Challenge your understanding of cross-account access and identity federation within AWS IAM by answering questions on trust policies, roles, external identities, and secure delegation. Perfect for those seeking clarity on access management and federated authentication best practices.
If an organization wishes to allow users from Account A to access resources in Account B without creating user accounts in Account B, which IAM feature should they primarily use?
Explanation: IAM Roles with cross-account trust allow users from Account A to assume permissions in Account B without requiring duplicate user accounts. IAM Groups are used within a single account and cannot span accounts. Federation tokens are used for identity federation, not specifically for cross-account access. Resource-based policies cannot be attached directly to IAM users. Only roles with trust relationships enable secure delegation across accounts.
Which statement accurately describes the purpose of a trust policy in the context of cross-account IAM roles?
Explanation: A trust policy in an IAM role defines which entities (users, roles, accounts) are permitted to assume or use that role. The permissions granted after assuming the role are set by the permissions policy, not the trust policy. Communication encryption is handled elsewhere, and password complexity is managed by authentication settings, not trust policies.
When an enterprise wants its employees to access AWS resources using their existing company login credentials from a different identity provider, what AWS feature enables this integration?
Explanation: Identity federation allows users to access resources using credentials from external identity providers, such as corporate directories. Cross-region replication deals with copying resources between regions. Multi-factor authentication adds an extra layer of security but does not integrate external identities on its own. Inline permissions boundaries are unrelated to authentication sources.
What is the primary benefit of providing temporary security credentials via identity federation for external users?
Explanation: Temporary security credentials restrict the time window in which users can access resources, minimizing security risks. These credentials do not provide unlimited access or permanent storage. Authentication is still required, so it does not bypass necessary security checks.
In a cross-account scenario, which permission must an external user or role have to assume a role in another account?
Explanation: The permission sts:AssumeRole is mandatory to allow an entity to assume a role in a different account during cross-account access. s3:ListBucket provides object listing, not role assumption. iam:UpdateUser and ec2:RunInstances are unrelated to cross-account role assumption.
Why is specifying an external ID in a cross-account IAM role trust policy considered a best practice?
Explanation: The external ID prevents unintended delegation by ensuring only the trusted party can assume the role. It does not handle encryption, session duration, or passwordless authentication; those are managed through other mechanisms or configurations.
Within a cross-account access setup, what does the permissions policy attached to the role control?
Explanation: The permissions policy dictates what actions and resources the role can access after being assumed. Which accounts can use the role are set in the trust policy. Connectivity between networks and password settings are defined elsewhere and are unrelated to role permissions policies.
Which protocol allows integrating third-party identity providers for web-based single sign-on into AWS resources?
Explanation: OpenID Connect (OIDC) is used for web-based single sign-on with external identity providers. SMTP is related to email, VPN tunneling handles secure network connections, and ICMP is a diagnostic networking protocol. Only OIDC is designed for federated identity access.
When setting up cross-account IAM trust, which value must match the trusted account to permit valid access?
Explanation: The AWS account ID in the trust policy must match the account permitted to assume the role. IP ranges and password settings are not used for identifying trusted accounts. Resource regions define where resources exist, not which accounts can assume a role.
What should you do to immediately revoke federated users’ access who obtained temporary credentials via identity federation?
Explanation: Revoking or expiring temporary security credentials ends the federated user's session immediately. Changing the email address or resetting multi-factor devices does not end active sessions. Increasing permissions would actually expand, not restrict, access.