AWS Certification Preparation: AWS IAM Facts, Faqs, Summaries and Top 10 Questions and Answers Dump






AWS IAM Facts and summaries, AWS IAM Top 10 Questions and Answers Dump

Definition 1:

IAM is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources. IdM systems fall under the overarching umbrella of IT security and Data Management .

Definition 2:
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.




AWS IAM Facts and summaries

    1. You can use AWS IAM to securely control individual and group access to your AWS resources. You can create and manage user identities (“IAM users”) and grant permissions for those IAM users to access your resources. You can also grant permissions for users outside of AWS ( federated users).
    2. How do users call AWS services?
      Users can make requests to AWS services using security credentials. Explicit permissions govern a user’s ability to call AWS services. By default, users have no ability to call service APIs on behalf of the account.
    3. What kinds of security credentials can IAM users have?
      IAM users can have any combination of credentials that AWS supports, such as an AWS access key, X.509 certificate, SSH key, password for web app logins, or an MFA device.
    4. What is the access level for newly created regular users in AWS?
      Default deny to all resources and actions
      By default, all new AWS users lack ANY access to AWS resources with a default deny. That default deny doesn’t prevent an explicit allow to grant them access. Keep in mind that EXPLICT denys override explicit allows.

    5. What is identity federation?
      AWS Identity and Access Management (IAM) supports identity federation for delegated access to the AWS Management Console or AWS APIs. With identity federation, external identities are granted secure access to resources in your AWS account without having to create IAM users. These external identities can come from your corporate identity provider (such as Microsoft Active Directory or from the AWS Directory Service) or from a web identity provider (such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible provider).

    6. Does AWS IAM support SAML?
      Yes, AWS supports the Security Assertion Markup Language (SAML) 2.0.

    7. What SAML profiles does AWS support?
      The AWS single sign-on (SSO) endpoint supports the IdP-initiated HTTP-POST binding WebSSO SAML Profile. This enables a federated user to sign in to the AWS Management Console using a SAML assertion. A SAML assertion can also be used to request temporary security credentials using the AssumeRoleWithSAML API. For more information, see About SAML 2.0-Based Federation.
    8. Can a temporary security credential be revoked prior to its expiration?
      No. When requesting temporary credentials, we recommend the following:

      • When creating temporary security credentials, set the expiration to a value that is appropriate for your application.
      • Because root account permissions cannot be restricted, use an IAM user and not the root account for creating temporary security credentials. You can revoke permissions of the IAM user that issued the original call to request it. This action almost immediately revokes privileges for all temporary security credentials issued by that IAM user
    9. Can I reactivate or extend the expiration of temporary security credentials?
      No. It is a good practice to actively check the expiration and request a new temporary security credential before the old one expires. This rotation process is automatically managed for you when temporary security credentials are used in roles for EC2 instances.

    10. What does a policy look like?
      The following policy grants access to add, update, and delete objects from a specific folder, example_folder, in a specific bucket, example_bucket.
    11. What is the IAM policy simulator?
      The IAM policy simulator is a tool to help you understand, test, and validate the effects of your access control policies.
    12. What can the policy simulator be used for?
      You can use the policy simulator in several ways. You can test policy changes to ensure they have the desired effect before committing them to production. You can validate existing policies attached to users, groups, and roles to verify and troubleshoot permissions. You can also use the policy simulator to understand how IAM policies and resource-based policies work together to grant or deny access to AWS resources.
    13. Is there an authentication API to verify IAM user sign-ins?
      No. There is no programmatic way to verify user sign-ins.
    14. Can users SSH to EC2 instances using their AWS user name and password?
      No. User security credentials created with IAM are not supported for direct authentication to customer EC2 instances. Managing EC2 SSH credentials is the customer’s responsibility within the EC2 console.
    15. Are IAM actions logged for auditing purposes?
      Yes. You can log IAM actions, STS actions, and AWS Management Console sign-ins by activating AWS CloudTrail. To learn more about AWS logging, see AWS CloudTrail.
    16. What is AWS MFA?
      AWS multi-factor authentication (AWS MFA) provides an extra level of security that you can apply to your AWS environment. You can enable AWS MFA for your AWS account and for individual AWS Identity and Access Management (IAM) users you create under your account.

    17. What problems does IAM solve?
      IAM makes it easy to provide multiple users secure access to your AWS resources. IAM enables you to:
      Manage IAM users and their access: You can create users in AWS’s identity management system, assign users individual security credentials (such as access keys, passwords, multi-factor authentication devices), or request temporary security credentials to provide users access to AWS services and resources. You can specify permissions to control which operations a user can perform.
      Manage access for federated users: You can request security credentials with configurable expirations for users who you manage in your corporate directory, allowing you to provide your employees and applications secure access to resources in your AWS account without creating an IAM user account for them. You specify the permissions for these security credentials to control which operations a user can perform.
    18. What is an IAM role?
      An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, trusted entities assume roles, such as IAM users, applications, or AWS services such as EC2.
    19. What problems do IAM roles solve?
      IAM roles allow you to delegate access with defined permissions to trusted entities without having to share long-term access keys. You can use IAM roles to delegate access to IAM users managed within your account, to IAM users under a different AWS account, or to an AWS service such as EC2.

    Top
    Reference: AWS IAM Faqs




    AWS IAM Top 10 Questions and Answers Dump

    Q0: What are the main benefits of IAM groups? (Select two)

    • A. The ability to create custom permission policies.
    • B. Assigning IAM permission policies to more than one user at a time.
    • C. Easier user/policy management.
    • D. Allowing EC2 instances to gain access to S3.

    B. and C.

    An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. For example, you could have a group called Admins and give that group the types of permissions that administrators typically need. Any user in that group automatically has the permissions that are assigned to the group. If a new user joins your organization and needs administrator privileges, you can assign the appropriate permissions by adding the user to that group. Similarly, if a person changes jobs in your organization, instead of editing that user’s permissions, you can remove him or her from the old groups and add him or her to the appropriate new groups.Reference: IAM Groups

    Top

    Q1: You would like to use STS to allow end users to authenticate from third-party providers such as Facebook, Google, and Amazon. What is this type of authentication called?

    • A. Web Identity Federation
    • B. Enterprise Identity Federation
    • C. Cross-Account Access
    • D. Commercial Federation

    A.
    AWS Identity and Access Management (IAM) supports identity federation for delegated access to the AWS Management Console or AWS APIs. With identity federation, external identities are granted secure access to resources in your AWS account without having to create IAM users. These external identities can come from your corporate identity provider (such as Microsoft Active Directory or from the AWS Directory Service) or from a web identity provider (such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible provider).

    Reference:

    Top

    Q2:
    IAM Policies, at a minimum, contain what elements?

    • A. Id
    • B. Sid
    • C. Actions
    • D. Effects
    • E. Principals
    • F. Resources

    C. D. F.Reference: Policies and Permissions

    Top

    Q3: What are benefits of using AWS STS?

    • A. Grant access to AWS resources without having to create an IAM identity for them
    • B. Since credentials are temporary, you don’t have to rotate or revoke them
    • C. Temporary security credentials can be extended indefinitely
    • D. Temporary security credentials can be restricted to a specific region

    Top

    Q4: Your mobile application includes a photo-sharing service that is expecting tens of thousands of users at launch. You will leverage Amazon Simple Storage Service (S3) for storage of the user Images, and you must decide how to authenticate and authorize your users for access to these images. You also need to manage the storage of these images. Which two of the following approaches should you use? Choose two answers from the options below

    • A. Create an Amazon S3 bucket per user, and use your application to generate the S3 URL for the appropriate content.
    • B. Use AWS Identity and Access Management (IAM) user accounts as your application-level user database, and offload the burden of authentication from your application code.
    • C. Authenticate your users at the application level, and use AWS Security Token Service (STS)to grant token-based authorization to S3 objects.
    • D. Authenticate your users at the application level, and send an SMS token message to the user. Create an Amazon S3 bucket with the same name as the SMS message token, and move the user’s objects to that bucket.

    Answer- C
    The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). The token can then be used to grant access to the objects in S3.
    You can then provides access to the objects based on the key values generated via the user id.

    Reference: The AWS Security Token Service (STS)

    Top

    Q5: You’ve developed a Lambda function and are now in the process of debugging it. You add the necessary print statements in the code to assist in the debugging. You go to Cloudwatch logs , but you see no logs for the lambda function. Which of the following could be the underlying issue for this?

    • A. You’ve not enabled versioning for the Lambda function
    • B. The IAM Role assigned to the Lambda function does not have the necessary permission to create Logs
    • C. There is not enough memory assigned to the function
    • D. There is not enough time assigned to the function

    Answer: B
    “If your Lambda function code is executing, but you don’t see any log data being generated after several minutes, this could mean your execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs. For information about how to make sure that you have set up the execution role correctly to grant these permissions, see Manage Permissions: Using an IAM Role (Execution Role)”.

    Reference: Using Amazon CloudWatch

    Top

    Q6: Your application must write to an SQS queue. Your corporate security policies require that AWS credentials are always encrypted and are rotated at least once a week.
    How can you securely provide credentials that allow your application to write to the queue?

    • A. Have the application fetch an access key from an Amazon S3 bucket at run time.
    • B. Launch the application’s Amazon EC2 instance with an IAM role.
    • C. Encrypt an access key in the application source code.
    • D. Enroll the instance in an Active Directory domain and use AD authentication.

    Answer: B.
    IAM roles are based on temporary security tokens, so they are rotated automatically. Keys in the source code cannot be rotated (and are a very bad idea). It’s impossible to retrieve credentials from an S3 bucket if you don’t already have credentials for that bucket. Active Directory authorization will not grant access to AWS resources.
    Reference: AWS IAM FAQs

    Top

    Q65: A corporate web application is deployed within an Amazon VPC, and is connected to the corporate data center via IPSec VPN. The application must authenticate against the on-premise LDAP server. Once authenticated, logged-in users can only access an S3 keyspace specific to the user. Which of the solutions below meet these requirements? Choose two answers How would you authenticate to the application given these details? (Choose 2)

    • A. The application authenticates against LDAP, and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM Role. The application can use the temporary credentials to access the S3 keyspace.
    • B. Develop an identity broker which authenticates against LDAP, and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 keyspace
    • C. Develop an identity broker which authenticates against IAM Security Token Service to assume an IAM Role to get temporary AWS security credentials. The application calls the identity broker to get AWS temporary security credentials with access to the app
    • D. The application authenticates against LDAP. The application then calls the IAM Security Service to login to IAM using the LDAP credentials. The application can use the IAM temporary credentials to access the appropriate S3 bucket.

    Answer: A. and B.
    The question clearly says “authenticate against LDAP”. Temporary credentials come from STS. Federated user credentials come from the identity broker.
    Reference: IAM faqs

    Top

    Q7:
    A corporate web application is deployed within an Amazon VPC, and is connected to the corporate data center via IPSec VPN. The application must authenticate against the on-premise LDAP server. Once authenticated, logged-in users can only access an S3 keyspace specific to the user. Which of the solutions below meet these requirements? Choose two answers
    How would you authenticate to the application given these details? (Choose 2)

    • A. The application authenticates against LDAP, and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM Role. The application can use the temporary credentials to access the S3 keyspace.
    • B. Develop an identity broker which authenticates against LDAP, and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 keyspace
    • C. Develop an identity broker which authenticates against IAM Security Token Service to assume an IAM Role to get temporary AWS security credentials. The application calls the identity broker to get AWS temporary security credentials with access to the app
    • D. The application authenticates against LDAP. The application then calls the IAM Security Service to login to IAM using the LDAP credentials. The application can use the IAM temporary credentials to access the appropriate S3 bucket.

    Answer: A. and B.
    The question clearly says “authenticate against LDAP”. Temporary credentials come from STS. Federated user credentials come from the identity broker.
    Reference: AWA STS Faqs

    Top

    Q8:

    • A.
    • B.
    • C.
    • D.

    Reference:

    Top

    Q9:

    • A.
    • B.
    • C.
    • D.

    Reference:

    Top

    Q10:

    • A.
    • B.
    • C.
    • D.

    Reference:

    Top




    Other AWS Facts and Summaries and Questions/Answers Dump