CloudAcademy: Knowledge Check: Security (SAA-C03) 1 of 2 Flashcards

1
Q

Why is it recommended to apply permissions to the group instead of individual users when configuring IAM?

A. User access keys are sometimes faulty and must be reconfigured periodically.
B. Group access is less time-consuming to configure than user access.
C. Users who access resources programmatically are difficult to authenticate.
D. Group access is more secure than user access.

A

B. Group access is less time-consuming to configure than user access.

Explanation:
Group access is less time-consuming to configure than user access, and for this reason it is the recommended method for granting permissions: multiple users can be granted permissions as members of a group. Group access is not more secure than user access, it is not difficult to authenticate users who access resources programmatically, and faulty user access keys that need to be reconfigured are not reasons for applying permissions to groups rather than users.

2
Q

Which element of an AWS IAM policy can be set to either Allow or Deny?

A. condition
B. statement
C. effect
D. action

A

C. effect

Explanation:
Effect: This element can be set to either Allow or Deny, which either grants or restricts access to the actions defined in the statement.

3
Q

AWS IAM can be defined by its ability to _____.

A. manage creation and control of encryption keys
B. provide hardware-based key storage for regulatory compliance
C. provision, manage, and deploy SSL/TLS certificates
D. manage, control, and govern authentication, authorization, and access control mechanisms of identities to your resources within your AWS account

A

D. manage, control, and govern authentication, authorization, and access control mechanisms of identities to your resources within your AWS account

Explanation:
Essentially, IAM can be defined by its ability to manage, control, and govern authentication, authorization, and access control mechanisms of identities to your resources within your AWS account.

4
Q

In AWS IAM, the _____ shows you which services a user can access, based on their current permissions, and also the last time that these services were accessed.

A. Path Analyzer
B. Access Advisor
C. ARN
D. RDS Policy

A

B. Access Advisor

Explanation:
Access Advisor shows you which services a user can access based on their current permissions, and also the last time that these services were accessed.

5
Q

Which of the following lists correctly represents the order in which IAM policies are evaluated whenever someone tries to access a resource within AWS?

A. identity-based, resource-based, Organizational Service Control, IAM permission boundaries
B. resource-based, IAM permission boundaries, identity-based, Organizational Service Control
C. IAM permission boundaries, Organizational Service Control, resource-based, identity-based
D. Organizational Service Control, resource-based, IAM permission boundaries, identity-based

A

D. Organizational Service Control, resource-based, IAM permission boundaries, identity-based

Explanation:
There is an order in which policies are evaluated, and the following list shows the policies in their order of evaluation: first, any Organizational Service Control policies; then any resource-based policies; then IAM permission boundaries; and finally, identity-based policies.

6
Q

In AWS IAM, _____ allow(s) credentials external to AWS to be used as a means of authentication to your AWS resources.

A. Federated Access
B. STS
C. Multi-Factor Authentication
D. AWS Managed Policies

A

A. Federated Access

Explanation:
Federated Access allows credentials external to AWS to be used as a means of authentication to your AWS resources.

7
Q

In AWS IAM, a(n) _____ policy is one that is embedded within the user object itself.

A. role
B. user
C. group
D. inline

A

D. inline

Explanation:
At the top of the Permissions tab, we can add an inline policy for this user. An inline policy is one that is embedded within the user object itself.

8
Q

_____ used within AWS IAM are written as JSON documents and define what can and can’t be accessed.

A. Policies
B. Roles
C. Rules
D. User groups

A

A. Policies

Explanation:
Policies used within IAM are written as JSON documents, and these define what can and can’t be accessed.

9
Q

What is the recommended last step in the sequence of steps to implement cross-account access using AWS IAM for a small company using two accounts?

A. Use AWS SSO to create access for new AWS users.
B. Test the configuration by switching to the new role.
C. Specify the permissions attached to the newly created role.
D. Create a role from within the trusted account.

A

B. Test the configuration by switching to the new role.

Explanation:
Let me break the process down. Firstly, you must create a role from within the trusting account, which would be the production account in our example. This is to establish a trust between the two accounts. This role will define the development account as a trusted entity. Next, you must specify the permissions attached to this newly created role, which the users in the development account would assume to carry out their required actions and tasks. Next, you must switch to the trusted account–in this scenario the development account–to grant permissions to your developers to allow them to assume the newly created role in the trusted account. Finally, you can test the configuration by switching to the role.

10
Q

____ allows IAM users from one AWS account to access services within a different AWS account through the use of IAM roles.

A. Trusted account isolation
B. Cross-account access
C. Third-party authentication
D. Multi-factor authentication

A

B. Cross-account access

Explanation:
Let me quickly define what cross-account access is. Put simply, it allows IAM users from one AWS account to access services within a different AWS account through the use of IAM roles.

11
Q

Which of the following describes IAM groups? (Choose 2 answers)

A. IAM groups are used for authentication
B. IAM groups have IAM policies assigned to them
C. IAM groups are shared by an unlimited number of users by default
D. IAM groups contain users

A

D. IAM groups contain users
B. IAM groups have IAM policies assigned to them

Explanation:
IAM Groups containing IAM Users will have IAM policies associated with them that will allow or explicitly deny access to AWS resources. These policies are either AWS Managed policies that can be selected from within IAM, or customer-managed policies that are created by you, the customer.

IAM Groups are objects much like user objects; however, they are not used in any authentication process. They are used to authorize access to AWS resources through the use of IAM policies.

Groups are normally created to match a specific requirement or job role and can contain many users; however, the number and size of IAM resources in an AWS account are limited.

12
Q

In cross-account access, _____ allow users and other AWS services and applications to adopt a set of temporary IAM permissions to access AWS resources.

A. provisional access configurations
B. multi-factor authentications
C. IAM roles
D. firewalls

A

C. IAM roles

Explanation:
IAM roles allow users and other AWS services and applications to adopt a set of temporary IAM permissions to access AWS resources.

13
Q

In AWS, _____ allows you to create a customer-managed IAM policy by selecting options from a series of dropdown boxes.

A. Policy Studio
B. Policy Maker
C. Policy Generator
D. Policy Config

A

C. Policy Generator

Explanation:
The Policy Generator allows you to create a customer-managed policy by selecting options from a series of dropdown boxes.

14
Q

In AWS IAM, configuring _____ allows for an additional level of verification to be applied: namely, the user will have to enter a random six-digit number from a linked device after their usual password.

A. Multi-Factor Authentication
B. STS
C. Federated Access
D. AWS Managed Policies

A

A. Multi-Factor Authentication

Explanation:
Configuring MFA allows for an additional level of verification to be applied. The user will have to enter a random six-digit number from a linked MFA device after their usual password.

15
Q

Which of the following statements about IAM policy evaluation in AWS is false?

A. By default, all access to a resource is denied.
B. If a single deny exists within any policy associated with the same principal against the same resource, then that deny will overrule any previous allow that might exist for the same resource and action.
C. Access to a resource is only allowed if an allow has been specified within a policy associated with the principal.
D. An explicit allow will always take precedence over a deny.

A

D. An explicit allow will always take precedence over a deny.

Explanation:
The rules for reviewing permissions across multiple policies in a single account are actually quite simple and can be summarized like this: by default, all access to a resource is denied. Access will only be allowed if an allow has been specified within a policy associated with the principal. If a single deny exists within any policy associated with the same principal against the same resource, then that deny will overrule any previous allow that might exist for the same resource and action. So, to reiterate, an explicit deny will always take precedence over an allow.

16
Q

In AWS IAM, _____ are used for programmatic access to your AWS resources.

A. MFAs
B. access keys
C. path structures
D. auth certificates

A

B. access keys

Explanation:
Access keys are used for programmatic access to your AWS resources, and they consist of two elements.

17
Q

What is the first step in the sequence of steps required to implement cross-account access using AWS IAM?

A. Create a role from within the trusting account.
B. Create a role from within the trusted account.
C. Test the configuration by switching to the new role.
D. Specify the permissions attached to the newly created role, which the users in the trusted account would assume to carry out their required actions and tasks.

A

B. Create a role from within the trusted account.

Explanation:
Let me break the process down. Firstly, you must create a role from within the trusting account, which, in our example, would be the production account. This is to establish a trust between the two accounts. This role will define the development account as a trusted entity. Next, you must specify the permissions attached to this newly created role, which the users in the development account would assume to carry out their required actions and tasks. Next, you must switch to the trusted account–in this scenario the development account–to grant permissions to your developers to allow them to assume the newly created role in the trusted account. Finally, you can test the configuration by switching to the role.