IAM

Question 1

IAM

Answer 1

Identity Access Management - Where you manage your AWS users and their access to AWS Accounts and Services.

Question 2

What are the common uses for IAM

Answer 2

To Manage

1. Users
2. Groups
3. IAM Access Policies
4. Roles

Question 3

What is the name of the default user when you create an AWS account?

Answer 3

“root” user

Question 4

What permissions does the “root” user have by default?

Answer 4

The root user has FULL administrative rights and access to every part of the account.

Question 5

What access do new users have upon creation?

Answer 5

By default, new users are created with No access to any AWS services (except the ability to login).

Question 6

IAM Setup (Best Practices)

Answer 6

Delete root access keys
Activate MFA
Create individual IAM users
Use groups to assign permissions.
Apply IAM Password Policy

Question 7

IAM Daily Best Practice

Answer 7

Login and Perform work as an IAM User

Question 8

Which policy overrules all other policies?

Answer 8

Deny All overrules any allow rules.

Question 9

Define - Admin, Power User, and Read Only Access

Answer 9

1. Full Access to All AWS Resources.
2. Admin without user/group management permissions.
3. Only view AWS resources.

Question 10

What is the Policy simulator?

Answer 10

Allows you to test policies to see if they provide expected behavior before applying to groups/users.

Question 11

How many policies can be attached to a user?

Answer 11

Unlimited.

Question 12

Can policies be attached to AWS resources / services?

Answer 12

No (roles).

Question 13

Best Practice - Should user credentials be stored or passed to an EC2 Instance?

Answer 13

No.

Question 14

Does an explicit deny overrule an explicit allow?

Answer 14

Yes.

Question 15

Benefits of Groups

Answer 15

1. Allow you to assign IAM permission policies to more than one user at a time. This allows for easier access management to AWS resources.

Question 16

Roles are applied to…

Answer 16

AWS resources / Services.

Question 17

How many roles can be assigned to an EC2 instance?

Answer 17

One at a time.

Question 18

Policies are attached to a role and the EC2 instance can assume that role. T/F

Answer 18

True

Question 19

STS

Answer 19

Security Token Service.
Temporary access to AWS resources.
Once expired they can no longer be utilized.

Question 20

What components are returned when utilizing a STS.

Answer 20

Security Token
An Access Key ID
A Secret Access Key

Question 21

What are the benefits of STS?

Answer 21

Temporary Access
Do not have to embed credentials in Resources / Application.
Can Grant access without an IAM account.
Do not have to manage, rotate or revoke.

Question 22

When should you use STS?

Answer 22

Identity Federation (AD)
Web Federation (Facebook, Google, etc.)
Roles for cross account access (prod/dev).
Roles for Amazon

Question 23

STS API Calls

Answer 23

AssumeRole
AssumeRoleWithWebIdentity
GetFederationToke
GetSessionToken

Question 24

What are API Access Keys

Answer 24

Are required to make programattic calls to AWS from CLI, Powershell, SDKs, Direct HTTP calls.

Question 25

What access method requires API Access Keys

Answer 25

CLI

Question 26

API Facts

Answer 26

Keys are available one time.
AWS will not regenerate the same set of keys.
API credentials have to associated with a USER.
Roles do not have API credentials.
In Console you can only see the Access Key ID
Must deactivate current API credentials before generating new ones.
NEVER store API keys on an EC2 instance.

Question 27

What default permissions does an IAM user have upon creation?

Answer 27

non-explicit “deny” for all AWS services.

Question 28

Attributes of IAM access credentials.

Answer 28

1. User received unique access credentials
2. Credentials should never be stored or passed to an EC2 instance.
3. Credentials should never be shared with others.

Question 29

Can an IAM user have multiple policies applied to their account?

Answer 29

Yes - users can have multiple policies applied to them directly or via a group.

Question 30

T/F - Explicit allow always override explicit deny IAM policies.

Answer 30

False - explicit deny always overrides an allow.

Question 31

T/F - MFA can be configured on a per user basis for login and resource access / actions.

Answer 31

True.

Question 32

What is the first user account created in an AWS environment?

Answer 32

1. Root user.

Question 33

What permissions does the root user have upon creation?

Answer 33

FULL Administrative rights.

Question 34

Root user best practices.

Answer 34

1. Do not use root access for daily work / administration.

2. Protect root account with MFA.

Question 35

IAM Groups

Answer 35

1. A Collection of users.
2. Easier management to AWS resources.
3. Allow permissions/policies to more than one user at a time.

Question 36

Account connection tools.

Answer 36

AWS Management Console
AWS CLI (Command Line Interface).

Question 37

IAM Policy

Answer 37

Permissions that can be assigned to users or groups that allow access to AWS resources.

Question 38

IAM Policy pre-built templates

Answer 38

1. Administrator Access - Full access to all AWS resources.
2. Power User Access - Admin access except cannot manage users/groups.
3. Read only Access - Only view AWS resources.

Question 39

T/F You cannot create custom policies.

Answer 39

False - policy generator or written from scratch (JSON).

Question 40

IAM Role

Answer 40

A role is something that another entity can “assume” and in doing so acquires the specific permissions defined by that role.