AWS Cloud Architecting: Module 9 Knowledge Check – Security User, Application & Data Access

Posted by

Er. Bikash Subedi

In the world of cloud computing, security is priority number one. Module 9 of the AWS Academy Cloud Architecting curriculum focuses on how to manage user access, secure applications, and protect sensitive data.

Here is your comprehensive guide to the Module 9 Knowledge Check, including all questions, options, and the reasoning behind each answer.

1. Characteristics of an IAM Group

Question: Which are characteristics of an AWS Identity and Access Management (IAM) group? (Select TWO.)

  • Options:
    • A group can belong to another group.
    • A user can belong to more than one group.
    • A group can have security credentials.
    • New users added to a group inherit the group’s permissions.
    • Permissions in a group policy always override permissions in a user policy.
  • Correct Answers:
    1. A user can belong to more than one group.
    2. New users added to a group inherit the group’s permissions.
  • Why: IAM groups are used to manage permissions for a collection of users. A user can be a member of multiple groups, and they will inherit all the permissions associated with those groups. It’s important to note that groups cannot be nested (a group cannot belong to another group), and they do not have security credentials themselves; only users have credentials.

2. ABAC vs. RBAC

Question: What is an advantage of using attribute-based access control (ABAC) over role-based access control (RBAC)?

  • Options:
    • ABAC requires less testing than RBAC.
    • ABAC permissions explicitly identify the resources that they protect.
    • ABAC will likely require fewer policies than RBAC.
    • ABAC permissions are more secure than RBAC permissions.
  • Correct Answer: ABAC will likely require fewer policies than RBAC.
  • Why: ABAC uses tags (attributes) to define permissions, allowing for more dynamic and scalable access control. Instead of creating individual policies for every possible role (RBAC), you can create a single policy that grants access based on matching tags, significantly reducing the number of policies you need to manage.

3. Combining User and Group Policies

Question: A developer is a member of an IAM group with a group policy attached to it. The group policy allows access to Amazon S3 and Amazon EC2 and denies access to Amazon Elastic Container Service (Amazon ECS). The developer also has a user policy attached which allows access to Amazon ECS and Amazon CloudFront. Which option describes the user’s access?

  • Options:
    • Access to Amazon ECS and Amazon CloudFront, but no access to Amazon S3 and Amazon EC2
    • Access to Amazon S3 and Amazon EC2, but no access to Amazon ECS and Amazon CloudFront
    • Access to Amazon S3, Amazon EC2, and Amazon CloudFront, but no access to Amazon ECS
    • Access to Amazon S3, Amazon EC2, Amazon ECS, and Amazon CloudFront
  • Correct Answer: Access to Amazon S3, Amazon EC2, and Amazon CloudFront, but no access to Amazon ECS
  • Why: This is a classic example of the “Explicit Deny” principle in AWS. If any policy (group or user) explicitly denies an action, that deny always takes precedence, regardless of any other “Allow” statements. In this case, the group policy’s explicit deny for Amazon ECS overrides the user policy’s allow, meaning the user cannot access ECS.

4. Identity Federation

Question: What is a benefit of identity federation with the AWS Cloud?

  • Options:
    • It eliminates the need for defining permissions in AWS Identity and Access Management (IAM) to secure the access to AWS resources.
    • It centralizes the storage and management of user identities inside of the AWS account.
    • It assigns roles to authenticated users to control their access to AWS resources.
    • It enables the use of an external identity provider to authenticate workforce users and give them access to AWS resources.
  • Correct Answer: It enables the use of an external identity provider to authenticate workforce users and give them access to AWS resources.
  • Why: Identity federation allows users to use their existing credentials (e.g., from an on-premises directory like Active Directory) to log in to AWS. This simplifies user management and provides a more seamless experience for employees.

5. Service for Identity Federation

Question: Which service enables identity federation for accessing a web application running in the AWS Cloud?

  • Options:
    • AWS CloudHSM
    • AWS WAF
    • Amazon Cognito
    • AWS Key Management Service (AWS KMS)
  • Correct Answer: Amazon Cognito
  • Why: Amazon Cognito is specifically designed for web and mobile application security. It provides user sign-up, sign-in, and access control, including support for identity federation through social identity providers (like Facebook or Google) and enterprise providers via SAML or OIDC.

6. Centrally Managing Multiple AWS Accounts

Question: Which service helps centrally manage billing, control access, compliance and security, and share resources across multiple AWS accounts?

  • Options:
    • AWS Systems Manager
    • AWS Organizations
    • AWS Identity and Access Management (IAM)
    • Amazon Cognito
  • Correct Answer: AWS Organizations
  • Why: AWS Organizations is a powerful account management service that allows you to consolidate multiple AWS accounts into an organization that you create and centrally manage. It offers consolidated billing, policy-based control (SCPs), and resource sharing across the entire organization.

7. Preventing Log Deletion with SCPs

Question: A technology company has multiple production accounts grouped into a production organizational unit (OU) in AWS Organizations. The company wants to prevent all IAM users in the production accounts from deleting AWS CloudTrail logs. How can a system administrator enforce this restriction?

  • Options:
    • Create an IAM policy and attach it to each IAM user in the production accounts.
    • Create a service control policy (SCP), and attach it to the production OU.
    • Create a tag policy and attach it to the production accounts.
    • Create an Amazon S3 bucket policy and associate with all buckets containing AWS CloudTrail logs.
  • Correct Answer: Create a service control policy (SCP), and attach it to the production OU.
  • Why: Service Control Policies (SCPs) allow you to set maximum permissions for the accounts in an organization or OU. By attaching an SCP that denies the cloudtrail:DeleteTrail action to the production OU, you ensure that no user in any of those accounts can delete the logs, even if they have full administrator privileges within their individual account.

8. Protecting Confidentiality with Encryption

Question: A developer is writing a client application that encrypts sensitive data using a data key before sending it to a server application. The developer is concerned that the confidentiality of the sensitive data might be compromised if the data key is stolen. Which type of encryption should the developer use to fully protect the sensitive information?

  • Options:
    • Asymmetric encryption
    • Symmetric encryption
    • Server-side encryption
    • Envelope encryption
  • Correct Answer: Envelope encryption
  • Why: Envelope encryption is the practice of encrypting your data with a data key, and then encrypting the data key with a master key. This adds an extra layer of security because even if someone steals the encrypted data key, they cannot use it without access to the master key, which is securely managed by a service like AWS KMS.

9. Functions of AWS KMS

Question: Which functions does the AWS Key Management Service (AWS KMS) provide? (Select TWO.)

  • Options:
    • Authenticate external users
    • Create symmetric and asymmetric keys
    • Create AWS Identity and Access Management (IAM) access keys
    • Store encrypted data
    • Rotate keys
  • Correct Answers:
    1. Create symmetric and asymmetric keys
    2. Rotate keys
  • Why: AWS KMS is a managed service that makes it easy for you to create and control the cryptographic keys used to protect your data. It supports both symmetric and asymmetric keys and provides automated key rotation features to enhance your security posture.

10. Discovering Sensitive Information in S3

Question: Which AWS service discovers and protects sensitive information stored on Amazon S3 in an AWS account?

  • Options:
    • AWS Audit Manager
    • Amazon Macie
    • Amazon Detective
    • AWS Resource Access Manager (AWS RAM)
  • Correct Answer: Amazon Macie
  • Why: Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to automatically discover, classify, and protect sensitive data (like PII or intellectual property) stored in Amazon S3.

Summary Checklist

Security GoalRecommended Service
Centralized Multi-Account ManagementAWS Organizations
Fine-Grained Access Control (IAM)Service Control Policies (SCPs)
Web/Mobile User Identity ManagementAmazon Cognito
Protecting Data KeysEnvelope Encryption
Discovering Sensitive Data in S3Amazon Macie

Er. Bikash Subedi

Post Views: 6

Er. Bikash Subedi

Leave a Reply

Your email address will not be published. Required fields are marked *

Follow Us

Recent Posts

Categories

Tags