36 thoughts on “AWS IAM – Identity Access Management”

    1. IAM best practices mention giving least privileges to the user, only those needed to perform his role. By default, a user has no privileges, but if the user wants to launch an EC2 instance, he should be given access for only that rather than ec2:*. A is incorrect as it is better to leverage roles in this case or hook it up with the company's authentication system.

      1. Actually the question is what is ‘Not True’ – 10 Groups is True.
        All options are true – so the Question needs to be updated (or some option)

  1. Hello Jayendra,

    Can you please provide your answer for the below question?

    What’s the policy used for cross account access?

    Trust policy
    Permissions Policy
    Key policy

    1. Hi Pradeep, for Cross Account access both the Trust Policy and Permissions Policy are needed.
      There are 2 participants here: the Trusting Account (who will give access and whose resources are accessed) and the Trusted account (who will access).
      The Trust Policy helps the Trusting Account to define the Trusted account who can assume the role. This needs to be defined on the Trusting Account side.
      The Trust policy can control the access to the resources that the Trusted account user can have, which is the max.
      A Permissions policy needs to be defined at the Trusted account to be able to define who can assume the Role and control which resources the user having the role can access. By default, the user can access the max defined by the Trusting account, but nothing more. But the permissions policy will help to control further and limit the access on the Trusted Account side.
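A concrete illustration of the two-sided setup discussed in this reply, added here as an example (it is not from the original post). It models the trust policy as answering only who may assume the role, the role's own permissions policy in the Trusting account as the ceiling of what the session can do, and an sts:AssumeRole permission in the Trusted account as the other half; account ids, role and bucket names are constructed placeholders.

```python
# Constructed placeholder account ids (not real accounts). The Trusting account
# owns the role and the resources; the Trusted account's users assume the role.
TRUSTING_ACCOUNT = "111111111111"
TRUSTED_ACCOUNT = "222222222222"
ROLE_ARN = f"arn:aws:iam::{TRUSTING_ACCOUNT}:role/CrossAccountReadOnly"

# Trust policy on the role (Trusting account side): which account may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"}}],
}

# Permissions policy on the same role: the ceiling of what an assumed session can do.
ROLE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-shared-bucket",
                                "arn:aws:s3:::example-shared-bucket/*"]}],
}

# Permissions policy in the Trusted account, attached to the users or group that
# should be able to assume this one role (and nothing else).
TRUSTED_SIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": ROLE_ARN}],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allows(doc, action, key, wanted):
    """True if some Allow statement grants `action` and its `key` field
    (Principal.AWS or Resource) contains `wanted`."""
    for st in _as_list(doc["Statement"]):
        field = st.get(key, {}).get("AWS", []) if key == "Principal" else st.get(key, [])
        if (st.get("Effect") == "Allow" and action in _as_list(st.get("Action"))
                and wanted in _as_list(field)):
            return True
    return False

def assume_role_allowed(caller_account, role_arn):
    """Both halves must agree: the role trusts the caller's account AND the
    caller's own account policy grants sts:AssumeRole on this role."""
    caller = f"arn:aws:iam::{caller_account}:root"
    return (_allows(TRUST_POLICY, "sts:AssumeRole", "Principal", caller)
            and _allows(TRUSTED_SIDE_POLICY, "sts:AssumeRole", "Resource", role_arn))
```

A third account that is not named in the trust policy, or a Trusted-account user whose policy lacks sts:AssumeRole on this exact role ARN, is refused by one side or the other.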

  2. Hi Jayandra

    For the below question the answer is B. Why did you choose C? Please clarify.

    Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service?

    A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
    B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
    C. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
    D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
    E. Use the LDAP credentials to restrict a group of users from launching specific EC2 instance types.

    1. Hi Santhil,

      SAML-based federation eliminates the need to maintain separate user identities in both LDAP and AWS. You still need an identity broker or provider to facilitate the communication. Using SAML for SSO is too generic, although it is partially correct as well.
      I think it's #C because the identity broker can work with LDAP to authenticate and then work with STS to generate temporary credentials to be able to log in.
      Refer – https://aws.amazon.com/blogs/aws/aws-identity-and-access-management-now-with-identity-federation/ & https://aws.amazon.com/blogs/security/how-to-use-shibboleth-for-single-sign-on-to-the-aws-management-console/

  3. Hi Jayendra

    For Q2, shouldn’t the answer be B? It says “policy template gives the admin group permission to access all account resources, EXCEPT your AWS account information”?

    Thank you.

  4. Q7

    I believe it’s console password, not key pair, check below:

    How will your administrators, systems, or applications authenticate their AWS infrastructure requests to AWS APIs?

    AWS provides a number of authentication mechanisms including a console, account IDs and secret keys, X.509 certificates, and MFA devices to control access to AWS APIs. Console authentication is the most appropriate for administrative or manual activities, account IDs and secret keys for accessing REST-based interfaces or tools, and X.509 certificates for SOAP-based interfaces and tools. Your organization should consider the circumstances under which it will leverage access keys, x.509 certificates, console passwords, or MFA devices.


    1. Thanks Sherief, yup, I think it should be the console password as underlying it still uses the AWS API.

  5. Hi Jayandra

    An AWS customer is deploying an application that is composed of an AutoScaling group of EC2 Instances. The customer's security policy requires that every outbound connection from these instances to any other service within the customer's Virtual Private Cloud must be authenticated using a unique x.509 certificate that contains the specific instance id. In addition, the x.509 certificates must be designed by the customer’s Key management service in order to be trusted for authentication. Which of the following configurations will support these requirements?

    For this question why can’t we choose ‘A’? Why did you choose ‘C’ using KMS?


  6. Hi,

    I think there is a mistake in Q14, because, as it is, there is no good response.

    I think it should be :

    An organization is planning to create a user with IAM. They are trying to understand the limitations of IAM so that they can plan accordingly. Which of the below mentioned statements is not true with respect to the limitations of IAM?

    A. One IAM user can be a part of a maximum of 5 groups (Refer link)
    B. Organization can create 100 groups per AWS account
    C. One AWS account can have a maximum of 5000 IAM users
    D. One AWS account can have 250 roles

    and the answer is A

    1. Thanks Tarek, my bad, it was updated to 10 groups, which is correct. Corrected the same.

  7. Hi,
    I read on some blogs that questions about limitation (like Q14) will not appear in the test. Is that true?

    1. Generally, limits questions like this do not appear in exams, as they are subject to change. However, questions for some of the limits do come, like the Glacier RTO, S3 max size or SQS message size limitation.

  8. The term “users” is liberally used here (and in tons of other blogs elsewhere). I wish people would always refer to “end users”, “IT support users”, etc. to differentiate. For a newbie, this may be confusing.

    1. The question checks for the option that is not valid, and option A is not valid. But that's true, the limits keep on changing.

  9. Q10. Implement identity federation between your organization’s Identity provider leveraging the IAM Security Token Service, for one-time credentials.

  10. Hi Jayendra,

    Q21 – Is it to help the organization achieve better security arrangement or not to help?

    1. Will not help, as IAM users do not control who can access the EC2 instances.

  11. Can you explain these two terms and the difference between them to me?

    The IAM resource objects that are used to identify and group. These include users, groups, and roles.

    The IAM resource objects that AWS uses for authentication. These include users and roles. Roles can be assumed by IAM users in your or another account as well as users federated through a web identity or SAML.
