Term
| Which kind of AWS IAM Policy would you use if you strictly want to attach the policy to a single user and be certain that it cannot be accidentally attached to any other user? |
|
Definition
|
|
Term
| Which four things are returned by GetFederationToken when a user successfully logs in to AWS using their Active Directory credentials? |
|
Definition
| Access key, secret access key, session token, expiration. |
|
|
Term
| The root administrator has left your company. What should you do to ensure your AWS account is secure? |
|
Definition
| The following best practices are recommended in order to secure the root account: configure MFA, use a strong password and rotate it regularly, and delete the root access key and secret access key. It is also best practice to delete any account associated with a user who has left the company. |
|
|
Term
| Which of the following IAM Policies can you change to update them when the needs of your organization change? |
|
Definition
| AWS Managed Policies cannot be changed, only Customer Managed and Inline Policies can be changed and updated to reflect the needs of your organization. |
|
|
Term
| To which of the following entities can you attach an IAM Policy? |
|
Definition
|
|
Term
| Which of the following approaches would you use to enable an application running on EC2 to read objects located in an S3 bucket? |
|
Definition
| Create an IAM role with read access to the bucket and associate the role with the EC2 instance |
|
|
Term
| You have configured Cross Region Replication on your S3 bucket and would like to enforce the use of SSL. How would you approach this? |
|
Definition
| Do nothing, SSL is enabled by default when you configure Cross Region Replication |
|
|
Term
| Which of the following statements is correct in relation to S3 cross-region replication? |
|
Definition
| SSL is enabled by default |
|
|
Term
| What is a permissions boundary used for? |
|
Definition
| It is used to limit the maximum permissions for a user, group or role |
|
|
Term
| You have created an S3 bucket policy which denies access to all users. Later on you add an additional statement to the bucket policy to allow read-only access to one of your colleagues; however, even after updating the policy, your colleague is still getting an access denied message. What is the reason for this? |
|
Definition
| An explicit deny always overrides an allow, so access will be denied |
|
|
Term
| Last week you created a Vault Lock Policy to prevent archived files from being deleted unless they are over 2 years old. But now your CTO has changed their mind and only wants to keep the archives for 1 year. What is your recommended approach? |
|
Definition
| Go back to the CTO and explain that once the Vault Lock is in place, it cannot be changed |
|
|
Term
| Which of the following steps would you need to complete in order to configure Cross Region Replication where source and destination buckets are owned by different accounts? |
|
Definition
| The owner of the destination bucket must grant the owner of the source bucket permissions to replicate objects with a bucket policy. |
|
|
Term
| Which of the following policy types is created and managed completely by AWS? |
|
Definition
|
|
Term
| Which of the following policies work in combination to define who or what can access an S3 bucket? |
|
Definition
| S3 Bucket Policy and IAM policy |
|
|
Term
| You have created a website hosted in S3 and configured a CloudFront web distribution. Which steps do you need to take to force your users to access your site using CloudFront and not directly using the S3 URL? |
|
Definition
Configure the bucket policy on your Amazon S3 bucket so that only the origin access identity has read permission for objects in the bucket
Select "Restrict Bucket Access" in the Origin Settings of your CloudFront Distribution
Create an origin access identity for your S3 origin |
|
|
Term
| Which of the following can you achieve using Amazon Cognito? |
|
Definition
Federated access to your web application for Facebook users
Anonymous guest access to your web application |
|
|
Term
| You would like to restrict access to S3 across a number of different AWS accounts in your organization. Which AWS feature can you use to do this? |
|
Definition
|
|
Term
| You have created a new S3 bucket and you want to force users to use HTTPS when uploading objects to your bucket. Which approach should you use? |
|
Definition
| Configure a bucket policy which includes a condition statement that denies requests where the aws:SecureTransport condition key is false |
|
|
Term
| The AWS STS API supports which of the following methods of access? |
|
Definition
Cross Account Access
Active Directory Federation
Web Identity Federation |
|
|
Term
| You are configuring a CloudFront web distribution for your website hosted in S3. Your marketing team has already purchased a registered domain name that they would like to use for the new website. Which kind of SSL certificate would you use in this configuration? |
|
Definition
| Use a custom SSL certificate with the certificate stored in ACM in us-east-1 |
|
|
Term
| Which of the following best describes a Glacier Vault? |
|
Definition
| A container which stores one or more Glacier archives |
|
|
Term
| What is meant by the "principal" in relation to AWS and permissions? |
|
Definition
| The principal specifies the user, account, service, or other entity that is allowed or denied access to a resource |
|
|
Term
| Which of the following is correct in relation to Service Control Policies? |
|
Definition
They can only be used to limit permissions to AWS resources
An SCP applies to all Organizational Units and accounts below the Organizational Unit to which it has been attached |
|
|
Term
| Which of the following does AWS IAM enable you to do? |
|
Definition
Multi-Factor Authentication
Identity Federation with Web Identity providers
Manage user access to the AWS Console
Identity Federation with Active Directory |
|
|
Term
| Which feature of AWS would you use to configure consolidated billing, group your AWS accounts into logical groupings for access control, and attach Service Control Policies? |
|
Definition
|
|
Term
| Which AWS API is called when a user accesses AWS using their Active Directory credentials? |
|
Definition
|
|
Term
| Which of the following would you use to define the IAM permissions which specify what can be done and what actions can be taken against resources in your AWS environment? |
|
Definition
|
|
Term
| Which of the following types of IAM Policy is created and administered by you and can be attached to multiple users, groups or roles within your account? |
|
Definition
| Customer Managed Policies |
|
|
Term
| How would you go about enforcing a mandatory 5 year retention policy on your Glacier archives? |
|
Definition
| Use a Vault Lock Policy which prevents any user from deleting archives which are less than 5 years in age |
|
|
Term
| Which of the following statements is correct in relation to user federation with Active Directory? |
|
Definition
Users do not need to have IAM credentials
The user must browse to the ADFS sign-in page |
|
|
Term
| Which of the following mechanisms would you use to apply fine-grained permissions on an object in S3? |
|
Definition
|
|