Knowledge Check: Module 02

Quiz: Module 02: AWS Global Infrastructure

Test your understanding of the concepts covered in this module.

50 questions

  1. Question 1. Which of the following best describes the difference between authentication and authorization in AWS IAM?

  2. Question 2. True or False: A user can be successfully authenticated (signed in) to the AWS Management Console but still be denied permission to perform a specific action.

  3. Question 3. Which of the following statements about IAM user groups is correct? (Select TWO.)

  4. Question 4. A company has three teams: Developers, QA, and Database Admins. Each team needs different AWS permissions. What is the most efficient way to manage these permissions using IAM?

  5. Question 5. Which type of IAM policy is created and maintained by AWS, covers common use cases, and is automatically updated when new services or API actions are released?

  6. Question 6. A security engineer needs to create a policy that is tailored to the organization's specific requirements and wants the ability to maintain up to five versions of the policy for rollback purposes. Which policy type should they use?

  7. Question 7. True or False: An inline policy can be attached to multiple IAM users, groups, or roles simultaneously.

  8. Question 8. Which of the following correctly compares managed policies and inline policies? (Select TWO.)

  9. Question 9. In an IAM JSON policy document, which element specifies whether the statement allows or denies access?

  10. Question 10. Examine the following IAM policy statement. What does it allow?

    ```json
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-app-bucket",
        "arn:aws:s3:::my-app-bucket/*"
      ]
    }
    ```

  11. Question 11. Which element of an IAM policy document uses Amazon Resource Names (ARNs) to specify the AWS resources the statement applies to?

  12. Question 12. A developer writes an IAM policy with a Condition element that includes `"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}`. What does this condition do?

  13. Question 13. True or False: In IAM policy evaluation, if no policy explicitly allows an action, the action is allowed by default.

  14. Question 14. An IAM user has one policy that allows `s3:GetObject` on all S3 buckets and another policy that explicitly denies `s3:*` on all S3 buckets. What happens when the user tries to download an object from S3?

  15. Question 15. Place the following IAM policy evaluation steps in the correct order: (1) Explicit allow overrides implicit deny, (2) All requests start as implicitly denied, (3) Explicit deny overrides any allow.

  16. Question 16. What is the key difference between an IAM user and an IAM role?

  17. Question 17. When an entity assumes an IAM role, which AWS service issues the temporary security credentials?

  18. Question 18. A development team needs their EC2 instances to read objects from an S3 bucket. What is the most secure way to grant this access?

  19. Question 19. True or False: When you attach an IAM role to an EC2 instance via an instance profile, the instance receives temporary credentials that are automatically rotated.

  20. Question 20. Which of the following are common use cases for IAM service roles? (Select THREE.)

  21. Question 21. A company has separate AWS accounts for development, staging, and production. A developer in the development account needs temporary access to resources in the production account. What is the recommended approach?

  22. Question 22. In a cross-account role configuration, what does the trust policy specify?

  23. Question 23. In AWS Organizations, what is the management account?

  24. Question 24. Which of the following best describes the purpose of Organizational Units (OUs) in AWS Organizations?

  25. Question 25. True or False: Service Control Policies (SCPs) grant permissions to users and roles in member accounts.

  26. Question 26. An SCP attached to a "Production" OU denies `s3:DeleteBucket`. An IAM policy in a member account within that OU grants the user `AdministratorAccess`. What happens when the user tries to delete an S3 bucket?

  27. Question 27. Which of the following statements about Service Control Policies (SCPs) are correct? (Select TWO.)

  28. Question 28. A cloud architect wants to prevent anyone in any member account from disabling AWS CloudTrail logging, regardless of their IAM permissions. Which mechanism should they use?

  29. Question 29. True or False: Service Control Policies (SCPs) affect the management account of an AWS Organization.

  30. Question 30. Which of the following is a recommended best practice for securing the AWS root user? (Select THREE.)

  31. Question 31. A new AWS account has just been created. What is the first security action the account owner should take?

  32. Question 32. Which MFA device type is phishing-resistant and uses the FIDO2 standard?

  33. Question 33. A company wants to use a software-based authenticator app like Google Authenticator for MFA. Which MFA type does this represent?

  34. Question 34. True or False: AWS supports SMS text messages as an MFA device type for IAM users.

  35. Question 35. Which of the following can be enforced through an IAM account password policy? (Select TWO.)

  36. Question 36. An organization wants to ensure that IAM user passwords are at least 14 characters long, contain uppercase and lowercase letters, numbers, and symbols, and expire every 90 days. Where is this configured?

  37. Question 37. Which of the following are best practices for managing AWS access keys? (Select TWO.)

  38. Question 38. A developer discovers that their AWS access keys have been accidentally committed to a public GitHub repository. What should they do immediately?

  39. Question 39. True or False: Storing AWS access keys in application source code or committing them to version control is an acceptable practice if the repository is private.

  40. Question 40. What does the principle of least privilege mean in the context of IAM?

  41. Question 41. Which AWS tool can generate least-privilege policies based on actual access activity recorded in AWS CloudTrail?

  42. Question 42. A company is migrating to AWS and needs to set up identity management for 500 employees who need access to multiple AWS accounts. Instead of creating individual IAM users in each account, which AWS service should they consider?

  43. Question 43. Explain, in your own words, why IAM roles are preferred over long-term access keys for granting AWS services (such as EC2 instances) access to other AWS resources.

    Free-response questions are self-assessed. Compare your answer with the sample response.

  44. Question 44. An IAM policy contains the following Condition element. What does it enforce?

    ```json
    "Condition": {
      "Bool": {
        "aws:MultiFactorAuthPresent": "true"
      }
    }
    ```

  45. Question 45. True or False: In AWS Organizations, you can nest Organizational Units (OUs) to create a hierarchy, such as a "Production" OU and a "Development" OU under a "Workloads" OU.

  46. Question 46. A solutions architect is designing a multi-account strategy. They need to ensure that no member account can launch EC2 instances larger than `t3.large` in any Region. Which approach should they use?

  47. Question 47. Which of the following correctly describes how SCPs and IAM policies work together?

  48. Question 48. A Lambda function needs to write logs to Amazon CloudWatch and read items from a DynamoDB table. How should the permissions be configured?

  49. Question 49. Describe, in your own words, the relationship between Service Control Policies (SCPs) and IAM policies. Include an analogy to explain how they work together.

    Free-response questions are self-assessed. Compare your answer with the sample response.

  50. Question 50. A junior administrator creates an IAM policy with `"Effect": "Allow"` and `"Action": "*"` and `"Resource": "*"`. They attach it to a user in a member account that has an SCP allowing only `s3:*` and `ec2:*` actions. The user then tries to create an IAM user. What is the outcome, and why?