Access controls and management across multiple accounts

Practice Test

Multiple select: Which of the following statements are correct regarding Identity and Access Management (IAM) in AWS?

• A. IAM enables you to manage access to AWS services and resources securely.
• B. IAM is region specific.
• C. With IAM, you can share security credentials across multiple AWS accounts.
• D. IAM supports identity federation for delegating access to AWS management console.

Answer: A, D

Explanation: IAM allows secure access management for AWS services and supports identity federation, but it is not region specific and does not support sharing of security credentials across multiple accounts.

True or False: AWS Organizations enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.

Answer: True

Explanation: AWS Organizations allows you to consolidate and manage multiple AWS accounts centrally as part of an organization.

Multiple select: What are some capabilities of AWS Single Sign-On (SSO)?

• A. It allows users to sign in to multiple AWS accounts using a single set of credentials.
• B. It only supports a single AWS account at a time.
• C. It centralizes the process of granting, revoking, and managing access across AWS accounts.
• D. It provides in-built data loss prevention capabilities.

Answer: A, C

Explanation: AWS SSO allows users to sign into multiple AWS accounts with a single set of credentials and centralizes access management. However, it does not have in-built data loss prevention capabilities.

True or False: It is possible to use AWS IAM to create and manage AWS users and groups, and to allow permissions to allow and deny their permissions to AWS resources.

Answer: True

Explanation: AWS IAM indeed allows you to create and manage AWS users and groups and to assign permissions based on the principle of least privilege access.

Single select: Federated users in AWS ______________.

• A. Cannot make API calls
• B. Can easily access data in all S3 buckets
• C. Are managed outside of AWS
• D. Can only access resources in the AWS Management Console

Answer: C

Explanation: Federated users are users that are managed outside of AWS. They get temporary access to your AWS environment, but are not users that you create in IAM.

True or False: For cross-account access, the IAM policies can dictate the permissions.

Answer: True

Explanation: For cross-account access, the IAM policies in both the AWS accounts – the one that owns the resources and the one containing users who need access to those resources – can dictate the permissions.

Multiple select: Which of the following can AWS IAM roles be used for?

• A. To delegate permissions to AWS services that need to access your resources
• B. To facilitate creation of new user accounts
• C. To provide secure access from one AWS account to another
• D. To automatically generate access keys

Answer: A, C

Explanation: IAM roles can be used to delegate permissions to AWS services and establish a trusted relationship between AWS accounts for secure cross-account access, but they do not facilitate user account creation or automatically generate access keys.

True or False: AWS allows you to manage permissions in a standardized way with IAM policies.

Answer: True

Explanation: Using IAM policies, AWS ensures a uniform approach to managing permissions. These policies are objects in AWS that define permissions.

Multiple select: Which of the following can be used to manage access across multiple AWS accounts?

• A. AWS IAM
• B. AWS SSO
• C. AWS Elastic Beanstalk
• D. AWS Organizations

Answer: A, B, D

Explanation: AWS IAM, AWS SSO, and AWS Organizations all provide various mechanisms for managing access across multiple AWS accounts. AWS Elastic Beanstalk doesn’t provide this capability.

True or False: AWS Resource Access Manager (RAM) allows you to share your resources with any AWS account, or within your AWS Organization.

Answer: True

Explanation: AWS RAM is a service that enables you to easily and securely share AWS resources with any AWS account or within your organization.

Interview Questions

What is Cross-Account Role Switching in AWS?

Cross-Account Role Switching in AWS is a feature that allows you to switch between different accounts within your AWS Management Console without requiring to sign out and sign in for each account. You achieve this by delegating permissions to IAM users in another AWS account.

What is IAM in the context of AWS?

IAM stands for Identity and Access Management. It is a feature of your AWS account that provides you with fine-grained control over who can access your AWS resources.

How does IAM enhance security across multiple accounts on AWS?

AWS IAM provides security and control by allowing you to create and manage AWS users or groups and use permissions to allow or deny their access to AWS resources. IAM provides multi-factor authentication for highly privileged users for enhanced security.

What is an AWS organization?

AWS Organizations is a service that allows you to centrally manage and apply controls to your accounts. You can create groups of accounts, and then apply policies to those groups.

How does AWS Organizations help in simplifying access control and management?

AWS Organizations allows you to centrally manage policies, security, compliance, and billing across multiple AWS accounts. Through service control policies (SCPs), you can allow or deny access to AWS services.

What are SCPs in AWS Organizations?

SCPs, or Service Control Policies, are a type of policy that you can use in AWS Organizations to manage permissions. SCPs allow you to whitelist or blacklist the actions that administrators in member accounts can delegate to IAM users or roles in their own account.

What is AWS STS?

AWS STS is AWS Security Token Service, which you can use to grant trusted users temporary, limited access credentials to your AWS resources.

What is AWS Resource Access Manager (RAM) in the context of multi-account access control?

AWS Resource Access Manager (RAM) is a service that helps you easily and securely share your AWS resources with any AWS account or within your AWS Organization.

Can IAM be used to control access to specific AWS resources across multiple accounts?

Yes, IAM policies allow you to specify permitted actions, resources, and conditions for access, providing granular control to specific resources across multiple accounts.

What is a Trusted Advisor in relation to AWS access control?

Trusted Advisor is a tool that provides you with real time guidance to help you provision your resources following AWS best practices. It includes checks for secure access permissions among other aspects of resource configuration.

What is the role of AWS CloudTrail in managing access controls across multiple AWS accounts?

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It helps you keep track of all activities including API calls made on your account, providing vital information for analyzing and managing access controls across multiple accounts.

What is the function of AWS Identity Federation in managing multiple accounts?

AWS Identity Federation includes features that allow enterprises to connect their existing identity systems to AWS. This makes it easier to manage access controls across multiple accounts, as users can sign in to the AWS Management Console using their existing identity credentials.

Can AWS Managed Policies be used across multiple AWS accounts?

Yes, AWS Managed Policies can be used across multiple AWS accounts. The policies can be attached to multiple entities (users, groups, and roles) in your AWS accounts.

What is AWS Secrets Manager in terms of access control management?

AWS Secrets Manager protects access to applications, services, and IT resources. It enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

Can I use AWS Control Tower for access control and management across multiple accounts?

Yes, AWS Control Tower provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS’ experience working with thousands of enterprises as they move to the cloud.