AWS Certified Solutions Architect Study Guide - Chapter 6


3. Which of the following will—when executed on its own—prevent an IAM user with no existing policies from launching an EC2 instance? (Choose three.) A. Attach no policies to the user. B. Attach two policies to the user with one policy permitting full EC2 access and the other permitting IAM password changes but denying EC2 access. C. Attach a single policy permitting the user to create S3 buckets. D. Attach the AdministratorAccess policy.

A, B, C. Unless a policy explicitly allows an action, it is denied. Therefore, a user with no policies, or with a policy permitting only S3 actions, has no EC2 permissions. Similarly, when two policies conflict, an explicit Deny always wins over an Allow, so the second policy in option B blocks EC2 even though the first one permits it. The AdministratorAccess policy opens up nearly all AWS resources, including EC2.

5. Which of the following security credentials can be used for encrypting SOAP requests to AWS services? (Choose two.) A. X.509 certificates B. Access keys C. Passwords D. Key pairs

A, B. X.509 certificates are the standard credential for SOAP requests, but access keys are used for S3 and Amazon Mechanical Turk requests. Passwords are never used for encryption, just authentication, and key pairs are generally used only for EC2 instances or for authenticating signed URLs for CloudFront distributions.

12. An employee with access to the root user on your AWS account has just left your company. Since you can't be 100 percent sure that the former employee won't try to harm your company, which of the following steps should you take? (Choose two.) A. Change the password and MFA settings for the root account. B. Delete and re-create all existing IAM policies. C. Change the passwords for all your IAM users. D. Delete the former employee's own IAM user (within the company account).

A, D. Your IAM policies will be as effective as ever, even if outsiders know your policies. Since even an account's root user would never have known other users' passwords, there's no reason to change them. Do, however, review anything created while that person held root access: root can create IAM users and access keys, so check the account's credential report for identities and keys you don't recognize.

11. What is the function of Amazon Cognito identity pools? A. Give your application users temporary, controlled access to other services in your AWS account. B. Add user sign-up and sign-in to your applications. C. Incorporate encryption infrastructure into your application lifecycle. D. Deliver up-to-date credentials to authenticate RDS database requests.

A. Identity pools provide temporary access to defined AWS services to your application users. Sign-up and sign-in is managed through Cognito user pools. KMS and/or CloudHSM provide encryption infrastructure. And credential delivery to databases or third-party applications is provided by AWS Secrets Manager.

9. Which of the following AWS services provides virtual hardware devices for managing encryption infrastructure that's FIPS 140-2 compliant? A. AWS CloudHSM B. AWS Key Management Service C. AWS Security Token Service D. AWS Secrets Manager

A. Key Management Service also manages encryption infrastructure, and the HSMs behind it are FIPS 140-2 validated, but it doesn't give you dedicated hardware devices of your own. Security Token Service is used to issue temporary credentials for valid IAM roles. And Secrets Manager handles secrets for third-party services or databases.

20. Which of the following steps are part of the access key rotation process? (Choose three.) A. Monitor the use of your new keys. B. Monitor the use of old keys. C. Deactivate the old keys. D. Delete the old keys.

B, C, D. In this context, key usage monitoring is only useful to ensure that none of your applications is still using an old key that's set to be retired.

14. Which of the following are necessary steps for creating an IAM role? (Choose two.) A. Define the action. B. Select at least one policy. C. Define a trusted entity. D. Define the consumer application.

B, C. IAM roles require a defined trusted entity and at least one policy. However, the relevant actions are defined by the policies you choose, and roles themselves are uninterested in which applications use them.

4. Which of the following are important steps for securing IAM user accounts? (Choose two.) A. Never use the account to perform any administration operations. B. Enable multifactor authentication (MFA). C. Assign a long and complex password. D. Delete all access keys.

B, C. If you don't perform any administration operations with regular IAM users, then there really is no point for them to exist. Similarly, without access keys, there's a limit to what a user will be able to accomplish. Ideally, all users should use MFA and strong passwords.

17. If you need to allow a user full control over EC2 instance resources, which two of the following must be included in the policy you create? A. "Target": "ec2:*" B. "Action": "ec2:*" C. "Resource": "ec2:*" D. "Effect": "Allow"

B, D. The correct Resource line would read "Resource": "*". There is no "Target" element in an IAM policy.

10. Which of the following is the best tool for authenticating access to a VPC-based MS SharePoint farm? A. Amazon Cognito B. AWS Directory Service for Microsoft Active Directory C. AWS Secrets Manager D. AWS Key Management Service

B. AWS Directory Service for Microsoft Active Directory provides Active Directory authentication within a VPC environment. Amazon Cognito provides user administration for your applications. AWS Secrets Manager handles secrets for third-party services or databases. AWS Key Management Service manages encryption infrastructure.

7. Which of the following is the greatest benefit of organizing your users into groups? A. It enhances security by consolidating resources. B. It simplifies the management of user permissions. C. It allows for quicker response times to service interruptions. D. It simplifies locking down the root user.

B. IAM groups are primarily about simplifying administration. They have no direct impact on resource usage or response times and only an indirect impact on locking down the root user.

13. Which of the following elements will not play any role in crafting an IAM policy? A. Action B. Region C. Effect D. Resource

B. IAM policies are global—they're not restricted to any one region. Policies do, however, require an action (like create buckets), an effect (allow), and a resource (S3).

2. Which of the following statements is a correct description of IAM policies? A. The Action element refers to the way IAM will react to a request. B. The * character applies an element globally—as broadly as possible. C. The Resource element refers to the third-party identities that will be allowed to access the account. D. The Effect element refers to the anticipated resource state after a request is granted.

B. The Action element refers to the kind of action requested (list, create, etc.), the Resource element refers to the particular AWS account resource that's the target of the policy, and the Effect element refers to the way IAM should react to a request.
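Worked example, added here and not taken from the study guide or from AWS: a small Python simulator of the evaluation rules behind the answers to questions 3, 17, 13 and 2 (default deny, an explicit Deny overriding any Allow, "*" as a wildcard in Action and Resource), plus a check that a statement carries only the elements IAM knows about. The policy documents, the account ID 123456789012, the instance ARN and the function names are constructed placeholders; Condition, NotAction/NotResource, permission boundaries and SCPs are deliberately out of scope.

```python
import fnmatch

# Constructed policy documents (account ID 123456789012 is a placeholder).
FULL_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}          # question 17's policy
S3_BUCKETS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:CreateBucket", "Resource": "*"}]}
PASSWORD_NO_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:ChangePassword",
     "Resource": "arn:aws:iam::123456789012:user/*"},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}              # AdministratorAccess equivalent
BAD_TARGET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Target": "ec2:*", "Resource": "*"}]}          # question 17's option A

INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # placeholder
KNOWN_ELEMENTS = ("Sid", "Effect", "Principal", "Action", "Resource", "Condition")


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """Glob match with IAM's "*" and "?" wildcards; action names are case-insensitive, ARNs are not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def validate(policy):
    """List the problems IAM would reject the document for.

    Only the Effect/Action/Resource statement form used in this chapter is handled.
    """
    problems = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        for key in ("Effect", "Action", "Resource"):
            if key not in stmt:
                problems.append(f"statement {i}: missing {key}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for key in stmt:                       # catches "Target" (q17) and "Region" (q13)
            if key not in KNOWN_ELEMENTS:
                problems.append(f"statement {i}: unknown element {key}")
    return problems


def evaluate(policies, action, resource):
    """Decide one request: default deny, any matching Allow grants, any matching Deny overrides."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not _matches(_as_list(stmt.get("Action")), action, fold_case=True):
                continue
            if not _matches(_as_list(stmt.get("Resource")), resource, fold_case=False):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"                  # explicit deny ends the evaluation
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"      # nothing allowed it: default deny


def can_launch_instance(policies):
    return evaluate(policies, "ec2:RunInstances", INSTANCE_ARN) == "Allow"


def question_3():
    """Map each option of question 3 to whether it leaves the user unable to launch an instance."""
    options = {"A": [], "B": [FULL_EC2, PASSWORD_NO_EC2], "C": [S3_BUCKETS_ONLY], "D": [ADMIN]}
    return {opt: not can_launch_instance(pols) for opt, pols in options.items()}


if __name__ == "__main__":
    print(question_3())          # {'A': True, 'B': True, 'C': True, 'D': False}
    print(validate(BAD_TARGET))  # ['statement 0: missing Action', 'statement 0: unknown element Target']
```

Option B is the instructive case: `FULL_EC2` sets `allowed`, but the Deny statement in the second policy is reached in the same pass and returns immediately, which is exactly why "the more restrictive policy" wins. `BAD_TARGET` never matches anything because it has no Action, and `validate()` reports both the missing element and the unknown one.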

18. What is the function of Amazon Cognito user pools? A. Give your application users temporary, controlled access to other services in your AWS account. B. Add user sign-up and sign-in to your applications. C. Incorporate encryption infrastructure into your application lifecycle. D. Deliver up-to-date credentials to authenticate RDS database requests.

B. User pools provide sign-up and sign-in for your application's users. Temporary access to defined AWS services to your application users is provided by identity pools. KMS and/or CloudHSM provide encryption infrastructure. And credential delivery to databases or third-party applications is provided by AWS Secrets Manager.

19. Which of the following best describe the "managed" part of AWS Managed Microsoft AD? (Choose two.) A. Integration with on-premises AD domains is possible. B. AD domain controllers are launched in two availability zones. C. Data is automatically replicated. D. Underlying AD software is automatically updated.

C, D. An AWS managed service takes care of all underlying infrastructure management for you. In this case, that will include data replication and software updates. On-premises integration and multi-AZ deployment are important infrastructure features, but they're not unique to "managed" services.

16. What format must be used to write an IAM policy? A. HTML B. Key/value pairs C. JSON D. XML

C. Policies must be written in JSON format.

1. Which of the following is the greatest risk posed by using your AWS account root user for day-to-day operation? A. There would be no easy way to control resource usage by project or class. B. There would be no effective limits on the effect of an action, making it more likely for unintended and unwanted consequences to result. C. Since root has full permissions over your account resources, an account compromise at the hands of hackers would be catastrophic. D. It would make it difficult to track which account user is responsible for specific actions.

C. While each of the other answers represents possible concerns, none of them carries consequences as disastrous as the complete loss of control over your account.

8. Which of the following is not considered a trusted entity in the context of IAM roles? A. A web identity authenticating with Google B. An identity coming through a SAML-based federated provider C. An identity using an X.509 certificate D. A web identity authenticating with Amazon Cognito

C. X.509 certificates are used for encrypting SOAP requests, not authentication. The other choices are all valid identities within the context of an IAM role.

15. Which of the following uses authentication based on AWS Security Token Service (STS) tokens? A. Policies B. Users C. Groups D. Roles

D. STS tokens are used as temporary credentials that give external identities access to resources through IAM roles. Users and groups would not use tokens to authenticate, and policies define the access a token will provide, not the recipient of that access.

6. Which of the following AWS CLI commands can tell you whether an access key is still in use? A. aws iam get-access-key-used --access-key-id B. aws iam --get-access-key-last-used access-key-id C. aws iam get-access-key-last-used access-last-key-id D. aws iam get-access-key-last-used --access-key-id

D. The top-level command is iam, while the correct subcommand is get-access-key-last-used. The parameter is identified by --access-key-id. Parameters (not subcommands) are always prefixed with -- characters.
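Worked example, added here and not from the study guide: a Python pass over a constructed set of access keys that applies the rotation steps from question 20 (create a replacement, watch whether the old key is still used, deactivate it, then delete it) and the last-used check from question 6. The records follow the field names returned by `aws iam list-access-keys` and `aws iam get-access-key-last-used` but are invented, the 90-day and 14-day thresholds are assumptions rather than AWS defaults, and `plan()` and `cli_command()` are this example's own helpers.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed thresholds (local policy choices, not AWS defaults).
MAX_KEY_AGE = timedelta(days=90)    # a lone key older than this should be rotated
QUIET_PERIOD = timedelta(days=14)   # an old key unused this long is safe to deactivate


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


NOW = _utc(2024, 6, 1)   # fixed clock so the run is reproducible

# Constructed records in the shape of `aws iam list-access-keys`, with the
# AccessKeyLastUsed.LastUsedDate field from `aws iam get-access-key-last-used`
# flattened in (None when the key has never been used). Key IDs are placeholders.
KEYS = [
    {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active",
     "CreateDate": _utc(2024, 1, 10), "LastUsedDate": _utc(2024, 5, 30)},
    {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Active",
     "CreateDate": _utc(2024, 5, 20), "LastUsedDate": _utc(2024, 5, 31)},
    {"UserName": "ci", "AccessKeyId": "AKIAEXAMPLE00000003", "Status": "Active",
     "CreateDate": _utc(2023, 12, 1), "LastUsedDate": _utc(2024, 4, 1)},
    {"UserName": "ci", "AccessKeyId": "AKIAEXAMPLE00000004", "Status": "Active",
     "CreateDate": _utc(2024, 5, 1), "LastUsedDate": _utc(2024, 5, 31)},
    {"UserName": "backup", "AccessKeyId": "AKIAEXAMPLE00000005", "Status": "Inactive",
     "CreateDate": _utc(2023, 11, 1), "LastUsedDate": _utc(2024, 3, 15)},
    {"UserName": "backup", "AccessKeyId": "AKIAEXAMPLE00000006", "Status": "Active",
     "CreateDate": _utc(2024, 4, 1), "LastUsedDate": _utc(2024, 5, 31)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE00000007", "Status": "Active",
     "CreateDate": _utc(2024, 5, 15), "LastUsedDate": _utc(2024, 5, 31)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE00000008", "Status": "Active",
     "CreateDate": _utc(2024, 1, 1), "LastUsedDate": _utc(2024, 5, 31)},
    {"UserName": "svc", "AccessKeyId": "AKIAEXAMPLE00000009", "Status": "Active",
     "CreateDate": _utc(2024, 4, 1), "LastUsedDate": None},
]


def _idle(key, now):
    """True when nothing has signed with the key inside QUIET_PERIOD (never used counts as idle)."""
    last = key["LastUsedDate"]
    return last is None or now - last > QUIET_PERIOD


def plan(keys, now=NOW):
    """Return {AccessKeyId: action}; action is one of keep, wait, deactivate, delete, rotate."""
    by_user = defaultdict(list)
    for key in keys:
        by_user[key["UserName"]].append(key)
    actions = {}
    for user_keys in by_user.values():
        user_keys.sort(key=lambda k: k["CreateDate"])
        if len(user_keys) == 1:
            key = user_keys[0]
            if key["LastUsedDate"] is None and now - key["CreateDate"] > QUIET_PERIOD:
                actions[key["AccessKeyId"]] = "delete"      # never used: remove it rather than rotate it
            elif now - key["CreateDate"] > MAX_KEY_AGE:
                actions[key["AccessKeyId"]] = "rotate"      # step 1: create the replacement key
            else:
                actions[key["AccessKeyId"]] = "keep"
            continue
        old, new = user_keys[0], user_keys[-1]            # IAM allows at most two keys per user
        actions[new["AccessKeyId"]] = "keep"
        if old["Status"] == "Inactive":
            actions[old["AccessKeyId"]] = "delete"          # step 4: deactivated and nothing broke
        elif _idle(old, now):
            actions[old["AccessKeyId"]] = "deactivate"      # step 3: old key is quiet, switch it off
        else:
            actions[old["AccessKeyId"]] = "wait"            # step 2: something still signs with the old key
    return actions


def cli_command(action, key):
    """The `aws iam` invocation that carries out an action from plan(); None when nothing to do."""
    user, key_id = key["UserName"], key["AccessKeyId"]
    if action == "rotate":
        return f"aws iam create-access-key --user-name {user}"
    if action == "deactivate":
        return f"aws iam update-access-key --user-name {user} --access-key-id {key_id} --status Inactive"
    if action == "delete":
        return f"aws iam delete-access-key --user-name {user} --access-key-id {key_id}"
    if action == "wait":
        return f"aws iam get-access-key-last-used --access-key-id {key_id}"   # keep monitoring it
    return None


if __name__ == "__main__":
    decisions = plan(KEYS)
    for key in KEYS:
        action = decisions[key["AccessKeyId"]]
        print(f"{key['UserName']:8} {key['AccessKeyId']} {action:10} {cli_command(action, key) or ''}")
```

The point of the `wait` branch is the one question 20 makes: monitoring the old key is what tells you whether a client you forgot about still signs with it, and deactivating before that monitoring is quiet is how rotations break production. Deactivating first and deleting only after a further quiet period leaves a cheap rollback (`--status Active`) if something does break.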

