S3/IAM

Question 1

What does S3 stand for?

Answer 1

Simple Storage Service

Question 2

What is S3 used for?

Answer 2

• S3 provides developers and IT teams with secure, durable, highly-scalable object storage.
• S3 allows the storage and retrieval of any amount of data from anywhere on the web.

Question 3

What type of storage does S3 use?

Answer 3

S3 uses object-based storage

Question 4

What is the maximum allowable storage you can have in S3 for a single object?

Answer 4

S3 files can be from 0 Bytes to 5TB

Question 5

What is the maximum allowable storage you can have in S3?

Answer 5

The total volume of data and number of objects you can store is unlimited

Question 6

What is IAM?

Answer 6

​

• AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources.
• MANAGES
  
  • who is authenticated (signed in)
  • who is authorized (has permissions) to use resources.

Question 7

List the key features of IAM

Answer 7

• CENTRALIZED CONTROL of your account
• CUSTOM PASSWORD ROTATION POLICY
• EVENTUALLY CONSISTENT
• GRANULAR PERMISSIONS
• IDENTITY FEDERATION (Active Directory, Facebook, LinkedIn)
• IDENTITY INFO for assurance
• INTEGRATED with aws services
• MFA (multi-factor authentication)
• PCI DSS COMPLIANCE
• SECURE ACCESS to aws resources for apps on EC2
• SHARED ACCESS to your account
• TEMP ACCESS for users/devices and services where necessary

Question 8

How do you access IAM?

Answer 8

​

• AWS Management Console
• AWS Command Line Tools
• AWS SDKs

Question 9

What are IAM users?

Answer 9

IAM users are end users such as people, employees of an organzation, etc.

Question 10

What are IAM groups?

Answer 10

​

• IAM groups are collections of users
• Each user in a group inherits the permissions of the group

Question 11

What are IAM permission policies?

Answer 11

Permission policies:

• consist of Policy Documents,
• are formated as JSON,
• give permissions as to what a User/Group/Role is able to do.

Question 12

What are IAM roles?

Answer 12

An IAM role is an IAM identity that defines a set of permissions for making AWS service requests.

IAM roles are not associated with a specific user or group; instead, trusted identities assume roles (such as IAM users, applications or services such as EC2).

A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when a trusted identity assumes a role, it provides you with temporary security credentials for your role session.

Question 13

How are IAM roles and users similar?

Answer 13

An IAM role is similar to an IAM user, in that BOTH ARE

• an AWS identity with permission policies
• that determine what the identity can and cannot do in AWS.

Question 14

How are IAM roles and users different?

Answer 14

• A user is uniquely associated with one person.
• A role is intended to be assumable by anyone who needs it.

Question 15

What entities can use roles?

Answer 15

Roles can be used by the following:

• An IAM user in the same AWS account as the role
• An IAM user in a different AWS account than the role
• A web service offered by AWS such as Amazon Elastic Compute Cloud (Amazon EC2)
• An external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 or OpenID Connect, or a custom-built identity broker.

Question 16

What is an AWS service role?

Answer 16

A role that a service assumes to perform actions in your account on your behalf.

Question 17

What is an AWS service role for an EC2 instance?

Answer 17

A special type of service role that an application running on an Amazon EC2 instance can assume to perform actions in your account.

Question 18

What is an AWS service-linked role?

Answer 18

• A unique type of service role that is linked directly to an AWS service.
• Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.

Question 19

What is role chaining?

Answer 19

Role chaining occurs when you use a role to assume a second role through the AWS CLI or API.

Question 20

What is role delegation?

Answer 20

The granting of permissions to someone to allow access to resources that you control.

Question 21

What is role federation?

Answer 21

The creation of a trust relationship between an external identity provider and AWS.

Question 22

What are federated users?

Answer 22

Federated users are existing identities from AWS Directory Service, your enterprise user directory, or a web identity provider.

Question 23

What is a trust policy?

Answer 23

A JSON policy document in which you define the principals that you trust to assume the role.

The principals that you can specify in the trust policy include

• users
• roles
• accounts
• services

Question 24

What is a permissions policy?

Answer 24

A permissions document in JSON format in which you define what actions and resources the role can use.

The document is written according to the rules of the IAM policy language.

Question 25

What is a permissions boundary?

Answer 25

An advanced feature in which you use policies to limit the maximum permissions that an identity-based policy can grant to a role.

You cannot apply a permissions boundary to a service-linked role

Question 26

What is a principal?

Answer 26

An entity in AWS that can perform actions and access resources. A principal can be an AWS account root user, an IAM user, or a role.

Question 27

What are the two ways to grant permissions to access a resource?

Answer 27

• You can attach a permissions policy to a user (directly, or indirectly through a group) or to a role.
• For those services that support resource-based policies, you can identify the principal in the Principal element of a policy attached to the resource.

Question 28

TRUE or FALSE?

IAM is universal, and does not apply to regions specifically.

Answer 28

TRUE

Question 29

How broad is the IAM namespace?

Answer 29

IAM has a global namespace

Question 30

What permissions does an IAM user have when first created?

Answer 30

A user has NO permissions when first created (least privileges)

Question 31

Which account is the root account in IAM?

Answer 31

The root account is the account created when you first set up your AWS account.

Question 32

What access does the root account have?

Answer 32

The root account has complete admin access

Question 33

What are the Access Key ID and Secret Access Key used for?

Answer 33

• Access Key ID and Secret Access Key are used for programmatic access (AWS APIs and CLI)
• Think of it as the username and password for programmatic access
• Cannot be used to log in to console.

Question 34

How are Access Key IDs and Secret Access Keys assigned?

Answer 34

• Access Key IDs and Secret Access Keys are assigned to new users upon creation
• You can only view them ONCE

Question 35

If you lose your AWS Access Key ID and Secret Access Key, how can you recover them?

Answer 35

You can’t.

You will need to generate a new pair from within the console (under My Security Credentials -> Access keys

Question 36

What are common use cases for EC2 Spot Instances?

Answer 36

• Batch jobs- Data analysis- Workloads resilient to failures

Question 37

When would you NOT use EC2 Spot Instances?

Answer 37

• Critical jobs- Databases

Question 38

What is the discount provided for using EC2 Spot Instances?

Answer 38

90%

Question 39

What is a Spot Block?

Answer 39

It’s a block on a spot instance for a specified time frame (1 to 6 hours) where the instance cannot be interrupted or reclaimed

Question 40

What is a Spot Fleet?

Answer 40

A set of Spot Instances, and optionally, on-demand instances.

Question 41

What are the various strategies available to allocate Spot Instances

Answer 41

• lowestPrice: from the pool with lowest price- diversified: distributed across all pools- capacityOptimized: pool w/optimal capacity