AWS Security and IAM

Study Flashcards Play Quiz

Questions and Answers

What is the primary focus of Section 1 of this module?

AWS shared responsibility model

What will you be able to do after completing this module?

Recognize the shared responsibility model

What type of activity is included in Section 1 of this module?

Educator-led activity

What is the purpose of the knowledge check at the end of this module?

To test your understanding of the key concepts covered in this module Signup and view all the answers

What is the focus of Section 2 of this module?

Recorded IAM demo Signup and view all the answers

What is included at the end of Section 2 of this module?

Hands-on lab Signup and view all the answers

What is the primary objective of this module?

To recognize the shared responsibility model Signup and view all the answers

What is not covered in this module?

Configuring IAM using the AWS CLI Signup and view all the answers

What is the primary function of an IAM policy?

To define permissions and access control Signup and view all the answers

What type of policy is attached to an IAM entity?

Identity-based policy Signup and view all the answers

What is an IAM entity?

An IAM user, IAM group, or IAM role Signup and view all the answers

What does an IAM policy specify?

The actions that may or may not be performed by an entity Signup and view all the answers

Can a single policy be attached to multiple entities?

Yes, a single policy can be attached to multiple entities Signup and view all the answers

What is the purpose of a resource-based policy?

To attach a policy to an AWS resource Signup and view all the answers

What does an IAM policy define?

The permissions that will be granted to an entity Signup and view all the answers

What is an example of a policy attachment?

Attaching a policy to an S3 bucket to block requests from unapproved IP addresses Signup and view all the answers

What is the primary purpose of IAM in an AWS account?

To provide secure access to AWS resources Signup and view all the answers

What is an IAM user?

A person or application that can authenticate with an AWS account Signup and view all the answers

What is the purpose of an IAM group?

To simplify specifying and managing permissions for multiple users Signup and view all the answers

What is an IAM policy?

A document that defines permissions to determine what users can do in the AWS account Signup and view all the answers

What is the main difference between an IAM user's security credentials and the AWS account root user security credentials?

The IAM user's credentials are not shared with other users Signup and view all the answers

What is the primary benefit of using IAM groups?

To simplify specifying and managing permissions for multiple users Signup and view all the answers

What is the primary purpose of an IAM role?

To grant temporary access to specific AWS resources Signup and view all the answers

What can an IAM policy explicitly do?

Deny access to specific AWS resources Signup and view all the answers

Why is it recommended to require multi-factor authentication for the account root user login and all other IAM user logins?

To enhance account security Signup and view all the answers

What is the purpose of AWS CloudTrail?

To enable operational auditing on your account Signup and view all the answers

What is the default retention period for basic AWS CloudTrail event history?

90 days Signup and view all the answers

How can you view, filter, and search the last 90 days of events in AWS CloudTrail?

By logging in to the AWS Management Console and choosing the CloudTrail service Signup and view all the answers

What is required to log in to an AWS account when MFA is enabled?

An MFA token Signup and view all the answers

What is the purpose of creating a trail in AWS CloudTrail?

To enable logs beyond 90 days Signup and view all the answers

What is the recommended way to store logs in AWS CloudTrail?

In an Amazon S3 bucket Signup and view all the answers

What is the default state of AWS CloudTrail when an AWS account is created?

Enabled by default on all AWS accounts Signup and view all the answers

What is the main benefit of using AWS Organizations?

To centrally manage multiple AWS accounts Signup and view all the answers

What can you attach to each organizational unit (OU) in AWS Organizations?

Different access policies Signup and view all the answers

What is the result of combining AWS Organizations and IAM permissions?

The intersection of what is allowed by AWS Organizations and what is granted by IAM Signup and view all the answers

What is the purpose of service control policies in AWS Organizations?

To establish control over the AWS services and API actions that each AWS account can access Signup and view all the answers

What can you do with AWS accounts that should only be allowed to access AWS services that meet certain regulatory requirements?

Put them into one organizational unit (OU) and define a policy that blocks access to services that do not meet those regulatory requirements Signup and view all the answers

What is the focus of AWS Organizations in terms of security features?

All of the above Signup and view all the answers

What is the result of combining AWS Organizations and IAM in terms of permissions?

The user gets the intersection of permissions from both AWS Organizations and IAM Signup and view all the answers

What is the main benefit of using AWS Organizations in terms of regulatory compliance?

It provides a way to control access to AWS services that meet regulatory requirements Signup and view all the answers

Study Notes

AWS Cloud Security

This module covers AWS shared responsibility model, IAM, securing a new AWS account, securing accounts, securing data on AWS, working to ensure compliance, and additional security services and resources

AWS Shared Responsibility Model

Recognize the shared responsibility model
Identify the responsibility of the customer and AWS
Understand the role and function of each of the four IAM components: users, groups, roles, and policies

IAM Components

IAM user: a person or application that must make API calls to AWS products
IAM group: a collection of IAM users that can simplify specifying and managing permissions for multiple users
IAM policy: a document that defines permissions to determine what users can do in the AWS account
IAM role: a tool for granting temporary access to specific AWS resources in an AWS account

IAM Policies

Identity-based policies: attach a policy to any IAM entity (user, group, or role)
Resource-based policies: attached to a resource (such as an S3 bucket)
Policies specify actions that may be performed by the entity, and actions that may not be performed
A single policy can be attached to multiple entities
A single entity can have multiple policies attached to it

Securing a New AWS Account

Require multi-factor authentication (MFA) for the account root user login and for all other IAM user logins
Use AWS CloudTrail to track user activity on your account
Enable CloudTrail to log all API requests to resources in all supported services in your account

AWS CloudTrail

A service that logs all API requests to resources in your account
Enables operational auditing on your account
Enabled on account creation by default on all AWS accounts
Keeps a record of the last 90 days of account management event activity
Can be used to view, filter, and search the last 90 days of events

AWS Organizations

Enables you to consolidate multiple AWS accounts into an organization
Provides security features such as grouping accounts into organizational units (OUs) and attaching different access policies to each OU
Integrates and supports IAM
Allows you to use service control policies to establish control over the AWS services and API actions that each AWS account can access

Studying That Suits You

Use AI to generate personalized quizzes and flashcards to suit your learning preferences.