IAM - Identity and Access Management

Question 1

People that within your organization that can be grouped

Answer 1

Users

Question 2

True or False: Groups can only contain users, not other groups

Answer 2

True

Question 3

True or False: Users must belong to a group

Answer 3

False

Question 4

Permissions assigned as a JSON document are called _________.

Answer 4

Policies

Question 5

What is the least privilege principle?

Answer 5

Only give a user the permissions that they need.

Question 6

What three main components make up a policy?

Answer 6

Version, ID, and Statement

Question 7

What does a statement consist of?

Answer 7

• Sid: an identifier for the statement (optional)
• Effect: whether the statement allows or denies access (allow, deny)
• Principal: account/user/role to which this policy applied to
• Action: list of actions this policy allows or denies
• Resource: list of resources to which the actions applied to
• Condition: conditions for when this policy is in effect (optional)

Question 8

What forms of MFA are options in AWS?

Answer 8

Virtual and Physical MFA Devices

Question 9

What physical MFA devices can be used with AWS?

Answer 9

• Universal 2nd Factor (U2F) Security Key (Physical device)
  
  • YubiKey by Yubico (3rd Party)
    
    • Support for multiple root and IAM users using a single security key
• Hardware Key Fob MFA Device
  
  • Gemalto MFA device

Question 10

What physical MFA device is offered for AWS GovCloud?

Answer 10

SurePassID

Question 11

What options do you have when accessing AWS?

Answer 11

AWS Management Console, AWS CLI, and AWS SDK

Question 12

What are access keys?

Answer 12

Access keys are made of a key ID and a secret that can be used like a username and password.

Question 13

What is the AWS CLI?

Answer 13

A tool that enables you to interact with AWS services using command in your command-line shell.

Question 14

What is the AWS SDK?

Answer 14

The AWS SDK is a software development kit that allows you to programmatically access and manage AWS services.

Question 15

What purpose do roles have when it comes to IAM?

Answer 15

Roles allow AWS services to perform actions on your behalf.

Question 16

What two security tools does AWS offer?

Answer 16

IAM Credentials Report, IAM Access Advisor

Question 17

What is the IAM Credentials Report?

Answer 17

A report that lists all of your account’s users and the status of their various credentials.

Question 18

What does the IAM Access Advisor do?

Answer 18

Access advisor shows the service permissions granted to a user and when those services were last accessed.

Question 19

What are some best practices of IAM?

Answer 19

• Don’t use the root account
• One physical user = One AWS user
• Assign users to groups and assign permissions to groups
• Create a strong password policy
• Use and enforce the use of MFA
• Create and use Roles for giving permissions to AWS services
• Use access keys for programmatic access (CLI/SDK)
• Audit permissions of your account with the IAM credentials report
• Never share IAM users & Access keys

Question 20

What is the shared responsibility model for IAM?

Answer 20

• AWS
  
  • Infrastructure (global network security)
  • Configuration and vulnerability analysis
  • Compliance Validation
• User (You)
  
  • Users, groups, roles, policies management and monitoring
  • Enable MFA on all accounts
  • Rotate all keys often
  • Use IAM tools to apply appropriate permissions
  • Analyze access patterns and review permissions