Question 1

Which are characteristics of an AWS Identity and Access Management (IAM) group? (Select TWO.)

A user can belong to more than one group.
A group can belong to another group.
A group can have security credentials.
New users added to a group inherit the group’s permissions.
Permissions in a group policy always override permissions in a user policy.

The permissions inherited from the group are evaluated along with any other permissions for the user. A user can belong to multiple groups.

Question 2

What is an advantage of using attribute-based access control (ABAC) over role-based access control (RBAC)?

ABAC requires less testing than RBAC.
ABAC permissions are more secure than RBAC permissions.
ABAC permissions explicitly identify the resources that they protect.
ABAC will likely require fewer policies than RBAC.

Because ABAC defines permissions based on attributes, you don't have to create different policies for different job functions (roles). Therefore, you create fewer policies than with RBAC.

Question 3

A developer is a member of an AWS Identity and Access Management (IAM) group that has a group policy attached to it. The group policy allows access to Amazon S3 and Amazon EC2 and denies access to Amazon Elastic Container Service (Amazon ECS). The developer also has a user policy attached which allows access to Amazon ECS and Amazon CloudFront. Which option describes the user's access?

Access to Amazon S3, Amazon EC2, Amazon ECS, and Amazon CloudFront
Access to Amazon S3, Amazon EC2, and Amazon CloudFront, but no access to Amazon ECS
Access to Amazon ECS and Amazon CloudFront, but no access to Amazon S3 and Amazon EC2
Access to Amazon S3 and Amazon EC2, but no access to Amazon ECS and Amazon CloudFront

When using a user policy and a group policy together, the permissions of both policies are merged in such manner that explicit denies override explicit allows. Amazon ECS is denied in the user policy, so access to the service is denied even though it is allowed in the group policy.

Question 4

What is a benefit of identity federation with the AWS Cloud?

It assigns roles to authenticated users to control their access to AWS resources.
It eliminates the need for defining permissions in AWS Identity and Access Management (IAM) to secure the access to AWS resources.
It enables the use of an external identity provider to authenticate workforce users and give them access to AWS resources.
It centralizes the storage and management of user identities inside of the AWS Cloud.

Identity federation provides the ability to use an identity provider outside of an AWS account to authenticate workforce users who require access to AWS resources. For example, an on-premises application using a local user directory can perform the authentication step

Question 5

Which service enables identity federation for accessing a web application running in the AWS Cloud?

Amazon Cognito
AWS WAF
AWS Key Management Service (AWS KMS)
AWS CloudHSM

Amazon Cognito enables you to add user sign-up, sign-in, and access control to your web and mobile applications. It supports identity federation with social identity providers.

Question 6

Which service helps centrally manage billing, control access, compliance and security, and share resources across multiple AWS accounts?

AWS Systems Manager
Amazon Cognito
AWS Organizations
AWS Identity and Access Management (IAM)

Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies for these groups for governance. You can also simplify billing by setting up a single payment method for all your AWS accounts.

Question 7

A technology company has multiple production accounts grouped into a production organizational unit (OU) in AWS Organizations. The company wants to prevent all AWS Identity and Access Management (IAM) users in the production accounts from deleting AWS CloudTrail logs. How can a system administrator enforce this restriction?

Create an IAM policy and attach it to each IAM user in the production accounts.
Create a service control policy (SCP), and attach it to the production OU.
Create an Amazon S3 bucket policy and associate with all buckets containing AWS CloudTrail logs.
Create a tag policy and attach it to the production accounts.

In AWS Organizations, applying an SCP to the OU can prevent all IAM users from deleting the logs. The SCP cannot be overridden by any user (including the root user) of the AWS accounts in the OU.

Question 8

A developer is writing a client application that encrypts sensitive data using a data key before sending it to a server application. The client application sends the data key to the server application so that the server application can decrypt the sensitive information. The developer is concerned that the confidentiality of the sensitive data might be compromised if the data key is stolen. Which type of encryption should the developer use to fully protect the sensitive information?

Envelope encryption
Asymmetric encryption
Server-side encryption
Symmetric encryption

Envelope encryption encrypts both the sensitive information and the data key for added security. If the data key is stolen, it is unusable because it is also encrypted. Envelope encryption uses both symmetric and asymmetric encryption.

Question 9

Which functions does the AWS Key Management Service (AWS KMS) provide? (Select TWO.)

Create AWS Identity and Access Management (IAM) access keys
Authenticate external users
Store encrypted data
Create symmetric and asymmetric keys
Rotate keys

Question 10

Which AWS service discovers and protects sensitive information stored on Amazon S3 in an AWS account?

Amazon Detective
AWS Resource Access Manager (AWS RAM)
Amazon Macie
AWS Audit Manager

Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Macie recognizes personally identifiable information (PII) such as passport numbers, medical ID numbers, and tax ID numbers.

CLD120 Module 9 Knowledge Check

Securing User, Application, and Data Access

Keyboard Shortcuts