If you are using the IAM API or AWS CLI to create IAM entities you cannot
optionally give the entity a path
c
In the AWS IAM , the version element specifies the policy language version. Which
of the following are currently the only allowed values?
a. 2011-10-17 , 2008-10-17
b. 2015-10-17 , 2014-10-17
c. 2012-10-17 , 2008-10-17
d. 2012-10-17 , 2009-10-17
c
Are you able to integrate a multi-factor token service with the AWS platform?
a. Yes, using the AWS MFA token devices to authenticate users on the AWS platform
b. No, you cannot integrate MFA token devices with the AWS platform
c. Yes, you can integrate private MFA token devices to authenticate
d. IAM does not delete the group membership of which the user was a member
a
You have just taken over managing your company's AWS account. As one of your
first tasks, you are reviewing IAM groups and their associated permissions. You
notice that one of the groups has two conflicting permissions attached, one that
allows S3 access, and one that denies S3 access. If your goal is to allow members
of the group to have S3 access, what needs to be done?
a. You must remove the deny policy, as a deny policy will override an allow policy
b. Nothing, as the allow policy overrides the deny policy
c. You just need to add a second allow rule
d. You must delete and recreate the group and its permissions

Terms in this set (9)

Statement
formal definition of a single permission
Principal
An entity as defined in IAM; elements go into policies, and the details vary by service
Action
the activity, typically an API call the principal has permission to perform
Resource
the object the principal is requesting access to.
Conditions
Restrictions or details about the permission.
Keys
specific characteristics about a condition.
Requestor
The person who makes a call to an AWS service.
Evaluation
The process an AWS service uses to determine the permissions granted to a requestor.
Effect
The result of the evaluated policies, resulting in either allow or deny.

Terms in this set (8)

[IAM] What is AWS IAM?
AWS Identity and Access Management (IAM) is a web service that helps you securely
control access to AWS resources. You use IAM to control who is authenticated (signed in)
and authorized (has permissions) to use resources.
[IAM] Critical Terms
- Users - End Users (think people)
- Groups - a collection of users under one set of permissions
- Roles - you create roles and can then assign them to AWS resources
- Policies - a document, that defines one/more permissions
[IAM] Is IAM a region-oriented service or a global one?
It is a global one. All data is spread across all regions.
[IAM] What is the root account?
It is simply the account created when you first set up your AWS account. It has complete
admin access.
[IAM] Default permissions for new users?
New users have no permissions on creation.
[IAM] What are the Access Key ID and Secret Access Key? Is this data stored anywhere?
These are like a login and password for accessing AWS via the CLI or for interacting with AWS via the API.
They are shown to you only once.
[IAM] Is it possible to use multifactor authentication on your root account?
Yes, and it is strongly recommended.
[IAM] Does IAM have strictly defined password rotation policies for all users?
No, you can create and customize your own password rotation policies.

Terms in this set (11)

IAM
Allows you to manage users, groups, roles, and their corresponding access to
the AWS platform
Power User Access
Allows access to all services except for management of groups and users within IAM
What level of access does the "root" account have?
Administrator Access
You are a solutions architect working for a large engineering company that is
moving its existing legacy hardware to AWS. You have configured their first AWS
account and you have set up IAM. Your company will be primarily based out of West
Germany; however, they will have a small subsidiary operating out of South Korea
and you will need an AWS environment configured there as well. Which of the
following statements is true?
You will need to configure Users and Policy Groups only once, as they are applied
globally
You have a client who is considering moving to AWS services and does not yet have
an account. What is the first thing the company should do to set up an AWS
account?
Set up an account using their company email address
You are a security administrator working for a hotel chain. You have a new member
of staff who has started as a systems administrator and they will need full access to
the AWS console. You have created the user account and generated the access key
id and the secret access key. You have moved this user into the group where the
other administrators are and you have provided the new user with their secret
access key and their access key ID. However, when they go to log in to the AWS
console, they cannot sign in. What could be the cause of this?
You cannot log in to the console using a secret access key and an access key ID;
instead you must generate a password for the user, and supply the user with the
password as well as the unique link to sign in to the AWS console
What is an additional way to secure IAM for both the root login and new users alike?
Implement multi-factor authentication for all accounts
By default when you create a new user in the IAM console, what level of access do
they have?
No access to any AWS services
In what language are policy documents written?
JSON
Format for structuring ARNs (Amazon Resource Names: uniquely identify AWS
resources)
arn:partition:service:region:account-id:resource
arn:partition:service:region:account-id:resourcetype/resource
arn:partition:service:region:account-id:resourcetype:resource
Tasks that require you to sign in as the root user
Modify root user details. This includes changing the root user's password.
Change your AWS support plan.
Change or delete your payment options.
View your account's billing information. For information about how to enable billing
access for IAM users, see Activating Access to the Billing and Cost Management
Console.
Close an AWS account.
Sign up for GovCloud.
Submit a Reverse DNS for Amazon EC2 request. The "this form" link on that page to
submit a request works only if you sign in with root credentials.
Create a CloudFront key pair.
Create an AWS-created X.509 signing certificate. (You can still make self-created
certificates for IAM users.)
Transfer an Amazon Route 53 domain to another AWS account.
Change the Amazon EC2 setting for longer resource IDs. Changing the setting as
root affects all users and roles in the account. Changing as an IAM user or IAM role
affects only that user or role.
Submit a request to perform penetration testing on your AWS infrastructure.
Open an AWS Support case where you specify Regarding: Account and Billing
Support.
Request removal of the port 25 email throttle on your EC2 instance.

Terms in this set (2)

A company is building software on AWS that requires access to various AWS services.
Which configuration should be used to ensure that AWS credentials (i.e., Access Key
ID/Secret Access Key combination) are not compromised?

a.) Enable Multi-Factor Authentication for your AWS root account.

b.) Assign an IAM role to the Amazon EC2 instance.

c.) Store the AWS Access Key ID/Secret Access Key combination in software comments.

d.) Assign an IAM user to the Amazon EC2 Instance.


c.) Store the AWS Access Key ID/Secret Access Key combination in software comments.
A company is preparing to give AWS Management Console access to developers. Company
policy mandates identity federation and role-based access control. Roles are currently
assigned using groups in the corporate Active Directory. What combination of the following
will give developers access to the AWS console? (Choose 2 answers)

a.) AWS Directory Service AD Connector

b.) AWS Directory Service Simple AD

c.) AWS Identity and Access Management groups

d.) AWS Identity and Access Management roles

e.) AWS Identity and Access Management users


a.) AWS Directory Service AD Connector
e.) AWS Identity and Access Management users
