Practice Test

True or False: Using ACLs (Access Control Lists) in AWS, we can manage permissions at a granular level, such as allowing only certain IP addresses to access an S3 bucket.

  • Answer: True

Explanation: ACLs allow fine-tuned permission control in AWS by allowing or denying specific IP addresses or ranges to access resources like S3 buckets.

In AWS, are ACLs normally used for authorization?

  • Answer: True

Explanation: ACLs, or Access Control Lists, are a common way to manage access permissions in AWS for services such as S3, EC2 and VPC.

Can ACLs be used to control both inbound and outbound traffic in a VPC in AWS?

  • Answer: True

Explanation: ACLs in AWS allow control over both inbound and outbound traffic, thereby providing additional security for resources in a VPC.

Which of the following is not an advantage of using ACLs in AWS?

  • A. Granular access control
  • B. Scalability
  • C. Native integration with other AWS services
  • D. Automatic encryption of data

Answer: D. Automatic encryption of data

Explanation: While AWS ACLs do provide granular access control, scalability and native integration with AWS services, they do not inherently provide automatic data encryption.

True or False: ACLs allow permissions to be assigned at the resource level and not the user level in AWS.

  • Answer: False

Explanation: ACLs in AWS help to manage permissions at both resource and user levels, enabling stricter access control.

An ACL could be used to restrict access to what in AWS? (Select all that apply)

  • A. S3 Buckets
  • B. EC2 Instances
  • C. VPC Networks
  • D. IAM Users

Answer: A. S3 Buckets, B. EC2 Instances, C. VPC Networks

Explanation: ACLs are used to manage permissions and control access to resources like S3 Buckets, EC2 Instances and VPC Networks. However, they are not used to restrict access to IAM Users.

What does an ACL comprise in AWS? (Select all that apply)

  • A. Resources
  • B. Permissions
  • C. Subnets
  • D. Users

Answer: A. Resources, B. Permissions, D. Users

Explanation: An ACL in AWS generally consists of Resources, Permissions and Users, enabling you to define who has what kind of access. Subnets, however, are not typically part of an ACL.

True or False: When an ACL is modified in AWS, the changes take effect immediately.

  • Answer: True

Explanation: In AWS, when an ACL is modified, the changes take effect immediately, enforcing the new permissions automatically.

Is it possible to have multiple ACLs per subnet in an AWS VPC?

  • Answer: False

Explanation: In AWS, you can only associate one network ACL with a subnet at any given time.

True or False: ACLs support both allow and deny rules in AWS.

  • Answer: True

Explanation: ACLs in AWS support both allow and deny rules, enabling you to manage access permissions in a flexible way.

What are the different types of ACLs in AWS?

  • A. Network ACL
  • B. S3 Bucket ACL
  • C. IAM User ACL
  • D. All are correct

Answer: D. All are correct

Explanation: AWS provides different types of ACLs to manage permissions for different resources and services including Network ACLs, S3 Bucket ACLs and IAM User ACLs.

True or False: Network ACLs are stateful in AWS.

  • Answer: False

Explanation: Network ACLs in AWS are stateless, which means they do not automatically allow return traffic.

Can we apply ACLs per object in the AWS S3 service?

  • Answer: True

Explanation: S3 bucket ACLs can provide access control at the bucket level as well as the object level. They allow you to grant permissions on individual objects in a bucket.

Which AWS resource does not use ACLs for permission management?

  • A. S3 Buckets
  • B. EC2 Instances
  • C. IAM Users
  • D. Lambdas

Answer: D. Lambdas

Explanation: Although many AWS resources use ACLs for permissions management, Lambdas instead rely more on IAM policies for access control.

What happens to network traffic if it does not match any rule in a Network ACL?

  • A. It is automatically allowed
  • B. It is denied
  • C. It is rerouted
  • D. It depends on AWS service

Answer: B. It is denied

Explanation: If network traffic does not match any rule in a Network ACL in AWS, it is automatically denied as a security precaution. This is based on the principle of least privilege.

Interview Questions

What is an ACL in the context of AWS?

ACL stands for Access Control List. It is a security feature used in AWS which controls who can access and perform operations on AWS resources.

What are the two types of ACLs in Amazon S3?

Amazon S3 supports two types of ACLs: Access Control List (ACL) and bucket policy. Bucket policies provide centralized access control to buckets and objects based on a variety of conditions, while ACLs are more granular.

What can a bucket Policy do that an ACL cannot in AWS?

Bucket policies can be used to add or deny permissions across some or all of the objects within a single bucket, and they also support a variety of conditions such as IP address, SSL use and the time of the request. ACLs do not support these.

What elements are included in an ACL in AWS?

An ACL includes a list of grants, and each grant consists of a grantee and a permission. The grantee can be an AWS account or a predefined Amazon S3 group and each permission is for a specific type of operation.

Which AWS service uses ACLs to set permissions or control?

The Amazon S3 service uses ACLs to control permissions. Another service that leverages ACLs is Amazon VPC, which uses network ACLs to control inbound and outbound traffic to network subnets.

Are ACLs the most effective way to secure your resources in AWS?

While ACLs provide a layer of security, they are not the only or the most effective way depending on the use case. AWS recommends using IAM policies or bucket policies and S3 Access Points for the majority of your use cases.

How does ACL differ from IAM?

IAM controls who can sign in to your AWS infrastructure and who is authorized to use the resources (EC2, VPC, S3, etc.), while an ACL is about controlling who can access a specific object in an S3 bucket.

Can you change an ACL on a resource in Amazon S3 after it’s been created?

Yes, you can change the ACL of a resource at any time after it’s been created.

Which AWS service uses network ACLs for additional security control?

Amazon VPC (Virtual Private Cloud) uses network ACLs as a layer of security that acts as a firewall for controlling traffic in and out of a VPC subnet.

What is the rule evaluation logic of a network ACL in Amazon VPC?

Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it’s applied regardless of any higher-numbered rule that may contradict it.

How many types of predefined groups are supported by an S3 ACL?

S3 ACLs support three types of predefined groups: the All Users group, the Authenticated Users group and the Log Delivery group.

What is the default network ACL rule in an AWS VPC?

By default, a network ACL allows all outbound and inbound traffic.

Can an object in an S3 bucket have more than one ACL?

No, an object in S3 can have only one ACL.

Is it a good practice to maintain the same ACL across all objects in an S3 bucket?

Depending on the sensitivity of the data, it could be a good practice for a uniform data security policy. However, the suitability of having the same ACL across all objects is dependent on the use case.

Can ACLs control the list of IP addresses that can access an S3 bucket?

No, ACLs can’t control the list of IP addresses. This is managed via a bucket policy, where you can provide a condition on the IP address.
