IAM and AWS CLI

Question 1

Is IAM region scoped?

Answer 1

No, it is a global service

Question 2

True or False: IAM groups may contain other groups.

Answer 2

False, they may only contain users

Question 3

What is the maximum number of groups a user can belong to?

Answer 3

Unlimited

Question 4

Permissions can be assigned to a user or group through a _ document called a _

Answer 4

A JSON document called a policy

Question 5

What are the 3 definitions that define an IAM policy?

Answer 5

1. The policy language version (2012-10-17)
2. Id (Optional)
3. Statements

Question 6

What are the 6 definitions that define an IAM policy?

Answer 6

1. Sid (Optional)
2. Effect (Allow/Deny)
3. Principle (Who the policy applies to - Only for resource based policies)
4. Action (Actions the policy allows/denys)
5. Resource (Resources to which the actions can be applied to)
6. Condition (Optional)

Question 7

What are two different ways to protect users from being compromised?

Answer 7

1. Password Policy
2. MFA Policy

Question 8

What are the different 4 MFA device options?

Answer 8

Virtual MFA (phones)
Universal 2nd Factor Security Key (U2F)
Hardware Key Fob MFA Device
AWS GovGloud Hardware Key

Question 9

What are the 3 different options to access AWS

Answer 9

1. AWS Management Console
2. AWS Command Line Interface (CLI)
3. AWS Software Developer Kit (SDK)

Question 10

What IAM feature is used to give permissions to AWS services to perform actions on your behalf?

Answer 10

IAM Roles

Question 11

What would you use to find information on user passwords, access credentials, MFA status, and last usage of credentials.

Answer 11

IAM Credential Report

Question 12

What tool would you use to review IAM policies and service usage of IAM identities?

Answer 12

IAM Access Advisor

Question 13

What are 8 best practices for IAM?

Answer 13

1. Don’t use the root account
2. One physical user = One AWS user
3. Assign users to groups and permissions to groups
4. Strong password policy
5. Enforce MFA
6. Use roles to assign permissions to AWS services
7. Use access keys for CLI/SDK access
8. Never share IAM users or access keys

Question 14

Which policies are typically required for same account vs cross acount access

Answer 14

Same account - Identity Based (Execution role)
Cross account - Resource Based