Your organization is preparing for a security assessment of your use of AWS.
In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers.
A. Create individual IAM users for everyone in your organization
B. Configure MFA on the root account and for privileged IAM users
C. Assign IAM users and groups configured with policies granting least privilege access
D. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate
Explanation:
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
The article below agrees with B, C
http://jayendra-patil.blogspot.com/2016/03/aws-iam-best-practices_9.html
C is not correct because by default IAM users and groups have no privileges; therefore it does not make sense to add a policy that grants least privilege access.
From the following it would appear to be A and B.
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
A is "create users for everyone in your organization"; that could mean even the janitor. It makes no sense to create users for everyone, only for those who really need to use AWS.
I agree
I’ll opt for B and C
bc
1. Lock away your AWS account (root) access keys
2. Create individual IAM users
3. Use AWS-defined policies to assign permissions whenever possible
4. Use groups to assign permissions to IAM users
5. Grant least privilege
6. Configure a strong password policy for your users
7. Enable MFA for privileged users
8. Use roles for applications that run on Amazon EC2 instances
9. Delegate by using roles instead of by sharing credentials
10. Rotate credentials regularly
11. Remove unnecessary credentials
12. Use policy conditions for extra security
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
BC are correct because we can choose only 2 (more specific to topic)
D is wrong as users do not need an X.509 certificate, nor are X.509 certificates and identity/secret access keys frequently rotated.
A is wrong; you might have 3500 people in your organization, and combined with D you'll spend your whole life rotating passwords. Large organizations need an identity broker/web federation to obtain credentials.
B is correct
C is correct
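As an added example (not part of the original thread, and not AWS's own tooling), the following Python script checks the points raised in the best-practice list above and in the comment on answers B and D against an IAM credential report: MFA on the root user and on console-enabled users, access keys left on the root user, and access-key age. The column layout follows the real credential report CSV, but the rows, the account id, the user names, the fixed "now" date and the 90-day rotation limit are constructed assumptions for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the IAM credential report (a subset of
# its columns). The account id, user names and dates are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-01-01T00:00:00+00:00,true,2024-05-01T10:00:00+00:00,2024-04-01T00:00:00+00:00,N/A,true,true,2024-04-15T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-01-01T00:00:00+00:00,true,2024-05-01T10:00:00+00:00,2022-01-01T00:00:00+00:00,N/A,false,true,2022-01-01T00:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-06-01T00:00:00+00:00,false,N/A
"""

# Fixed reference time so the example is reproducible offline (assumption).
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)
# Rotation limit is an assumption for the example, not a value from the thread.
MAX_KEY_AGE = timedelta(days=90)


def parse_report(text):
    """Parse credential-report CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_ts(value):
    """Report timestamps are ISO 8601; the placeholder values mean 'no date'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(rows, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) pairs for the checks discussed in the thread."""
    findings = []
    for row in rows:
        user = row["user"]
        is_root = user == "<root_account>"
        # Practice 7 / answer B: MFA on root and on users with console passwords.
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "ROOT_NO_MFA" if is_root else "USER_NO_MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            # Practice 1: the root user should not have access keys at all.
            if is_root:
                findings.append((user, "ROOT_ACCESS_KEY"))
                continue
            # Practice 10: rotate credentials; flag keys older than the limit.
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                findings.append((user, f"STALE_ACCESS_KEY_{n}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(parse_report(SAMPLE_REPORT)):
        print(f"{user}: {finding}")
```

Against a real account the CSV would come from `aws iam get-credential-report` (the output is base64-encoded), and the set of "privileged" users would be taken from policy attachments rather than from the report, which does not carry permission data; the script therefore treats every console-enabled user as needing MFA.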
BC