IAM, ACCOUNTS AND AWS ORGANISATIONS

Question 1

IAM Policies Priority? (The first is the higher)

Answer 1

1. Explicit DENY
2. Explicit ALLOW
3. Default DENY (Implicit)

Question 2

What are the types of IAM Policies?

Answer 2

1. Inline Policy
2. Managed Policy

Question 3

Does these 2 ARN overlap?
- arn:aws:s3:::catgifs
- arn:aws:s3:::catgifs/*

Answer 3

No. The first references a Bucket and the second the Objects in the bucket

Question 4

What are IAM users limits?

Answer 4

1. only 5000 IAM users/account
2. user can be a member of maximum 10 groups

Question 5

What are IAM Groups?

Answer 5

Are containers for Users. I cannot login into an IAM Group and they do not have credentials of their own.

Question 6

Is there a default all users IAM Group in AWS?

Answer 6

No

Question 7

Can you nest IAM Groups?

Answer 7

No

Question 8

Are there any IAM Group limits?

Answer 8

300 Groups/account (but can be increased w/ support ticket)

Question 9

Can IAM Groups be referenced as a principal in a policy? For example when applying a resource policy?

Answer 9

No. Groups are not a true identity.

Question 10

What are the IAM Roles Policies?

Answer 10

1. Trust Policy
2. Permissions Policy

Question 11

What is STS?

Answer 11

Secure Token Service

Question 12

What is a service-linked role?

Answer 12

1. IAM Role linked to an AWS service
2. You cannot delete the role until it’s no longer required

Question 13

What is AWS Organizations?

Answer 13

It helps managing larger numbers of AWS Accounts

Question 14

What is SCP?

Answer 14

Service Control Policies - that is a account permission boundary

Question 15

Can I attach a SCP to a Root Container of the Organization?

Answer 15

No. The SCP will never affect the Management account

Question 16

Can you apply a SCP to the account root user of the Root Container of the Organizations?

Answer 16

Yes. And it will also indirectly restrict the Root Container of the Organization

Question 17

Do SCP grant permissions?

Answer 17

No

Question 18

What is the default for SCP: Allow list or Deny list?

Answer 18

Deny list - which means that it will allow everything except what is defined in the Deny list

Question 19

What is CloudWatch Logs?

Answer 19

A Public Service. It allows to store, monitor and access logging data

Question 20

What is CloudTrail?

Answer 20

It is a product which logs API calls and account events

Question 21

For how long are CloudTrail Events stored by default in Event History?

Answer 21

90 days (no cost for 90 days of history) and no S3

Question 22

Is CloudTrail by default storing Management and Data events?

Answer 22

No. Only Management events.

Question 23

Is CloudTrail regional or global service?

Answer 23

Regional

Question 24

Where does CloudTrail logs data?

Answer 24

In the same region of the service or in us-east-1 if they are global services (IAM, STS, CloudFront)

Question 25

Is CloudTrail visible in realtime?

Answer 25

No, it takes 15min to see the logs

Question 26

What is Control Tower?

Answer 26

A quick and easy setup of multi-account environment

Question 27

What is IAM Identity Center?

Answer 27

SSO (Single-Sign-On)

Question 28

IMPORTANT: Study more Control Tower

Answer 28

Really!!