1. Introduction to AWS Flashcards

to be added later (38 cards)

1
Q

all the functionality of AWS is exposed through

A

APIs.

Every command in AWS is fundamentally an API request

2
Q

The Management Console helps manage resources manually. Programmatic management of AWS resources is possible through

A

AWS CLI or AWS SDK. These help automate the management of resources on cloud.

3
Q

The AWS CLI and the SDK on the same server can share configuration settings (like credentials, region, profiles) through files like

A

~/.aws/config
~/.aws/credentials

4
Q

In comparison to an IAM user, the root user has the permissions to

A
  • Change billing information
  • Close AWS account
5
Q

An AWS-managed policy that grants full access to all AWS services and resources.

A

Administrator Access
It essentially allows performing any action ("Action": "*") on any resource ("Resource": "*").
Its Amazon Resource Name (ARN) is arn:aws:iam::aws:policy/AdministratorAccess.

used by the initial administrator user created after setting up an AWS a

6
Q

When there is no explicit region, ARNs of AWS-managed policies have _ as the separator, while ARNs of customer-managed policies have _

A
  1. ::aws
  2. ::123456789012 (account ID)
7
Q

In ARNs, when a service is global (not region-specific), _ is used as the separator.
When a service is global (not region-specific) and not account-specific, _ is used as the separator.

A
  1. double colon (::)
  2. triple colon (:::)

Example: AWS-managed IAM policies apply globally (not region-specific), so their ARNs include a double colon as shown below:
arn:aws:iam::aws:policy/AdministratorAccess

Example: some global AWS services (like S3 or IAM) do not require a region or account ID, leading to extra colons, so their ARNs include a triple colon as shown below:
arn:aws:s3:::my-bucket-name
arn:aws:iam:::role/MyGlobalRole

Some AWS service-linked roles and global IAM roles may omit the account ID:
* arn:aws:iam:::role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations
* arn:aws:iam:::role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig

8
Q

To log into the management console, an IAM user needs

A
  • Console Sign-in URL
  • User Name
  • Password
9
Q

Access Keys of an IAM user are generated by root user.
(T/F)

A

True.

Go to the Users menu in IAM, select the Security Credentials tab, and click the “Create Access Key” button.

On the final page you are given the chance to copy two values: the Access Key, which you can always obtain again, and the Secret Access Key, which you will not see again.

10
Q

The command “aws configure” initiates a series of prompts for 4 values. What are they?

A
  1. Access Key ID
  2. Secret Access Key
  3. Default Region Name
  4. Default Output Format (json)
11
Q

CLI command to confirm which identity/user the AWS CLI is currently operating as

A

aws iam get-user

You can also get the details of the IAM user with a specific name:
aws iam get-user --user-name my-application-user

The command returns a JSON object containing the user’s details.

12
Q

Command to configure CLI with named profiles

A

aws configure --profile developer

You will be prompted for the configuration values again. From then on, you may append --profile developer to any AWS CLI command to run it as this alternate user.

13
Q

AWS tool to launch a CLI terminal window in your web browser

A

Cloud Shell

14
Q

CLI command format

A

CLI commands are invoked in the format aws service-name command, followed by any additional parameters or flags.

To see all services, use aws help and to see all commands for a service, use aws service-name help.

15
Q

list details of all S3 buckets in your account

A

aws s3 ls

16
Q

show details of all EC2 instances in your account

A

aws ec2 describe-instances

17
Q

What’s the purpose of signing the API request to AWS resource/service?

A

The SDK/CLI signs every API request to add authentication information.

The SDK/CLI uses your secret access key (which only you and AWS should know) to create a unique digital signature based on the entire request (the action being called, the parameters, the timestamp, etc.).

This signature is sent along with your access key ID in the request.

AWS receives the request, looks up the provided access key ID to find the associated secret key (which it stored when the key pair was created), and then independently calculates its own signature from the request details it received.

The signature calculated by AWS must match the signature sent with the request for the request to be authenticated.

18
Q

API request made through SDK/CLI uses _ for authentication and _ for authorization.

A
  1. signature
  2. IAM policy

Only after successful authentication does AWS proceed to the authorization step. AWS then checks the policies attached to that identity.

19
Q

If an API request from the CLI/SDK returns an “access denied” error, then

A

the policy attached to the user does not authorize the action described in the API request.

20
Q

Difference between the “403 Forbidden” and “401 Unauthorized” responses to an API request to AWS

A
  • 403 Forbidden: indicates that the server understood the request but refuses to authorize it. This is a perfect fit for an authorization failure – AWS knows who you are (authentication succeeded), but your identity does not have the necessary permissions (authorization failed)
  • 401 Unauthorized: indicates that authentication failed (the server doesn’t know who you are or your credentials were invalid).
21
Q

The SDK and CLI both automatically check several locations for configuration and credentials, when they are not explicitly provided in the code. These locations include

A
  • environment variables
  • programming language–specific parameter stores
  • local files
22
Q

Best Practice for managing credentials automatically for code running on an AWS compute environment like EC2 or Lambda

A

Assign an IAM role to the environment (EC2/Lambda).

This enables the SDK to load the credentials automatically from the role and to refresh the credentials as they are automatically rotated.

23
Q

IAM roles provide temporary credentials for access to AWS compute environments. Give 3 examples.

A
  1. EC2InstanceRole: Used for applications running on EC2 that need access to AWS services (e.g., S3, DynamoDB).
  2. LambdaExecutionRole: Required for Lambda functions to interact with services like S3, DynamoDB, or SNS
  3. ECSTaskRole: Allows ECS tasks to access AWS services securely
24
Q

Temporary security credentials of an IAM role are issued by which AWS service?

A

AWS Security Token Service (STS)

25
Q

List 3 kinds of identities in IAM

A
  1. User
  2. Group
  3. Role
26
Q

Every identity has a list of policies associated with it, each of which is used to _ API requests made to AWS.

A

authorize

AWS evaluates the policies associated with the identity making the API request.

27
Q

Users who need the same kind of permissions can be associated with a group. Then the _ assigned to the group define the permissions applied to each member of the group.

A

policies

IAM users within an IAM group inherit permissions from the policies attached to their group, plus any permissions from policies that are attached directly to that IAM user. An individual IAM user can be a member of many IAM groups.

28
Q

Clash of effects: in the case that multiple permissions policies apply to the same API action, any policy that has the effect _ will take precedence over any policy that has the effect _.

A
  1. deny
  2. allow
29
Q

_ defines which AWS account, IAM role, or IAM user is trusted to assume a role. Think of it as a set of rules that specifies who can assume a role and under what conditions.

A

Trust Policy

A trust policy is associated with a particular role.

30
Q

_ is the entity (user, application, or service) that is allowed or denied access to a resource by a policy. It can be an AWS account, IAM user, IAM role, federated user, or an AWS service.

A

Principal

31
Q

_ answers who can assume this role and _ answers what actions this role can perform once assumed.

A
  1. Trust Policy
  2. Permissions Policy

Example of a trust policy:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
This policy means that the ec2.amazonaws.com service (i.e., EC2 instances) is trusted to assume this role.

Example of a permissions policy:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```
This policy allows any principal assuming this role to perform any action (s3:*) on all objects within example-bucket.

32
Q

Short-term security credentials obtained from the AWS Security Token Service (AWS STS) are composed of

A
  1. access key ID
  2. secret access key
  3. session token
  4. expiration date
33
Q

While a user assumes a role, their permissions are limited to what the role can do; any permissions the user has directly attached or inherited from a group are _

A

not evaluated

You cannot nest IAM roles or add IAM roles to IAM groups.

34
Q

The process of the SDK proactively requesting and replacing expiring temporary credentials with new ones from the _ service is what is called "automatic rotation".

A

metadata

The SDK automatically manages the lifecycle of these temporary keys by requesting new ones from the environment's metadata service before the current ones expire. The metadata service talks to STS in the background.

35
Q

If a policy contains a statement having "Action": "sts:AssumeRole", then the policy is

A

Trust policy

36
Q

If a policy contains a statement having a specific "Principal", a specific "Resource" and an "Action" of a specific AWS service other than STS, then the policy is

A

Resource-based Policy

37
Q

If a policy contains a statement having no specific "Principal", then that policy is

A

IAM policy

38
Q

CLI command to attach a resource-based policy to an S3 bucket?

A

aws s3api put-bucket-policy
```
{
  "Sid": "PublicReadGetObject",
  "Effect": "Allow",
  "Principal": "*",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
}
```