IAM

Question 1

What does IAM stand for?

Answer 1

Identity Access Management

Question 2

Is IAM a global service?

Answer 2

Yes

Question 3

How is the root account created? Should it be used or shared?

Answer 3

The root account is created by default. It should NEVER be used or shared.

Question 4

What are users?

Answer 4

End users within an organization

Question 5

What are groups?

Answer 5

Groups are a collection of users

Question 6

Can groups contain other groups?

Answer 6

No

Question 7

Do users have to belong to a group?

Answer 7

No

Question 8

True/False: Users can only belong in one group

Answer 8

False, users can belong to multiple groups

Question 9

What are IAM policies?

Answer 9

IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API.

Question 10

Who can be assigned JSON documents aka ‘policies’?

Answer 10

Users and Groups

Question 11

What is the least privilege principle?

Answer 11

Don’t give more permissions than a user needs

Question 12

What does the IAM policy structure consist of?

Answer 12

Version, Id, and Statement

Question 13

What does the IAM policy statement consist of?

Answer 13

Sid, Effect, Principal, Action, Resource, Condition

Question 14

In AWS IAM policy statement, what does Sid stand for and what is it?

Answer 14

Sid = Statement ID
Sid is an identifier for the statement. Sid not always present.

Question 15

In AWS IAM policy statement, what does the Effect show?

Answer 15

the Effect shows whether the statement allows or denies access
(Allow, Deny)

Question 16

In AWS IAM policy statement, what does the principal show?

Answer 16

the account/user/role to which the policy is applied to

Question 17

In AWS IAM policy statement, what does the resource show?

Answer 17

the Resource shows a list of resources to which the actions applied to

Question 18

In AWS IAM policy statement, what does the Condition show?

Answer 18

the Condition shows the conditions for when the policy is in effect (optional…not always present in the statement)

Question 19

What are some requirements that you can add when setting up a password policy to create stronger passwords?

Answer 19

Set a min password length, require specific character types (i.e upper/lower case, numbers, non-alphanumeric), allow ALL IAM users to change their passwords, set a password expiration & require users to change it, prevent password re-use

Question 20

What does MFA stand for?

Answer 20

Multi-Factor Authentication

Question 21

Why should MFA be implemented?

Answer 21

To protect your Root Accounts and IAM users. Users who have access to your account can change configurations and/or delete resources

Question 22

How does MFA work?

Answer 22

MFA = password you know + security device you own

Question 23

What is the main benefit of an MFA?

Answer 23

If a password is stolen or hacked the account is not compromised

Question 24

What are the types of MFA devices?

Answer 24

virtual MFA device, universal 2nd factor (U2F) security key, hardware key fob mfa device, hardware key fob mfa device AWS GovCloud

Question 25

What are 2 types of virtual MFA devices?

Answer 25

Google authenticator (phone only) and Authy (mult-device)

Question 26

True/False Virtual MFA devices can support multiple tokens on a single device

Answer 26

True

Question 27

What is an example of a Universal 2nd Factor (U2F) Security Key?

Answer 27

YubiKey by Yubico (a third party vendor)

Question 28

True/False U2F’s such as YubiKey by Yubico can support multiple root and IAM users using a single security key

Answer 28

true

Question 29

What is an example of a hardware key fob mfa device?

Answer 29

Gemalto

Question 30

What is an example of a hardware key fob MFA device for AWS GovCloud (US)?

Answer 30

SurePassID

Question 31

How many options do you have to access AWS?

Answer 31

3

Question 32

How can you access AWS?

Answer 32

AWS Management Console (protected by password + MFA), AWS CLI (protected by access keys), AWS Software Developer Kit/SDK (for code: protected by access keys)

Question 33

Where are access keys generated?

Answer 33

through the AWS console

Question 34

Who manages users’ access keys?

Answer 34

Users manage their own access keys

Question 35

True/False Access keys should be shared

Answer 35

False

Question 36

True/False Access Key ID is similar to a username

Answer 36

True

Question 37

True/False The secret access key is similar to a password

Answer 37

True

Question 38

What is the AWS CLI?

Answer 38

a tool that enables you to interact with AWS services using commands in you command-line shell

Question 39

What does AWS Command Line Interface provide?

Answer 39

Direct access to the public APIs of AWS services and an alternative to the AWS Management console

Question 40

What is the AWS SDK?

Answer 40

AWS Software Development Kit. Enables you to access and manage AWS services programmatically.

Question 41

What does an IAM role do?

Answer 41

assign permissions to AWS services to perform actions on your behalf

Question 42

Give examples of common IAM roles?

Answer 42

EC2 Instance Roles, Lambda Function Roles, Roles for CloudFormation

Question 43

What are two IAM security tools?

Answer 43

IAM Credentials Report (account level), IAM Access Advisor (user level)

Question 44

What does a credential report show?

Answer 44

a report that lists all your account’s users and the status of their various credentials

Question 45

What does the IAM access advisor show?

Answer 45

the service permissions granted to a user and when those services were last accessed

Question 46

How can IAM access advisor be used?

Answer 46

to revise policies

Question 47

What are the AWS IAM best practices?

Answer 47

1.) don’t use the root user except for AWS account setup
2.) one physical user = one AWS user
3.) create a strong password policy
4.) use & enforce the use of MFA
5.) create & use roles for giving permissions to AWS services
6.) use access keys for programmatic access (CLI/SDK)
7.) audit permissions of your account with the IAM credentials report
8.) never share IAM users and Access Keys

Question 48

What is a policy?

Answer 48

a JSON doc that outlines permissions for users or groups