AWS Identity and Access Management (IAM) practice questions

1. Which service enables AWS customers to manage users and permissions in AWS?
A. AWS Access Control Service (ACS)
B. AWS Identity and Access Management (IAM)
C. AWS Identity Manager (AIM)

Answer: B. AWS Identity and Access Management (IAM)

2. IAM provides several policy templates you can use to automatically assign permissions to the groups you create. The _____ policy template gives the Admins group permission to access all account resources, except your AWS account information.
A. Read Only Access
B. Power User Access
C. AWS CloudFormation Read Only Access
D. Administrator Access

Answer: D. Administrator Access

3. Every user you create in the IAM system starts with _________.
A. Partial permissions
B. Full permissions
C. No permissions

Answer: C. No permissions

4. Groups can’t _____.
A. be nested more than 3 levels
B. be nested at all
C. be nested more than 4 levels
D. be nested more than 2 levels

Answer: B. be nested at all

5. The _____ service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon SimpleDB, and the AWS Management Console.
A. Amazon RDS
B. AWS Integrity Management
C. AWS Identity and Access Management
D. Amazon EMR

Answer: C. AWS Identity and Access Management

6. An AWS customer is deploying an application that is composed of an Auto Scaling group of EC2 instances. The customer's security policy requires that every outbound connection from these instances to any other service within the customer's Virtual Private Cloud must be authenticated using a unique X.509 certificate that contains the specific instance-id. In addition, the X.509 certificate must be signed by the customer's key management service in order to be trusted for authentication. Which of the following configurations will support these requirements?
A. Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure the Auto Scaling group to launch instances with this role. Have the instances' bootstrap process get the certificate from Amazon S3 upon first boot.
B. Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group. Have the launched instances generate a certificate signing request with the instance's assigned instance-id and send it to the key management service for signature.
C. Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the key management service generate a signed certificate and send it directly to the newly launched instance.
D. Configure the launched instances to generate a new certificate upon first boot. Have the key management service poll the Auto Scaling group for associated instances and send new instances a certificate signature that contains the specific instance-id.

Answer: C. Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the key management service generate a signed certificate and send it directly to the newly launched instance.

7. When assessing an organization's use of AWS API access credentials, which of the following three credentials should be evaluated? Choose 3 answers
A. Key pairs
B. Console passwords
C. Access keys
D. Signing certificates
E. Security Group memberships

Answers:
B. Console passwords
C. Access keys
D. Signing certificates

8. An organization has created 50 IAM users. The organization wants each user to be able to change their own password but not their access keys. How can the organization achieve this?
A. The organization has to create a special password policy and attach it to each user
B. The root account owner has to use the CLI, which forces each IAM user to change their password on first login
C. By default each IAM user can modify their own password
D. The root account owner can set the policy from the IAM console under the password policy screen

Answer: D. The root account owner can set the policy from the IAM console under the password policy screen

9. An organization has created 50 IAM users. The organization has introduced a new policy which will change the access of an IAM user. How can the organization implement this effectively so that there is no need to apply the policy at the individual user level?
A. Use IAM groups: add users to different groups according to their role and apply the policy to the group
B. The user can create a policy and apply it to multiple users in a single go with the AWS CLI
C. Add each user to the IAM role as per their organizational role to achieve effective policy setup
D. Use an IAM role and implement access at the role level

Answer: A. Use IAM groups: add users to different groups according to their role and apply the policy to the group

10. Your organization’s security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password. Which two of the following options would allow an organization to enforce this policy for AWS users? Choose 2 answers
A. Configure multi-factor authentication for privileged IAM users
B. Create IAM users for privileged accounts
C. Implement identity federation between your organization’s Identity provider leveraging the IAM Security Token Service
D. Enable the IAM single-use password policy option for privileged users

Answers:
A. Configure multi-factor authentication for privileged IAM users
B. Create IAM users for privileged accounts

11. Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers
A. Create individual IAM users for everyone in your organization
B. Configure MFA on the root account and for privileged IAM users
C. Assign IAM users and groups configured with policies granting least privilege access
D. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate

Answers:
B. Configure MFA on the root account and for privileged IAM users
C. Assign IAM users and groups configured with policies granting least privilege access

12. A company needs to deploy services to an AWS region which they have not previously used. The company currently has an AWS Identity and Access Management (IAM) role for its Amazon EC2 instances, which permits the instances to access Amazon DynamoDB. The company wants its EC2 instances in the new region to have the same privileges. How should the company achieve this?
A. Create a new IAM role and associated policies within the new region
B. Assign the existing IAM role to the Amazon EC2 instances in the new region
C. Copy the IAM role and associated policies to the new region and attach it to the instances
D. Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature

Answer: B. Assign the existing IAM role to the Amazon EC2 instances in the new region

13. After creating a new IAM user which of the following must be done before they can successfully make API calls?
A. Add a password to the user.
B. Enable Multi-Factor Authentication for the user.
C. Assign a Password Policy to the user.
D. Create a set of Access Keys for the user

Answer: D. Create a set of Access Keys for the user

14. An organization is planning to create a user with IAM. They are trying to understand the limitations of IAM so that they can plan accordingly. Which of the following statements is not true with respect to the limitations of IAM?
A. One IAM user can be a part of a maximum of 5 groups
B. An organization can create 100 groups per AWS account
C. One AWS account can have a maximum of 5000 IAM users
D. One AWS account can have 250 roles

Answer: A. One IAM user can be a part of a maximum of 5 groups

15. Within the IAM service, a GROUP is regarded as:
A. A collection of AWS accounts
B. The group of EC2 machines that gain the permissions specified in the GROUP.
C. There is no GROUP in IAM, but only USERS and RESOURCES.
D. A collection of users.

Answer: D. A collection of users.

16. Is there a limit to the number of groups you can have?
A. Yes for all users except root
B. No
C. Yes unless special permission granted
D. Yes for all users

Answer: D. Yes for all users

17. What is the default maximum number of MFA devices in use per AWS account (at the root account level)?
A. 1
B. 5
C. 15
D. 10

Answer: A. 1

18. When you use the AWS Management Console to delete an IAM user, IAM also deletes any signing certificates and any access keys belonging to the user.
A. FALSE
B. This is configurable
C. TRUE

Answer: C. TRUE

19. You are setting up a blog on AWS. In which of the following scenarios will you need AWS credentials? (Choose 3)
A. Sign in to the AWS Management Console to launch an Amazon EC2 instance
B. Sign in to the running instance to install some software
C. Launch an Amazon RDS instance
D. Log in to your blog's content management system to write a blog post
E. Post pictures to your blog on Amazon S3

Answers:
A. Sign in to the AWS Management Console to launch an Amazon EC2 instance
C. Launch an Amazon RDS instance
E. Post pictures to your blog on Amazon S3

20. An organization has 500 employees. The organization wants to set up AWS access for each department. Which of the following options is a possible solution?
A. Create IAM roles based on the permissions and assign users to each role
B. Create IAM users and provide individual permissions to each
C. Create IAM groups based on the permissions and assign IAM users to the groups
D. It is not possible to manage more than 100 IAM users with AWS

Answer: C. Create IAM groups based on the permissions and assign IAM users to the groups

21. An organization has hosted an application on EC2 instances. Multiple users will connect to the instance for setup and configuration of the application. The organization is planning to implement certain security best practices. Which of the following measures will not help the organization achieve better security?
A. Apply the latest OS patches and always keep it updated.
B. Allow only IAM users to connect to the EC2 instances with their own secret access key.
C. Disable password-based login for all users. All users should use their own keys to connect to the instance securely.
D. Create a procedure to revoke the access rights of an individual user when they no longer need to connect to the EC2 instance for application configuration.

Answer: B. Allow only IAM users to connect to the EC2 instances with their own secret access key.

22. A company is building software on AWS that requires access to various AWS services. Which configuration should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised?
A. Enable Multi-Factor Authentication for your AWS root account.
B. Assign an IAM role to the Amazon EC2 instance.
C. Store the AWS Access Key ID/Secret Access Key combination in software comments.
D. Assign an IAM user to the Amazon EC2 Instance.

Answer: B. Assign an IAM role to the Amazon EC2 instance.

23. A company is preparing to give AWS Management Console access to developers. Company policy mandates identity federation and role-based access control. Roles are currently assigned using groups in the corporate Active Directory. What combination of the following will give developers access to the AWS console? Choose 2 answers
A. AWS Directory Service AD Connector
B. AWS Directory Service Simple AD
C. AWS Identity and Access Management groups
D. AWS Identity and Access Management roles
E. AWS Identity and Access Management users

Answers:
A. AWS Directory Service AD Connector
D. AWS Identity and Access Management roles

24. A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions. Which of the following options, when used together, will support the autonomy/control of divisions while enabling corporate IT to maintain governance and cost oversight? Choose 2 answers
A. Use AWS Consolidated Billing and disable AWS root account access for the child accounts.
B. Enable IAM cross-account access for all corporate IT administrators in each child account.
C. Create separate VPCs for each division within the corporate IT AWS account.
D. Use AWS Consolidated Billing to link the divisions' accounts to a parent corporate account.
E. Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account's Amazon S3 'Log' bucket.

Answers:
B. Enable IAM cross-account access for all corporate IT administrators in each child account.
D. Use AWS Consolidated Billing to link the divisions' accounts to a parent corporate account.

25. Which of the following items are required to allow an application deployed on an EC2 instance to write data to a DynamoDB table? Assume that no security keys are allowed to be stored on the EC2 instance. (Choose 2 answers)
A. Create an IAM Role that allows write access to the DynamoDB table
B. Add an IAM Role to a running EC2 instance.
C. Create an IAM User that allows write access to the DynamoDB table.
D. Add an IAM User to a running EC2 instance.
E. Launch an EC2 Instance with the IAM Role included in the launch configuration

Answers:
A. Create an IAM Role that allows write access to the DynamoDB table
B. Add an IAM Role to a running EC2 instance.

26. You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each account's bill to a Master AWS account using Consolidated Billing. To make sure you keep within budget, you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal.
A. Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
B. Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
C. Create IAM users in the Master account. Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access.
D. Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts.

Answer: C. Create IAM users in the Master account. Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access.

27. You have an application running on an EC2 instance which will allow users to download files from a private S3 bucket using a pre-signed URL. Before generating the URL, the application should verify the existence of the file in S3. How should the application use AWS credentials to access the S3 bucket securely?
A. Use the AWS account access keys; the application retrieves the credentials from the source code of the application.
B. Create an IAM user for the application with permissions that allow list access to the S3 bucket, launch the instance as the IAM user, and retrieve the IAM user's credentials from the EC2 instance user data.
C. Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role's credentials from the EC2 instance metadata.
D. Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.

Answer: C. Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role's credentials from the EC2 instance metadata.

28. An administrator is using Amazon CloudFormation to deploy a three-tier web application that consists of a web tier and an application tier that will utilize Amazon DynamoDB for storage. When creating the CloudFormation template, which of the following would allow the application instances access to the DynamoDB tables without exposing API credentials?
A. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and associate the Role to the application instances by referencing an instance profile.
B. Use the Parameters section in the CloudFormation template to have the user input Access and Secret Keys from an already created IAM user that has the permissions required to read and write from the required DynamoDB table.
C. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and reference the Role in the instance profile property of the application instance.
D. Create an Identity and Access Management user in the CloudFormation template that has permissions to read and write from the required DynamoDB table, use the GetAtt function to retrieve the Access and Secret Keys, and pass them to the application instance through user data.

Answer: C. Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and reference the Role in the instance profile property of the application instance.

29. An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account. The enterprise has internal security policies that require any outside access to its environment to conform to the principle of least privilege, and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions?
A. From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account.
B. Create an IAM user within the enterprise account, assign a user policy to the IAM user that allows only the actions required by the SaaS application, create a new access and secret key for the user, and provide these credentials to the SaaS provider.
C. Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.
D. Create an IAM role for EC2 instances, assign it a policy that allows only the actions required for the SaaS application to work, and provide the role ARN to the SaaS provider to use when launching their application instances.

Answer: C. Create an IAM role for cross-account access that allows the SaaS provider's account to assume the role, and assign it a policy that allows only the actions required by the SaaS application.

30. A user has created an application which will be hosted on EC2. The application makes calls to DynamoDB to fetch certain data. The application uses the DynamoDB SDK to connect from the EC2 instance. Which of the following statements is true with respect to the best practice for security in this scenario?
A. The user should attach an IAM role with DynamoDB access to the EC2 instance
B. The user should create an IAM user with DynamoDB access and use its credentials within the application to connect with DynamoDB
C. The user should create an IAM role which has EC2 access so that it will allow deploying the application
D. The user should create an IAM user with DynamoDB and EC2 access. Attach the user to the application so that it does not use the root account credentials

Answer: A. The user should attach an IAM role with DynamoDB access to the EC2 instance

31. A customer is in the process of deploying multiple applications to AWS that are owned and operated by different development teams. Each development team maintains the authorization of its users independently from other teams. The customer's information security team would like to be able to delegate user authorization to the individual development teams but independently apply restrictions to the users' permissions based on factors such as the user's device and location. For example, the information security team would like to grant read-only permissions to a user who is defined by the development team as read/write whenever the user is authenticating from outside the corporate network. What steps can the information security team take to implement this capability?
A. Operate an authentication service that generates AWS STS tokens with IAM policies from application-defined IAM roles.
B. Add additional IAM policies to the application IAM roles that deny user privileges based on information security policy.
C. Configure IAM policies that restrict modification of the application IAM roles only to the information security team.
D. Enable federation with the internal LDAP directory and grant the application teams permissions to modify users.

Answer: B. Add additional IAM policies to the application IAM roles that deny user privileges based on information security policy.

32. You are creating an Auto Scaling group whose instances need to insert a custom metric into CloudWatch. Which method would be the best way to authenticate your CloudWatch PUT request?
A. Create an IAM role with the PutMetricData permission and modify the Auto Scaling launch configuration to launch instances with that role
B. Create an IAM user with the PutMetricData permission and modify the Auto Scaling launch configuration to inject the user's credentials into the instance user data
C. Modify the appropriate CloudWatch metric policies to allow the PutMetricData permission to instances from the Auto Scaling group
D. Create an IAM user with the PutMetricData permission, put the credentials in a private repository, and have applications on the server pull the credentials as needed

Answer: A. Create an IAM role with the PutMetricData permission and modify the Auto Scaling launch configuration to launch instances with that role