Exam/Practice Questions - Identity and Access Management (IAM)


Which of the following is not a feature of IAM? a. IAM allows you to set up biometric authentication, so that no passwords are required. b. IAM offers fine-grained access control to AWS resources. c. IAM offers centralized control of your AWS account. d. IAM integrates with existing Active Directory accounts, allowing single sign-on.

a

You are a developer at a fast-growing startup. Until now, you have used the root account to log in to the AWS console. However, as you have taken on more staff, you will now need to stop sharing the root account to prevent accidental damage to your AWS infrastructure. What should you do so that everyone can access the AWS resources they need to do their jobs? (Choose 2) a. Create individual user accounts with minimum necessary rights and tell the staff to log in to the console using the credentials provided. b. Give your users the root account credentials so that they can also sign in. c. Create a customized sign-in link such as "yourcompany.signin.aws.amazon.com/console" for your new users to use to sign in with. d. Create an additional AWS root account for each new user.

a and c. Note that the IAM account sign-in URL is different from the root account sign-in URL. Regarding d: there is only one root account, and it shouldn't be used on a regular basis.

What is an additional way to secure the AWS accounts of both the root account and new users alike? a. Implement Multi-Factor Authentication for all accounts. b. Store the access key ID and secret access key of all users in a publicly accessible plain text document on S3 whose address only you and members of your organization know. c. Configure the AWS Console so that you can only log in to it from your internal network IP address range. d. Configure the AWS Console so that you can only log in to it from a specific IP address range.

a.

When you create a new user, that user ________. a. Will be able to interact with AWS using their access key ID and secret access key using the API, CLI, or the AWS SDKs. b. Will be able to log in to the console only after multi-factor authentication is enabled on their account. c. Will only be able to log in to the console in the region in which that user was created. d. Will be able to log in to the console anywhere in the world, using their access key ID and secret access key.

a. Regarding d: a secret key is not used in logging in to the console.

To save administration headaches, Amazon recommends that you leave all security groups in web-facing subnets open on port 22 to the 0.0.0.0/0 CIDR. That way, you can connect wherever you are in the world. a. False b. True

a. See Security Whitepaper

A __________ is a document that provides a formal statement of one or more permissions. a. Group b. Policy c. Role d. User

b

Every user you create in the IAM systems starts with ________. a. Full Permissions b. No Permissions c. Partial Permissions

b

Using SAML (Security Assertion Markup Language 2.0), you can give your federated users single sign-on (SSO) access to the AWS Management Console. a. False b. True

b

A new employee has just started work, and it is your job to give her administrator access to the AWS console. You have given her a user name, an access key ID, a secret access key, and you have generated a password for her. She is now able to log in to the AWS console, but she is unable to interact with any AWS services. What should you do next? a. Ensure she is logging in to the AWS console from your corporate network and not the normal internet. b. Grant her Administrator access by adding her to the Administrators' group. c. Tell her to log out and try logging back in again. d. Require multi-factor authentication for her user account.

b.

Which statement best describes IAM? a. IAM stands for Improvised Application Management, and it allows you to deploy and manage applications in the AWS Cloud. b. IAM allows you to manage users, groups, roles, and their corresponding level of access to the AWS Platform. c. IAM allows you to manage users' passwords only. AWS staff must create new users for your organization. This is done by raising a ticket. d. IAM allows you to manage permissions for AWS resources only.

b.

You are a solutions architect working for a large engineering company who are moving from a legacy infrastructure to AWS. You have configured the company's first AWS account and you have set up IAM. Your company is based in Andorra, but there will be a small subsidiary operating out of South Korea, so that office will need its own AWS environment. Which of the following statements is true? a. You will need to configure your policy documents regionally, however your users are global. b. You will need to configure Users and Policy Documents only once, as these are applied globally. c. You will then need to configure Users and Policy Documents for each region respectively. d. You will need to configure your users regionally, however your policy documents are global.

b.

Power User Access allows ________. a. Full Access to all AWS services and resources. b. Access to all AWS services except the management of groups and users within IAM. c. Users to inspect the source code of the AWS platform. d. Read Only access to all AWS services and resources.

b. See arn:aws:iam::aws:policy/PowerUserAccess

In what language are policy documents written? a. Node.js b. Python c. JSON d. Java

c.

Which of the following is not a component of IAM? a. Roles b. Users c. Organizational Units d. Groups

c. Organizational Units are part of AWS Organizations.

You are a security administrator working for a hotel chain. You have a new member of staff who has started as a systems administrator, and she will need full access to the AWS console. You have created the user account and generated the access key id and the secret access key. You have moved this user into the group where the other administrators are, and you have provided the new user with their secret access key and their access key id. However, when she tries to log in to the AWS console, she cannot. Why might that be? a. Your user is trying to log in from the AWS console from outside the corporate network. This is not possible. b. You have not yet activated multi-factor authentication for the user, so by default they will not be able to log in. c. You cannot log in to the AWS console using the Access Key ID / Secret Access Key pair. Instead, you must generate a password for the user, and supply the user with this password and your organization's unique AWS console login URL. d. You have not applied the "log in from console" policy document to the user. You must apply this first so that they can log in.

c. The key id and secret access key are for logging in programmatically.

What is the default level of access a newly created IAM User is granted? a. Administrator access to all AWS services. b. Power user access to all AWS services. c. Read only access to all AWS services. d. No access to any AWS services.

d.

You have a client who is considering a move to AWS. In establishing a new account, what is the first thing the company should do? a. Set up an account using Cloud Search. b. Set up an account via SNS (Simple Notification Service) c. Set up an account via SQS (Simple Queue Service). d. Set up an account using their company email address.

d.

You have created a new AWS account for your company, and you have also configured multi-factor authentication on the root account. You are about to create your new users. What strategy should you consider in order to ensure that there is good security on this account? a. Require users to only be able to log in using biometric authentication. b. Give all users the same password so that if they forget their password they can just ask their co-workers. c. Restrict login to the corporate network only. d. Enact a strong password policy: user passwords must be changed every 45 days, with each password containing a combination of capital letters, lower case letters, numbers, and special symbols.

d.

