AWS IAM Quiz 3

You can access the quiz at Link to Quiz and get all questions by printing the page.



Question 1: You would like to use a bucket-level policy on an S3 bucket. Access to the bucket needs to be limited to a specific IAM group. Can you add the group's Amazon Resource Name (ARN) as the Principal in the policy?

     Option 1: A. Yes, since groups have an ARN, you can add it as part of the principal
     Option 2: B. No, you cannot use a group ARN as principal


Answer: Option 2: B. No, you cannot use a group ARN as principal

Question 2: User A has permission assigned to him through IAM group membership. The resource User A is trying to access is restricted using resource level permissions. What permissions are effective to determine if User A has access to resource?

     Option 1: Resource level permissions override group level permissions
     Option 2: Group level permissions override resource level permissions
     Option 3: Both permissions are evaluated for access
     Option 4: Last created permission is applied


Answer: Option 3: Both permissions are evaluated for access

Question 3: IAM Role can be assumed by

     Option 1: A. IAM User
     Option 2: B. Applications
     Option 3: C. AWS Services
     Option 4: D. Federated Users
     Option 5: E. All of the above
     Option 6: F. Choices A, B, C


Answer: Option 5: E. All of the above

Question 4: AWS Root Account A has access to resources belonging to Account B. Can account A delegate the permissions to other IAM users who are part of account A?

     Option 1: A. Yes, Account A can delegate permissions to other users belonging to its account
     Option 2: B. Account B has to approve any user level access from Account A. Permission is granted only to Account A root credentials
     Option 3: C. Only if Account A and B are owned by the same entity
     Option 4: D. None of the above would work


Answer: Option 1: A. Yes, Account A can delegate permissions to other users belonging to its account

Question 5: Account A grants S3 bucket access to Account B. An IAM user belonging to Account B needs access to that bucket. What steps need to be performed for this to work?

     Option 1: Since Account B has access, all users belonging to the account have access to the bucket
     Option 2: Account B has to grant permission to the IAM user to access the bucket
     Option 3: Account A has to grant permission to IAM user belonging to Account B
     Option 4: Cross-account delegation is not supported.


Answer: Option 2: Account B has to grant permission to the IAM user to access the bucket

Question 6: How are IAM services billed?

     Option 1: A. Per user basis
     Option 2: B. Per Role basis
     Option 3: C. Per group basis
     Option 4: D. Number of Active Users Per month basis
     Option 5: E. There is no charge for using IAM


Answer: Option 5: E. There is no charge for using IAM

Question 7: You would like to version control your policy changes in IAM so that you have the ability to roll back changes. What features can you use to automatically track versions?

     Option 1: Managed Policies that are customer maintained
     Option 2: Managed Policies that are AWS maintained
     Option 3: Inline Policies
     Option 4: Managed Policies whether AWS maintained or Customer maintained track last five versions.


Answer: Option 4: Managed Policies whether AWS maintained or Customer maintained track last five versions.

Question 8: If user identities are not in IAM, would they be able to access AWS resources?

     Option 1: A. You would need to create users in IAM
     Option 2: B. You can link external users through a SAML 2.0 compliant corporate directory to IAM
     Option 3: C. You can link external internet identities and identity providers using technology like AWS Cognito and manage permissions with IAM
     Option 4: D. You can link Microsoft Active Directory to AWS Directory Service and use IAM to manage permissions
     Option 5: E. Requests need to be routed through your application logic for access to AWS resources
     Option 6: F. Choices B,C,D
     Option 7: G. Choices A or E


Answer: Option 6: F. Choices B,C,D

Question 9: You have an Allow policy that grants permissions only when access is made from a specific public IP address. You have another Allow policy that grants permissions when access is made from a specific VPC. What is the net effect if both these policies are attached to an IAM user?

     Option 1: A. User can access only from the specified public IP Address
     Option 2: B. User can access only from the specified VPC
     Option 3: C. User can access either from specific Public IP address or VPC


Answer: Option 3: C. User can access either from specific Public IP address or VPC

Question 10: User A belonging to Account X needs access to services on Account Y. In order to do so

     Option 1: Account Y needs to give permission
     Option 2: Account X needs to give permission
     Option 3: Both X and Y need to give permission
     Option 4: Either one needs to give permission


Answer: Option 3: Both X and Y need to give permission

Question 11: You launched an EC2 instance with an IAM role. Once the instance is launched, can you modify the permissions associated with the role?

     Option 1: Yes
     Option 2: No


Answer: Option 1: Yes

Question 12: You have an Allow policy that grants permission only when access is made from a specific public IP address: 78.124.30.112. You have a Deny policy for all actions when access is not made from 85.154.120.55. What is the net effect if both these policies are attached to an IAM user and the user is making a request from an EC2 instance with public IP address 85.154.120.55? There is no other policy attached to the IAM user.

     Option 1: A. User can access all services
     Option 2: B. User can access all services specified in public IP address conditions
     Option 3: C. Policy runs into default deny as there are no other matching Allows
     Option 4: D. Policy runs into default allow as there is no other matching deny


Answer: Option 3: C. Policy runs into default deny as there are no other matching Allows

Question 13: An IAM policy document contains multiple statements. How are the permissions in a statement evaluated?

     Option 1: A. Logical OR of all statements
     Option 2: B. Logical AND of all statements
     Option 3: C. Logical OR of all statements with explicit Deny overruling explicit Allow
     Option 4: D. Logical AND of all statements with explicit Deny overruling explicit Allow


Answer: Option 3: C. Logical OR of all statements with explicit Deny overruling explicit Allow

Question 14: You want to allow access to S3 buckets only during a certain time of the day. How would you accomplish this?

     Option 1: A. Use policy variables as part of the resource
     Option 2: B. Add conditions using policy variables
     Option 3: C. Add statements using policy variables


Answer: Option 2: B. Add conditions using policy variables

Question 15: User A has permissions assigned to him through IAM group membership. The resource User A is trying to access has a resource level permission. The resource level permission allows access to User A, whereas a group to which User A belongs has a deny on access to the resource. User A belongs to three different groups.

     Option 1: User A is allowed access to resource
     Option 2: User A is denied access to resource


Answer: Option 2: User A is denied access to resource

Question 16: You have AWS resources in multiple AWS regions. To manage access to those resources, you need to

     Option 1: Create IAM User, Group and Policies in each region and attach it to corresponding resources in the region
     Option 2: IAM is global and you can use the IAM resources to manage access in multiple regions


Answer: Option 2: IAM is global and you can use the IAM resources to manage access in multiple regions

Question 17: You would like to revoke programmatic access for an IAM user. What steps do you need to take?

     Option 1: Attach a Deny policy for API Actions
     Option 2: Attach an Allow policy for console only actions
     Option 3: Remove Password Credentials
     Option 4: Remove Access Key Credentials


Answer: Option 4: Remove Access Key Credentials

Question 18: You are using an AWS managed policy for controlling access for your group. AWS updated the policy when a new service was released. In order for your group to use the new permission defined in the policy you need to:

     Option 1: Apply the new AWS managed policy changes to your IAM Group
     Option 2: Approve the new version of AWS managed policy for use within your account
     Option 3: Changes are automatically applied


Answer: Option 3: Changes are automatically applied

Question 19: You are managing permissions for your users using IAM Groups. In addition, resource level policies are applied to the Amazon SQS service. What permissions are enforced?

     Option 1: Resource level policies
     Option 2: User level policies
     Option 3: Combined resource level and user level policies


Answer: Option 3: Combined resource level and user level policies

Question 20: You want to limit access to your AWS resource to only a specific EC2 instance inside a VPC. You do not use VPC endpoints. In this case, what IP should you put in the condition when you define the policy?

     Option 1: A. Public IP or Elastic IP address of the instance
     Option 2: B. Private IP address
     Option 3: C. Network CIDR block of the VPC
     Option 4: D. None of the above would work


Answer: Option 1: A. Public IP or Elastic IP address of the instance

Question 21: You have a single inline policy for an IAM group. You decide to give some additional permissions. In order for permissions to correctly proliferate, you choose to update the inline policy for the group. Would this change apply to all users that are part of the group?

     Option 1: Yes, new permissions would be effective for all users of the group
     Option 2: No, inline Policy cannot be updated. You need to attach a new policy


Answer: Option 1: Yes, new permissions would be effective for all users of the group

Question 22: You want to limit access to your AWS S3 bucket to only a specific EC2 instance inside a VPC. You are using a VPC endpoint. In this case, what IP should you put in the condition when you define the policy?

     Option 1: Public IP or Elastic IP address of the instance
     Option 2: Private IP address
     Option 3: Either A or B
     Option 4: None of the above would work


Answer: Option 4: None of the above would work

Question 23: Can you use a managed policy and attach it to a resource?

     Option 1: Yes
     Option 2: No


Answer: Option 2: No