AWS IAM Quiz 2
Question 1: An on-premises application needs access to S3. You created an IAM user account for this application and granted necessary policy permissions to access S3. What additional steps need to be completed for your application to access S3?
Option 1: Assign a password
Option 2: Assign access key credentials
Option 3: Assign either password or access key credentials
Answer: Option 2: Assign access key credentials
Question 2: You have a resource-level access policy. As a principal in that policy, can you specify an IAM Group to ensure all users belonging to the group can access the resource?
Option 1: Yes
Option 2: No
Answer: Option 2: No
Question 3: You are using an IAM account for managing AWS resources. Can you participate in the AWS discussion forums with your IAM account?
Option 1: Yes
Option 2: No
Answer: Option 1: Yes
Question 4: A newly created IAM user has:
Option 1: Read access to all services excluding Billing
Option 2: Read access to all services
Option 3: No access until explicitly allowed access
Answer: Option 3: No access until explicitly allowed access
Question 5: Your company already has a corporate directory that is Security Assertion Markup Language (SAML) 2.0 compliant for maintaining the identities of its employees. If your employees need access to AWS services, you need to:
Option 1: A. Create corresponding identities in IAM and link them with corporate directory
Option 2: B. Use Identity federation and configure your corporate directory to provide single sign on access to AWS Management Console
Option 3: C. Create corresponding IAM identities with matching password as one time setup and synchronize automatically from that point onward with corporate directory
Option 4: D. Any of the above would work
Answer: Option 2: B. Use Identity federation and configure your corporate directory to provide single sign on access to AWS Management Console
Question 6: When an IAM User switches to a different role using the management console:
Option 1: A. They temporarily gain privileges granted by the role
Option 2: B. They give up their original permissions for the duration of the role usage, and the original permissions are restored when they exit the role
Option 3: C. They have both role privileges and their original privileges at the same time from console
Option 4: D. Choices A and B
Answer: Option 4: D. Choices A and B
Question 7: You have a resource-level access policy. As a principal in that policy, can you specify an IAM Role to ensure all users who can assume the role have access to the resource?
Option 1: A. Role name can be used as a principal. Any user who has permission to assume the role would get access to the resource
Option 2: B. Role cannot be used as a principal. Only individual users can be specified as a principal
Answer: Option 1: A. Role name can be used as a principal. Any user who has permission to assume the role would get access to the resource
Question 8: You would like to grant administrative access to your AWS account for a group of employees. The best practice for granting access is:
Option 1: Use the Root user and credentials
Option 2: Create one admin user and share with employees
Option 3: Create a separate IAM user for each employee and enable Multi-factor authentication
Option 4: Create one access key credential and share with employees
Option 5: All of the above.
Answer: Option 3: Create a separate IAM user for each employee and enable Multi-factor authentication
Question 9: When an application switches to an IAM role using the SDK or API:
Option 1: A. The application temporarily gains the privileges granted by the role
Option 2: B. The application gives up its original permissions, and the original permissions are restored when it exits the role
Option 3: C. The application doesn’t have to exit the role to regain its original permissions. It simply has to stop using the temporary credentials and use its original credentials
Option 4: Choices A and B
Option 5: Choices A and C
Answer: Option 5: Choices A and C
Question 10: The IT department of a large company enforces the principle of least privilege and grants access only to the resources needed for the job. Which policy management scheme improves the agility of the organization while minimizing the effort needed for policy maintenance?
Option 1: Use job Role-Based Access Control (RBAC) and maintain a list of resource IDs in the policy document
Option 2: Use Attribute-Based Access Control (ABAC) and maintain policies that grant access only when the user’s tag and the resource’s tag match
Option 3: Use resource-based policies to maintain who is allowed access to a resource
Option 4: Use identity-based policies to maintain who is allowed access to a resource
Answer: Option 2: Use Attribute-Based Access Control (ABAC) and maintain policies that grant access only when the user’s tag and the resource’s tag match
Question 11: Can you add an IAM Group as a child of another IAM Group?
Option 1: Yes
Option 2: No
Answer: Option 2: No
Question 12: Identity and Access Management is used to control:
Option 1: A. Access to specific AWS services
Option 2: B. Actions a user can perform on specific AWS services
Option 3: C. Multi Factor Authentication on Users
Option 4: D. Identity federation
Option 5: E. All the above
Answer: Option 5: E. All the above
Question 13: A user named Alice worked in the Finance department of a company, and she was granted permission to access the finance bucket in S3 using a resource-based policy. The policy grants access using the ARN arn:aws:iam::123456789012:user/Alice. When Alice left the company, the administrators deleted her identity. After a few months, a different Alice joined the IT department, and the administrators created a new account with the same name, Alice. The S3 finance bucket still has the permission that was granted to the original Alice. The newly joined Alice also has the same ARN; would she be able to access the S3 finance bucket?
Option 1: Yes
Option 2: No
Answer: Option 2: No
Question 14: You want to delegate permissions for performing certain actions on your AWS resources. You would like to follow the AWS best practice of using IAM Roles for delegation. What is necessary for an IAM user (who can belong to a different account) to assume a role?
Option 1: A. A permissions policy that grants the necessary privileges to the role
Option 2: B. A trust relationship that names the accounts trusted to use the role, so that each trusted account can delegate the role among its own users
Option 3: C. The user needs to have permission from the account owner to assume or switch to that role
Option 4: D. All of the above.
Answer: Option 4: D. All of the above.
Question 15: Can you grant access to an IAM Group in a resource-based policy?
Option 1: Yes
Option 2: No
Answer: Option 2: No
Question 16: An EC2 instance needs permission to store data in a DynamoDB table. Which of these options is recommended by AWS?
Option 1: Generate access key credentials and store them on the EC2 instance
Option 2: Grant permission to the instance using the DynamoDB table resource-based policy
Option 3: Store DynamoDB user-id and password in the EC2 instance
Option 4: Attach an IAM Role to the instance with necessary permission
Answer: Option 4: Attach an IAM Role to the instance with necessary permission
Question 17: Your company has a SAML 2.0 compliant corporate directory for maintaining employee identities. The employees require access to the resources in the company’s AWS account. Which of these options is recommended for managing AWS access?
Option 1: Create corresponding identities in IAM and link them with the corporate directory
Option 2: Configure IAM Identity federation to provide single sign-on access to AWS
Option 3: Create corresponding IAM identities with matching passwords as a one-time setup to synchronize automatically with the corporate directory
Option 4: Any of the above would work
Answer: Option 2: Configure IAM Identity federation to provide single sign-on access to AWS
Question 18: In your web application, you allow users to register with their existing identities from Amazon, Google, or Facebook. Once authenticated, your users should be able to access specific AWS services related to your application. Which one of these options is recommended for managing access?
Option 1: Verify the user’s identity with the external providers from your web application. Once the user is authorized, use the web application’s credentials to access AWS services
Option 2: Manage federation using AWS Cognito. Authorized users are mapped to an IAM role, and they gain temporary privileges defined by the role
Option 3: Manage federation using AWS Cognito. Authorized users are issued permanent access credentials
Option 4: Create corresponding user identities in IAM and grant them necessary privileges
Answer: Option 2: Manage federation using AWS Cognito. Authorized users are mapped to an IAM role, and they gain temporary privileges defined by the role
Question 19: When an IAM user creates resources in AWS, who is responsible for paying the bill?
Option 1: IAM User
Option 2: IAM Group
Option 3: IAM Role
Option 4: Root user
Answer: Option 4: Root user
Question 20: A large corporation has hundreds of AWS accounts, and the corporate IT department has identified three AWS regions that can be used by development teams. However, an audit showed developers using unapproved regions along with expensive EC2 instance families. What can be done to address this situation?
Option 1: Audit every account and modify policies in each account to enforce controls
Option 2: Educate employees on the shared-responsibility model and ask for self-enforcement
Option 3: Configure CloudTrail and set up alerts when someone attempts an unapproved action
Option 4: Configure Service Control Policy for member accounts using AWS Organizations
Answer: Option 4: Configure Service Control Policy for member accounts using AWS Organizations
Question 21: You would like to give administrative privileges to your AWS resources. What is the recommended approach?
Option 1: Use the Root account and credentials
Option 2: Create one admin account and share it with the pool of developers
Option 3: Each user must have their own account and credentials with Multi-factor authentication enabled
Option 4: Any of the above.
Answer: Option 3: Each user must have their own account and credentials with Multi-factor authentication enabled
Question 22: S3 supports resource-based policies. Account A would like to grant read access to its S3 bucket for principals belonging to a different account (Account B). How can this be achieved?
Option 1: A. Create a role and set up a trust relationship (A trusts B). Account B can then delegate the permission to other users belonging to its account.
Option 2: B. Configure account B as a principal in the S3 bucket policy
Option 3: C. Either option would work
Option 4: D. None of the above would work.
Answer: Option 3: C. Either option would work
Question 23: Who can assume an IAM role?
Option 1: A. IAM user in the same AWS Account
Option 2: B. IAM user in a different AWS account
Option 3: C. Other AWS services, such as EC2
Option 4: D. External User authenticated and federated with AWS
Option 5: E. All of the above
Answer: Option 5: E. All of the above
Question 24: In order to sign in to the AWS Management Console with IAM users, you can use the following URL:
Option 1: A. You can specify your Account ID in the URL and access the console: https://YourAccountID.signin.aws.amazon.com/console/
Option 2: B. You can specify your Account Alias in the URL: https://YourAccountAlias.signin.aws.amazon.com/console/
Option 3: C. The Account Alias, if defined, needs to be globally unique.
Option 4: D. You can assign any account alias to your account, as this is an account-specific setting. The alias need not be globally unique
Option 5: E. Choice A, B, C
Option 6: F. Choice A, B, D
Answer: Option 5: E. Choice A, B, C
Question 25: You have an application running in your data center, and the application needs to access S3. You created an IAM user account for this application and granted the necessary policy permissions to access S3. What additional steps need to be completed for your application to access S3?
Option 1: Assign a password for this account
Option 2: Assign Access Key credentials for the user account
Option 3: Either a password or Access Key credentials
Answer: Option 2: Assign Access Key credentials for the user account
Question 26: An IAM user is part of the Admin group, which grants full access to the demo-bucket in S3. The bucket has a resource-level policy that denies all write requests. What access does the user have?
Option 1: Full Access
Option 2: Read-only Access
Option 3: Write-only Access
Option 4: No Access
Answer: Option 2: Read-only Access
Question 27: Can an IAM user belong to more than one IAM Group?
Option 1: Yes
Option 2: No
Answer: Option 1: Yes
Question 28: A developer is trying to open a support case with AWS for an issue they are running into with a particular service. Can the developer use an IAM account to contact AWS Support and open a case?
Option 1: A. Yes – all IAM users are allowed access to support case features
Option 2: B. No – IAM users are not allowed access to support case features
Option 3: C. Only root account allows access to support case features
Option 4: D. IAM users who are granted permissions for performing support related actions can submit a ticket
Answer: Option 4: D. IAM users who are granted permissions for performing support related actions can submit a ticket
Question 29: A startup has multiple AWS accounts. Employees play different job roles and require appropriate access in each account. For example, they have limited privileges in the production account, whereas in the development account they have a wide range of privileges. What can be done to streamline access to the accounts?
Option 1: Use AWS Organizations and enable single sign-on to manage access to accounts centrally
Option 2: Create IAM roles in each account with appropriate privileges and grant privileges to the user to assume the role
Option 3: Create IAM identities for the users in each account and manage access using IAM groups
Option 4: Create IAM identities in one account and map users to groups. In each account, use a resource-based policy to grant relevant access to the groups.
Answer: Option 1: Use AWS Organizations and enable single sign-on to manage access to accounts centrally
Question 30: With Identity and Access Management, you can:
Option 1: Grant access to other AWS services
Option 2: Grant access to users
Option 3: Enable Multi-Factor Authentication
Option 4: Manage access to Federated Identities
Option 5: All of the above.
Answer: Option 5: All of the above.