IAM, ACCOUNTS AND AWS ORGANISATIONS

Question 1

Specifiy a list of resources to which the api actions apply

Answer 1

Resource

Question 2

Optional – specifies the preliminary rules under which the policy grants permissions

Answer 2

Condition

Question 3

List of actions or api that the policy allows or denies

Answer 3

Action

Question 4

Refers to an IAM Identity you define

Answer 4

Principle

Question 5

Only 2 possible values – allow, deny

Answer 5

Effect

Question 6

First priority when evaluating policy logic

Answer 6

Explicit Denies

Question 7

Second priority when evaluating policy logic

Answer 7

Explicit Allow

Question 8

Third priority when evaluating policy logic

Answer 8

Default Deny

Question 9

Remains unchanged even if you delete its associated IAM identity, It doesn’t have a strict one-to-one relationship to its associated IAM identity

Answer 9

Standalone Policy

Question 10

Will be automatically be deleted if you delete its associated identity, Has a strict one-to-one relationship to its associated IAM identity

Answer 10

Inline Policy

Question 11

Used for special or exceptional allows or denies

Answer 11

Inline Policies

Question 12

The identity used for anything requiring long-term AWS access usually only a single principal

Answer 12

IAM User

Question 13

Person or application that makes requests to IAM to interact with resources

Answer 13

Principal

Question 14

Process where principal proves their identity

Answer 14

Authenticate

Question 15

Uniquely identify resources within any AWS accounts

Answer 15

Amazon Resource Name (ARN)

Question 16

max iam users per account

Answer 16

5000

Question 17

max number of group iam users can be apart of

Answer 17

10

Question 18

containers used to make management of IAM users easier

Answer 18

Groups

Question 19

Limited to 300 per account but can be increased

Answer 19

IAM Groups

Question 20

Can groups be referenced as a principal in a policy?

Answer 20

No

Question 21

Used by an unknown number of principals on a temporary basis that represents the level of access in an AWS Account

Answer 21

IAM Role

Question 22

Generated by STS and given to identites that assume roles that act as access keys

Answer 22

Temporary Security Credentials

Question 23

Anything that is not an AWS Identity needs permissions should be given?

Answer 23

IAM Role

Question 24

Can external account be used in AWS directly?

Answer 24

No

Question 25

Using an external identity provider and giving the external identities roles to perform actions

Answer 25

ID Federation

Question 26

Predefined IAM Role that is linked to a specific AWS Service

Answer 26

Service-linked roles

Question 27

Product that allows large business to manage multiple accounts

Answer 27

AWS Organizations

Question 28

Account used to create an organization and receives the bill for all members apart of that organzation

Answer 28

Management Account

Question 29

Can the management account be restricted using SCP?

Answer 29

No

Question 30

Account permission boundaries that limit what the account (including root user) can do.

Answer 30

Service Control Policies

Question 31

Do service control policies grant permissions?

Answer 31

No just define what is and isnt allowed

Question 32

Solution If your identity store is not compatible with SAML 2.0

Answer 32

build a custom identity broker application