AWS IAM Quiz 3
Question 1: You would like to use a bucket-level policy on an S3 bucket. Access to the bucket needs to be limited to a specific IAM group. Can you add the group's Amazon Resource Name as the Principal in the policy?
Option 1: A. Yes, since groups have an ARN, you can add it as part of the principal
Option 2: B. No, you cannot use a group ARN as principal
Answer: Option 2: B. No, you cannot use a group ARN as principal
Question 2: User A has permission assigned to him through IAM group membership. The resource User A is trying to access is restricted using resource level permissions. What permissions are effective to determine if User A has access to resource?
Option 1: Resource Level Permissions overrides group level permissions
Option 2: Group level permissions overrides resource level permissions
Option 3: Both permissions are evaluated for access
Option 4: Last created permission is applied
Answer: Option 3: Both permissions are evaluated for access
Question 3: IAM Role can be assumed by
Option 1: A. IAM User
Option 2: B. Applications
Option 3: C. AWS Services
Option 4: D. Federated Users
Option 5: E. All of the above
Option 6: F. Choices A, B, C
Answer: Option 5: E. All of the above
Question 4: AWS Root Account A has access to resources belonging to Account B. Can account A delegate the permissions to other IAM users who are part of account A?
Option 1: A. Yes, Account A can delegate permissions to other users belonging to its account
Option 2: B. Account B has to approve any user level access from Account A. Permission is granted only to Account A root credentials
Option 3: C. Only if Account A and B are owned by the same entity
Option 4: D. None of the above would work
Answer: Option 1: A. Yes, Account A can delegate permissions to other users belonging to its account
Question 5: Account A grants S3 bucket access to Account B. An IAM user belonging to Account B needs access to that bucket. What steps need to be performed for this to work?
Option 1: Since Account B has access, all users belonging to the account have access to the bucket
Option 2: Account B has to grant permission to the IAM user to access the bucket
Option 3: Account A has to grant permission to IAM user belonging to Account B
Option 4: Cross-account delegation is not supported.
Answer: Option 2: Account B has to grant permission to the IAM user to access the bucket
Question 6: How are IAM services billed?
Option 1: A. Per user basis
Option 2: B. Per Role basis
Option 3: C. Per group basis
Option 4: D. Number of Active Users Per month basis
Option 5: E. There is no charge for using IAM
Answer: Option 5: E. There is no charge for using IAM
Question 7: You would like to version control your policy changes in IAM so that you have ability to rollback changes. What features can you use to automatically track versions?
Option 1: Managed Policies that are customer maintained
Option 2: Managed Policies that are AWS maintained
Option 3: Inline Policies
Option 4: Managed Policies whether AWS maintained or Customer maintained track last five versions.
Answer: Option 4: Managed Policies whether AWS maintained or Customer maintained track last five versions.
Question 8: If User identities are not in IAM, would they be able to access AWS resources?
Option 1: A. You would need to create users in IAM
Option 2: B. You can link external users through a SAML 2.0 compliant corporate directory to IAM
Option 3: C. You can link external internet identities and identity providers using technology like AWS Cognito and manage permissions with IAM
Option 4: D. You can link Microsoft Active Directory to AWS Directory Service and use IAM to manage permissions
Option 5: E. Requests need to be routed through your application logic for access to AWS resources
Option 6: F. Choices B,C,D
Option 7: G. Choices A or E
Answer: Option 6: F. Choices B,C,D
Question 9: You have an Allow policy that grants permissions only when access is made from a specific public IP address. You have another Allow policy that grants permissions when access is made from a specific VPC. What is the net effect if both these policies are attached to an IAM user?
Option 1: A. User can access only from the specified public IP Address
Option 2: B. User can access only from the specified VPC
Option 3: C. User can access either from specific Public IP address or VPC
Answer: Option 3: C. User can access either from specific Public IP address or VPC
Question 10: User A belonging to Account X needs access to services on Account Y. In order to do so
Option 1: Account Y needs to give permission
Option 2: Account X needs to give permission
Option 3: Both X and Y need to give permission
Option 4: Either one needs to give permission
Answer: Option 3: Both X and Y need to give permission
Question 11: You launched an EC2 instance with an IAM role. Once the instance is launched, can you modify permissions associated with role?
Option 1: Yes
Option 2: No
Answer: Option 1: Yes
Question 12: You have an Allow policy that grants permission only when access is made from a specific public IP address: 78.124.30.112. You have a Deny policy for all actions when access is not made from 85.154.120.55. What is the net effect if both these policies are attached to an IAM user and the user is making a request from an EC2 instance with public IP address 85.154.120.55? There is no other policy attached to the IAM user.
Option 1: A. User can access all services
Option 2: B. User can access all services specified in public IP address conditions
Option 3: C. Policy runs into default deny as there are no other matching Allows
Option 4: D. Policy runs into default allow as there is no other matching deny
Answer: Option 3: C. Policy runs into default deny as there are no other matching Allows
Question 13: An IAM policy document contains multiple statements. How are the permissions in a statement evaluated?
Option 1: A. Logical OR of all statements
Option 2: B. Logical AND of all statements
Option 3: C. Logical OR of all statements with explicit Deny overruling explicit Allow
Option 4: D. Logical AND of all statements with explicit Deny overruling explicit Allow
Answer: Option 3: C. Logical OR of all statements with explicit Deny overruling explicit Allow
Question 14: You want to allow access to S3 buckets only during certain time of the day. How would you accomplish this?
Option 1: A. Use policy variables as part of the resource
Option 2: B. Add conditions using policy variables
Option 3: C. Add statements using policy variables
Answer: Option 2: B. Add conditions using policy variables
Question 15: User A has permissions assigned to him through IAM group membership. The resource User A is trying to access has a resource level permission. The resource level permission allows access to User A, whereas a group to which User A belongs has a deny on access to the resource. User A belongs to three different groups.
Option 1: User A is allowed access to resource
Option 2: User A is denied access to resource
Answer: Option 2: User A is denied access to resource
Question 16: You have AWS resources in multiple AWS regions. To manage access to those resources, you need to
Option 1: Create IAM User, Group and Policies in each region and attach it to corresponding resources in the region
Option 2: IAM is global and you can use the IAM resources to manage access in multiple regions
Answer: Option 2: IAM is global and you can use the IAM resources to manage access in multiple regions
Question 17: You would like to revoke programmatic access for an IAM user. What steps do you need to take?
Option 1: Attach a Deny policy for API Actions
Option 2: Attach an Allow policy for console only actions
Option 3: Remove Password Credentials
Option 4: Remove Access Key Credentials
Answer: Option 4: Remove Access Key Credentials
Question 18: You are using an AWS managed policy for controlling access for your group. AWS updated the policy when a new service was released. In order for your group to use the new permission defined in the policy you need to:
Option 1: Apply the new AWS managed policy changes to your IAM Group
Option 2: Approve the new version of AWS managed policy for use within your account
Option 3: Changes are automatically applied
Answer: Option 3: Changes are automatically applied
Question 19: You are managing permissions for your users using IAM Groups. In addition, resource level policies are applied to the Amazon SQS service. What permissions are enforced?
Option 1: Resource level policies
Option 2: User level policies
Option 3: Combined resource level and user level policies
Answer: Option 3: Combined resource level and user level policies
Question 20: You want to limit access to your AWS resource only from a specific EC2 instance inside a VPC. You do not use VPC endpoints. In this case, what IP should you put in the condition when you define the policy?
Option 1: A. Public IP or Elastic IP address of the instance
Option 2: B. Private IP address
Option 3: C. Network CIDR block of the VPC
Option 4: D. None of the above would work
Answer: Option 1: A. Public IP or Elastic IP address of the instance
Question 21: You have a single inline policy for an IAM group. You decide to give some additional permissions. In order for permissions to correctly proliferate, you choose to update the inline policy for the group. Would this change apply to all users that are part of the group?
Option 1: Yes, new permissions would be effective for all users of the group
Option 2: No, inline Policy cannot be updated. You need to attach a new policy
Answer: Option 1: Yes, new permissions would be effective for all users of the group
Question 22: You want to limit access to your AWS S3 bucket only from a specific EC2 instance inside a VPC. You are using a VPC endpoint. In this case, what IP should you put in the condition when you define the policy?
Option 1: Public IP or Elastic IP address of the instance
Option 2: Private IP address
Option 3: Either A or B
Option 4: None of the above would work
Answer: Option 4: None of the above would work
Question 23: Can you use a managed policy and attach it to a resource?
Option 1: Yes
Option 2: No
Answer: Option 2: No