Monday, October 3, 2016

AWS CDA Study List - IAM

IAM

Basics

  • System to control
    • identities (who can act: users, groups, roles, federated users)
    • resources (what those identities are allowed to do with them)
  • Uses policies for controlling access
  • Supports identity federation
    • Can be integrated with LDAP/AD (through a SAML 2.0 IdP) and with web identity providers such as Facebook and Amazon accounts
  • AWS CloudTrail can be used to monitor what has been done with IAM identities and the IAM API itself
  • Eventually consistent: a change (new user, edited policy, new key) may take a moment to propagate, so a change is not guaranteed to be visible immediately
  • Supports groups

IAM users and groups

Basics

  • A new user has no permissions at all
  • An IAM user belongs to exactly one AWS account
  • A user can belong to a maximum of 10 groups (default limit)
  • Groups can't be nested and can only contain users. Subgrouping is not possible.
  • There is no default group containing all users: a policy that should affect every user needs a group that is created and populated by hand (IAM has no equivalent of Active Directory's "Authenticated Users")
  • An IAM user cannot be renamed from the AWS console; it has to be done from the AWS CLI or an SDK

IAM roles

Basics

  • A role is granted permissions to resources
  • Principals are then allowed to assume the role
    • AWS services (an EC2 instance, for example, through an instance profile)
    • Users federated through a SAML 2.0 compatible IdP (typically sitting in front of LDAP or AD)
    • Users federated through web identity providers (Facebook, Login with Amazon..)
    • IAM users, also from other AWS accounts (cross-account access). Groups cannot assume roles themselves; the group's users are granted sts:AssumeRole instead.
  • Basic components are two policies
    • Trust policy (defines which principals are allowed to assume the role)
    • Permissions policy (defines what the role can do)
  • AWS STS (AWS Security Token Service) issues the temporary credentials that a role hands out

IAM federation process flows

Key terms
  • AssumeRoleWithSAML (STS API call used in SAML 2.0 federation)
  • AssumeRoleWithWebIdentity (STS API call used in web identity federation)
  • SAML (Security Assertion Markup Language)
  • IdP (Identity Provider)
  • In SAML federation the user always authenticates against the corporate directory (LDAP/AD) first; the IdP then returns the SAML assertion that is exchanged for AWS credentials
  • In web identity federation the user authenticates with Facebook, Amazon, Google etc. first; the returned token is exchanged for AWS credentials
  • SAML sign-in endpoint for the console: https://signin.aws.amazon.com/saml

SAML 2.0-based Federation

SAML 2.0-based Federation -- Access to AWS Management Console



Custom Identity broker Federation



The following topics are exam questions collected from the Internet and should be evaluated as such. The answers are mine and have been checked against answers collected from the Internet, but they might still be wrong.

IAM policy statements

Which of the following are correct statements with policy evaluation logic in AWS Identity and Access Management? Choose 2 answers
A. An explicit deny does not override an explicit allow
B. By default, all requests are allowed
C. An explicit allow overrides default deny.
D. An explicit allow overrides an explicit deny
E. By default, all requests are denied


Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
When a request is made, the AWS service decides whether a given request should be allowed or denied. The evaluation logic follows these rules:
By default, all requests are denied. (In general, requests made using the account credentials for resources in the account are always allowed.)
  • An explicit allow overrides this default.
  • An explicit deny overrides any allows.
  • The order in which the policies are evaluated has no effect on the outcome of the evaluation. 

Policy templates

IAM provides several policy templates you can use to automatically assign permissions to the groups you create. The _____ policy template gives the Admins group permission to access all account resources, except your AWS account information

A. Read Only Access
B. Power User Access
C. AWS Cloud Formation Read Only Access
D. Administrator Access


Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html

"This procedure describes how to create an IAM group named Administrators, grant the group full permissions for all AWS services, and then create an administrative IAM user for yourself by adding the user to the Administrators group."

Administrator Access is therefore full access, including IAM and account information. The Power User Access template (the PowerUserAccess managed policy, essentially an Allow with "NotAction": "iam:*") grants everything except managing the account's own users, groups and credentials, which is what the question describes.

Service name

Which service enables AWS customers to manage users and permissions in AWS?
A. AWS Access Control Service (ACS)
B. AWS Identity and Access Management (IAM)
C. AWS Identity Manager (AIM)

Default permissions 

Every user you create in the IAM system starts with _________.
A. Partial permissions
B. Full permissions
C. No permissions

Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions.html

"Every IAM user starts with no permissions. In other words, by default, users can do nothing, not even view their own access keys. "


Group nesting

Groups can’t _____.
A. be nested more than 3 levels
B. be nested at all
C. be nested more than 4 levels
D. be nested more than 2 levels

Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

"Groups can't be nested; they can contain only users, not other groups."

API access

When assessing an organization AWS use of AWS API access credentials which of the following three credentials should be evaluated? Choose 3 answers
A. Key pairs
B. Console passwords
C. Access keys
D. Signing certificates
E. Security Group memberships

Why?
http://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#key-pairs
"Key pairs consist of a public key and a private key. You use the private key to create a digital signature, and then AWS uses the corresponding public key to validate the signature. Key pairs are used only for Amazon EC2 and Amazon CloudFront." A key pair is used to log in to an EC2 instance and to sign CloudFront URLs; it is still a credential an assessment has to cover.

http://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys
"You use access keys to sign programmatic requests that you make to AWS if you use the AWS SDKs, REST, or Query APIs."

Signing certificates are X.509 certificates attached to an IAM user (managed with aws iam upload-signing-certificate and list-signing-certificates) and used to sign SOAP API requests. They are not the same thing as the server certificates described at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html, which are TLS certificates used by services such as ELB and CloudFront. Console passwords and security group memberships cannot be used to call the API.

Controlling users

An organization has created 50 IAM users. The organization wants that each user can change their password but cannot change their access keys. How can the organization achieve this?
A. The organization has to create a special password policy and attach it to each user
B. The root account owner has to use CLI which forces each IAM user to change their password on first login
C. By default each IAM user can modify their passwords
D. Root account owner can set the policy from the IAM console under the password policy screen

Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
"You can set a password policy on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. You can use a password policy to do these things:"
The password policy screen has an "Allow users to change their own password" option. Access keys are not covered by the password policy, and a user cannot manage their own keys unless an IAM policy explicitly grants actions such as iam:CreateAccessKey.

IAM roles with AWS resources

An AWS customer is deploying an application that is composed of an Auto Scaling group of EC2 instances. The customer's security policy requires that every outbound connection from these instances to any other service within the customer's Virtual Private Cloud must be authenticated using a unique X.509 certificate that contains the specific instance-id. In addition, an X.509 certificate must be signed by the customer's key management service in order to be trusted for authentication. Which of the following configurations will support these requirements?

A. Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure the Auto Scaling group to launch instances with this role. Have the instances bootstrap get the certificate from Amazon S3 upon first boot.
B. Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group Have the launched instances generate a certificate signature request with the instance’s assigned instance-id to the Key management service for signature.
C. Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the Key management service generate a signed certificate and send it directly to the newly launched instance.
D. Configure the launched instances to generate a new certificate upon first boot. Have the key management service poll the Auto Scaling group for associated instances and send new instances a certificate signature that contains the specific instance-id.

Controlling several IAM users

An organization has created 50 IAM users. The organization has introduced a new policy which will change the access of an IAM user. How can the organization implement this effectively so that there is no need to apply the policy at the individual user level?
A. Use the IAM groups and add users as per their role to different groups and apply policy to group
B. The user can create a policy and apply it to multiple users in a single go with the AWS CLI
C. Add each user to the IAM role as per their organization role to achieve effective policy setup
D. Use the IAM role and implement access at the role level

Enforcing password policy

Your organization’s security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password. Which two of the following options would allow an organization to enforce this policy for AWS users? Choose 2 answers
A. Configure multi-factor authentication for privileged IAM users
B. Create IAM users for privileged accounts
C. Implement identity federation between your organization’s identity provider leveraging the IAM Security Token Service
D. Enable the IAM single-use password policy option for privileged users

Securing AWS on IAM

Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
A. Create individual IAM users for everyone in your organization
B. Configure MFA on the root account and for privileged IAM users
C. Assign IAM users and groups configured with policies granting least privilege access
D. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate

Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Topics

  • Create individual IAM users
  • Use groups to assign permissions to IAM users
  • Grant least privilege
  • Enable MFA for privileged users

IAM roles in different region

A company needs to deploy services to an AWS region which they have not previously used. The company currently has an AWS Identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instances to have access to Amazon DynamoDB. The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this?
A. Create a new IAM role and associated policies within the new region
B. Assign the existing IAM role to the Amazon EC2 instances in the new region
C. Copy the IAM role and associated policies to the new region and attach it to the instances
D. Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature

Why?
https://aws.amazon.com/iam/faqs/
Q: Can I define users regionally?
Not initially. Users are global entities, like an AWS account is today. No region is required to be specified when you define user permissions. Users can use AWS services in any geographic region.

IAM user and API calls

After creating a new IAM user which of the following must be done before they can successfully make API calls?
A. Add a password to the user.
B. Enable Multi-Factor Authentication for the user.
C. Assign a Password Policy to the user.
D. Create a set of Access Keys for the user

Wrong question about maximum group numbers

An organization is planning to create a user with IAM. They are trying to understand the limitations of IAM so that they can plan accordingly. Which of the below mentioned statements is not true with respect to the limitations of IAM?
A. One IAM user can be a part of a maximum of 5 groups
B. Organization can create 100 groups per AWS account
C. One AWS account can have a maximum of 5000 IAM users
D. One AWS account can have 250 roles

Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html
The following are the default maximums for IAM entities:
Groups a user can be a member of: 10
So A is the statement that is not true. The other three match the default maximums listed on that page at the time (100 groups, 5000 users and 250 roles per account); these are defaults that can be raised on request, so check the current limits page rather than memorising the numbers.

IAM groups

Within the IAM service a GROUP is regarded as a:
A. A collection of AWS accounts
B. It’s the group of EC2 machines that gain the permissions specified in the GROUP.
C. There’s no GROUP in IAM, but only USERS and RESOURCES.
D. A collection of users.

IAM group limits

Is there a limit to the number of groups you can have?
A. Yes for all users except root
B. No
C. Yes unless special permission granted
D. Yes for all users

Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html
The following are the default maximums for IAM entities:
Groups in an AWS account: 100
The limit applies to the account as a whole, so it is there regardless of which user (root or IAM) creates the groups; it is a default limit that can be raised on request.


IAM user deletion

When you use the AWS Management Console to delete an IAM user, IAM also deletes any signing certificates and any access keys belonging to the user.
A. FALSE
B. This is configurable
C. TRUE

Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html
Deleting an IAM User (AWS Management Console)

When you use the AWS Management Console to delete an IAM user, IAM automatically deletes the following information for you:

The user
Any group memberships—that is, the user is removed from any IAM groups that the user was a member of
Any password associated with the user
Any access keys belonging to the user
All inline policies embedded in the user (policies that are applied to a user via group permissions are not affected)


MFA root account devices

What is the default maximum number of MFA devices in use per AWS account (at the root account level)?
A. 1
B. 5
C. 15
D. 10

Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html
"MFA devices in use by a AWS root account: 1"

Policy evaluation logic

IAM's Policy Evaluation Logic always starts with a default ____________ for every request, except for those that use the AWS account's root security credentials.
A. Permit
B. Deny
C. Cancel

Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
Every request starts as denied; only an explicit allow changes that, and only requests made with the account's root credentials bypass the logic.

Controlling DynamoDB tables access with IAM users

An organization has created 10 IAM users. The organization wants each of the IAM users to have access to a separate DynamoDB table. All the users are added to the same group and the organization wants to set up a group level policy for this. How can the organization achieve this?
A. Define the group policy and add a condition which allows the access based on the IAM name
B. Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable
C. Create a separate DynamoDB database for each user and configure a policy in the group based on the DB variable
D. It is not possible to have a group level policy which allows different IAM users to different DynamoDB Tables

Controlling IAM console access

An organization has set up multiple IAM users. The organization wants each IAM user to access the IAM console only from within the organization and not from outside. How can it achieve this?
A. Create an IAM policy with the security group and use that security group for AWS console login
B. Create an IAM policy with a condition which denies access when the IP address range is not from the organization
C. Configure the EC2 instance security group which allows traffic only from the organization’s IP range
D. Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console
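The three questions above (policy evaluation logic, one DynamoDB table per user through a policy variable, and restricting console access to the organisation's IP range) all come down to the same evaluation rules. The Python model below is an added example written for these notes, not code from the original post or from AWS. It implements only the rules discussed here: default deny, explicit allow, explicit deny, "*" and "?" wildcards, ${aws:username} substitution and the IpAddress / NotIpAddress / StringEquals operators, and it treats a missing condition key as a non-match, which is a simplification of real IAM. The account ID 123456789012 and the 203.0.113.0/24 and 198.51.100.0/24 address ranges are constructed placeholders.

```python
"""Minimal model of IAM policy evaluation (added example, not AWS code).

Precedence modelled: an explicit Deny in any matching statement wins; otherwise
an explicit Allow allows; otherwise the request is denied (default deny).
Policy order has no effect on the result.
"""
import fnmatch
import ipaddress

# Constructed placeholder account and table ARN prefix (not a real account).
ACCOUNT = "123456789012"
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/"

# Group policy from the DynamoDB question: ${aws:username} is replaced at
# evaluation time, so one statement gives every user exactly their own table.
PER_USER_TABLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "dynamodb:*",
        "Resource": TABLE_ARN + "${aws:username}",
    }],
}

# Policy from the console-access question: explicit Deny on everything unless
# the request comes from the organisation's range (TEST-NET-3, constructed).
OFFICE_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand(text, ctx):
    """Substitute policy variables such as ${aws:username} from the request context."""
    for key, value in ctx.items():
        text = text.replace("${" + key + "}", value)
    return text


def _matches(patterns, value, ctx):
    """IAM wildcard match: '*' matches any run of characters, '?' one character."""
    return any(fnmatch.fnmatchcase(value, _expand(p, ctx)) for p in _as_list(patterns))


def _in_ranges(addr, ranges):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r) for r in _as_list(ranges))


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold. A key missing from the request
    context is treated as a non-match (simplification of real IAM)."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                ok = _in_ranges(actual, wanted)
            elif operator == "NotIpAddress":
                ok = not _in_ranges(actual, wanted)
            elif operator == "StringEquals":
                ok = actual in _as_list(wanted)
            else:
                raise ValueError("operator not modelled: " + operator)
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request against all attached policies."""
    allowed = False
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if not _matches(st["Action"], action, ctx):
                continue
            if not _matches(st["Resource"], resource, ctx):
                continue
            if "Condition" in st and not _condition_holds(st["Condition"], ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides any allow
            allowed = True
    return "Allow" if allowed else "Deny"  # explicit allow, else default deny


def demo():
    """Four requests that exercise the three rules; returns name -> decision."""
    office = {"aws:username": "alice", "aws:SourceIp": "203.0.113.10"}
    home = {"aws:username": "alice", "aws:SourceIp": "198.51.100.7"}
    attached = [PER_USER_TABLE, OFFICE_ONLY]
    get = "dynamodb:GetItem"
    return {
        "own_table_from_office": evaluate(attached, get, TABLE_ARN + "alice", office),
        "other_users_table": evaluate(attached, get, TABLE_ARN + "bob", office),
        "own_table_from_home": evaluate(attached, get, TABLE_ARN + "alice", home),
        "reversed_policy_order": evaluate(attached[::-1], get, TABLE_ARN + "alice", home),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {decision}")
```

Running it shows alice allowed on table/alice from the office range, default-denied on table/bob (no statement matches), and explicitly denied on her own table from outside the range; swapping the policy order does not change the last result.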

Using more than one policy

Can I attach more than one policy to a particular entity?
A. Yes always
B. Only if within GovCloud
C. No
D. Only if within VPC

Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html
"For inline policies: You can add as many inline policies as you want to a user, role, or group, but the total aggregate policy size (the sum size of all inline policies) per entity cannot exceed the following limits:"
Managed policies can also be attached alongside inline ones (10 per user, group or role by default at the time of writing), so the answer is "Yes always".

What is a policy

A __________ is a document that provides a formal statement of one or more permissions.
A. policy
B. permission
C. Role
D. resource

What is a permission

A __________ is the concept of allowing (or disallowing) an entity such as a user, group, or role some type of access to one or more resources.
A. user
B. AWS Account
C. resource
D. permission


IAM case-sensitivity

True or False: When using IAM to control access to your RDS resources, the key names that can be used are case sensitive. For example, aws:CurrentTime is NOT equivalent to AWS:currenttime.
A. TRUE
B. FALSE

Why?
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.Conditions.html
"Note: Condition keys are case sensitive." The question's example uses the global key aws:CurrentTime rather than an rds: service key, but global keys are valid in RDS policies too. Note that the IAM user guide's Condition element reference states that condition key names are not case-sensitive and that only the case sensitivity of values depends on the operator, so treat this as an exam-era question rather than current behaviour.


Using IAM roles instead of Access Keys

A company is building software on EC2 that requires access to various AWS services. Which configuration should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised?
A. Enable Multi-Factor Authentication for your AWS root account.
B. Assign an IAM role to the Amazon EC2 instance.
C. Store the AWS Access Key ID/Secret Access Key combination in software comments.
D. Assign an IAM user to the Amazon EC2 Instance.

Using STS

A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations?
A. SAML-based Identity Federation
B. Cross-Account Access
C. AWS IAM users
D. Web Identity Federation


Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

"With web identity federation, you don't need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known identity provider (IdP) —such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP, receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account."

Using corporate AD together with IAM

A company is preparing to give AWS Management Console access to developers. Company policy mandates identity federation and role-based access control. Roles are currently assigned using groups in the corporate Active Directory. What combination of the following will give developers access to the AWS console? Choose 2 answers
A. AWS Directory Service AD Connector
B. AWS Directory Service Simple AD
C. AWS Identity and Access Management groups
D. AWS identity and Access Management roles
E. AWS identity and Access Management users

Why?
http://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html
"AD Connector is a proxy service for connecting your on-premises Microsoft Active Directory to the AWS cloud without requiring complex directory synchronization or the cost and complexity of hosting a federation infrastructure."

Using cross-account access to group consolidated billing

A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources that they consume and keep those resources separate from the resources of other divisions. Which of the following options, when used together, will support the autonomy/control of divisions while enabling corporate IT to maintain governance and cost oversight? Choose 2 answers
A. Use AWS Consolidated Billing and disable AWS root account access for the child accounts.
B. Enable IAM cross-account access for all corporate IT administrators in each child account.
C. Create separate VPCs for each division within the corporate IT AWS account.
D. Use AWS Consolidated Billing to link the divisions’ accounts to a parent corporate account.
E. Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account’s Amazon S3 ‘Log’ bucket.

Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
"In this tutorial, you will learn how to use a role to delegate access to resources that are in different AWS accounts that you own (Production and Development). You'll share resources in one account with users in a different account. By setting up cross-account access in this way, you don't need to create individual IAM users in each account, and users don't have to sign out of one account and sign into another in order to access resources that are in different AWS accounts. "

http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html
"You can use the Consolidated Billing feature to consolidate payment for multiple Amazon Web Services (AWS) accounts or multiple Amazon International Services Pvt. Ltd (AISPL) accounts within your organization by designating one of them to be the payer account. With Consolidated Billing, you can see a combined view of AWS charges incurred by all accounts, as well as get a cost report for each individual account associated with your payer account."

IAM roles and EC2 instance default roles

Which of the following items are required to allow an application deployed on an EC2 instance to write data to a DynamoDB table? Assume that no security keys are allowed to be stored on the EC2 instance. (Choose 2 answers)
A. Create an IAM Role that allows write access to the DynamoDB table
B. Add an IAM Role to a running EC2 instance.
C. Create an IAM User that allows write access to the DynamoDB table.
D. Add an IAM User to a running EC2 instance.
E. Launch an EC2 Instance with the IAM Role included in the launch configuration


Why?
A. Correct: the role is what carries the DynamoDB write permission.
B. Not possible at the time of writing: a role could only be attached when the instance was launched. AWS has since added attaching and replacing a role on a running instance, but the exam answer assumes the original behaviour.
C. Possible to create, but an IAM user cannot be attached to an EC2 instance; its keys would have to be stored on the instance, which the question forbids.
D. Not possible to attach an IAM user to an EC2 instance.
E. Correct. The role (through its instance profile) is included in the launch configuration.

LDAP and IAM, what technique is used?

Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service?
A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP
C. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
E. Use the LDAP credentials to restrict a group of users from launching specific EC2 instance types.

Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
"To request temporary security credentials, you can use the AWS STS API actions."
IAM never talks to LDAP directly. Either the directory is fronted by a SAML 2.0 IdP and users get credentials through AssumeRoleWithSAML, or a custom identity broker authenticates the user against LDAP itself and then calls STS (AssumeRole or GetFederationToken) for short-lived AWS credentials.

Using Cross-account access to control multiple environments

You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each account's bill to a Master AWS account using Consolidated Billing. To make sure you keep within budget you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal.
A. Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
B. Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
C. Create IAM users in the Master account. Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access.
D. Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts.

Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html
Granting access to resources in one account to a trusted principal in a different account is often referred to as cross-account access. Roles are the primary way to grant cross-account access.

A. Permissions are never inherited across accounts; the permissions a Master user gets in Dev or Test come from the role's own permissions policy, not from the user's Admin rights in Master.
B. Vague and backwards: the roles must live in the accounts that own the resources (Dev and Test), not in Master, and there must be one per account.
C. Correct. Because we want the Master account to act on resources in Dev and Test, the roles in Dev and Test carry the admin permissions, and their trust policies allow the Master account to assume them.
D. Not possible. Consolidated Billing only links the bills; it grants no access to resources, so cross-account roles are still needed.


Using IAM roles with EC2 -instances

You have an application running on an EC2 instance which will allow users to download files from a private S3 bucket using a pre-signed URL. Before generating the URL the application should verify the existence of the file in S3. How should the application use AWS credentials to access the S3 bucket securely?

A. Use the AWS account access Keys the application retrieves the credentials from the source code of the application.
B. Create a IAM user for the application with permissions that allow list access to the S3 bucket. Launch the instance as the IAM user and retrieve the IAM user’s credentials from the EC2 instance user data.
C. Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role’s credentials from the EC2 Instance metadata
D. Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.

Why?
A. Never use the account's root access keys, and never put any key in source code.
B. Launching an instance as an IAM user is not possible, and user data is readable from the instance metadata by anything running on the instance.
C. Correct. The role's credentials are short-lived, rotated automatically and fetched from the instance metadata by the SDK, so no long-term access key is stored on the EC2 instance.
D. Uses long-lived IAM user keys stored on disk. It works, but the keys can leak and have to be rotated by hand; roles are the better fit.

Using IAM for millions of users on mobile

You are designing a photo sharing mobile app the application will store all pictures in a single Amazon S3 bucket. Users will upload pictures from their mobile device directly to Amazon S3 and will be able to view and download their own pictures directly from Amazon S3. You want to configure security to handle potentially millions of users in the most secure manner possible. What should your server-side application do when a new user registers on the photo-sharing mobile application?

A. Create a set of long-term credentials using AWS Security Token Service with appropriate permissions. Store these credentials in the mobile app and use them to access Amazon S3.
B. Record the user’s information in Amazon RDS and create a role in IAM with appropriate permissions. When the user uses their mobile app, create temporary credentials using the AWS Security Token Service ‘AssumeRole’ function. Store these credentials in the mobile app’s memory and use them to access Amazon S3. Generate new credentials the next time the user runs the mobile app.
C. Record the user’s information In Amazon DynamoDB. When the user uses their mobile app create temporary credentials using AWS Security Token Service with appropriate permissions. Store these credentials in the mobile app’s memory and use them to access Amazon S3. Generate new credentials the next time the user runs the mobile app.
D. Create an IAM user. Assign appropriate permissions to the IAM user. Generate an access key and secret key for the IAM user, store them in the mobile app and use these credentials to access Amazon S3.
E. Create an IAM user. Update the bucket policy with appropriate permissions for the IAM user. Generate an access key and secret key for the IAM user, store them in the mobile app and use these credentials to access Amazon S3.

Why?
Key terms here are Security Token Service (STS) and short-lived / temporary credentials; A is self-contradictory because STS only issues temporary credentials, and D and E ship long-lived keys inside the app. The second point in favour of B is that it names the 'AssumeRole' function. Whether NoSQL or SQL is better for storing the user records is beyond my thinking; DynamoDB would cost more because of the provisioned read and write throughput, and keeping users in SQL would be easier, at least for me.

Using IAM for together with IDP

Your company has recently extended its datacenter into a VPC on AWS to add burst computing capacity as needed. Members of your Network Operations Center need to be able to go to the AWS Management Console and administer Amazon EC2 instances as necessary. You don't want to create new IAM users for each NOC member and make those users sign in again to the AWS Management Console. Which option below will meet the needs of your NOC members?

A. Use OAuth 2.0 to retrieve temporary AWS security credentials to enable your NOC members to sign in to the AWS Management Console.
B. Use web identity federation to retrieve AWS temporary security credentials to enable your NOC members to sign in to the AWS Management Console.
C. Use your on-premises SAML 2.0-compliant identity provider (IdP) to grant the NOC members federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint.
D. Use your on-premises SAML 2.0-compliant identity provider (IdP) to retrieve temporary security credentials to enable NOC members to sign in to the AWS Management Console.

Why?
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
"This specific use of SAML differs from the more general one illustrated at About SAML 2.0-based Federation because this workflow opens the AWS Management Console on behalf of the user. This requires the use of the AWS SSO endpoint instead of directly calling the AssumeRoleWithSAML API. "
C. This is the only option that combines the corporate SAML IdP with the SSO endpoint (https://signin.aws.amazon.com/saml), which is what opens the console without a separate AWS sign-in.

Using IAM together with CloudFormation

An administrator is using AWS CloudFormation to deploy a three-tier web application that consists of a web tier and an application tier that will utilize Amazon DynamoDB for storage. When creating the CloudFormation template, which of the following would allow the application instances access to the DynamoDB tables without exposing API credentials?

A. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and associate the Role to the application instances by referencing an instance profile.
B. Use the Parameters section in the CloudFormation template to have the user input Access and Secret Keys from an already created IAM user that has the permissions required to read and write from the required DynamoDB table.
C. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and reference the Role in the instance profile property of the application instance.
D. Create an Identity and Access Management user in the CloudFormation template that has permissions to read and write from the required DynamoDB table, use the GetAtt function to retrieve the Access and Secret keys and pass them to the application instance through user-data.

Using IAM roles to restrict third-party accesses

An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise’s account. The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?
A. From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
B. Create an IAM user within the enterprise account, assign a user policy to the IAM user that allows only the actions required by the SaaS application, create a new access and secret key for the user, and provide these credentials to the SaaS provider.
C. Create an IAM role for cross-account access that allows the SaaS provider’s account to assume the role and assign it a policy that allows only the actions required by the SaaS application.
D. Create an IAM role for EC2 instances, assign it a policy that allows only the actions required for the SaaS application to work, and provide the role ARN to the SaaS provider to use when launching their application instances.
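The cross-account role in the scenario above rests on two documents: a trust policy that names the vendor's account as the only principal allowed to assume the role, and a permissions policy limited to the EC2 discovery calls the vendor actually needs. The following is an added example (not code from the page or from AWS) that builds both documents and evaluates them with a toy checker. The account ids, role name and ExternalId string are constructed placeholders; the `sts:ExternalId` condition is the standard control AWS offers so that a vendor credential cannot be reused on behalf of some other customer of that vendor, which is the "cannot be used by any other third party" requirement in the question.

```python
"""Cross-account IAM role for a third-party SaaS vendor (added example).

Constructed placeholders: the two account ids, the ExternalId string and
the role name. A real deployment would create the role with these two
documents (e.g. via the IAM console, CLI or CloudFormation) and hand the
role ARN plus the ExternalId to the vendor.
"""
import fnmatch
import json
from typing import Optional

ENTERPRISE_ACCOUNT = "111111111111"                 # constructed placeholder
VENDOR_ACCOUNT = "222222222222"                     # constructed placeholder
EXTERNAL_ID = "saas-vendor-external-id-PLACEHOLDER"  # constructed; agreed with the vendor


def trust_policy(vendor_account: str, external_id: str) -> dict:
    """Trust policy: only the vendor's account may call sts:AssumeRole on this
    role, and only when it presents the agreed ExternalId. The condition is
    what stops another customer of the same vendor from reusing the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy() -> dict:
    """Least privilege: read-only discovery of EC2 resources, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*",
        }],
    }


def can_assume(policy: dict, caller_account: str, external_id: Optional[str]) -> bool:
    """Toy evaluation of the trust policy: does any Allow statement match the
    calling account and (if required) the presented ExternalId?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" in cond and cond["sts:ExternalId"] != external_id:
            continue
        return True
    return False


def action_allowed(policy: dict, action: str) -> bool:
    """Toy evaluation of the permissions policy: does any Allow statement's
    Action pattern (IAM wildcards map onto fnmatch here) match the action?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            return True
    return False


if __name__ == "__main__":
    trust = trust_policy(VENDOR_ACCOUNT, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print(json.dumps(permissions_policy(), indent=2))
    # Vendor with the right ExternalId: allowed; anyone else: refused.
    print(can_assume(trust, VENDOR_ACCOUNT, EXTERNAL_ID))        # True
    print(can_assume(trust, VENDOR_ACCOUNT, "some-other-id"))    # False
    print(can_assume(trust, "333333333333", EXTERNAL_ID))        # False
    # Discovery is allowed, anything destructive is not.
    print(action_allowed(permissions_policy(), "ec2:DescribeInstances"))   # True
    print(action_allowed(permissions_policy(), "ec2:TerminateInstances"))  # False
```

The checker only models the two statement types used here (no explicit Deny, no other condition operators), which is enough to see why the answer pairs a trust policy scoped to one account with a permissions policy scoped to `ec2:Describe*`.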

Using IAM together with roles and web identity federation

Company B is launching a new game app for mobile devices. Users will log into the game using their existing social media account to streamline data capture. Company B would like to directly save player data and scoring information from the mobile app to a DynamoDB table named ScoreData. When a user saves their game, the progress data will be stored to the GameState S3 bucket. What is the best approach for storing data to DynamoDB and S3?
A. Use an EC2 Instance that is launched with an EC2 role providing access to the ScoreData DynamoDB table and the GameState S3 bucket that communicates with the mobile app via web services.
B. Use temporary security credentials that assume a role providing access to the ScoreData DynamoDB table and the GameState S3 bucket using Web Identity Federation.
C. Use Login with Amazon allowing users to sign in with an Amazon account providing the mobile app with access to the ScoreData DynamoDB table and the GameState S3 bucket.
D. Use an IAM user with access credentials assigned a role providing access to the ScoreData DynamoDB table and the GameState S3 bucket for distribution with the mobile app.

IAM roles on multiple resources

A user has created an application which will be hosted on EC2. The application makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK to connect from the EC2 instance. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?
A. The user should attach an IAM role with DynamoDB access to the EC2 instance
B. The user should create an IAM user with DynamoDB access and use its credentials within the application to connect with DynamoDB
C. The user should create an IAM role, which has EC2 access so that it will allow deploying the application
D. The user should create an IAM user with DynamoDB and EC2 access. Attach the user with the application so that it does not use the root account credentials

IAM role best practices

A user has created a mobile application which makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK and root account access/secret access key to connect to DynamoDB from mobile. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?
A. User should create a separate IAM user for each mobile application and provide DynamoDB access with it
B. User should create an IAM role with DynamoDB and EC2 access. Attach the role with EC2 and route all calls from the mobile through EC2
C. The application should use an IAM role with Web Identity Federation which validates calls to DynamoDB with identity providers, such as Google, Amazon, and Facebook
D. Create an IAM Role with DynamoDB access and attach it with the mobile application

Using IAM roles together with corporate authentication services

You are managing the AWS account of a big organization. The organization has more than 1,000 employees and wants to provide access to the various services to most of the employees. Which of the below mentioned options is the best possible solution in this case?
A. The user should create a separate IAM user for each employee and provide access to them as per the policy
B. The user should create an IAM role and attach STS with the role. The user should attach that role to the EC2 instance and set up AWS authentication on that server
C. The user should create IAM groups as per the organization’s departments and add each user to the group for better access control
D. Attach an IAM role with the organization’s authentication service to authorize each user for various AWS services


Using IAM on new setup

Your Fortune 500 company has undertaken a TCO analysis evaluating the use of Amazon S3 versus acquiring more hardware. The outcome was that all employees would be granted access to use Amazon S3 for storage of their personal documents. Which of the following will you need to consider so you can set up a solution that incorporates single sign-on from your corporate AD or LDAP directory and restricts access for each user to a designated user folder in a bucket? (Choose 3 answers)
A. Setting up a federation proxy or identity provider
B. Using AWS Security Token Service to generate temporary tokens
C. Tagging each folder in the bucket
D. Configuring IAM role
E. Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in the bucket



After creating a new IAM user, which of the following must be done before they can successfully make API calls?

A. Add a password to the user.
B. Enable Multi-Factor Authentication for the user.
C. Assign a Password Policy to the user.
D. Create a set of Access Keys for the user.



A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions. Which of the following options, when used together, will support the autonomy/control of divisions while enabling corporate IT to maintain governance and cost oversight? (Choose 2 answers)

A. Use AWS Consolidated Billing and disable AWS root account access for the child accounts.
B. Enable IAM cross-account access for all corporate IT administrators in each child account.
C. Create separate VPCs for each division within the corporate IT AWS account.
D. Use AWS Consolidated Billing to link the divisions’ accounts to a parent corporate account.
E. Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account’s Amazon S3 ‘Log’ bucket.


A company is preparing to give AWS Management Console access to developers. Company policy mandates identity federation and role-based access control. Roles are currently assigned using groups in the corporate Active Directory. What combination of the following will give developers access to the AWS console? (Choose 2 answers)

A. AWS Directory Service AD Connector
B. AWS Directory Service Simple AD
C. AWS Identity and Access Management groups
D. AWS Identity and Access Management roles
E. AWS Identity and Access Management users

Why? The same scenario has appeared in CDA questions: the company already has AD, with its groups and users.


A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations?

A. SAML-based Identity Federation
B. Cross-Account Access
C. AWS Identity and Access Management roles
D. Web Identity Federation

Why? You can use Web Identity Federation together with an OpenID Connect-compatible identity provider.


A company is building software on EC2 that requires access to various AWS services. Which configuration should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised?

A. Enable Multi-Factor Authentication for your AWS root account.
B. Assign an IAM role to the Amazon EC2 instance.
C. Store the AWS Access Key ID/Secret Access Key combination in software comments.
D. Assign an IAM user to the Amazon EC2 Instance.

Why? Rule out C and D, which rely on either an IAM user or hard-coded keys stored in comments.


Company B is launching a new game app for mobile devices. Users will log into the game using their existing social media account to streamline data capture. Company B would like to directly save player data and scoring information from the mobile app to a DynamoDB table named ScoreData. When a user saves their game, the progress data will be stored to the GameState S3 bucket. What is the best approach for storing data to DynamoDB and S3?

A. Use an EC2 Instance that is launched with an EC2 role providing access to the ScoreData DynamoDB table and the GameState S3 bucket that communicates with the mobile app via web services.
B. Use temporary security credentials that assume a role providing access to the ScoreData DynamoDB table and the GameState S3 bucket using Web Identity Federation.
C. Use Login with Amazon allowing users to sign in with an Amazon account providing the mobile app with access to the ScoreData DynamoDB table and the GameState S3 bucket.
D. Use an IAM user with access credentials assigned a role providing access to the ScoreData DynamoDB table and the GameState S3 bucket for distribution with the mobile app.

Why? Option B uses Web Identity Federation, which is the best-suited option for this scenario.


A corporate web application is deployed within an Amazon Virtual Private Cloud (VPC) and is connected to the corporate data center via an IPsec VPN. The application must authenticate against the on-premises LDAP server. After authentication, each logged-in user can only access an Amazon Simple Storage Service (S3) keyspace specific to that user. Which two approaches can satisfy these objectives? (Choose 2 answers)

A. Develop an identity broker that authenticates against IAM Security Token Service to assume an IAM role in order to get temporary AWS security credentials. The application calls the identity broker to get AWS temporary security credentials with access to the appropriate S3 bucket.
B. The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM role. The application can use the temporary credentials to access the appropriate S3 bucket.
C. Develop an identity broker that authenticates against LDAP and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket.
D. The application authenticates against LDAP; the application then calls the AWS Identity and Access Management (IAM) Security service to log in to IAM using the LDAP credentials. The application can use the IAM temporary credentials to access the appropriate S3 bucket.
E. The application authenticates against IAM Security Token Service using the LDAP credentials. The application uses those temporary AWS security credentials to access the appropriate S3 bucket.

Why? The order is always LDAP -> STS before anything related to IAM. You can rule out A and E straight away. B is ruled out because it obtains the IAM role before using STS.


Your company has recently extended its datacenter into a VPC on AWS to add burst computing capacity as needed. Members of your Network Operations Center need to be able to go to the AWS Management Console and administer Amazon EC2 instances as necessary. You don’t want to create new IAM users for each NOC member and make those users sign in again to the AWS Management Console. Which option below will meet the needs for your NOC members?

A. Use OAuth 2.0 to retrieve temporary AWS security credentials to enable your NOC members to sign in to the AWS Management Console.
B. Use Web Identity Federation to retrieve AWS temporary security credentials to enable your NOC members to sign in to the AWS Management Console.
C. Use your on-premises SAML 2.0-compliant identity provider (IdP) to grant the NOC members federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint.
D. Use your on-premises SAML 2.0-compliant identity provider (IdP) to retrieve temporary security credentials to enable NOC members to sign in to the AWS Management Console.

Why? http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
"This specific use of SAML differs from the more general one illustrated at About SAML 2.0-based Federation because this workflow opens the AWS Management Console on behalf of the user. This requires the use of the AWS SSO endpoint instead of directly calling the AssumeRoleWithSAML API."
C. This is the only option that mentions the corporate SAML IdP together with the SSO endpoint.


Your Fortune 500 company has undertaken a TCO analysis evaluating the use of Amazon S3 versus acquiring more hardware. The outcome was that all employees would be granted access to use Amazon S3 for storage of their personal documents. Which of the following will you need to consider so you can set up a solution that incorporates single sign-on from your corporate AD or LDAP directory and restricts access for each user to a designated user folder in a bucket? (Choose 3 answers)

A. Setting up a federation proxy or identity provider
B. Using AWS Security Token Service to generate temporary tokens
C. Tagging each folder in the bucket
D. Configuring IAM role
E. Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in the bucket

Why? You can rule out C and E, which leaves the correct answers.
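The "designated user folder" part of the question above (and the per-user S3 keyspace in the LDAP question before it) is normally solved with an IAM policy variable in the role's permissions policy, so that one role serves every user while each session can only reach its own prefix. The following is an added example, not code from the page or from AWS: it builds such a policy and evaluates it with a small toy checker, so you can see an IAM user reach her own folder and fail on a colleague's. The bucket name and usernames are constructed. The variable key is a parameter because it depends on the credential type: `${aws:username}` is populated for IAM users, while a SAML-federated session carries `${saml:sub}` instead, which is why the last check below shows a policy written for the wrong key matching nothing.

```python
"""Per-user S3 folder restriction with IAM policy variables (added example).

Constructed placeholders: the bucket name and the usernames. The evaluator
is a deliberately small model of IAM: Allow statements only, IAM wildcards
mapped onto fnmatch, and the single condition operator the policy uses.
"""
import fnmatch
from typing import Dict, List, Optional

BUCKET = "example-corp-user-docs"  # constructed placeholder


def per_user_folder_policy(bucket: str, user_key: str = "aws:username") -> dict:
    """Permissions policy granting each caller access to home/<caller>/ only.
    user_key names the policy variable that identifies the caller."""
    var = "${" + user_key + "}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Listing the bucket is allowed, but only under the caller's own prefix.
                "Sid": "ListOwnFolder",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"home/{var}/*"]}},
            },
            {   # Object operations are allowed only inside the caller's own prefix.
                "Sid": "ReadWriteOwnObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/home/{var}/*",
            },
        ],
    }


def _resolve(template: str, context: Dict[str, str]) -> str:
    """Substitute ${key} policy variables from the request context. A variable
    absent from the context stays literal and therefore matches nothing, which
    mirrors IAM's behaviour for an unresolvable variable."""
    out = template
    for key, value in context.items():
        out = out.replace("${" + key + "}", value)
    return out


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str,
               context: Dict[str, str], request_prefix: Optional[str] = None) -> bool:
    """Toy IAM evaluation: implicit deny unless some Allow statement matches the
    action, the (variable-resolved) resource and its s3:prefix condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        resources = [_resolve(r, context) for r in _as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        prefix_patterns = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if prefix_patterns is not None:
            patterns = [_resolve(p, context) for p in prefix_patterns]
            if request_prefix is None or not any(
                    fnmatch.fnmatchcase(request_prefix, p) for p in patterns):
                continue
        return True
    return False


if __name__ == "__main__":
    policy = per_user_folder_policy(BUCKET)
    alice = {"aws:username": "alice"}          # request context of IAM user alice
    own = f"arn:aws:s3:::{BUCKET}/home/alice/report.pdf"
    other = f"arn:aws:s3:::{BUCKET}/home/bob/report.pdf"
    print(is_allowed(policy, "s3:GetObject", own, alice))                          # True
    print(is_allowed(policy, "s3:GetObject", other, alice))                        # False
    print(is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}", alice,
                     request_prefix="home/alice/"))                                # True
    print(is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}", alice))    # False (no prefix)
    # A policy written for SAML sessions does nothing for a plain IAM user, and vice versa.
    saml_policy = per_user_folder_policy(BUCKET, user_key="saml:sub")
    print(is_allowed(saml_policy, "s3:GetObject", own, alice))                     # False
    print(is_allowed(saml_policy, "s3:GetObject", own, {"saml:sub": "alice"}))     # True
```

The ListBucket statement matters in practice: without the `s3:prefix` condition a user could enumerate every colleague's folder names even though object reads on them are denied.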


Can you create IAM security credentials for existing users?

A. Yes, existing users can have security credentials associated with their account.
B. No, IAM requires that all users who have credentials set up are not existing users.
C. No, security credentials are created within GROUPS, and then users are associated to GROUPS at a later time.
D. Yes, but only IAM credentials, not ordinary security credentials.

Why? https://aws.amazon.com/iam/faqs/ "Q: What kinds of security credentials can IAM users have?: IAM users can have any combination of credentials that AWS supports, such as an AWS access key, X.509 certificate, SSH key, password for web app logins, or an MFA device. This allows users to interact with AWS in any manner that makes sense for them. An employee might have both an AWS access key and a password; a software system might have only an AWS access key to make programmatic calls; IAM users might have a private SSH key to access AWS CodeCommit repositories; and an outside contractor might have only an X.509 certificate to use the EC2 command-line interface. For details, see Temporary Security Credentials in the IAM documentation."


Which of the following cannot be used in Amazon EC2 to control who has access to specific Amazon EC2 instances?

A. Security Groups
B. IAM System
C. SSH keys
D. Windows passwords

Why? By ruling out C and D, A and B are left. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UsingIAM.html states the following: "You can use IAM to control how other users use resources in your AWS account, and you can use security groups to control access to your Amazon EC2 instances."


A ____________ is an individual, system, or application that interacts with AWS programmatically.

A. user
B. AWS Account
C. Group
D. Role

Why? https://aws.amazon.com/iam/faqs/ "Q: Can I enable and disable user access?: Yes. You can enable and disable an IAM user's access keys via the IAM APIs, AWS CLI, or IAM console. If you disable the access keys, the user cannot programmatically access AWS services."


Is there a method in the IAM system to allow or deny access to a specific instance?

A. Only for VPC based instances
B. Yes
C. No

Why? http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UseCases.html
"Amazon EC2 uses SSH keys, Windows passwords, and security groups to control who has access to the operating system of specific Amazon EC2 instances. There's no method in the IAM system to allow or deny access to the operating system of a specific instance."


Through which of the following interfaces is AWS Identity and Access Management available?
A) AWS Management Console
B) Command line interface (CLI)
C) IAM Query API
D) Existing libraries

A. Only through Command line interface (CLI)
B. A, B and C
C. A and C
D. All of the above

Why? http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html#intro-accessing


Is there a limit to how many groups a user can be in?

A. Yes for all users
B. Yes for all users except root
C. No
D. Yes unless special permission granted

Why? http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html


Can a ‘user’ be associated with multiple AWS accounts?

A. No
B. Yes

Why? http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html "Each IAM user is associated with one and only one AWS account."


Groups can’t _____.

A. be nested more than 3 levels
B. be nested at all
C. be nested more than 4 levels
D. be nested more than 2 levels

Why? http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html "Groups can't be nested; they can contain only users, not other groups."


Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service?

A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
C. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
E. Use the LDAP credentials to restrict a group of users from launching specific EC2 instance types.

Why? SAML is "the" standard, but the actual technique behind the integration is using STS (Security Token Service) to issue those short-lived AWS credentials (min. 15 min, max. 60 min).
