AWS Security and IAM

Questions and Answers

What is the primary focus of Section 1 of this module?

Securing a new AWS account

IAM users, groups, and roles

AWS shared responsibility model (correct)

AWS compliance programs

What will you be able to do after completing this module?

Develop a compliance program

Create a new AWS account

Recognize the shared responsibility model (correct)

Configure IAM using the AWS CLI

What type of activity is included in Section 1 of this module?

Knowledge check

Educator-led activity (correct)

Hands-on lab

Recorded IAM demo

What is the purpose of the knowledge check at the end of this module?

To test your understanding of the key concepts covered in this module

What is the focus of Section 2 of this module?

Recorded IAM demo

What is included at the end of Section 2 of this module?

Hands-on lab

What is the primary objective of this module?

To recognize the shared responsibility model

What is not covered in this module?

Configuring IAM using the AWS CLI

What is the primary function of an IAM policy?

To define permissions and access control

What type of policy is attached to an IAM entity?

Identity-based policy

What is an IAM entity?

An IAM user, IAM group, or IAM role

What does an IAM policy specify?

The actions that may or may not be performed by an entity

Can a single policy be attached to multiple entities?

Yes, a single policy can be attached to multiple entities

What is the purpose of a resource-based policy?

To attach a policy to an AWS resource

What does an IAM policy define?

The permissions that will be granted to an entity

What is an example of a policy attachment?

Attaching a policy to an S3 bucket to block requests from unapproved IP addresses

What is the primary purpose of IAM in an AWS account?

To provide secure access to AWS resources

What is an IAM user?

A person or application that can authenticate with an AWS account

What is the purpose of an IAM group?

To simplify specifying and managing permissions for multiple users

What is an IAM policy?

A document that defines permissions to determine what users can do in the AWS account

What is the main difference between an IAM user's security credentials and the AWS account root user security credentials?

The IAM user's credentials are not shared with other users

What is the primary benefit of using IAM groups?

To simplify specifying and managing permissions for multiple users

What is the primary purpose of an IAM role?

To grant temporary access to specific AWS resources

What can an IAM policy explicitly do?

Deny access to specific AWS resources

Why is it recommended to require multi-factor authentication for the account root user login and all other IAM user logins?

To enhance account security

What is the purpose of AWS CloudTrail?

To enable operational auditing on your account

What is the default retention period for basic AWS CloudTrail event history?

90 days

How can you view, filter, and search the last 90 days of events in AWS CloudTrail?

By logging in to the AWS Management Console and choosing the CloudTrail service

What is required to log in to an AWS account when MFA is enabled?

An MFA token

What is the purpose of creating a trail in AWS CloudTrail?

To enable logs beyond 90 days

What is the recommended way to store logs in AWS CloudTrail?

In an Amazon S3 bucket

What is the default state of AWS CloudTrail when an AWS account is created?

Enabled by default on all AWS accounts

What is the main benefit of using AWS Organizations?

To centrally manage multiple AWS accounts

What can you attach to each organizational unit (OU) in AWS Organizations?

Different access policies

What is the result of combining AWS Organizations and IAM permissions?

The intersection of what is allowed by AWS Organizations and what is granted by IAM

What is the purpose of service control policies in AWS Organizations?

To establish control over the AWS services and API actions that each AWS account can access

What can you do with AWS accounts that should only be allowed to access AWS services that meet certain regulatory requirements?

Put them into one organizational unit (OU) and define a policy that blocks access to services that do not meet those regulatory requirements

What is the focus of AWS Organizations in terms of security features?

All of the above

What is the result of combining AWS Organizations and IAM in terms of permissions?

The user gets the intersection of permissions from both AWS Organizations and IAM

What is the main benefit of using AWS Organizations in terms of regulatory compliance?

It provides a way to control access to AWS services that meet regulatory requirements

Study Notes

AWS Cloud Security

• This module covers AWS shared responsibility model, IAM, securing a new AWS account, securing accounts, securing data on AWS, working to ensure compliance, and additional security services and resources

AWS Shared Responsibility Model

• Recognize the shared responsibility model
• Identify the responsibility of the customer and AWS
• Understand the role and function of each of the four IAM components: users, groups, roles, and policies

IAM Components

• IAM user: a person or application that must make API calls to AWS products
• IAM group: a collection of IAM users that can simplify specifying and managing permissions for multiple users
• IAM policy: a document that defines permissions to determine what users can do in the AWS account
• IAM role: a tool for granting temporary access to specific AWS resources in an AWS account

IAM Policies

• Identity-based policies: attach a policy to any IAM entity (user, group, or role)
• Resource-based policies: attached to a resource (such as an S3 bucket)
• Policies specify actions that may be performed by the entity, and actions that may not be performed
• A single policy can be attached to multiple entities
• A single entity can have multiple policies attached to it

Securing a New AWS Account

• Require multi-factor authentication (MFA) for the account root user login and for all other IAM user logins
• Use AWS CloudTrail to track user activity on your account
• Enable CloudTrail to log all API requests to resources in all supported services in your account

AWS CloudTrail

• A service that logs all API requests to resources in your account
• Enables operational auditing on your account
• Enabled on account creation by default on all AWS accounts
• Keeps a record of the last 90 days of account management event activity
• Can be used to view, filter, and search the last 90 days of events

AWS Organizations

• Enables you to consolidate multiple AWS accounts into an organization
• Provides security features such as grouping accounts into organizational units (OUs) and attaching different access policies to each OU
• Integrates and supports IAM
• Allows you to use service control policies to establish control over the AWS services and API actions that each AWS account can access

Description

This module covers AWS security topics, including the shared responsibility model, IAM, securing accounts and data, compliance, and additional security services. Hands-on labs and demo activities are included.