Important Info Flashcards

(34 cards)

1
Q

IAM principals must be authenticated to send requests (with a few exceptions, e.g. anonymous requests to public S3 resources).

A

True

2
Q

How many IAM users can be created in one AWS account?

A

5,000 IAM users per AWS account (default service quota)

3
Q

What is the main reason to use IAM groups?

A

To attach policies to the group so that every member user receives the same permissions, instead of attaching policies user by user.

4
Q

How does a user gain permissions from a user group?

A

Through the policies attached to the group; a user inherits the permissions of every group they belong to.

5
Q

What are access keys used for?

A

Programmatic access (AWS CLI, SDKs, and API calls)

6
Q

What are usernames & passwords used for?

A

AWS Management Console access

7
Q

What are permissions boundaries attached to?

A

Users & Roles

8
Q

What do permissions boundaries set?

A

The maximum permissions an identity-based policy can grant that entity (a boundary never grants permissions on its own).

9
Q

What are the Determination Rules for Policies?

A
  1. Default: all requests are IMPLICITLY denied (the root user has full access by default).
  2. An explicit allow in an identity-based or resource-based policy overrides the default.
  3. If a permissions boundary, Organizations SCP, or session policy is present, it might override the allow with an implicit deny (the action must also be allowed there).
  4. An explicit deny in any policy overrides any allows.
10
Q

What are the AWS IAM Best Practices?

A
  1. Require human users to use federation w/ an identity provider to access AWS using temp credentials.
  2. Require workloads use temp credentials w/ IAM roles to access AWS.
  3. Require multi-factor authentication (MFA).
  4. Rotate access keys regularly for use cases that require long-term credentials.
  5. Safeguard root user credentials & don’t use them for everyday tasks.
  6. Apply least-privilege permissions.
  7. Start w/ AWS managed policies & move toward least-privilege permissions.
  8. Use IAM Access Analyzer to generate least-privilege policies based on access activity.
  9. Regularly review & remove unused users, roles, permissions, policies, & credentials.
  10. Use conditions in IAM policies to further restrict access.
  11. Verify public & cross-account access to resources w/ IAM Access Analyzer.
  12. Use IAM Access Analyzer to validate IAM policies to ensure secure & functional permissions.
  13. Establish permissions guardrails across multiple accounts.
  14. Use permissions boundaries to delegate permissions management w/in an account.
11
Q

Which element of an IAM policy document can be used to specify that a policy should take effect only if the caller is coming from a specific source IP address?

A

Condition (for example the IpAddress operator on the aws:SourceIp context key)

12
Q

Policy Evaluation Determination Rules

A

Determination Rules:
1. By default, all requests are implicitly denied.
2. Explicit allow in identity-based or resource-based policy overrides this default.
3. If permissions boundary, Organizations SCP, or session policy present, it might override allow w/ implicit deny.
4. Explicit deny in any policy overrides any allows.
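The determination rules on cards 9 and 12, together with the Condition element from card 11, worked through in code. This is an added example, not AWS's evaluation engine or code from the card deck: the policy documents, bucket name and IP ranges are constructed, and the toy evaluator supports only the IpAddress/NotIpAddress and StringEquals/StringNotEquals operators, treats every listed SCP as something that must independently allow the action, and fails a condition whose key is missing from the request context (real IAM lets negated operators match in that case).

```python
"""Toy model of the IAM policy evaluation rules on cards 9, 11 and 12 (constructed example,
not AWS code). Real IAM has more operators, NotAction/NotResource, policy variables and
nuances (e.g. a resource policy naming a principal is not limited by that principal's boundary)."""
import fnmatch
import ipaddress

NEGATED = ("NotIpAddress", "StringNotEquals")  # operators whose match is inverted

def _matches(pattern, value):
    # IAM-style wildcard match for Action / Resource strings ("s3:Get*", "*")
    return fnmatch.fnmatchcase(value, pattern)

def _conditions_met(condition, ctx):
    """Evaluate a Condition block. Supports IpAddress/NotIpAddress and StringEquals/
    StringNotEquals. Simplification: a key missing from the request context fails the
    condition (real IAM lets negated operators match when the key is absent)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
            elif operator in ("StringEquals", "StringNotEquals"):
                hit = actual in values
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if hit == (operator in NEGATED):   # negated operators want *no* match
                return False
    return True

def _effects(policy, action, resource, ctx):
    """Yield the Effect of each statement whose Action, Resource and Condition all match."""
    statements = policy.get("Statement", [])
    for s in (statements if isinstance(statements, list) else [statements]):
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s.get("Resource", "*")
        resources = resources if isinstance(resources, list) else [resources]
        if (any(_matches(a, action) for a in actions)
                and any(_matches(r, resource) for r in resources)
                and _conditions_met(s.get("Condition", {}), ctx)):
            yield s["Effect"]

def _decide(policies, action, resource, ctx):
    """Decision for one set of policies: explicit Deny > Allow > implicit deny."""
    effects = {e for p in policies for e in _effects(p, action, resource, ctx)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "ImplicitDeny"

def evaluate(action, resource, ctx, identity_policies=(), resource_policies=(),
             permissions_boundary=None, scps=(), session_policy=None):
    """Determination rules for a same-account request:
    1. by default the request is implicitly denied;
    2. an explicit Allow in an identity- or resource-based policy overrides the default;
    3. a permissions boundary, every listed SCP and a session policy, when present, must
       also allow the action or the result is an implicit deny;
    4. an explicit Deny in any policy overrides all Allows."""
    guardrails = [p for p in (permissions_boundary, session_policy, *scps) if p]
    grants = list(identity_policies) + list(resource_policies)
    if _decide(grants + guardrails, action, resource, ctx) == "Deny":
        return "ExplicitDeny"                                              # rule 4
    if _decide(grants, action, resource, ctx) != "Allow":
        return "ImplicitDeny"                                              # rule 1 vs 2
    if any(_decide([g], action, resource, ctx) != "Allow" for g in guardrails):
        return "ImplicitDeny"                                              # rule 3
    return "Allow"

# Constructed sample policies: example bucket name and corporate range, not real ones.
IDENTITY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-bucket/*",
    # card 11: the Condition element, here IpAddress on the aws:SourceIp context key
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}]}
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},                # like FullAWSAccess
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
ADMIN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_OFF_NET = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}

def demo():
    """One request per determination rule; the key names the expected outcome."""
    obj = "arn:aws:s3:::example-bucket/report.csv"
    office, elsewhere = {"aws:SourceIp": "203.0.113.10"}, {"aws:SourceIp": "198.51.100.7"}
    common = dict(identity_policies=[IDENTITY], permissions_boundary=BOUNDARY, scps=[SCP])
    return {
        "allowed_from_office": evaluate("s3:GetObject", obj, office, **common),      # rule 2
        "wrong_source_ip": evaluate("s3:GetObject", obj, elsewhere, **common),       # rule 1
        "outside_boundary": evaluate("ec2:StartInstances", "*", office, [ADMIN], permissions_boundary=BOUNDARY),  # rule 3
        "scp_explicit_deny": evaluate("s3:DeleteBucket", "arn:aws:s3:::example-bucket", office, [ADMIN], scps=[SCP]),  # rule 4
        "off_net_explicit_deny": evaluate("s3:GetObject", obj, elsewhere, [ADMIN, DENY_OFF_NET]),  # rule 4
    }
```

Calling demo() returns Allow for the read from the corporate range, ImplicitDeny both when the aws:SourceIp condition is not met and when an admin identity policy is cut down by a boundary that never mentions ec2:StartInstances, and ExplicitDeny when the SCP denies s3:DeleteBucket or a NotIpAddress deny statement fires for an off-network caller; note that the boundary case fails even though nothing explicitly denies it, which is the difference between rules 3 and 4.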

13
Q

True or False

Each AWS service has its own set of actions that describe tasks you can perform with that service.

A

TRUE

14
Q

What are the IAM Best Practices?

A
  • Require human users to use federation w/ identity provider to access AWS using temporary credentials.
  • Require workloads to use temporary credentials w/ IAM roles to access AWS.
  • Require multi-factor authentication (MFA).
  • Rotate access keys regularly for use cases that require long-term credentials.
  • Safeguard your root credentials & don’t use them for everyday tasks.
  • Apply least-privilege permissions.
  • Get started w/ AWS managed policies & move toward least privilege permissions.
  • Use IAM Access Analyzer to generate least-privilege policies based on access activity.
  • Regularly review & remove unused users, roles, permissions, policies, & credentials.
  • Use conditions in IAM policies to further restrict access.
  • Verify public & cross-account access to resources w/ IAM Access Analyzer.
  • Use IAM Access Analyzer to validate IAM policies to ensure secure & functional permissions.
  • Establish permission guardrails across multiple accounts.
  • Use permissions boundaries to delegate permissions management w/in an account.
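Several of the practices on cards 10 and 14 (MFA for console users, rotating long-term access keys, removing unused credentials, keeping the root user free of access keys) can be checked from the IAM credential report. The following is an added example, not code from the card deck or from AWS: the CSV is a constructed sample using a subset of the real report's column names, the account ID 111122223333 is a documentation placeholder, and the 90-day rotation and "unused" thresholds are assumptions; in practice the report comes from the aws iam get-credential-report CLI command (base64-encoded CSV) and the clock is the current time.

```python
"""Audit an IAM credential report for the practices on cards 10 and 14: MFA on console
users, rotation of long-term access keys, removal of unused credentials, and no access
keys on the root user. Added example, not AWS code; the report below is a constructed
sample containing a subset of the real report's columns."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)    # assumed rotation policy
UNUSED_AFTER = timedelta(days=90)   # assumed threshold for "unused"

# Constructed sample (the real report has more columns; only the ones used here are kept).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-02-01T09:00:00+00:00,true,true,2020-01-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-04T12:00:00+00:00,true,2024-05-30T08:15:00+00:00,true,true,2024-05-01T10:00:00+00:00,2024-05-20T16:40:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-07-19T09:30:00+00:00,true,2024-05-31T07:00:00+00:00,false,true,2023-01-10T11:00:00+00:00,2024-05-28T13:05:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-11-02T15:45:00+00:00,false,no_information,false,true,2024-04-01T09:00:00+00:00,N/A,true,2024-01-15T09:00:00+00:00,2024-01-20T09:00:00+00:00
"""
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # frozen clock so the sample is stable


def _ts(value):
    """Parse a report timestamp; the report's N/A / no_information / not_supported
    placeholders mean 'never' and come back as None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv, now=None):
    """Return (user, finding) pairs for every row that violates one of the practices."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # root should have MFA and no access keys at all (cards: safeguard root credentials)
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root access key {n} is active"))
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
            last_used = _ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None or now - last_used > UNUSED_AFTER:
                findings.append((user, f"access key {n} unused for {UNUSED_AFTER.days}+ days"))
    return findings


def demo_findings():
    """Run the audit over the constructed sample with the frozen clock."""
    return audit_credential_report(SAMPLE_REPORT, FIXED_NOW)


if __name__ == "__main__":
    for user, finding in demo_findings():
        print(f"{user:15} {finding}")
```

On the sample, alice is clean, the root user is flagged for an active access key, bob for a console password without MFA and a key last rotated in 2023, and the ci-deploy workload user for one key that has never been used and a second that is both old and idle. Workload users like ci-deploy are also what the first two practices address: an IAM role with temporary credentials removes the long-term key altogether.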
15
Q

Is an EC2 public IP address a dynamic IP address?

A

Yes (it is released when the instance stops & a new one is assigned when it starts again)

16
Q

Is an Elastic IP Address a static IP address?

A

Yes

17
Q

Can both ENIs and EIPs be remapped to a different instance?

18
Q

What are Public IP Addresses?

A
  • Released when instance is stopped.
  • Used in Public Subnets.
  • Chargeable
  • Associated with private IP Address on instance.
  • Cannot be moved between instances.
19
Q

What are Private IP Addresses?

A
  • Retained when instance is stopped.
  • Used in Public & Private Subnets.
20
Q

What are Elastic IP Addresses?

A
  • Static Public address
  • Chargeable
  • Associated w/ private IP address on instance.
  • Can be moved b/w instances & Elastic Network Interfaces (ENIs).
21
Q

Does an Internet Gateway perform NAT (Network Address Translation)?

22
Q

Is a NAT gateway created in a public subnet?

23
Q

The NAT gateway ID must be specified as the target in the private subnet's route table (RT).

24
Q

Do NAT instances require source & destination checks to be disabled?

25
Q

What happens when you stop an EC2 instance?

A
  • Applies to EBS-backed instances only.
  • No charge for the stopped instance; attached EBS volumes remain attached & are still chargeable.
  • Data in RAM is lost.
  • The instance is migrated to a different host when it is started again.
  • Private IPv4 & IPv6 addresses are retained.
  • Public IPv4 addresses are released.
  • Associated Elastic IPs are retained.
26
Q

What happens to hibernating EC2 instances?

A
  • Applies to supported AMIs; hibernation must be enabled when the instance is launched & specific prerequisites apply.
  • Contents of RAM are saved to the EBS root volume.
  • When started after hibernation:
    • The EBS root volume is restored to its previous state.
    • RAM contents are reloaded.
    • Processes that were previously running on the instance are resumed.
    • Previously attached data volumes are reattached & the instance retains its instance ID.
27
Q

What happens when rebooting EC2 instances?

A
  • Equivalent to an OS reboot.
  • DNS name & all IPv4 & IPv6 addresses are retained.
  • Doesn't affect billing.
28
Q

What happens when an EC2 instance retires?

A
  • An instance may be scheduled for retirement if AWS detects an **irreparable failure of the underlying hardware that hosts the instance**.
  • When it reaches its **scheduled retirement date**, it is stopped or terminated by AWS.
29
Q

What happens when you terminate an EC2 instance?

A
  • Deletes the EC2 instance.
  • A terminated instance cannot be recovered.
  • Root EBS volumes are deleted (by default; DeleteOnTermination is true for the root volume).
30
Q

What happens when an EC2 instance is recovered?

A
  • CloudWatch alarms on system status checks can automatically recover the instance.
  • Applies when the instance becomes impaired due to underlying hardware / platform issues.
  • The recovered instance is identical to the original (same instance ID, IP addresses & instance metadata).
31
Q

What is the AWS Nitro System?

A
  • Underlying platform for current-generation EC2 instances.
  • Supports many virtual & bare-metal instance types.
  • Offloads virtualization functions to specialized hardware (Nitro Cards) & a lightweight Nitro Hypervisor.
32
Q

What specialized hardware makes up the AWS Nitro System?

A
  • Nitro Card for VPC
  • Nitro Card for EBS
  • Nitro Card for instance storage
  • Nitro Card controller
  • Nitro Security Chip
  • Nitro Hypervisor
  • Nitro Enclaves
33
Q

What are the benefits of the AWS Nitro System?

A
  • Improves performance, security, & innovation.
  • Performance close to bare metal for virtualized instances.
  • Elastic Network Adapter (ENA) & Elastic Fabric Adapter (EFA).
  • More bare-metal instance types.
  • Higher network performance (ex: 100 Gbps).
  • High Performance Computing (HPC) optimizations.
  • Dense storage instances (ex: 60 TB).
34
Q

What are AWS Nitro Enclaves?

A
  • Isolated compute environments.
  • Run on isolated & hardened virtual machines.
  • No persistent storage, interactive access, or external networking.
  • Use cryptographic attestation to ensure **only** authorized code is running.
  • Integrate w/ AWS Key Management Service (KMS).
  • Protect & securely process highly sensitive data such as **Personally Identifiable Information (PII)**, **healthcare data**, **financial data**, & **intellectual property**.