Advanced IAM

Question 1

What does ARN stand for?

Answer 1

Amazon Resource Name

Question 2

What is the component syntax of an ARN?

Answer 2

• All ARNs begin with **arn:partition:service:region:account\_id:**
  
  • If not applicable, section is empty (so you can see ::)
• And end with a resource
  
  • resource
  • resource_type/resource
  • resource_type/resource/qualifier
  • resource_type/resource:qualifier
  • resource_type:resource
  • resource_type:resource:qualifier

Question 3

What are the major differences between the two types of IAM Policies?

Answer 3

• Identity Policies
  
  • attached to an IAM user, group, or role
  • specify what an identity can do
• Resource policies
  
  • attached to a resource
  • specify who can do what to the resource

Question 4

Do IAM policies take effect upon creation?

Answer 4

No. An IAM Policy has no effect until it is attached to a resource or role.

Question 5

What is the basic format of an IAM policy document?

Answer 5

• Version # (YYYY-MM-DD)
• List of statements, each individual statement enclosed in {}
  
  • Each statement matches an AWS API Request​​​
  • Each statement has an Effect, either allow or deny
  • Each statement has A list of Actions with the effect, of the form *servicename:ActionName*
  • Each statement has a Resource the Action is against (in ARN form)
  • Idea: (Allow/Deny) Resource to do Actions

Question 6

What is an AWS API Request?

Answer 6

Any action you can perform against AWS

Question 7

If an IAM policy does not explicitly allow an API action, might it still be implicitly allowed?

Answer 7

No

If an action is not explicitly allowed, it is implicitly denied

Question 8

In general, how does AWS reconcile multiple attached policies to the same user or resource?

Answer 8

AWS joins all applicable policies

Question 9

Suppose your IAM user has 2 policies, one of which explicitly denies access to all S3 buckets, the other of which explicitly allows access to a specific S3 bucket. Will this user be allowed to access to the specific S3 bucket?

Answer 9

No

An explicit deny overrides anything else in any other policy

Question 10

What is the purpose of AWS Permission Boundaries?

Answer 10

• The idea is to prevent priviledge escalation or unnecessarily overbroad permissions
• Controls maximum permissions an IAM policy can grant

Question 11

What are some use cases for AWS Permission Boundaries?

Answer 11

• Developers creating roles for Lambda functions
• Application owners creating roles for EC2 instances
• Administrators creating ad hoc users

Question 12

In the context of IAM, what does RAM stand for?

Answer 12

Resource Access Manager

Question 13

What is the general use case of AWS Resource Access Management?

Answer 13

• Resource Sharing between accounts
• can be between individual accounts or within accounts in AWS Organizations

Question 14

Which AWS Resources can I share using AWS Resource Access Management?

Answer 14

• App Mesh
• Aurora
• CodeBuild
• EC2
• EC2 Image Builder
• License Manager
• Resource Groups
• Route53

Question 15

What does SSO stand for?

Answer 15

Single Sign-On

Question 16

What does SAML stand for?

Answer 16

Security Assertion Markup Language

Question 17

What are the general use cases for AWS SSO?

Answer 17

• Centrally manage access to AWS Resources
• Using existing identities to log in to AWS
• Governing account-level permissions
• SAML

Question 18

Suppose you have a fleet of EC2 instances, all joined to the same active directory domain. Do you need to manage the credentials on the individual EC2 instances?

Answer 18

No

AWS Directory Service provides SSO to any domain-joined EC2 instance

Question 19

What is the purpose of AWS Directory Service?

Answer 19

Connecting AWS resources with on-premises AD

Question 20

When using AWS Managed Microsoft AD, who is responsible for ensuring multi-AZ deployment?

Answer 20

AWS

Question 21

What does AD stand for?

Answer 21

Active Directory

Question 22

What is Active Directory?

Answer 22

• On-premises directory service
• Uses a Hierarchical database of users, groups, computers, organized in trees and forests
• You apply group policies to help you manage users and devices on a network

Question 23

What is the key feature of AWS Managed Microsoft AD?

Answer 23

AD Domain Controllers – to which you have exclusive access– running Windows Server that are reachable by applications in your VPCs,

Question 24

How does AWS Managed Microsoft AD ensure high availability?

Answer 24

• You get 2 DCs by default,
• You can also add DCs for additional HA and Performance

Question 25

When using AWS Managed Microsoft AD, who is responsible for backup operations?

Answer 25

**AWS**

Question 26

When using AWS Managed Microsoft AD, who is responsible for ensuring you are on the most up-to-date version of the software?

Answer 26

**AWS**

Question 27

When using AWS Managed Microsoft AD, who is responsible for scaling out domain controllers?

Answer 27

**You**

Question 28

When using AWS Managed Microsoft AD, who is responsible for maintaining users, groups, and group policy objects?

Answer 28

**You**

Question 29

Suppose you want to extend existing AD to your on-premises infrastructure. What tool might you use to do this?

Answer 29

**AD Trust**

Question 30

When using AWS Managed Microsoft AD, who is responsible for any identity federation?

Answer 30

**You**

Question 31

When using AWS Managed Microsoft AD, who is responsible for dealing with certificate authorities?

Answer 31

**You**

Question 32

What is **AWS Simple AD**?

Answer 32

A standalone managed directory in the cloud used for Basic AD features

Question 33

Does AWS Simple AD support trusts?

Answer 33

**No**

Question 34

How many users can a small Simple AD handle?

Answer 34

**up to 500**

Question 35

How many users can a large Simple AD handle?

Answer 35

**Up to 5000**

Question 36

Does Simple AD allow you to join with on-premises AD?

Answer 36

**No, Simple AD does _not_ support trusts**

Question 37

What is **AD Connector**?

Answer 37

* AD Connector is a **directory gateway (proxy) for on-premises AD**

Question 38

What is **AWS Cloud Directory**?

Answer 38

* A _fully-managed_ **directory-based** **store** _for developers_ * Used in applications that implement org charts, course catalogs, device registries

Question 39

What are **Amazon Cognito User Pools**?

Answer 39

* Managed User directory for SaaS Applications * sign-up and sign-in for web / mobile * typically used with **social media identities**

Question 40

What does **SaaS** stand for?

Answer 40

**S**oftware **A**s **A** **S**ervice

Question 41

What are the key benefits of AD Connector?

Answer 41

* Avoid cacheing information in the cloud * Allow on-premises users to log in to AWS using AD * Join EC2 instances to your existing AD domain * Scale across multiple AD connectors