Describe IAM
Best Practices
Features & Tools
Permissions
Potpourri
200

What is a primary function of IAM in AWS?


a. Creating and managing users and groups

b. Automatically scaling AWS resources

c. Providing secure VPN access to AWS

d. Deploying applications in the AWS Cloud


a. Creating and managing users and groups

200

You have a web application hosted on EC2 that makes GET and PUT requests for objects stored in Amazon Simple Storage Service (S3) using the SDK for PHP. As the security team completed the final review of your application for vulnerabilities, they noticed that your application uses a hardcoded IAM access key and secret access key to gain access to AWS services. They recommend you leverage a more secure setup, which should use temporary credentials if possible.

Which of the following options can be used to address the given use case?

a. Use an IAM Instance Role.

b. Use environment variables.

c. Hardcode the credentials in the application code.

d. Use the SSM parameter store.

a.

An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts. The AWS SDK will use the EC2 metadata service to obtain temporary credentials through the IAM instance role. This is the most secure and common setup when deploying any kind of application onto an EC2 instance.

200

A Developer has been entrusted with the job of securing certain S3 buckets that are shared by a large team of users. The last time a bucket policy was changed, the bucket was erroneously made available to everyone, including parties outside the organization. Which feature/service will help the developer?

a. IAM Access Analyzer

b. S3 Analytics

c. S3 Object Lock

d. Access Advisor feature on IAM console

a. IAM Access Analyzer

AWS IAM Access Analyzer is a feature that continuously monitors your AWS accounts for potential security risks. It analyzes your IAM and resource policies, identifies situations where external entities might have unnecessary access to your resources, and highlights unused access within your organization, allowing you to refine permissions and enforce least-privilege principles across your AWS environment.

200

Every user you create in the IAM system starts with ________.

a. Full Permissions

b. No Permissions

c. Partial Permissions

d. a hope and a dream

b.

200

What is an IAM Policy?

a. A CSV file which contains a user's Access Key and Secret Access Key

b. A file containing a user's private SSH key

c. The policy which determines how your AWS bill will be paid

d. A JSON document which defines one or more permissions


d. A JSON document which defines one or more permissions

400

Which statement best describes IAM?

a. IAM allows you to manage users' passwords only. AWS staff must create new users for your organization. This is done by raising a ticket.

b. IAM stands for Improvised Application Management, and it allows you to deploy and manage applications in the AWS Cloud.

c. IAM allows you to manage users, groups, and roles and their corresponding level of access to the AWS Platform.

d. IAM allows you to manage permissions for AWS resources only.


c. IAM allows you to manage users, groups, and roles and their corresponding level of access to the AWS Platform.

400

You are a solutions architect working for a large engineering company that is moving from a legacy infrastructure to AWS. You have configured the company's first AWS account and you have set up IAM. Your company is based in Andorra, but there will be a small subsidiary operating out of South Korea, so that office will need its own AWS environment. Which of the following statements is true?

a. You will need to configure your policy documents regionally, however your users are global.

b. You will need to configure Users and Policy Documents only once, as these are applied globally.

c. You will then need to configure Users and Policy Documents for each region respectively.

d. You will need to configure your users regionally, however your policy documents are global.

b. You will need to configure Users and Policy Documents only once, as these are applied globally.

400

Which of the following can you use to test that an IAM policy attached to a user, group or role works as expected?

a. IAM Policy Simulator

b. IAM Access Analyzer

c. Trusted Advisor

d. Lambda

a. IAM Policy Simulator

400

Which of the following is NOT a feature of IAM?

a. Identity federation for delegated access to the AWS Management Console or AWS APIs

b. Centralized control of your AWS account

c. Allows you to set up biometric authentication, so that no passwords are required

d. Fine-grained access control to AWS resources


c. Allows you to set up biometric authentication, so that no passwords are required

400

You have created a new AWS account for your company, and you have also configured multi-factor authentication on the root account. You are about to create your new users. What strategy should you consider in order to ensure that there is good security on this account?

a. Require users to only be able to log in using biometric authentication.

b. Give all users the same password so that if they forget their password they can just ask their co-workers.

c. Restrict login to the corporate network only.

d. Enact a strong password policy: user passwords must be changed every 45 days, with each password containing a combination of capital letters, lower case letters, numbers, and special symbols.

d.

600

Which of the following is not a component of IAM?

a. Roles

b. Users

c. Organizational Units

d. Groups

c. Organizational Units

Organizational Units are part of AWS Organizations, not IAM.

600

Which is the best way to enable S3 read-access for an EC2 instance?

a. Configure a bucket policy which grants read-access based on the EC2 instance name

b. Create an IAM role with read-access to S3 and assign the role to the EC2 instance

c. Create a new IAM group and grant read access to S3. Store the group's credentials locally on the EC2 instance and configure your application to supply the credentials with each API request.

d. Create a new IAM role and grant read-access to S3. Store the role's credentials locally on the EC2 instance and configure your application to supply the credentials with each API request


b. Create an IAM role with read-access to S3 and assign the role to the EC2 instance

600

Which of the following actions can be authorized by IAM? (Choose 2 answers)

a. Installing ASP.NET on a Windows Server 

b. Launching an Amazon Linux EC2 instance 

c. Querying an Oracle database 

d. Adding a message to an Amazon Simple Queue Service (Amazon SQS) queue

B, D.


IAM controls access to AWS resources only. Installing ASP.NET will require Windows operating system authorization, and querying an Oracle database will require Oracle authorization.

600

Two policies are attached to an IAM user. The first policy states that the user has explicitly been denied all access to EC2 instances. The second policy states that the user has been allowed permission for the EC2:Describe action.

When the user tries to use the Describe action on an EC2 instance using the CLI, what will be the output?

a. The order of the policy matters. If policy 1 is before 2, then the user is denied access. If policy 2 is before 1, then the user is allowed access.

b. The IAM user stands in an invalid state, because of conflicting policies.

c. The user will get access because it has an explicit allow.

d. The user will be denied access because one of the policies has an explicit deny on it.

d.

The user will be denied access because the policy has an explicit deny on it. Explicit denies always take precedence over allows in AWS IAM policies.

600

What kind of service is IAM?

a. Local - only applicable within a single organization

b. Temporary - only valid for a limited time period

c. Restricted - only for administrative tasks

d. Global - use it to create our users and assign them to groups

d. Global

800

Which of the following is NOT a use of IAM in AWS?

a. Providing secure VPN access to AWS

b. Assigning permissions to allow and deny access to AWS resources

c. Managing access to AWS services

d. Creating and managing users and groups


a. Providing secure VPN access to AWS

800

You have an application that will run on an Amazon Elastic Compute Cloud (Amazon EC2) instance. The application will make requests to Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB. Using best practices, what type of AWS Identity and Access Management (IAM) identity should you create for your application to access the identified services?

a. IAM role

b. IAM user

c. IAM group

d. IAM directory

a. IAM role

IAM groups are used to manage permissions for multiple users, not for applications. An IAM role is designed for granting permissions to applications running on EC2 instances, allowing them to access other AWS services securely.

800

Which IAM entity can you use to delegate access to other trusted entities such as IAM users, applications, or AWS services like EC2?

a. IAM Web Identity Federation

b. IAM User

c. IAM Group

d. IAM Role

d. IAM Role

800

Which of the following security credentials can only be created by the AWS Account root user?

a. IAM User passwords

b. EC2 Instance Key Pairs

c. IAM User Access Keys

d. CloudFront Key Pairs

d. CloudFront Key Pairs

CloudFront key pairs are used for creating signed URLs and signed cookies for private content in Amazon CloudFront. These key pairs can only be created by the AWS account root user. This is a security measure to ensure that the ability to create and manage these key pairs is tightly controlled.

800

Which of the following statements is NOT true?

a. AWS recommends that EC2 instances have credentials stored on them so that the instances can access other resources (such as S3 buckets).

b. AWS recommends IAM roles so that your applications can securely make API requests from your instances.

c. AWS offers EC2 Instance Connect, a convenient and robust solution for establishing connections to Linux instances through Secure Shell (SSH).

d. Control access to Amazon EC2 resources by setting up security groups.


a. AWS recommends that EC2 instances have credentials stored on them so that the instances can access other resources (such as S3 buckets).

(You can hard-code AWS access keys into your application or instances, but you’re faced with the added responsibility of distributing them to the instance securely and then the management headache of regularly rotating them. AWS doesn't recommend this practice.)

1000

Which of the following are found in an IAM policy? (Choose 2 answers)

a. Service 

b. Name 

c. Region

d. Action 

e. Password

a. Service, d. Action

b. Name: While IAM policies can have names, the name itself is not part of the policy document.

c. Region: IAM policies do not specify regions. They are global and apply to the AWS account as a whole.

e. Password: Passwords are not part of IAM policies. They are part of user credentials.

1000

You want to grant the individuals on your network team the ability to fully manipulate Amazon EC2 instances. Which of the following accomplish this goal? (Choose 2 answers)

a. Create a new policy allowing EC2: actions, and name the policy NetworkTeam. 

b. Assign the managed policy, EC2FullAccess, to a group named NetworkTeam, and assign all the team members' IAM user accounts to that group. 

c. Create a new policy that grants EC2: actions on all resources, and assign that policy to each individual's IAM user account on the network team. 

d. Create a NetworkTeam IAM group, and have each team member log in to the AWS Management Console using the user name/ password for the group.

B, C.

Access requires an appropriate policy associated with a principal. Response A is merely a policy with no principal, and response D is not a principal, as IAM groups do not have user names and passwords. Response B is the best solution; response C will also work, but it is much harder to manage.

1000

What feature in AWS IAM provides insights into the specific AWS services that a user has been granted permissions to access?

a. IAM Policy Simulator

b. IAM Access Advisor

c. IAM Roles Overview

d. IAM Credential Report

b. IAM Access Advisor

IAM Roles Overview focuses on the roles assigned to users, not on the specific permissions granted. IAM Access Advisor, however, provides insights into the services a user can access based on their permissions, making it the correct choice.

1000

The development team has just configured and attached the IAM policy needed to access AWS Billing and Cost Management for all users under the Finance department. But the users are unable to see the AWS Billing and Cost Management service in the AWS console. What could be the reason for this issue?

a. The users might have another policy that restricts them from accessing the Billing information

b. IAM user should be created under AWS Billing and Cost Management and not under AWS account to have access to Billing console.

c. You need to activate IAM user access to the AWS Billing and Cost Management console for all the users who need access

d. Only the root user has access to AWS Billing and Cost Management

c. You need to activate IAM user access to the AWS Billing and Cost Management console for all the users who need access


Even if the IAM policy is correctly configured and attached, IAM user access to the AWS Billing and Cost Management console is not enabled by default. This is a separate setting that needs to be activated. Without this activation, users will not be able to see or access the Billing and Cost Management service in the AWS console, regardless of their IAM policy permissions.

1000

You need to ensure that an IAM user in your AWS account can only create, update, and delete objects in a specific S3 bucket named "example-bucket" but cannot delete the bucket itself or perform any other actions. Which of the following IAM policy statements would achieve this?

a. Allow all actions on the "example-bucket" and its objects.

b. Allow only the s3:PutObject, s3:DeleteObject, and s3:ListBucket actions on the "example-bucket" and its objects.

c. Allow only the s3:PutObject and s3:DeleteObject actions on the objects within the "example-bucket".

d. Allow only the s3:PutObject, s3:DeleteObject, and s3:DeleteBucket actions on the "example-bucket" and its objects.

c.

a. This option is too permissive as it allows all actions on the "example-bucket" and its objects, including actions that are not required.

b. This option includes the s3:ListBucket action, which is not necessary for creating, updating, and deleting objects.

c. This option correctly specifies the necessary actions (s3:PutObject and s3:DeleteObject) and limits them to the objects within the "example-bucket", making it the correct answer.

d. This option includes the s3:DeleteBucket action, which is not required and would allow the user to delete the bucket itself, which is not desired.