AWS IAM Quiz 2

You can access the quiz at Link to Quiz and get all questions by printing the page.



Question 1: An on-premises application needs access to S3. You created an IAM user account for this application and granted necessary policy permissions to access S3. What additional steps need to be completed for your application to access S3?

     Option 1: Assign a password
     Option 2: Assign access key credentials
     Option 3: Assign either password or access key credentials


Answer: Option 2: Assign access key credentials
Reference

Question 2: You have a resource level access policy. As a principal in that policy, can you specify an IAM Group to ensure all users belonging to the group can access the resource?

     Option 1: Yes
     Option 2: No


Answer: Option 2: No
Reference

Question 3: You are using an IAM account for managing AWS resources. Can you participate in the AWS discussion forum with your IAM account?

     Option 1: yes
     Option 2: no


Answer: Option 1: yes
Reference

Question 4: A newly created IAM user has:

     Option 1: Read access to all services excluding Billing
     Option 2: Read access to all services
     Option 3: No access until explicitly allowed access


Answer: Option 3: No access until explicitly allowed access
Reference

Question 5: Your company already has a corporate directory that is Security Assertion Markup Language 2.0 compliant for maintaining identities of the employees. If your employees need access to AWS Services, you need to

     Option 1: A. Create corresponding identities in IAM and link them with corporate directory
     Option 2: B. Use Identity federation and configure your corporate directory to provide single sign on access to AWS Management Console
     Option 3: C. Create corresponding IAM identities with matching password as one time setup and synchronize automatically from that point onward with corporate directory
     Option 4: D. Any of the above would work


Answer: Option 2: B. Use Identity federation and configure your corporate directory to provide single sign on access to AWS Management Console
Reference

Question 6: When an IAM User switches to a different role using the management console:

     Option 1: A. They temporarily gain privileges granted by the role
     Option 2: B. They give up their original permissions for the duration of role usage and original permission is restored when they exit role
     Option 3: C. They have both role privileges and their original privileges at the same time from console
     Option 4: D. Choices A and B


Answer: Option 4: D. Choices A and B
Reference

Question 7: You have a resource level access policy. As a principal in that policy, can you specify an IAM Role to ensure all users who can assume the role have access to the resource?

     Option 1: A. Role name can be used as a principal. Any user who has permission to assume the role would get access to the resource
     Option 2: B. Role cannot be used as a principal. Only individual users can be specified as a principal


Answer: Option 1: A. Role name can be used as a principal. Any user who has permission to assume the role would get access to the resource
Reference

Question 8: You would like to grant administrative access to your AWS account for a group of employees. The best practice for granting access is:

     Option 1: Use the Root user and credentials
     Option 2: Create one admin user and share with employees
     Option 3: Create a separate IAM user for each employee and enable Multi-factor authentication
     Option 4: Create one access key credential and share with employees
     Option 5: All of the above.


Answer: Option 3: Create a separate IAM user for each employee and enable Multi-factor authentication
Reference

Question 9: When an application switches to an IAM role using SDK or API:

     Option 1: A. Application temporarily gains privileges granted by the role
     Option 2: B. Application gives up its original permissions and original permission is restored when they exit role
     Option 3: C. Application doesn’t have to exit role to gain its original permissions back. It simply has to stop using the temporary credentials and use its original credentials
     Option 4: Choices A and B
     Option 5: Choices A and C


Answer: Option 5: Choices A and C
Reference

Question 10: The IT department of a large company enforces the principle of least privilege and grants access only to the resources needed for the job. Which of these policy management schemes improves the agility of the organization while minimizing the effort needed for policy maintenance?

     Option 1: Use job Role-Based Access Control (RBAC) and maintain a list of resource IDs in the policy document
     Option 2: Use Attribute-Based Access Control (ABAC) and maintain policies that grant access only when User’s tag and resource’s tag match
     Option 3: Use resource-based policies to maintain who is allowed access to a resource
     Option 4: Use identity-based policies to maintain who is allowed access to a resource


Answer: Option 2: Use Attribute-Based Access Control (ABAC) and maintain policies that grant access only when User’s tag and resource’s tag match
Reference

Question 11: Can you add IAM Group as a child of another IAM Group?

     Option 1: Yes
     Option 2: No


Answer: Option 2: No
Reference

Question 12: Identity and Access Management is used to control:

     Option 1: A. Access to specific AWS services
     Option 2: B. Actions user can perform on specific AWS services
     Option 3: C. Multi Factor Authentication on Users
     Option 4: D. Identity federation
     Option 5: E. All the above


Answer: Option 5: E. All the above
Reference

Question 13: A user named Alice worked in the Finance department of a company, and she was granted permission to access the finance bucket in S3 using a resource-based policy. The policy grants access using the ARN: arn:aws:iam::123456789012:user/Alice. When Alice left the company, the administrators deleted her identity. After a few months, a different Alice joined the IT department, and administrators created a new account with the same name Alice. S3 finance bucket still has permission that was granted to the original Alice. The newly joined Alice also has the same ARN; would she be able to access the S3 finance bucket?

     Option 1: Yes
     Option 2: No


Answer: Option 2: No
Reference

Question 14: You want to delegate permissions for performing certain actions on your AWS resources. You would like to follow the AWS best practice of using IAM Roles for delegation. What is necessary for an IAM user (who can belong to a different account) to assume a role?

     Option 1: A. A Permissions policy that grants necessary privileges for a role
     Option 2: B. Accounts that are trusted for using the role and delegate among that account’s users
     Option 3: C. User needs to have permission from the account owner to assume or switch to that role
     Option 4: D. All of the above.


Answer: Option 4: D. All of the above.
Reference

Question 15: Can you grant access to an IAM Group in a resource-based policy?

     Option 1: Yes
     Option 2: No


Answer: Option 2: No
Reference

Question 16: An EC2 instance needs permission to store data in a DynamoDB table. Which of these options is recommended by AWS?

     Option 1: Generate access key credentials and store it in the EC2 instance
     Option 2: Grant permission to the instance using the DynamoDB table resource-based policy
     Option 3: Store DynamoDB user-id and password in the EC2 instance
     Option 4: Attach an IAM Role to the instance with necessary permission


Answer: Option 4: Attach an IAM Role to the instance with necessary permission
Reference

Question 17: Your company has a SAML 2.0 compliant corporate directory for maintaining employee identities. The employees require access to the resources in the company’s AWS account. Which of these options is recommended for managing AWS access?

     Option 1: Create corresponding identities in IAM and link them with corporate directory
     Option 2: Configure IAM Identity federation to provide single sign-on access to AWS
     Option 3: Create corresponding IAM identities with matching password as a one-time setup to synchronize automatically with corporate directory
     Option 4: Any of the above would work


Answer: Option 2: Configure IAM Identity federation to provide single sign-on access to AWS
Reference

Question 18: In your web application, you allow users to register with their existing identities in Amazon, Google, Facebook. Once authenticated, your users should be able to access specific AWS services related to your application. Which one of these options is recommended for managing access?

     Option 1: Verify user identity with external providers from your web application. Once User is authorized, use web application credentials to access AWS Services
     Option 2: Manage federation using AWS Cognito. Authorized users are mapped to an IAM role, and they gain temporary privileges defined by the role
     Option 3: Manage federation using AWS Cognito. Authorized users are issued permanent access credentials
     Option 4: Create corresponding user identities in IAM and grant them necessary privileges


Answer: Option 2: Manage federation using AWS Cognito. Authorized users are mapped to an IAM role, and they gain temporary privileges defined by the role
Reference

Question 19: When an IAM user creates resources in AWS, who is responsible for paying the bill?

     Option 1: IAM User
     Option 2: IAM Group
     Option 3: IAM Role
     Option 4: Root user


Answer: Option 4: Root user
Reference

Question 20: A large corporation has 100s of AWS accounts, and the corporate IT department has identified three AWS regions that can be used by development teams. However, an audit showed developers using unapproved regions along with the use of expensive EC2 instance families. What can be done to address this situation?

     Option 1: Audit every account and modify policies in each account to enforce controls
     Option 2: Educate employees on the shared-responsibility model and ask for self-enforcement
     Option 3: Configure CloudTrail and set up alerts when someone attempts an unapproved action
     Option 4: Configure Service Control Policy for member accounts using AWS Organizations


Answer: Option 4: Configure Service Control Policy for member accounts using AWS Organizations
Reference

Question 21: You would like to give administrative privileges to your AWS resources. What is the recommended approach?

     Option 1: Use Root account and credentials
     Option 2: Create one admin account and share with the pool of developers
     Option 3: Each user must have their own account and credentials with Multi factor authentication enabled
     Option 4: Any of the above.


Answer: Option 3: Each user must have their own account and credentials with Multi factor authentication enabled
Reference

Question 22: S3 supports resource-based policies. Account A would like to grant read access to its S3 bucket for principals belonging to a different account (Account: B). How can this be achieved?

     Option 1: A. Create a role and setup trusted relationship (A trusts B). Account B can delegate the permission to other users belonging to its account.
     Option 2: B. Configure account B as a principal in bucket policy of S3
     Option 3: C. Either option would work
     Option 4: D. None of the above would work.


Answer: Option 3: C. Either option would work
Reference

Question 23: Who can assume an IAM role?

     Option 1: A. IAM user in the same AWS Account
     Option 2: B. IAM user in a different AWS account
     Option 3: C. Other AWS Services like EC2
     Option 4: D. External User authenticated and federated with AWS
     Option 5: E. All of the above


Answer: Option 5: E. All of the above
Reference

Question 24: In order to sign-in to AWS Management Console with IAM users, you can use the following URL:

     Option 1: A. You can specify your Account ID in the URL and access the console: https://YourAccountID.signin.aws.amazon.com/console/
     Option 2: B. You can specify your Account Alias in the URL: https://YourAccountAlias.signin.aws.amazon.com/console/
     Option 3: C. Account Alias if defined needs to be globally unique.
     Option 4: D. You can assign any account alias to your account as this is an account-specific setting. Alias need not be globally unique
     Option 5: E. Choice A, B, C
     Option 6: F. Choice A, B, D


Answer: Option 5: E. Choice A, B, C
Reference

Question 25: You have an application running in your data center and the application needs to access S3. You created an IAM user account for this application and granted necessary policy permissions to access S3. What additional steps need to be completed for your application to access S3?

     Option 1: Assign a password for this account
     Option 2: Assign Access Key credentials for the user account
     Option 3: Either Password or Access Key Credentials


Answer: Option 2: Assign Access Key credentials for the user account
Reference

Question 26: An IAM user is part of the Admin group that grants full access to the demo-bucket in S3. The bucket has a resource level policy that denies all write requests. What access does the user have?

     Option 1: Full Access
     Option 2: Read-only Access
     Option 3: Write only access
     Option 4: No Access


Answer: Option 2: Read-only Access
Reference

Question 27: Can an IAM user belong to more than one IAM Group?

     Option 1: Yes
     Option 2: No


Answer: Option 1: Yes
Reference

Question 28: A developer is trying to open a support case with AWS for an issue they are running into with a particular service. Can the developer use an IAM account to contact AWS Support and open a case?

     Option 1: A. Yes – all IAM users are allowed access to support case features
     Option 2: B. No – IAM users are not allowed access to support case features
     Option 3: C. Only root account allows access to support case features
     Option 4: D. IAM users who are granted permissions for performing support related actions can submit a ticket


Answer: Option 4: D. IAM users who are granted permissions for performing support related actions can submit a ticket
Reference

Question 29: A startup has multiple AWS accounts. Employees play different job-roles and require appropriate access in each account. For example, they have limited privileges in the production account, whereas, in the development account, they have a wide range of privileges. What can be done to streamline access to accounts?

     Option 1: Use AWS Organizations and enable single sign-on to manage access to accounts centrally
     Option 2: Create IAM roles in each account with appropriate privileges and grant privileges to the user to assume the role
     Option 3: Create IAM identities for the users in each account and manage access using IAM groups
     Option 4: Create IAM identities in one account and map users to groups. In each account, use a resource-based policy to grant relevant access to the groups.


Answer: Option 1: Use AWS Organizations and enable single sign-on to manage access to accounts centrally
Reference

Question 30: With Identity and Access Management, you can:

     Option 1: Grant access to other AWS services
     Option 2: Grant access to users
     Option 3: Enable Multi-Factor Authentication
     Option 4: Manage access to Federated Identities
     Option 5: All of the above.


Answer: Option 5: All of the above.
Reference
