Explore the core differences between IAM roles and users through practical scenarios and simple explanations. This quiz is designed to help you grasp essential identity management concepts and best practices for secure access control.
Which IAM identity is commonly used for long-term, persistent access by people within an organization?
Explanation: IAM Users are designed for permanent identities that represent actual people or services needing consistent access. The other options are less suited: IAM Roles are typically for temporary access, IAM Groups are collections of users rather than identities themselves, and IAM Tokens refer to credentials, not identities. Using IAM Users enables detailed control over individual permissions, while IAM Roles focus on delegated access.
If an application running on a server needs to access resources without storing credentials, what IAM identity type is recommended?
Explanation: IAM Roles are perfect for granting temporary access without long-term credentials, making them suitable for applications or services. IAM Users require credentials be managed and rotated, which increases security risk. IAM Groups just organize users, not directly grant permissions. IAM Alias is not a recognized identity type in this context.
What kind of credentials are needed for an IAM User to access resources via API calls?
Explanation: IAM Users usually require Access Keys for programmatic access, which include an access key ID and secret. Session Tokens are temporary and often linked with roles. Service Accounts is a term used in some systems but not as a credential here. Policy Documents are used to define permissions, not to authenticate.
Which IAM identity should you use if you want to let an external service assume temporary permissions to access your resources?
Explanation: IAM Roles allow external users or services to assume permissions temporarily, which is a key distinction from IAM Users. IAM Groups only help manage multiple users, not external services. IAM Resource is not an identity but what you control access to. IAM Users are not designed for temporary or external delegation.
For which IAM identity can you enforce password policies, such as complexity requirements?
Explanation: Password policies apply to IAM Users, allowing you to set rules for password complexity. IAM Roles do not use passwords for authentication; they rely on temporary credentials. IAM Policy sets permission rules but doesn’t handle passwords, while IAM Groups are collections of users and do not authenticate directly.
What is the process called when an entity takes on the permissions of an IAM Role?
Explanation: The process of adopting the permissions of an IAM Role is known as 'Assume Role', which creates temporary credentials. 'Attach Role' is incorrect; it refers to assigning roles to resources, not obtaining permissions. 'Join Group' is related to users joining user groups. 'Grant Token' is not an established term here.
If multiple developers need access to the same temporary permissions, what is a secure way to manage this in IAM?
Explanation: Allowing each developer to assume an IAM Role gives temporary, auditable access without sharing permanent credentials. Assigning everyone to one IAM User or sharing access keys is insecure and makes tracking actions difficult. Adding developers to an IAM Policy is incorrect, as policies define permissions, not identities.
Which IAM identity can sign in using a username and password?
Explanation: IAM Users can log in with a username and password, providing direct access to consoles. IAM Roles cannot log in directly as they are assumed via trusted entities. IAM Certificate refers to a credential type, not an identity. IAM Organization is an administrative unit, not an individual identity.
When granting permissions for automated scripts or workloads running in virtual machines, what is the preferred IAM identity approach?
Explanation: Assigning an IAM Role to a machine or workload ensures that permissions are temporary and rotate securely, without requiring embedded credentials. Shared IAM User accounts and personal credentials increase the risk of accidental exposure. IAM Groups cannot directly authenticate workloads or scripts.
Which IAM identity allows for easier temporary access revocation if a service or employee no longer requires access?
Explanation: IAM Roles provide temporary credentials that can be quickly revoked or configured to expire, making it easy to manage short-lived access. IAM Policy only sets permissions but does not control identity. IAM User access requires credential rotation and may linger if not carefully managed. IAM Device is not a typical IAM identity.