IAM

Question 1

What does IAM stand for?

Answer 1

Identity and Access Management

Question 2

Name

4 IAM Key Components

Answer 2

• Users
• Groups
• Roles
• Policies

Question 3

Is IAM a Regional Service?

Answer 3

No, IAM is a Global Service.

Meaning it is available in every Region

Question 4

Define

Root Account

Answer 4

The default account for an organization.

Question 5

What should you use the Root Account for?

Answer 5

Setting up the AWS Account

Should not be shared or used for anything else.

Question 6

Define

Users

Answer 6

People within your organization that receive permissions

Question 7

Define

Groups

Answer 7

A way of defining similar permissions for multiple users

Different ways Users can be Grouped

Question 8

What can be added to a Group?

Answer 8

Only Users

You can’t add another Group to a Group

Question 9

Can a User belong to multiple Groups?

Answer 9

Yes

Question 10

Does a User have to have a Group?

Answer 10

No

Question 11

Define

Policies

Answer 11

JSON documents the define permissions for a certain User or Group

Ex. Policy JSON

Question 12

Define

Least Privilege Principle

Answer 12

A User/Group should recevie the minimum permissions possible to perform their function

Question 13

Name

3 Elements of a Policy JSON

Answer 13

• Version policy language version
• Id identifier for the policy
• Statement one or more permissions to be granted

Question 14

Name

6 Elements of a Policy JSON Statement

Answer 14

• Sid indentifier for the statement
• Effect whether the statement allows or denies access
• Principal account/user/role to which this policy is applied
• Action list of actions this policy allows or denies
• Resource list of resources to which the actions applied to
• Condition conditions for when this policy if in effect

Question 15

Define

Sid

Policy JSON Statment Element

Answer 15

Identifier of the statement

Ex:
"Sid": "1"

Question 16

Define

Effect

Policy JSON Statment Element

Answer 16

Whether the Statement allows or denies access.
Values are “Allow”, “Deny”

Ex.
"Effect": "Allow" or "Effect: "Deny"

Question 17

Define

Principal

Policy JSON Statment Element

Answer 17

Account/User/Role to which this policy is applied to.

Ex.
"Principal": { "AWS": ["arn:aws:iam::12345678901:root"] }

Question 18

Define

Action

Policy JSON Statment Element

Answer 18

List of actions this policy allows or denies

Ex.
"Action": [ "s3:GetObject", "s3:PutObject" ]

Question 19

Define

Resource

Policy JSON Statment Element

Answer 19

List of resources to which the actions are applied to

Ex.
"Resource": [ "arn:aws:s3:::mybucket/*" ]

Question 20

Define

Condition

Policy JSON Statment Element

Answer 20

Conditions for when this policy is in effect

Ex.
"Condition" : { "StringEquals" : { "aws:username" : "johndoe" } }

Question 21

Which Policy JSON Elements are optional?

Answer 21

• Id
• Sid
• Condition

Question 22

Define

IAM Password Policy

Answer 22

Specific requirments defined by the Root user for User passwords.

Question 23

Name

5 Possible restrictions set by Password Policy

Answer 23

• Minimum length
• Specific Character Types
• Users can change their passwords
• Expiration
• Password Re-Use

Question 24

Name

4 Character Types that can be required by the Password Policy

Answer 24

• Uppercase
• Lowercase
• Numbers
• Non-Alphanumeric

Question 25

# Define MFA

Answer 25

Multi-Factor Authentication combines a password you know with a device you own | If your password is stolen, the account is not compromised

Question 26

# Name 4 Authorized MFA devices for AWS Accounts

Answer 26

* **Virtual MFA** application that stores tokens for authentication * **Universal 2nd Factor (U2F) Security Key** physical device with a single security key (USB) * **Hardware Key Fob** Physical device with a display that has a random changing token * **Hardware Key Fob for AWS GovCloud** US Government use

Question 27

# Name 3 Ways a User can Access AWS

Answer 27

* **AWS Management Console** protected by password + MFA * **AWS Command Line Interface (CLI)** protected by access keys * **AWS Software Development Kit (SDK)** protected by access keys

Question 28

# Define Access Key

Answer 28

A Long-term credential for an IAM User, used to sign requests to the AWS CLI or SDK

Question 29

# Name 2 Parts of an Access Key

Answer 29

* Access Key ID * Secret Access Key

Question 30

How are Access Keys generated?

Answer 30

Through the AWS Management Console

Question 31

Who manages Access Keys?

Answer 31

The User manages their own Access Keys.

Question 32

# Define AWS CLI

Answer 32

Command line tool that enables a user to interact with AWS services from their local shell | Direct alternative to the AWS Management Console

Question 33

# Define AWS Software Development Kit (SDK)

Answer 33

Language-specific APIs that enable a user to access and manage AWS services programmatically | Emebedded within your application

Question 34

# Name 5 Environments Supported by AWS SDK

Answer 34

* Web * Cloud * Mobile * IoT * Gaming

Question 35

# Define IAM Role

Answer 35

A set of Permissions assigned to an AWS Service to perform actions on your behalf

Question 36

# Name 2 IAM Security Tools

Answer 36

* **IAM Credentials Report** (account-level) * **IAM Access Advisor** (user-level)

Question 37

# Define IAM Credentials Report

Answer 37

Lists all your account's users and the status of their various credentials

Question 38

# Define IAM Access Advisor

Answer 38

Shows the service permissions granted to a user and when those services were last accessed | Useful for revising IAM Policies