Module 8 Knowledge Check
1. Which statement describes AWS Identity and Access Management (IAM) users?
Every IAM user for an account must have a unique name
Explanation: IAM usernames only need to be unique within an account, not across all of AWS; the account ID distinguishes users with the same name in different accounts.
2. How can you grant the same level of permissions to multiple users within an account?
Apply an AWS IAM policy to an IAM group
Explanation: By defining the permissions in an IAM policy and putting the users in a group, you can set the same level of permissions to all users in that group.
3. Which statements describe AWS IAM roles?
- They can be assumed by individuals, apps, and services
- They can provide temporary security credentials
Explanation: IAM roles have no long-term credentials of their own; they provide temporary credentials only after the individual, app, or service has assumed the role.
4. Which statement describes a resource-based policy?
It is always an inline policy
Explanation: Inline policies are embedded directly into a single user, group, role, or resource. A resource-based policy (an S3 bucket policy, for example) is attached directly to the resource it protects, so it is always inline; there are no managed resource-based policies. Because it is attached to the resource rather than to an identity, it must name the Principal that is being granted or denied access.
5. How does AWS IAM evaluate a policy?
It checks for explicit deny statements before it checks for explicit allow statements
Explanation: Every request starts from an implicit deny. If any applicable policy contains an explicit Deny that matches the request, the request is denied regardless of any Allow; only when no Deny matches does a matching Allow grant access.
6. A team of developers needs access to several services and resources in a VPC for 9 months. How can you use AWS IAM to enable access for them?
Create an IAM user for each developer, put them all in an IAM group, and attach the required IAM policies to the IAM group.
Explanation: Attaching policies to groups applies the same access rules to all members of the group. It also automatically applies the access rules to new users that are added to the group and removes those access rules from users that are removed from the group.
7. How does identity federation increase security for an application that is built in AWS?
Users can use single sign-on (SSO) to access the application through an existing authenticated identity.
Explanation: Authenticating users through a trusted identity broker and store eliminates the need to create, manage, and secure user accounts for the application within the application itself or in AWS.
8. Which services can you use to enable identity federation for your applications that are built in AWS?
AWS Security Token Service (STS) and Amazon Cognito
Explanation: AWS STS enables you to request temporary, limited-privilege credentials for users. Amazon Cognito enables you to add user sign-up, sign-in, and access control to your web and mobile applications. It supports identity federation with social identity providers as well as SAML 2.0 and OpenID Connect identity providers.
9. What service helps you centrally manage billing, control access, compliance and security, and share resources across multiple AWS accounts?
AWS Organizations
Explanation: Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies to these groups for governance. You can also simplify billing by setting up a single payment method for all of your AWS accounts.
10. A technology company's employees log in to their AWS account through AWS IAM users. They have administrator access and access to the root user. Which resource can prevent them from deleting AWS CloudTrail logs?
A service control policy (SCP) that is attached to the organizational unit (OU)
Explanation: In AWS Organizations, applying an SCP to the OU can prevent employees from deleting the logs. The SCP cannot be overridden by any user (including the root user) of the member accounts in the OU, because SCPs set the maximum permissions available in those accounts regardless of what the accounts' own IAM policies allow. Note that SCPs do not apply to the organization's management account, so access to that account must be restricted separately.
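The two evaluation rules this check relies on, an explicit deny beating any allow (question 5) and an SCP acting as a guardrail that an account's administrators and root user cannot bypass (question 10), as an added Python model. This is illustration code written for this page, not AWS's evaluator or any AWS SDK call: the policy documents, ARNs and the `evaluate`/`authorize` function names are constructed for the example, and conditions, NotAction, permissions boundaries and resource-based policies are deliberately left out.

```python
"""Added model of IAM policy evaluation (illustration, not AWS code).

Order modelled, following the documented evaluation logic:
  1. an applicable SCP must allow the action (SCPs only ever restrict);
  2. inside the account, an explicit Deny in any policy wins over every Allow;
  3. if nothing allows the action, the result is the implicit default deny.
Conditions, NotAction/NotResource, permissions boundaries and resource-based
policies are left out to keep the model short.
"""
import fnmatch


def _as_list(value):
    """IAM lets a single string stand in for a one-element list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are matched case-insensitively; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are case-sensitive (S3 object keys, for instance), so no lowercasing.
    return fnmatch.fnmatchcase(resource, pattern)


def _applies(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return any(_action_matches(a, action) for a in actions) and any(
        _resource_matches(r, resource) for r in resources
    )


def evaluate(policies, action, resource):
    """Return "Allow" or "Deny" for one action on one resource under `policies`."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny is final; no Allow can override it
            allowed = True  # remember the Allow but keep scanning for a Deny
    return "Allow" if allowed else "Deny"  # implicit deny when no Allow matched


def authorize(identity_policies, action, resource, scps=()):
    """SCPs are a guardrail: the action must pass them before the account's own
    identity policies are consulted. The management account is not subject to
    SCPs; pass scps=() to model a request from it."""
    if scps and evaluate(scps, action, resource) == "Deny":
        return "Deny"
    return evaluate(identity_policies, action, resource)


# Constructed sample policies and ARNs (hypothetical bucket, account and trail).
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

DEVELOPER_GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::team-bucket/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::team-bucket/*"}]}

# Organizations attaches an allow-all SCP by default; the second SCP is the
# guardrail from question 10, denying the CloudTrail actions that would
# delete or silence the trail.
FULL_AWS_ACCESS_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PROTECT_CLOUDTRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Resource": "*", "Action": [
        "cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"]}]}

TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/audit-trail"
OBJECT_ARN = "arn:aws:s3:::team-bucket/report.csv"

if __name__ == "__main__":
    scps = [FULL_AWS_ACCESS_SCP, PROTECT_CLOUDTRAIL_SCP]
    print("dev  s3:GetObject    ", evaluate([DEVELOPER_GROUP_POLICY], "s3:GetObject", OBJECT_ARN))
    print("dev  s3:PutObject    ", evaluate([DEVELOPER_GROUP_POLICY], "s3:PutObject", OBJECT_ARN))
    print("dev+admin DeleteObject", evaluate([DEVELOPER_GROUP_POLICY, ADMIN_POLICY], "s3:DeleteObject", OBJECT_ARN))
    print("admin DeleteTrail+SCP ", authorize([ADMIN_POLICY], "cloudtrail:DeleteTrail", TRAIL_ARN, scps))
    print("admin LookupEvents+SCP", authorize([ADMIN_POLICY], "cloudtrail:LookupEvents", TRAIL_ARN, scps))
```

The third call shows why the check's answer to question 5 matters in practice: attaching an administrator policy next to the group policy does not lift the group's explicit Deny on `s3:DeleteObject`. The fourth shows the SCP from question 10 blocking `cloudtrail:DeleteTrail` even for a principal whose identity policy allows everything, while unrelated CloudTrail reads still pass.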
Closing words: