AWS Cloud Practitioner Essentials T2.3

Questions and Answers

Which feature differentiates AWS IAM Identity Center from AWS IAM?

• Used for managing access in a single account
• Allows for federated users via identity providers (correct)
• Integrates with AWS services only
• Provides fine-grained access control

In what scenario should one choose to use AWS IAM rather than AWS IAM Identity Center?

• For centralizing user access across multiple accounts
• To integrate with Microsoft Active Directory
• To simplify login processes for contractors
• When managing access within a single AWS account (correct)

What is the primary purpose of AWS Secrets Manager?

• Allow external identities access to AWS resources
• Manage user permissions across AWS accounts
• Enforce password policies on user accounts
• Store and rotate sensitive data like API keys (correct)

Which statement regarding Multi-Factor Authentication (MFA) is correct?

MFA adds a layer of protection to any user account (A)

What type of IAM user allows access using credentials from an external system?

Federated Identity (B)

What is NOT a task that can be performed by the root user?

Monitoring IAM user activity (B)

Which method is essential for protecting the root user account?

Enable MFA for the root account (D)

What is a key feature of AWS Identity and Access Management (IAM)?

It allows the creation of temporary access by granting roles. (C)

What is the Principle of Least Privilege?

Granting only necessary permissions for tasks (C)

When should an organization consider using IAM Identity Center?

For accommodating multiple AWS accounts in a single structure (D)

Which of the following actions is NOT a recommended practice for protecting the AWS root user account?

Use the root user for daily administrative tasks. (D)

Which storage solution is specifically designed to store configuration data and secrets?

AWS Systems Manager Parameter Store (B)

In the context of IAM, what does the principle of least privilege aim to achieve?

Limiting the permissions for users to only what is necessary. (A)

Which statement accurately describes the function of the AWS IAM Identity Center?

It allows centralized access control for multiple accounts with a single login. (D)

What could potentially happen if unauthorized access to the AWS root user account is achieved?

Resources might be deleted or modified at will. (D)

Which of the following best describes IAM policies?

Defines the rules for what actions are allowed or denied for users. (D)

What does federated identity support in AWS IAM Identity Center allow for?

Integration with external identity providers such as Microsoft Active Directory. (D)

Which aspect of using IAM reduces risks associated with user permissions?

Creating IAM users for day-to-day tasks. (B)

Why is it critical to store AWS root credentials securely?

To prevent unauthorized access to sensitive account features. (C)

What is a consequence of applying the principle of least privilege in an AWS environment?

Enhanced security by minimizing access to necessary permissions. (D)

Flashcards

IAM

AWS Identity and Access Management; controls access to AWS resources.

Root User

First AWS account, with full access to all services and resources.

Protect Root User

Use MFA, limit use, and keep credentials secure.

Least Privilege

Grant users only necessary permissions for their tasks.

IAM Users

Individual accounts for specific users.

IAM Groups

Collections of users.

IAM Roles

Temporary access for applications or users.

IAM Policies

Rules defining allowed/denied actions.

AWS Single Sign-On

Simplifies access to multiple AWS accounts with one login.

Multi-Factor Authentication (MFA)

Extra layer of security requiring multiple verification methods.

AWS IAM

Manages access to AWS resources within a single account.

AWS IAM Identity Center

Centralizes access across multiple AWS accounts/applications, using SSO.

Federated user

A user using credentials from an external identity provider like Active Directory.

Access Key

Used by applications/programs to access AWS services.

Password Policy

Enforces rules for user passwords in AWS.

AWS Secrets Manager

Stores and rotates sensitive AWS credentials securely.

Cross-Account IAM Role

Grants access between different AWS accounts without sharing credentials.

Study Notes

AWS Access Management Key Concepts

• IAM (Identity and Access Management): Manages access to AWS resources. Controls users, groups, roles, and policies. Crucial for authorizing access.

Protecting the AWS Root User Account

• Root User: The initial AWS account with full access.
• Risks of Unprotected Root User: Risk of resource deletion, billing changes, and account takeover.
• Best Practices:
  • Enable Multi-Factor Authentication (MFA).
  • Limit Root User use to essential tasks like account settings.
  • Securely store root credentials.
  • Create IAM users for everyday tasks.

Principle of Least Privilege

• Concept: Grant users and applications only necessary permissions, nothing more.
• Example: A developer needs read-only access to an S3 bucket; they shouldn't have delete/modify permission.
• Benefits: Reduces accidental/malicious changes. Improves security by limiting what users can do.

AWS IAM Identity Center (AWS Single Sign-On)

• Purpose: Simplifies access to multiple AWS accounts and applications with a single login.
• Key Features:
  • Centralized access control across accounts.
  • Federated identity support.
• IAM vs. IAM Identity Center: IAM manages a single account, while IAM Identity Center manages multiple accounts via SSO and external identity providers (e.g., Microsoft Active Directory).
• Use Cases:
  • IAM: Single account, fine-grained resource permissions.
  • IAM Identity Center: Multiple accounts, simplified logins, external identity integration.

Access Keys, Password Policies, and Credential Storage

• Access Keys: Used by applications to access AWS services.
• Password Policies: Enforce rules for user passwords (e.g., length, complexity, expiration).
• Credential Storage: Securely store sensitive credentials using tools like:
  • AWS Secrets Manager.
  • AWS Systems Manager Parameter Store.

Authentication Methods in AWS

• Methods:
  • MFA (Multi-Factor Authentication): Adds a second authentication layer (e.g., code to phone).
  • IAM Identity Center (SSO): Single sign-on for multiple AWS accounts/applications.
  • Cross-Account IAM Roles: Allow access between AWS accounts without sharing credentials.

Groups, Users, and Policies

• Groups: Collections of users with shared permissions (e.g., "Developers").
• Users: Individual accounts with unique access keys, passwords, and permissions.
• Policies: Define permissions.
  • Managed Policies: Predefined by AWS.
  • Custom Policies: Tailored to specific customer needs.

Tasks Requiring Root User Access

• Limited: Tasks like changing account email/password, closing account, and managing specific billing features.

Protecting the Root User Account (Summary)

• Enable MFA for root user: Extra security layer.
• Avoid sharing root credentials: Use IAM users for daily tasks.
• Monitor root user activity: Use AWS CloudTrail to log activity.

Types of Identity Management

• Standalone IAM Users: Separate user accounts.
• Federated Identity: Integrates with external systems (like corporate login).
• Service Roles: Allow AWS services to securely interact with each other.

Description

Dive into key concepts of AWS Identity and Access Management (IAM). This quiz covers the importance of protecting the root user account and the principle of least privilege in AWS. Test your knowledge on best practices and security measures essential for managing access to AWS resources.